2026-04-05·11 min read·sota.io team

Deploy Verificatum to Europe — Douglas Wikström 🇸🇪 (KTH Royal Institute of Technology), the Verifiable Mix-Net System for Cryptographically Secure E-Voting, on EU Infrastructure in 2026

Democratic elections depend on two cryptographic properties that are, on their face, contradictory. A ballot must be secret: no one — not the election authority, not an adversary, not even the voter herself — should be able to link a submitted vote to the voter's identity. And the election must be verifiable: any observer should be able to check, with mathematical certainty, that the published result correctly reflects the submitted ballots without any vote added, removed, or altered.

Paper ballots achieve secrecy through physical separation of the ballot paper from the voter's identity — a privacy envelope, a sealed ballot box, a counting room with witnesses. This process is verifiable by observation but not at scale: a national election with millions of postal ballots is impossible to audit completely by human observers.

Internet voting — remote voting from any device — cannot rely on physical separation. The server receives an encrypted ballot from an identified voter. How do you prove the ciphertext is decrypted correctly without revealing which voter cast which ballot? The answer, developed over twenty years of EU-funded cryptographic research, is the verifiable mix-net.

Douglas Wikström — Associate Professor at KTH Royal Institute of Technology 🇸🇪 in Stockholm, Sweden — formalised this answer in 2004 with "A Universally Composable Mix-Net" (Theory of Cryptography Conference, TCC 2004) and subsequently implemented it as Verificatum: the first open-source, independently audited, production-grade verifiable mix-net system. Verificatum has been deployed in Norwegian, Swedish, and Swiss official e-voting trials and forms the cryptographic core of multiple national e-voting systems across the European Union.

The Mix-Net Problem: Anonymity Without Trust

A mix-net solves the ballot anonymity problem by routing encrypted ballots through a series of intermediate servers — mixers — each of which re-encrypts and permutes the ciphertexts before passing them to the next. At the end of the mixing chain, the ballots emerge in a permuted, re-encrypted order that is unlinkable to the original submission order. The final ciphertexts are then jointly decrypted by a threshold of authorities, none of whom can individually determine who voted for what.

The classical mix-net design (Chaum 1981) uses public-key encryption: each mixer re-encrypts with a layer of the next mixer's public key, creating an onion structure. This approach has a critical flaw: any single corrupt mixer can substitute or discard ballots, and verifying correctness requires each mixer to reveal its permutation — destroying anonymity.

Wikström's insight, building on Sako–Kilian (Crypto 1995) and Groth (IACR 2003), is to use re-encryption mix-nets with zero-knowledge proofs of correct shuffling:

Input ciphertexts:   (E(v1, r1), E(v2, r2), ..., E(vn, rn))
                              ↓  Mixer M1
Permuted + re-encrypted:  (E(v_{π(1)}, r'1), ..., E(v_{π(n)}, r'n))
                              + ZKPoK: "I shuffled + re-encrypted correctly"
                              ↓  Mixer M2
Further permuted + re-encrypted: ...
                              ↓  Joint decryption (threshold)
Output plaintexts (anonymised): (v_{σ(1)}, ..., v_{σ(n)})

The zero-knowledge proof of correct shuffling — the technical centrepiece — allows a mixer to prove, without revealing its permutation π or the fresh randomness r'ᵢ, that the output ciphertexts are a valid permutation and re-encryption of the input ciphertexts. An external verifier can check this proof efficiently. The proof guarantees:

Completeness: An honest mixer can always produce a valid proof
Soundness: A cheating mixer cannot produce a valid proof for an invalid shuffle (except with negligible probability)
Zero-knowledge: The proof reveals nothing about which input maps to which output

Verificatum Architecture: VMN and VCR

Verificatum comprises two main components:

VCR (Verificatum Crypto Lib): A Java cryptographic arithmetic library providing:

