I Introduction
The Internet of Things (IoT) [1][9] is a system comprising smart devices, actuators, sensors and other objects that connected through the network with the ability to transfer data, share resources and make decisions without mantoman or mantodevice interaction. Organizations in various industries utilize IoT for better efficiency, convenience and service ^{1}^{1}1https://internetofthingsagenda.techtarget.com/definition/InternetofThingsIoT
. Besides the wellknown applications of smart city and smart home, IoT has potential in many other public and private applications, such as manufacturing, agriculture, transportation, and healthcare. In recent years, IoT gains extensive attention and some new extensions of IoT are proposed, such as IIoT and NBIoT. The number of devices is in an explosive growth. It is estimated that there will be 50 billion IoT devices by the year of 2020
[10].Voting systems and IoT. Voting systems have wide applications in IoT. We list two typical examples here. 1) Leader election in distributed IoT. Leader election is one of the most common and important activities in a distributed IoT, such as wireless sensor networks [11]. The goal of leader election is to designate a special node as an organizer to coordinate the tasks in distributed nodes to break the inner symmetry in distributed systems. The peers in the network select and communicate among themselves to vote for the leader. 2) Decision making in IoT systems. One of the most salient features of IoT systems is to collect data and make smarter decisions according to the sensed data. Voting is one of the effective approaches making decisions ^{2}^{2}2http://healthandlearning.org/wpcontent/uploads/2017/04/DecisionMakingModelsVotingversusConsensus.pdf. Devices measure various types of data and leverage diverse methods to analyze the data, which may lead to a different opinion to a specific decision. Then devices vote for a final decision. Take an environmental health IoT as an example, which comprises some smart phones with apps to acquire the environmental parameters with high accuracy including temperature, humidity, noise, and dust. All the parameters are closely related to people’s health. Thus, the environmental health IoT is an important reference for healthcare. The smart devices collaborate to make decisions in an environmental health IoT to show whether the current environment is suitable to live or work in.
Nevertheless, most of the IoT implementations are with a centralized infrastructure. Specifically, the devices are linked with the cloud and controlled by a central hub, which suffers from scalability, efficiency and singlepointoffailure issues. To overcome the bottleneck of centralized IoT, the notion of decentralized IoT was proposed [13]. The devices enjoy the desirable merits of peertopeer (P2P) communication, flexibility and better efficiency to exchange information. A majority of decentralized IoT leverages Blockchain [12] to build the underlying P2P network. A San Francisco based startup Helium ^{3}^{3}3https://www.helium.com/ has built a blockchain machine network for IoT. ^{4}^{4}4https://internetofbusiness.com/heliumblockchainmachinenetworkiotunleashed/
Traditional voting systems with a central party to organize the vote and tally the ballots are not suitable for a decentralized IoT framework. As an alternative, selftallying scheme was proposed, which does not require a third party to tally the ballots and reveal the final result. Instead, after all the voters cast the ballots, anyone can collect the ballots and compute the final results at the same time. However, selftallying schemes inherently suffer from fairness issues, as the last voter can collect other voters’ ballots to compute the final result before casting his/her own ballots. That is he can know the result ahead of schedule. Moreover, if he is not satisfied with the final result, this voter may refuse to reveal his ballot, then other voters are hard to obtain the final result.
Ia Our Contributions
In this paper, we aim to improve the fairness of blockchainbased selftallying systems for decentralized IoT. The contributions of this article are listed as follows.

We formalize the system model of selftallying voting systems based on blockchain in decentralized IoT.

We propose a concrete construction of a blockchainbased selftallying voting protocol in decentralized IoT, and prove it satisfies fairness, disputefreeness and maximal ballot secrecy. Specifically, in our construction, we modify the commitment in [15] and recovery phase in [19] to handle the abortive issues, and suggest that timed commitment can be used to deal with adaptive issues selftallying voting schemes based on blockchain.

We implement the proposed protocol on a laptop and a mobile phone respectively.
Organization. The rest of the paper is organized as follows. We review the related work and provide some preliminaries in Sec. II and Sec. III, respectively. The security requirements are presented in Sec. IV. We build a fair blockchainbased selftallying voting system for decentralized IoT in Sec. V. The implementations of the proposed protocol are illustrated in Sec. VII. Finally, we conclude the paper in Sec. VIII.
