Numerous institutions, such as companies, universities, or non-governmental
organizations, employ Internet voting for remote elections. Since the main
purpose of an election is to determine the voters' will, it is fundamentally
important to ensure that the final election result correctly reflects the
voters' votes. To this end, modern secure Internet voting schemes aim for what
is called end-to-end verifiability. This fundamental security property ensures
that the correctness of the final result can be verified, even if some of the
computers or parties involved are malfunctioning or corrupted.
A standard component in this approach is so-called cast-as-intended
verifiability, which enables individual voters to verify that the ballots cast
on their behalf contain their intended choices. Numerous approaches for
cast-as-intended verifiability have been proposed in the literature, some of
which have also been employed in real-life Internet elections.
One of the well-established approaches for cast-as-intended verifiability is
to employ a second device which can be used by voters to audit their submitted
ballots. This approach offers several advantages - including support for
flexible ballot/election types and intuitive user experience - and it has been
used in real-life elections, for instance in Estonia.
In this work, we improve the existing solutions for cast-as-intended
verifiability based on the use of a second device. We propose a solution which,
while preserving the advantageous practical properties sketched above, provides
tighter security guarantees. Our method does not increase the risk of
vote-selling when compared to the underlying voting protocol being augmented
and, to achieve this, it requires only comparatively weak trust assumptions. It
can be combined with various voting protocols, including commitment-based
systems offering everlasting privacy.