Review of Cryptographic Schemes applied to Remote Electronic Voting systems: remaining challenges and the upcoming post-quantum paradigm

The adoption of Remote Electronic Voting (REV) systems in electoral processes is happening at a slower pace than anticipated. One of the relevant factors explaining this is the lack of studies about the cryptographic schemes and primitives applied to the existing REV solutions. In this paper, the authors review the main cryptographic schemes applied to date, as well as the most relevant post-quantum research in the field. The aim is twofold: to help clarify the strengths and weaknesses of each scheme, and to expose the remaining challenges, as a necessary step towards a broader introduction of REV solutions in binding elections.


Introduction
Information and Communications Technologies (ICT) have had a huge impact on the day-to-day lives of billions of citizens around the globe in recent years. In the early 2000s, it was widely anticipated that their range would also include public elections and other democratic processes, as an integral part of what was labeled "e-democracy".
More than a decade has passed, and the forecast has not turned into a reality. Some countries such as Estonia, Australia, Norway, Spain, Switzerland, or Canada have implemented e-voting pilots for legally binding elections totalling more than 6 million people. Others, including Germany, Norway, UK, the Netherlands or the US have decided to discontinue their respective e-voting projects.
Certainly, e-voting introduces features that make it an especially demanding discipline within the plethora of ICT applications [1]:
- The need to comply simultaneously with two antagonistic properties: Integrity and Privacy [2].
- The outcome gives tremendous power and money resources to the winner, thus attracting very powerful attackers.
- The results can be very difficult to revert in the event of a fraud discovered after the elections ended.
An additional hindrance is the set of attack vectors, which have been repeatedly used:
- The voter's device, with 30-40 percent of them infected by malware and located in non-controlled environments [2].
- The network itself, with a relevant track record of attacks on the associated cryptographic protocols [3,4].
- The i-voting (or e-voting) system, which oftentimes carries vulnerabilities serious enough to put the elections in jeopardy [5][6][7].
All of the above may sound alarmist, but it is not: there are several examples of attacks coming from foreign nations during i-voting pilots in the US, Australia and Ukraine, among others [8][9][10][11].
Additionally, in the latest US General Elections, the Office of the Director of National Intelligence stated: "Putin and the Russian Government aspired to help President-elect Trump's election chances ... by discrediting Secretary Clinton ... CIA and FBI have big confidence in this judgement". The original document is publicly available: "Assessing Russian Activities and Intentions in Recent US Elections" [12,13].
In order to confront the aforementioned security issues, there have been innovative research approaches such as the development of evaluation methodologies based on the Council of Europe's recommendations [14][15][16].
Despite all the efforts, REV adoption was facing a gradual slowdown, partly because of a lack of long-term secure cryptographic approaches. Fortunately, the landscape has started to change thanks to lattice-based cryptography and other very promising post-quantum schemes [17,18], which are reviewed in the present article.

Contribution
In the present paper, the authors analyze the main cryptographic schemes and their application to REV systems, including the main security flaws. Subsequently, the most relevant post-quantum cryptographic schemes applied to REV systems are presented, with a focus on the current development stage and pending issues.
The principal contribution is the analysis itself, since there are very limited examples of such research exercises for both "traditional" and post-quantum schemes. The authors also sum up the most significant open problems related to cryptographic schemes applied to REV solutions.

Structure of this article
Section 1 introduces cybersecurity applied to e-democracy, including recent attacks and new approaches facing recent tasks. Section 2 deals with the main definitions, protocols and requirements for a REV system to be used in this article.
In Section 3, the main cryptographic schemes currently applied to REV systems are presented. Some limitations and open problems are also identified.
Section 4 introduces an analysis of the main post quantum schemes applied to e-voting with a focus on the existing limitations and future developments.
Lastly, in Section 5 the main conclusions of this article are presented, together with an outline of the issues to be solved before incorporating e-voting as a fully-secure option for legally-binding national elections.

Definitions
As a prior clarification, it is worth noting that in this article a Remote Electronic Voting (REV), e-voting or i-voting system is defined as: "A voting system used in a remote, non-controlled environment, through electronic means, in which the vote is sent partially or totally via an internet connection from a personal computer or mobile device which has not been specifically designed as a specialized electronic voting machine".
Therefore, according to the previous definition, in this paper REV does not include e-voting systems in controlled environments and/or using machines specifically designed to vote, such as DRE voting devices. Those kinds of initiatives have been thoroughly studied in [19].
Zero Knowledge Proof (ZKP): A ZKP is a protocol between two parties, the prover and the verifier, with a language $L = \{x \in A^* : \exists w : R(x, w)\}$, $R$ being a polynomial-time predicate in a parameter $k$ and $x$ and $w$ strings of length $k$. The ZKP protocol allows the prover to convince the verifier that she is in possession of a witness $w$ for the fact that $x \in L$. The properties required for ZKP protocols are: completeness, soundness and zero-knowledge [20].
When the protocols have a three-move structure (commitment, challenge and response), they are called sigma protocols or Σ protocols. They have several interesting properties:
- Can be repeated in parallel.
- Can be combined to prove "I know a witness for x OR/AND for x′".
- Can be transformed into Non-Interactive Zero Knowledge Proofs (see below).
Regarding e-voting, ZKPs have several applications depending on the element involved:
- ZKP by the Voter:
  1. Proves that the encrypted vote in fact contains a valid value (usually 0 or 1).
  2. It does not reveal the value itself.
- ZKP by the Authorities:
  1. Proves that the decryption is correct, namely:
     (a) The correct private key, corresponding to the election public key, has been used.
     (b) The result of the election corresponds to the tally of votes present in the Bulletin Board.
  2. It does not reveal the election private key.
- ZKP for mix-nets (see Section 3):
  1. Proves that the re-encryption has been performed correctly.
  2. It reveals neither the randomness used nor the permutation applied.
A special variation of ZKP is the non-interactive ZKP, or NIZKP. In this type, the prover is able to produce a string π in one move, which can by itself convince the verifier about the status of x ∈ L. Therefore, a NIZKP requires a public parameter p produced by an independent third party [2]. Probably the most efficient construction of NIZKP is the Fiat-Shamir heuristic [21]. It is widely used in many well-known e-voting systems like Helios Voting [22], although in [23] Bernhard et al. identify the use of weak Fiat-Shamir proofs as a source of attacks against ballot privacy in Helios.

REV protocol
For the definition of a standard e-voting/REV protocol, Helios Voting [21] is selected, since it is one of the best-known tools, widely accepted by the research community. The entities are:
- A: the authority that handles the registration of users and updates the public list of legitimate voters.
- BB: the Bulletin Board. It checks the well-formedness of received ballots before they are cast.
- T: a set of trustee(s) in charge of setting up their own decryption keys, and computing the final tally function.
And the phases, according to [22,24], are:
1. The election is created by naming an election officer, selecting a set of trustees and introducing the list of authorized voters.
2. The Ballot Preparation System (BPS) generates the ballot as well as a distributed key pair pk, sk (public and private key respectively).
3. Each voter receives an email containing her user ID, password and election URL. Upon clicking, the Javascript starts and downloads the parameters.
4. The voter selects her option and the BPS encrypts it with pk. The vote also contains a NIZKP to verify that the vote is well formed (preventing a malicious voter from introducing an integer value i instead of 1, which would allow the ballot to incorrectly represent i votes), because votes are not decrypted individually to be tallied. Instead, the homomorphic properties of exponential ElGamal [25] are used.
5. The software client shows the voter a hash of her encrypted vote. The voter then has two options:
   (a) Audit the ballot: the voter receives the nonce used to encrypt her vote. She can use it to verify that her vote has been included and that it represents her elected option. However, the audited ballot is no longer valid and the voter has to restart the voting process. Therefore, Helios Voting is a cast-or-audit type of i-voting tool. The voter can verify her vote as many times as she wants, until she is convinced that Helios is trustworthy.
   (b) Seal the vote: in order to send it, the BPS will ask her to provide her user ID and password to be identified. The voter sends her user ID, password, encrypted ballot and Zero Knowledge Proof to the server, which verifies that all the information is correct.
6. Once the voting phase is over, the server publishes the Bulletin Board with all the encrypted votes, together with the voter's name.
7. Each of the trustees publishes a partial decryption of the encrypted tally, together with a signature of knowledge proving the partial decryption's correct construction. Anyone can verify those proofs.
8. The election officer decrypts the tally and publishes the result. Anyone can check the decryption.
Using a formal description, for the simplified case of a yes/no type of election with three voters (Alice, Bob and Charlie): if Alice wants to vote for option a, her vote is represented as $v_a$, which is encrypted with the public key $pk$, obtaining $\{v_a\}_{pk}$. A Zero Knowledge Proof is attached to the vote in order to verify that the vote is valid, which means that either $v_a = 0$ or $v_a = 1$. The verification is critical because without it a malicious voter could send $v_a = i$, with $i$ a positive or negative integer, making her vote count as $i$ valid votes instead of 1. The Zero Knowledge Proof for $v_a$ is denoted $ZKP_a$. Subsequently, Alice sends $\{v_a\}_{pk}$, $ZKP_a$ to the Bulletin Board (BB). Since the BB is public, Alice can check whether her vote has arrived or not.

Security requirements of a REV system
For this paper, the authors include classifications of security requirements for REV systems from two different standpoints:
- Semantic and Active Security [26]:
  1. Semantic Security, or indistinguishability under chosen-plaintext attacks (IND-CPA). Given a bit $b \in \{0, 1\}$, generate a public/secret key pair, make the public key available to the attacker, who must reply with two valid messages $m_0, m_1$, encrypt $m_b$ using the public key and give the resulting "challenge ciphertext" to the attacker. The scheme is said to be semantically (or IND-CPA) secure if it is not feasible for an attacker to distinguish between $b = 0$ and $b = 1$, i.e., the probability of accepting both cases should be negligible.
  2. Active Security, or indistinguishability under chosen-ciphertext attacks (IND-CCA). It provides the attacker with a decryption oracle, which runs the decryption algorithm (with the secret key) on any ciphertext the attacker queries, except for the challenge ciphertext itself. The scheme is said to be actively (or IND-CCA) secure if it is not feasible for an attacker to distinguish between $b = 0$ and $b = 1$.
- The REV requirements according to the most widely accepted definitions of End to End Verifiability (E2Ev) [27] and Privacy [28] for e-voting systems. The correlation between E2Ev, privacy and the five requirements for a democratic election according to the Council of Europe (universal, equal, free, direct and secret) was defined in [15].
- End to End Verifiability (E2Ev): Unfortunately, there is no formal, universal definition of E2Ev. The main reason is the lack of automated proofs. There are several tools for the symbolic analysis of security protocols, such as ProVerif [29], and other prototype tools accepting equivalence properties, such as AKISS [30] or APTE [31]. For e-voting systems, they all face the same unsolved challenge: associative and commutative operators are out of reach for all of them, making it impossible to analyze the following homomorphic property [32]:
Therefore, the challenge of formally defining verifiability remains unsolved and its analysis must be performed case by case. Currently, the most widely accepted definition for E2Ev [27] includes the following three properties:
  * Cast as Intended: voters can get convincing evidence that their encrypted votes accurately reflect their choices.
  * Recorded as Cast: voters can check that their encrypted votes have been correctly included by finding exactly the encrypted value they cast on a public Bulletin Board (BB).
  * Tallied as Recorded: any member of the public can check that all the published encrypted votes are correctly included in the tally, without knowing how any individual voted.
The first two are usually referred to as individual verifiability and the last one as universal verifiability. In the case of Helios Voting, for the Cast as Intended property, it introduces the cast-or-audit approach [21], shared by most of the current e-voting tools. The voter can audit her vote as many times as she wants, until she is convinced that Helios is trustworthy. Regarding Recorded as Cast, the voter receives a hash of her encrypted vote, which she can later check on the BB. Finally, for the Tallied as Recorded condition, ElGamal [25] together with the Sako-Kilian mixnet (see Section 3) are implemented. They also include a ZKP as previously explained. A complete analysis of the E2Ev in the Helios Voting system is performed in [33].
- Privacy: It can be categorized in 3 increasingly demanding levels:
  * Voter's privacy: The voter's vote is not revealed to anyone.
  * Receipt-freeness: The voter cannot obtain any information (like a receipt) which could prove to a coercer how she voted.
  * Coercion Resistance: a voter cannot cooperate with a coercer to prove to him that she voted in a certain way (even if she is willing to).
Hirt and Sako proved in [34] that even receipt-freeness does not suffice for privacy in e-voting systems. Therefore, the required level is the highest one: Coercion Resistance (CR). Originally, the CR concept was introduced by Juels et al. in [28]. In order to prevent coercion during the voting, it is mandatory to provide a system where re-voting is fully secret. Here, Plaintext Equivalence Tests apply [35]. On the other hand, several threats remain unchanged: imperfect private channels, dishonest Bulletin Board and DDoS attacks are still not considered. An interested reader is thus referred to [35] for a detailed explanation. Currently, no e-voting system is coercion-resistant according to the definition in [28]. Additionally, each country has a different legal approach regarding privacy. In Australia, the Authorities consider the coercion risk as low, and therefore do not include coercion-resistance as a requirement for an e-voting system [36]. In Estonia and Norway (two of the countries with the longest tradition of e-voting in binding elections), despite the existing bibliography, the Governments decided to implement a voting scheme with receipts, thus failing to comply even with the second degree of privacy [37,38].

Main REV cryptographic schemes

Mixnets
Mix-nets were introduced in 1981 by D. Chaum [39] for anonymous communications, and subsequently applied to voting systems in 1992 by Fujioka et al. [40]. A mix-net defines a sequence of proxy servers in which each one of them takes as input a set of ciphertexts (encrypted votes in the case of a REV system) obtained through Public Key Protocols, re-encrypts them, shuffles them following a secret permutation and sends the output to the next proxy server, which proceeds in the same way.
In reality, the aforementioned sequence corresponds to a re-encryption mix-net, which is the most popular type in the development of REV solutions. The main reason is that, as opposed to decryption mix-nets, it suffices that just one server is honest to guarantee the vote's anonymity.
In order to verify that every server is honest, ZKPs are performed in each one of them, considerably increasing the computational complexity of the scheme.
Formally, it consists of an algorithm Shuffle() which receives as input a public key $pk$ and a sequence of ciphertexts $\psi = (\psi_1, \ldots, \psi_n)$. Shuffle() then produces as output another sequence of ciphertexts $\psi' = (\psi'_1, \ldots, \psi'_n)$ and a proof $\pi$ (usually a NIZKP). The NIZKP ensures the following about the values $pk, \psi, \psi'$: Let $M$ be the sequence of plaintexts in which the i-th position equals $Dec(\psi_i)$ and $M'$ the sequence of plaintexts in which the i-th position equals $Dec(\psi'_i)$. It should hold that there is a permutation $\mu$ over $n$ elements such that the j-th element of $M$ is equal to the $\mu(j)$-th element of $M'$, $\forall j = 1, \ldots, n$. The Shuffle() algorithm can be applied sequentially over the same sequence of ciphertexts. In such a case, the correspondence between the original sequence and the final sequence of ciphertexts will be hidden even with just one honest server.
In e-voting, one of the most common ways to re-encrypt with new randomness is to apply exponential ElGamal [20,25] so that the plaintext (vote) stays unchanged and the new encryption cannot be linked to the old one: Let $(c, d) = (g^r, g^m \cdot y^r)$ be an encryption of the plaintext $g^m$ using randomness $r$. We take an encryption (with the same public key $y$) of 1, using a random value: By multiplying those two ciphertexts: we obtain an encryption of the same plaintext $g^m$ using a different randomness.
Concerning mix-net based e-voting systems, the most important advantages are:
- They effectively break the link between voter and vote, contributing to the privacy.
- Better performance in elections with relevant differences in the number of voting options, such as Australia [15].
- The ZKPs are not performed in each server, reducing the burden to the voter's device, usually not powerful enough for those complex operations.
Regarding the main disadvantages:
- The computational burden eased from the voter has to be carried by the REV system. Therefore, the amount of technical resources allocated is higher than in the case of homomorphic encryption based e-voting systems [15].
- The tally cannot start until the ballot box is closed (the last server has re-encrypted and mixed the last vote), which in practice can cause important delays for bigger elections (as happened in Norway in 2013 [38]).
- Mix-net based e-voting systems are more vulnerable to DDoS attacks since all mix-net servers need to be available for the tally.
In conclusion, mix-net based e-voting systems are better suited for elections with a vast array of voting options (many candidates, with preference etc.) but they also require a bigger investment in infrastructure and tend to be more vulnerable to DDoS attacks because of their nature and the fact that the tally cannot start until the voting process is over.
There have been some improvements in the protection against DDoS attacks, including the development of a distributed version of Helios [39] and implementation of Paxos [40], but a certain degree of vulnerability still remains. In practice, many of the most relevant e-voting programs implement a hybrid system with both mix-net and homomorphic encryption (see Section 3.2) algorithms, such as the ones deployed in Australia and Norway [36,38].

Homomorphic encryption
Homomorphic encryption allows computing on data while it is encrypted rather than having to decrypt it first. Regarding e-voting, additively homomorphic encryption has important applications. The space of plaintexts is an abelian group $(G, +)$: given the ciphertexts $\psi_1 = Enc(pk, m_1)$ and $\psi_2 = Enc(pk, m_2)$, there is a ciphertext $\psi$ which can be computed and corresponds to an encryption $Enc(pk, m_1 + m_2)$. It is also required that if at least one of $\psi_1, \psi_2$ is uniformly distributed over all ciphertexts, the output follows the uniform distribution over all ciphertexts of $m_1 + m_2$.
The two main direct applications for e-voting are:
- Given $k$ ciphertexts $\psi_1, \ldots, \psi_k$ encoding $k$ votes $v_1, \ldots, v_k$ and defining B ∈ { , }, it is possible to derive a single ciphertext which encodes
In practice, T is used to derive the tally of an election if each plaintext vote $v_i$ corresponds to the choice made by the i-th voter.
- It is possible to refresh the randomness of $\psi$ for $\psi = Enc(pk, m)$ by processing $\psi$ with $Enc(pk, 0)$. This application is very useful for re-encryption mix-nets as explained in Section 3.1.
Specifically, one of the most widely used additively homomorphic cryptosystems is ElGamal [25]. In this case, the group is $(G, +) = (\mathbb{Z}_q^*, \cdot)$. The main functions of exponential ElGamal (implementing additive homomorphism) are as follows. Given parameters $(p, q, g)$, where $p$ and $q$ are large primes such that $q \mid p - 1$, $g$ is a generator of the multiplicative group $\mathbb{Z}_q^*$, and a number $n$ of trustees, ElGamal defines the following operations:
- Distributed key generation: Each trustee $i \in n$ selects a private key share $x_i \in \mathbb{Z}_q^*$ and computes a public key share $h_i = g^{x_i} \bmod p$. The public key is $h = h_1 \cdot \ldots \cdot h_n \bmod p$.
- Encryption: Given a message $m$ and a public key $h$, selects a random nonce $r \in \mathbb{Z}_q^*$ and derives the ciphertext $(a, b) = (g^r \bmod p,\ g^m \cdot h^r \bmod p)$.
- Re-encryption: Given a ciphertext $(a, b)$ and a public key $h$, selects a random nonce $r' \in_R \mathbb{Z}_q^*$ and derives the re-encrypted ciphertext ), the homomorphic addition of plaintexts is computed by multiplication $(a \cdot a' \bmod p,\ b \cdot b' \bmod p)$.
- Distributed decryption: Given a ciphertext $(a, b)$, each trustee $i \in n$ computes the partial decryption
The authors have selected ElGamal to illustrate the homomorphic encryption subsection because it is the most widely used cryptosystem in the REV field. Prominent real-life e-voting deployments implementing ElGamal include Helios Voting for the IACR elections [43] and the Scytl e-voting tool [44] in the binding elections of Norway [38], Australia [36], Switzerland [45] and France [46]. Other relevant homomorphic cryptosystems include RSA [47] or Paillier [48], but they have not been as widely implemented in REV systems for encryption.
Regarding security issues with e-voting systems implementing homomorphic encryption schemes, vulnerabilities have been reported at least in the Norwegian [49], Estonian [50], and Australian [10] elections, exploiting export-level RSA deficiencies in the latter. Although no massive attack could be proved in any case, it probably influenced the Norwegian Government's decision to cancel the e-voting adoption in 2014.
Another very relevant issue with homomorphic encryption schemes is that they are malleable by definition, which means that they do not provide active security (see Section 2.2): an attacker could apply a known operation to the challenge ciphertext, send the result to the oracle, and apply the inverse of the operation to reveal the plaintext selected by the challenger. The problem is shared by partially homomorphic systems, such as the ones introduced in the present Section 3.2.
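The ElGamal operations listed above (distributed key generation, encryption, re-encryption, homomorphic addition, distributed decryption) and the malleability just described, as an added Python example that is not taken from the paper or from Helios. The group parameters are toy values constructed here, the partial decryption $d_i = a^{x_i} \bmod p$ is the standard construction (assumed, since the paper's formula did not survive on this page), and all function names are illustrative.

```python
import secrets

# Toy group, constructed for this example and far too small for real use:
# P = 2*Q + 1 with P and Q prime; G = 4 generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4


def rand_exp():
    """Random exponent in [1, Q-1]."""
    return secrets.randbelow(Q - 1) + 1


def trustee_keygen():
    """One trustee's key share: private x_i, public h_i = g^x_i mod p."""
    x = rand_exp()
    return x, pow(G, x, P)


def combine_public(shares):
    """Election public key h = h_1 * ... * h_n mod p."""
    h = 1
    for h_i in shares:
        h = h * h_i % P
    return h


def encrypt(h, m):
    """Exponential ElGamal: (a, b) = (g^r, g^m * h^r) mod p."""
    r = rand_exp()
    return pow(G, r, P), pow(G, m, P) * pow(h, r, P) % P


def add(c1, c2):
    """Component-wise product encrypts the sum of the two plaintexts."""
    return c1[0] * c2[0] % P, c1[1] * c2[1] % P


def reencrypt(h, c):
    """Multiply by a fresh encryption of 0: same plaintext, new randomness."""
    return add(c, encrypt(h, 0))


def partial_decrypt(x_i, c):
    """Trustee i's partial decryption d_i = a^x_i mod p (standard form, assumed)."""
    return pow(c[0], x_i, P)


def combine_decrypt(c, partials):
    """g^m = b / (d_1 * ... * d_n); m is found by search, feasible for tallies."""
    d = 1
    for d_i in partials:
        d = d * d_i % P
    gm = c[1] * pow(d, -1, P) % P
    return next(m for m in range(Q) if pow(G, m, P) == gm)


def run_election(votes, n_trustees=3):
    """Tally without decrypting any single ballot; no validity proofs are checked."""
    keys = [trustee_keygen() for _ in range(n_trustees)]
    h = combine_public(h_i for _, h_i in keys)
    total = encrypt(h, 0)
    for v in votes:
        total = add(total, encrypt(h, v))
    return combine_decrypt(total, [partial_decrypt(x, total) for x, _ in keys])


def malleability_demo(m):
    """A decryption oracle that refuses the challenge still answers for challenge + 1."""
    x, h = trustee_keygen()
    challenge = encrypt(h, m)

    def oracle(c):
        if c == challenge:
            raise PermissionError("challenge ciphertext is not decrypted")
        return combine_decrypt(c, [partial_decrypt(x, c)])

    shifted = add(challenge, encrypt(h, 1))  # known operation on the ciphertext
    return oracle(shifted) - 1               # inverse operation on the plaintext


if __name__ == "__main__":
    print(run_election([1, 0, 1]))   # honest ballots
    print(run_election([1, 0, 5]))   # one ballot encoding 5 instead of 0 or 1
    print(malleability_demo(7))
```

The second election counts a single ballot as five votes, which is why every ballot must carry a validity proof before it is added to the tally.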
Additionally, the ElGamal, Paillier and RSA cryptosystems are believed to be vulnerable to quantum attacks, as shown by Shor [51]:
- ElGamal's security is broken if discrete logarithms can be computed efficiently (which is the case with Shor's algorithm). This is due to the fact that the private part can be recovered from the public key by finding the $x$ such that $\alpha^x \equiv \beta \pmod{p}$ given everything but $x$.
- Paillier and RSA security is broken if large integers can be efficiently factored (which is the case with Shor's algorithm). This is caused by the fact that the private part can be recovered from the public key by factoring $n$.
In order to solve the vulnerabilities related to quantum attacks, Gentry introduced in 2009 the first plausible construction for a fully homomorphic encryption scheme (FHE), using lattice-based cryptography [17].
Gentry's revolutionary research has led to innovative proposals of e-voting systems resistant to quantum attacks. The most relevant ones are reviewed in Section 4.
To sum up, partially homomorphic schemes such as ElGamal are implemented in most e-voting systems, like Helios Voting or Scytl. The problem is that they are malleable by definition and vulnerable to quantum attacks. Therefore, FHE alternatives are necessary to guarantee sufficient levels of long-term security for e-voting systems.
From a user's standpoint, homomorphic encryption schemes require that the voters provide evidence that their cast votes are valid through ZKP, usually very demanding operations for user-level PCs.
The biggest advantages of e-voting systems based on homomorphic encryption schemes are:
- They are very effective in the tally process because the votes do not need to be decrypted individually.
- The tally can start before the end of the election, which in practice is a big advantage (voters demand speed in result publication).
- There is no need for an anonymous channel (unlike for blind signature schemes).

Blind Signature
The blind signature scheme was originally introduced by D. Chaum in [39] and designed to be used in telematic payments. In 1992 Fujioka et al. [40] applied it to voting systems. It implements a type of digital signature in which the authority signs the message without having access to its content. The carbon paper analogy exemplifies it: the sender encloses the message in a carbon paper envelope. If the sender is successfully identified, the authority signs the envelope without opening it (hence without accessing the message). A message is valid only if it includes the authority's signature. An example of a voting application of the blind signature scheme based on RSA would be [52]: Let $(n, e)$ and $(n, d)$ be respectively the authority's public and private signature keys.
The sender generates a random value $r$ such that $GCD(r, n) = 1$ and sends it to the authority:
Therefore the value $r$ is used to hide or "blind" the vote $v$ from the authority. The authority signs the blinded vote and returns
Since the sender knows $r$, she can obtain the signature $s$ by computing:
Once the sender receives the vote signed by the authority, she sends it to a mix-net (Section 3.1) to break the link between the vote and voter.
To avoid potential RSA malleability-related problems, hash functions [2] must be applied to the vote v. Otherwise, the system would be vulnerable to RSA binding attacks and variants [53].
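The RSA blind-signature flow described above, with the vote hashed before blinding, as an added Python example that is not part of the paper. The blinding step $H(v) \cdot r^e \bmod n$ and the unblinding step $s' \cdot r^{-1} \bmod n$ are the standard RSA construction, assumed here because the paper's equations are missing from this page; the key is a toy value built from two small known primes, and the function names are illustrative.

```python
import hashlib
import math
import secrets

# Toy authority key, constructed for this example (real keys need >= 2048 bits).
# The two factors are the Mersenne primes 2^31 - 1 and 2^61 - 1.
_P, _Q = 2**31 - 1, 2**61 - 1
N, E = _P * _Q, 65537
D = pow(E, -1, (_P - 1) * (_Q - 1))   # authority's private exponent


def h(vote: bytes) -> int:
    """Hash the vote into Z_n so that signatures are not on raw, malleable values."""
    return int.from_bytes(hashlib.sha256(vote).digest(), "big") % N


def blind(vote: bytes):
    """Voter: pick r with gcd(r, n) = 1 and hide H(v) as H(v) * r^e mod n."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return h(vote) * pow(r, E, N) % N, r


def sign(value: int) -> int:
    """Authority: raw RSA signature on whatever value it is given."""
    return pow(value, D, N)


def unblind(blind_sig: int, r: int) -> int:
    """Voter: divide out r to obtain s = H(v)^d mod n."""
    return blind_sig * pow(r, -1, N) % N


def verify(vote: bytes, sig: int) -> bool:
    """Anyone: check s^e = H(v) mod n with the authority's public key."""
    return pow(sig, E, N) == h(vote)


def blind_vote_roundtrip(vote: bytes = b"option-a"):
    """Returns (signature verifies, authority saw something other than H(v))."""
    blinded, r = blind(vote)
    sig = unblind(sign(blinded), r)
    return verify(vote, sig), blinded != h(vote)


def raw_rsa_is_multiplicative(v1: int = 12345, v2: int = 67890) -> bool:
    """Without hashing, sig(v1) * sig(v2) is a valid signature on v1 * v2."""
    product_sig = sign(v1) * sign(v2) % N
    return pow(product_sig, E, N) == v1 * v2 % N


def hashed_rejects_product(m1: bytes = b"option-a", m2: bytes = b"option-b") -> bool:
    """With hashing, the product does not verify for m1, m2 or their concatenation."""
    product_sig = sign(h(m1)) * sign(h(m2)) % N
    return not any(verify(m, product_sig) for m in (m1, m2, m1 + m2))


if __name__ == "__main__":
    print(blind_vote_roundtrip())
    print(raw_rsa_is_multiplicative(), hashed_rejects_product())
```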
Blind Signature schemes are the most efficient for ballot tallying but they present serious weaknesses:
- Verifiability limitations, especially regarding mix-nets, because no external party can verify that only (and all) the valid votes had been counted.
- Blind Signature based e-voting systems do not include any protocol for voters who decide not to vote. Therefore, any attacker (or even a corrupt authority) can send all those "non-claimed votes" and no party can even verify whether that "ballot stuffing" happened or not.
- They demand anonymous communication channels, which are very difficult to achieve in reality.
Consequently, blind signature based schemes are currently not extensively used for the development of REV systems.There has been one relevant proposal in 2003, but it never reached a fully-developed stage [54].

Post Quantum schemes
As previously explained in this article, the security of all probably secure cryptoschemes still relies on classical assumptions. This means that they could be compromised in polynomial time by a quantum computer, as originally detailed in 1994 by Peter Shor in the case of RSA [51].
Regarding e-voting, REV systems based on such cryptoschemes are also vulnerable and therefore it is crucial to develop quantum-safe protocols in order to assure a promising future for internet voting.

Full Homomorphic Encryption and Lattices
Full Homomorphic Encryption (FHE) was first defined in 1978 [55], without even knowing whether it was achievable or not. As previously mentioned, the first fully homomorphic encryption scheme was presented by Gentry using lattice-based cryptography [17].
Currently, despite interesting improvements, in one of the most efficient implementations [56], the homomorphic evaluation of a single AES-128 encryption operation takes 4 minutes with a state of the art computer with an amortized rate of 2 seconds per block.
FHE allows for arbitrary computations on encrypted data, that is to say, if a user has a function $f$ and wants to obtain $f(m_1, \ldots, m_n)$ for some inputs $m_1, \ldots, m_n$, it is possible to compute on encryptions of these inputs, $c_1, \ldots, c_n$, instead, obtaining a result which decrypts to $f(m_1, \ldots, m_n)$.
In FHE, the plaintext is masked with inner and outer randomness: the former is labeled as noise.Subsequently, additions and multiplications can be performed; although in certain occasions a NAND gate has to be used.
Every operation increases noise level.When the noise level reaches the same size as the outer randomness, the ciphertext will not be decryptable anymore.Multiplications insert a lot more noise than additions.The noise problem can sometimes be solved using bootstrapping (the ciphertext is encrypted again) and the inner encryption is removed by running the decryption circuit in an encrypted state.The parameters can be adjusted so that the resulting ciphertext has a lower noise level than the original one.Nonetheless, bootstrapping is computationally expensive, so it must be handled carefully.
Regarding lattices, formally a lattice is a set of points in an n-dimensional space with a periodic structure. An n-dimensional lattice $L$ is any subset of $\mathbb{R}^n$ that is both:
- an additive subgroup: $0 \in L$ and $-x, x + y \in L$ for every $x, y \in L$; and
- discrete: every $x \in L$ has a neighborhood in $\mathbb{R}^n$ in which $x$ is the only lattice point.
Given $k$ linearly independent vectors $b_1, \ldots, b_k \in \mathbb{R}^n$, the rank $k$ lattice generated by them is the set of vectors [17]:
Most of the lattice problems exist in two different versions:
- The exact problem: it is a particular instance of the approximation problem where the approximation factor is $\gamma(n) = 1$.
- The approximation problem: it is a generalization defined with an approximation factor $\gamma(n)$ in terms of the lattice dimension.
Lattice cryptography became very popular since Regev [57] discovered a quantum reduction from the natural lattice shortest vector problem (SVP) or finding a short basis of independent vectors (SIVP). Lattice problems such as (ring) learning with errors ((R)LWE) are considered to be hard to solve, even for a large quantum computer. In more detail, some of the main lattice problems are:
- Approximate Shortest Vector Problem ($\gamma$-SVP): Given a lattice basis $B$, find a non-zero vector $v \in L(B)$ such that $\|v\| \le \gamma \cdot \lambda_1(L)$, with $\lambda_1(L)$ being the minimum distance between two points belonging to the lattice.
- Approximate Closest Vector Problem ($\gamma$-CVP): Given a lattice basis $B$ and a target vector $t$ (not necessarily in the lattice), find a lattice point $u \in L(B)$ such that:
Given a lattice basis B and a parameter q ∈ Z, find a set of shortest q linearly independent lattice vectors (i.e., a set of linearly independent vectors s , ..., s q ∈ L(B) such that s , ..., s q ≤ λ q (B) × T is defined as:
The security in LWE relies on the other two parameters: the Gaussian error parameter α and the number n of bits corresponding to the entropy in the secret. According to standard lattice reduction estimates [60], LWE is 128-bit secure for α equal to − , − or − if n ≥ 300, 800 and 1500 respectively. Additionally, for any α and n = Ω(log( α )), LWE benefits asymptotically from the worst case to average case reduction, depending on the shape of G [61]. Any reader interested in the complete definitions of the aforementioned variables, formulae and problems can refer to [57][58][59][60][61].
Once the definitions related to FHE, lattices and their problems have been presented, the properties applied to e-voting schemes are explained in the following Sections 4.2 and 4.3 for the Helios Voting and Norwegian cases.

LWE-based E-Voting Scheme (Helios)
The FHE and lattice-based cryptosystems are still a fairly new research topic and, therefore, there are not many implementations in the e-voting field. Nonetheless, Chillotti et al. proposed in 2016 a tentative post-quantum protocol [18] based on the open-source e-voting reference Helios Voting [22]. The construction is based on LWE fully homomorphic encryption, as presented in the previous Section 4.1. Compared to the traditional Helios, LWE-based Helios presents the following differences:
-It is built on post-quantum primitives: unforgeable lattice-based signatures, LWE-based homomorphic encryption and trapdoors for lattices.
-It does not implement ZKP. The original Helios includes two: one so the voter can prove that her vote is valid and another when the trustees decrypt the final result. In the post-quantum protocol, the first ZKP is substituted by Ducas et al. FHE-based bootstrapping [59]. The second one is replaced by publicly verifiable ciphertext trapdoors generated with GPV lattice signatures [62].
-In order to guarantee privacy even if some authorities were corrupt, they rely on concatenated LWE schemes rather than Fiat Shamir secret sharing [21].

Post quantum cryptographic schemes
Regarding ballot privacy, it is considered that the LWE-Helios Vote protocol fulfills it if there exists an efficient simulator such that, for any Probabilistic Polynomial Time (PPT) adversary A, the following holds [18]:
With respect to verifiability, the Vote protocol is considered verifiable if for any adversary A:
Following the lattice-based properties applied to e-voting in Section 4.1, LWE samples satisfy a straightforward linear homomorphism property, deriving from continuous Gaussian convolution [59]: Let c , ..., c p be p independent LWE samples of messages µ , ..., µ p ∈ T; α , ..., α p noise parameters, and x , ..., x p ∈ Z be p integer coefficients. It holds that the sample c = ∑ p i= x i c i is a valid encryption of the message µ = ∑ p i= x i µ i with square noise parameter α ≤ ∑ p i= x i α i .
For non-linear operations, the Bootstrapping theorem by Ducas et al. [59] can be implemented:
Ducas et al. imply that the output of the aforementioned function is indistinguishable from a fresh LWE sample of µ ′ or µ ′ . In the event that it is preferred to control the randomness for verifiability purposes, in the previous theorem, the Bootstrap function can be assimilated into a perfect random oracle which returns a fresh LWE sample of µ ′ b where b = if d(ϕ s (c), ) < d(ϕ s (c), ).
With respect to the second ZKP implemented in the original version of Helios for the distributed decryption, in LWE-Helios it is replaced by a publicly verifiable ciphertext trapdoor inspired by the GPV Lattice-based signature [62]: Let LWE(s, α, G) be a LWE instance, pk = [M y] ∈ (G × T) m a public key and M a discrete message space of packing radius ≥ d. Let also c = (a, b) be a sample with noise amplitude ≤ δ and β = (d − δ ) ᾱ ; then
The distributed property is introduced with concatenated LWEs rather than using the Fiat-Shamir Heuristic [21], such being the case for the original Helios. The reason is that the authors prefer to propose a trustable scheme, even if all but one of the trustees are corrupt and leak their private key. The definition is as follows: Let LWE(s i , α, G), where ≤ i ≤ t, be λ-bit secure instances of LWE. Let pk i = [M i y i ] ∈ (G × T) m be the corresponding public keys with associated trapdoors R i . A concatenated LWE is the LWE instance whose private key is s = (s ... s t ), discretization group is G = G × ... × G t and public key is:
To decrypt the LWE ciphertext c = (a ... a t , b) ∈ G × T, each of the t trustees uses his master trapdoor R i to provide a ciphertext trapdoor Π i of (a i , ). The concatenated ciphertext trapdoor Π = (Π ... Π t ) is a ciphertext trapdoor for c. As explained in [18], even in the case of collusion (see [2] for the definition) of all trustees but one, the decryption is still λ-bit secure.

LWE-based Helios E-voting protocol
As it has been detailed in the present section 4, there are very relevant differences in the cryptographic approach between the traditional Helios Voting protocol and LWE Helios.
It is not the case for the voting protocol itself because the main phases and functions are the same in both cases. Although a full explanation of the protocol can be found in [18], the main phases are as follows:
-Setup: The Bulletin Board Manager generates a pair of keys (pk BB , sk BB ) = KeyGenE BB ( λ ) and publishes pk BB . The trustees set up the concatenated LWE scheme and each one generates its own LWE secret key s i ∈ B n , master trapdoor R i and a corresponding public key pk i ∈ (G × T) m . They also provide three bootstrapping keys ) and a larger one for low noise amplitude BK ∶= BK (s (m) , )→(s, L ) . Bootstrapping can be performed with BK and BK in less than 700ms [59]. For BK, a slowdown by a constant factor of ≈ is expected.
-Tally and Verification:
1. Tally(BB, sk = (sk , ..., sk t )): for each C j , the trustees perform the distributed encryption as defined earlier in the present section and subsequently publish a ciphertext trapdoor Π i,j ∈ Z m , which is revealed to anyone.
2. VerifyTally(BB, (Π , ..., Π t )). If a trapdoor Π i,j is invalid, it proves that the i-th trustee is not honest and thus VerifyTally returns ⊥. If all the trapdoors are valid, anyone can use (Π ,j , ..., Π t,j ) to decrypt C j and recover n j for all j, therefore revealing the number of votes to candidate j. VerifyTally then returns the result (n o , ..., n l− ).
Lastly, regarding Correctness, Verifiability and Privacy, and based on the LWE cryptographical concepts and E-voting protocols introduced in the present section, the authors in [18] affirm that:
-Correctness: assuming that the signature scheme S is unforgeable, ε is a non-malleable encryption scheme, and the public homomorphic operations performed by the Bulletin Board are correct, LWE-based Helios is correct.
-Verifiability: assuming that the Bulletin Board accepts only valid votes and that all operations performed by BB are public, LWE-based Helios is verifiable according to the following definition introduced in section 4.2.1: is negligible in λ.
-Privacy: assuming that the publicly verifiable decryption for LWE holds (see section 4.2.1), LWE-based Helios fulfills privacy according to the following definition, introduced in the same section 4.2.1 [18]:

LWE-based Helios conclusion
Chillotti et al. have introduced in [18] a proposal of a post-quantum LWE and Helios Voting-based e-voting protocol. It is the most complete exercise of this type to date, and they have achieved remarkable milestones:
-A successful application of post-quantum primitives to an e-voting protocol: unforgeable lattice-based signatures, LWE-based homomorphic encryption and trapdoors for lattices.
-Achieving verifiability without ZKP. The authors implemented FHE [59] and trapdoor-based lattice signatures [62] instead.
-The protocol is correct, verifiable and fulfills privacy, according to [28,32].
It is necessary to point out that, while constituting an excellent starting point, LWE-based Helios is (as the authors themselves acknowledge) a theoretical protocol, still far from being a ready-to-use e-voting system.
Additionally, the current version leaves open problems, namely:
-The proper definition and adaptation of strong correctness, strong consistency and privacy models against a malicious Bulletin Board and/or corrupted registration authority. In short, the authors assume that the Bulletin Board is not dishonest or corrupt. Depending on the type of elections and the country, such an assumption could be considered risky.
-The proof of privacy relies on a rather strong assumption: a properly randomized bootstrapping function is modelled as a perfect random oracle. It is necessary to successfully simulate the tally. The equivalent problem in the standard model is still an open problem.

Road to fully Homomorphic Elections in Norway
The present subsection is based on the preliminary work by Gjosteen and Strand in [63]. Compared to LWE-based Helios, the current status of the Norwegian approach is clearly at an earlier stage, with no deep cryptographic research made thus far. Nonetheless, it certainly constitutes an interesting first step and shows that the Norwegian researchers are already starting to work on a potential post-quantum e-voting system. Norway implemented an e-voting system created by Scytl [44] for the local elections in 2011 and the parliamentary elections in 2013. Altogether, almost 100.000 votes were cast with the REV tool. Although no attacks were reported, certain technical issues, together with a change in the ruling coalition to a less "e-voting friendly" one in 2014, contributed to a cancellation of the e-voting initiative that year [38].
Taking into account the experiences learned during the e-voting pilot deployment, the authors tried to address the following Norwegian e-voting issues in [63]:
-An insufficient degree of verifiability.
-The cryptographic schemes were not quantum-safe.
-Voter verifiability is not considered an issue by the Norwegian electorate [64].
-Norwegian ballots are very complex, because the voter can give list votes, person votes or even write in a certain number of candidates. This complexity has important implications as to what cryptographic primitive is more suitable [38].
The main contribution of the article is the introduction of a possible FHE application to the Norwegian electoral system. Regarding security, the authors informally introduce the following requirements:
-D-privacy: The decryption service should not be able to correlate its input to voter identities.
-B-privacy: The ballot box should not learn anything from the ciphertexts.
-R-privacy: The receipt generator should not be able to correlate return codes to the voter's vote.
-A-privacy: The auditor should not learn anything about how anyone votes.
-B-integrity: The ballot box must not be able to create an encrypted ballot such that its decryption is inconsistent with the related information that is sent to the receipt generator.
-D-integrity: The decryption service must not be able to alter the election outcome.
Regarding the cryptographic primitives, there is no in-depth research and the authors simply suggest equality checking with [65], the Smart-Vercauteren scheme for sorting and division by rational numbers [66], and BGV [67] as the FHE cryptosystem.They also state that some of the potentially required primitives have not yet been described.
Regarding where p is the index of the chosen party list, s i is a bit indicating whether candidate i receives a person vote and e , ..., e 'n ′ are the indices of the write-in representatives.
In order to adapt the ballot to the format accepted by BGV, the authors define a function Eq which returns 1 whenever the two input values are equal. They also define ln(a, S) = ∑ s∈S Eq(a, s), which will return 1 if a is a member of the set S.
Let {P i } be all parties in the election and P ′′ i the number of list votes transferred to party P i . Let also P i denote the set of indexes for the candidates on the party list of party i. Then, P ′′ i (the number of list votes transferred) is computed as: p ′′ i ← (ln(e , P i ) + ln(e , P i ) + ... + ln(e n ′ , P i ))
Subsequently, in order to compute person votes to candidates from other lists, let P j be the party that candidate c j belongs to, with p being the party selected by the voter: c j ← ( − Eq(p, P j ))(Eq(j, e ) + Eq(j, e ) + ... + Eq(j, e n ′ )).
Finally, to verify that the vote is valid, the following polynomial is computed:
The other interesting contribution included in [63] is the parameter selection exercise made by the authors: They consider Oslo, with 500.000 eligible voters, 17 party lists with a total of 659 candidates. The city council consists of 59 members and each voter can list at most 15 names from other parties on her ballot. Therefore, the biggest number to handle is 7500000 ≈ so equality checks will need a depth-23 circuit. The authors conclude that no part of the computation requires a depth > 50. The number of slots needed, as previously explained, is m + n; ⋅ + = . The test program HElib [68] was run on a server running Ubuntu 14.04 on Intel Xeon 2.67 GHz processors with a total of 24 cores and 256 GB of memory. The key generation ran on a single core, and 8 cores were used for some ciphertext operations. The maximum memory usage was 20GB. The whole process took 4:52 minutes, with the key generation consuming half of it. With that amount of time, it is not feasible for a single voter but it might be acceptable for an election.
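The Eq and ln functions and the two counting expressions above, evaluated on a cleartext ballot as an added example (not code from [63] or HElib). Eq is built from additions and multiplications on bits only, so it has the branch-free shape a homomorphic evaluation needs; the bit-product form of Eq, the constant 1 in (1 − Eq(p, P_j)), the index 0 for an empty write-in slot and all party data are assumptions or constructed values.

```python
BITS = 10  # bit width for the constructed indices below (assumption)

def bits(x):
    """Little-endian bits of x; under FHE each bit would be its own ciphertext."""
    return [(x >> k) & 1 for k in range(BITS)]

def eq(a, b):
    """Eq(a, b) using only + and *: product over bits of 1 - (a_k - b_k)^2."""
    out = 1
    for ak, bk in zip(bits(a), bits(b)):
        out *= 1 - (ak - bk) * (ak - bk)
    return out

def member(a, S):
    """ln(a, S) = sum over s in S of Eq(a, s): 1 if a is in S, else 0."""
    return sum(eq(a, s) for s in S)

def list_votes_transferred(write_ins, party_lists):
    """p''_i = ln(e_1, P_i) + ... + ln(e_n', P_i), for every party i."""
    return {i: sum(member(e, P) for e in write_ins)
            for i, P in party_lists.items()}

def person_votes_other_lists(p, write_ins, party_lists):
    """c_j = (1 - Eq(p, P_j)) * (Eq(j, e_1) + ... + Eq(j, e_n'))."""
    party_of = {j: i for i, P in party_lists.items() for j in P}  # public data
    return {j: (1 - eq(p, pj)) * sum(eq(j, e) for e in write_ins)
            for j, pj in party_of.items()}

# Constructed election: three party lists, candidates identified by index.
PARTY_LISTS = {1: (11, 12, 13), 2: (21, 22), 3: (31, 32, 33)}
# Constructed ballot: list 1 chosen, five write-in slots, 0 marks an empty slot.
CHOSEN_PARTY = 1
WRITE_INS = [21, 31, 12, 0, 0]

if __name__ == "__main__":
    print(list_votes_transferred(WRITE_INS, PARTY_LISTS))
    print(person_votes_other_lists(CHOSEN_PARTY, WRITE_INS, PARTY_LISTS))
```

These expressions only count: a write-in repeated in two slots makes c_j evaluate to 2, so they say nothing about whether the ballot is well formed.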
To sum up, Gjosteen and Strand have proposed a first post-quantum cryptographic approach to e-voting in Norway. Based on the experience accrued during the 2011-2013 e-voting pilots and adapting FHE schemes [65][66][67] to the Norwegian idiosyncrasy, the authors have introduced an initial approach which would take less than 5 minutes to be launched with affordable computational capacity.
The article constitutes a very remarkable initiative that will be remembered as a pioneering effort in post-quantum cryptography applied to e-voting.
Regarding the open issues, the following aspects should be addressed in order to further improve the scheme towards a functional tool:
-The approach is well adapted to the Norwegian case but the cryptographic and methodological aspects need further refinement.
-Implementation of the proposed algorithms.
-Define and develop in detail the schemes and the cryptographic integration of the primitives.
-The coercion resistance should not be addressed by simply allowing re-voting in paper ballots.

Conclusions
In recent years, the implementation of e-voting systems in electoral processes has been struggling to find continuity. There are still active projects in relevant countries such as Estonia or some Swiss cantons, but many others have decided to discontinue their implementation (Norway, UK, Germany, USA, the Netherlands), or just decided not to start with the foreseen deployments (New Zealand).
The reasons are varied and include:
-E-voting demands simultaneously verifiability and privacy [2].
-Different electoral laws depending on the country/territory.
-Flaws in the cryptographic schemes and the e-voting tools [1,3,8,13].
Regarding the main cryptographic schemes, most of the fully-functioning e-voting tools rely on either mixnets, homomorphic encryption or a hybrid system. Currently, none of them can assure coercion resistance, even though it should be the required level of privacy [34]. Regarding verifiability, the assumptions still tend to be hard for collusion, even for the latest schemes [32]. Lastly, protection against DDoS attacks has improved [40], but mix-net based solutions are still vulnerable to those cyberattacks. Overall, the "classic" cryptographic approaches seem limited in the face of the upcoming security challenges, especially in the long term, all the more so since Shor proved in [51] that the traditional cryptographic schemes are vulnerable to quantum-computing attacks.
Fortunately, in the last two years there has been an increasing number of applications of post-quantum schemes to e-voting. In the present article, the authors have reviewed two of the most relevant:
-The lattice-based learning with errors (LWE) application to a Helios [22] based e-voting protocol [18].
-The initial steps of a post-quantum scheme for the Norwegian elections [63].
Although the aforementioned post-quantum e-voting schemes are still at an early stage (especially the Norwegian one), they certainly provide a promising alternative. In particular, the LWE-based scheme over Helios has achieved several remarkable milestones, namely:
-A successful application of unforgeable lattice-based signatures, LWE-based homomorphic encryption and trapdoors for lattices to an e-voting scheme.
-Achieving verifiability without ZKP. The authors implemented FHE [59] and trapdoor-based lattice signatures [62] instead.
On the other hand, the research still relies on strong assumptions, such as an honest Bulletin Board or a perfect random oracle. There are still important challenges ahead, including the development of a fully-functioning post-quantum e-voting system, but the initial steps are already being taken, and they are very promising.
The phase of a LWE sample (a, b) ∈ T n ).
-Learning with errors problem (LWE): Originally introduced by Regev [57] and further improved by Lyubashevsky et al. to obtain ring variants [58] and by Ducas et al. among others to obtain homomorphic encryption [59]. Let α ∈ R + be a noise parameter, (s , ..., s n ) be a uniformly distributed binary secret in B n , and G ⊆ T n a sufficiently dense finite discretization group. LWE (s, α, G) is the scaling-invariant instance. A random LWE sample of a message µ ∈ T is defined as an element (a, b) ∈ G × T where a = (a , ..., a n ) ∈ G ⊂ T n is a uniform sample of G, and b is equal to ∑ n i= s i a i + µ + e ∈ T, where e is statistically close to a zero-centered continuous Gaussian sample of T over α.
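The LWE sample defined above and the linear homomorphism property quoted from [59] in the LWE-based Helios section, as an added example (not code from [18] or [59]): votes are encoded as µ = v/M, the samples are added publicly, and only the sum is decrypted. Floats stand in for the torus T and the group G, α is treated as a standard deviation, the noise bound is taken in its squared form σ² ≤ Σ x_i² α_i², the phase is b − ⟨s, a⟩, and the parameters and votes are constructed; the toy sizes give no security.

```python
import math
import random

def keygen(n, rng):
    """Uniformly distributed binary secret s in B^n."""
    return [rng.randrange(2) for _ in range(n)]

def lwe_sample(mu, s, alpha, rng):
    """Random LWE sample (a, b) of mu in T = R/Z: b = <s, a> + mu + e."""
    a = [rng.random() for _ in s]        # uniform mask (floats stand in for G)
    e = rng.gauss(0.0, alpha)            # alpha used as std deviation (assumption)
    b = (sum(si * ai for si, ai in zip(s, a)) + mu + e) % 1.0
    return a, b

def phase(c, s):
    """b - <s, a> in T; equals mu + e for a valid sample."""
    a, b = c
    return (b - sum(si * ai for si, ai in zip(s, a))) % 1.0

def combine(samples, coeffs):
    """Public operation: c = sum_i x_i * c_i with integer coefficients x_i."""
    n = len(samples[0][0])
    a = [sum(x * c[0][k] for x, c in zip(coeffs, samples)) % 1.0 for k in range(n)]
    b = sum(x * c[1] for x, c in zip(coeffs, samples)) % 1.0
    return a, b

def combined_sigma(coeffs, alphas):
    """Noise of the combination: sigma^2 <= sum_i x_i^2 * alpha_i^2."""
    return math.sqrt(sum(x * x * al * al for x, al in zip(coeffs, alphas)))

def decodable(sigma, M, tail=6.0):
    """True if a tail*sigma error still rounds to the right multiple of 1/M."""
    return tail * sigma < 1.0 / (2 * M)

def decode(ph, M):
    """Round a phase to the nearest multiple of 1/M; return the integer in [0, M)."""
    return round(ph * M) % M

def tally(votes, M, alpha, n=300, seed=2016):
    """Encrypt each 0/1 vote as mu = v/M, add the samples, decrypt only the sum."""
    rng = random.Random(seed)
    s = keygen(n, rng)
    samples = [lwe_sample(v / M, s, alpha, rng) for v in votes]
    total = combine(samples, [1] * len(votes))
    return decode(phase(total, s), M)

# Constructed election: 50 voters, 21 "yes" votes, message space Z/64.
VOTES = [1] * 21 + [0] * 29

if __name__ == "__main__":
    print("tally:", tally(VOTES, M=64, alpha=1e-4))
    print("safe at alpha=1e-4:", decodable(combined_sigma([1] * 50, [1e-4] * 50), 64))
    print("safe at alpha=1e-2:", decodable(combined_sigma([1] * 50, [1e-2] * 50), 64))
```

The second check shows the failure mode: at α = 1e-2 the accumulated noise of 50 samples exceeds the rounding margin 1/(2M), so the decoded sum can no longer be trusted.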