You are on page 1of 18

Eperio: Towards Commonplace Cryptographic

Election Verification

Abstract—Cryptographic (or end-to-end) election verification convinced that their vote was counted without being able to
is a promising approach to providing transparent elections in reveal to anyone how they voted.
an age of electronic voting technology. However it is unrealistic
to expect voters, who do not have specialist knowledge in Over two decades after the seminal groundwork was laid by
cryptography or software development, to be able to conduct an Chaum [12], Benaloh [6] and others, cryptographic election
end-to-end audit. In an effort to reduce the technical complexity verification has been used in real elections with binding
of performing these audits, we present Eperio: a new, provably results. An early Internet voting system to use cryptographic
secure construction for providing a tally that can be efficiently verification was RIES, used in a parliamentary election for
verified using only a small set of primitives. We suggest how
common-place utilities, like the use of file encryption, can further about 70,000 absentee ballots in 2004 in the Netherlands [24].
simplify the verification process for the voter. Using Python, In 2007, a university election in Canada used the optical-scan
verification code can be expressed in 50 lines of code. As system Punchscan for 154 voters [20]. In 2009, the Internet
an interesting alternative, we outline how verification can be system Helios was used in a university election in Belgium
completed manually using built-in functions in a spreadsheet. for 5142 registered voters [2], and in a university election in
Compared to other proposed proof-verification methods for end-
to-end election audits, Eperio lowers the requirements in terms the United States for 567 voters.1 In 2009, the optical scan
of lines of code, execution time, and cryptographic primitives. system Scantegrity was used in a municipal election in the
United States for 1722 voters.2
Case studies based on these elections have suggested that
about 30–40% of voters checked that election data posted to
Electronic vote-casting methods have become increasingly a website matches the information on their privacy-preserving
prominent. By 2006, less than 1% of the Unites States vote receipts [2], [20]. However there is a second step to ver-
voting-age population still voted by paper ballot, with over ifying a cryptographic election—checking the cryptographic
88% voting either by optical-scan, or some other electronic proof of robustness—and it is difficult to determine how many
interface [19]. However, software execution is not inherently voters or auditors are doing this. Very little data is available,
observable, which has generated widespread concern over but our expectation is few do. Cryptographic audits can be far
its use in elections. Furthermore, beginning in 2004 with more involved than what the average voter might be prepared
Kohno et al. [29], independent reviews have continued to to engage in. The recent municipal election in the United
uncover serious security vulnerabilities in widely-used com- States provides a good example: the two independent auditors
mercial systems; vulnerabilities that allow, among other things, of that election each wrote several hundred lines of software
undetectable tally manipulation if an attacker gains access to code to pore over the two and a half gigabytes of cryptographic
the system under reasonable threat scenarios. Recent studies audit data.3
have examined systems by ES&S [5], Premier/Diebold [10], Notwithstanding software development being a reasonably
[11], Sequoia [4], [9], and Hart-InterCivic [10], [25]. widespread (and growing) skill, there is another obstacle:
In response, a return to hand-counted paper ballots has been cryptography. Many systems in the literature employ advanced
suggested, however tallying by hand can be time-consuming cryptographic primitives and techniques not typically found in
for the long, multi-contest ballots common in many US standard software libraries. This typically results in the crypt-
precincts, in particular, for contests using bloc voting or ographic software components being custom coded, which is
instant run-off voting. Furthermore, while offering greater well known to software developers as being easy to botch.
transparency than electronic voting, full confidence in an Beyond these technical questions lies another question for
election result would require observing the process end-to- security researchers to consider: is the verification protocol
end, which is a large time-commitment, extends to only a secure and convincing? Replicating a verification process is
single polling place, and is nullified if the ballots are recounted different than understanding why the verification actually
at a later date. Instead we seek a solution that offers full proves what it claims.
confidence for all precincts and whose audit can be conducted
A consensus is emerging among some researchers and
at any convenient time after the election using commonplace
election officials that conceptual simplification of the overall
computer software.
process will be important to the future of cryptographic elec-
Our solution rests in cryptographic election verification,
which allows voters, and other public organizations, to au-
1 Election website:
dit election results through the addition of three specialized
2 Election website:
components in the election process: an enhanced ballot, a 3 Software and audit results by Ben Adida and Filip Zagorski
privacy-preserving vote receipt, and a cryptographic proof available online at and
of robustness. Through these components, a voter can be
tion verification.4 This trend is reflected in a recent German (1) Voter verifiable robustness: a proof, or strong evidence,
Federal Constitutional Court decision which states that if is made available to any voter that his/her voting intent
verification of a tally requires “specialist knowledge,” it is is included, unmodified, in the election outcome, and
unconstitutional [21]. simultaneously,
In this paper we consider ways to make cryptographic elec- (2) Ballot secrecy: an anonymous association between a
tion verification easier to conduct and comprehend. Although voter and his/her voting intent is maintained.
fundamentally we do not attempt to eliminate the require- Either of these properties, but not both, can be achieved
ment of specialist knowledge needed to verify an election unconditionally. Everlasting privacy implies that the crypto-
(cryptography and formal proofs of security inherently are a graphic transcript created during the course of an E2E election
form of specialist knowledge), we propose novel approaches does not uniquely encode which candidate was voted for on
to reducing specialist knowledge. We approach the design of a given receipt and in theory could be any of the candidate.
simpler cryptographic election verification protocols in two In this case, even a computationally unbounded citizen can-
related settings: not discover how anyone voted, however a computationally
• Less specialized cryptographic primitives: the desired unbounded election authority could change votes without
protocol should be secure under standard computational detection. Conversely, unconditional integrity guarantees that
assumptions, while using cryptographic primitives that the transcript uniquely encodes each vote. This means that
could be considered familiar to a general (non-specialist) probability of detecting a cheating election authority is invari-
audience. ant to its computation power, however ballot secrecy is lost if
• Reduced reliance on custom software implementa- a citizen is computationally unbounded. While we expect that
tions: the software components of the verification inter- both parties are computationally bounded, offering uncondi-
face of the desired protocol could be implemented, wher- tional security in one regard can eliminate assumptions.
ever possible, using either existing software components, Arguments in favor of everlasting privacy note that robust-
or small custom open-source code bases. ness only needs to be maintained for the period of the election,
while ballot secrecy needs to remain secure against the com-
Contributions putational powers of future generations. In the least, secrecy
should be post-quantum. On the other hand, the amount of
The contributions of this paper include: (i) a classification
true randomness needed to truly achieve everlasting privacy is
for levels of election verification, (ii) the Eperio election
inhibiting, especially if secrets are threshold-shared among a
verification protocol and a proof of its security, (iii) a proposal
set of election trustees. Furthermore, everlasting privacy offers
for implementing cryptographic commitments with existing
no protection against election trustees colluding or revealing
file encryption programs, and (iv) several implementations of
their shares. Eperio can achieve either but we devote most of
the verification protocol. Our implementations include a 50-
our explanation to the variant with unconditional integrity.
line Python script that can audit a 5000 ballot, 12 candidate
election in 9.3 seconds, a set of macros for completing Property 2, ballot secrecy, has been formalized in a variety
verification in a spreadsheet, and a set of steps for manually of ways. Benaloh and Tuinstral define receipt-freeness as the
verifying the election using only the built-in functions of a property that a voter is not able to provide useful information
spreadsheet. The implementations are not mutually exclusive, about their vote after it is cast [8]. This definition is strength-
allowing voters to choose an approach they are comfortable ened by Moran and Naor to account for an adversary that
with. interacts with the voter before and after casting [30]. A even
stronger notion, coercion resistance, is possible to achieve in
remote and Internet voting settings [27].
With regards to Property 1, a prevalent model for E2E voter
In this section, we discuss the properties of end-to-end verifiable robustness is to ensure three sequential properties:
cryptographic verification. We then focus on the user interface
(1a) Marked-as-Intended: an auditor can verify that if a
of the verification protocol, with particular attention to its
voter were to attempt to obfuscate their vote, it would
requirements and security properties. We then briefly discuss
be obfuscated correctly,
a number of assumptions we make regarding the voter and
(1b) Collected-as-Marked: a voter can verify that the ob-
trustee interfaces, and outline a number of threats to be
fuscation of their vote is included in a collection of
mitigated by the Eperio verification protocol.
obfuscated votes, and,
(1c) Counted-as-Collected: an auditor can verify that the
End-to-End Verifiability collection of obfuscated votes is properly deobfuscated,
In order to describe cryptographic election audits, the United producing a self-consistent and correct tally.
States Election Assistance Commission has introduced the The composition of these properties results in the voter’s
term end-to-end (E2E) verification [40]. We consider E2E preference being counted-as-intended (i.e., verifiable from end
verification to be the conjunction of two properties: to end). These properties are realized by three interfaces. A
4 See for example talks by Epestein, Gilbert, Jones, Sergeant, Volkamer, and
voting interface is used by voters on election day to create
Wallach at the NIST Workshop on End-to-End Voting Systems, Washington obfuscations of their votes. A trustee interface is used by a set
D.C., 2009. Program available: of election trustees to generate the ballots prior to the election,
called the bulletin board. A robustness proof is generated
from the transcript and receipts by a set of election trustees.
The standard approach to verifying the election is through
three distinct audits, one for each of the previously mentioned
robustness properties (1a,1b, and 1c):
• Receipt Check: Property (1b) is verified by checking
that a privacy-preserving encryption (or obfuscation) of a
vote is present on the bulletin board. A standard method
involves granting the voter with a paper (or electronic)
Fig. 1. Eperio election verification architecture showing entities, interfaces, receipt of this encryption at the time the ballot is cast.
interactions (black arrows) and data flow (grey arrows). Auxiliary inputs (e.g., The voter may later use this receipt to consult the bulletin
audit challenges) are omitted for brevity. Voters are assumed to have been
already registered/authenticated by a separate process. board to ensure it is present and unmodified,
• Print Audit: Property (1a) is verified by checking that
ballots are being presented honestly. That is, a proof that a
collect the obfuscated votes after the election, and generate a mark made for a particular candidate will in fact translate
provably correct tally after the election. Finally, a verification into an obfuscated vote for that candidate. A standard
interface is used by voters and verifiers to check that the proofs method involves granting the voter the option to audit a
are correct. These interactions and interfaces are illustrated in ballot instead of voting on it. The digital representation of
Figure 1. Eperio is not an entire E2E system, just a trustee an audited ballot will be de-anonymized so that it can be
and verification interface that can interact with many of the compared to what was printed (or presented electronically
voting interfaces in the literature. to the voter),
• Tally Audit: Property (1c) is verified by checking a
cryptographic proof of self-consistency of the bulletin
Voting Interface
board. A standard method involves proving a privacy-
Although the voting interface is not part of Eperio, it will preserving mapping from the list of receipts to the
facilitate discussion of Eperio to discuss various means by election outcome.
which a voter can mark a ballot and construct a receipt. The
literature proposes four main methods for obfuscating a ballot
to create an E2E ballot receipt: encrypting a reference to the Grades of Verifier
candidate and retaining only the ciphertext (e.g., [1]), applying
A prevailing view of end-to-end verification is one in which
a randomized permutation to a canonical list of candidates
two categories of verifier exist: voters whose responsibility
and retaining only the position marked (e.g., [15]), substituting
it is to perform the receipt check of their own ballot in a
a randomized code for each candidate and retaining just the
particular election, and security researchers whose job it is to
code (e.g., [14]), and splitting the vote into randomized partial
be responsible for all else. However because of the importance
shares and retaining only one of the shares (e.g., [35]). The
of election verification and the diversity of a real-world
voting interface typically consists of a combination of an ob-
population, E2E audits should ideally accommodate a range of
fuscation technique with a conventional intent capture/storage
skill, knowledge and interest. We consider it useful therefore
mechanism. For example, permutation and code obfuscations
to classify cryptographic verification as a set of grades, each
have often been proposed in combination with optical scan
with its own responsibilities, participatory requirements, and
paper ballots, while encryption has often been proposed in
trust requirements:
conjunction with touch-screen and internet voting interfaces.
The Eperio protocol works directly with most of the permu- Voter
tation and code-based obfuscation techniques in the literature. • Primary responsibility: Substantiate their contribution
For illustrative purposes, we will present how Eperio would to a specific election using the E2E protocol and their
work with a paper ballot system similar to the Prêt à Voter audit data,
system [15]. The list of candidates is independently shuffled • Technical requirements: Be able to perform the receipt
on each ballot. The voter finds their preferred candidate and check of their own ballot and interpret the outcome,
marks the associated position. The voter then tears off just the • Knowledge requirements: Understand the concept of
marks (a figure in the next section, Figure 2, illustrates this), E2E verification at a high level as well as the general
which is scanned and then retained as a receipt. The candidate purpose of each property,
list is shredded by the voter before leaving the polling place. • Trust requirements: Trust someone to verify (1a) and
We refer to each position (bubble) on the ballot that can be (1c) on their behalf, and trust someone to formally
marked as a unique markable region (UMR). analyze the security of the protocol.
Election Data Auditor
Verification Interface • Primary responsibility: Substantiate the outcome of a
A transcript of certain election events and the scanned specific election using the E2E protocol and public audit
receipts are published on an append-only broadcast channel data,
• Technical requirements: Be able to perform each of the Since we are not innovating on the voting interface level, we
audits either by using existing verification software or assume the existence of a voting interface that can interface
writing it themselves, and interpret the outcome, with Eperio and is secure against the following two threats:
• Knowledge requirements: Understand the details of • Coercion. An active adversary may attack the voting
each audit. Understand at a high level why the protocol interface, attempting to coerce a voter into voting in a
works, particular way and producing evidence of compliance.
• Trust requirements: If using existing verification soft- • Repudiation. An active adversary may attack the voting
ware, trust its correctness (or review the source code). interface, attempting to discredit the validity of the elec-
Trust someone to formally analyze the security of the tion proof by submitting a false (i.e., spurious) dispute of
protocol. the results of any of the proofs.
Protocol Analyst
• Primary responsibility: Substantiate the security prop-
erties of the E2E protocol in general, A. Overview
• Technical requirements: Same as election data auditor, As a very quick overview, a set of trustees will jointly
• Knowledge requirements: Decide at a formal level generate a table with three columns. The first will reference
whether the protocol is complete, sound and secret, each unique markable region on each ballot in the election,
• Trust requirements: None. the second will indicate whether this region was marked or
In this paper, we target the second class: Election Data unmarked (or marked for an audit), and the third column will
Auditors. This may encompass software/security enthusiasts, contain the candidate associated with that markable region.
democracy advocacy groups, third party consultants, and po- This table is then randomly shuffled. It is easy to see that
litical campaigns. For the purposes of this paper, we present if the first two columns are revealed, the information should
Eperio as an attempt to simplify the technical and knowledge correspond to the set of all of the receipts in the election.
requirements for Election Data Auditors, and make this class If the last two columns are revealed, the information should
of verification more accessible to individuals who would correspond to the final tally. If all three are revealed (or
otherwise be confined to the Voter level. the contents of an unrevealed column are implied through
some function dependency), then ballot secrecy is breeched.
The Eperio protocol proves the correct formation of all three
Trustee Interface columns by only revealing the information implied in two of
Election trustees construct the cryptographic proofs of in- the three columns. It uses a composition of cut-and-choose
tegrity using private function evaluation, where no trustee is and random audit techniques inspired by randomized partial
permitted to learn more from the public outputs than what they checking [26].
can learn from their own private input. We do not assume that
the function is evaluated correctly (this will be established with B. Entities
a proof), only that intermediate values are unobservable. We
The Eperio protocol relies on the following entities, which
refer to this as a blackbox computation. It can be accomplished
are standard in most E2E voting systems:5
with a distributed multi-party computation or special hardware.
• A set of n election trustees (or the prover), P, tasked
In Section V, we suggest a deployment option that has been
used in actual cryptographic elections based on trustworthy with generating a verifiable tally. P is assumed to be
computing, but for now leave it as an assumption. We also a set of mutually distrustful and non-collusive trustees.
note that assuming integrity but not privacy, the counterfactual, However the protocol can tolerate t ≤ n−1 2 trustees who
is also common in the broader cryptographic literature; e.g., collude or refuse to participate.
• The set of authenticated voters who cast ballots in the
honest-but-curious adversaries and tamper-proof hardware
[28], [31]. election.
• The first set of verifiers, V1 , who verify that their receipts
were collected correctly (Property 1b). V1 are either
Threat Model voters, or auditors that were given access to a copy of
In general we will require an end-to-end election verification a voter’s receipt.
• The second set of verifiers, V2 , who verify that the ballots
protocol to be secure against two principal threats:
are printed correctly (1a). V2 are either voters or auditors
• Manipulation. An active adversary may attack the ad-
who went in person to obtain a ballot to audit.
ministrative interface, attempting to present a false elec- • The third set of verifiers, V3 , who verify that the tally
tion outcome by corrupting software components, data, is computed correctly from the collected receipts (1c).
or a tolerable threshold of election officials. V3 can include anyone in any location with access to the
• Identification. A passive adversary may attack the ver-
election data.
ification interface, attempting to use data on the public 0
• A malicious adversarial prover, P , who will attempt to
bulletin board (which persists indefinitely) to recover the convince the verifiers that an incorrect tally is correct.
unique associations between ballot receipts and individual
votes. 5 Here we categorize verifiers by task, not by grade as in Section II.
• A malicious adversarial verifier, V 0 , who will attempt
to break voter privacy and determine which candidate
was selected on a given receipt (or any non-negligible
information about this selection).

