New receipt-free voting scheme using double-trapdoor commitment
Introduction
Electronic voting is one of the most significant applications of cryptography. Plenty of research work has been done in the past 20 years. The existing electronic voting schemes can be categorized by their research approaches into three types: schemes using blind signatures [21], [30], [31], schemes using mix-nets [1], [3], [10], [26], [32], [33], [36], and schemes using homomorphic encryption [7], [8], [9], [17], [18], [19], [24], [25], [35].
One essential property of electronic voting is the privacy of the ballot. If a voter is not required to keep his/her ballot secret, the voter could be coerced by a political boss or an employer with power or money into casting a certain ballot. This will affect the final result of the voting and destroy the fairness of the election. In some sense, democracy cannot be achieved since it depends on a proper and fair administration of the election. Therefore, the content of a vote should never be revealed before the counting stage of the voting. Moreover, a voter should not be able to provide a receipt to any third party to prove that a certain vote was cast.
Benaloh and Tuinstra [8] first introduced the concept of receipt-freeness to solve the problems of “vote buying” or “coercion” in electronic voting. Based on the assumption of a voting booth, they also proposed two voting schemes using homomorphic encryption. The first one is a single-authority voting scheme and fails to maintain vote secrecy. The second scheme is extended to a multi-authority scheme achieving vote secrecy. However, Hirt and Sako [24] proved that the scheme could not satisfy the property of receipt-freeness and proposed the first practical receipt-free voting scheme based on homomorphic encryption.
A receipt-free voting protocol based on a mix-net channel was first proposed by Sako and Kilian [36], which only assumes one-way secret communication from the authorities to the voters. However, a significant disadvantage of this protocol is the heavy processing load required for tallying in mix-net schemes.
The only two receipt-free voting schemes using blind signatures were proposed by Okamoto [31], where a single-trapdoor commitment is used to ensure the receipt-freeness. However, the first scheme requires the help of the parameter registration committee and the second one needs a stronger physical assumption of the voting booth.
Our contribution. In this paper, we point out that the traditional single-trapdoor commitment is unsuitable for designing receipt-free voting schemes. We then use the double-trapdoor commitment to propose a new receipt-free voting scheme based on blind signatures. Neither the parameter registration committee nor the voting booth is required in the proposed voting scheme. So, it is more efficient and practical for large scale elections than Okamoto’s voting schemes [31].
Blind signatures, introduced by Chaum [11], allow a recipient to obtain a signature on message m without revealing anything about the message to the signer. Blind signatures play an important role in plenty of applications, such as electronic voting [21], [30], [28] and electronic cash [11], [20], where anonymity is of great concern.
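The blinding step described above, as an added example that is not code from the paper: a textbook Chaum-style RSA blind signature in which the administrator signs a hidden ballot hash. The toy key (N, E, D), the hash-to-integer mapping and all function names are assumptions made for illustration; real deployments use full-size keys and a padded scheme.

```python
import hashlib
from math import gcd

# Constructed textbook RSA key for the administrator A (toy size, no padding).
N, E, D = 3233, 17, 2753   # N = 61 * 53, E * D = 1 mod 3120

def H(ballot: bytes) -> int:
    """Hash the ballot into Z_N (illustrative mapping, not from the paper)."""
    return int.from_bytes(hashlib.sha256(ballot).digest(), "big") % N

def blind(ballot: bytes, r: int) -> int:
    """Voter: hide H(ballot) behind blinding factor r before sending it to A."""
    if gcd(r, N) != 1:
        raise ValueError("r must be invertible mod N")
    return (H(ballot) * pow(r, E, N)) % N

def sign_blinded(blinded: int) -> int:
    """Administrator: signs the value it receives and never sees the ballot."""
    return pow(blinded, D, N)

def unblind(blind_sig: int, r: int) -> int:
    """Voter: strip r to obtain an ordinary RSA signature on H(ballot)."""
    return (blind_sig * pow(r, -1, N)) % N

def verify(ballot: bytes, sig: int) -> bool:
    return pow(sig, E, N) == H(ballot)

def run(ballot: bytes = b"candidate-2", r: int = 7):
    sig = unblind(sign_blinded(blind(ballot, r)), r)
    return sig, verify(ballot, sig)

if __name__ == "__main__":
    print(run())
```

The unblinded signature is the same value the administrator would have produced by signing the ballot hash directly, whichever blinding factor the voter chose.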
Fujioka, Okamoto, and Ohta [21] proposed the first practical voting scheme for large scale elections based on blind signatures. Moreover, Cranor and Cytron designed and implemented a voting system named Sensus based on this scheme. The main disadvantage of [21] is that all voters have to join the ballot counting process. This is because in the counting stage the tally authority needs the help of each voter to open the commitment (ballot) in the bit-commitment scheme. Ohkubo et al. [28] proposed an improved voting scheme based on blind signatures which allowed the voters to walk away once they finished casting their votes. The scheme used a threshold encryption scheme instead of a bit-commitment scheme [27]. However, the scheme is not receipt-free.
Okamoto [30] proposed a new voting scheme based on blind signatures. The scheme tried to use a trapdoor commitment scheme [6] to achieve receipt-freeness. The concept of trapdoor commitment (also called chameleon commitment) was first introduced by Brassard, Chaum, and Crepeau [6] for zero-knowledge proofs. In a trapdoor commitment scheme, a holder who knows the trapdoor can open a commitment in any possible way in the open phase. Therefore, the scheme is receipt-free only if the trapdoor information is known by the voters. Okamoto [31] then proposed two improved voting schemes which ensure that the voters know the trapdoor information, so both schemes satisfy receipt-freeness. The first scheme requires an untappable channel and a parameter registration committee, and the second one requires the stronger physical assumption of a voting booth, where a voter provides a zero-knowledge proof that he/she knows the trapdoor information.
In other electronic commerce protocols such as electronic auction and contract signing, similar concepts were also introduced to prevent the corresponding crimes. For example, Abe and Suzuki [2] introduced the idea of receipt-free auctions to prevent bid-rigging in the auction protocol. In contract signing, if a party can provide a proof that he is capable of choosing whether to validate or invalidate the contract, he may obtain a better contract. Garay et al. [23] first introduced the concept of abuse-free contract signing to solve this problem.
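Why knowing the trapdoor gives receipt-freeness, as an added example that is not code from the paper: a toy discrete-log (Pedersen-style) trapdoor commitment, used here as an assumed instantiation rather than the paper's double-trapdoor scheme. The parameters P, Q, G and all function names are constructed for illustration and are far too small to be secure.

```python
import secrets

# Constructed toy group: P = 2*Q + 1 is a safe prime, G generates the order-Q subgroup.
P, Q, G = 2039, 1019, 4

def keygen():
    """Return (h, t): public commitment key h = G^t mod P and trapdoor t."""
    t = secrets.randbelow(Q - 1) + 1
    return pow(G, t, P), t

def commit(h: int, m: int, r: int) -> int:
    """Commitment to message m with randomness r: G^m * h^r mod P."""
    return (pow(G, m % Q, P) * pow(h, r % Q, P)) % P

def verify(h: int, c: int, m: int, r: int) -> bool:
    return c == commit(h, m, r)

def equivocate(t: int, m: int, r: int, m_new: int) -> int:
    """With trapdoor t, find r_new so that (m_new, r_new) opens the same commitment.

    G^m * h^r = G^(m + t*r), so solve m + t*r = m_new + t*r_new (mod Q).
    """
    return (r + (m - m_new) * pow(t, -1, Q)) % Q

def demo():
    h, t = keygen()
    vote, r = 1, secrets.randbelow(Q)       # the vote actually committed to
    c = commit(h, vote, r)
    claimed = 2                             # the vote a coercer demanded
    r_claimed = equivocate(t, vote, r, claimed)
    return h, c, (vote, r), (claimed, r_claimed)

if __name__ == "__main__":
    h, c, real, fake = demo()
    print(verify(h, c, *real), verify(h, c, *fake))
```

Both openings verify against the same commitment, so an opening shown to a third party proves nothing about the vote; without the trapdoor the voter could produce only the real opening, which would serve as a receipt.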
The rest of the paper is organized as follows: Some preliminaries are given in Section 2. Okamoto’s receipt-free voting schemes are revisited in Section 3. The proposed receipt-free voting scheme and its security and efficiency analysis are given in Section 4. The non-interactive zero-knowledge proof required in our voting scheme is presented in Section 5. Finally, conclusions will be made in Section 6.
Section snippets
Preliminaries
In this section, we first describe the model and security requirements of electronic voting, and then introduce the notion of trapdoor commitment.
Revisiting Okamoto’s receipt-free voting schemes
In this section we briefly introduce Okamoto’s receipt-free voting schemes [30], [31] and then give a further discussion about the receipt-freeness of the schemes.
The participants of the scheme [30] are voters Vi(1 ⩽ i ⩽ I), an administrator A, and a timeliness commission member T. Let (e,n) be the RSA public key of A for signatures, and H be a hash function. We also denote the signature of Vi for message m, and EA(m) the encryption of m using A’s public key. The scheme consists of the
High-level description of the scheme
In this paper, we still use the weaker physical assumption of the untappable channel as in [30] to construct a receipt-free voting scheme. The key point is how to make the voters obtain the trapdoor information. We will use the double trapdoor commitment scheme in Section 2.2 to reach the aim. Note that the specific trapdoor in the commitment scheme is an RSA signature of the administrator A. Moreover, the signature is also a proof that Vi is an eligible voter. Therefore, Vi must know the
Knowledge proof of secret permutation
In this section, we present zero-knowledge proofs of secret permutations. We begin with sub-protocols and use the conventional notation to denote a zero-knowledge proof protocol that the prover knows a secret witness x of y for the NP-relation . Meanwhile, we argue that the following interactive protocol can be easily converted into a non-interactive one if we use a one-way hash function.
Conclusion
The approach for realizing electronic voting using blind signatures and anonymous channels seems to be the most suitable and promising for large scale elections. Receipt-free voting schemes can prevent the problem of vote-buying and coercion. Okamoto [30] presented a receipt-free electronic voting scheme based on this framework. However, the following paper [31] proved this scheme was not receipt-free and presented two improved schemes, one scheme requires the help of the parameter registration
Acknowledgements
The authors are grateful to the anonymous referees for their invaluable suggestions for improving this paper. This work is supported by the National Natural Science Foundation of China (Nos. 60970144, 60503006, 61003244, 61070168, and 60803135), the Fundamental Research Funds for the Central Universities (Nos. K50510010003 and JY10000901034), and Program of the Science and Technology of Guangzhou, China (No. 2008J1-C231-2).
References (36)
- et al., Minimum disclosure proofs of knowledge, Journal of Computer and System Sciences (1988)
- et al., Efficient generic on-line/off-line (threshold) signatures without key exposure, Information Sciences (2008)
- Ownership-attached unblinding of blind signatures for untraceable electronic cash, Information Sciences (2006)
- Mix-networks on permutation networks (1999)
- et al., Receipt-free sealed-bid auction (2002)
- et al., An efficient mixnet-based voting scheme providing receipt-freeness (2004)
- et al., Identity-based chameleon hash and applications (2004)
- et al., On the key-exposure problem in chameleon hashes (2005)
(2005) - J. Benaloh, M. Fischer, A robust and verifiable cryptographically secure election scheme, in: Proc. 26th IEEE Symposium...
- J. Benaloh, D. Tuinstra, Receipt-free secret-ballot elections, in: Proc. of 26th Symp. on Theory of Computing-STOC...