Many election schemes rely on art, rather than science, to ensure that choices are made freely and with equal influence. Such schemes build upon creativity and skill, rather than scientific foundations. These schemes are typically broken in ways that compromise free choice, e.g., [12,7,40,41,36], or permit adversaries to unduly influence the outcome, e.g., [15,11,7,37]. This article shows how such breaks can be avoided by carefully formulating security definitions, and proving that schemes satisfy these definitions. Equipped with these definitions, we can build election schemes that can be proven to behave as expected.An election scheme is a decision-making mechanism to choose a representative [21,27,13,3], typically consisting of at least the following three steps. First, an administrator initialises the scheme (setup). Secondly, each voter constructs and casts a ballot for their choice (voting). These ballots are authenticated and recorded using a mechanism, e.g., a bulletin board. Thirdly, the administrator tallies the recorded ballots and announces an outcome, i.e., a frequency distribution of choices (tallying). This distribution is used to select a representative. For example, in first-pastthe-post election schemes the representative corresponds to the choice with highest frequency.Choices must be made freely, which can be achieved by making choices in private [38,25,24], i.e., "when numerous social constraints in which citizens are routinely and universally enmeshed -community of religious allegiances, the patronage of big men, employers or notables, parties, 'political machines' -are kept at bay" [6]. This has led to the emergence of the following requirement.• Ballot secrecy: a voter's choice is not revealed to anyone.Ballot secrecy ensures that a voter's choice is kept secret, which is intended to prevent unwanted consequences (including the preclusion of free choice) that might otherwise arise.To illustrate how ballot secrecy can be achieved, we introduce a simple election scheme that instructs voters to encrypt their choices and instructs administrators to decrypt encrypted choices to obtain the outcome. More specifically, the scheme works as follows: first, the administrator generates a public key. Secondly, each voter encrypts their choice using that key. Finally, the administrator decrypts each encrypted choice and outputs the corresponding outcome. Intuitively, ballot secrecy is achieved if the underlying encryption scheme is secure, i.e., the encryption of a choice leaks no information about that choice.Voters, and any other interested parties, must be able to convince themselves that the announced outcome is indeed the distribution of choices made by voters, which can be achieved by making elections verifiable, i.e., ensuring "there [is] enough evidence for anyone who doubts the results to re-examine and rationally determine whether the [outcome was] called correctly" [39]. Election verifiability can be captured by the following requirements.