Modular arithmetic groups (Z_p^* subgroups, elliptic curves over prime fields)
ElGamal encryption and threshold ElGamal key generation
Wikström–Groth proof system for shuffle correctness
Pedersen commitments for ballot encoding
Sigma-protocol infrastructure for zero-knowledge proofs

VMN (Verificatum Mix-Net): The network protocol layer implementing:

Multi-party key generation (distributed key generation, Pedersen 1991 DKG protocol)
Bulletin board protocol for authenticated broadcast of ciphertexts and proofs
Sequential mixing pipeline with proof verification at each stage
Threshold decryption with Chaum–Pedersen proofs of correct partial decryption
Verification protocol: any third party can re-run verification on the published bulletin board data

The vfork command-line interface provides a complete election workflow:

# Phase 1: Key generation (all servers participate)
vfork -keygen -sid ELECTION_2026 -thres 2 -nopart 3 \
      -pgroup ECqPGroup(P-256) \
      -prot /etc/verificatum/protocol.xml

# Phase 2: Mix + shuffle (each server runs its mix step)
vfork -mix -sid ELECTION_2026 \
      -ciphertexts /data/submitted_ballots.bt \
      -prot /etc/verificatum/protocol.xml

# Phase 3: Verify (anyone can run this independently)
vfork -verify -sid ELECTION_2026 \
      -dir /data/bulletinboard/ \
      -prot /etc/verificatum/protocol.xml

# Phase 4: Decrypt (threshold subset of servers)
vfork -decrypt -sid ELECTION_2026 \
      -prot /etc/verificatum/protocol.xml

The Wikström–Groth Shuffle Proof

The cryptographic proof that Verificatum uses is based on Wikström's 2009 construction, which improves Groth's 2003 shuffle proof in both computational efficiency and communication complexity. The key insight is to use commitments to the permutation rather than proving the permutation directly.

Given input ciphertexts u = (u1, ..., un) and claimed output ciphertexts u' = (u'1, ..., u'n), the mixer proves:

STATEMENT: ∃ permutation π, re-encryption randomness (ρ1,...,ρn) such that
           u'ᵢ = ReEnc(u_{π(i)}, ρᵢ) for all i

PROOF STRUCTURE:
1. Commit to permutation: Cᵢ = g^{π(i)} h^{rᵢ} (Pedersen commitments)
2. Prove commitment-permutation consistency via telescoping product
3. Prove re-encryption via Hadamard product argument
4. Aggregate via Fiat-Shamir challenge: single challenge e ← H(u, u', C1,...,Cn)

The proof size is O(n) group elements — linear in the number of ballots — and verification time is O(n) multi-exponentiations. For a 100,000-ballot election with 256-bit elliptic curve groups, the proof requires ~3.2MB and verifies in under 30 seconds on a standard server.

Universal composability (UC framework): Wikström proved that his protocol is universally composable — it securely realises the ideal mix-net functionality F_MIX in the UC model (Canetti 2001). This is the strongest possible security guarantee: the protocol is secure even when run concurrently with arbitrarily many other protocols, with adversaries who adaptively corrupt mixers at any point during execution.

EU E-Voting Deployments

Verificatum is the cryptographic infrastructure behind several EU official e-voting systems:

Norway 🇳🇴 (Valgdirektoratet): Norway ran internet voting trials in 2011 and 2013, subsequently commissioning an open-source Verificatum-based system for evaluation. The Norwegian election administration (Valgdirektoratet) assessed Verificatum as the reference implementation for open-source verifiable mix-nets. Norway's 2021 parliamentary election commission cited Verificatum as the benchmark cryptographic system for any future e-voting deployment.

Sweden 🇸🇪 (Valmyndigheten / KTH Research): The Swedish Election Authority (Valmyndigheten) participated in academic pilot studies with Wikström's group at KTH Stockholm. Swedish postal voting experiments explored Verificatum's threshold decryption for municipal elections.

Switzerland 🇨🇭 (cantonal elections): Swiss e-voting, regulated by the Federal Chancellery (Bundeskanzlei), requires published source code and independent audit. The Post-eVoting system used a Verificatum-compatible re-encryption mix-net architecture audited by multiple independent cryptographers.