Ii Related work
Selftallying evoting. Evoting is a flourishing and fadeless topic in academic research. In traditional centralized evoting protocols, a central authority is usually involved for organizing the election and counting the votes. To achieve stronger voter privacy, Kiayias and Yung [18] proposed the notion of selftallying voting, which is a new paradigm in decentralized evoting systems. In selftallying systems, tallying is an open procedure in which any party, not only the voters but also the observers, can check the validity of each ballot and perform the computation after collecting all the valid ballots to get the final voting result. They proposed the first concrete construction as well by leveraging a bulletin board, which achieves perfect ballot privacy and disputefreeness. Groth et al.[17] proposed a simpler scheme with better efficiency for each voter. They also constructed an anonymous broadcast channel with perfect message secrecy at the cost of increased round complexity of the protocol, which needs rounds for voters. Hao et al. [16] proposed a selftallying voting protocol based on a tworound anonymous veto protocol (AVnet). Their protocol provides the same security properties but achieves better efficiency in terms of round complexity. Khader et al. [19] claimed that [16] is neither robust nor fair, and they advanced the protocol by adding a commitment phase and a recovery round. However, the recovery phase in their construction ignores the ballots of the abortive voters.
Blockchainbased evoting systems. There are already some existing works on evoting based on blockchain. The role of blockchain in evoting protocols varies from schemes to schemes. Most of the works make blockchain as bulletin boards and still employ a trusted authority for voter privacy, such as Follow My Vote ^{5}^{5}5https://followmyvote.com/, TIVI ^{6}^{6}6 https://tivi.io/ ^{7}^{7}7http://www.smartmatic.com/fileadmin/user_upload/Whitepaper_Online_ Voting_Challenge_Considerations_TIVI.pdf. Some of the existing works are based on cryptocurrencies, such as Bitcoin [20][21]. Takabatake et al. [31] proposed a voting protocol based on Zerocoin to enhance voter privacy. In 2017, McCorry et al. [15] presented Open Vote Network ^{8}^{8}8https://github.com/stonecoldpat/anonymousvoting ^{9}^{9}9https://ethereumfoundation.org/devcon3/sessions/theopenvotenetworkdecentralisedinternetvotingasasmartcontract/, the first implementation of a decentralized selftallying evoting protocol based on Blockchain. The commitment in [15] is the hash of the vote, which is irrecoverable if a voters refuses to cast his ballot in the voting phase.
Iii Preliminaries
In this section, we provide some preliminaries used in our construction.
Iiia Intractable Assumptions
1) Discrete Logarithm (DL) Assumption.
Let be a security parameter and denotes a cyclic group of prime order . DL problem [30] is that, given a tuple and output , where is the set of nonnegative integers smaller than . DL assumption holds if for any polynomialtime algorithm , the following advantage is negligible in .
2) Decisional DiffieHellmam (DDH) Assumption
Let be a security parameter and denotes a cycle group of prime order . DDH problem [30] states that given a tuple and output . DDH assumption holds if for any polynomialtime algorithm , the following advantage is negligible in .
IiiB ElGamal encryption
ElGamal encryption [27] is semantically secure under the DDH assumption. Another merit of ElGamal encryption is its inherent homomorphism. The ciphertexts of can be easily aggregated to obtain the ciphertext of . A distributed ElGamal cryptosystem [28] is a generalization of ElGamal encryption, which contains the following algorithms.
Setup. Suppose there are users in the system, and the key pairs of the th user are . Each user publishes his public key, and the common public key can be generated in a distributed manner[29] as .
Enc. To encrypt a message , randomly choose , and compute a ciphertext of as .
Dec. Each user computes and broadcasts the partial decryption key . Then the decryption can be done by computing
.
IiiC Commitment
A commitment scheme allows a user to commit to a selected statement, which is hidden to others during the Commit phase, but can be revealed by the user in the Open phase. A commitment scheme contains the following two properties:

Binding. The committer cannot change the statement after he has committed to the statement.

Hiding. The receiver knows nothing about the committed statement before the committer opens the commitment.
IiiD ZeroKnowledge Proof of knowledge and Protocol
Let be a binary relation, where is the common input and is a witness. A zeroknowledge proof of knowledge is a protocol in which a prover proves to a verifier that it knows a witness for which without revealing anything.
