We present a system for running auditable and verifiable elections in untrusted environments. Votes are anonymous since the order of candidates on a ballot sheet is random. Tellers see only the position of the candidate. Voters can check their vote. An election is auditable using blockchain log. Threshold-encryption, which is used to implement the quorum, prevents a deadlock from occurring if a minority of candidates or observers tries to sabotage the election. Candidates and observers can indicate that the election was free and fair by exposing their keys, which are used by the system to decrypt each vote. Ballot sheets are encrypted by onion-routing, which has a layer with the key of the election instance, so it's impossible for a quorum to decode the results before they have announced their decision by exposing their keys. A register of voters ensures that only verified voters can vote without compromising their identity. If there any doubts about the identity of a voter, their vote can be excluded from the election, if a quorum agrees. This system is designed to scale from one instance to a distributed system that runs over an unlimited number of instances, which can be achieved using cloud instances or smartphones belonging to voters or tellers.