SoK: Secure e-voting with everlasting privacy

Vote privacy is a fundamental right, which needs to be protected not only during an election, or for a limited time afterwards, but for the foreseeable future. Numerous electronic voting (e-voting) protocols have been proposed to address this challenge, striving for everlasting privacy. This property guarantees that even computationally unbounded adversaries cannot break privacy of past elections. The broad interest in secure e-voting with everlasting privacy has spawned a large variety of protocols over the last three decades. These protocols differ in many aspects, in particular the precise security properties they aim for, the threat scenarios they consider, and the privacy-preserving techniques they employ. Unfortunately, these differences are often opaque, making analysis and comparison cumbersome. In order to overcome this non-transparent state of affairs, we systematically analyze all e-voting protocols designed to provide everlasting privacy. First, we illustrate the relations and dependencies between all these different protocols. Next, we analyze in depth which protocols do provide secure and efficient approaches to e-voting with everlasting privacy under realistic assumptions, and which ones do not. Eventually, based on our extensive and detailed treatment, we identify which research problems in this field have already been solved, and which ones are still open. Altogether, our work offers a well-founded reference point for conducting research on secure e-voting with everlasting privacy as well as for future-proofing privacy in real-world electronic elections.

In all elections, it is crucial to ensure that the final election result correctly reflects the votes chosen by the voters. Moreover, voters' individual votes must remain secret so that the final result is not biased by those who are afraid to express their own will freely. In order to guarantee these two fundamental properties, modern secure e-voting protocols strive for (end-to-end) verifiability and (vote) privacy. Verifiability [19] enables external and internal observers to verify whether the final election result corresponds to the voters' choices, even when some participants (e.g., talliers) are malicious and try to undetectably manipulate the final outcome. Privacy [5] ensures that all data published during an election (including data for proving the correctness of the final result) does not leak more information on the single voters' choices than what can be derived from the public election result.
For many elections, it is important to protect voters' privacy not only during the election, or for a limited time afterwards, but also for the foreseeable future. If voters need to worry about facing negative consequences in case their individual votes are leaked, say, 10 or 20 years after the election, then this fear can undermine the integrity of the final result. This threat is real, both for political and for non-political elections. For instance, democratic systems, in which representatives are elected by the public, can be overthrown and replaced by oppressive regimes which discriminate against or even prosecute people who supported their opponents in the past. But also in non-political elections, the choices that voters make now can still be sensitive several years later, for example in an election of a university's president.
In classical paper-based elections, long-term privacy is commonly protected by the same mechanisms that also ensure privacy during the election. But for electronic voting, the situation is different. In order to guarantee verifiability (see above), some information about the voters' individual choices needs to be public. Since, at the same time, vote privacy must not be jeopardized, essentially all verifiable e-voting systems used in practice today (e.g., Helios [1] or Belenios [20]) employ the following approach: voters encrypt their votes under the talliers' public key, publish the resulting ciphertexts, and the talliers use their secret key to process these ciphertexts to obtain the final result. Now, the problem is that secrecy of all public-key encryption schemes deployed in these systems (e.g., ElGamal) is based on certain computational hardness assumptions (e.g., decisional Diffie-Hellman) that ensure vote privacy at the time of the election, but not necessarily in the long run. A future adversary, who learns from public data of past elections which ciphertext belongs to which voter, may therefore exploit novel (previously unknown) algorithms or more powerful machines (e.g., quantum computers) to efficiently solve the underlying hardness assumptions and thus break privacy of voters retrospectively. As explained above, such a risk is unacceptable for many real-world elections. However, many secure e-voting protocols, such as Helios [1], Civitas [18], Selene [64], sElect [47], Demos [44], or Ordinos [46], were not designed to protect against this threat.
Fortunately, in order to ensure that vote privacy remains preserved in the future, numerous e-voting protocols have been proposed in the academic literature (e.g., [11,21,22,51,56]). These protocols strive for what is called everlasting privacy. This property ensures that privacy is protected unconditionally so that even a computationally unbounded adversary is not able to learn how individual voters voted. Most of the e-voting protocols mentioned above actually aim for a weaker notion of everlasting privacy. In fact, these protocols are designed to guarantee unconditional privacy towards any external adversary who can access all public election data but who is not able to monitor the whole communication network. This relaxed notion of everlasting privacy is called practical everlasting privacy [2]. It accurately models the overall threat scenario of a future adversary who knows all public material required to verify an election and who is able to break any computational hardness assumption.
The diversity of e-voting protocols aiming for (practical) everlasting privacy offers great potential but it also poses a major challenge at the same time. The reason is that existing protocols differ in many aspects:
• Security properties: While some protocols were designed to guarantee "only" public verifiability and (everlasting) privacy (e.g., [21,51]), other protocols aim to provide additional security properties, such as receipt-freeness (e.g., [56]) or accountability (e.g., [22]).
• Threat scenarios: Existing protocols often differ in the assumptions that they (sometimes implicitly) make to provide specific security properties. For example, some protocols aim to provide everlasting privacy not only towards external but also towards internal adversaries (e.g., [11]).
• Privacy-preserving techniques: There exists a multitude of techniques that the proposed protocols employ to protect vote privacy or additional privacy-related features like coercion-resistance. While some protocols employ only one technique (e.g., [22]), others use two or more of them (e.g., [56]). In many cases, it is not explained precisely which technique is supposed to provide which privacy-related property.
These differences are often opaque, making analysis and comparison cumbersome. This results in a confusing situation that raises several fundamental questions:
(1) How do all the different e-voting protocols aiming for (practical) everlasting privacy relate? How do they depend on each other?
(2) Which of these protocols do provide secure and efficient solutions to e-voting with (practical) everlasting privacy under realistic assumptions? Which ones do not?
(3) Which research problems in this field have already been solved? Which ones are still open?
(4) Do there exist secure solutions that can be deployed to guarantee (practical) everlasting privacy in real-world electronic voting? If not, which gaps need to be closed?
Addressing these questions is crucial because the need for future-proofing privacy in electronic voting is pressing.

Our contributions
In order to overcome this non-transparent state of affairs, we answer all of the fundamental questions raised above. We do this in a systematic, critical, and detailed manner. As a result, our work offers a well-founded reference point for conducting research on secure e-voting with everlasting privacy as well as for future-proofing privacy in real-world electronic elections.
In what follows, we explain our approach and then describe our key findings. Before that, we clarify the scope of our work.
Moreover, we restrict our attention to concrete constructions of secure e-voting protocols with everlasting privacy, leaving out studies on the theoretical limits of secure e-voting (or more generally: secure MPC) with everlasting privacy (e.g., [17,38,59]).

Approach.
We use the following approach to systematically analyze the state-of-the-art in secure e-voting with everlasting privacy: (1) We study the academic literature to find all relevant existing protocols in this field. (2) We classify existing protocols according to how they (intend to) provide everlasting privacy technically. Moreover, we illuminate how different protocols depend on each other. (3) We analyze which existing protocols are practically efficient and guarantee public verifiability as well as (practical) everlasting privacy under realistic assumptions. To this end, we investigate which protocols actually achieve the properties they were designed for originally, and we critically reflect on the assumptions that existing protocols make. (4) Based on our analysis in the previous steps, we identify which research problems have already been solved and which ones are still open.

Key insights.
We state the main insights of our endeavor next. We start with the list of relevant protocols that we collected and then summarize our classification of these protocols. Afterwards, we explain which challenges have been solved and which ones are still open.
Existing protocols. We collected 25 existing e-voting protocols designed for secure e-voting with everlasting privacy [2, 11, 20-22, 25-27, 29, 30, 33-35, 40, 42, 45, 51-53, 55, 56, 61, 62, 69, 70].
Classification. We identify two different classes of existing protocols, B-ANON and B-ID. In B-ANON, everlasting privacy reduces to publishing ballots anonymously. On the contrary, in B-ID, where public ballots are identifiable, everlasting privacy is based on the privacy-preserving technique used to tally ballots. We will argue that the general approach taken in B-ID is superior to the one in B-ANON; in short:
Solved problems. We discover that in both classes, B-ID and B-ANON, there exist reasonable protocols for secure e-voting with everlasting privacy under the respective assumptions made in these classes. For everlasting privacy, all of these protocols consider future adversaries that are not active during an election. We distinguish between those protocols that can handle simple ballot types (e.g., where voters can choose one candidate) and those which can handle arbitrary ballot types (e.g., where voters can rank candidates).
Observation 1 (Simple ballot types). In B-ID, there exist two secure approaches that can handle simple ballot types: the one based on [21] (see Sec. 6) and the one based on the homomorphic version of [22] (see Sec. 7). While [22] offers everlasting privacy towards the public (i.e., practical everlasting privacy), [21] additionally offers everlasting privacy towards a threshold of talliers.
Observation 2 (Arbitrary ballot types). In B-ID, there exists one secure approach that can handle arbitrary ballot types, the one based on the mix net version of [22] (see Sec. 7). In B-ANON, there exist two reasonably secure approaches that can handle arbitrary ballot types, in fact [20] (see Sec. 4) and [51] (see Sec. 5). These protocols offer practical everlasting privacy.
All of the approaches mentioned before are sufficiently efficient for large-scale elections. In particular, Belenios [20] has already been deployed in many real-world elections.
Open problems. Our first two observations demonstrate that almost all of the main challenges have been solved, but there still exist some open problems.

Observation 3 (Open problems).
The most important open problems are: (1) Formal protocol analysis: While the cryptographic components of the promising approaches [21,22,51] have been analyzed in-depth, it is an open problem to formally analyze these proposals on the protocol level. It is also an open problem to formally analyze everlasting privacy of Belenios [51]. (2) Deployable e-voting system: While Belenios [20], which is in B-ANON, can be deployed for real-world elections, it is an open problem to develop a full-fledged deployable e-voting system that realizes one of the promising approaches [21,22] in the superior class B-ID. (3) Weaker trust for arbitrary ballot types: All promising approaches that can handle arbitrary ballot types [20,22,51] require that all election authorities or all talliers are trusted for everlasting privacy. It is an open problem to mitigate trust on the authorities in terms of everlasting privacy for arbitrary ballot types. (4) Receipt-freeness: In all of the promising approaches [20-22,51], some evidence is created on the voters' devices that can serve as a proof for how the voter voted. It is an open problem to securely and efficiently improve [20-22,51] so that they are free of such receipts.
From our point of view, the first two open problems (formal protocol analysis and development of a deployable system in B-ID) are the most pressing ones. We note that for automated verification, there exist appropriate symbolic definitions to address the first open problem, for example [2] for everlasting privacy and [57] for verifiability/accountability; recent advances [16] facilitate applying these definitions in a joint verification platform.

Overview of paper
We structure our paper as follows. In Sec. 2, we recall the main principles of secure e-voting protocols; moreover, we introduce our notation. In App. A, we describe those cryptographic primitives which are commonly used to design secure e-voting protocols. In Sec. 3, we propose our classification and discuss which of the two main classes, B-ANON and B-ID, offers a more reasonable approach. We will further demonstrate in Sec. 3 that both main classes have two sub-classes each. The subsequent sections are dedicated to the protocols in these sub-classes, in fact Sec. 4 to B-ANON-A, Sec. 5 to B-ANON-V, Sec. 6 to B-ID-HOM, and Sec. 7 to B-ID-MIX. In these sections, we illustrate how existing protocols in the respective sub-classes relate, and we analyze which of them are actually reasonable approaches for secure e-voting with everlasting privacy. We summarize our insights in Table 3. We conclude in Sec. 8.

SECURE E-VOTING IN A NUTSHELL
The following section serves two purposes. First, we briefly introduce those readers to secure e-voting who are not (yet) familiar with the subject. Second, we determine a clear and unified notation for expressions that we will recurrently use in the main part of our paper.
We start off with explaining the basic model of e-voting. After that, we recall the most relevant properties of secure e-voting.
We refer to Table 1 for our notation related to e-voting and to Table 2 for our notation of cryptographic primitives.

Electronic voting
A voting protocol is run between an election authority EA, a set of voters V_1, ..., V_n, and a trustee T (sometimes called tallier). The election authority EA is responsible for setting up the election (date, set of candidates, voting method, etc.) and for registering voters.
During the submission phase, the voters V_1, ..., V_n cast their individual votes v_1, ..., v_n. In the tallying phase, the trustee T then takes these votes as input, applies the specified voting method ρ to these votes (e.g., counts the number of votes per candidate), and eventually outputs the election result ρ(v_1, ..., v_n). In electronic voting, voters' choices are encoded digitally and processed electronically.
It is obvious that, without any further measures, the trustee T needs to be trusted in all important aspects: first, T learns how all voters voted, and second, if T is dishonest, it can manipulate the election outcome undetectably. In order to avoid reliance on a single completely trusted authority, secure e-voting protocols offer and combine certain desirable properties, as we describe next.

Security properties
We recall the most important properties of secure e-voting. We start with the two fundamental ones (privacy and verifiability) and then explain the common high-level approach to combine them. Afterwards, we elaborate on three properties that several protocols strive for in addition, namely accountability, receipt-freeness, and coercion-resistance. We explain all security properties on an intuitive level, which is sufficient to follow our exposition, and we provide references to established formal definitions.
Basic security: privacy and verifiability. The two main requirements for secure e-voting, as mentioned in Sec. 1, are (vote) privacy [5] and public verifiability [19].
Privacy guarantees that the links between individual voters and their votes in the (public) final result remain secret. In order to mitigate trust on the trustee T for privacy, its role is often distributed among several entities T_1, ..., T_m so that only a threshold of them need to be trusted for privacy. Moreover, depending on how trust is distributed, the protocol becomes more robust in case a trustee is not able (or willing) to participate in tallying. Furthermore, some protocols divide or distribute the role of EA among several parties; for example, Belenios distinguishes between the EA proper and the registrar who generates the voters' signing keys.
Public verifiability ensures that everyone is able to verify that the final election result is correct, even if the trustees or other participants are corrupted. Since the main purpose of verifiability is to protect against possibly corrupted parties, verifiability should (ideally) not be based on any trust assumptions. This is in contrast to privacy for which trust in some of the tallying authorities appears unavoidable (hence, the term "trustee(s)").
Basic security: common approach. Secure e-voting protocols commonly employ an additional party, called the public bulletin board PBB. The role of PBB is to broadcast all data that is necessary to verify the correctness of the final result. During the submission phase, the voters V_1, ..., V_n publish some information about their votes on PBB; commonly, in order to protect their own privacy, voters seal their votes v_i in secret ballots. In the tallying phase, the trustees T_1, ..., T_m use some secret knowledge (e.g., private keys) to process the secret ballots on PBB and obtain the final result res = ρ(v_1, ..., v_n). Eventually, the trustees publish on PBB the result as well as some evidence that convinces everyone that res was computed honestly, but without revealing the trustees' secret knowledge. As we shall see in the remainder of our paper, there exist several techniques to realize this high-level approach, each one with its own advantages and disadvantages.
Accountability. Accountability is a stronger notion of verifiability [49]. While public verifiability enables everyone to verify whether the final election result correctly reflects the votes chosen by the voters, verifiability alone is not sufficient to detect which parties manipulated the final outcome. Accountability solves this problem as it enables one to identify misbehaving parties individually and hold these parties accountable. This property is particularly useful in practice because it serves as a deterrent.
Receipt-freeness. Receipt-freeness ensures that the casting process does not create any (cryptographic) evidence that proves how the voter voted [13]. While vote privacy guarantees that the overall election process does not reveal how individual voters voted, the final outcome can still be biased due to vote buying. In fact, the process executed by the voter to create and submit her ballot may leave some local data on the voter's device. A voter can sell this data as a receipt that proves how she voted. In receipt-free e-voting protocols, no convincing evidence is created on the voters' devices.
Coercion-resistance. Coercion-resistance protects against adversaries who coerce voters to follow certain instructions so that the adversary achieves his own goals (e.g., the voter votes for the coercer's favorite candidate) [48]. More precisely, a voting protocol is coercion-resistant if any coerced voter, instead of obeying the coercer, can run some counter-strategy such that (1) by running the counter-strategy, the coerced voter achieves her goal (e.g., successfully votes for her favorite candidate), and (2) the coercer is not able to distinguish whether the coerced voter followed his instructions or tried to achieve her own goal. Unlike receipt-freeness, coercion-resistance also considers voters who actively deviate from their prescribed roles.

OUR CLASSIFICATION
We propose a classification that captures all existing e-voting protocols aiming for everlasting privacy. Our classification is particularly useful to answer our initial research questions (Sec. 1). As we shall see, there exist two different main classes, each of which has two sub-classes. In Sec. 4-7, we elaborate on existing protocols in these sub-classes, where we focus on one sub-class in each section.
In this section, we first describe our classification and then explain how different classes relate from a high-level perspective. Eventually, we give some fundamental insights to the question which of the two main classes is more reasonable under realistic assumptions.

Classes
Based on our extensive literature research, we identify the following two main classes of e-voting protocols with everlasting privacy.

Table 2 (notation for cryptographic primitives; only partially recovered from the extraction):
Variable | Meaning
(not recovered) | public-key encryption scheme
(pk, sk) | public/private encryption key pair
e ← E(pk, m) | encryption of message m under pk, yielding ciphertext e
(not recovered) | verification of proof π for statement s

Anonymous ballots (B-ANON).
Here, the ballots published on the bulletin board do not contain any information that could be used to trace single ballots back to individual voters. Everlasting privacy is based on the assumption that the ballot submission channels are unconditionally anonymous towards the adversary. Existing protocols in B-ANON are [2, 20, 27, 33, 35, 40, 42, 45, 51-53, 62, 70].
We further subdivide B-ANON according to the party who generates the voters' credentials that the voters use to prove eligibility of their ballots anonymously: We study sub-class B-ANON-A in Sec. 4, where we demonstrate that all existing protocols in B-ANON-A put much trust in the election authority EA. We study the sub-class B-ANON-V in Sec. 5; we will see that the only secure and practically efficient protocol in this sub-class is [51], but under the arguably strong assumption that all ballot submission channels are unconditionally anonymous (see Sec. 3.3).
We note that the protocols in B-ID-MIX can handle more complex ballots than existing ones in B-ID-HOM. We study sub-class B-ID-HOM in Sec. 6, where we demonstrate that the best protocols in this sub-class are [21] and its extension [29], as well as the homomorphic version of [22]. We study sub-class B-ID-MIX in Sec. 7, where we show that the mixing version of [22] offers the most reasonable approach, including the works built upon it [30,34,61].

Relations
We observe that the two main classes B-ANON and B-ID essentially differ in two aspects: (1) the method used to ensure everlasting privacy as well as the phases when the respective method is applied, and (2) the technique employed to guarantee public verifiability. More precisely:
Privacy. In B-ANON, everlasting privacy follows from the property that the method used to publicly prove eligibility of ballots does not leak any information about the respective voters' identities, and from the assumption that the voters' submission channels are unconditionally anonymous towards the adversary. In contrast, in B-ID, everlasting privacy is ensured by employing an unconditionally privacy-preserving technique to process ballots, either homomorphic aggregation (B-ID-HOM) or mixing (B-ID-MIX) of ballots, and under the assumption that the voters' submission channels are unconditionally private towards the adversary.
In particular, in B-ANON, individual links are broken before ballots are published (submission phase), whereas in B-ID, these links are broken afterwards (tallying phase).
Verifiability. In B-ANON, verifiability essentially reduces to the technique that voters use to prove that their anonymous ballots were submitted by eligible voters. In contrast, in B-ID, verifiability mainly follows from the techniques used to prove that ballots were processed correctly in the tallying phase.

Basic evaluation
We found that the general approach taken in B-ID, where ballots are identifiable, is superior to the one in B-ANON, where ballots are necessarily anonymous. In short, loosely speaking, we claim: In what follows, we substantiate this statement. Since our argumentation is heuristic, for the sake of fairness, we will evaluate existing protocols in B-ANON (see Sec. 4-5) independently of our general criticism.
Recall that all protocols in B-ANON require an unconditionally anonymous submission channel to achieve everlasting privacy, whereas protocols in B-ID require an unconditionally private but not necessarily anonymous submission channel. As we will argue next, the gap between these two requirements is significant in practice.
Basic observation. We start with a simple but important fact: perfect secrecy is impossible to achieve in a public-key setting. Hence, unconditionally private or unconditionally anonymous channels can only be realized in a symmetric setting. Such a setting is, however, unrealistic in real-world Internet elections, which is the most dominant form of electronic voting nowadays. This means that, in practice, both unconditional privacy and unconditional anonymity of the submission channels cannot be based on actual cryptographic constructions; instead, these properties follow from the assumption that all adversaries considered are not able to break privacy or anonymity, respectively, of the submission channels.
In what follows, we argue that in B-ID the respective assumption can both be justified for a larger class of elections and be mitigated, but that neither holds in B-ANON.
Adversarial power. It is well-known that multiple agencies across the globe monitor the Internet and permanently store some of its traffic. Since storing all communication data is practically infeasible, these agencies are primarily interested in metadata. If we assume that a future adversary has/gains access to metadata collected during a past election, then anonymity of the voters' submission channels is violated. At the same time, privacy of these channels is still guaranteed under the assumption that only metadata but no further data was stored. We can therefore conclude that the class of potential future adversaries against which protocols in B-ID can protect is larger than the one that protocols in B-ANON can handle.
Mitigation techniques. Even though, as explained above, we cannot establish unconditionally private submission channels in real-world elections, there exist several techniques to realize channels with long-term secrecy, in particular post-quantum TLS (e.g., [66]), which can easily be deployed in real-world Internet elections without any effort on the voters' side. For anonymous channels, the situation is different: anonymous communication protocols are currently used by only a tiny fraction of Internet users, so that we cannot presume that 'average' voters submit their ballots anonymously. And even for those, probably few, voters who would use anonymous communication tools, their joint anonymity set may be too small to guarantee a significant level of everlasting privacy. We are aware of only one possible way to mitigate this issue: if ballots are published only at the end of the submission phase, but not before, then metadata alone does not help to link individual voters to their ballots. However, this mitigation violates the vote-and-go paradigm of modern e-voting, which ensures that voters can verify instantly whether their ballots have been recorded as submitted and then leave the virtual voting booth.
Summary. To put it bluntly, everlasting privacy is approached mainly constructively in B-ID but only hypothetically in B-ANON. Hence, we conclude that the approach followed in B-ID is superior to the one in B-ANON.

B-ANON-A
We study existing protocols [2,20,27,33,40,42,62,70] in the subclass B-ANON-A, where the election authority generates the voters' credentials (see Sec. 3). We identify three different groups which differ in whether and how eligibility of the anonymous ballots is ensured: no identities, blind signatures, and pseudonyms. In what follows, we elaborate on these groups and evaluate their properties.

No identities
The most trivial way to achieve everlasting privacy is to specify that ballots contain no information whatsoever about the respective voter's identity. Arapinis, Cortier, Kremer, and Ryan [2] describe and analyze such a version of Helios [1].

Concept.
We first describe the original Helios protocol [1] and then its variant without public voter identities.
In the setup phase of Helios, each voter V_i obtains an individual password from the election authority EA. In the submission phase of Helios, voter V_i encrypts her vote v_i under the trustee's public key pk, computes a NIZKP π_i to prove that her ciphertext e_i ← E(pk, v_i) is valid, uses her password to authenticate to the public bulletin board PBB, and then sends the tuple (V_i, e_i, π_i) to PBB. The bulletin board publishes (V_i, e_i, π_i) if the password belongs to V_i, if the NIZKP π_i is valid, and if π_i is not included in any other ballot published before. The encrypted votes are then either tallied homomorphically or with a mix net.
Obviously, the original Helios protocol does not provide (practical) everlasting privacy. The reason is that voters' ciphertexts are linked with their individual identities. Therefore, a computationally unbounded adversary, breaking secrecy of the ElGamal PKE scheme [28] employed in Helios, learns how all voters voted. Arapinis et al. [2] describe a version of Helios, which they call Helios without identities, where ballots are published in the form of (e_i, π_i), without any information about V_i's identity. In this way, even if an adversary is computationally unbounded after the election, vote privacy is supposed to be preserved.
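To make the difference between the two boards concrete, the following added example (not code from the paper, from Helios, or from [2]) implements a Helios-style exponential ElGamal tally in a deliberately tiny constructed group (p = 2039, q = 1019) so that the paper's computationally unbounded adversary can be played by exhaustive search over the trustee's secret key. Ballot-validity proofs (the π_i above) are omitted; all parameters, voter names and votes are constructed for the illustration.

```python
"""Helios-style exponential ElGamal tally, with and without voter identities.

Added illustration; this is not code from the paper or from Helios. The group
is a deliberately tiny constructed one (p = 2039, q = 1019) so that the
paper's computationally unbounded adversary can be played by brute force.
Ballot-validity NIZKPs (the pi_i of the protocol) are omitted for brevity.
"""
import secrets

P = 2039           # safe prime, P = 2*Q + 1 (constructed toy parameter)
Q = 1019           # prime order of the subgroup used for ElGamal
G = pow(2, 2, P)   # a quadratic residue != 1, hence a generator of order Q
assert G != 1 and pow(G, Q, P) == 1


def keygen():
    """Trustee key pair: sk in [1, Q-1], pk = g^sk."""
    sk = secrets.randbelow(Q - 1) + 1
    return pow(G, sk, P), sk


def encrypt(pk, vote):
    """Exponential ElGamal ciphertext (g^r, g^vote * pk^r) for vote in {0, 1}."""
    assert vote in (0, 1)
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), (pow(G, vote, P) * pow(pk, r, P)) % P


def decrypt_exponent(sk, c1, c2):
    """Recover v from (g^r, g^v * pk^r); the final discrete log is brute-forced,
    which is how Helios handles small tallies."""
    g_v = (c2 * pow(pow(c1, sk, P), -1, P)) % P
    for v in range(Q):
        if pow(G, v, P) == g_v:
            return v
    raise ValueError("exponent out of range")


def tally(sk, ciphertexts):
    """Homomorphic aggregation: multiply all ciphertexts, decrypt once."""
    c1, c2 = 1, 1
    for a, b in ciphertexts:
        c1, c2 = c1 * a % P, c2 * b % P
    return decrypt_exponent(sk, c1, c2)


def cast_ballots(pk, votes):
    """Original Helios board: (V_i, e_i) pairs, identity attached to ciphertext."""
    return [(f"V{i}", encrypt(pk, v)) for i, v in enumerate(votes, start=1)]


def strip_identities(board):
    """Helios without identities: the board carries only e_i (and pi_i in full)."""
    return [ct for _, ct in board]


def recover_sk(pk):
    """Future, computationally unbounded adversary: exhaustive search for sk.
    Here that is at most 1018 exponentiations; for real parameters it would
    amount to breaking the discrete-log assumption."""
    return next(x for x in range(1, Q) if pow(G, x, P) == pk)


def attack_identified(pk, board):
    """Against the original board the adversary learns every voter's vote."""
    sk = recover_sk(pk)
    return {voter: decrypt_exponent(sk, *ct) for voter, ct in board}


def attack_anonymous(pk, anon_board):
    """Against the identity-free board the adversary learns only the multiset
    of votes, i.e. nothing beyond what the published result already reveals."""
    sk = recover_sk(pk)
    return sorted(decrypt_exponent(sk, *ct) for ct in anon_board)


if __name__ == "__main__":
    pk, sk = keygen()
    board = cast_ballots(pk, [1, 0, 1, 1, 0])       # constructed sample votes
    print("result:", tally(sk, strip_identities(board)))                  # 3
    print("with ids:", attack_identified(pk, board))                      # per-voter votes
    print("without ids:", attack_anonymous(pk, strip_identities(board)))  # [0, 0, 1, 1, 1]
```

The two attack functions are the same computation; what differs is only the board they run over. Against the original (V_i, e_i) board, recovering sk reveals every voter's choice, whereas against the identity-free board the same adversary obtains only the sorted vote multiset, which the published result already implies. This is exactly the gap between Helios and Helios without identities, and it also shows why the latter still depends on the submission channel being anonymous: the board no longer links voters to ciphertexts, but the network might.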

Evaluation.
Arapinis et al. [2] claim that Helios without identities provides practical everlasting privacy. To formally prove this statement, they propose and apply a definition of practical everlasting privacy to analyze Helios without identities with two different verification tools, AKISS [12] and ProVerif [6]. We did not find any issues that would contradict their privacy result. However, we

Table 3: Overview of the classification of e-voting protocols with everlasting privacy. Security properties not relying on any trust assumption are marked +. Revised trust assumptions are marked !. Trust assumptions are denoted as T for full trust and DT for distributed trust; trust in specific parties is denoted in subscript. Additional security properties are marked as CR for coercion-resistance, RF for receipt-freeness, and ACC for accountability, followed by trust assumptions in parentheses. AS denotes the necessity of an anonymous submission channel for privacy.

Table 3 (only fragments survived extraction): column headers "Public Verifiability" and "Everlasting Privacy"; recovered row fragments: "DT_EA, +, Flawed crypto, AS" and "[70]: T_EA, +, All voters online, not robust".

Blind signatures
Originally, the idea of using blind signatures for secure e-voting goes back to Fujioka, Okamoto, and Ohta [27], whose work is commonly referred to as the FOO protocol. Van de Graaf [70], who was the first to observe that FOO potentially offers everlasting privacy, proposed a technique to realize unconditionally anonymous submission channels for FOO. The FOO protocol is the basis of two further protocols [33,42], designed to make FOO coercion-resistant [33] or to mitigate trust in the election authority EA [42], respectively.

Concept.
We distinguish between two versions of e-voting with blind signatures. The advanced version, unlike the basic one, employs blind signatures with a special feature that is supposed to offer coercion-resistance in addition.

Basic version.
A blind signature scheme [14] is an interactive protocol between a signer and a user with the goal that the user obtains a signature from the signer on a message but so that the signer does not learn the message. To this end, the user "blinds" the message and the signer signs the blinded message. The user can then "unblind" the signer's blind signature to obtain a signature on the actual message.
In [27,42,70], blind signatures are essentially employed as described next. Each voter blinds her vote and sends the blinded vote to the election authority EA. If the voter is eligible to vote, EA blindly signs the vote and returns its blind signature to the voter. Afterwards, the voter unblinds EA's blind signature and anonymously posts her signed vote on the public bulletin board PBB. Votes with valid signatures by EA are then tallied in clear.
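To make the basic version concrete, here is an added example (not code from FOO, [42], [70] or their authors) of the Chaum-style RSA blind signature flow between a voter and EA, followed by the tally of signed votes posted anonymously on PBB. It assumes a toy RSA key for EA built from two Mersenne primes and a hash-then-sign encoding of the ballot with a random nonce, both constructed here; the eligibility check is reduced to a flag.

```python
import hashlib
import math
import secrets

# Toy RSA key for the election authority EA (constructed for this example):
# the Mersenne primes 2^61-1 and 2^89-1 give a ~150-bit modulus, far too small
# for real use but enough to exercise the blind/sign/unblind/verify flow.
P_EA = (1 << 61) - 1
Q_EA = (1 << 89) - 1
N_EA = P_EA * Q_EA
E_EA = 65537
D_EA = pow(E_EA, -1, (P_EA - 1) * (Q_EA - 1))  # EA's secret signing exponent


def ballot_digest(vote: str, nonce: bytes) -> int:
    """Hash-then-sign encoding: the signed message is H(vote || nonce) mod N.
    The nonce keeps two identical votes from producing identical signatures."""
    digest = hashlib.sha256(vote.encode() + nonce).digest()
    return int.from_bytes(digest, "big") % N_EA


def blind(msg: int) -> tuple:
    """Voter side: choose a blinding factor b coprime to N and form msg * b^e mod N.
    Every msg is equally likely behind a given blinded value (unconditional blinding)."""
    while True:
        b = secrets.randbelow(N_EA - 2) + 2
        if math.gcd(b, N_EA) == 1:
            return msg * pow(b, E_EA, N_EA) % N_EA, b


def blind_sign(blinded: int, eligible: bool) -> int:
    """EA side: after the eligibility check, sign the blinded value without
    learning msg. Nothing in the signing step itself ties a signature to a
    request from a real voter, which is the issue the evaluation raises for FOO."""
    if not eligible:
        raise PermissionError("voter is not eligible")
    return pow(blinded, D_EA, N_EA)


def unblind(blind_sig: int, b: int) -> int:
    """Voter side: (msg * b^e)^d = msg^d * b mod N, so dividing by b leaves msg^d."""
    return blind_sig * pow(b, -1, N_EA) % N_EA


def verify(msg: int, sig: int) -> bool:
    """Ordinary RSA verification of EA's signature on msg."""
    return pow(sig, E_EA, N_EA) == msg


def cast(vote: str, eligible: bool = True) -> tuple:
    """Whole voter flow; the returned triple is what is posted anonymously on PBB."""
    nonce = secrets.token_bytes(16)
    msg = ballot_digest(vote, nonce)
    blinded, b = blind(msg)
    sig = unblind(blind_sign(blinded, eligible), b)
    return vote, nonce, sig


def tally(ballots) -> dict:
    """Count ballots carrying a valid EA signature, in clear; a ballot posted
    twice is counted once."""
    counts, seen = {}, set()
    for vote, nonce, sig in ballots:
        msg = ballot_digest(vote, nonce)
        if verify(msg, sig) and msg not in seen:
            seen.add(msg)
            counts[vote] = counts.get(vote, 0) + 1
    return counts
```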

Advanced version.
A conditional blind signature scheme [33] is a blind signature scheme where the signer (EA) uses a secret bit in her blind signature to indicate whether the resulting signature on the actual message (vote) is valid or not. The user (voter) can check validity of the blind signature, but not of the unblinded one. Grontas, Pagourtzis, Zacharakis, and Zhang [33] employ conditional blind signatures as follows to achieve coercion-resistance.
In the setup phase of the election, EA creates a secret credential σ_i for each voter V_i and sends it to V_i. In the voting phase, if V_i is not under coercion, she sends her secret credential σ = σ_i to EA when she requests a blind signature on her vote; otherwise, if V_i is under coercion, she uses some other credential σ = σ′ (a 'fake credential') for that purpose. Then, EA returns a blind signature to V_i in which EA secretly encodes that the unblinded signature is valid if and only if the submitted credential σ matches σ_i. Afterwards, in the tallying phase, ballots with invalid signatures are removed without revealing the links to individual voters. To this end, Grontas et al. employ the technique by Juels, Catalano, and Jakobsson [41], commonly referred to as the JCJ protocol.

Evaluation.
We observe that neither the basic nor the advanced version provide secure solutions to e-voting with everlasting privacy under realistic assumptions.
Basic version. A significant problem of the original FOO protocol [27] is the fact that EA is able to issue blind signatures for all voters, even those who do not send such a request. Therefore, if EA is corrupted, it can secretly stuff the bulletin board with ballots of its own choice for all abstaining voters. This problem motivated Kaim, Canard, Roux-Langlois, and Traoré [42] to distribute the role of EA by using the threshold blind signature scheme from [7]. However, that scheme [7] was shown to be flawed [36].
Van de Graaf [70] was the first to observe the following potential of FOO: because the signature scheme [14] originally employed in FOO is unconditionally blinding, everlasting privacy can be achieved if the submission channels are unconditionally anonymous. Now, in order to realize such channels, [70] proposes a variant of Chaum's Dining Cryptographers network (DC-net) [15]. The author of [70] suggests letting all voters in the FOO protocol run this DC-net collectively. In this way, he argues, FOO offers everlasting privacy because voters can submit their ballots unconditionally anonymously. Creditably, [70] is the only work which addressed the problem of realizing unconditionally anonymous submission channels, but its construction illustrates our general criticism of B-ANON (see Sec. 3.3): the solution is neither realistic for most real-world elections nor robust because all voters would have to participate in the DC-net protocol.
Another issue of FOO follows from the fact that privacy in FOO solely reduces to the assumption that the submission channels are perfectly anonymous. In particular, unlike all other protocols in B-ANON-A, FOO does not additionally safeguard privacy by a computationally privacy-preserving tallying method.
Advanced version. We observe that, contrary to the original claim, the election authority EA in [33] needs to be trusted for all security properties (public verifiability, everlasting privacy, and coercion-resistance). Therefore, [33] is no more secure than a trivial e-voting protocol with a single completely trusted authority, which contradicts the basic idea of secure e-voting (see Sec. 2).
More precisely, the reason is that, according to the formal specification of [33], EA creates and thus knows the secret credentials of all voters. Hence, EA can impersonate any voter and is thus able to submit votes on all voters' behalf. Such an attack is impossible to detect in [33] because the authors specify that certain parties ("pro democratic organizations") submit (invalid) dummy votes for all voters to protect against coercers who want voters to abstain from voting. Moreover, for the same reason, EA also needs to be trusted for privacy and coercion-resistance. To see this, assume that EA is corrupted and secretly overwrites the votes of all voters except one, say V_i. Since the final election result then only consists of EA's votes and the one by V_i, EA learns how V_i voted, which breaks both privacy and coercion-resistance.
Furthermore, from the underlying JCJ protocol [41], the protocol by Grontas et al. [33] inherits the computational complexity of JCJ's tallying phase, which is quadratic in the number of voters. Hence, [33] cannot be deployed for large-scale elections. Grontas et al. acknowledge this issue and refer to [71] for mitigating it, but they do not provide any details.

Pseudonyms
Pseudonyms are used in [20,40,62] to combine public verifiability with practical everlasting privacy, and in case of [40,62] with coercion-resistance in addition.

Concept.
Using pseudonyms is a "quick and dirty way to obtain everlasting privacy" [40]. The election authority EA simply assigns to each voter V_i a (pseudo-)random number which serves as V_i's pseudonym. Under the assumption that EA keeps the individual links between voters and their pseudonyms secret, everlasting privacy follows.
In what follows, we describe how existing protocols in this group relate. We distinguish between Belenios [20] and [40,62] since the latter ones were designed to offer coercion-resistance in addition; as we shall see, this difference has a significant impact on the necessary trust assumptions.
Belenios [20] essentially augments Helios (see above) with a public-key infrastructure among the voters in order to mitigate trust in the public bulletin board PBB. One of the election authorities, called the Registrar in Belenios, creates a verification/signing key pair (vk_i, ssk_i) for each voter V_i and sends the secret keys to the voters. The verification keys replace the voters' identities and thus serve as the voters' pseudonyms. In the submission phase, V_i signs her ballot with ssk_i and then uses her password to authenticate to PBB. Only ballots with valid signatures are tallied. Since the Registrar keeps the individual links between voters and their pseudonyms secret, practical everlasting privacy is supposed to follow.
The other two protocols [40,62], which employ pseudonyms for everlasting privacy, aim for coercion-resistance in addition. To this end, they employ certain privacy-preserving techniques (which are not relevant for our purposes) that enable voters to secretly overwrite their possibly coerced votes. In both protocols, the election authority EA creates the secret credentials that voters use to create their anonymous ballots.

Evaluation.
We explain that all protocols [20,40,62] in this group need to trust EA for verifiability, at least to some degree, and for everlasting privacy. Moreover, [40,62] even need to trust EA for all other security properties as well.
Cortier, Gaudry, and Glondu [20] claim that Belenios is verifiable if the election authority EA or the public bulletin board PBB are honest. However, as we recall next, this claim is not correct. Hirschi, Schmid, and Basin [37] demonstrate that PBB in Belenios needs to be trusted for verifiability (and to a limited degree for privacy). Moreover, Baloglu, Bursuc, Mauw, and Pang [3] present different attacks against verifiability of Belenios if EA or PBB, but not necessarily both of them, are corrupted. Notably, in Sec. IV-C of [3], Baloglu et al. observe that the reason for these issues is the fact that Belenios uses pseudonyms to achieve everlasting privacy. In a different work, Baloglu et al. [4] show how to mitigate most, but not all, of Belenios' verifiability issues they presented in [3].
We observe that in both protocols [40,62], the election authority EA needs to be trusted for all security properties, i.e., public verifiability, (everlasting) privacy, and coercion-resistance. As already mentioned in the evaluation of [33] (see Sec. 4.2), such an assumption conflicts with the basic idea of secure e-voting (see Sec. 2). We note that this limitation is acknowledged in [40] but not in [62]; in particular, our observation disproves the privacy and coercion-resistance theorems stated in [62].
The reason why EA needs to be trusted for all security properties follows from the fact that EA knows the links between all voters and their pseudonyms as well as all voters' secret credentials. A corrupted EA can exploit this knowledge to secretly overwrite any voter's choice by anonymously submitting a new ballot on that voter's behalf. Therefore, EA needs to be trusted for public verifiability. Moreover, analogously to [33] (see Sec. 4.2), a corrupted EA can target a particular voter V_i and impersonate all voters except V_i so that the final result consists only of EA's votes and V_i's vote; hence, EA also needs to be trusted for (everlasting) privacy and coercion-resistance.
We also note that, while [62] can handle large-scale elections efficiently, the computational complexity of the tallying phase in [40] is quadratic in the number of voters, which it inherits from the underlying JCJ protocol [41]. Hence, [40] cannot be deployed efficiently for large-scale elections.

Summary
We demonstrated that there does not exist a completely satisfying solution for secure e-voting with everlasting privacy in B-ANON-A, even if unconditionally anonymous channels are in place. The main reason is that all existing protocols in B-ANON-A put much trust in the election authority EA. Among all protocols in this sub-class, the impact of a corrupted EA seems most limited in Belenios [20], which therefore offers the most reasonable solution in B-ANON-A. However, it remains an open problem to precisely analyze to which degree EA needs to be trusted in Belenios, or, even better, to completely resolve this issue.

B-ANON-V
We study existing protocols [35,45,51,52,53] in the sub-class B-ANON-V, where the voters themselves generate their credentials (see Sec. 3). We identify two different groups which differ in how eligibility of the anonymous ballots is ensured: linkable ring signatures and membership ZKP. In what follows, we elaborate on these groups and evaluate their properties.

Linkable ring signatures
Linkable ring signatures are the key technique of the VOTOR protocol by Haines and Boyen [35]. In VOTOR, ring signatures are employed as follows. Each voter V_i generates a public/private key pair (vk_i, ssk_i) for the ring signature scheme. The verification key vk_i is used to update the voters' joint verification key vk; the secret signing key ssk_i remains private. When the voter creates her ballot, she signs her vote using ssk_i. Then, the voter submits her signed vote to the public bulletin board PBB via the onion router TOR. At the end of the voting phase, it is verified for each public vote whether the corresponding signature is valid w.r.t. vk. All votes which pass this test are then tallied.
The ring signature scheme employed in VOTOR offers two additional properties: linkability and forward-security. Linkability prevents voters from casting multiple votes. Forward-security allows voters to update their secret keys ssk_i in each election without changing their public verification keys vk_i, so that even if updated private keys are revealed, this does not leak any information about previously used private keys. For this purpose, VOTOR employs the ring signature scheme proposed in [8], which is based on the existence of bilinear or multilinear maps.

Evaluation.
The authors of [35] state that VOTOR offers public verifiability as well as practical everlasting privacy. We did not discover any issues that would contradict their statement. However, the amount of work required to verify a signature in the employed scheme is linear in the size of the electorate; this makes the total computation quadratic in the size of the electorate which is infeasible for larger-scale elections.

Membership ZKP
Membership ZKPs are the key technique of the e-voting protocol by Locher and Haenni [51]. This protocol was extended in [52,53] to offer receipt-freeness [52] or coercion-resistance [53], respectively; these protocols use the same membership ZKP as [51] and differ from [51] mainly in the tallying phase. Furthermore, [51] was implemented in [45].

Concept.
The purpose of a membership ZKP is to enable a prover (voter) to prove knowledge of a secret key ssk_i that belongs to one of the public keys stored in some list vk⃗ (all voters' verification keys), without revealing which one specifically. Locher and Haenni propose a specific membership NIZKP [51] which additionally allows for identifying proofs that used the same ssk_i. This membership NIZKP is employed in [45,51,52,53] as follows. In the setup phase, each voter V_i creates a public/private key pair (vk_i, ssk_i). The public key vk_i is added to the list vk⃗, while the secret key ssk_i remains private. When the voter submits a vote, she uses her secret credential ssk_i to create a membership NIZKP π_i for vk⃗. She then appends π_i to her vote v_i and anonymously submits the resulting pair (v_i, π_i) to the public bulletin board PBB. At the end of the voting phase, votes with invalid NIZKPs are removed. After that, among the votes whose membership NIZKPs use the same ssk_i, the respective last one is identified and then tallied.

Evaluation.
Locher and Haenni state that their protocol offers public verifiability as well as practical everlasting privacy [51]. We did not discover any issues that would contradict their statement. Moreover, the authors implemented their membership ZKP and provided detailed benchmarks to demonstrate that their protocol can be used for larger-scale elections.
We note, however, that the fact that the implementation [45] of [51] abstracts away from the anonymous channels exemplifies our general criticism of B-ANON (see Sec. 3.3). This limitation is particularly problematic in [51] because, similarly to FOO (see Sec. 4), privacy solely reduces to the existence of anonymous submission channels.
We observe that both extensions [52,53] of [51] share the same robustness issue. In order to achieve receipt-freeness or coercion-resistance, respectively, voters can submit an arbitrary number of ballots. Now, the problem is that the complexity of the tallying phase grows linearly [52] or even quadratically [53] in the number of submitted ballots. Therefore, if a single corrupted voter submits many ballots, the tallying phase becomes inefficient. Due to the anonymous ballot submission, such a corrupted voter cannot be identified. As a result, both protocols [52,53] are not robust because they can only guarantee that the final result is delivered under the unrealistic assumption that all voters are honest.

Summary
We demonstrated that [51] is the only known practically efficient solution for secure e-voting with everlasting privacy in B-ANON-V, although under the (arguable) assumption that all voters' submission channels are unconditionally anonymous (see Sec. 3.3). All other protocols are inefficient for larger-scale elections [35] or not robust [52,53].

B-ID-HOM
We study existing protocols [21,22,26,29,69] in the sub-class B-ID-HOM, where voters' identifiable ballots are homomorphically aggregated (see Sec. 3). We identify three different groups which differ in whether and how trust for privacy is distributed among the talliers: no distribution, distributed decryption, and secret-sharing.
In what follows, we elaborate on the second and the third group and evaluate their properties.
We do not elaborate on existing protocols [26,69] in the first group, where trust is not distributed, because they can be regarded as special cases of the two approaches in which trust is actually distributed.
We remind the reader that homomorphic tallying allows for handling simple ballot types, whereas mixing ballots (see Sec. 7) also allows for processing complex ballots.

Distributed decryption
In the homomorphic version of Perfectly Private Audit Trail (PPAT) by Cuvelier, Pereira, and Peters [22], trust is distributed via threshold decryption.
6.1.1 Concept.
In the voting phase, each voter encrypts her vote v_i under the trustees' joint public key pk as e_i ← E(pk, v_i). Then, instead of posting e_i on the public bulletin board PBB (which would break everlasting privacy), the voter sends e_i to a special party, called the secret bulletin board SBB. Unlike PBB, which everyone can access, the content of SBB is only accessible to the trustees. Now, the main cryptographic idea of PPAT is that the homomorphic PKE employed offers a special property, Commitment-Consistent Encryption (CCE) [22]. This feature enables everyone, given a ciphertext e = E(pk, m), to efficiently and deterministically derive a commitment c = C(prm, m, r) to the encrypted message m.
The opening values (m, r) of the commitment c can be computed from e with the secret key sk.
Using the CCE property, SBB derives a commitment c_i = C(prm, v_i, r_i) from each ciphertext e_i = E(pk, v_i) privately submitted by V_i, and posts c_i on PBB. In the tallying phase, each trustee T_j uses its share sk_j of the secret key sk to compute the partial opening values (v^j, r^j) of the aggregated commitment c ← Π_i c_i from the aggregated ciphertext e ← Π_i e_i. Afterwards, T_j posts (v^j, r^j) on SBB. These partial opening values are then combined to obtain the full opening values (v, r). Eventually, (v, r) is published on PBB, where v determines the final election result. The correctness of v can be verified by checking O(prm, c, v, r) = 1.

Evaluation.
Cuvelier et al. state that their protocol [22] guarantees public verifiability and practical everlasting privacy. Cuvelier et al. discuss that their protocol provides two advantages over the secret-sharing approach (see below). Firstly, they argue that their protocol also allows for resolving possible disputes in the submission phase and thus, unlike [21], potentially offers accountability (see Sec. 2). Secondly, they observe that the voters' work load is independent of the number of trustees, whereas it increases linearly with secret-sharing. We agree with Cuvelier et al. on both points, but we think that the second advantage is practically negligible because in real-world elections at most a handful of trustees are typically employed.
Cuvelier et al. propose different instantiations of generic CCE schemes. One of them is an extended version of ElGamal PKE [28], where the derived commitments are (unconditionally hiding) Pedersen commitments [60]; this instantiation is practically efficient.
We conjecture that the homomorphic version of [22] achieves the security properties as stated by Cuvelier et al. [22]. Since Cuvelier et al. demonstrated that their abstract primitives can be instantiated efficiently, we conclude that their approach offers a reasonable solution for secure e-voting with everlasting privacy.

Secret-sharing
The idea of using secret-sharing for distributing trust among the talliers goes back to Cramer, Franklin, Schoenmakers, and Yung [21]. Ge, Chau, Gonsalves et al. [29] present a full-fledged back-end of an e-voting system based on Cramer et al.'s protocol [21]; in particular, Ge et al. address and resolve a critical issue from which Cramer et al. originally abstracted away (see below).
6.2.1 Concept.
We explain how [21] works on a high level. For the sake of simplicity, we make two assumptions. First, voters can choose between two possible candidates, encoded as 0 and 1. In order to extend the protocol to n candidates, the protocol can essentially be run in parallel n times. Second, we use full-threshold additive secret-sharing instead of arbitrary threshold secret-sharing.
The following cryptographic primitives are employed in [21]. First, a commitment scheme C = (KG_c, C, O), which is unconditionally hiding, computationally binding, and additively homomorphic. Second, a NIZKP of knowledge Π for the relation R = {((prm, c), (m, r)) : c = C(prm, m, r) ∧ m ∈ {0, 1}}, which states that commitment c commits to one of the two possible candidates.
In the setup phase, the election authority EA generates parameters prm and publishes prm on PBB.
In the voting phase, each voter V_i first secretly shares her vote v_i among the talliers T_1, ..., T_m as v_i = Σ_j v_i^j.
In the tallying phase, all ballots b_i for which the NIZKP π_i is invalid or for which a complaint by a trustee was filed are discarded. After that, each trustee T_j aggregates its obtained opening values (of the remaining ballots) as v^j ← Σ_i v_i^j and r^j ← Σ_i r_i^j, and publishes (v^j, r^j). The correctness of T_j's output is verified as
6.2.2 Evaluation.
Let us first explain why the original secret-sharing protocol by Cramer et al. [21], as described before, does not offer public verifiability.
Since the commitment scheme is homomorphic and binding, the final result v is accepted (with overwhelming probability) if and only if v = Σ_i v_i, where v_i is the message in V_i's aggregated commitment c_i. Hence, the talliers cannot cheat during tallying. Moreover, due to the soundness of the voters' NIZKPs π_i, the voters can only commit to valid choices.
At first sight, these two properties may seem sufficient for public verifiability, but there exists a significant gap. To see this, assume that trustee T_j claims that it cannot process V_i's commitment c_i^j because V_i did not submit valid opening values for c_i^j; consequently, V_i's ballot is discarded. Now, the problem is that, without further means, it is impossible to distinguish in such a situation whether T_j is telling the truth or not. In particular, if T_j is corrupted, it can make this claim falsely so that V_i's ballot is wrongly excluded from the tallying. Hence, public verifiability is not guaranteed in [21].
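An added example (not code from [21] or [29]) of the secret-sharing tally described above: full-threshold additive shares of a 0/1 vote, Pedersen commitments over a safe-prime group of toy size, each trustee's aggregated opening values, and the public checks on them; the voters' 0/1 NIZKP is omitted. The `discarded` parameter models the gap just described: a ballot dropped on a trustee's unverifiable claim leaves every public check passing. Parameter generation and all sample votes are constructed here.

```python
import secrets


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def setup(bits: int = 48) -> dict:
    """EA's parameters prm = (P, Q, g, h): a safe prime P = 2Q + 1 and two generators
    of the order-Q subgroup whose mutual discrete log is discarded (trusted setup).
    Toy bit size; real deployments use 2048 bits or more."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            break
    p = 2 * q + 1

    def subgroup_generator() -> int:
        while True:
            x = pow(secrets.randbelow(p - 2) + 2, 2, p)  # a square has order Q
            if x != 1:
                return x

    return {"P": p, "Q": q, "g": subgroup_generator(), "h": subgroup_generator()}


def commit(prm: dict, m: int, r: int) -> int:
    """Pedersen commitment C(prm, m, r) = g^m h^r mod P: unconditionally hiding,
    computationally binding, homomorphic (product of commitments)."""
    return pow(prm["g"], m, prm["P"]) * pow(prm["h"], r, prm["P"]) % prm["P"]


def cast_ballot(prm: dict, v: int, m: int) -> tuple:
    """Voter V_i shares v in {0, 1} as v = sum_j v_i^j mod Q among m trustees and
    commits to each share. Returns the public ballot (c_i^1, ..., c_i^m) and the
    private opening values (v_i^j, r_i^j) destined for trustee T_j."""
    if v not in (0, 1):
        raise ValueError("vote must be 0 or 1")
    q = prm["Q"]
    v_shares = [secrets.randbelow(q) for _ in range(m - 1)]
    v_shares.append((v - sum(v_shares)) % q)
    r_shares = [secrets.randbelow(q) for _ in range(m)]
    public = [commit(prm, vs, rs) for vs, rs in zip(v_shares, r_shares)]
    return public, list(zip(v_shares, r_shares))


def trustee_tally(prm: dict, ballots, openings, j: int, accepted) -> tuple:
    """Trustee T_j checks every opening it received and publishes (v^j, r^j),
    the sums of its shares over the accepted ballots."""
    vj, rj = 0, 0
    for i in accepted:
        v_ij, r_ij = openings[i][j]
        if commit(prm, v_ij, r_ij) != ballots[i][j]:
            raise ValueError(f"V_{i}'s opening values do not match c_{i}^{j}")
        vj, rj = (vj + v_ij) % prm["Q"], (rj + r_ij) % prm["Q"]
    return vj, rj


def public_verify(prm: dict, ballots, accepted, outputs):
    """Anyone checks each (v^j, r^j) against the product of T_j's accepted commitments,
    combines the outputs into (v, r) and checks O(prm, c, v, r) = 1. Returns v or None."""
    p, q = prm["P"], prm["Q"]
    c_total = 1
    for j, (vj, rj) in enumerate(outputs):
        c_j = 1
        for i in accepted:
            c_j = c_j * ballots[i][j] % p
        if commit(prm, vj, rj) != c_j:
            return None
        c_total = c_total * c_j % p
    v = sum(vj for vj, _ in outputs) % q
    r = sum(rj for _, rj in outputs) % q
    return v if commit(prm, v, r) == c_total else None


def run_election(prm: dict, votes, m: int, discarded=()):
    """Full run. `discarded` models the verifiability gap: a trustee claims V_i's opening
    values were invalid, ballot i is dropped, and every public check still passes."""
    ballots, openings = zip(*(cast_ballot(prm, v, m) for v in votes))
    accepted = [i for i in range(len(votes)) if i not in discarded]
    outputs = [trustee_tally(prm, ballots, openings, j, accepted) for j in range(m)]
    return public_verify(prm, ballots, accepted, outputs)
```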
Fortunately, as we will explain in what follows, the public verifiability issue of [21] can be (and has been) resolved in different ways.
Solution: receipts. In order to close the verifiability gap, Ge et al. [29] specify that voter V_i sends the tuple (c
Of course, a dishonest tallier T_j could still refuse to reply at all to V_i's request, but that problem can be mitigated by practical means (e.g., auditors can send test requests to the talliers). We therefore find that Ge et al.'s modification of [21] closes the gap described above and hence offers public verifiability under realistic assumptions.
Solution: secret bulletin board. We note that, as an alternative solution, we can employ a secret bulletin board SBB which only trustees can access (as in [22]), as described next. Voters post on SBB their commitments (c
on the public bulletin board PBB. The voter can verify whether her ballot was published correctly. Now, using a PKE scheme that allows for verifiable decryption, we specify that a tallier needs to verifiably decrypt a ciphertext e_i^j on PBB whenever it claims that e_i^j does not contain valid opening values for c_i^j; the hash h_i^j ensures that the publicly decrypted ciphertext is in fact the one privately submitted by V_i. In this way, a corrupted tallier can no longer make the above claim falsely.
Comparison of solutions. In Figure 1 (App. B), we present the voting phase in [21] and the two solutions. Both solutions, the one by Ge et al. [29] and the alternative one, provide their own balances between public verifiability and everlasting privacy. In terms of verifiability, the alternative solution we propose is superior to the one in [29] because it not only mitigates but completely removes all trust in the talliers for verifiability. For the same reason, the alternative approach potentially offers accountability, i.e., individual identification of all misbehaving parties (recall Sec. 2). However, unlike [29], the alternative approach has the drawback that all talliers need to be trusted for everlasting privacy because they learn the encrypted opening values on SBB.
Altogether, we conjecture that, with one of the improvements in place, the secret-sharing approach offers public verifiability (and optionally even accountability) as well as everlasting privacy towards the public (and optionally even towards less than a threshold of the trustees).
Finally, we note that the secret-sharing approach can be deployed efficiently for large-scale elections with simple ballot types, as demonstrated by Ge et al. [29].

Summary
For simple ballot types, secret-sharing and distributed decryption are both reasonable approaches for secure e-voting with everlasting privacy. The secret-sharing approach has, however, some advantageous features. First, unlike the distributed decryption approach, which employs specific cryptographic primitives (CCE), the secret-sharing approach can be instantiated with a larger class of primitives; this feature may be helpful to offer receipt-freeness, which is still an open problem. Second, depending on how the verifiability gap is closed, the secret-sharing approach provides everlasting privacy even if a future adversary gains private data of some trustees.
The most pressing open problem is to formally analyze on the protocol level our conjectures on the security of the secret-sharing and distributed decryption approaches.

B-ID-MIX
We study existing protocols [11,22,25,26,30,34,55,56,61] in the sub-class B-ID-MIX, where voters' identifiable ballots are mixed (see Sec. 3). We identify three different groups which differ in whether and how trust is distributed for privacy: limited distribution for computational privacy, arbitrary distribution for computational privacy, and arbitrary distribution for everlasting privacy. In what follows, we elaborate on these groups and evaluate their properties.
We remind the reader that the main advantage of mixing ballots over homomorphically aggregating them (see Sec. 6) is the property that arbitrary (possibly very complex) ballots can be processed efficiently.

Limited distribution of trust for computational privacy
Originally, the idea of providing everlasting privacy for verifiable e-voting via mixing/shuffling ballots goes back to Moran and Naor [55]. They propose a verifiable on-site (i.e., booth) e-voting protocol which employs an interactive zero-knowledge proof (ZKP) protocol for shuffling unconditionally hiding commitments. Because that ZKP is specifically tailored to shuffle and open a vector of commitments in a single step, the overall e-voting protocol [55] is centered around a single tallier who learns how each individual voter votes. In order to mitigate trust in the tallier, Moran and Naor subsequently presented a new verifiable on-site e-voting protocol [56], called Split-Ballot, with two separate talliers. Despite its thorough security analyses, Split-Ballot has two significant disadvantages. Firstly, the protocol was specifically designed (even on the cryptographic level) for elections with exactly two trustees. Secondly, the protocol can only be employed for on-site (booth) voting, but not for remote (Internet) voting.

Arbitrary distribution of trust for computational privacy
The mix net version of Cuvelier et al.'s perfectly private audit trail (PPAT) framework [22] (recall Sec. 6) is designed to distribute trust for computational privacy among an arbitrary number of talliers.

Concept.
The main idea of [22] is to shuffle in parallel unconditionally hiding commitments to the voters' choices on PBB and the corresponding encrypted opening values of the public commitments on SBB. On the cryptographic level, in order to connect the public trail on PBB and the (perfectly) private trail on SBB, again commitment-consistent encryption (CCE) is employed (recall Sec. 6). More precisely, the protocol works as follows. The voting phase is the same as in the homomorphic version: voter V i encrypts her vote v i under the trustees' joint public key pk as e i ← E(pk, v i ), posts e i on SBB, SBB derives a commitment c i = C(v i , r i ) from each ciphertext e i , and publishes c i on PBB.
In the tallying phase, the vectors ì e 0 = (e i ) i are processed by a set of mix servers M 1 , . . . , M l as follows. The first mix server takes as input ì e 0 , re-encrypts all ciphertexts in ì e 0 , and then permutes the re-encrypted ciphertexts to obtain a shuffled ciphertext vector ì e 1 . The first mix server M 1 posts ì e 1 on SBB, which will be the input of the second mix server M 2 , and so on. Using the CCE feature, a commitment vector ì c k is derived from each shuffled ciphertext vector ì e k and then published on PBB. Eventually, the trustees T 1 , . . . , T m use their secret key shares sk 1 , . . . , sk m to jointly compute an opening ( ì v, ì r ) of the final commitment vector ì c l . The final election result ì v consists of the voters' individual votes, secretly shuffled according to the mix servers overall permutation. The correctness of ì v can be verified by checking O(ì c l , ì v, ì r ) = ? 1. In order to ensure correctness of all intermediate shuffles, Cuvelier et al. [22] employ a NIZKP for proving that a ciphertext vector ì e k is in fact a result of shuffling ì e k −1 . This NIZKP is "CCE-compatible" in the following sense: from a proof π k for the ciphertext vector pair (ì e k−1 , ì e k ), a proof π ′ k can be derived for the corresponding commitment vector pair (ì c k −1 , ì c k ). Now, Cuvelier et al. specify that each mix server M k posts such a proof π k on SBB; the derived proof π ′ k is published on PBB.
Before the trustees open the final commitment vector, they need to verify correctness of all these NIZKPs. We note that these checks are also necessary for privacy in a re-encryption mix net. 9 7.2.2 Evaluation. We conjecture that the mixing version of [22] achieves all security properties it was designed for originally: practical everlasting privacy, computational privacy under the assumption at least one mix server and at least a threshold of trustees are honest, public verifiability, and accountability. Because Gjøsteen, Haines, and Solberg [30] demonstrate that the PPAT protocol can be instantiated to achieve a performance similar to state-of-the-art NIZKP of shuffle [68], we conclude that the PPAT protocol offers a reasonable solution for secure e-voting with everlasting privacy that can even handle complex ballots.
We mention two works built upon [22]. Pereira and Rønne [61] show how to realize a special voting method, called quadratic voting [50], in the PPAT setting. Haines [34] proposes a cast-as-intended protocol for PPAT to mitigate trust on the voting devices. We studied these extensions and confirm that they achieve the additional features they were designed for.

Arbitrary distribution of trust for everlasting privacy
At about the same time as Cuvelier et al. introduced the concept of PPAT [22], in a parallel line of research, Buchmann, Demirel, and van de Graaf [11] published a similar approach to PPAT but with a more ambitious goal: unlike in [22], trust among mix servers should be distributed not only for computational but also for everlasting privacy. In her PhD thesis, Demirel [24] proved this protocol secure in a cryptographic framework, and Arapinis et al. [2] proved everlasting privacy of this protocol in a symbolic model, using automated verification tools. Buchmann et al.'s protocol [11] is employed in [25,26] to provide unconditional privacy in the mix-net version of Helios [1] and in Prêt à Voter [65], respectively.

Concept.
The following cryptographic primitives are used in [11]. First, a commitment scheme $\mathcal{C} = (KG_c, C, O)$, which is unconditionally hiding, computationally binding, and homomorphic. Second, a PKE scheme $\mathcal{E} = (KG_e, E, D)$, which is IND-CPA-secure and homomorphic. Third, a NIZKP of "correct re-encryption" to prove that "the set of output values is a valid shuffle of the set of input values" [11], and a NIZKP of "consistency" to "privately prove that the same permutation and random values have been used to rerandomize the published commitments and to reencrypt the corresponding private encrypted opening values" [11]; the exact relations are not defined in [11] and hence remain unclear.
In the voting phase, each voter $V_i$ commits to her vote $v_i$ as $c_i \leftarrow C(\mathrm{prm}, v_i, r_i)$. Then, $V_i$ encrypts the opening values of $c_i$ separately as $e^0_i \leftarrow E(pk, v_i)$ and $e^1_i \leftarrow E(pk, r_i)$, under the trustees' public key $pk$. Afterwards, the voter creates a proof of consistency $\pi_i$ for $(c_i, e^0_i, e^1_i)$ and submits $b_i \leftarrow (c_i, e^0_i, e^1_i, \pi_i)$ to the first mix server $M_1$. At the end of the voting phase, $M_1$ publishes the commitments $c_i$ of the ballots $b_i$ it received on the bulletin board PBB as a vector $C_0$ and keeps the corresponding ciphertext vectors $E^0_0$ and $E^1_0$ secret. In the mixing phase, starting with the first mix server $M_1$, each mix server $M_k$ takes as input $(C_{k-1}, E^0_{k-1}, E^1_{k-1})$, which it either received from the voters (in case of $M_1$) or from the preceding mix server $M_{k-1}$. First, $M_k$ rerandomizes each commitment $c_{k-1,i}$ from $C_{k-1}$ using some fresh randomness $\rho_{k,i}$ and homomorphically adds $\rho_{k,i}$ to the associated encrypted randomness $e^1_{k-1,i}$ from $E^1_{k-1}$. Furthermore, $M_k$ rerandomizes the vector of encrypted votes $E^0_{k-1}$; the resulting vectors $(C_k, E^0_k, E^1_k)$ are all permuted according to the same random permutation. Then, $M_k$ computes a NIZKP of "correct re-encryption" and posts it on PBB. Eventually, $M_k$ sends $(C_k, E^0_k, E^1_k)$ to $M_{k+1}$ (or to the trustees in case of the last mix server) via its private channel, together with a proof of "consistency".
In the opening/decryption phase, the trustees use their shares of the secret key $sk$ to jointly compute $V^* \leftarrow D(sk, E^0_m)$ and $R^* \leftarrow D(sk, E^1_m)$, and publish $(V^*, R^*)$ on the bulletin board PBB. In the verification phase, it is checked whether $(V^*, R^*)$ is a valid opening for $C_m$ and whether all proofs of correct re-encryption published by the mix servers on PBB are valid.

Evaluation.
The original protocol description, both in Buchmann et al.'s conference paper [11] and in Demirel's PhD thesis [24], is imprecise in several important aspects. For example, it is unclear how mix server $M_{k+1}$ can verify $M_k$'s proof of consistency when it does not know $M_k$'s input. In what follows, we set these issues aside and focus on the main conceptual shortcoming.
We discover that, in fact, trust is not distributed in [11], neither in terms of computational nor everlasting privacy. Our finding therefore disproves Buchmann et al.'s original privacy theorem [11] (and its proof in Sec. 5.2.2 of [24]), as well as the everlasting privacy result in [2]. The reason for this issue is that, due to the design of [11], it cannot be guaranteed that the mix servers involved share the same view on the private trail of votes. For example, if the first mix server $M_1$ is corrupted, it can replace all ciphertexts except for the one by some voter $V_i$. Then, the final result consists only of $M_1$'s votes and $V_i$'s vote. In this way, $M_1$ learns how $V_i$ voted. More advanced attacks that break the privacy of several voters are also feasible by exploiting the homomorphic property of the PKE scheme (see, e.g., [58]).
Since this issue stems from the design of [11], we conclude that there does not exist a secure e-voting protocol in the literature that can simultaneously handle arbitrary ballots and mitigate trust on the talliers for everlasting privacy.

Summary
The mixing version of PPAT [22] is the only known approach in B-ID-MIX in which trust for computational privacy is actually distributed among an arbitrary number of talliers. The two other approaches require trust in all (or all but one) of the talliers. The most pressing open problem is to formally analyze our conjectures on the security of the PPAT protocol.

CONCLUSION
We demonstrated that there exist four promising approaches [20, 21, 22, 51] among the numerous proposals for secure e-voting with everlasting privacy. These solutions offer the potential to guarantee everlasting privacy in real elections. We explained, however, that these approaches significantly differ in the assumptions that they need to make for everlasting privacy. While [20,51] need to assume that voters submit their ballots anonymously, the other two approaches avoid this assumption, which, as we argued, is often unrealistic. Therefore, [21,22] are preferable whenever distributing the trustees is feasible.
We identified two important open problems, one of a theoretical and the other of a practical nature. First, it is fundamental to formally analyze the security of all promising protocols [20, 21, 22, 51]. Second, it is desirable to realize the two strongest proposals [21,22] so that they can be deployed to guarantee everlasting privacy of elections in the real world, not only in theory.

A CRYPTOGRAPHIC PRIMITIVES
We recall the most common cryptographic primitives employed for secure e-voting and introduce our notation for these primitives. We refer to established text books (e.g., [31,32,43]) for formal definitions.
Digital signature. A digital signature (DS) scheme enables a party to sign messages so that everyone can convince herself that the signatures were created by that party and no-one else. We denote DS schemes by $\mathcal{S} = (KG_s, S, V_s)$, where $KG_s$ outputs a verification/signing key pair $(vk, ssk)$, $S(ssk, m)$ outputs a signature $s$, and $V_s(vk, m, s)$ outputs a bit $b$. (Throughout this paper, we typically keep the security parameter $1^\ell$ in the input to algorithms/processes implicit.)

Public-key encryption. A public-key encryption (PKE) scheme enables everyone to encrypt messages so that the content of the resulting ciphertexts can be read by a designated receiver but no-one else. We denote PKE schemes by $\mathcal{E} = (KG_e, E, D)$, where $KG_e$ outputs a public/private key pair $(pk, sk)$, $E(pk, m)$ outputs a ciphertext $e$, and $D(sk, e)$ outputs a message $m'$. The most important security notions are Chosen-Plaintext-Attack (CPA) and Chosen-Ciphertext-Attack (CCA) security.
Some e-voting protocols employ homomorphic PKE schemes. In such schemes, ciphertexts $e_i = E(pk, m_i)$ can be combined (without knowledge of the secret key $sk$ or the messages $m_i$) to obtain a ciphertext $e$ for which $D(sk, e) = \sum_i m_i$ (or $\prod_i m_i$); accordingly, such schemes are called additively or multiplicatively homomorphic. A widely used homomorphic PKE scheme is ElGamal PKE [28], which is CPA-secure under the decisional Diffie-Hellman assumption.

Commitment.
A commitment scheme (CS) enables everyone to commit to messages so that (1) anyone who does not know how the resulting commitments were created is unable to derive the original messages, and (2) everyone can be convinced by the committing party that the commitments in fact committed to the original messages. The first property is called hiding, and the second one binding. We denote CSs by $\mathcal{C} = (KG_c, C, O)$, where $KG_c$ outputs parameters $\mathrm{prm}$, $C(\mathrm{prm}, m, r)$ outputs a commitment $c$, and $O(\mathrm{prm}, m, c, r)$ outputs a bit $b$.
Some e-voting protocols employ homomorphic CSs. In such schemes, commitments $c_i = C(m_i, r_i)$ can be combined (without knowledge of the opening values $(m_i, r_i)$) to obtain a commitment $c = C(\sum_i m_i, \sum_i r_i)$. A widely used homomorphic CS is Pedersen's CS [60], which is unconditionally hiding and computationally binding under the discrete logarithm assumption.
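The following is an added example, not code from [11] or from this paper: a toy Pedersen commitment scheme in the notation $\mathcal{C} = (KG_c, C, O)$ of this appendix, together with the commitment re-randomisation and common permutation that a mix server $M_k$ applies in the mixing phase of [11]. Assumptions: the group parameters are constructed and far too small to be secure, and the encrypted opening trail $(E^0_k, E^1_k)$ of [11] is replaced by openings handed along in the clear, since only the commitment arithmetic is shown.

```python
import secrets

# Constructed toy group: p = 2q + 1 with q prime; g spans the order-q
# subgroup of quadratic residues mod p. Real deployments use a ~256-bit q.
P, Q = 2039, 1019

def KG_c():
    """Output prm = (p, q, g, h). h = g^t for a random t that is discarded
    afterwards, so log_g(h) is unknown (assumed trusted setup)."""
    g = 4  # 2^2, a quadratic residue, hence of prime order q
    t = secrets.randbelow(Q - 1) + 1
    return (P, Q, g, pow(g, t, P))

def C(prm, m, r):
    """Pedersen commitment C(prm, m, r) = g^m * h^r mod p."""
    p, q, g, h = prm
    return pow(g, m % q, p) * pow(h, r % q, p) % p

def O(prm, m, c, r):
    """Opening check: 1 iff (m, r) opens c."""
    return 1 if C(prm, m, r) == c else 0

def hom_add(prm, c1, c2):
    """Homomorphism: C(m1, r1) * C(m2, r2) = C(m1 + m2, r1 + r2)."""
    return c1 * c2 % prm[0]

def rerandomise(prm, c, rho):
    """[11] mix step: c * C(0, rho) = C(v, r + rho): same vote, fresh randomness."""
    return hom_add(prm, c, C(prm, 0, rho))

def mix(prm, commits, openings, rhos=None, perm=None):
    """One mix server M_k: re-randomise every commitment with its own rho and
    permute commitments and (secret) openings by the same permutation.
    rhos/perm default to CSPRNG choices; pass them for deterministic checks."""
    n, q = len(commits), prm[1]
    if rhos is None:
        rhos = [secrets.randbelow(q) for _ in range(n)]
    if perm is None:
        perm = list(range(n))
        secrets.SystemRandom().shuffle(perm)
    out_c, out_open = [], []
    for i in perm:
        v, r = openings[i]
        out_c.append(rerandomise(prm, commits[i], rhos[i]))
        out_open.append((v, (r + rhos[i]) % q))
    return out_c, out_open

def verify_final(prm, final_c, final_open):
    """Verification phase: (V*, R*) must open every commitment in C_m."""
    return all(O(prm, v, c, r) for c, (v, r) in zip(final_c, final_open))
```

Chaining `mix` twice models two mix servers; the published $C_k$ vectors change at every hop while the vote multiset carried in the openings does not.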
Zero-knowledge proof. A non-interactive zero-knowledge proof (NIZKP) system enables a party to prove non-interactively that a certain statement holds true without revealing any information beyond the correctness of that statement. The property that ensures that a dishonest prover cannot create a valid proof for a false statement is called soundness; the property that no more information can be extracted from the proof than the correctness of the statement is called zero-knowledge. We denote NIZKP systems by $\Pi = (P, V)$, where the prover $P$ takes as input the statement/witness pair $(s, w)$ of the respective relation and outputs a proof $\pi$, and the verifier $V$ takes as input $(s, \pi)$ and outputs a bit $b$.
Many e-voting protocols employ a NIZKP of knowledge, which requires that a prover also needs to know a witness of the respective statement.

B COMPARISON OF SECRET-SHARING SOLUTIONS
Cramer et al.