A Protocol is a way to obtain efficient zeroknowledge proof. A protocol is a Protocol for relation if it has 3move as shown in Fig 1. 1) sends a message to . 2) sends a random bit challenge to . 3) sends a response , and decides to accept or reject based on the verification algorithm.
A protocol has the following properties.

Completeness. If and follow the protocol on input and , where , the verifier always accepts the prover’s proof.

Special soundness. For any and any accepting conversations on with the same message and different challenges and , where , one can efficiently extract such that .

Honest verifier zeroknowledge(HVZK). There is a polynomialtime simulator, which on input and a challenge outputs an accepting conversation with the form
, with the same probability distribution as conversations between the honest
and on input .
The special soundness property implies that the error probability of this proof system is always .
Iv System and Security Model
In this section, we propose the system model of blockchainbased selftallying voting system for decentralized IoT and list the necessary security requirements and security model of a selftallying voting protocol.
Iva System model
The framework of a blockchainbased selftallying voting protocol for decentralized IoT system is shown in Fig. 3. There are three roles in the sytem, smart devices, gateway and a blockchain. The IoT system is equipped with many smart devices, which are regarded as voting devices. A blockchain is leveraged to achieve a P2P overlay network and can also fulfill device management [14] and a bulletin board. Each device needs to register when they first enroll in the system and cast the ballots through gateway to blockahin. After collecting the ballots from the blockchain, the results can be obtained immediately to make decisions for the whole IoT system.
IvB System components
A blockchainbased selftallying voting system in a decentralized IoT consists of the following algorithms. Suppose there are voting devices in the system denoted as voter .
Setup(). This is a probabilistic algorithm that takes a security parameter and the number of voters as input and outputs the private and public key pair for each voter .
Commit(). This algorithm is run by each voter . On input a vote and other voter ’s public key , it outputs a commitment and a corresponding zeroknowledge proof, and publishes and the proof on the blockchain.
Vote(). This algorithm is run by each voter . On input a vote , the private key , and the other voter ’s public key , it outputs a ballot and a zeroknowledge proof to prove the ballot is in the right form, and publishes and the proof on the blockchain.
Tally(). This is a deterministic algorithm that takes all the ballots as input, it outputs the election result.
Recover(). This algorithm is to recover the abortive voter’s vote. On input the abortive voter’s commitment and all the other voters’ private key , it outputs the abortive voter’s vote .
IvC Security requirements
A selftallying protocol is supposed to satisfy the following security requirements.

Maximal ballot secrecy. A partial tally of the ballots can be accessed only by a collusion of all remaining voters.

Selftallying. After all the voters cast their ballots, anyone is able to compute the voting results with all the ballots.

Fairness. Freeness means that nobody has the priority to get a partial tally ahead of schedule. Selftallying protocols always suffer from fairness issues, including abortive issues and adaptive issues. Abortive issues indicate that some of the users refuse to reveal their votes and abort before casting their ballots, then the final results won’t be revealed. Adaptive issues state that the last voter has the priority to get the final results first and thus may affect his choice and even gives up in this vote, thus will cause an abortive issue.

Disputefreeness. This property states that anybody can check whether the voters follow the protocol or not. This is an extension of universal verifiability.
IvD Security model
In this section, we formalize the security model for maximal ballot secrecy.
Suppose there are maximal corrupted voters in the maximal ballot secrecy game, who are fully controlled by the adversary. The adversary can make queries to the commitments as well as the corrupted users’ ballots, and also get access to the final result of the election. And later in the challenge phase, given two ballots from different votes for the two uncorrupted voter, the adversary needs to tell which of the two ballots is from the vote 1. The detailed security model is as follows.
Maximal ballot secrecy (MBS): We say a selftallying voting scheme is MBSsecure, if no polynomial bounded adversary has a nonnegligible advantage against a challenger in the following game.
Initial. There are voters in the game. declares two target voters to be challenged upon. The other voters are regarded as corrupted users. randomly chooses one from and denotes as . Set the vote of as 1, and the other one as 0.
Setup. generates the private and public key pairs for each voter. Then forwards all the public keys and the corrupted users’ private keys to .
