Michael Naehrig
is a Principal Researcher at Microsoft Research working
in cryptography. Much of his research aims at bridging the gap between
theory and practice. He has contributed to elliptic-curve cryptography,
homomorphic encryption, and post-quantum cryptography, and hopes to
enable end-to-end verifiable elections with his work on ElectionGuard.
Ben
Hovland was confirmed by unanimous consent of the United States
Senate on January 2, 2019 as a member of the U.S. Election Assistance
Commission (EAC) and served as Chairman in 2020 and 2024. His
leadership during an unprecedented time for election administration has
helped transform the EAC to better support election officials and
voters across the United States.
Commissioner Donald
Palmer serves on the United States Election Assistance Commission
(EAC) and is the current Chairman of the Commission. His work at the EAC
has consisted of proposed penetration testing as part of the VVSG testing
program and laying the foundation for the EAC evaluation and testing of
election supporting technology.
Schedule
(🏆 = distinguished paper award in tracks 1,2,3, and best presentation award in track 5)
Tuesday 30th Sept., 2025 - PhD Colloquium
12:00pm-1:45pm - Lunch time 🍽️
(* participants are strongly encouraged to have lunch together as an ice breaker *)
1:45pm-2:00pm - Opening remarks
2:00pm-3:20pm - Mechanisms for Trust in Internet Voting
Revo[tk]e: Revote and Revoke to Improve Coercion
Resistance Jose Luis Martin-Navarro
State versus Technology: What drives trust in and usage of internet
voting, institutional or technological trust? Bogdan Romanov
3:20pm-3:45pm - Break ☕️
3:45pm-5:05pm - Usability and Theory of Internet Voting
Investigating Usability of Flexible Vote Updating Christina Frederikke Nissen
🏆 Formal Definitions for Internet Voting Florian Moser
5:05pm-5:45pm - General Q&A and Closure
We will do a group photo 📷
7:00pm-9:00pm - Welcome reception, downtown 🍹🌮
Open to all the participants of the conference.
At the Pub Mac Carthy, 6 Rue Guerrier de Dumast, 54000 Nancy.
Wednesday 1st Oct., 2025 - Day 1
8:00am-9:00am - Registration
8:45am-9:00am - Opening remarks
9:00am-10:00am - Invited talk
Moderator: Leontine Loeber
Speaker: Toby S. James (University of East Anglia UK)
What is Electoral Integrity? Conceptualising Election Quality in an Age of Complexity
There are worldwide concerns about the quality of elections and
democracy, but also an ambiguity in academia, the international community
and popular discourse about how to define and measure good elections.
This talk draws from a forthcoming book with Holly Ann Garnett which
develops an original concept of electoral integrity based around human
empowerment. Elections serve a purpose: they should give citizens voice,
empower the everyday citizen against the powerful and act as mechanisms
for political equality. Secondly, it argues that there have been major
societal megatrends meaning that the holding of elections have moved
from the modern era to an age of complexity. This describes an era of
demographic, technological, legal, economic, and political complexity and
fluidity. The greater connection between nodes of activities in the
electoral process means that elections held in one part of the world can
be very quickly affected by actors and developments elsewhere. Thirdly,
it provides new measurement tools to assess election quality. The
presentation should trigger conversations about how technology can
complement or undermine electoral integrity.
10:00am-10:30am - Break ☕️
10:30am-11:45am - Track 1: Coercion Resistance
Session Chair: Véronique Cortier
Voting Under Pressure: Perceptions of Counter-Strategies in Internet Voting Christina Frederikke Nissen, Tobias Hilt, Jurlind Budurushi, Melanie Volkamer and Oksana Kulyk
While internet voting can enhance democratic participation,
concerns about voter coercion have emerged due to the uncontrolled voting environment. To mitigate this, researchers have proposed different
types of counter-strategies, allowing voters to cast their intended vote
despite being coerced. We conduct semi-structured interviews (N = 26)
to investigate voters’ perceptions of six types of counter-strategies concerning their effectiveness. Our findings show that the voter’s perception
of the effectiveness of counter-strategies depends on both the technical
and personal skills of voters, concrete risks, and ease of use. Overall,
our findings pave the way for future research aimed at developing userfriendly solutions that are effective against voter coercion.
Revisiting silent coercion David Chaum, Richard Carback, Mario Yaksetig, Jeremy Clark, Mahdi Nejadgholi, Bart Preneel, Alan Sherman, Filip Zagorski, Bingsheng Zhang and Zeyuan Yin
We revisit “silent coercion” where an adversary gains access
to a voter’s credential without the voter’s knowledge in an E2E verifiable, coercion-resistant Internet voting system. We argue that in this
setting, casting an intended vote is impossible since the cryptographic
backend can no longer distinguish the voter and adversary. However, we
affirm that the voter can still act to nullify adversarial ballots, which is
preferable to inaction. We provide a new instantiation of nullification using zero-knowledge proofs and multiparty computation, which improves
on the efficiency of the current state-of-the-art. We also demonstrate an
example voting system—VoteXX—that uses nullification. Our nullification protocol can complement new and existing techniques for coercion
resistance (which all require voters to hide cryptographic keys from the
coercer), providing a failsafe option for voters whose keys leak.