C. Functions
The Eperio protocol requires a set of standard functions
from the cryptographic literature: a threshold key agreement
modeled after the one due to Pedersen [33], a cryptographi-
cally secure pseudorandom number generator (PRNG), a per-
fect shuffle algorithm, a message commitment scheme (either Fig. 2. Left: E2E-enabled optical scan ballots. Each ballot consists of a
unique serial number, a candidate list printed in an independent random order,
perfectly binding or perfectly hiding), and a public coin (or and a perforation between the optical scan ovals and the candidate list. Upon
random beacon) to generate non-interactive challenges. marking the ballot, the candidate list is detached and shredded. The remaining
1) Distributed Key Generation/Reconstruction: piece is scanned and granted as a receipt. Because the candidate orderings are
independent across ballots, knowing the mark position alone does not reveal
◦ (y1 , . . . , yn , κ) ← DKG(n, t, l, f1 , . . . , fn ) how a voter voted. Right: Eperio table. Each optical scan oval (referenced by
◦ κ ← KeyRec(y1 , . . . , yt+1 ) a serial number and absolute position), its mark-state (marked or unmarked)
and the corresponding candidate name are recorded in a randomly assigned
DKG accepts from each of the n trustees a polynomial row.
of degree t, fi , with coefficients of bit-length l. The
coefficients are summed together, mod 2l , to produce a
new polynomial fˆ. Each trustee i receives yi = fˆ(i) as D. Lists and Tables
their share and the value κ = fˆ(0) forms a shared secret The Eperio protocol relies on a particular data structure,
of bit-length l. t should be set such that n ≥ 2t + 1. called the Eperio table, which is constructed from a set
KeyRec accepts at least t + 1 shares, y1 , . . . , yt+1 , from of private inputs by the trustees. To facilitate clarity, we
a subset of the trustees and outputs the shared secret κ. also denote some intermediate lists and tables used in its
2) Pseudorandom Number Generation: construction. The Eperio table is a novel data structure and
◦ {0, 1}l ← PRNG(κ, l) the primary contribution of this paper. It is shown in Figure 2
PRNG is a stateful function which takes as input the with a permutation-style ballot, which we use to illustrate the
shared secret, κ, as a seed and returns l new pseudo- protocol.
random bits each time it is invoked. For simplicity, we The following lists are public inputs to the system decided
omit l if the size of the output is clear from the context. on prior to the election.
3) Permutation: UMR List: U is the list of each unique markable
◦ π(Wi ) ← Permute(w1 , . . . , wu , Π) region (UMR) for the s candidates on each of
◦ π(Wi ) ← PermuteBlock(w1 , . . . , wu , s, Π) the b ballots. Elements are encoded as a ballot
Permute accepts a list Wi of u elements and a number, serial number and a position, and are listed in
Π = O(u log(u)), of random bits sufficient to per- ascending order. The length of the list is u = s·b.
fectly shuffle the list.6 PermuteBlock splits up the list Candidate Roster: S is the set of selections or
w1 , . . . , wl into blocks of s elements and permutes each candidates to appear on the ballot, for each
block independently. contest. Elements are encoded as a character
4) Commitment: string of arbitrary length. The size of the set is
◦ c ← Commit(m, r) s. Without loss of generality, we assume a single
◦ {0, 1} ← Decommit(c, r, m) contest.
Commit takes as input an arbitrary length message m These are used by the trustees, in conjunction with the
and a random factor r. It outputs a commitment to the functions defined above, to create the following private list.
message c. Decommit accepts values m, r, and c, and Candidate List: S ← U × S is the list of can-
outputs 1 iff c is a valid commitment to m and r. didates for each position on a ballot composed
Otherwise it outputs 0. by randomly selecting, without replacement per
5) Public Coin Toss: ballot, an element from S. It is ordered by U.
◦ {0, 1} ← PubCoin() The length of the list is u.
PubCoin returns a uniformly random bit. The output The marks list will denote the final status of a markable
should be unpredictable prior to being invoked and veri- region. It is empty prior to the election and is provided as a
fiable a posteriori. public input to the system after every ballot has been cast.
Marks List: M is the list of marks corresponding
6 Generating a random integer from random bits is non-deterministic when
to each markable region in U. Elements include
the integer is not a perfect power of 2. Perfect shuffling algorithms, like Fisher-
Yates, require random integers. An upper bound on the expected number of marked (1), unmarked (0), and print audited (-1).
bits is 2(log2 u!). The length of the list is u.
The concatenation of these three lists defines a table that ◦ P(:,2) ← M
collects all the private information of the election. ◦ P(:,3) ← S
Print Table: P is a table formed by joining U, M, Finally, x instances of P are generated and each shuffled
and S. The dimensions of the table are u × 3. row-wise. Each instance is stored in the Eperio table, E(i,j,k) .
A proof of election integrity subsumes a proof that the ◦ For i = 1 to u and k = 1 to x,
relations between each list in P is consistent with a universal ◦ ΠE ← PRNG(κ)
view of the election. Pairwise, a correct U-M relation implies
◦ E(i,:,k) ← Permute(P(i,:) , ΠE )
ballots were collected as marked (Property 1b from Section II),
a correct U-S relation implies ballots were printed correctly We define, for future use, the following function. It encap-
(1a), and a correct M-S relation implies the ballots were sulates all the steps in this ‘generate Eperio table’ section.
counted as collected (1c). Thus revealing P(i,j) for all i ◦ E ← GenE(κ)
and j is sufficient, under our assumptions, for independently 3) Generate Commitments: The trustees are now ready to
verifying the correctness of the tally. Unfortunately, it would commit to the data in E. For each instance 1 < k < x, they
also destroy the privacy preserving property of the ballot will commit to both the E(:,1,k) and E(:,3,k) columns. This
receipt—in conjunction with P, receipts would provide proof requires x × 2 commitments. The random factors for these
of which candidate was selected. commitments are stored in an x × 2 table R. The resulting
The Eperio table is a data structure that, with a set of commitment is stored in corresponding table C.
queries, can prove the correct formation of P while maintain- ◦ For i = 1 to 2, j = 2i − 1, and k = 1 to x,
ing the same level of privacy provided by only revealing the ◦ R(i,k) ← PRNG(κ)
list of receipts and the final tally. Specifically, it is a collection ◦ C(i,k) ← Commit(E(:,j,k) , R(i,k) )
of x instances of P that have been independently shuffled row-
◦ Publish C
wise. By revealing portions of and relations on this structure,
we will show that a complete and robust proof of integrity can Note that 2i − 1 is simply the mapping {1 → 1, 2 → 3},
be established with this minimal disclosure. used to denote that commitments to the first and third columns
of E are stored, respectively, in the first and second rows of
Eperio Table: E is a table formed by x instances
C. C is published to the bulletin board.
of P, each of them independently shuffled row-
4) Voting: Registered and authenticated voters are issued
wise. The dimensions of the table are u × 3 × x.
a paper ballot with a randomized candidate list according to
P. After marking the ballot, the candidate list is detached and
E. Protocol destroyed (e.g., placed in to a paper shredder). The remaining
We now outline the protocol for generating an Eperio table strip is scanned by an optical scanner and the strip is retained
and the various outputs required for proving it encodes a by the voter as a receipt. The optical scanners will record for
correct tally. The focus of this paper is on the protocol for each ballot which position was marked, as well as the ballots
verifying this proof, which is orthogonal to the issue of how that were print audited. After the election, these are placed into
the data is generated. However the security proof we provide the list M. Without knowing P(:,3) , this information does not
in the next section encompasses the generation of the data, and reveal which candidate was voted for and can be published.
so we give it consideration. The first three steps of the protocol ◦ Publish M
are conducted prior to the election: initial setup, generating the 5) Compute Tally: At least t + 1 trustees regenerate the
Eperio table, and generating the commitments to the Eperio election secret, and use it to regenerate the Eperio table, only
table. These steps are performed with a blackbox computation. this time with the completed marks list being shuffled along
1) Initial Setup: The setup assumes that a list of candidates, with the rest of the table.
S, is available as well as the number of ballots, b, to be used ◦ κ ← KeyRec(y1 , . . . , yt+1 )
in the election. The first task is for the trustees to generate an
◦ E ← GenE(κ)
election secret and receive shares of this secret.
For each instance x, they publish the corresponding marks
◦ (y1 , . . . , yn , κ) ← DKG(n, t, l, f1 , . . . , fn )
list. Each of these lists is a shuffled version of the original M.
2) Generate Eperio table: Next, the trustees generate the
◦ Publish: E(:,2,:)
Eperio table E. U is formed by listing the ballot and position
numbers in order. To form S, the candidate list is repeated b Finally, a tally is computed from any E(:,2,k) and E(:,3,k)
times and then randomly permuted on a ballot-by-ballot basis. pair of columns, and the list of totaled values for each
candidate, denoted τ , is published. This can be considered an
◦ ΠS ← PRNG(κ)
asserted tally, as the purpose of E2E verification is to prove
◦ Si ← PermuteBlock(Sb , s, ΠS ) that this tally is correct.
Table P is created by placing U, M, and S beside each 6) Generate the Linkage List: To ensure that the Eperio
other in columns. M is initially empty, but in future meetings table is consistent with what actually appears on the printed
will include the marks recorded during the election. P is used ballots in the election, verifiers have the ability to keep
to print the ballots. We use the symbol : to denote an entire an issued ballot for purposes of auditing its printing. If a
vector within a matrix. ballot where chosen to be print audited and the first position
◦ P(:,1) ← U contained candidate Bob, then a row corresponding to this
F. Verification
We now show the steps that the verifiers take to check that
the published data corresponds to a tally that is correct. Recall
there are three sets of audits (and corresponding verifiers).
The first set, V1 , are the voters who check their receipts (or
provide a copy to someone they delegate to check on their
behalf). If the receipt corresponds to ballot number b and
contains s positions that are either marked (1) or unmarked
(0), the auditor should check that the status of each position
i on the receipt matches the status recorded at Mj , where
j = s(b − 1) + i.
Fig. 3. Auditing Eperio table instances. Two example instances of the
Eperio table during auditing. Each instance contains the same information,
The second set of verifiers, V2 , should check the linkage
but is independently shuffled. Left: E(:,3,1) was challenged to be list against their print audited ballots. Let a = L(i,k) for an i
revealed, allowing verifiers to tally the election. Right: E(:,1,2) was on their ballot and an instance k. Depending on the random
challenged to be revealed allowing voters to check their receipts. Grey
represents cryptographic commitments that will remain unopened (to protect
coin for instance k, V2 should check that E(a,1,k) matches the
ballot secrecy). associated markable region on the ballot or E(a,3,k) matches
the associated candidate. They should do this for all i on their
print audited ballot and each k in the election.
markable region will exist in E at an unknown row. The row These two audits establish that the reported marks corre-
will be different for each instance. If the ballot is printed spond to what appeared on voter’s completed ballots and that
correctly, each corresponding row in each instance should what appears on the ballot corresponds to what is in the pre-
contain Bob in the third column. The print auditor would like committed Eperio table. The final step is to ensure that the
assurance of this fact. asserted tally corresponds to the marks. Recall that for each
However since commitments to only entire columns E(:,1,k) of the x instances, a random coin was flipped to reveal value
and E(:,3,k) exist, this fact cannot be directly revealed without z ∈r {0, 1}. The third set of verifiers, V3 , should do the
decommitting both columns for a given instance. Doing this following.
would reveal which candidate was selected for every receipt ◦ for k = 1 to x:
and cannot be pursued. Instead, the election trustees will indi- ◦ z ← Zk
rectly establish this fact. The trustees assert the row number, ◦ Check Decommit(C(z+1,k) , R(z+1,k) E(:,2z+1,k) )
a, in each instance corresponding to every audited markable
◦ If z = 0, Check {E(:,1,k) , E(:,2,k) } ∼
= {Ui , Mi }
region. Which markable regions are audited is contained in
the marks list, M, with -1 recorded for that entry. The list of ◦ If z = 1, Check {E(:,2,k) , E(:,3,k) } ∼