Queries. can choose any ballots for the corrupted users and make some queries including the Commit queries and the Vote queries corresponding to the chosen ballots.

Commit queries. can query the commitment for a vote. Then generates the commitment and records the ballot and the commitment in the list .

Vote queries. can make queries on the votes generated by any user other than .
Challenge. outputs two challenge ballots on behalf of the uncorrupted voters and chosen in the Initial phase.
Tally. can compute the final result of the election according to the collected ballots.
Guess. outputs a guess to determine which one between and has cast the ballot of 1.
In the above model, the reason we set two challenge votes rather than one is to prevent the adversary deducing the challenged vote from his known information. Specifically, as the adversary can control the ballot of the corrupted voters and will obtain the election result after collecting the challenge vote, if there is only one challenge vote, the adversary can have a nonnegligible advantage in the guessing game. After collecting the votes together, the adversary can do the tallying by itself to know the election result. To see why we set the different ballots for the two challenge votes, let’s suppose the following situation. If we set the challenge vote with the same ballot from , and all the corrupted voters controlled by the adversary vote the same ballot, then the adversary can get the knowledge about the challenge vote easily after knowing the results, in which the advantage is nonnegligible.
Definition 1. The voting scheme is MBS secure if for any polynomial time adversary,
where is negligible.
V Construction
In this section, we present a concrete construction of selftallying voting system with the help of blockchain. As shown in Fig. 4, the system contains three phases, the Prevote phase, which includes Setup and Commit algorithms, Vote phase, which includes Vote algorithm, and Aftervote phase, which includes Tally and Recover algorithms. In the Prevote phase, the system is initialized and the voters register to obtain the privatepublic key pairs. Voters put their public keys together with the zeroknowledge proof for the corresponding private keys on the blockchain. Commit is to ensure fairness. If voters skip commit part and cast their ballots directly, the last voter has the priority to access the final result ahead of schedule. In this phase, other voters cannot see the vote but only the commitment of the vote, thus, the voters need a zeroknowledge proof to prove the committed vote is in the right form. Later if the last voter refuses to vote, other voters can recover the ballot according to the commitment and get the result. In Vote phase, the voters cast their encrypted ballots. In Aftervote phase, by collecting all the ballots from the blockchain, the final result can be obtained publicly by anyone. Recover is an optional phase which can be called when the last voter does not follow the rule to cast his/her ballot in the sense that the ballot can be recovered with the corresponding commitment and the help of all the other voters.
Va Dealing with abortive issues
Basic idea. The existing approaches to deal with abortive issue are adding a recovery phase, in which the abortive users are excluded by removing their ballots, and tally the ballots from the remaining voters. However, an abort may be caused by some user knowing the unwanted result and against revealing the result. So, simply removing the votes will bring a different voting result. Thus, we modified the recovery phase in [15]. In our modification, if the last voter quits after making a commitment, then his/her ballot can be revealed according to the corresponding commitment with the cooperation of all the other voters. The detailed construction is as follows.
Setup(). On input a security parameter , and the number of voters , it initializes the system. Each voter chooses a random private key , and computes the public key . Then generates a zeroknowledge proof as ZKPoK(cf. Fig. 5). The public key and the corresponding ZKP are published to Blockchain.
Commit(). Before casting a ballot, each voter collects the other voters’ public key . To generate a commitment to the vote, chooses a random and publishes . makes the commitment to ensure fairness, where is the vote from {0,1} and . The voters also need to generate a zeroknowledge proof to prove that the commitment is in the right form (cf. Fig. 6) as
And then put the commitment and zeroknowledge proof on the Blockchain.
Vote(). To ensure the secrecy of the vote, all voters encrypted their votes as , where . And generate a zeroknowledge proof to prove that the vote is the same as the one in the commitment. The statement (cf. Fig. 7) is
Then publish the ballot on the Blockchin.
Tally(). To tally the votes, one can collect all the ballots and compute . is a small set that can be easily obtained.
Recover(). If the last voter does not cast his ballot in Vote phase, then each of the remaining voters publish a recover factor for as together with a zeroknowledge proof to prove that it is in the right form (cf. Fig. 5). The value of can be computed as . Then the value of is easy to get as there are only two candidates.