Threshold Receipt-Free Voting with Server-Side Vote Validation Thi Van Thao Doan, Olivier Pereira and Thomas Peters
Proving the validity of ballots is a central element of verifiable elections. Such proofs can however create challenges when one
desires to make a protocol receipt-free.
We explore the challenges raised by validity proofs in the context of
protocols where threshold receipt-freeness is obtained by secret sharing
an encryption of a vote between multiple authorities. In such contexts,
previous solutions verified the validity of votes by decrypting them after
passing them through a mix-net. This approach however creates subtle
privacy risks, especially when invalid votes leak structural patterns that
threaten receipt-freeness.
We propose a different approach of threshold receipt-free voting in which
authorities re-randomize ballot shares then jointly compute a ZK proof of
ballot validity before letting the ballots enter a (possibly homomorphic)
tallying phase. Our approach keeps the voter computational costs limited
while offering verifiability and improving the ballot privacy of previous
solutions.
We present two protocols that enable a group of servers to verify and publicly prove that encrypted votes satisfy some validity properties: MiniMix,
which preserves prior voter-side behavior with minimal overhead, and
HomoRand, which requires voters to submit auxiliary data to facilitate
validation over large vote domains. We show how to use our two protocols within a threshold receipt-free voting framework. We provide formal
security proofs and efficiency analyses to illustrate trade-offs in our designs.
11:45am-12:00pm - Break ☕️
12:00pm-1:15pm - Track 2: Trust in elections
Session Chair: Leontine Loeber
Does Extending Polling Hours Compensate for Bomb Threats? Evidence from the 2024 Election in Georgia, USA Sequoia Andrade and Philip Stark
At least 227 bomb threats against polling places and tabulation centers were received
on the day of the 2024 US presidential election. Threats disrupted voting in the swing states of
Georgia, Arizona, and Pennsylvania while law enforcement swept polling places. No bombs were
found.Roughlyadozen‘credible’threatswerereceivedinGeorgiainDeKalbandFultoncounties,
interrupting voting at eleven polling locations; there were dozens of ‘non-credible’ threats in addition.
To remediate the effect of the temporary closures of polling places, courts ordered some polling
places to remain open late. Nonparametric statistical tests using turnout data from 2020 and 2024
show that this remedy may have been inadequate: in DeKalb, 2024 in-person turnout in precincts
closed by threats relative to 2020 turnout in the same precincts was suppressed compared to other
DeKalb polling places (𝑃≈0.01). In Fulton, there is no statistical evidence that in-person voting was
suppressedin precincts closed by bomb threats.
i-Voting in Poland? Trust, Political Skepticism, and Safety Concerns David Duenas-Cid and Magdalena Musiał-Karg
While Internet voting is gaining global attention as a democratic innovation, Poland has yet to introduce this option. This study explores public attitudes toward the potential implementation of Internet voting in Poland, a country with high digitalization levels but contested political trust. Using Q-methodology, the research identifies three distinct discourses shaping (dis)trust in Internet voting: (1) an optimistic group, expressing strong support based on trust in both institutions and technology; (2) a skeptical group, marked by deep political distrust and fears of manipulation; and (3) a critically positive group, cautiously supportive if strict security and transparency conditions are met. The study develops a typology of trust in political institutions and digital technologies to interpret these findings. It argues that successful adoption of Internet voting in Poland requires addressing both technological readiness and political legitimacy. The results offer practical insights for policymakers and electoral authorities on designing trust-building strategies for digital electoral innovations in politically polarized environments.
From Reporting Delay to Conspiracy Theory Ines Levin and Gabriel Katz
In 2020, the Iowa caucuses became the focus of controversy due to issues with a mobile
application used to report precinct-level results. This caused significant reporting delays, raised
concerns about electoral integrity, and ultimately led the Iowa Democratic Party to abandon the
traditional caucus system in 2024. Using survey data from a nationally representative sample of
10,300 U.S. adults collected shortly after the 2020 caucuses, we show that predispositions toward
conspiratorial thinking and low levels of political knowledge strongly predict conspiratorial beliefs
about the incident, while political orientations play a relatively minor role. These findings highlight
the critical role of political information in shaping interpretations of electoral controversies.
1:15pm-2:45pm - Lunch time 🍽️
2:45pm-3:35pm - Track 3: Lessons from countries 1
Session Chair: Liisa Past
E-vote in Argentina - 2025 Buenos Aires case study Nicolas Deane and Jorge Garcia
This document describes how elections take place in Argentina, how e-vote has been
introduced, how the system works and actual experiences. The case study analyses the 2025 general
elections in the City of Buenos Aires, highlighting the institutional and operational strengths of its
autonomous electoral framework. The implementation of the Electronic Ballot system improved
transparency, efficiency and accessibility across all stages of the process. The case demonstrates
how integrated technology and efficient electoral planning can enhance confidence in democratic
institutions and offer a scalable model for electoral modernization.