Here = means that the two pairs of tables are isomorphic—
asserted row numbers is called the linkage list, L.
i.e., they are a permuted representation of the same informa-
◦ for i = 1 to u and k = 1 to x:
◦ if Mi = -1:
◦ Find: a s.t. E(a,1,k) = Ui IV. S ECURITY P ROOF
◦ L(i,k) ← a In this section, we prove that Eperio is complete, sound,
7) Audit Challenge and Response: After the tally has been and computationally secret. Given a transcript of the entire
posted, the trustees prove to an independent auditor that the protocol, the asserted tally can be either accepted or rejected.
tally was calculated correctly. They do this through a cut-and- If the asserted tally is correct, the decision will always be to
choose protocol. First the trustees regenerate the election secret accept (completeness). If the asserted tally is not correct, the
and the Eperio table. decision will be to reject with a high probability (soundness).
Finally, the outputs do not provide any information that can be
◦ κ ← KeyRec(y1 , . . . , yt+1 ) used by a computationally bounded adversary to determine any
◦ E ← GenE(κ) non-negligible information about which candidate was voted
Next, they invoke the public coin toss function to generate for by any voter (computational secrecy).
one flip for each of the x instances. To maintain consistency with the literature, we will denote
the trustees as the prover (P), who we initially consider un-
◦ for k = 1 to x: bounded in computation power. The three types of verifiers (V)
◦ z ← PubCoin() are considered to be bounded to probabilistic polynomial time
◦ Zk ← z (PPT). These bounds are used to demonstrate unconditional
integrity, and are latter reversed for a brief consideration of
◦ Publish: R(z+1,k)
everlasting privacy. Either entity may employ a malicious
◦ Publish: E(:,2z+1,k) strategy and we denote this with a prime (P 0 , V 0 ).
Depending on the flip, they either reveal the first two or last The Eperio verification protocol is challenge-response. The
two columns in each instance. This is illustrated in Figure 3. print audit uses an interactive challenge where verifiers choose
which ballots at random to check that the correspondence
between ballot positions and candidates is consistent with the
ACCEPTV (tr(P 0 ,V) (C, L, ρ, τ, E(:,2,:) , Rz )) ←
committed E table. The receipt check also uses an interactive
challenge where a random fraction of voters will choose to ACCEPTV1 (tr(P 0 ,V) (ρ)) ∩
check that the correspondence between ballot positions and ACCEPTV2 (tr(P 0 ,V) (C, L, Rz )) ∩
marks is consistent with the published marks E(:,2,:) . Finally ACCEPTV3 (tr(P 0 ,V) (C, ρ, τ, E(:,2,:) , Rz )). (1)
the tally audit uses a public coin challenge where the prover
is asked to reveal either E(:,1,x) or E(:,3,x) for a given x. We prove the soundness of the three right-hand decisions
Let Ω represent the description of an election; a mapping be- independently and then consider the implication of their
tween each ballot and the candidate who was voted. Consider conjunction. Since the proof protects against very strong
the pair hE, Ri, an Eperio table and the random factors used in adversaries, we also remark on what a real world adversary
committing to it. These two items are sufficient for generating may want to achieve as it relates to each proof.
all the other data structures needed in the verification protocol. a) Receipt Check: First consider the verification that the
Denote E as the set of all hE, Ri pairs that would correctly asserted receipts, ρ, match the physical receipts retained by
encode Ω, and Ē as the set of all other pairs. the voters: ACCEPTV1 (tr(P 0 ,V) (ρ)). This check does not prove
anything about the committed values directly, but is simply
designed to decide whether ρ alone is reputable. If it is,
A. Completeness this fact can be used to establish other facts more directly
An abbreviated transcript of the verification protocol fol- associated with the asserted tally τ .
lows: A malicious prover has a binary choice at this stage: to
P → V: C Commitment assert a correct value ρ or an incorrect ρ0 . If ρ0 is asserted, the
P ← V: M Challenge transcript’s acceptablity decreases in proportion to the number
P → V: ρ, L, E(:,2,:) , τ Response of voters verifying their receipts. Let b0r be the number of
P ← Coin: Z Challenge modified ballot receipts in ρ0 , and 0 ≤ p1 ≤ 1 represent
P → V: Rz Decommit the fraction of voters who conduct a receipt check. Further
Recall that τ represents the asserted tally and let ρ be the assume the distribution of b0r and the ballots associated with
asserted receipts. Assume E ∈ E for Ω. If P and V behave p1 are independent. In this case, the probability of rejecting
honestly and follow the protocol outlined in the previous an incorrect transcript is tightly approximated by:
section, then τ , ρ and L will also be consistent with Ω and the
three verifications performed by V will succeed with certainty. 0
It may be worthwhile to note that V’s acceptance is condi- Pr[REJECTP 0 ,V1 ] = (1 − (1 − p1 )br ). (2)
tional on many things beyond τ . If P were to commit to wrong In terms of real-world adversaries, this verification step is
values and reveal marks in the wrong position, but still report very important. A malicious set of trustees could use such an
the correct τ , the proof will be rejected. We do not classify attack to explicitly move votes from one candidate to another
this as a true negative error as we are determining whether the in ρ. This result can be generalized to any voting system where
proof is acceptable. voters check the inclusion of their obfuscated votes. Increasing
certainty in the tally proof can often be made exponential in
B. Soundness some chosen parameter (as we will show is the case with
Eperio), but this certainty will at some point overtake the
We now consider whether V will ever accept a proof when
certainty that the inputs are correct, which are fixed by p1
E ∈ Ē. If the probability of rejecting a false proof is much
and invariant to the security parameter of the system. Since
greater than 1/2, we say Eperio is sound. The soundness of
the soundness of the overall system rests in the weakest link—
Eperio relies on two assumptions:
increasing the certainty of the tally does not necessarily add
1) The function Commit(m, r) is perfectly binding. That security overall! Further attention should be paid to methods
is, for any m1 such that Commit(m1 , r1 ) = c1 , there for increasing partition in the receipt check, or introducing
does not exist any r2 and m2 6= m1 such that mechanisms to capture all the receipts. The only system we
Decommit(c1 , r2 ) = m2 . are aware of to address this is VoteBox, which includes their
2) The function PublicCoin() is perfectly unpredictable earlier AUDTITORUM protocol that could capture all receipt
before invocation. information [37].
Let tr(P 0 (E,Ω),V(M,Z)) (α) denote a transcript of a proof b) Print Audit: Next consider tr(P 0 ,V) (C, L, Rz ) which
given by a malicious prover with private information E(i,j,k) is used to determine if the linkage list, L, implies that the
and Ω to an honest verifier with challenges M and Z. The ballots were printed in a way that is consistent with the binary
proof concerns some public information α. We shorten the relation R(E(i,1,k) , E(i,3,k) ) for all i and k. These values
notation to tr(P 0 ,V) (α). Given a transcript, V will decide in are committed to in C and the partial relation E(i,2z+1,k) is
PPT-time to either ACCEPT or REJECT the transcript as a opened by Rz .
valid proof. If a malicious prover misprints b0p ballots, and 0 ≤ p2 ≤ 1
The logic of V’s strategy in terms of the three types of is the fraction of ballots that are print audited, the probability
verification is as follows, of a modified ballot being selected for audit is 1 − (1 − p2 )bp .
Pr@RejectV D
There are different ways to misprint a ballot, however any
surjective modifications are trivially detectable. Consider a 1.000 æææææææææææææææææææææææææ
misprinted ballot to be one that bijectively swaps the order æ

