E-Ring Voting.
A verifiable, anonymous, traceable e-voting system. One cryptographic primitive, two interchangeable storage layers, a 16-page comparison paper that asks one question honestly: does the blockchain buy you anything?
The cryptographic core.
The otrs/ module is a clean reference implementation of
Scafuro & Zhang's one-time traceable ring signatures
(ESORICS 2021) — KeyGen, Sign, Verify, Trace — over
Ristretto255 with RFC 9380 hash-to-curve.
All randomness from os.urandom; arithmetic delegated to
libsodium via a direct cffi binding. Replaces the original prototype's
160-bit DSA-subgroup with 128-bit security.
What this primitive gives you: ballot anonymity inside the ring (DDH + ROM); deterministic, publicly verifiable double-vote detection via a per-(voter, election) trace tag. Anyone with the ledger independently recomputes the tally — zero trusted components.
Two interchangeable architectures.
A — Federated bulletin board
Hash-chained append-only log; entries co-signed by a t-of-N Ed25519 publisher cohort; log heads independently co-signed by a k-of-M witness federation that surfaces equivocation as publicly verifiable evidence. Certificate-Transparency / Sigsum lineage.
B — Proof-of-work chain
Bitcoin-shaped SHA-256 chain; heaviest-chain selection; median-time difficulty adjustment. eVote ledger with accounts, nonces, fees, coinbase, and eight typed transactions. Ballots carry no chain-layer sender, preserving anonymity at the storage layer.
The comparison thesis.
Both architectures share the same OTRS primitive and the same record schema; what differs is the storage and ordering layer — and that single delta cascades into trust model, decentralisation, censorship resistance, cross-poll linkability, and finality.
At N = 50 voters: the federated log finishes in ≈ 1.1 s with a 324 KB log; the PoW chain finishes the same election in ≈ 3.0 s with a 344 KB chain. ~1.6× wall-clock, ~6 % storage overhead — and an entirely different trust story.
The tech report (paper/artifact.tex) lays this out head-to-head,
including a direct engagement with the Park & Specter critique of
blockchain voting.
Test suite & threat model.
127 tests cover algebraic invariants of the group wrapper, RFC 9380 determinism + domain separation, OTRS sign/verify/trace correctness, property-based tests under Hypothesis, threshold-cohort behaviour, Architecture-A election flow, Architecture-B end-to-end on chain (PoW, ledger arithmetic, nonce replay, signature tampering, double-sign detection, save/load round-trip), and adversarial cases (forged ballots, tampered signatures, illegal choices, extra records after tally).
The threat model in paper/threat_model.md covers five adversary
classes plus a Bitcoin-style hashpower-rental adversary for Architecture B.
Open research directions.
Logarithmic-size traceable rings (Groth–Kohlweiss / Triptych-style + trace tag) · EasyCrypt machine-checked proofs of OTRS security · ProVerif/Tamarin model of the protocol · lattice-based post-quantum traceable rings (open problem to our knowledge) · coercion resistance via JCJ/Civitas-style designated-verifier re-encryption · FROST-aggregated t-of-N signatures replacing the per-entry signature vector.
Co-designed with Niccolò Pagano. Source: github.com/lindaniele/e-ring-voting.