Decentralized Voting: A Self-tallying Voting System Using a Smart Contract on the Ethereum Blockchain

Abstract

Electronic online voting has been piloted in various countries in the recent past. These experiments show that further research is required, to improve the security guarantees of such systems, in terms of vote confidentiality and integrity and validity verification. In this paper we argue that blockchain technology, combined with modern cryptography can provide the transparency, integrity and confidentiality required from reliable online voting. Furthermore, we present a decentralized online voting system implemented as a smart contract on the Ethereum blockchain. The system has no hardwired restrictions on possible vote assignments to candidates, protects voter confidentiality by using a homomorphic encryption system and stores proofs for each element of a vote. To the best of our knowledge, our proposed system is the first decentralized ranked choice online voting system in existence. The underlying Ethereum platform enforces the correct execution of the voting protocol. We also present a security and performance analysis, showing the feasibility of our proposed protocol for real-world voting applications at large scale.

Appendix

In order to protect the privacy of the voters, each assigned point is encrypted (refer to Eq. 2) before submission. However, voters have to generate corresponding proofs to prove their votes are cast correctly by observing the following: 1. each encrypted score is computed correctly using the voter’s private key \(x^{c_j}_{v_i}\); 2. sum of all encrypted points are equaled to pre-defined total available point P.

Each Encrypted Value is Computed Correctly: We present the proofs generation and verification for an encrypted score in \(\text {Vote}_{v_1}\), where we assume \(v_1\) assigned 5 points to \(c_1\), and the encrypted value should be \(E(5, pk,y^{c_1}_{v_1}, x_{v_1}) = (c_1, c_2)\), where \(c_1 = (y^{c_1}_{v_1})^{x^{c_1}_{v_1}}\cdot g^{r}\), \(c_2 = g^{5}\cdot {pk}^{r}\):

Prover: generates a random number \(k_1,k_2 \in \mathbb {Z}_q\), computes \(K_1 = (y^{c_1}_{v_1})^{k_1}\cdot g^{k_2}\), computes \(K_2 = g^{k_1}\), \(c = Hash(K_1\Vert K_2)\), \(Z_1 = x^{c_1}_{v_1}c+k_1\), \(Z_2 = rc+k_2\). And ZKP(\(x^{c_1}_{v_i}\)) = \(\{K_1,K_2, Z_1, Z_2\}\)

Verifier: compute \(c= Hash(K_1\Vert K_2)\), verify if \((y^{c_1}_{v_1})^{Z_1}g^{Z_2} = K_1 \times (c_1)^{c}\), verify if \(g^{Z_1} = K_2 \times (g^{x^{c_1}_{v_i}})^{c}\), where \(y^{c_1}_{v_i}\) and \(g^{x^{c_1}_{v_i}}\) are public values, and the verifier(s) will never know the value is encrypted from 5.

Sum of All Encrypted Values is Equavelent to Encrypted from P: We present the proofs generation and verification for the sum of all encrypted points in \(\text {Vote}_{v_1}\), where we assume \(P=10\), and there are 3 candidates \(c_1, c_2\) and \(c_3\). Voter \(v_1\) cast a vote as:

$$\begin{aligned} E(5, pk,y^{c_1}_{v_1}, x^{c_1}_{v_1}) = (y^{c_1}_{v_1})^{x^{c_1}_{v_1}}\cdot g^{r_1},g^{5}\cdot {pk}^{r_1}\\ E(2, pk,y^{c_2}_{v_1}, x^{c_2}_{v_1}) = (y^{c_2}_{v_1})^{x^{c_2}_{v_1}}\cdot g^{r_2},g^{2}\cdot {pk}^{r_2}\\ E(3, pk,y^{c_3}_{v_1}, x^{c_3}_{v_1}) = (y^{c_3}_{v_1})^{x^{c_3}_{v_1}}\cdot g^{r_3},g^{3}\cdot {pk}^{r_3} \end{aligned}$$