of some candidates. 0.998 æ

P 0 could escape detection by decommiting to the misprinted æææææææææææææææææææææææææææææææææææææææ

value, however we assume this is impossible by soundness 0.996 æ

assumption 1. Instead, P 0 must assert which i in E(i,j,k) 0.994
matches the printed ballot. For a given k, P 0 could choose
i such that E(i,1,k) is correct, and will escape detection if 0.992 æ

the coin flip is 0 but be detected if z = 1. Alternatively, the
prover could choose the row such that E(i,3,k) is correct, and 0.990 x
5 10 15 20 25 30 35 40
will escape detection if z = 1 but be detected if z = 0. Given
the second soundness assumption, P 0 cannot predict z to a Fig. 4. The Weakest Link. The probability that the transcript of an
E2E-enabled election will be discovered to be unsound, given ballots were
probability better than 1/2 for each instance 1 ≤ k ≤ x. In manipulated in an attempt reverse the outcome, is the minimum of two data
this case, series: a receipt audit (horizontal line) and tally audit (asymptote). The tally
audit converges on 100% as the number of proof instances, x, is increased.
The receipt audit however is a function of the number of voters checking their
0 1
Pr[REJECTP 0 ,V2 ] = (1 − (1 − p2 )bp )(1 − ). (3) receipts relative to the incidence of fraud. For example, if only a random 5% of
2x voters checked their receipts in a tight race, such as the 2008 Minnesota senate
In our estimate, a real-world adversary is unlikely to gain race in which the victory margin was 225 votes, the probability of detecting the
fraud would be 99.7%, meaning at x = 9, committing to additional instances
from misprinting ballots. The attack would begin with some would not have increased overall effective soundness.
prior knowledge of the expected distribution of votes—e.g.,
pre-election polls showing another candidate leading or an ex-
pected bias for a given precinct—and would involve mapping trustees could use such an attack to explicitly move votes from
the leading candidate’s votes to the adversary’s preferred can- one candidate to another in τ .
didate and the least preferred candidate to the main competitor. d) Overall Effective Soundness: We assume P 0 will
With x = 20 and 5% of ballots being print audited, the election adopt a proof strategy that minimizes the soundness of the
authority can be 99% certain that no more than 89 ballots were proof. Thus given a transcript with an incorrect public input,
misprinted and 50% certain that no more than 13 were. With the probability of it being rejected by V is,
20% checked, no more than 20 ballots were misprinted with
99% certainty and no more than 3 with 50% certainty. While a 0

99% detection rate tolerates a fairly high number of misprinted Pr[REJECTP 0 ,V ] = min[(1 − (1 − p1 )br ),
ballots, this attack is marginalized by the observation that a 0 1 1
(1 − (1 − p2 )bp )(1 − x ), (1 − x )]. (5)
successful execution will only probabilistically gain votes for 2 2
the attacker. For example, if working from poll data showing By estimating p1 and b0r , we can use this equation to
a 51-49% split between two candidates, misprinting 89 ballots determine a suitable x for our implementation. For example, if
will on average only net the attacker 2 votes. the close 2008 Minnesota senate race was run with Eperio, the
c) Tally Audit: Finally consider the verification that attacker would need to modify at least 113 marks to overthrow
the now validated receipt list, ρ, implies that the asserted the 225 victory margin.7 Setting aside misprinted ballots, if say
tally, τ , is correct. The partial relation E(i,2z+1,k) is opened 5% of voters would check their receipts, an incorrect ρ will be
by R(z+1,j) and can be considered along side E(:,2,:) ). detected with 99.7% certainty. Thus x must be increased until
If z = 0, this pair of values should match ρ. If z = the probability of detecting an incorrect τ is greater than this
1, the pair should match τ . Thus our consideration is probability, which occurs at x = 9 instances. This is shown in
ACCEPTV3 (tr(P 0 ,V) (C(i,j) , ρ, τ, E(:,2,:) , R)). Figure 4.
If E(:,2,:) is correct, then the tally produced by any E(i,3,k)
is also correct. However if E(:,2,:) is not correct, it is possible
for P 0 to assert a tally τ 0 that is incorrect and acceptable to C. Computational Secrecy
V. For a given k, P 0 could choose E(:,2,:) to match τ , and We now prove that Eperio achieves computational secrecy.
will escape detection if the coin flip is 0 but be detected if This relies on the following assumptions:
z = 1. Alternatively, P 0 could choose E(:,2,:) to match τ 0 , and 1) The maximum number of colluding trustees is t.
will escape detection if z = 1 but be detected if z = 0. Given 2) At least one trustee submits to DKG an fi drawn with
the second soundness assumption, P 0 cannot predict z to a uniform randomness from Ztl .
probability better than 1/2 for each instance 1 ≤ k ≤ x. In 3) All outputs are computed with a blackbox.
this case, 4) Any polynomial-sized output from PRNG(κ) provides
no non-negligible advantage to a PPT-bounded adversary
1 in guessing either κ, the next bit in the output, or any
Pr[REJECTP 0 ,V3 ] = (1 − ). (4)
2x unobserved previous bit.
In terms of real-world adversaries, this verification step is
very important. Like in the receipt check, a malicious set of 7
5) The function Commit(m, r) is semantically secure and from L or knowledge of one’s own receipt) and output non-
computationally hiding. That is, given either c1 = negligible information about how the permutation maps other
Commit(m1 , r1 ) or c2 = Commit(m2 , r2 ) for any pairs not in L. Given that the Permute() and PermuteBlock()
chosen m1 and m2 , a PPT-bounded adversary should functions are implemented with perfect shuffles, RecoverSel0 ()
have no non-negligible advantage in guessing which cannot be polynomial in time unless if the PRNG(), its seed κ,
message was committed to. or all the trustee shares follow a distinguishable distribution.
Our approach will be to demonstrate that a transcript As shown by cases (ii-a) and (ii-b) above, this cannot be.
provides a malicious verifier, V 0 , with no non-negligible in- Similarly, the information leaked by R is addressed by case
formation about which candidate was selected for any ballot (ii) above.
in the election. Let RecoverSel be a PPT-algorithm that returns This demonstrates that the Eperio verification protocol is
1 if it successfully recovers such information. Note that computationally secret in a single instance. We complete the
given a correct list of receipts and tally, some information proof by considering the composition of multiple instances
may be determinable. For example, the adversary may be of independently shuffled tables. Give a single instance, k, is
able to determine if a voter abstained or voted randomly secure, consider as an inductive step the addition of k + 1,
(if the adversary instructs voters to, say, always mark the
first position). If everyone votes for the same candidate then
RecoverSel will trivially succeed. For reasons such as these, |Pr[RecoverSel(ViewV 0 (ρ, τ, C(:,k) , C(:,k+1) , L(:,k) ,
we define a baseline success, ψ, which depends on the security L(:,k+1) , E(:,2,k) , E(:,2,k+1) , Rz,k , Rz,k+1 ) = 1] −
of the voting interface (out-of-scope in our paper) and only Pr[RecoverSel(ViewV 0 (ρ, τ, C(:,k) , L(:,k) ,
theorize that Eperio is computationally secret relative to ψ.
E(:,2,k) , R(z,k) ) = 1]| ≤ 5 (9)