To compute the final result of the election, each remaining voter publishes , where and a ZKPoK to prove the knowledge of as in Fig. 5. Now everyone can compute the result of the remaining voters as So the final result of this election is .
We note that the proofs in Fig. 6 and Fig. 7 are threemove interactive protocols with the techniques in [32]
, which can be transformed into noninteractive protocols following FiatShamir’s heuristics
[22] by setting be a hash value of a secure hash function.VB Dealing with adaptive issues
The adaptive issues seem inevitable in selftallying protocols from its definition because the last voter holding the ballot has the priority to access the final results ahead of the other voters. We suggest to use timelocked primitives [35][36] to deal with the adaptive issues in voting systems. Timelock encryption allows users to get the results only after a certain time [23][24]. Once the deadline is past, the decryption can be performed immediately. It is stated in [23] that timelocked encryption can be achieved by using a witness encryption with Blockchain as the computational reference clock. We borrow this idea in our proposed scheme by encrypting the vote with a witness encryption and the witness can be produced by Blockchain after certain time. And the blockchain can also be the computational reference clock to measure the “certain” time, say after generating several blocks. Then the votes can be decrypted once the deadline is past and thus all the voters and observers can do the tallying to get the result simultaneously.
Vi Security Proof
In this section, we show the proposed protocol satisfies all the security requirements presented in Sec. IV.
Firstly, we show the zeroknowledge proof of knowledge in Fig. 5, Fig. 6 and Fig. 7 satisfy completeness, special soundness [32, 33] and honest verifier zeroknowledge (HVZK). We show the detailed proof of Fig. 6 and omit the proofs for other Figures, as the proofs are quite similar.
Theorem 1. The proof in Fig. 6 satisfies completeness, special soundness and honest verifier zeroknowledge.
Proof. We omit the proof for completeness as it’s straightforward to verify.
The witness for the statement in is . To prove special soundness, the goal is to extract a witness from the threemove interaction with two accepting conversations in polynomial time. Given the two accepting conversations with the same values in the first round, different random numbers in the second round and different responses in the third round as and , it can be checked easily that one of the following holds or .
To prove HVZK, there exists a simulator , who is given a random , it randomly chooses , where , and computes the conversation as , which is an accepting conversation. It is indistinguishable from the one generated by the honest prover.
Next, we prove the proposed scheme is MBS secure if ZKPoK is zeroknowledge and the DDH assumption holds.
Theorem 2. If there exists an adversary that can win the guess game in MBS security model with a nonnegligible advantage, then we can build an algorithm that can break the zeroknowledge of the ZKPoK and the DDH problem.
Proof. Suppose there are voters in the game. The challenger can interact with the adversary . We list a sequence of games [37] to prove Theorem 2. We denote Pr[Win] as the winning probability of an adversary (guessing correctly) in Game.
Game 0: This is the original Game defined in section IVD. chooses two target voters to challenge upon and forwards them to . tosses a coin to decide that one of the voters from votes 1 and the other one votes 0. The reason that we do in this way is to let knows nothing even from the tally result. The one who votes 1 is denoted by . The challenges are denoted as and , where is the commitment of the vote, represents all the ZKPoK in the scheme, is the ballot, . The adversary outputs a guess , then from the definition of the MBS game, we have
Game 1. Game 1 is the same as Game 0 with one difference. runs a simulator as in Theorem 1., and replaces all the zeroknowledge proofs with the simulated proofs without using the real witness. The setting is indistinguishable from ’s view. If can distinguish between the two settings in Game 0 and Game 1 with a nonnegligible advantage, then we can use the adversary to construct an algorithm to violate ZeroKnowledge of ZKPoK. Thus, the adversary’s winning probability in Game 1 satisfies the following equation.
Game 2. Game 2 is the same as Game 1 with one difference. replaces the commitment with a random number . The two settings are indistinguishable from ’s view. Specifically, generates private and public key pairs for the voters other than . Then set the public key for as , as , , where is a random number. sets Clearly, if there is a difference in the adversary’s winning probability between Game 1 and Game 2, we can use the adversary to construct an algorithm to violate DDH problem. Thus, the adversary’s winning probability in Game 2 satisfies the following equation.