Empowering the Diaspora: A Digital Approach to Voter Registration for Albanian Citizens Out of the Country Elira Hoxha, Jona Josifi and Redion Lila
This paper examines the implementation and outcomes of electronic voter registration
(e-registration) for Albanian citizens living out of the country. As part of broader efforts to modernize
electoral processes and enhance democratic inclusion, Albania introduced a digital platform to enable
diaspora members to register remotely for participation in national elections. The study analyzes the
legal, institutional, and technical dimensions of this initiative, drawing from international practices
and adapting them to Albania’s unique electoral and administrative context. While the system aimed
to increase accessibility, accuracy, and engagement among the diaspora, the paper also considers key
challenges encountered during implementation, including identity verification, cybersecurity, and
outreach effectiveness. The paper offers practical insights into the design, deployment, and initial
impact of e-registration. The findings contribute to the ongoing discourse on expanding democratic
participation through digital tools, particularly in transitional democracies.
3:35pm-4:15pm - Break ☕️
4:15pm-5:45pm - Track 1: New constructions
Session Chair: Peter Y. A. Ryan
End-to-End Verifiable Internet Voting with Partially Private Bulletin Boards Valeh Farzaliyev and Jan Willemson
In 2024, Harrison and Haines examined the applicability of
STARKs in the context of homomorphically tallied elections. While their
work ensures the Recorded-as-Cast and Tallied-as-Recorded properties
of a voting system, it lacks Cast-as-Intended verification and does not
provide a coercion mitigation mechanism. In this work, we address these
challenges and propose an updated voting protocol that achieves all three
verification properties, at the same time providing coercion resistance by
allowing re-voting. Our approach leverages vector commitment schemes
with update mechanisms. We implement our protocol and provide comparative benchmarks to the Harrison and Haines solution. Our approach
significantly outperforms the latter, allowing processing a considerably
larger number of votes within the same hardware limits.
REACTIVE: Rethinking Effective Approaches Concerning Trustees in Verifiable Elections Josh Benaloh, Michael Naehrig and Olivier Pereira
For more than forty years, two principal questions have been
asked when designing verifiable election systems: how will the integrity
of the results be demonstrated and how will the privacy of votes be preserved? Many approaches have been taken towards answering the first
question such as use of mixnets and homomorphic tallying. But, in the
case of large-scale elections, the second question has always been answered in the same way: decryption capabilities are divided amongst
multiple independent “trustees” so that a collusion is required to compromise privacy.
In practice, however, this approach can be fairly challenging to deploy.
Even if multiple human trustees are chosen, they typically use software
and often also hardware provided by a single voting system supplier,
and they rarely have any real opportunity to confirm its correctness.
As a result, we observe that trustees are generally not in a position to
exercise the independent judgment necessary to ensure privacy.
This Systematization of Knowledge (SoK) paper looks at several aspects
of the trustee experience. It begins by surveying and discussing various cryptographic protocols that have been used for key generation in
elections, explores their impact on the role of trustees, and notes that
even the theory of proper use of trustees is more challenging than it
might seem. This is illustrated by showing that one of the only references
defining a full threshold distributed key generation (DKG) for elections
defines an insecure protocol. Belenios, a broadly used open-source voting
system, claims to rely on that reference for its DKG and security proof.
Fortunately, it does not inherit the same vulnerability, and we offer a
security proof for the Belenios DKG.
The paper then discusses various practical contexts, in terms of humans,
software, and hardware, and their impact on the practical deployment of
a trustee-based privacy model.
Surtr: Transparent Verification with Simple yet Strong Coercion Mitigation Rosario Giustolisi, Maryam Sheikhi and Peter Browne Rønne
Transparent verification allows voters to directly identify
their vote in cleartext in the final tally result. Both Selene and Hyperion offer this simple and intuitive verification method, and at the
same time allow for coercion to be mitigated under the assumption that
tally servers can privately notify voters of the keying material needed for
verification. Subsequently, a voter can generate fake keying material to
deceive a coercer.
In this paper, we propose Surtr, a new scheme that enables transparent
verification without requiring a private notification channel. This approach strengthens coercion mitigation, since a coercer can monitor the
notification channel, and simplifies the process by eliminating the need
for voters to generate fake keying material for the coercer.
(short paper) Improving the Efficiency of zkSNARKs for Ballot Validity Felix Röhr, Nicolas Huber and Ralf Küsters
Homomorphic tallying in secure e-voting protocols enables privacy-preserving vote
aggregation. For this approach, zero-knowledge proofs (ZKPs) for ensuring the validity of encrypted
ballots are an essential component.
While it has been common to construct tailored ZKPs forevery kind of ballot and voting method at
hand, recently Huber et al. demonstrated that also general-purpose ZKPs (GPZKPs), such as Groth16
zkSNARKs, are suited for checking ballot validity. Unlike tailored solutions, GPZKPs provide a
unified, generic, and flexible framework for this task. In this work, we improve on the initial GPZKPs
for ballot validity proposed by Huber et al. Specifically, we present several circuit-level optimizations
that significantly reduce proving costs for exponential ElGamal-encrypted ballots. We provide an
independent,ready-to-useCircomimplementationalongwithconcretebenchmarks,demonstrating
substantial improvements in performance and practicalusability over prior implementations.
6:00pm-8:00pm - Poster & Demo session 📜🎬 🍹🌮
See list of accepted posters/demos at the bottom of this page.
Thursday 2nd Oct., 2025 - Day 2
9:00am-10:00am - Invited talk
Moderator: Pierrick Gaudry
Speaker: Michael Naehrig (Microsoft Research, USA)
ElectionGuard: A modular approach to verifiable elections
ElectionGuard is a set of open-source tools that can be used with traditional election systems to produce
end-to-end verifiable elections. Election vendors can integrate it into their own systems and processes,
and it has been deployed in both public and private elections in the U.S. and elsewhere.