Pr[RecoverSel(ViewV 0 (ρ, τ )) = 1] , ψ (6) Given the output of instance k, we show how a deterministic
polynomial time simulator could generate a second transcript,
We begin by proving, k+1, that is indistinguishable from a real transcript. Intuitively,
there is only one set of marks E(:,2,:) that will satisfy the
binary relation B(E(i,1,k) , ρ). However there are many permu-
|Pr[RecoverSel(ViewV 0 (ρ, τ, C)) = 1] −
tations of E(i,3,k) that satisfy the binary relation B(E(:,2,:) , τ ).
Pr[RecoverSel(ViewV 0 (ρ, τ )) = 1]| ≤ 1 + 2 . (7) The output of Eperio only proves that τ is correct, it does not
give any information about which receipts the votes for each
Assume there exists a polynomial time algorithm
candidate in τ came from. Any mapping of the results in τ
RecoverSel0 () that can distinguish these two views with
is plausible, and the simulator, SV 0 , only needs to generate a
greater than negligible advantage. Such an algorithm could
transcript of one of them.
take as input any set of commitments C and return non-
SV 0 will generate E such that E(i,1,k+1) is randomly shuf-
negligible information about the messages committed to.
fled along i for k+1. Next, SV 0 will fill in E(:,2,k+1) according
Consider two cases: (i) the random factors in the commitments
to ρ. Then, SV 0 will fill in E(i,3,k+1) for each i in L(i,j) with
are indistinguishable from uniform randomness and (ii) the
the appropriate candidate. Finally, SV 0 will randomly assign
random factors are distinguishable by a bounded V 0 .
candidates to the rest of E(i,3,k+1) such that τ is satisfied. The
Case (i) is in violation of assumption 5. Given RecoverSel0 ()
simulator will commit to this, generating C(i,j) .
runs in polynomial time, it cannot achieve more information
than . Let this information be 1 . If case (ii) holds, this can be The verifier, V 0 , will observe random bits Zi and challenge
further broken into two cases: (ii-a) the output of the PRNG() SV 0 to reveal R(z+1,j) . Since we have gone through the
function follows some distinguishable distribution and (ii-b) difficulty of validating all of the public parameters, SV 0 ’s
the seed to the PRNG() function follows some distinguishable output will be acceptable at this stage with probability 1. It
distribution. Case (ii-a) is in violation of assumption 4 which does not need to rewind the protocol.
implies that if RecoverSel0 () runs in polynomial time, it cannot Consider a bound on the size of E for a given Ω. Recall that
achieve more information than . Let this information be 2 . b is the number of ballots, s the number of selections, and x
Given that DKG() is information theoretic, case (ii-b) can only the number of instances. The construction of E(i,j,k) requires
hold if all of the trustee shares follow a known distribution, a two permutations, ΠS = s!b and ΠE = (bs)!x , while R(i,j)
violation of case (ii-b). requires two l-bit random factors for each instance, yielding
Now consider the following, 22xl possible values. The number of random bits for any E
is thus on the order of 2xl + b · O(s log s) + x · O(bs log bs).
For large enough b and s, this is much greater than the l
|Pr[RecoverSel(ViewV 0 (ρ, τ, C, L, E(:,2,:) , Rz ) = 1] bits of true randomness in κ. Thus, only a small subset of
−Pr[RecoverSel(ViewV 0 (ρ, τ, C)) = 1]| ≤ 3 + 4 . (8) E are possible outputs of the described protocol. Due to the
properties of the PRNG, a bounded simulation strategy cannot
Again assume RecoverSel0 () can distinguish these two distinguish this subset from a randomly generated E however a
views with greater than  advantage. Such an algorithm could unbounded V 0 can. This is the intuition behind Eperio offering
take as input several input-output pairs of a permutation (e.g., only computational secrecy.
D. Everlasting Privacy of the recent occasions where end-to-end verifiable voting
We now briefly sketch how to modify Eperio to achieve systems were used in real-life binding elections, semi-trusted
everlasting privacy. It requires three simple modifications. computers were deployed: e.g., Punchscan at the University of
First, the commitment function is replaced with one that is Ottawa [20], Helios at Université Catholique de Louvain [2],
perfectly hiding and computationally binding. This affects the and Scantegrity at Takoma Park, MD [14].
soundness proof as committed values can be opened, by an
unbounded adversary, to any value. Therefore the soundness of Cryptographic Commitment
the argument is only as hard as the computational bindingness We are interested in using file encryption as a commitment
of the commitments. This also changes assumption 5 of the function. Specific to Eperio, the columns of the Eperio table
secrecy proof. Second, trustees generate all of the randomness will be put into a file of a standard format, such as the comma-
needed to do the permutations and random factors. From a separated values (CSV) format, and an encryption of the file
practical standpoint, this significantly increases the complexity will be posted as a commitment to it. Later, the encryption key
of the protocol as a DKG is needed to threshold share will be revealed to open the file (making it a commitment with
every piece of randomness. Finally, given the direct source message recovery). While our implementation of Eperio can
of randomness, the PRNG can be eliminated. This removes be easily modified to work with any standard commitment
assumption 4 of the secrecy proof. function, we use this approach to simplify the experience
The first 3 secrecy assumptions still hold, demonstrating for voters who want to verify the proof for themselves. File
that everlasting privacy is achievable but only within a narrow encryption utilities are readily available, easy to use and fits
view of the protocol. For example, if at least t + 1 trustees within the common mental model of encryption: a secret
reveal their private inputs, privacy can still be broken. This message is protected by a secret and symmetric key.
holds for any distributed voting system in the literature.
Conjecture 1: Define a hiding-only “commitment”
function as (c, IV) ← WeakCommit(m, r) =
Er (IV, m), where E is a pseudorandom permu-
In this section, we revisit a few of the cryptographic tation using a chosen plaintext attack (CPA) se-
primitives needed in Eperio. In particular, we are interested cure mode of operation with initialization vector
in options that allow for useful deployment options. IV. While not binding, we conjecture that such
a “commitment” is computationally hiding.
Blackbox Computation Proof Sketch: To address the hidingness, consider an attack
The Eperio protocol requires the generation of the Eperio game where an adversary A provides equal-length messages
table to be done using a blackbox computation. While in m1 and m2 to an oracle O. O generates a random value r
theory, the task performed by the blackbox could be made and IV, flips a coin z, and returns (cz , IV) = Er (IV, mz ).
into a multiparty computation (where only privacy is required A must guess if cz is a commitment to m1 or m2 (or that
as correctness is provided by Eperio), we instead propose the both are possible under a different r). Assume an algorithm
use of a semi-trusted computer. z ← Ah (m1 , m2 , cz , IV) exists that can guess z correctly with
A semi-trusted computer in this context is only trusted to non-negligible advantage. It is straightforward to see how this
provide private evaluation of functions; the correctness can be algorithm would provide an advantage in a chosen plaintext
determined through the audit. However, to prevent elections attack game: the adversary would submit the CPA challenge
from having to be rerun when a post-election audit reveals values to Ah and respond with z. Since the scheme is assumed
errors or fraud, mechanisms are provided to encourage correct to be CPA-secure (heuristically in the case of something like
evaluation. We assume that source code for the functions to be AES-CBC), Ah can be assumed to be not computable by
evaluated is provided for inspection prior to its use, and the a PPT-bounded adversary. Thus the commitment scheme is
computer is capable of providing an attestation mechanism computationally hiding and conjecture 1 holds.
to assure the trustees that the same verifiable code is being Breaking the bindingness of WeakCommit is, of course,
booted on the computer. We also assume that trustees can trivial as Dr (IV, c) = m for a random r is overwhelmingly
interact with the trusted computer over a physically untappable likely to reveal an m 6= m1 . However, in this particular
channel to submit their secret shares. This could be plugging application, de-committing to an arbitrary string of bits is
a USB stick with the share into the computer. The software unlikely to be of use should an adversary actually wish
should be suitably hardened to prevent trustees from injecting to decommit to something meaningful. This is akin to the
code or conducting a buffer overflow attack when entering difference between existential forgery and selective forgery
their shares. in MAC security (or collision resistance and target collision
Eperio is a stateless protocol. All tasks performed by the resistance in hash function security). Consider a game where
trustees can be accomplished by regenerating the Eperio table, O chooses a random m1 and m2 and provides this to A. A
and the regeneration of this table can be accomplished through must find an r1 and r2 such that Er1 (IV, m1 ) = Er2 (IV, m2 ).
a threshold of secret shares from the trustees. Therefore the Assume an algorithm Ab exists that can return such a r1
computer should not have any persistent memory and its and r2 . We do not pursue an intractability argument for Ab as
internal state should be purged after the outputs have been it implies a weaker commitment function than those standard
published. While this assumption may seem strong, in each in the literature. For example, with a Pedersen commitment
[33], finding any (m, r) pair, meaningful or not, is as hard as cipher, under the assumption that the block cipher models a
the discrete logarithm problem. Instead, we will demonstrate pseudorandom permutation, a CPA-secure mode of operation
a commitment for which it is statistically unlikely that such a is selected, and the keyspace is equal to the message space.
pair could exist. In particular, if |c|  |m| × |r|, this property We model this ideal functionality in the real-world with AES-
could hold. We cannot decrease |r| without ramifications for 128-CBC in the next section.
the hidingness of the commitment, however we can effectively
increase the |c| : |m| ratio by adding redundancy to m prior Public Coin Toss
to committing to it.
Voting systems often require the use of a public coin (or
Conjecture 2: Define a commitment function as
beacon) for the purposes of fairly implementing the cut-and-
(c, IV) ← Commit(m, r) = Er (IV, mkf (m)),
choose aspect of the audits. In the case of conventional voting,
where E is a pseudorandom permutation us-
it is used to select precincts for manual recounts. Cordero
ing a CPA-secure mode of operation. We con-
et al. suggest a protocol using dice [18]. Clark et al. note
jecture that such a commitment is computa-
that dice outcomes are only observable by those in the room,
tionally hiding and statistically binding for an
and suggests a protocol for auditing E2E ballots using stock
appropriate choice of f . We define m0 ←
market prices and volumes [16]. This was suggested earlier
Decommit(c, IV, r) = Dr (IV, c), which is only
by Waters et al. outside of the voting context [38]. A further
accepted when m0 has the correct form mkf (m).
alternative is to use the Fiat-Shamir heuristic [22], which is
Proof Sketch: The hiding property remains intact from secure in the random oracle model. However, a requirement
WeakCommit. We say Commit is statistically binding for a for Fiat-Shamir is that the challenge space is large. In our
correctly formed m0 if, case, the number of challenge bits is the same as the number
of proof instances, which is unsuitable for 10 or 20 instances.
p , Pr[∃m0 s.t. (c, IV) = Commit(m0 , r0 )| Thus, we use the stock market protocol as follows: the output
from a statistically-sound PRNG is seeded with a hash of a
(c, IV) = Commit(m, r) & m 6= m0 ] ≤ negl(|r|). (10)
pre-selected portfolio of closing stock prices and volumes.
(We will abuse notation by reusing variable names from Evaluation of challenges occurs at least a full business day
the previous section.) Consider f (m) = mkm; that is, after the audit data has been committed to [16].
Commit(m, r) = Er (IV, mkmkm). If so, the probability p
of an m0 and r0 , as defined in Equation 10, existing given VI. I MPLEMENTATION
an m and r takes the following form where x is the size of In this section, we consider implementation possibilities for
domain of the commitment function and y, the co-domain. the verification interface of an election run using Eperio. The
requirements for the receipt check (proof of Property 1b in
1 Section II) and the first component of the print audit (proof of
p = 1 − (1 − )x−1 (11)
y Property 1a) primarily involve looking up an serial number in
Let the input to E be a message block of bit-length |m̄| a sorted list and therefore are simplistic enough to not require
and a key of bit-length |r|. For a message with b blocks their own implementation per se. The requirements for the
(|m| = b|m̄|), the domain of Commit is x = 2|r|+b|m̄| . The 2 tally audit (proof of Property 1c) and the verification of the
repetitions of |m| are fixed by choice of the domain, and the print audit linkage lists will however require symmetric-key
initialization vector is a constant. The co-domain is y = 23b|m̄| , file encryption and basic data operations and will be the subject
with the factor of 3 due to the redundancy function f . We of our discussion. We present three options for implementing
are interested in an upper-bound to equation 11 with these the encryption and data operations individually, as well as one
values of x and y. As we are not trying to prove a general “all-in-one” option as a future possibility.
case, assume for simplicity that |m̄| = |r|, and note that b is a
positive integer such that p is maximized when b is minimized. A. Overview
The upper bound at b = 1 is given as Equation 12. We assume each instance of the receipt list E(:,1,i) and
candidate list E(:,3,i) are generated during the black-box
1 22|r| −1 computation and written into their own CSV file. These files
p ≤ 1 − (1 − ) (12)
23|r| shall be encrypted individually, under their own independently
22|r| derived secret-key, using standard file encryption software in
≈ 1 − exp(− 3|r| ) (13)
2 accordance with the commitment scheme described in the
= 1 − exp(−2−|r| ) (14) previous section. The encrypted files are posted to the bulletin
≤ negl(|r|) (15) board prior to the election along with an election definition.
After the election, each instance of E(:,2,i) is computed in a
Equation 13 follows from the approximations that (1 − black-box computation and put into a CSV file and posted (in
1/y)x ≈ exp(−x/y) and (1 − 1/y)−1 ≈ 1 for large y. plaintext) to the bulletin board alongside an asserted receipt-
We have demonstrated a very specific statistically hiding and tally-lists. After the passing of a business day, the closing
commitment function that can be constructed from a block prices of the stock market are used to generate a public audit
challenge. For each instance i the secret key to one of either TrueCrypt file dialog. The user can then work in the spread-
E(:,1,i) or E(:,3,i) is challenged to be published. As a means of sheet with the decrypted file directly from the mounted True-
simulating the append-only property of the bulletin board, we Crypt volume. Spreadsheets offer the advantage that verifiers
assume verifiers will download these files as they are made can manually work through the audit process without having
available. to examine or understand custom software code. The data
operations themselves are basic: copy, paste, sort and compare
data columns from several different files. We tested the manual
B. Standalone File Encryption and Small Custom Codebase verification steps in two popular spreadsheet applications:
This first implementation option is most closely related Microsoft Excel 2007 and Calc 3.0. The full
those of existing systems: verifiers write a program in their version of this paper provides a set of directions for manual
favorite language to perform the verification steps. It is also verification using OpenOffice Calc.
the option with the most technical requirements: the ability Although the integrity proofs could be performed manually
to write (or analyze) software code and use a command-line by a user in a few basic spreadsheet operations, the repetition
interface. of checking multiple instances can become tedious to a user,
Implementation Option 1 (OpenSSL and and for this reason we consider automating the process using
Python): A Phython script externally calls spreadsheet macros. This third option combines the conve-
OpenSSL to decrypt relevant files and then nience of executing a custom code base with the widespread
performs the audits using those files. pre-existing availability of spreadsheets.
Implementation Option 3 (TrueCrypt and
We implemented proofs of properties (1a) and (1c) in a
Spreadsheet Macros): A verifier decrypts in-
compact fifty (50) lines of Python code, and have placed it
dividual files, mounting them as TrueCrypt vol-
online along with sample election audit data8 . As will be
umes, and uses a spreadsheet macro to perform
discussed in the following section, this represents the smallest
data operations.
implementation of a verification interface relative to other
major implementations by an order of magnitude. We tested Spreadsheet macros also offer the advantage of easy execution
this implementation on Ubuntu 7.10 (Python 2.5) and 9.10 from within the application. Excel allows easy viewing and
(Python 2.6) as well as on Mac OSX Leopard and found that editing of the macro source code using a built-in VBA
it could be executed directly from the command-line without development environment. As a downside, Excel 2007 is not
any other user action (i.e., without additional installation or configured by default to run unsigned macros. These security
configuration). Verifiers using Windows would be required to warnings may be contradictory to the user’s expectations in
install Python and OpenSSL, or as an alternative, they could the context of a security proof, however the warning can be
be directed to burn an Ubuntu live cd, and with the election eliminated by purchasing a code signing certificate from a
data and verification script on a USB key, could run the entire commercial authority for a fee.
audit without actually installing software on their machine.
D. Spreadsheets as an All-in-one Solution?
C. Standalone File Encryption and Spreadsheets Most major spreadsheets, including Calc and Excel, provide
built-in file encryption, suggesting commitments could be
An interesting alternative to writing a custom codebase
issued as encrypted workbooks. Although there is no funda-
is to use a spreadsheet which can import a CSV file as a
mental reason why a spreadsheet could not provide secure file
worksheet. We believe that spreadsheets can help broaden the
encryption, spreadsheets ultimately are not designed with doc-
real-world appeal of E2E verification, given many citizens
ument security as a priority. Indeed improper implementation
who are not accustomed to reading or writing software do
of RC4 in Microsoft Office 2003 [39], as well as only allowing
use spreadsheets. Spreadsheets have grown to become one of
40-bit keys, rightfully contributes to a sense of skepticism
the most familiar computer applications, capturing a diverse
about whether spreadsheets (even current versions) can provide
cross-section of users in government, enterprise, and consumer
the necessary security properties for our purpose. Office 2007
sectors. Because we are offering spreadsheets as a less tech-
uses 128-bit AES encryption in CBC mode9 and OpenOffice
nical alternative, we pair it with a file encryption utility that
uses 128-bit Blowfish in cipher-feedback (CFB) mode10 . At
has a graphical user interface.
a cursory level, the fundamentals of a secure commitment
Implementation Option 2 (TrueCrypt and scheme seem present.
Spreadsheets): A verifier decrypts individual However digging deeper reveals some potentially unde-
files by mounting them as TrueCrypt volumes, sirable properties. OpenOffice in particular has a privacy
and performs the audits using those files manu- weakness that would render it unsuitable to enforce the hiding
ally in a spreadsheet. property of a cryptographic commitment. Specifically at issue
The cryptographic operation requires the user to copy and is OpenOffice’s hashing of the first kilobyte of the compressed
paste an ASCII encoded key from a spreadsheet cell into a workbook and storing this hash (called SHA1/1k)—unsalted
8 Verification reference implementation and sample election data available 9 MS-OFFCRYPTO: Office Document Cryptography Structure v1.06
at: 10 Open Document Format for Office Applications (OpenDocument) v1.2
and unencrypted—in the encrypted file’s meta data. This of comparison a sample election of Helios v1. may provide
vulnerability would conceivably allow an adversary to recover some insight: here a ballot with 4 selections, 500 ballots and
at least the first portion of the encrypted column E(:,j,i) using 80 proof instances took approximately 4 hours to complete [1].
a brute-force search on the reasonably small space of possible A simulated dataset of a similarly sized Eperio election took
values the cells could hold while being sensible in the context 1.13 seconds to complete. We note however that Helios v2. is
of an election. This could potentially result in the receipt- a fundamentally different proof mechanism and thus in many
candidate associations of several voters being identifiable. ways, a direct comparison is difficult to make. However the
It would appear that current spreadsheets are not quite major differences in the performance of Helios’ verification
yet suitable for implementing cryptographic commitments. interface, both in code size and execution time can largely
However the prospect of an “all-in-one” election verification be attributed to the use of specialized homomorphic public-
tool already being installed on most voters’ computers is an key operations. Finally, and because of this, Helios requires
intriguing one. Until that time comes however, we shall con- custom cryptographic software components.
sider spreadsheets solely for the non-cryptographic operations Scantegrity: The Scantegrity II system was used in a
of election verification. municipal election in Takoma Park, Maryland in 2009. This
was an optical-scan based election consisting of 6 wards
E. Understanding Errors each of 5000 ballots and 20 proof instances. There were
two independent audits performed (supra. note 3). The first
It is important that any verification interface be able to implementation consisted of almost 850 lines of Python. We
communicate meaningful error messages so that a user is had an unresolvable execution issue that allowed us to only
reasonably able to distinguish between a user error (e.g., partially verify the election using this codebase, but we found
missing files, using the wrong key, etc) and an election data that auditing one ward took at least 7 minutes. The second
error (e.g., failed decommitment, inconsistent tables, etc). In implementation consisted of almost 900 lines of Java and
the former case, an error would have to convey which action required 56 seconds to complete. A simulated dataset of a
the user can take to resolve the problem. In the latter case, the similarly sized Eperio election took 29.0 seconds to complete.
error should be able to convey how to seek further assistance. We acknowledge however that Scantegrity is a more mature
User studies would be necessary to determine whether a implementation which factors in additional features (provi-
script’s error handling was suitable for this. Note that error sional ballots, dispute resolution and public coin verification)
messages are not possible with implementation option 2, and that we leave for future work. Despite this, we contend that
therefore a well annotated instruction manual (or video) would the performance increases over Scantegrity are fundamental,
be necessary. and can be attributed to three features: linkage lists, column-
wise commitments, and the inherent “net-less” structure of the
Several implementations of E2E systems exist, however we
only consider the performance and code length of Eperio’s VIII. R ELATED W ORK
verification interface relative to systems that have recently con- Throughout the 1980s and 1990s, many protocols for crypt-
ducted binding elections: Punchscan, Helios, and Scantegrity. ographic voting were proposed, the majority based on either
Specifically we compare the Eperio reference implementation mix networks, originating with Chaum [12], or additive homo-
(option 1—Python) to the implementations of the these sys- morphic encryption, originating with Benaloh and Tuinstra [8].
tems. All Eperio timing data was performed on a 2.4GHz Duo The first generation of mixnet protocols appeared before
Core MacBook Pro (MB470). Our Eperio verification interface techniques for provably correct mixing were known, including
is implemented in 50 lines of code. a well-studied protocol by Fujioka et. al [23], while second
Punchscan: The Punchscan system was used in a student generation protocols, originating with Sako and Killian [36],
election at the University of Ottawa in 2007. This was an use a correctness proof.
optical-scan election consisting of 12 selections, 5000 ballots Recently, implementation issues are given more consider-
and 10 proof instances. The provided verification software ation. VoteHere [32] and Votegrity [13] are early electronic
consists of approximately 2000 lines of C#. We ran their audit systems where voters do not need to perform traditional
software on their provided election data and found it took 75 cryptography, while VoteBox [37] allows voters to obtain
seconds to complete. In comparison, a simulated dataset of a an encrypted ballot from an untrusted machine using a cut-
similarly sized Eperio election took 9.3 seconds to complete and-choose protocol due to Beneloh [7]. Prêt à Voter [15],
with our reference implementation. Punchscan [34], Scratch & Vote [3], ThreeBallot [35], and
Helios: The Helios v2. system was used in a student Scantegrity [14] are examples of systems that use paper
election at the Université catholique de Louvain in 2009 [2]. ballots, require no cryptography for vote capture, and offer
This was an internet-based election consisting of approxi- a privacy preserving receipt to each voter. Civitas [17] is an
mately 4000 voters who voted for a university president. We internet system based on a protocol by Juels et al. [27] for high
were unable to make a comparison with Helios verification coercion elections, while Helios is designed for low coercion
code as used in the UCL election: no timing data for the internet elections [1].
audits was given and the UCL bulletin board data appears The cryptographic proofs in these systems use a variety of
to have been taken offline at the time of writing. As a point approaches, including zero-knowledge proofs, cut-and-choose
protocols, and randomized partial checking [26]. Eperio is [18] A. Cordero, D. Wagner, and D. Dill. The role of dice in election audits.
perhaps closest to Scantegrity, which also breaks election WOTE 2006.
[19] Election Data Services Inc. Voting equipment summary by type as of
data into markable regions and uses a blackbox computation. 11/07/2006. 2006.
However Eperio uses a more compact data structure, no [20] A. Essex, J. Clark, R. T. Carback, and S. Popoveniuc. Punchscan in
pointers, and does not need to commit at the high level of practice: an E2E election case study. WOTE 2007.
[21] Federal Constitutional Court of Germany. Judgement 2 BvC 3/07, 2
granularity that Scantegrity does. BvC 4/07, Verfahren über die Wahlprüfungsbeschwerden, 2009.
[22] A. Fiat and A. Shamir. How to prove yourself: practical solutions to
identification and signature problems. CRYPTO ’86.
IX. C ONCLUDING R EMARKS [23] A. Fujioka, T. Okamoto, and K. Ohta. A practical secret voting scheme
The contemporary verification process for electronic voting for large scale elections. In ASIACRYPT ’92.
[24] E. Hubbers, B. Jacobs, and W. Pieters. RIES: Internet voting in action.
is deficient. Independent security reviews are generally rare, COMPSAC 2005.
time-constrained affairs subject to non-disclosure. While we [25] S. Inguva, E. Rescorla, H. Shacham, , and D. S. Wallach. Source code
advocate greater transparency for existing election technology, review of the Hart InterCivic voting system. State of California’s Top
to Bottom Review, 2007.
we also contend that end-to-end verification offers a distinct [26] M. Jacobsson, A. Juels, and R. L. Rivest. Making mix nets robust
advantage: verification becomes a task of checking election for electronic voting by randomized partial checking. USENIX Security
data not software and equipment. This may appear to simply Symposium 2002.
[27] A. Juels, D. Catalano, and M. Jacobsson. Coercion-resistant electronic
shift the problem: the prevailing methods for verifying E2E elections. WPES 2005.
election data is with software. However it is not a simple shift. [28] J. Katz. Universally composable multi-party computation using tamper-
In nearly all E2E systems, the verification code is smaller than proof hardware. EUROCRYPT ’07
[29] T. Kohno, A. Stubblefield, A. D. Rubin, and D. S. Wallach. Analysis of
the hundreds of thousands of lines of code in a modern DRE. an electronic voting system. IEEE Symposium on Security and Privacy
With Eperio, it is much smaller—four orders of magnitude 2004.
smaller—and verification can even be performed manually [30] T. Moran and M. Naor. Split-ballot voting: Everlasting privacy with
distributed trust. CCS 2007.
without any code. By making verification more accessible [31] T. Moran and G. Segev. David and Goliath commitments: UC computa-
to voters, we contend that Eperio is an important democracy tion for asymmetric parties using tamper-proof hardware. EUROCRYPT
enhancing technology. ’08.
[32] C. A. Neff. Practical high certainty intent verification for encrypted
votes. Technical report, VoteHere, 2004.
R EFERENCES [33] T. P. Pedersen. A threshold cryptosystem without a trusted party.
[1] B. Adida. Helios: web-based open-audit voting. USENIX Security [34] S. Popoveniuc and B. Hosp. An introduction to Punchscan. WOTE
Symposium 2008. 2006.
[2] B. Adida, O. de Marneffe, O. Pereira, and J.-J. Quisquater. Electing a [35] R. L. Rivest and W. D. Smith. Three voting protocols: Threeballot, VAV,
university president using open-audit voting: analysis of real-world use and Twin. EVT 2007.
of Helios. EVT 2009. [36] K. Sako and J. Kilian. Receipt-free mix-type voting scheme: a practical
[3] B. Adida and R. L. Rivest. Scratch & Vote: self-contained paper-based solution to the implementation of a voting booth. EUROCRYPT ’95.
cryptographic voting. WPES 2006. [37] D. R. Sandler, K. Derr, and D. S. Wallach. VoteBox: a tamper-evident,
[4] A. W. Appel, M. Ginsburg, H. Hursti, B. W. Kernighan, C. D. Richards, verifiable electronic voting system. USENIX Security Symposium 2008.
G. Tan, and P. Venetis. The New Jersey voting-machine lawsuit and the [38] B. Waters, A. Juels, J. A. Halderman, and E. W. Felten. New client
AVC Advantage DRE voting machine. EVT 2009. puzzle outsourcing techniques for DOS resistance. CCS 2004.
[5] A. Aviv, P. Cerny, S. Clark, E. Cronin, G. Shah, M. Sherr, and M. Blaze. [39] H. Wu. The misuse of RC4 in Microsoft Word and Excel. Cryptography
Security evaluation of ES&S voting machines and election management ePrint Archive, 2005/007, 2005.
system. EVT 2008. [40] United States Election Assistance Commission (EAC). The 2008
[6] J. Benaloh. Verifiable secret-ballot elections. PhD thesis, Yale Univer- voluntary voting system guidelines (v1.1), 2009.
sity, 1987.
[7] J. Benaloh. Simple verifiable elections. EVT 2006.
[8] J. Benaloh and D. Tuinstra. Receipt-free secret-ballot elections. STOC
[9] M. Blaze, A. Cordero, S. Engle, C. Karlof, N. Sastry, M. Sherr,
T. Stegers, and K.-P. Yee. Source code review of the Sequoia voting
system. State of California’s Top to Bottom Review, 2007.
[10] K. Butler, W. Enck, H. Hursti, S. McLaughlin, P. Traynor, and P. Mc-
Daniel. Systemic issues in the Hart InterCivic and Premier voting
systems: reflections on project everest. EVT 2008.
[11] J. A. Calandrino, A. J. Feldman, J. A. Halderman, D. Wagner, H. Yu,
and W. P. Zeller. Source code review of the Diebold voting system.
State of California’s Top to Bottom Review, 2007.
[12] D. Chaum. Untraceable electronic mail, return addresses, and digital
pseudonyms. Communications of the ACM, 24(2), 1981.
[13] D. Chaum. Secret-ballot receipts: true voter-verifiable elections. IEEE
Security and Privacy, 2(1), 2004.
[14] D. Chaum, R. Carback, J. Clark, A. Essex, S. Popoveniuc, R. L. Rivest,
P. Y. A. Ryan, E. Shen, and A. T. Sherman. Scantegrity II: end-to-
end verifiability for optical scan election systems using invisible ink
confirmation codes. EVT 2008.
[15] D. Chaum, P. Y. Ryan, and S. A. Schneider. A practical, voter-verifiable,
election scheme. ESORICS 2005.
[16] J. Clark, A. Essex, and C. Adams. Secure and observable auditing of
electronic voting systems using stock indices. IEEE CCECE 2007.
[17] M. R. Clarkson, S. Chong, and A. C. Myers. Civitas: toward a secure
voting system. IEEE Symposium on Security and Privacy 2008.
A. Eperio Audit Data Specification
All (unencrypted and decrypted) election data files are formatted as UTF-8 encoded Comma Separated Values (CSV).
Columns are separated by the delimiter ‘,’ (0x2C) and rows are separated by a carriage return (0x0A).

