A Protocol for Cast-as-Intended Verifiability with a Second Device

Numerous institutions, such as companies, universities, or non-governmental organizations, employ Internet voting for remote elections. Since the main purpose of an election is to determine the voters' will, it is fundamentally important to ensure that the final election result correctly reflects the voters' votes. To this end, modern secure Internet voting schemes aim for what is called end-to-end verifiability. This fundamental security property ensures that the correctness of the final result can be verified, even if some of the computers or parties involved are malfunctioning or corrupted. A standard component in this approach is so called cast-as-intended verifiability which enables individual voters to verify that the ballots cast on their behalf contain their intended choices. Numerous approaches for cast-as-intended verifiability have been proposed in the literature, some of which have also been employed in real-life Internet elections. One of the well established approaches for cast-as-intended verifiability is to employ a second device which can be used by voters to audit their submitted ballots. This approach offers several advantages - including support for flexible ballot/election types and intuitive user experience - and it has been used in real-life elections, for instance in Estonia. In this work, we improve the existing solutions for cast-as-intended verifiability based on the use of a second device. We propose a solution which, while preserving the advantageous practical properties sketched above, provides tighter security guarantees. Our method does not increase the risk of vote-selling when compared to the underlying voting protocol being augmented and, to achieve this, it requires only comparatively weak trust assumptions. It can be combined with various voting protocols, including commitment-based systems offering everlasting privacy.