In this talk, we will take a look at ElectionGuard's cryptographic building blocks, see how they achieve
end-to-end verifiability, discuss some lessons learned from implementation efforts and pilot deployments,
and peak into possible future extensions and changes.
10:00am-10:30am - Break ☕️ + group photo 📸
10:30am-11:45am - Track 3: Election technology in practice
Session Chair: Oliver Spycher
On a Study of Mechanisms for End-to-End Verifiable Online Voting (StuVe) Véronique Cortier, Alexandre Debant, Ralf Kuesters, Florian Moser, Johannes Mueller and Melanie Volkamer
The German Federal Office for Information Security published a study on end-to-end
verifiable online voting mechanisms. We aim to make this study more visible to the E-Vote-ID
community (which includes academia, regulatory bodies and vendors). The study describes the core
idea of the selected mechanisms and evaluates them using an interdisciplinary approach that considers
secrecy, end-to-end verifiability, usability, and practicality. We find that the selection of mechanisms
represents the state of the art in internet voting systems well, and that the evaluation clearly showcases
the fundamental properties of each mechanism. However, we note that the evaluations are conducted
on a per-mechanism basis, whereas real-world systems are composed of multiple.
Experience from UNITA Elections: Reconciling Revote, E2E Verifiability and Low Coercion Feng Hao, Luke Harrison, Saverio Veltri, Irene Pugliatti, Chris Sinclair and Gareth Nixon
This paper presents an experience of designing, building and deploying an online voting system for
the Student Assembly elections in the UNITA Alliance with the following requirements. First, the
system should allow voters to vote as many times as they wish before the election’s closing time with
only the last vote being counted (known as revote). Second, the system should allow end-to-end (E2E)
verifiability. Third, the system should allow voters to cast votes under the minimum influence from
external forces or coercion. Developing an online voting system to meet these requirements poses a
unique challenge. In this paper, we present an online voting system for UNITA elections, based on a
variant of the DRE-ip protocol to provide E2E verifiability with support for revote. The system adopts
a two-server architecture and implements a separation of control between the two servers to protect the
voter’s anonymity. The first UNITA elections were successfully concluded in March 2025, providing a
case study for reconciling revote, E2E verifiability and low coercion in a real-world setting. The use of
verifiable online voting to empower students from different European universities to elect the Student
Assembly also serves as a model for more inclusive democratic governance of a university alliance.
A review of the Chilean Electoral Integrity System (SIE) Mario Novoa, Magdalena Cruzat and Catalina Muñoz
Electoral integrity depends on multiple safeguards to ensure transparency, accountability,
and public trust. In Chile, a country consistently ranked among the highest in international measures
of electoral quality, the Electoral Service (SERVEL) introduced the Electoral Integrity System (SIE)
as a response to the vulnerability of depending solely on the official tabulation system (SCE). The
SIE was designed as a parallel mechanism to compute and publish results independently, providing
redundancy and a verifiable backup during critical stages of the electoral process. This paper examines
the origins, design, and operation of the SIE, with particular attention to its deployment in the 2024
general elections. The analysis covers its procurement, preparation, testing, and contingency planning,
as well as performance on election day, when the system ensured the continuity of result dissemination
during delays in the official platform. The results show that the SIE contributes directly to the tallied
as recorded dimension of verifiability, ensuring that published outcomes reflect the tally sheets, while
also enhancing transparency through redundancy. Although the SIE cannot address irregularities in
earlier stages such as ballot casting or vote recording, and its permanence is limited by the absence of
a legal framework, it nonetheless represents a significant innovation. The Chilean case illustrates how
parallel tabulation systems can reinforce electoral resilience and provide a model adaptable to other
democracies, particularly in contexts marked by complex electoral rules or low levels of trust.
11:45am-12:00pm - Break ☕️
12:00pm-1:15pm - Track 2: Internet voting
Session Chair: Isabelle Borucki
🏆 Development and Expert Evaluation of an Informative Video concerning Verifiable Internet Voting Tobias Hilt, Florian Moser, Philipp Matheis and Melanie Volkamer
As digitalization advances, online elections are becoming increasingly prevalent. State-of-the-art internet voting systems implement
verifiability, which allows to observe the election result to be correct,
while safeguarding the secrecy of the election. However, the continued
use of unverifiable ’black-box’ systems suggests that election organizers
may be unaware of the security challenges in internet voting and the
mitigation strategies that have been developed.
To address this gap, we developed an informative video on the topic for
election organizers who are non-experts in internet voting. To ensure that
the simplifications made for our target audience do not lead to misunderstandings, 19 German-speaking internet voting experts evaluated the
video. Based on their feedback, we consider improvements to the video
to enhance its correctness, clarity, and completeness. Further, developing
the video and then performing the expert evaluation provided valuable
experiences and lessons learned we want to share with similar endeavours
trying to simplify complex topics for non-expert audiences.