Game 3. Game 3 is the same as Game 2 with one difference. replaces the commitment with some random number . Follow the same analysis as in the previous game, sets the public key of as , as , , where is a random number. sets . If there is a difference in the adversary’s winning probability between Game 2 and Game 3, we can use the adversary to construct an algorithm to violate DDH problem. Thus, the adversary’s winning probability in Game 3 satisfies the following equation.
Game 4. Game 4 is the same as Game 3 with one difference. changes the values of with two random elements and satisfying certain relation. The change is indistinguishable from ’s view under the DDH assumption. Wlog, we assume . Given the DDH instance where , sets the public key of and as and respectively. computes and as
where
Thus, and are two random elements satisfying . Clearly, if there is a nonnegligible difference in the adversary’s winning probability between Game 3 and Game 4, we can use the adversary to construct an algorithm to solve DDH problem. Thus, the adversary’s winning probability in Game 4 satisfies the following equation.
Wrapping up. The winning probability for in Game 4 to output a correct guess is because in this game the challenges contain only random numbers, which are independent of the votes . Therefore, we can conclude that there is only a negligible difference in winning probability for an adversary between Game 0 and Game 4, if all the ZKPoKs in the scheme are zeroknowledge and DDH assumption holds. So the probability for in winning the MBS game is , where .
Now, we show the scheme satisfies fairness, self tallying and dispute freeness as well.
Fairness. Suppose voter votes for in the Commit phase and refuse to provide the vote in the Vote phase. Due to the Soundness of ZKPoK, we can guarantee that is decryptable by other voters in the Recover phase.
Selftallying. The zeroknowledge proof of knowledge in each algorithm in the proposed protocol forces the voters to perform honestly according to the protocol. After all the voter cast the ballots, the selftallying property is easy to verify. As in Tally algorithm, thus the selftallying property is achieved.
Dispute freeness. For dispute freeness, again the zeroknowledge proof of knowledge in each algorithm of the proposed protocol forces the commitments and ballots are in the right form and also can be publicly verified by anyone.
Vii Implementation
In this section, we report the implementation results of the proposed construction.
In our experiment, we first implement the protocols on a laptop. For a better simulation of IoT devices, we then implement the protocols on a mobile phone, which has constrained resources. The running environment of the laptop is with Win 8 64bit operating system and Intel Core (TM) i54300 @2.49GHz CPU with an 8 GB SSD. And the configuration of the phone is Android 7.1.1 operating system with Qualcomm MSSM8998 @2.45 CPU (Octacore) and a 6 GB RAM. The projects are written in C++ language with Miracl library[38] under Visual Studio 2010 and Android Studio compiler respectively. We test the efficiency of each algorithm when the number of voters increases. The implementation results are illustrated as follows.
As we can see from both figures (Fig 8,9) that the running time of each algorithm grows almost linearly with the increase of the number of voters and the two figures have the same trend. Among the four algorithms, the most expensive one is Vote, as ZKPoK is the most complicated one among all the zeroknowledge proofs and it is dominant in Vote. The running time of Vote for 3 voters and 12 voters on laptop and phone is 5.01 ms, 12.264 ms and 21.03 ms, 49.794 ms respectively. The fastest algorithm is Tally, which is also consistent with our empirical analysis, as no zeroknowledge proof is needed and the equation to tally the votes is the product of the voters’ ballot, which is linear with the number of voters. The running time of Tally for 3 voters and 12 voters on laptop and phone is 2.02 ms, 4.076 ms and 9.52 ms, 21.714 ms respectively. For the other two algorithms, Commit and Recover, they grow linearly with the increase of the number of voters, as the computation in these two algorithms requires all the other users’ information. Thus, the more voters in the system, the more computation is needed in these two algorithms. For Commit, the running time on laptop for 3 voters and 12 voters is 3.52 ms and 13.03 ms, and it costs 6.699 ms and 26.963 ms on the phone. For Recover, the time consumption on laptop for 3 voters and 12 voters is 3.02 ms and 10.51 ms. The time consumption on phone for 3 voters and 12 voters is 6.699 ms and 26.963 ms.
Viii Conclusions
IoT is pervasive in people’s daily life. Decision making is fundamental activity in the IoT. In this paper, we integrate blockchainbased selftallying voting systems in decentralized IoT architecture. We solve the fairness issues in selftallying systems with two distinct mechanisms and provide a concrete construction. We prove the security of the construction and also implement it to test the efficiency of the proposed protocol.