File Naming and Formatting Convention
For an election of b ballots, c candidates, I proof instances, of which p were print audited, the following files will be
generated and posted to the bulletin board through the course of the election verification timeline
$electionDir$/AssertedReceipts.csv: is a bc × 2 list containing an assertion of all receipt information
created during an election. Each element in (:, 1) is unique election references: s-p where 1 ≤ s ≤ b is a ballot
serial number and 0 ≤ p ≤ c − 1 a mark position. Elements in column (:,2) represent the corresponding mark
state registered during the election, either 0, 1, or -1 indicating the corresponding unique reference was either
unmarked, marked or print audited respectively.
$electionDir$/AssertedTally.csv: is a bc × 2 list containing an assertion of aggregate voting intent
created during an election. Column (:, 1) is a list of b repetitions of c candidate names. Elements in column (:, 2)
represent the corresponding mark state.
$electionDir$/LinkageList.csv: is a p × i + 2 list containing an assertion of the association between
receipt (:, 1) and candidate (:, 2) for all print audited ballots, as well as an assertion of the row number the entry
in each of the I instances of shuffled receipt (U) and tally (S) lists.
$electionDir$/ChallengeKeys.csv: is a i × 2 list containing a respond to the audit challenge. Elements
at (i, 1) represent the relative file path to the file that was challenged: the i-th shuffled instance of the receipt
list $electionDir$/i/Ui or tally list $electionDir$/i/Si respectively. Elements at (i,2) represent the
corresponding revealed decryption key to the file (128-bits, BASE64 encoded).
For each instance 1 ≤ i ≤ I:
$electionDir$/i/Si.csv: is a bc × 3 list representing a shuffled instance of column (:,1) of
AssertedTally.csv repeated three times (as per the commitment scheme described in section V) in columns
(:, 1), (:, 2) and (:, 3) respectively.
$electionDir$/i/Ui.csv: is a bc × 3 list representing a shuffled instance of column (:, 1) of
AssertedReceipts.csv repeated three times as above.
$electionDir$/Marks/Mi.csv: is a bc × 1 list representing a shuffled instance of column (:, 2 of
AssertedReceipts.csv and AssertedTally.csv.