How to Implement Anywhere Voting: A Case Study of Brazil Leonardo Kimura, Roberto Araújo and Marcos Simplicio
High levels of abstention in elections are often caused by
the distance to polling stations. This is particularly prominent for voters
who are traveling or have recently relocated. A promising solution to this
problem is “anywhere voting”, which allows citizens to cast their votes at
any polling station. However, existing implementations typically rely on
Internet-connected authentication to avoid double voting. Albeit simple,
this approach is often seen as impractical in many scenarios, especially
in remote regions where Internet access is unreliable or when the risk of
denial-of-service attacks is high. In this article, we study how anywhere
voting could be adapted to such constrained environments. Using Brazil
as a case study — given its vast territory, regional disparities, and infrastructural challenges — we evaluate four potential solutions. Our analysis
suggests that the most viable approach involves preventing double voting through secure hardware, while eliminating residual duplicates via
mixnets and threshold cryptography.
Recommendations to OSCE/ODIHR (on how to give better recommendations for Internet voting) Jan Willemson
This paper takes a critical look at the recommendations
OSCE/ODIHR has given for the Estonian Internet voting over the 20
years it has been running. We present examples of recommendations
that can not be fulfilled at all, but also examples where fulfilling a recommendation requires a non-trivial trade-off, potentially weakening the
system in some other respect. In such cases OSCE/ODIHR should take
an explicit position which trade-off it recommends. We also look at the
development of the recommendation to introduce end-to-end verifiability.
In this case we expect OSCE/ODIHR to define what it exactly means
by this property, as well as to give explicit criteria to determine whether
and to which extent end-to-end verifiability has been achieved.
1:15pm-2:30pm - Lunch time 🍽️
2:30pm-4:00pm - Track 1: Verifiability
Session Chair: Michelle Blom
Dice, but don’t slice: Optimizing the efficiency of ONEAudit Jacob Spertus, Amanda Glazer and Philip Stark
ONEAudit provides more efficient risk-limiting audits than
other extant methods when the voting system cannot report a cast-vote
record linked to each cast card. It obviates the need for re-scanning; it
is simpler and more efficient than ‘hybrid’ audits; and it is far more
efficient than batch-level comparison audits. There may be room to
improve the efficiency of ONEAudit further by tuning the statistical
tests it uses and by using stratified sampling. We show that tuning the
tests by optimizing for the reported batch-level tallies or integrating
over a distribution reduces expected workloads by 70-85% compared
to the current ONEAudit implementation across a range of simulated
elections. The improved tests reduce the expected workload to audit the
2024 Mayoral race in San Francisco, California, by half—from about 200
cards to about 100 cards. In contrast, stratified sampling does not help:
it increases workloads by about 25% on average.
MERGE: Matching Electronic Results with Genuine Evidence, for verifiable voting in person at remote locations Ben Adida, John Caron, Arash Mirzaei and Vanessa Teague
Overseas military personnel often face significant challenges in participating in
elections due to the slow pace of traditional mail systems, which can result
in ballots missing crucial deadlines. While internet-based voting offers a faster
alternative, it introduces serious risks to the integrity and privacy of the voting
process. We introduce the MERGE protocol to address these issues by combining
the speed of electronic ballot delivery with the reliability of paper returns. This
protocol allows voters to submit an electronic record of their vote quickly while
simultaneously mailing a paper ballot for verification. The electronic record can
be used for preliminary results, but the paper ballot is used in a Risk Limiting
Audit (RLA) if received in time, ensuring the integrity of the election. This
approach extends the time window for ballot arrival without undermining the
security and accuracy of the vote count.
End-to-End Verifiability with Casting of Publicly Audited, Cleartext Ballots P. Y. A. Ryan, Afonso Arriaga, Olivier Pereira and Peter Roenne
Many end-to-end verifiable schemes have been proposed and
these typically require voters to perform some form of ballot audit in
order to achieve cast-as-intended assurance. Such audits typically take
the form of a cut-and-choose procedure, often in sequential form, where
the voters should randomly decide at each step whether to audit or to
cast (Benaloh challenges). These are generally thought to be awkward
from a usability point of view and hard to understand.
Here we propose an in-person scheme in which ballot audits are outsourced to independent auditors and observers. There is no longer any
need or expectation that voters perform ballot audits (but the option
to audit can still be offered to voters). All ballots are audited, including
ones that are used to cast votes, thus there is no cut-and choose needed,
resulting in high levels of ballot assurance.
This contributes to improved usability and acceptability. It also means
that assurance in the outcome is no longer reliant on a good proportion
of voters performing ballot audits with sufficient diligence. Verification
can be performed by any observers, and the outcome is verified even if
no voter performs ballot audits. Furthermore, ballot audits take the form
of verifying cryptographic tracing data (e.g. malleable signatures) rather
than verifying vote encryptions, avoiding the need to reveal randomisation factors etc. For transparency and usability, the ballots incorporate a
cleartext version of the vote and so the vote is displayed to the voter. Dispute resolution is also improved compared to many other ballot auditing
methods, including many flavors of the Benaloh challenges, as they are
now public and universally verifiable.
(short paper) The DROP Protocol: Dispute Resolution via Observation in Public for Verifiable, In-Person Voting (Extended Abstract) Josh Benaloh, Michael Naehrig and Olivier Pereira
Dispute resolution has been a significant challenge in verifiable election protocols since such protocols
were first proposed more than forty years ago. This work explores the problem from a new perspective
and offers strong dispute resolution forin-personvoting bydepending on observers.