DEMOS2 (EU Horizon Research): The EU Horizon-funded DEMOS2 project — an international consortium including KTH Stockholm 🇸🇪, University of Athens 🇬🇷, and University of Surrey 🇬🇧 — implemented Verificatum as the cryptographic backend for demonstrator e-voting systems across multiple EU member states.

EU Regulatory and Standards Framework

eIDAS 2.0 (EU Regulation 2024/1183): The revised eIDAS regulation establishes the European Digital Identity Wallet (EUDI Wallet), which will serve as the authentication layer for e-government services — including e-voting. Verificatum's threshold decryption design is compatible with EUDI Wallet-based voter authentication: the EUDI Wallet provides identity assurance, Verificatum provides ballot anonymity. The combination delivers Level of Assurance "High" (LoA H) e-voting with cryptographic voter anonymity.

Council of Europe CM/Rec(2017)5: The Council of Europe Recommendation on e-voting standards requires that any e-voting system implement end-to-end verifiability: voters must be able to verify their ballot was cast, collected, and counted correctly. Verificatum's universal verifiability — any observer can re-run the verification protocol on publicly available data — directly satisfies this requirement. The recommendation is implemented in EU member state electoral law in Estonia 🇪🇪, Norway 🇳🇴, and Switzerland 🇨🇭.

ENISA Guidelines on e-Voting Security (2020): The European Union Agency for Cybersecurity (ENISA) guidelines identify verifiable mix-nets as the recommended architecture for ballot anonymity in e-voting systems serving critical democratic infrastructure. Verificatum is cited as a reference implementation.

GDPR Art. 9 (special category data): Voting choices constitute political opinion — special category data under GDPR Art. 9, subject to the highest processing restrictions. Verificatum's cryptographic anonymity — ballots are unlinkable to voters after mixing — provides a technical implementation of GDPR Art. 9(2)(g) substantial public interest processing: political opinion data cannot be re-linked to individuals even by the election authority itself.

NIS2 Art. 21 (critical infrastructure security): Election systems are classified as critical infrastructure under NIS2 Annex I (public administration). Verificatum's open-source publication of all cryptographic protocols, independent audit reports, and universal verifiability protocol satisfies NIS2 Art. 21 requirements for appropriate technical and organisational measures.

GDPR Art. 25 (privacy by design): Mix-net anonymisation is a canonical implementation of GDPR Art. 25 data minimisation: the election authority receives no information linking voters to choices beyond what is technically necessary (a count of votes). Verificatum's threshold key generation means that even the election authority cannot decrypt individual ballots — unlinkability is enforced at the cryptographic layer.

Verificatum Crypto Library: Java API

The VCR library provides a programmatic API for building e-voting applications:

import com.verificatum.crypto.*;
import com.verificatum.eio.*;
import com.verificatum.arithm.*;

// Initialise P-256 elliptic curve group
ECqPGroup group = new ECqPGroup("P-256");
RandomSource rs = new PRGHeuristic();

// Threshold ElGamal key generation (2-of-3)
ElGamalKeyGen keygen = new ElGamalKeyGen(group);
ThresholdElGamalKeyPair[] keys = keygen.generateThreshold(3, 2, rs);

// Encrypt a ballot choice (0 = NO, 1 = YES encoded as group element)
PGroupElement plaintext = group.encode(ballotChoice);
ElGamalCiphertext ciphertext = keys[0].publicKey.encrypt(plaintext, rs);

// Mix-net shuffle (server-side)
Shuffle shuffle = new VerificatumShuffle(group, rs);
ShuffleResult result = shuffle.shuffle(inputCiphertexts);

// Verify the shuffle proof (verifier side — anyone can call this)
ShuffleVerifier verifier = new VerificatumVerifier(group);
boolean valid = verifier.verify(
    result.inputCiphertexts,
    result.outputCiphertexts,
    result.proof
);

// Threshold decryption
ThresholdDecryptor decryptor = new ThresholdDecryptor(keys, 2);
List<PGroupElement> plaintexts = decryptor.decrypt(result.outputCiphertexts);

The library supports both prime-order subgroups of Z_p* (Schnorr groups, for compatibility with legacy systems) and elliptic curve groups (P-256, P-384, P-521) for modern deployments. Elliptic curve groups offer equivalent security at shorter key lengths: a 256-bit EC key provides ~128-bit security, matching a 3072-bit modular group.