File Encryption Conventions
128-bit file encryption keys are derived by the semi-trusted trustee workstation and BASE64 encoded for convenience of
transmission over the internet. The two file encryption options (OpenSSL and TrueCrypt) use their own password-based key
derivation functions. OpenSSL and TrueCrypt encrypted files are denoted by the .enc and .tcr extensions, and use AES-
128-CBC and AES-128-XTS encryption modes respectively. There is no inherent way to bypass the key-derivation process
of these applications to directly apply a binary key. As such the BASE64 encoded keys are supplied as passwords and each
program (OpenSSL, TrueCrypt, etc) will derive its own (binary) encryption key using its own particular password based key
derivation function. In OpenSSL the workstation applies the -a command option to BASE64 encode the encrypted output for
safe internet transport.
B. Source code for Implementation Option 1 (Python)
1 import csv , os , s t r i n g , t i m e , s y s
2 d e f openCSV ( f i l e N a m e ) :
3 data = []
4 f i l e C o n t e n t s = open ( f i l e N a m e , ’ r ’ )
5 for i in f i l e C o n t e n t s :
6 d a t a . append ( i . s t r i p ( ) . s p l i t ( ” , ” ) )
7 return data
8 def v e r i f y F a i l e d ( errorMsg ) :
9 print errorMsg
10 sys . e x i t ( )
11 def verifyCommitment ( i n s t a n c e ) :
12 o s . s y s t e m ( ” o p e n s s l e n c −d −a e s −128−c b c −a −i n ” + i n s t a n c e [ 0 ] + ” . e n c −o u t ” +
i n s t a n c e [ 0 ] + ” . c s v −p a s s p a s s : ” + i n s t a n c e [ 1 ] )
13 d a t a = openCSV ( i n s t a n c e [ 0 ] . s t r i p ( ’ ” ’ ) + ” . c s v ” )
14 col = []
15 for i in data :
16 i f i [ 0 ] ! = i [ 1 ] or i [ 0 ] ! = i [ 2 ] :
17 v e r i f y F a i l e d ( ” I n v a l i d Commitment ” )
18 return [ i [ 0 ] for i in data ]
19 def getMarks ( i n s t a n c e ) :
20 marks = openCSV ( ” . / Marks /M”+ i n s t a n c e [ 0 ] [ 2 : 4 ] + ” . c s v ” )
21 r e t u r n [ i [ 0 ] f o r i i n marks ]