Acknowledgment
This work was supported by National Key R&D Program of China (2017YFB0802000), National Natural Science Foundation of China ( 61872229 ), NSFC Research Fund for International Young Scientists (61750110528), National Cryptography Development Fund during the 13th Fiveyear Plan Period (MMJJ20170216) and Fundamental Research Funds for the Central Universities(GK201702004).
References
 [1] Y. Xiao, et al., “Internet Protocol Television (IPTV): the Killer Application for the Next Generation Internet,” IEEE Communications Magazine, Vol. 45, No. 11, pp. 126 C134, Nov. 2007.
 [2] X. Du and H. H. Chen, “Security in Wireless Sensor Networks,”?IEEE Wireless Communications Magazine, Vol. 15, Issue 4, pp. 6066, Aug. 2008.
 [3] X. Du, M. Guizani, Y. Xiao and H. H. Chen, Transactions papers, “A RoutingDriven Elliptic Curve Cryptography based Key Management Scheme for Heterogeneous Sensor Networks,” IEEE Transactions on Wireless Communications, Vol. 8, No. 3, pp. 1223  1229, March 2009.
 [4] Y. Xiao, et al., “A Survey of Key Management Schemes in Wireless Sensor Networks,” Journal of Computer Communications, Vol. 30, Issue 1112, pp. 23142341, Sept. 2007.
 [5] X. Du, Y. Xiao, M. Guizani, and H. H. Chen, “An Effective Key Management Scheme for Heterogeneous Sensor Networks,”?Ad Hoc Networks, Elsevier, Vol. 5, Issue 1, pp 24 C34, Jan. 2007.
 [6] X. Du and F. Lin, “Designing efficient routing protocol for heterogeneous sensor networks,” Conference Proceedings of the 2005 IEEE International Performance, Computing and Communications Conference(PCCC), Phoenix, AZ, USA, pp. 5158.
 [7] X. Du and D. Wu, “Adaptive CellRelay Routing Protocol for Mobile Ad Hoc Networks,” IEEE Transactions on Vehicular Technology, Vol. 55, Issue 1, pp. 270277, Jan. 2006.
 [8] X. Du, “QoS Routing Based on MultiClass Nodes for Mobile Ad Hoc Networks,” Ad Hoc Networks, Elsevier, Vol. 2, Issue 3, pp 241 C254, July 2004.
 [9] D. Mandala, F. Dai, X. Du, and C. You, “Load Balance and Energy Efficient Data Gathering in Wireless Sensor Networks”, MASS 2006, Vancouver, BC, Canada, 586591.
 [10] P. FragaLamas, T. FernandezCarames, M. SuarezAlbela, L. Castedo, and M. GonzalezLopez, “A Review on Internet of Things for Defense and Public Safety,” Sensors, vol. 16, no. 10, p. 1644, 2016.
 [11] AlHamadi, Hamid, and Ray Chen. ”Trustbased decision making for health IoT systems.” IEEE Internet of Things Journal, vol. 4, no. 5 (2017): 14081419.
 [12] V. Santos, J. P. Barraca, and D. Gomes. “Secure Decentralized IoT Infrastructure”. In Wireless Days, IEEE, pp. 173175, 2017.
 [13] I. Yaqoob, E. Ahmed, I. A. T. Hashem, A. I. A. Ahmed, A. Gani, M. Imran and M. Guizani, “Internet of things architecture: Recent advances, taxonomy, requirements, and open challenges”. IEEE wireless communications, vol. 24, no.3, pp. 1016, 2017.
 [14] S. Huh, S. Cho and S. Kim. “Managing IoT devices using blockchain platform.” In Advanced Communication Technology (ICACT), 2017 19th International Conference on, pp. 464467. IEEE, 2017.
 [15] P. McCorry, S.F. Shahandashti and F. Hao. “A smart contract for boardroom voting with maximum voter privacy”. International Conference on Financial Cryptography and Data Security. Springer, Cham, pp. 357375, 2017.
 [16] F. Hao, P.Y.A. Ryan and P. Zieli??ski. “Anonymous voting by tworound public discussion”. IET Information Security, vol. 4, no. 2, pp. 6267, 2010.
