Coercion-resistance (CR) ensures that voters can cast ballots freely despite adversarial bribery or coercion. Existing CR schemes face a fundamental tradeoff: fake-credential schemes achieve strong CR but require untappable channels, while deniable revoting schemes achieve only weak CR in online settings.
We close this gap with Cast Iron, the first publicly verifiable, fake-credential voting system without untappable channels. At its heart is a new primitive, the Covert Timestamped Commitment (CTC), which lets voters privately register secret voting credentials on a public blockchain — at any time, even far in advance of an election — without a central registration authority.
We prove security in the UC framework, implement a prototype that verifiably tallies 1 million ballots in ~1,350 core-hours (under $100 on commodity cloud), and introduce CoCo (Cost of Coercion), a protocol-agnostic metric for comparing CR across schemes. Under CoCo, Cast Iron outperforms prior schemes in the fully online setting.
The challenge of coercion-resistance
In online voting, an adversary seeking to subvert an election can interact with voters remotely to bribe or coerce them, making these attacks more practical. Preventing such attacks requires a stronger security notion than simply ballot secrecy: a voter must be unable to prove their voting behavior to an adversary, even if the adversary can interact with them arbitrarily. A voting system that satisfies this notion is said to be coercion-resistant. Since the introduction of this concept in 2005, two decades of research have aimed to develop practical coercion-resistant voting systems, and two broad design philosophies to achieve this property have emerged, each with its own tradeoffs.
Approach A — Fake credentials
When coerced, the voter hands over a fake credential that looks real. The adversary has no way of telling whether the voter complied.
Catch: The voter must first register their real credential through an untappable channel — one that generates no transcript. Only practical in person or with special hardware.
Approach B — Deniable revoting
When coerced, the voter complies but later casts a ballot that overrides the coerced one. The adversary cannot tell whether a voter revoted because this process is deniable.
Catch: The adversary must not be able to coerce a voter at election close, as otherwise they can race the voter to cast the last ballot. Not a practical assumption online.
Cast Iron
A fake-credential scheme that replaces the untappable channel with covert self-registration. Voters register their own credentials by embedding them covertly in ordinary blockchain transactions.
Covert Self-Registration
Fake-credential schemes require that an adversary cannot distinguish a voter who registered a credential from one who did not. Untappable channels achieve this by hiding the registration transcript entirely. This is sufficient but not necessary: instead we can leave the transcript in plain sight, but ensure an adversary cannot tell whose transcript it is, or even whether it represents a registration at all.
In covert self-registration, voters generate and post their own voting credentials anonymously to a public bulletin board, with no involvement from a registration authority, and registrations are disguised as ordinary blockchain transactions. Because there is no registration authority, registration is not confined to a designated window: a voter may register at any time after their inalienable credential is created, potentially long before any election is announced.
Existing fake-credential schemes: fixed registration window with an authority
Cast Iron: register anytime, no authority
Covert Timestamped Commitments
The primitive that enables covert self-registration is a Covert Timestamped Commitment (CTC): a way to commit to a value at a verifiable time without leaving any sign that a commitment was made. Our construction hides a commitment as the ECDSA signature nonce of an otherwise ordinary blockchain transaction — the resulting transaction is computationally indistinguishable from background traffic. To open the commitment, the user reveals the value and randomness used to generate it, and a verifier recomputes the commitment and verifies that it was used as the nonce for the on-chain signature. Because revealing the nonce leaks the private key, the transaction should transfer the account's entire balance, which restricts the anonymity set.
Cost of Coercion (CoCo)
To enable comparison across different CR definitions and design approaches, we introduce CoCo (Cost of Coercion), a protocol-agnostic metric that quantifies CR game-theoretically. It measures the economic cost to an adversary of achieving a desired voting outcome with a target probability p, normalized by the same cost for a non-CR scheme. Higher CoCo means stronger practical CR.
CoCo is built on a coercion game that models how rational voters respond to bribes. Each voter chooses to ignore the bribe (vote honestly), cooperate (accept the bribe and vote as instructed), or defect (accept the bribe but secretly try to vote their true preference). The voter's choice depends on the bribe amount, their pivotality (probability their vote swings the outcome), the protocol's evasion success probability (how reliably defection works), and a detection gap — how much more likely the adversary is to pay a voter who truly cooperated versus one who defected. A small detection gap means the adversary can barely distinguish compliance from evasion, so they must bribe as if everyone will defect.
By simulating this game across an electorate of many voters, we can compute the total cost an adversary must pay to achieve a target win probability p. Normalizing by the cost for a protocol with no coercion resistance — one where evasion never works and the adversary can perfectly verify compliance — gives the CoCo curve. A value of k× means the adversary must spend k times more than against a protocol with no CR.
The most striking result is that deniable revoting with a coin-flip race collapses to CoCo ≈ 1: a voter expecting to evade half the time accepts a bribe roughly half as large for the same expected utility, so the adversary's per-voter cost is nearly unchanged from the no-CR baseline. Cast Iron achieves a flat 25× across all p — when evasion always succeeds (γ = 1), there is an exact analytical formula CoCo = 1 / (α−β) where α−β is the detection gap, so the adversary's cost is entirely determined by how reliably they can tell cooperators from defectors, regardless of the target win probability. Revoting with a voter network-latency advantage stays near 1× for low win-probability targets but rises sharply near certainty, peaking around 30×. Loki, with higher evasion success but a larger detection surface, climbs approximately linearly to ~12× at p = 1. A key takeaway: practical CR cannot be summarized by a single number, and which protocol is cheapest to attack depends on the win-probability regime an operator cares about.
Citation
@article{castiron2026,
title = {Cast Iron: Coercion-Resistant Voting from Covert Self-Registration},
author = {Anonymous},
year = {2026},
note = {Under submission}
}