Epoque: Practical End-to-End Verifiable Post-Quantum-Secure E-Voting

非凡兔, 2023-10-14, 35 views

To date, the security of all practical end-to-end verifiable e-voting protocols relies on “traditional” hardness assumptions, such as factoring integers or computing discrete logarithms. With more and more powerful quantum computers on the horizon (see, e.g., [5]), these voting protocols may be rendered completely insecure. This threat motivates the design of end-to-end verifiable e-voting protocols that are secure against quantum attacks. Unfortunately, it turned out to be very challenging to pursue this objective, and, in fact, it had not been met prior to our work.

The reason behind this state of affairs is that naïvely replacing the “classical” cryptographic primitives of an arbitrary end-to-end verifiable e-voting protocol (e.g., Helios [2]) with known post-quantum primitives can destroy practicality. Despite the fact that post-quantum-secure cryptography has become more efficient and versatile in the past decade or so, there exist only the following two practical post-quantum-secure e-voting protocols in the literature. Boyen, Haines, and Müller [13] proposed and implemented a completely lattice-based verifiable decryption mix net which can be used for verifiable post-quantum-secure e-voting but the class of elections it should be used for is limited (see Sec. 8). Del Pino, Lyubashevsky, Neven, and Seiler [30] instantiated the homomorphic e-voting protocol by Cramer, Franklin, Schoenmakers, and Yung [25] with practical lattice-based cryptographic primitives. However, unlike Boyen et al.’s mix net [13], the homomorphic e-voting protocol by Del Pino et al. [30] is not (end-to-end) verifiable: we will elaborate in Sec. 2 that all tallying authorities and all voters’ voting devices in [30] need to be honest in order to (be able to) verify that the final election result is in fact correct. As we will see, it has long been far from obvious how to eliminate these undesirable trust assumptions in the lattice-based setting without undermining practicality.

Altogether, there does not exist a homomorphic e-voting protocol in the literature that can be used in a real practical election to both protect the privacy of votes and provide end-to-end verifiability in the presence of quantum attackers.
