Privacy preserving digital voting

Part II: Experimental digital voting in Zug, Switzerland

Part I, which introduces general privacy-preserving techniques for designing a voting platform, can be found here.

The Swiss solution treats the model in a similar way to microservices, while remaining cognisant of the design limitations inherent to a decentralized, consensus-driven, data-replication architecture. Decentralized technology has been identified as an efficient tool for building electronic voting solutions because its data storage is distributed and shared across multiple nodes. This increases the level of trust in the system in general and provides better auditability and integrity properties than a centralised approach.

There are a few important terms to note before proceeding with the architecture definition:

Digital Identity. An identity instance is a composition of a wallet holding a cryptographic key and identity assertions (credentials) that allow the identity owner to control how the identity is established and to prove eligibility to vote.

Distributed Ledger Technology (DLT). A decentralised network of independent computers that are able to agree on an immutable record of the sequence and outcome of transactions.

The model decomposes the ideas of DLT into layers. At the centre of the model is a kind of Consensus Computer. The idea is that instead of processing being done in one place (by a single system that everyone trusts), processing is duplicated and done in many places, so that trust does not need to be placed in a single system or organisation. The consensus, communications and control layers are non-functional. These layers determine the performance, scalability and underlying security of the platform.

Cryptographic blinding techniques.
Homomorphic Encryption (+) is a crypto-system that can execute simple mathematical operations on encrypted data. For example, in such a crypto-system the product of encrypted values is an encryption of the sum of their pre-images.

Example: the plaintext of x is 7 and of y is 8; multiplying the ciphertexts of x and y gives the sum 7 + 8 in encrypted form.

Zero-Knowledge Proof (ZKP) is a method by which one party can prove to another party that a given statement is true, without conveying any information apart from the fact that the statement is indeed true. A ZKP is a sort of function that, on some inputs, responds with true or false.

Example statement: will the encrypted Z be equal to 15 if I decrypt it?

A new voting poll

An electronic voting system is a distributed network protocol that includes a few sequential steps, each with strong security requirements.

The authority initiates a new round of voting by sending all necessary information about what will be voted on to the appointed registrar. The registrar creates a new poll (with a list of questions and choices, when the vote opens and closes, etc.) on the blockchain and assigns the voting executors, polling stations and committee. The committee generates a secret key with homomorphic properties and publishes its public part.

The platform is based on the Paillier crypto-system, which is homomorphic under the addition (+) operation and has blinding properties, meaning that the same value always produces different encryption results.

Voters use dedicated polling stations to pass the eligibility check using their digital identity and to register their intention to vote. The polling station authenticates the voter using special credentials that are issued and signed by a legal authority beforehand. Every voter also generates a personal ECDSA key pair during this phase and registers the public part on the ledger via the polling station. The private key never leaves the voter's private wallet, and it is used to prove ballot ownership by signing the ballot.

If the user successfully completes this step, he/she obtains an anonymized personal ballot uploaded to the ledger.

SSI technology is used for the eligibility check. The model is based on a Trusted Third Party approach, which means that correlating an anonymized id with a vote result is still possible if the Polling Station and the Committee collude.

However, this can be addressed in the future by another cryptographic technique: cryptographic accumulators.

The voting step

At this step the ledger already contains: (1) the poll with its associated list of questions; (2) the poll's Paillier public key issued by the Committee; (3) the voters' personal ballots; (4) the list of anonymized ids and the associated voters' public keys.

The beauty of DLT is that preparation and the actual voting are totally independent steps, so a voter can choose any instance of the blockchain to cast the vote. The wider the network, the more trust. The voter application is a stateless service that only provides an interface to the core ledger. It doesn't need to know the voter's identity or manage secure keys.

The voter downloads all the necessary details, votes, and encrypts the answers with the committee's public key. Afterwards, the voter signs the ballot using their individual private key and adds it to the blockchain. The votes are then aggregated into decentralized baskets and replicated between network nodes on the blockchain.

The results sum up

Once voting is over, the committee retrieves all anonymized and encrypted ballots from the ledger, checks their authenticity by verifying all signatures (and a number of cryptographic proofs), then simply sums up the results.

This is where the blinding cryptography comes into play! The homomorphic-by-addition property makes it possible to work with encrypted votes. Anyone who has access to the ledger is able to sum up the votes without decrypting the pre-images or identifying voters.

The outcome of such an operation is always the result of the poll, but it is still encrypted, and only the committee's secret key can decrypt it.

When the summation is finished, the committee submits the decrypted results back to the ledger and also provides a zero-knowledge proof of equivalence between the encrypted sum of votes and the published results.

The results verification

The verification takes time because every network participant pulls all the votes and runs a verification that includes: (1) summing the votes in encrypted form using the homomorphic property of Paillier; (2) verifying the ZKP using the decrypted results (published by the Committee) and the manually calculated (but still encrypted) sum of the votes.

The Committee can't alter the votes, because the verifier always re-calculates the sum from scratch.
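The homomorphic tally and the verification pass described above, together with the 7 + 8 example from the blinding section, as an added Python sketch (not code from the Zug platform). It uses a toy key, the function names are illustrative, and revealing the randomness of the aggregate ciphertext stands in for the zero-knowledge proof the committee publishes.

```python
import secrets
from math import gcd

# Toy key built from two Mersenne primes (constructed for this demo; far too
# small for real use). PHI is the committee's secret, N is the public key.
P, Q = 2**31 - 1, 2**61 - 1
N, N2, PHI = P * Q, (P * Q) ** 2, (P - 1) * (Q - 1)

def encrypt(m, r=None):
    """Paillier with g = n + 1: c = (1 + m*n) * r^n mod n^2."""
    while r is None or gcd(r, N) != 1:
        r = secrets.randbelow(N - 1) + 1   # fresh blinding factor per ballot
    return (1 + m * N) % N2 * pow(r, N, N2) % N2

def add(ciphertexts):
    """Homomorphic addition: multiplying ciphertexts adds their plaintexts."""
    total = 1
    for c in ciphertexts:
        total = total * c % N2
    return total

def committee_decrypt(c):
    """Committee side: plaintext of c plus the randomness that opens it."""
    m = (pow(c, PHI, N2) - 1) // N * pow(PHI, -1, N) % N
    r_n = c * (1 - m * N) % N2             # strip (1 + m*n), leaving r^n
    r = pow(r_n % N, pow(N, -1, PHI), N)   # n-th root; needs the secret PHI
    return m, r

def verify_tally(ballots, claimed_sum, r):
    """Verifier side: recompute the encrypted sum from the ledger and check
    that the published result re-encrypts to exactly that ciphertext."""
    return encrypt(claimed_sum, r) == add(ballots)

if __name__ == "__main__":
    # The page's example: Enc(7) * Enc(8) decrypts to 15.
    print(committee_decrypt(add([encrypt(7), encrypt(8)]))[0])
    # Constructed poll: one yes/no question, 1 = yes, 0 = no.
    ballots = [encrypt(v) for v in (1, 0, 1, 1, 0, 1, 1)]
    total, r = committee_decrypt(add(ballots))
    print(total, verify_tally(ballots, total, r))      # honest result
    print(verify_tally(ballots, total + 1, r))         # altered result
    print(encrypt(1) == encrypt(1))                    # blinding at work
```
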


Although the project was deployed as an experiment, it successfully demonstrated sustainability under certain security assumptions. The approach is respectful of privacy, although the level of privacy obtained depends on the implementation of the crypto-system and on network security, and it requires serious research into new attack vectors such as voter de-anonymisation, vote correlation, fake users, key rotation, etc.

The diagram below depicts the deployment model, which includes multiple clouds and a few business services that implement the Trusted Third Party technique.

Thank you for reading.



DLT & Digital Identity — Chief Technologist , @Luxoft,
