E-Ring Voting — Daniele Lin

An open-source, publicly verifiable e-voting protocol built around One-time Traceable Ring Signatures (Scafuro & Zhang, 2021). The cryptography comes from the paper; the ledger, the election state machine, and the economic mechanism that holds the whole thing together are our own.

Most deployed electronic voting systems — in Brazil, in parts of Europe, in countless private elections — ask the voter to trust a black box. The protocol operator sees the ballots; the voter does not see the tally. We think the trust direction should be reversed: the tally should be reconstructible by anyone, and the operator should see nothing they could leak. E-Ring Voting explores one way to get there.

The problem

An honest e-voting system has to satisfy two properties that pull in opposite directions:

Ballot secrecy. No one — not the server, not a bribing third party, not a future adversary with a database dump — should be able to link a voter to how they voted.
Public verifiability. Any participant, not just a trusted auditor, should be able to confirm the tally from public data. No "trust us, we counted correctly."

Classical centralized systems achieve secrecy by hiding ballots and verifiability by operator fiat. We wanted both, unconditionally, with no trusted component in the loop.

Approach

The cryptographic core is an implementation of the one-time traceable ring signature scheme of Alessandra Scafuro and Bihan Zhang (2021), building on the ring-signature lineage initiated by Rivest, Shamir and Tauman (ASIACRYPT 2001). The scheme gives us exactly the two properties an e-vote needs:

Anonymity inside the ring: a voter signs a ballot on behalf of a set of eligible voters — the ring — so that a verifier can check the signature came from someone in the ring, but learns nothing about which member.
One-time traceability: each signature carries a deterministic tag bound to (voter, election). A second signature from the same voter in the same election is publicly detectable as a double-vote, while the tag still does not reveal who the voter is to anyone outside the ring.

What the paper gives us — and what it doesn't

Scafuro and Zhang specify a primitive. Building a real voting system around it forced us to design a lot of things they do not: how voters get into the ring in the first place, how an election is started and closed on-chain, how to stop a manager from spamming infinite elections, how results get counted, and how any citizen with a laptop can independently verify the outcome days later.

The prototype is therefore two layers:

Primitive layer — Setup, KeyGen, Sign, Verify, Trace from the paper, on an elliptic-curve group, plus a test harness that exercises correctness and unforgeability on small rings.
Protocol layer — our own design: a proof-of-work ledger, a six-phase election state machine, a two-tier economic structure (fees vs. forfeits), and the voter-registration pipeline that binds real identities to ring members exactly once.

The ledger & economic mechanism

We needed a public, append-only bulletin board no single party could rewrite. Rather than depend on an existing chain, we built a minimal proof-of-work ledger with its own unit of account — eVotes — used purely to price writes:

Fixed block reward of 900 eVotes; half of transaction fees go to miners.
Fees pay miners (spam deterrent). Forfeits are escrowed and never reach the miner — they force election managers to commit real skin in the game before reserving a ballot block, and are released when the election closes cleanly.
Voter registration costs 1 eVote, paid by a benefactor transaction, so registration itself is a public, auditable event tied to a real on-chain actor.

This separation between "fee to the miner" and "forfeit held by the protocol" is the piece we're most interested in extending: it turns election setup into an economic commitment rather than a trust assumption.

Protocol sketch (six phases)

Registration

Eligible voters publish an EC public key, endorsed by a benefactor transaction paying the 1 eVote registration fee on their behalf.

II.

Private collection

Identity verification happens out-of-band; a proof-of-key-ownership is submitted on-chain, binding each ring member to a real person exactly once.

III.

Block reservation

An election manager reserves capacity for the ballot — 5 eVotes per data chunk as a fee, plus a forfeit held in escrow by the protocol.

IV.

Data chunks

Ballot parameters, candidate set, and metadata are pushed during the preparation window — no additional signatures required inside the reservation.

Voting

Each voter emits a ring-signed ballot keyed by the transaction hash of the reservation. The traceability tag makes double-voting publicly detectable.

VI.

Result counting

Every node recomputes the count from public ledger state. Any client, with no special privilege, can reproduce the result bit-for-bit and audit it.

Threat model

Malicious server: no privileged server exists; all election state is on the public ledger.
Coercion / vote-buying: the traceability tag is one-time per election, so a voter cannot prove to a coercer which ballot was theirs beyond the ring — a partial receipt-freeness guarantee.
Sybil at registration: pushed to the identity-verification step; this is the weakest link, and we treat it as an explicit assumption rather than solve it cryptographically.
Chain reorganization: mitigated by burying election results under enough confirmations before tallying.

Open questions (research direction)

Scaling ring size: naive ring signatures grow linearly with ring size — can we integrate a logarithmic-size construction (e.g. CLSAG, MLSAG, or lattice-based rings) without losing traceability?
Receipt-freeness in the presence of a coercer with chain-of-custody over the voter's device.
Formal verification of the state machine (currently hand-specified) in a proof assistant.
Post-quantum variants: swapping EC-based rings for lattice or hash-based primitives.

Status: Early-stage research prototype — protocol specification is drafted and the Python reference implementation is under active development. Not production software. The value is the design space exploration, not deployment.

Selected references

A. Scafuro, B. Zhang. One-time Traceable Ring Signatures. 2021. — primary reference; the signature scheme used in the prototype
R. Rivest, A. Shamir, Y. Tauman. How to Leak a Secret. ASIACRYPT 2001.
E. Fujisaki, K. Suzuki. Traceable Ring Signature. PKC 2007.
B. Adida. Helios: Web-based Open-Audit Voting. USENIX Security 2008.
J. Benaloh, D. Tuinstra. Receipt-free secret-ballot elections. STOC 1994.
S. Noether, B. Goodell. Concise Linkable Ring Signatures and Forgery Against Adversarial Keys. MRL 2019.

Links

→ Source on GitHub