TRIP: Coercion-resistant Registration for E-Voting with Verifiability and Usability in Votegral
Louis-Henri Merino, Simone Colombo, Rene Reyes, Alaleh Azhir, Shailesh Mishra, Pasindu Tennage, Mohammad Amin Raeisi, Haoqian Zhang, Jeff Allen, Bernhard Tellenbach, Vero Estrada-Galiñanes, and Bryan Ford
To appear in
SOSP 2025: The 31st Symposium on Operating Systems Principles
October 13–16, 2025
Abstract:
Online voting is convenient and flexible, but amplifies the
risks of voter coercion and vote buying. One promising mitigation
strategy enables voters to give a coercer fake voting
credentials, which silently cast votes that do not count. Current
proposals along these lines make problematic assumptions
about credential issuance, however, such as strong trust
in a registrar and/or in voter-controlled hardware, or expecting
voters to interact with multiple registrars. Votegral is
the first coercion-resistant voting architecture that leverages
the physical security of in-person registration to address
these credential-issuance challenges, amortizing the convenience
costs of in-person registration by reusing credentials
across successive elections. Votegral’s registration component,
TRIP, gives voters a kiosk in a privacy booth with
which to print real and fake credentials on paper, eliminating
dependence on trusted hardware in credential issuance.
The voter learns and can verify in the privacy booth which
credential is real, but real and fake credentials thereafter
appear indistinguishable to others. Only voters actually under
coercion, a hopefully-rare case, need to trust the kiosk.
To achieve verifiability, each paper credential encodes an
interactive zero-knowledge proof, which is sound in real
credentials but unsound in fake credentials. Voters observe
the difference in the order of printing steps, but need not
understand the technical details. Experimental results with
our prototype suggest that Votegral is practical and sufficiently
scalable for real-world elections. User-visible latency
of credential issuance in TRIP is at most 19.7 seconds even
on resource-constrained kiosk hardware, making it suitable
for registration at remote locations or on battery power. A
companion usability study indicates that TRIP’s usability
is competitive with other E-voting systems including some
lacking coercion resistance, and formal proofs support TRIP’s
combination of coercion-resistance and verifiability.
Preliminary draft:
PDF