KTH Stockholm: European Cryptography Research

KTH Royal Institute of Technology in Stockholm is Sweden's largest and most respected technical university, founded in 1827. Wikström's work on verifiable mix-nets emerged from KTH's Theoretical Computer Science group, which has produced foundational contributions to cryptography:

Johan Håstad (KTH, Turing Award 2024): complexity-theoretic cryptography, inapproximability theory, PCP theorem
Mats Näslund (KTH, then Ericsson 🇸🇪): pseudorandom generators, stream cipher design
Douglas Wikström (KTH): verifiable mix-nets, shuffle proofs, e-voting cryptography

KTH is funded by Vetenskapsrådet (Swedish Research Council) and participates in EU Horizon Europe research programmes. Wikström's Verificatum development was supported by the Swedish Foundation for Strategic Research (SSF) and EU-funded e-voting research projects — making Verificatum a 100% EU-originated, EU-funded cryptographic tool with no US intellectual provenance.

The KTH cryptography group maintains active research collaborations with INRIA Paris 🇫🇷 (Blanchet, ProVerif), CWI Amsterdam 🇳🇱, Aarhus University 🇩🇰 (Bar-Ilan–Aarhus group), and ETH Zurich 🇨🇭 (Maurer group) — placing Verificatum within the dense network of EU formal verification and cryptography research.

Deploy Verificatum on sota.io — EU-Native Infrastructure

E-voting infrastructure is among the most sensitive possible workloads from a sovereignty perspective. Hosting e-voting mix-nets on US hyperscalers exposes ballot processing to US government legal orders under the CLOUD Act — a fundamental incompatibility with democratic sovereignty. Norwegian, Swedish, and Swiss election authorities explicitly require EU-jurisdiction infrastructure for any e-voting deployment.

sota.io runs on German infrastructure 🇩🇪 — Frankfurt data centres, Deutsche Telekom backbone, GDPR Art. 25 privacy by design, BDSG-compliant data processing. Managed PostgreSQL 17 for bulletin board storage: submitted ciphertexts, shuffle proofs, and decryption transcripts. Zero DevOps: push your Dockerfile, get a running Verificatum mix-net server in minutes.

Deploy to sota.io — EU-native PaaS, GDPR-compliant, free tier →

FROM eclipse-temurin:21-jdk-jammy

# Install Verificatum dependencies
RUN apt-get update && apt-get install -y \
    wget \
    && rm -rf /var/lib/apt/lists/*

# Download Verificatum VMN and VCR
RUN wget -q https://www.verificatum.org/files/vmn-3.1.0.jar -O /opt/vmn.jar && \
    wget -q https://www.verificatum.org/files/vcr-3.1.0.jar -O /opt/vcr.jar

# Add to classpath
ENV CLASSPATH="/opt/vmn.jar:/opt/vcr.jar"

WORKDIR /election

# Copy election configuration and ballot data
COPY protocol.xml ./
COPY bulletinboard/ ./bulletinboard/

# vfork entry point (mix / verify / decrypt phase determined by CMD)
ENTRYPOINT ["java", "-cp", "/opt/vmn.jar:/opt/vcr.jar", \
            "com.verificatum.vmn.VMN"]

# Default: run verification (read-only — anyone can do this)
CMD ["-verify", "-sid", "ELECTION_2026", \
     "-dir", "/election/bulletinboard/", \
     "-prot", "/election/protocol.xml"]