International Association for Cryptologic Research

A short explanation of Helios for cryptographers

Helios is a cryptographically-verifiable election system. Each completed ballot is individually encrypted by a Helios client that runs on the voter's device. Threshold ElGamal encryption is used with the private decryption key shared among the election trustees.

Voters have the opportunity to verify the correct encryptions of their ballots with a cut-and-choose system. Once a voter's client encrypts a ballot, the voter may either enter credentials and have the encrypted ballot posted on the Helios server under the voter's name or instead audit the ballot by having the client reveal the randomness it used for encryption. A ballot verification application - written to an open standard - can be run to ensure that the decryption is correct. Audited ballots may also be posted to become part of the official election verification process.

Each cast ballot is subjected to a non-interactive zero-knowledge proof to show that it is well-formed, and the full set of cast ballots are homomorphically combined to form a single aggregate ballot representing an encryption of the election tally. The election trustees then use their secret keys to form shares of the decryption of the aggregate ballot. The shares are then combined to form a verifiable decryption which produces the tally.

An election verification application - written to an open standard - checks the published proofs that the cast ballots are well formed, recomputes the aggregate ballot from its constituents, and checks its verifiable decryption. The application also checks that all posted audit ballots have been properly decrypted.