Prover: multiply them as

$$\begin{aligned}&E(5, pk,y^{c_1}_{v_1}, x^{c_1}_{v_1})\times E(2,pk,y^{c_2}_{v_1}, x^{c_2}_{v_1})\times E(3, pk,y^{c_3}_{v_1}, x^{c_3}_{v_1}) \\ =&(y^{c_1}_{v_1})^{x^{c_1}_{v_1}} \cdot (y^{c_2}_{v_1})^{x^{c_2}_{v_1}} \cdot (y^{c_3}_{v_1})^{x^{c_3}_{v_1}}\cdot g^{r_1+r_2+r_3}, g^{5+2+3}\cdot {pk}^{r_1+r_2+r_3} \\ =&(y^{c_1}_{v_1})^{x^{c_1}_{v_1}} \cdot (y^{c_2}_{v_1})^{x^{c_2}_{v_1}} \cdot (y^{c_3}_{v_1})^{x^{c_3}_{v_1}}\cdot g^{r_4}, g^{10}\cdot {pk}^{r_4} \end{aligned}$$

We use \(c_1\) and \(c_2\) to denote \((y^{c_1}_{v_1})^{x^{c_1}_{v_1}} \cdot (y^{c_2}_{v_1})^{x^{c_2}_{v_1}} \cdot (y^{c_3}_{v_1})^{x^{c_3}_{v_1}}\cdot g^{r_4}\) and \(g^{10}\cdot {pk}^{r_4}\), respectively.

And then, compute \(z = \prod ^{n_c}_{j=1} (y^{c_j}_{v_1})^{x^{c_j}_{v_1}}\). In this case, \(z= (y^{c_1}_{v_1})^{x^{c_1}_{v_1}} \cdot (y^{c_2}_{v_1})^{x^{c_2}_{v_1}} \cdot (y^{c_3}_{v_1})^{x^{c_3}_{v_1}}\). Selects random numbers \(k_1,k_2,k_3 \in \mathbb {Z}_q\), computes \(K_1 = (y^{c_1}_{v_1})^{k_1}\cdot (y^{c_2}_{v_1})^{k_2} \cdot (y^{c_3}_{v_1})^{k_3}\), \(K_2 = g^{k_1}\), \(K_3 = g^{k_2}\), \(K_4 = g^{k_3}\), \(c = Hash(K_1\Vert K_2\Vert K_3\Vert K_4)\), \(Z_1 = x^{c_1}_{v_1}c+k_1\), \(Z_2 = x^{c_2}_{v_1}c+k_2\), \(Z_3 = x^{c_3}_{v_1}c+k_3\). And ZKP(z) = \(\{K_1,K_2,K_3,K_4, Z_1, Z_2, Z_3\}\).

Prove \(\dfrac{c_1}{z} (=g^{r_4})\) and \(\dfrac{c_2}{g^{10}} (=pk^{r_4})\) has the same exponentiation (refer to Sect. 3), select \(t\in Z\), compute \(T_1 = (g)^t\), compute \(T_2 = {pk}^t\), compute \(c = Hash(T_1||T_2)\), compute \(s = r_4 \cdot c + t\) (\(r_4\) in this case). ZKP(P) = \(\{T_1, T_2, s, z, \text {ZKP}(z)\}\).

Verifier: firstly verify z using \(\text {ZKP}(z)\), compute \(c = Hash(K_1\Vert K_2\Vert K_3)\), verify if \((y^{c_1}_{v_1})^{Z_1}(y^{c_2}_{v_1})^{Z_2}(y^{c_3}_{v_1})^{Z_3} = K_1 \times (z)^{c}\), verify if \((y^{c_1}_{v_1})^{Z_1} = K_1 \times (g^{x^{c_1}_{v_1}})^{c}\), verify if \((y^{c_2}_{v_1})^{Z_2} = K_2 \times (g^{x^{c_3}_{v_1}})^{c}\), verify if \((y^{c_3}_{v_1})^{Z_3} = K_3 \times (g^{x^{c_3}_{v_1}})^{c}\).

Secondly verify P using \(T_1, T_2, s\) and z, multiply \(E(5, \cdots ), E(2, \cdots )\) and \(E(3, \cdots )\) as \((c_1, c_2)\), compute \(c = Hash(T_1||T_2)\), verify if \(g^s = (\dfrac{c_1}{z})^c \cdot T_1\), verify if \({pk}^{s} = (\dfrac{c_2}{g^{10}})^c \cdot T_2\). Same as to verify \(\dfrac{c_1}{z}\) and \(\dfrac{c_2}{g^{10}}\) has the same exponentiation \(r_4\).