It proposes a simple definition of dispute resolution as a property of a voting protocol — a definition that
is independent of any other security goal. It also presents the DROP protocol, a verifiable, in-person
voting protocol that runs in the presence of observers who will always reach a correct conclusion in
the case of a dispute without ever being able to compromise privacy or facilitate coercion.
4:00pm-4:30pm - Break ☕️
4:30pm-5:20pm - Track 3: Lessons from countries 2
Session Chair: David Dueñas-Cid
🏆 Offline Electronic Voting in Flanders - Implementation, Evaluation and Strategic Lessons Jan Coudron
This paper presents a case-study of offline electronic voting as implemented in Flanders, Belgium, across three election cycles (2012, 2018, 2024). The contribution draws on official evaluation reports and implementation practice. It analyses the structure and functioning of the voting system, the conditions under which it was deployed, and the lessons learned. The paper also explores strategic considerations for future development, including policy challenges. This case-study aims to support electoral authorities and e-voting stakeholders in selecting secure, auditable, and trusted technologies for democratic processes.
The Impact of Election Technology in Bulgaria Stoil Tzitzelkov
The paper examines the role of electronic voting machines (EVM) in all national and
municipal elections conducted in Bulgaria between 2021 and 2024, with particular attention to
invalid ballots and irregularities in preferential vote counting. Drawing upon comprehensive
empirical material, including official electoral statistics, judicial records, and stakeholder interviews,
the analysis demonstrates that e-voting markedly reduced invalid ballots (0.35% in the 2022
parliamentary elections) and enhanced the accuracy of preferential tabulation. By contrast, the
reintroduction of paper voting during the 2023 municipal elections produced a surge in invalid votes
to 15.3%, thereby exposing the fragility of electoral integrity. Despite the clear benefits of
technological innovation, challenges persist, stemming from political resistance and administrative
inconsistencies, most notably nearly 10,000 discrepancies between machine and manual tallies in
2024. The Bulgarian case highlights that careful implementation, transparency, and data-driven
oversight are indispensable for strengthening integrity, public trust, auditability, and efficiency of
tabulation.
5:20pm-6:20pm - Panel
Post-Quantum Transformation in E-Voting
Chair: Peter Roenne
Panelists:
Thomas Haines, Audhild Høgåsen, Riccardo Longo, Olivier Pereira, Jan Willemson
7:30pm-9:30pm - Gala diner 🥂🍷🍽️
Grands Salons de l'Hôtel de Ville, Place Stanislas.
Distinguished paper awards ceremony
Friday 3rd Oct., 2025 - Day 3
9:00am-10:15am - Invited talk
Speakers: Benjamin W. Hovland (U.S. Election Assistance Commission) and Donald L. Palmer (U.S. Election Assistance Commission)
A Bipartisan Dialogue on Securing Voting Technology in the United States
In this conversational keynote, Chairman Donald Palmer and Commissioner
Ben Hovland will share how the Election Assistance Commission (EAC)
supports the secure and reliable use of technology in elections across
the United States, one of the most decentralized and diverse election
environments in the world. Created by the Help America Vote Act in 2002
(HAVA), the EAC serves as an independent, bipartisan federal agency
charged with helping states improve election administration and voter
access. A central part of its mission is the development of the Voluntary
Voting System Guidelines (VVSG), a set of specifications against which
voting systems can be certified. Although these guidelines are voluntary,
they play a crucial role in setting national standards for security,
accessibility, usability, and interoperability. HAVA also mandates that
the EAC accredit voting system test laboratories and certify voting
systems. According to the 2024 Election Administration and Voting Survey,
nearly 93 percent of states, the territories, and DC require voting
system testing and certification either by statute or through a formal
administrative rule or guidance. About 46 percent of states reported
using the EAC-adopted VVSG, while others require testing to federal
standards or testing by a federally accredited laboratory. The EAC
supports election officials across states and jurisdictions, each of
which faces different legal frameworks, resource constraints, and
operational challenges. In the lead-up to recent federal election cycles,
risks around elections have become increasingly complex. Chairman Palmer
and Commissioner Hovland will discuss how the Commission has met these
challenges in practice, including how to support a highly diverse set of
election managers who are juggling many priorities. Their discussion
will focus on how the EAC puts its mission into action, offering
practical insights into balancing technical rigor, policy realities, and
local needs to strengthen democratic resilience.
10:15am-10:45am - Break ☕️
10:45am-12:15pm - Track 1: Analysis and Attacks
Session Chair: Alexandre Debant
🏆 Credential Attacks in Ontario's Online Elections Eric Klassen, James Brunet, Nicole Goodman and Aleksander Essex
We propose two novel voter authentication attacks in the
context of the 2022 Ontario Municipal Election, which offered online
voting to almost four million voters in over 200 municipalities. One attack exploits a misconfiguration in one of the voting portals used by up to
one million voters. It was mitigated through a successful coordinated vulnerability disclosure that we conducted with the affected vendor during
the election period. The other attack exploits widespread and insecurely
discarded login credentials. This attack affects the vast majority of the
deployments examined, and we study and quantify the risk for each city
individually. In both cases, the risks were aggravated by unique, contextdependent factors, which we detail. Finally, toward quantifying this risk,
and absent the availability of this data elsewhere, we present a comprehensive census of online deployments used in the province
Attack Once, Compromise All? On the Scalability of Attacks Eva Hetzel, Marc Nemes and Jörn Müller-Quade
Electronic voting schemes are often criticized for being insecure, on the grounds that a successful attack would allow an adversary
to manipulate all votes at once. It is argued that attacks therefore have a
higher impact at lower adversary costs compared to paper-based schemes,
where attacks are cumbersome. In this paper, we propose a framework
to quantify how prone different protocols are to attacks that scale well.
