Understanding Shielded Voting

Shielded voting refers to voting systems that aim to protect the privacy and anonymity of votes and voters. As elections and voting have moved to digital platforms and online systems, there are growing concerns about the potential loss of voting privacy and the risks of voter coercion or vote buying. Shielded voting protocols attempt to preserve the secrecy of ballots and confidence in election integrity while leveraging the convenience and efficiency of digital voting.

This guide covers the main approaches to shielded voting, real-world implementations, and the future landscape of the model.

The Risks of Non-Private Voting Systems

Most modern democracies consider the privacy of voting and ballots a fundamental right that upholds fair democratic elections. However, many emerging online and electronic voting solutions fail to properly shield voter data and the contents of ballots. Without adequate cryptographic protocols and privacy-enhancing technologies, digital voting systems can pose numerous risks, such as:

  • Loss of voter anonymity: Electronic voting records can reveal which candidates each voter selected if data is not properly encrypted and anonymized. The loss of secrecy opens the door to potential coercion, vote buying, or targeting of voters for their selection.
  • Data breaches and leaks: If voting data is not sufficiently secured and encrypted, cyber-attacks, insider threats, or technical glitches could lead to the unauthorized release of ballots and voter preferences. This damages voter privacy.
  • Voter fraud or tampering: If voting systems do not have verifiable cryptographic proofs built into their protocols, fraudulent or altered ballots can be difficult to detect. This enables faulty voting systems and damages election integrity.
  • Voter disenfranchisement: The possibility of leaked or publicized ballot data and loss of privacy around voting choices leads some citizens to abstain from voting over privacy concerns or fears of retaliation. This skews election participation and representation.
  • Undermined trust in electoral processes: Voters have less confidence and trust in the fairness and legitimacy of electoral outcomes if they have doubts about the privacy and security protections of voting systems. This damages democracy.

The Meaning of Voter Privacy and Ballot Secrecy

At the core of shielded voting systems is the notion of voter privacy and ballot secrecy. This represents the idea that an individual’s votes and electoral participation should be protected information known only to that voter, in order to uphold free and fair access to democracy. Maintaining the secrecy of ballots ensures that votes cannot be monitored, voters cannot be unduly pressured, and the revealed results accurately reflect the authentic will of voters.

Cryptographers and computer scientists point to two key principles around achieving voter privacy through shielded voting systems:

  • Voter anonymity: This means that there should be no way to trace any cast vote back to the individual voter who submitted it. Votes should be unlinkable and untraceable to voter identities.
  • Ballot secrecy: This represents the notion that no one should be able to uncover how any individual voted from their encrypted ballot. The system should prevent the ability to decrypt votes on a per-voter level, ensuring votes remain confidential.

Different technical and cryptographic protocols for shielded voting aim to uphold both anonymity and secrecy to varying degrees. Tradeoffs emerge between assuring voter privacy versus goals like transparency, accountability, accessibility, cost, and complexity. System designers must navigate these balances.

Approaches to Shielded Voting

There exist a variety of potential approaches to introducing privacy protections, anonymous authentication, and verifiable integrity into digital voting systems. Let’s explore some of the most promising and prominent categories.

Homomorphic Encryption

Homomorphic encryption represents a special type of encryption that allows computations to be carried out on encrypted data without requiring access to a secret decryption key. This class of encryption enables complex mathematical operations to take place under encryption constraints.

When applied to voting, homomorphic encryption schemes allow ballots to be tallied and aggregated while remaining encrypted. This permits the final vote outcomes to be revealed without exposing any individual voter’s selections. Some simplified examples of homomorphic voting include schemes where voters distribute symmetric encryption keys to all voting authorities, allowing collective tallying, or situations where voters pre-commit encrypted versions of their selections which only appointed entities can later decrypt.

However, many theoretically secure homomorphic encryption algorithms remain too computationally intensive for practical uses or introduce complexities around distributing secret keys. Alternate protocols attempt to realize similar privacy goals through other mathematical means.
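To make the "tally while encrypted" idea concrete, here is an added example (not taken from any system described in this guide) that uses exponential ElGamal, one additively homomorphic scheme. The toy group parameters, function names, and sample votes are assumptions chosen for illustration.

```python
import secrets

# Toy group, chosen here for readability: P = 2Q + 1 with P, Q prime, and G
# generating the subgroup of order Q. Real systems use ~2048-bit groups or curves.
P, Q, G = 2039, 1019, 4

def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def encrypt(pk, vote):
    """Exponential ElGamal: the vote sits in the exponent, so ciphertexts add."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), pow(G, vote, P) * pow(pk, r, P) % P

def add(c1, c2):
    """Component-wise product of ciphertexts encrypts the sum of the votes."""
    return c1[0] * c2[0] % P, c1[1] * c2[1] % P

def decrypt_sum(sk, ct, max_sum):
    """Decrypt to g^m, then recover the small integer m by exhaustive search."""
    a, b = ct
    gm = b * pow(a, Q - sk, P) % P              # b / a^sk
    for m in range(max_sum + 1):
        if pow(G, m, P) == gm:
            return m
    raise ValueError("sum outside expected range")

def run_election(votes):
    sk, pk = keygen()
    ballots = [encrypt(pk, v) for v in votes]   # published, never decrypted one by one
    total = (1, 1)                              # trivial encryption of 0
    for ct in ballots:
        total = add(total, ct)
    return decrypt_sum(sk, total, len(votes))   # only the aggregate is opened

# Constructed sample: 1 = "yes", 0 = "no".
SAMPLE_VOTES = [1, 0, 1, 1, 0, 1, 0]

if __name__ == "__main__":
    print(run_election(SAMPLE_VOTES))
```

The tally accepts whatever integer a ballot encrypts, so a ciphertext of 5 would count as five votes; each ballot therefore needs a separate proof that it encrypts 0 or 1.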

Zero-Knowledge Proofs

Zero-knowledge proofs serve as an alternative mathematical approach to facilitate shielded voting. First conceptualized in the 1980s and now realizable through advances in succinct arguments of knowledge and bulletproofs, zero-knowledge protocols allow one party (the prover) to demonstrate to another party (the verifier) that a statement is true without conveying any other additional information apart from the factuality of that statement.

Applied to voting systems, voters can leverage zero-knowledge proofs to convince validating authorities that their vote is constructed properly without revealing which candidate they voted for. Adding zero-knowledge components helps attain voter privacy and ballot secrecy while still allowing votes to undergo public integrity checks. The rapid speeds enabled by modern zero-knowledge systems allow them to secure even national-scale elections.
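As an added illustration (not code from any system named in this guide), the sketch below shows one classic way to prove a vote is "constructed properly": a disjunctive Chaum-Pedersen proof, made non-interactive with a hash, that an ElGamal ciphertext encrypts 0 or 1. The toy group, function names, and the `tamper` helper are assumptions made for the example.

```python
import hashlib, secrets

# Toy group chosen for this example: P = 2Q + 1, G has prime order Q.
# With Q this small a forged proof passes with probability about 1/Q.
P, Q, G = 2039, 1019, 4

def rand():
    return secrets.randbelow(Q - 1) + 1

def challenge(*vals):
    """Fiat-Shamir: hash the statement and commitments into a challenge mod Q."""
    digest = hashlib.sha256(",".join(map(str, vals)).encode()).digest()
    return int.from_bytes(digest, "big") % Q

def commitments(pk, a, b, i, c, s):
    """Commitments for the branch 'ballot encrypts i', recomputed from (c, s)."""
    bi = b * pow(G, Q - i, P) % P                       # b / g^i
    return (pow(G, s, P) * pow(a, Q - c, P) % P,        # g^s * a^-c
            pow(pk, s, P) * pow(bi, Q - c, P) % P)      # pk^s * (b/g^i)^-c

def cast(pk, vote):
    """Encrypt vote in {0, 1} and prove validity without revealing which."""
    r, w, fake = rand(), rand(), 1 - vote
    a, b = pow(G, r, P), pow(G, vote, P) * pow(pk, r, P) % P
    c, s, comm = [0, 0], [0, 0], [None, None]
    c[fake], s[fake] = rand(), rand()                   # simulate the false branch
    comm[fake] = commitments(pk, a, b, fake, c[fake], s[fake])
    comm[vote] = (pow(G, w, P), pow(pk, w, P))          # honest branch
    c[vote] = (challenge(pk, a, b, *comm[0], *comm[1]) - c[fake]) % Q
    s[vote] = (w + c[vote] * r) % Q
    return (a, b), (c[0], c[1], s[0], s[1])

def verify(pk, ct, proof):
    """Anyone can check the proof; it never reveals which branch was honest."""
    (a, b), (c0, c1, s0, s1) = ct, proof
    if pow(a, Q, P) != 1 or pow(b, Q, P) != 1:          # reject non-subgroup elements
        return False
    A0, B0 = commitments(pk, a, b, 0, c0, s0)
    A1, B1 = commitments(pk, a, b, 1, c1, s1)
    return (c0 + c1) % Q == challenge(pk, a, b, A0, B0, A1, B1)

def tamper(ct):
    """Constructed invalid ballot: shift the plaintext by one (1 becomes 2)."""
    return ct[0], ct[1] * G % P
```

The two challenge shares must sum to the hash output, so the prover can choose at most one of them freely; that is what forces one of the two branches to be a true statement.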

Mix Networks

A mix network, or mixnet, represents another genre of cryptographic protocol designed to enable anonymous communication and shielded voting. Mixnets split messages into encrypted segments and route them through a series of proxy servers (“mix nodes”), each decrypting a layer of encryption to reveal the next destination. This mixing process ultimately delivers the message to its destination without any single node knowing the complete origin, content, or destination.

By building voter ballots in layers of encryption routed across digital mix nodes, mix networks can deliver anonymized, shuffled votes to provide voter anonymity and ballot secrecy. However, issues like ensuring the trustworthiness of mix nodes, proofs to validate correct shuffling, and achieving sufficient scale and speed remain ongoing challenges for many mixnet implementations.

Secure Multi-Party Computation

Secure multi-party computation (MPC) refers to an approach where multiple parties jointly compute sensitive data inputs to derive final outputs without any individual party learning the secret inputs from the others. Communication and computation take place cooperatively between decentralized nodes in a manner that maintains the segmentation of privileged data.

MPC can enable shielded voting by having voters construct ballots as secret inputs that get jointly processed across nodes to produce anonymized, aggregated voting outputs. By keeping voting data segmented across parties, MPC overcomes traditional privacy limits of databases and networks and opens pathways for Internet-scale secure digital voting. Computation costs and latency remain limitations, though both continue to improve.
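The simplest MPC building block for this kind of tally is secret sharing. The following added example (not drawn from any deployment discussed here) uses Shamir sharing so that each tallier only ever sees random-looking shares, the talliers add shares locally, and any threshold of them can reconstruct the total even if the others are offline. The field modulus, the 3-of-5 threshold, and the function names are assumptions.

```python
import secrets

M = 2**61 - 1   # prime field modulus; the final tally must stay below M

def share(vote, n, t):
    """Shamir-share `vote` among n talliers: any t shares reconstruct it,
    fewer than t reveal nothing about it."""
    coeffs = [vote] + [secrets.randbelow(M) for _ in range(t - 1)]
    return [(x, sum(c * pow(x, k, M) for k, c in enumerate(coeffs)) % M)
            for x in range(1, n + 1)]

def reconstruct(points):
    """Lagrange interpolation at x = 0 over GF(M)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % M
                den = den * (xi - xj) % M
        total = (total + yi * num * pow(den, M - 2, M)) % M
    return total

def tally(votes, n=5, t=3):
    """Each tallier adds the shares it received. The sums are themselves
    Shamir shares of the vote total, so no single ballot is ever opened."""
    subtotals = [0] * n
    for v in votes:
        for idx, (_, y) in enumerate(share(v, n, t)):
            subtotals[idx] = (subtotals[idx] + y) % M
    return [(idx + 1, s) for idx, s in enumerate(subtotals)]

# Constructed sample ballots: 1 = "yes", 0 = "no".
SAMPLE_VOTES = [1, 0, 1, 1, 0, 1, 1]

if __name__ == "__main__":
    pts = tally(SAMPLE_VOTES)
    print(reconstruct(pts[:3]), reconstruct(pts[2:]))   # any 3 talliers agree
```

This covers honest-but-curious talliers only; detecting a tallier that reports a wrong subtotal requires verifiable secret sharing or proofs on top.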

Real-World Implementations of Shielded Voting

Now that we have reviewed some foundational approaches to architecting shielded voting systems, let us examine some notable real-world implementations of these privacy-preserving electronic voting schemes:


Scantegrity

Developed by computer scientists at universities like MIT and the University of Ottawa, Scantegrity represents an end-to-end verifiable voting system that relies on confirmation codes printed on optical scan paper ballots. Obscuring layers conceal voter selections, with cryptographic proofs ensuring votes stay bound to ballots while maintaining anonymity and secrecy.

Scantegrity has undergone successful small-scale deployments in locations like state party conventions and student elections. However, the inherent need for printed paper trails limits the achievable scale, while discarded ballots still pose privacy risks regarding voter identities matched to choices. But Scantegrity helped pioneer and test important principles around shielded voting.

Prêt à Voter

First introduced by academics at the University of Surrey in England, Prêt à Voter (or “ready to vote”) separates ballot construction from the voting process itself to achieve voter anonymity. Election officials randomize candidate orders across equivalent ballots using cryptographic commitments and permutations. This prevents ballots from being uniquely tied to individuals while still enabling tabulation and verification.

While not yet implemented in major public elections, Prêt à Voter and its variants have undergone analysis in simulated elections. It could hold promise for supervised voting stations. But the system’s reliance on trustees and inability to support remote voting narrow its accessibility and impede scalability.


SERVE

Developed in part by the Galois Research Institute with funding from the Defense Advanced Research Projects Agency, the Secure, Efficient, Reliable, and Verifiable Remote Election (SERVE) program focused on building open-source shielded voting capabilities leveraging homomorphic encryption. Still in experimental conceptual stages, SERVE illustrates ambitions around enabling verifiable integrity, ballot secrecy, and accessibility through remote Internet voting powered by underlying cryptographic proofs.

Galois continues advancing pioneering work into developing large-scale, fully electronic voter-verifiable voting systems resistant to coercion and achieving end-to-end privacy. Such research signals the ongoing momentum toward secure digital voting backed by mathematics and open protocols rather than physical controls.

Evaluating the Tradeoffs

As we assess and compare emerging approaches toward shielded voting, let’s examine some of the key tradeoffs and balances involved with implementing systems to achieve ballot privacy and electoral integrity:

  • Voter Privacy vs Transparency: Systems that fully preserve vote anonymity and ballot secrecy through cryptographic means can struggle to offer the same degree of public verifiability and transparency around auditing election outcomes offered by more simplistic systems using paper trails or voter roll attachments. Difficult balances emerge.
  • Theoretical vs Practical Security: Some mathematically elegant shielded voting schemes boast impressive security and privacy guarantees under theoretical threat models. But many struggle with real-world deployment barriers regarding computational efficiency, key management logistics, voter accessibility, or cost overruns. Practical weaknesses continue to be exploited in operational environments.
  • Centralized vs Decentralized Control: Migrating voting systems to distributed ledger architectures or multi-party computation frameworks avoids certain centralized vulnerabilities. Yet decentralized schemes often still rely on some trusted authorities to facilitate identity, prevent Sybil attacks, provide dispute resolution, and uphold availability. Concentrating control introduces single points of failure that shielded voting strives to overcome.
  • Universality vs Exception Handling: Shielded voting systems built around blanket voter anonymity and secrecy have difficulties integrating exception handling needed for transparency around abnormal activities like inactive voter purges, fraud investigations, or court-ordered oversight. Extensive anonymity means forfeiting transparency pathways necessary for trustworthy electoral stewardship.

Overall, experts agree that no definitive solution yet delivers a voting system that is maximally secure, affordable, and convenient, resists all vectors of compromise, and still retains essential means of oversight. Advancing technology expands the solution space, but underlying tradeoffs likely persist indefinitely.

The Future Landscape and Outlook

Shielded voting mechanisms remain largely confined to academic studies, small-scale pilots, and limited experimental deployments in niche contexts so far. Adoption in major public elections at state or national levels is nascent but drawing nearer. What might we expect for the road ahead?

Likely progressions involve expanding piloting with remote voting via personal devices first in less critical lower-stakes elections around student governments, community issues, union matters, shareholder resolutions, or party primaries. These initial deployments will sharpen remote voting operations while limiting exposure if growing pains emerge.

A broader rollout will necessitate overcoming substantial adoption hurdles across areas like public understanding, election management logistics, accessibility provisions, infrastructure readiness, and legal policy formations. But early indicators point to many advanced democracies targeting some degree of shielded voting allowances over coming years, even if supplemented by alternate physical voting pathways during transitional phases.

Ongoing cryptography research and technology proliferation should catalyze such expansion via continuous improvements around efficiency, reliability, identity management, verifiable trust, coercion resistance, exception handling transparency, and comprehensive election accessibility. Embedding shielded voting into everyday digital infrastructures like computers and smartphones may gradually erode certain barriers as remote voting gets interwoven into societal foundations.

While risks certainly accompany any paradigm shift around electoral systems, shielded voting stands poised to potentially resolve numerous endemic vulnerabilities that plague existing voting approaches if prudent, gradual deployment can allow supportive infrastructure to co-evolve. Done right under careful stewardship, cryptographically-backed private balloting could effectively reinforce modern democracy as we march toward an increasingly digitized future society.