23 a s s R e c e i p t s = s o r t e d ( openCSV ( ’ . / A s s e r t e d R e c e i p t s . c s v ’ ) )
24 a s s T a l l y = s o r t e d ( openCSV ( ’ . / A s s e r t e d T a l l y . c s v ’ ) )
25 pwds = openCSV ( ’ . / C h a l l e n g e K e y s . c s v ’ )
26 l i n k a g e L i s t = openCSV ( ’ . / L i n k a g e L i s t . c s v ’ )
27 f o r i , i n s t a n c e i n e n u m e r a t e ( pwds ) :
28 merged = [ ]
29 d a ta = verifyCommitment ( i n s t a n c e )
30 marks = g e t M a r k s ( i n s t a n c e )
31 for index in range ( len ( data ) ) :
32 merged . a p p e n d ( [ d a t a [ i n d e x ] , marks [ i n d e x ] ] )
33 i f i n s t a n c e [ 0 ] [ 5 ] == ”U” :
34 for b a l l o t , linkage in enumerate ( l i n k a g e L i s t ) :
35 i f l i n k a g e L i s t [ b a l l o t ] [ 0 ] ! = merged [ i n t ( l i n k a g e L i s t [ b a l l o t ] [ i + 2 ] )
− 1][ 0] or merged [ i n t ( l i n k a g e L i s t [ b a l l o t ] [ i + 2 ] ) − 1][ 1] ! = ”−1” :
36 v e r i f y F a i l e d ( ” L i n k a g e l i s t FAIL : R e c e i p t i n s t a n c e #%d d o e s
n o t d o e s n o t match l i n k a g e l i s t ” % ( i + 1 ) )
37 i f a s s R e c e i p t s == s o r t e d ( merged ) :
38 p r i n t ” I n s t a n c e %d v e r i f i e d ” % ( i + 1 )
39 else :
40 v e r i f y F a i l e d ( ” V e r i f i c a t i o n FAIL : R e c e i p t i n s t a n c e #%d d o e s n o t match
a s s e r t e d r e c e i p t l i s t ! ” % ( i +1) )
41 e l i f i n s t a n c e [ 0 ] [ 5 ] == ”S” :
42 for b a l l o t , linkage in enumerate ( l i n k a g e L i s t ) :
43 i f l i n k a g e L i s t [ b a l l o t ] [ 1 ] ! = merged [ i n t ( l i n k a g e L i s t [ b a l l o t ] [ i + 2 ] )
− 1][ 0] or merged [ i n t ( l i n k a g e L i s t [ b a l l o t ] [ i + 2 ] ) − 1][ 1] ! = ”−1” :
44 v e r i f y F a i l e d ( ” L i n k a g e l i s t FAIL : T a l l y i n s t a n c e #%d do \
t e x t t t {BASE64} e n c o d e d e s n o t d o e s n o t match l i n k a g e l i s t
” % ( i + 1) )
45 i f a s s T a l l y == s o r t e d ( merged ) :
46 p r i n t ” I n s t a n c e %d v e r i f i e d ” % ( i + 1 )
47 else :
48 v e r i f y F a i l e d ( ” V e r i f i c a t i o n FAIL : T a l l y i n s t a n c e #%s d o e s n o t match
a s s e r t e d t a l l y l i s t ! ” % ( i +1) )
49 else :
50 verifyFailed ( ” Instance filename is i n c o r r e c t l y formatted ” )
C. User Instructions for Option 2 (Manual Verification)
The following instructions were tested in Calc 3.0 and TrueCrypt 6.0a. The user is assumed to have
downloaded all relevant data files to directory /$electionDir$/. Let i represent the instance number the verifier wishes
to check.

Part I: Verify Commitments
In Calc:
• Open $electionDir$/ChallengeKeys.csv
• Let $filePath$ represent the contents of cell Ai

In TrueCrypt:
• Select a free drive letter (without loss of generality assume Z:)
• Click Select File → Select $electionDir$/$filePath$.trc → Open

In Calc:
• Click on cell Bi → CTRL + C

In TrueCrypt:
• Click Mount → CTRL+V → OK

In Calc:
• Open Z:/$filePath$.csv,
• In cell D1 type formula =A1=B1,
• Click on cell D1 once and double click on the square in the bottom right corner of the cell to apply the formula to all
cells in the column,
• In cell E1 type formula =A1=C1,
• Click on cell E1 once and double click on the square as before,
• In cell F1 type formula =COUNTIF(D1:E65536;0),
• If F1 equals 0, the commitment is verified.

Part II: Comparing decommitted list to assterted list
In Calc:
• Let $asserted$ represent $electionDir$/AssertedReceipts.csv if $filePath$ is /i/Ui, otherwise let
it represent $electionDir$/AssertedTally.csv if $filePath$ is /i/Si
• Open $electionDir$/$asserted$.csv,
• Click Data → Sort. Select Sort by Column A (Ascending) and Then by Column B (Ascending) → OK,
• In Z:/$filePath$.csv click on column A → CTRL+C,
• Open $electionDir$/Marks/Mi.csv,
• Right click on column A → Insert Columns → CTRL+V,
• Click Data → Sort. Select Sort by Column A (Ascending) and Then by Column B (Ascending) → OK,
• Holding CTRL click columns A and B → CTRL+C,
• In the asserted list, click column C → CTRL+V,
• In cell E1 type formula =A1=C1 and apply formula to all cells in the column as previously described,
• In cell F1 type formula =B1=D1 and apply to all cells in the column,
• In cell G1 type formula =COUNTIF(E1:F65536;0),
• If G1 equals 0, Z:/$filePath$.csv matches $electionDir$/AssertedReceipts.csv.

PART III: Comparing decommitted list to linkage list
In Calc:
• Let X = A if the asserted receipt list was opened during Part II otherwise let X = B if the asserted tally was opened
instead. Let Y be the i + 2-th letter of the alphabet,
• Open $electionDir$/LinkageList.csv,
• For each print audited ballot 1 ≤ j ≤ p:

– Click on cell Y j → CTRL+C,
– In Z:/$filePath$.csv in the name box (top left) type ‘A’ → CTRL+V → Enter. The audit fails if the contents
of the active (highlighted) cell do not match the contents of cell Xj in the linkage list.
– In $electionDir$/Marks/Mi.csv in the name box type ‘A’ → CTRL+V → Enter. The audit fails if the contents
of the active cell does not equal -1.