For this purpose, we introduce the notion of scalability of attacks. We
give the adversary access to an oracle which can break common cryptographic building blocks and assumptions and analyze how many inputs
of a (multiparty computation) protocol they can learn or manipulate for
each oracle access. The more inputs are affected, the more susceptible
the protocol is to attacks that scale well. We compare several pairs of
protocols solving the same problem in different ways in three examples
and analyze the scalability of attacks on each protocol. We find that
some protocols have a fatal breakdown, i.e. all inputs are affected with
only one access to the oracle, while other protocols scale linearly or have
a threshold, where the number of affected inputs increases drastically
from one access to the other. Our framework provides strong arguments
in favoring one voting scheme over another. It enables voting authorities
to compare schemes that appear equally secure at first glance, and to
consider the scalability of attacks when deciding on a scheme.
Re‑Voting Under Surveillance: National eID Transaction Logs as a Threat to Coercion Resistance in Estonian Internet Voting Tarvo Treier
Estonia’s nationwide Internet-voting scheme relies on the
state-mandated electronic identity (eID) infrastructure for strong voter
authentication and qualified electronic signatures. A statutory safeguard
against coercion is re-voting: a voter may cast multiple electronic ballots
during the advance-voting period, with only the last one counted, and
the number of ballots must remain secret.
This expectation is violated by current eID audit practice: every signing
transaction—including each vote—is irrevocably logged by the eID service provider and displayed to the credential holder. These logs reveal the
exact count and timing of a voter’s interactions with the voting system,
compromising the intended secrecy of re-voting and enabling coercers to
detect whether the voter has changed their choice.
This paper presents a threat model and examines concrete design alternatives—such as persistent log filtering, dedicated voting credentials, and
offline signing—analysing their respective trade-offs in security, usability, regulatory compliance, and system complexity. The findings demonstrate how well-intentioned components can interact to break coercion
resistance through a metadata-based side-channel.
The identified vulnerability has been responsibly disclosed to the relevant
Estonian authorities. The case underlines the need for composition-aware
risk assessment whenever election systems depend on external digital
infrastructures.
(short paper) Towards formal verification and corrupted setup security for the SwissPost voting system Sevdenur Baloglu, Sergiu Bursuc, Reynaldo Gil-Pons and Sjouke Mauw
The SwissPost voting system is one of the most advanced voting systems aimed for national
elections, featuring extensive documentation [Gi],continuous deployment and improvement
[Sp23], and security reports from independent researchers [CDG22; Fo22; Ha20; Ha23;
HPT22a; HPT22b; Kr22; KS19]. In this extended abstract, we propose the development of
two further pillars of trust: formal verification accompanied by machine-checked proofs,
and resistance to attacks exploiting a corrupted setup component. We focus on the two
main security properties that the SwissPost system aims to achieve: vote privacy, i.e.
voter choices are private, and end-to-end verifiability, i.e. voters and auditors can obtain
guarantees on the correct counting of voting choices. Vote privacy should hold even if the
network, voting servers and the bulletin board are corrupt. The guarantees expected for
verifiability are even stronger: it should also hold even if, in addition to parties mentioned
above, the voting platform of voters is corrupt.
12:15pm-12:30pm - Break ☕️
12:30pm-1:30pm - Rump Session & Conclusion 🎤
Session chair: Steve Kremer
1:30pm-2:30pm - Lunch time 🍽️
2:30pm - End of the conference.
At the end of the Venue & Accomodation page, we list
some things that can be done on Friday afternoon and/or over the
week-end.
