Auto-Verifiable Answer-Only Protocol

Updated 31 January 2026
  • Auto-Verifiable Answer-Only Protocol is a cryptographic scheme that uses NIWI proofs and DLin encryption to provide verifiable results with zero dependence on trusted setups.
  • The protocol achieves perfect universal verifiability by enabling any observer to confirm the tally using public keys, N ballots, a single result, and a short proof.
  • Its design eliminates the need for incremental disclosure and trusted reference strings, paving the way for secure and transparent e-voting systems in adversarial environments.

An auto-verifiable answer-only protocol constitutes a cryptographic scheme in which, after a data collection phase, the authority subsequently reveals only a single result and a short proof, eschewing transcripts or incremental disclosure. Any observer, regardless of participation, can verify the correctness of the result unconditionally, without trusting any setup party or invoking computational assumptions during verification. The protocol achieves perfect universal verifiability and privacy by leveraging Non-Interactive Witness-Indistinguishable proofs (NIWIs) with perfect soundness, and a Decision-Linear encryption scheme (DLin) with binding commitments, all without reliance on a Common Reference String (CRS) or a Random Oracle (RO) (Gallegos-Garcia et al., 2016).

1. Perfect Universal Verifiability

The principal security goal of auto-verifiable answer-only protocols is perfect (unconditional) universal verifiability. Formally, any party—irrespective of their involvement—can check, using solely the public keys, the $N$ ballots, the tally $y$, and a single short proof $\pi$, that $y = F(m_1, \ldots, m_n)$ for some votes $m_i$ in the designated vote space. It is impossible for a malicious authority to produce a pair $(y' \neq F(\cdot), \pi')$ that passes verification; the probability of undetected fraud is exactly zero, not merely negligible. This property obviates the need for trusted parties and removes any dependency on computational assumptions at verification time (Gallegos-Garcia et al., 2016).

2. Cryptographic Building Blocks

The protocol is predicated on two main primitives: the DLin encryption scheme and one-message NIWI proof systems.

DLin Encryption Scheme:

Let $(G, G_t, e, g)$ be a bilinear group of prime order $p$ (with pairing $e: G \times G \to G_t$ and generator $g$). Key generation proceeds as follows:

  • Sample random $s, t \in \mathbb{Z}_p$.
  • Set $g_1 = g^{1/s}$, $g_2 = g^{1/t}$.
  • Public key: $(g, g_1, g_2)$; secret key: $(s, t)$.

Encryption of $m \in G$ uses random $a, b \in \mathbb{Z}_p$:

$c = (c_1, c_2, c_3) = (g^a, g^b, m \cdot e(g_1, g_2)^{a + b})$

Decryption computes $m = c_3 / e(c_1, c_2) \in G$.

NIWI Proof Systems:

A Non-Interactive Witness-Indistinguishable proof system for an NP relation $R$ consists of two algorithms:

  • $\mathrm{Prove}(R, (x, w)) \to \pi$
  • $\mathrm{Verify}(R, (x, \pi)) \to \{\mathrm{OK}, \perp\}$

Required properties:

  • Perfect completeness: if $R(x, w)$ holds, verification always succeeds.
  • Perfect soundness: Any false statement is rejected with probability one.
  • Witness-indistinguishability: Proofs generated from different valid witnesses are computationally indistinguishable. Groth–Ostrovsky–Sahai [GOS06] construct such NIWIs for all circuit-SAT relations without CRS setup (Gallegos-Garcia et al., 2016).

3. Protocol Workflow

The protocol unfolds in four phases: Setup, Voting, Tally, and Verification.

Setup:

  • The authority generates three independent DLin key pairs $(\mathrm{Pk}_i, \mathrm{Sk}_i)$ for $i \in \{1, 2, 3\}$.
  • It commits to the bit $1$ in a binding commitment $Z = \mathrm{Com}(1; r)$.
  • The public key consists of the bilinear group generators, the three DLin public keys, and $Z$.

Voting:

  • Each voter encodes their vote $v \in \mathcal{M}$ into three DLin ciphertexts $c_{j,i}$ (one under each $\mathrm{Pk}_i$), each with its own randomness $r_{j,i}$.
  • The voter constructs a NIWI proof $\pi_j$ attesting that either:
    • all three ciphertexts encode the same valid vote $v \in \mathcal{M}$, or
    • $Z$ is a commitment to $0$ (trapdoor mode).
  • The voter publishes the ballot $\mathrm{Blt}_j = (c_{j,1}, c_{j,2}, c_{j,3}, \pi_j)$ on the public board.

Tally Phase:

  • For each ballot, the authority verifies $\pi_j$; if it is invalid, the ballot is annotated with $\perp$.
  • It decrypts the surviving ballots' ciphertexts using $\mathrm{Sk}_1$ and $\mathrm{Sk}_2$.
  • It computes candidate tallies $y_1, y_2$; if they agree, it sets $y = y_1$; otherwise $y = \perp$.
  • It constructs an aggregated NIWI proof $\pi_{\text{agg}}$ for the relation $R_{\text{dec}}$, attesting that either two secret keys were honestly generated from their public keys and yield $y$, or $Z$ commits to $0$.
  • It publishes only $(y, \pi_{\text{agg}})$; the ballots persist on the public board.
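
As an added example (not code from Gallegos-Garcia et al. or from any implementation of theirs), the following Python script models the DLin key generation and encryption of Section 2 together with the two-column decryption and agreement rule of the tally phase above. It rests on several stated assumptions: the bilinear group is a toy in which an element of $G$ is represented by its exponent modulo a small prime $Q$ and the pairing maps into an order-$Q$ subgroup of $\mathbb{Z}_P^*$, which exposes discrete logarithms and makes the model insecure but lets the pairing be evaluated without a library; messages are taken in the target group, since $c_3$ lives there; the NIWI proofs $\pi_j$ and $\pi_{\text{agg}}$ are not modelled, so the agreement check is the only safeguard shown; and, because the decryption formula quoted in Section 2 involves no secret key and does not cancel the mask $e(g_1, g_2)^{a+b}$, the script decrypts as $m = c_3 / (e(c_1, g_2)^{1/s} \cdot e(g_1, c_2)^{1/t})$, the rule the key shape $g_1 = g^{1/s}, g_2 = g^{1/t}$ suggests. All names, parameters and sample votes are constructed.

```python
# Added example (not from Gallegos-Garcia et al.): toy DLin keygen/encrypt/decrypt and the
# tally-agreement rule of the protocol. Everything below is constructed for illustration.
import random

Q = 101                      # prime order of the toy source group G; exponents live in Z_Q
P = 607                      # prime with Q | P - 1, so Z_P^* has a subgroup of order Q
H = pow(2, (P - 1) // Q, P)  # generator of that order-Q subgroup: the toy target group G_T
assert H != 1

def inv_q(x):
    return pow(x, -1, Q)     # inverse modulo the group order (for the exponents s, t)

def inv_p(x):
    return pow(x, -1, P)     # inverse modulo P (division in G_T)

def g_pow(a):
    """Toy G: the element g^a is represented by its exponent a mod Q. This exposes discrete
    logarithms (hence insecure) but lets the pairing be evaluated without a library."""
    return a % Q

def pair(x, y):
    """Toy bilinear map e: G x G -> G_T with e(g^x, g^y) = H^(x*y)."""
    return pow(H, (x * y) % Q, P)

def keygen(rng):
    """DLin key generation as on the page: g1 = g^(1/s), g2 = g^(1/t); sk = (s, t)."""
    s, t = rng.randrange(1, Q), rng.randrange(1, Q)
    return (g_pow(1), g_pow(inv_q(s)), g_pow(inv_q(t))), (s, t)

def encrypt(pk, m, rng):
    """c = (g^a, g^b, m * e(g1, g2)^(a+b)); m is an element of the toy G_T (assumption)."""
    _, g1, g2 = pk
    a, b = rng.randrange(Q), rng.randrange(Q)
    return (g_pow(a), g_pow(b), (m * pow(pair(g1, g2), (a + b) % Q, P)) % P)

def decrypt(pk, sk, c):
    """Assumed decryption rule (see lead-in): the mask e(g1, g2)^(a+b) is recomputed from
    the secret exponents as e(c1, g2)^(1/s) * e(g1, c2)^(1/t) = e(g, g)^((a+b)/(s*t))."""
    _, g1, g2 = pk
    s, t = sk
    c1, c2, c3 = c
    mask = (pow(pair(c1, g2), inv_q(s), P) * pow(pair(g1, c2), inv_q(t), P)) % P
    return (c3 * inv_p(mask)) % P

def encode(v):
    """Candidate index v -> element H^v of G_T (constructed encoding)."""
    return pow(H, v, P)

def decode(m, n_candidates):
    """Inverse of encode over the small candidate set; rejects anything else."""
    for v in range(n_candidates):
        if encode(v) == m:
            return v
    raise ValueError("ciphertext does not decrypt to a valid candidate")

def make_ballot(pks, v, rng):
    """Voter side: the same vote under all three DLin keys. The NIWI proof pi_j is not
    modelled, so a ballot here is just the three ciphertexts."""
    return tuple(encrypt(pk, encode(v), rng) for pk in pks)

def tally(pks, sks, ballots, n_candidates):
    """Tally phase: decrypt column 1 with Sk1 and column 2 with Sk2, count each column
    separately, and release y only if the counts agree; otherwise None stands for bottom."""
    counts = []
    for col in (0, 1):
        column = [0] * n_candidates
        for blt in ballots:
            column[decode(decrypt(pks[col], sks[col], blt[col]), n_candidates)] += 1
        counts.append(column)
    return counts[0] if counts[0] == counts[1] else None

def roundtrip_ok(seed=3):
    """Sanity check that decrypt(encrypt(m)) == m for every candidate encoding."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    return all(decrypt(pk, sk, encrypt(pk, encode(v), rng)) == encode(v) for v in range(5))

def demo(seed=7):
    """An honest election, then one containing a ballot whose two columns disagree."""
    rng = random.Random(seed)              # fixed seed for reproducibility only
    keys = [keygen(rng) for _ in range(3)]
    pks, sks = [pk for pk, _ in keys], [sk for _, sk in keys]
    n, votes = 3, [0, 2, 1, 2, 2]          # three candidates; constructed sample votes
    ballots = [make_ballot(pks, v, rng) for v in votes]
    y_ok = tally(pks, sks, ballots, n)     # [1, 1, 3]
    # A ballot whose second ciphertext encodes a different candidate than its first. In the
    # full protocol the NIWI check rejects it before tallying; here it exercises the backstop
    # rule y1 != y2 -> bottom.
    bad = list(make_ballot(pks, 0, rng))
    bad[1] = encrypt(pks[1], encode(1), rng)
    y_bad = tally(pks, sks, ballots + [tuple(bad)], n)   # None
    return y_ok, y_bad

if __name__ == "__main__":
    print(demo())
```

Running the script prints `([1, 1, 3], None)`: the honest election tallies, and the election containing a ballot whose columns disagree is refused with $\perp$. What the toy makes visible is the redundancy the tally phase relies on: the authority may only release a $y$ that two independently keyed decryptions agree on, so a mismatch between the columns surfaces as a refused tally rather than a silently wrong one; in the full protocol the NIWI for $R_{\text{dec}}$ is what lets any observer check that agreement without the secret keys.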

Verification:

  • Any third-party observer can independently validate every ballot and verify the aggregated NIWI proof using only public information (the DLin public keys, $Z$, the ballots, $y$, and $\pi_{\text{agg}}$), without relying on any secret key or trusted setup.

4. Security Properties

Privacy is demonstrated under the Decision-Linear (DLin) assumption, yielding IND-CPA security. The standard hybrid argument swaps individual ciphertexts and proof witnesses across the three columns, rendering the adversary's view indistinguishable for vote vectors producing identical tallies.

Perfect universal verifiability is guaranteed by the perfect soundness of the NIWI proofs, the uniqueness of the DLin secret key for a given public key, and the correctness of DLin decryption. No adversary can fabricate a ballot or a tally/proof pair for a false statement that would verify positively—this guarantee is unconditional.

No Trusted Setup: Unlike NIZKs requiring a CRS or RO model (which can entail unsoundness or trusted setup), the protocol's one-message NIWI schemes eliminate such requirements. All setup steps—DLin key and binding commitment generation—are publicly verifiable and transparent. There is no need for a single trusted authority to generate reference strings or secret trapdoors.

5. Key Formulas and Relations

Several formulas are central to the correctness and security of the protocol:

  • DLin encryption: $c = (g^a, g^b, v \cdot e(g_1, g_2)^{a+b})$. Role: encrypts votes with IND-CPA security.
  • NIWI vote proof: $\pi_j = \mathrm{Prove}_{enc}((j, c_{j,1}, c_{j,2}, c_{j,3}, Z), (v, r_{j,1}, r_{j,2}, r_{j,3}))$. Role: non-interactive proof of ballot validity.
  • Tally proof: $\pi_{\text{agg}} = \mathrm{Prove}_{dec}((\mathrm{Blt}_1, \ldots, \mathrm{Blt}_N, \mathrm{Pk}_1, \ldots, \mathrm{Pk}_3, y), (\mathrm{Sk}_1, \mathrm{Sk}_2, r, i_1, i_2))$. Role: aggregated proof of the correctness of $y$.
  • Verification relation: $R_{dec}(x, w) = \mathrm{true}$ iff (a) two secret keys $\mathrm{Sk}$ are honestly generated and yield $y$ upon decryption, or (b) $Z$ commits to $0$. Role: specifies the conditions for successful tally verification.

6. Significance and Applications

The auto-verifiable answer-only protocol offers a practical and theoretically secure blueprint for e-voting wherein privacy and universal verifiability are achieved simultaneously and unconditionally. The absence of trusted setup requirements and complete reliance on publicly verifiable information make it attractive for large-scale deployments in adversarial environments. Its methodology marks a departure from NIZK-based schemes bounded by setup trust assumptions, and demonstrates the viability of NIWI proofs and bilinear group encryption for advanced cryptographic protocols. Applications extend to any environment demanding public auditability, privacy, and resistance to authority misbehavior, especially in voting protocols (Gallegos-Garcia et al., 2016).