 [17] J. Groth. “Efficient maximal privacy in boardroom voting and anonymous broadcast”. In International Conference on Financial Cryptography. Springer, Berlin, Heidelberg, pp. 90104, 2004.
 [18] A. Kiayias and M. Yung. “Selftallying elections and perfect ballot secrecy”. In International Workshop on Public Key Cryptography, Springer, Berlin, Heidelberg, pp. 141158, 2002.
 [19] D. Khader, B. Smyth, P. Ryan and F. Hao. “A fair and robust voting system by broadcast”. Lecture Notes in Informatics (LNI), ProceedingsSeries of the Gesellschaft fur Informatik (GI), pp. 285299, 2012.
 [20] Z. Zhao, T. H. H. Chan. “How to vote privately using bitcoin”. In International Conference on Information and Communications Security. Springer, Cham, pp. 8296 2015.
 [21] S. Bistarelli, M. Mantilacci, P. Santancini and F. Santini. “An endtoend votingsystem based on bitcoin” In Proceedings of the Symposium on Applied Computing, pp. 18361841. ACM, 2017.
 [22] A. Fiat and A. Shamir. “How to prove yourself: Practical solutions to identification and signature problems”. In Advances in CryptologyCRYPTO’86, Springer, Berlin, Heidelberg, pp. 186194, 1986.
 [23] T. Jager. “How to Build TimeLock Encryption.” IACR Cryptology ePrint Archive 2015, 478, 2015.
 [24] J. Liu, T. Jager, S. A. Kakvi and B. Warinschi. “How to build timelock encryption”. Designs, Codes and Cryptography, pp. 138, 2018.
 [25] R. Cramer, I. Damgrd and B. Schoenmakers. “Proofs of partial knowledge and simplified design of witness hiding protocols.” In Annual International Cryptology Conference, Springer, Berlin, Heidelberg, pp. 174187, 1994.
 [26] J. Camenisch and M. Stadler, “Proof systems for general statements about discrete logarithms”. Technical report/Dept. of Computer Science, ETH Z??rich, 260.
 [27] T. ElGamal. “A public key cryptosystem and a signature scheme based on discrete logarithms.” IEEE Transactions on Information Theory. vol. 3, no. 4, pp. 469472, 1985.
 [28] F. Brandt. “Efficient cryptographic protocol design based on distributed ElGamal encryption”. In International Conference on Information Security and Cryptology, Springer, Berlin, Heidelberg, pp. 3247, 2005.
 [29] T. Pedersen. “Noninteractive and informationtheoretic secure verifiable secret sharing”. In J. Feigenbaum, editor, Proc. of 11th CRYPTO Conference, volume 576 of LNCS, pages 129?C140. Springer, 1991.
 [30] J. Katz. “Digital signatures”. Springer Science and Business Media, 2010.
 [31] Y. Takabatake, D. Kotani, and Y. Okabe. “An anonymous distributed electronic voting system using Zerocoin”. IEICE Techinical Report. vol. 54, no. 11, pp. 127131, 2016.
 [32] R. Cramer, I. Damgrd and B. Schoenmakers. “Proofs of partial knowledge and simplified design of witness hiding protocols”. In Annual International Cryptology Conference. Springer, Berlin, Heidelberg, pp. 174187, 1994.
 [33] A. De Santis, G. Di Crescenzo, G. Persiano and M. Yung. “On monotone formula closure of SZK”. In Foundations of Computer Science, 1994 Proceedings., 35th Annual Symposium on , IEEE, pp. 454465, 1994.
 [34] C. P. Schnorr. “Efficient signature generation by smart cards”. Journal of Cryptology, vol. 4, no.3, pp. 161?C174, 1991.
 [35] R. L. Rivest, A. Shamir and D. A. Wagner, “Timelock puzzles and timedrelease crypto”. 1996.
 [36] N. Bitansky, S. Goldwasser, A. Jain, O. Paneth, V. Vaikuntanathan and B. Waters. “Timelock puzzles from randomized encodings”. In Proceedings of the 2016 ACM Conference on Innovations in Theoretical Computer Science. ACM, pp. 345356, 2016.
 [37] V. Shoup. Sequences of games: a tool for taming complexity in security proofs. IACR Cryptology ePrint Archive, 2004, 332.
 [38] https://certivox.org/display/EXT/MIRACL.