Accepted papers (Tracks 1, 2, 3)
Recommendations to OSCE/ODIHR (on how to give better recommendations for Internet voting) - Jan Willemson
Development and Expert Evaluation of an Informative Video concerning Verifiable Internet Voting - Tobias Hilt, Florian Moser, Philipp Matheis and Melanie Volkamer
i-Voting in Poland? Trust, Political Skepticism, and Safety Concerns - David Duenas-Cid and Magdalena Musiał-Karg
Voting Under Pressure: Perceptions of Counter-Strategies in Internet Voting - Christina Frederikke Nissen, Tobias Hilt, Jurlind Budurushi, Melanie Volkamer and Oksana Kulyk
End-to-End Verifiable Internet Voting with Partially Private Bulletin Boards - Valeh Farzaliyev and Jan Willemson
Threshold Receipt-Free Voting with Server-Side Vote Validation - Thi Van Thao Doan, Olivier Pereira and Thomas Peters
Attack Once, Compromise All? On the Scalability of Attacks - Eva Hetzel, Marc Nemes and Jörn Müller-Quade
Credential Attacks in Ontario's Online Elections - Eric Klassen, James Brunet, Nicole Goodman and Aleksander Essex
Does Extending Polling Hours Compensate for Bomb Threats? The 2024 Election in Georgia, USA - Sequoia Andrade and Philip Stark
REACTIVE: Rethinking Effective Approaches Concerning Trustees in Verifiable Elections - Josh Benaloh, Michael Naehrig and Olivier Pereira
MERGE: Matching Electronic Results with Genuine Evidence, for verifiable voting in person at remote locations - Ben Adida, John Caron, Arash Mirzaei and Vanessa Teague
From Reporting Delay to Conspiracy Theory - Ines Levin and Gabriel Katz
Re‑Voting Under Surveillance: National eID Transaction Logs as a Threat to Coercion Resistance in Estonian Internet Voting - Tarvo Treier
How to Implement Anywhere Voting: A Case Study of Brazil - Leonardo Kimura, Roberto Araújo and Marcos Simplicio
Towards formal verification and corrupted setup security for the SwissPost voting system - Sevdenur Baloglu, Sergiu Bursuc, Reynaldo Gil-Pons and Sjouke Mauw
The DROP Protocol: Dispute Resolution via Observation in Public for Verifiable, In-Person Voting - Josh Benaloh, Michael Naehrig and Olivier Pereira
Revisiting silent coercion - David Chaum, Richard Carback, Mario Yaksetig, Jeremy Clark, Mahdi Nejadgholi, Bart Preneel, Alan Sherman, Filip Zagorski, Bingsheng Zhang and Zeyuan Yin
Dice, but don’t slice: Optimizing the efficiency of ONEAudit - Jacob Spertus, Amanda Glazer and Philip Stark
End-to-End Verifiability with Casting of Publicly Audited, Cleartext Ballots - P. Y. A. Ryan, Afonso Arriaga, Olivier Pereira and Peter Roenne
Short Paper: Improving the Efficiency of zkSNARKs for Ballot Validity - Felix Röhr, Nicolas Huber and Ralf Küsters
Surtr: Transparent Verification with Simple yet Strong Coercion Mitigation - Rosario Giustolisi, Maryam Sheikhi and Peter Browne Rønne
On a Study of Mechanisms for End-to-End Verifiable Online Voting (StuVe) - Veronique Cortier, Alexandre Debant, Ralf Kuesters, Florian Moser, Johannes Mueller and Melanie Volkamer
The Impact of Election Technology in Bulgaria - Stoil Tzitzelkov
Offline Electronic Voting in Flanders - Implementation, Evaluation and Strategic Lessons - Jan Coudron
Experience from UNITA Elections: Reconciling Revote, E2E Verifiability and Low Coercion - Feng Hao, Luke Harrison, Saverio Veltri, Irene Pugliatti, Chris Sinclair and Gareth Nixon
Empowering the Diaspora: A Digital Approach to Voter Registration for Albanian Citizens Out of the Country - Elira Hoxha, Jona Josifi and Redion Lila
E-vote in Argentina - 2025 Buenos Aires case study - Nicolas Deane and Jorge Garcia
A review of the Chilean Electoral Integrity System (SIE) - Mario Novoa, Magdalena Cruzat and Catalina Muñoz
Accepted posters/demos (Tracks 4)
Posters and Demos provide an opportunity to interact with the E-Vote-ID community. However, their acceptance for the Poster and Demo session does not
imply an endorsement from E-Vote-ID nor that they have been subject to a full scientific review process.
Achieving Court Verifiability without Expert Knowledge
while Maintaining Coercion Resistance- A (2 Devices) and
(3+ Receipts) in-booth e-voting system - Shymaa Arafat
Automated Ballot Stuffing with an Encrypted Vote: A
Large-Scale Attack on the Estonian Internet Voting System
(IVXV) and its Mitigation - Shymaa Arafat
Removing Insiders' Trust From the Estonian Internet Voting - Shymaa Arafat
Where did my vote go? - Andrew Conway, Michelle Blom, Alexander Ek, Peter J. Stuckey and Vanessa Teague
Zero-Trust Digital Voting Protocol For Government Elections - David Ernst and Ariana Ivan
Unconditional Individual Verifiability with Receipt Freeness via Post-Cast Isolation - Janis Erdmanis
Usable, Secure and Legally Compliant Individual Verifiability in Internet Voting - Tobias Hilt, Bernhard Beckert, Felix Dörre, Amina Gutjahr, Michael Kirsten, Jörn Müller-Quade, Indra Spiecker gen. Döhmann and Melanie Volkamer
Enhancing Transparency in E-Voting: Lessons from the Swiss Post Community Programme and the 2026 Release - Xavier Monnat and Audhild Høgåsen
Digitalizing Eligibility Checks at Poll Stations: a Proposal for the
Italian Scenario - Simone Brunello, Riccardo Longo, Francesco Antonio
Marino, Umberto Morelli, Giada Sciarretta, Chiara Spadafora and
Alessandro Tomasi
A proven Hybrid "Portal-to-Paper" Electronic Balloting Solution - Bryan Finney
Secure Digital Voting with Voter-Verified Paper Ballots: A Hybrid Election Case Study - Josefina Correa Gutierrez and Cesar Correa Parker
The Additive Evoting System - Paul Cheffers
DAVINCI: decentralized autonomous vote integrity network with cryptographic inference - Pau Escrich, Marta Bellés-Muñoz, Jordi Piñana, Lucas Menéndez, Roger Baig, Jose Luis Muñoz-Tapia and Alex Kampa
