A Blockchain-based Self-tallying Voting Scheme in Decentralized IoT

by   Yannan Li, et al.
University of Wollongong

The Internet of Things (IoT) is experiencing explosive growth and has gained extensive attention from academia and industry in recent years. Most of the existing IoT infrastructures are centralized, in which the presence of a cloud server is mandatory. However, centralized frameworks suffer from the issues of unscalability and single-point-of-failure. Consequently, decentralized IoT has been proposed by taking advantage of the emerging technology of Blockchain. Voting systems are widely adopted in IoT, such as a leader election in wireless sensor networks. Self-tallying voting systems are alternatives to traditional centralized voting systems in decentralized IoT since the traditional ones are not suitable for such scenarios. Unfortunately, self-tallying voting systems inherently suffer from fairness issues, such as adaptive and abortive issues caused by malicious voters. In this paper, we introduce a framework of self-tallying systems in decentralized IoT based on Blockchain. We propose a concrete construction and prove the proposed system satisfies all the security requirements including fairness, dispute-freeness and maximal ballot secrecy. The implementations on mobile phones demonstrate the practicability of our system.


page 1

page 2

page 3

page 4


BlendSM-DDM: BLockchain-ENabled Secure Microservices for Decentralized Data Marketplaces

To promote the benefits of the Internet of Things (IoT) in smart communi...

Security Requirement Analysis of Blockchain-based E-Voting Systems

In democratic countries such as India, voting is a fundamental right giv...

Towards Efficient Integration of Blockchain for IoT Security: The Case Study of IoT Remote Access

The booming Internet of Things (IoT) market has drawn tremendous interes...

Decentralized Load Management in HAN: An IoT-Assisted Approach

A Home Area Network (HAN) is considered to be a significant component of...

Hybrid-IoT: Hybrid Blockchain Architecture for Internet of Things - PoW Sub-blockchains

From its early days the Internet of Things (IoT) has evolved into a dece...

Formalism-Driven Development of Decentralized Systems

Decentralized systems have been widely developed and applied to address ...

PhishChain: A Decentralized and Transparent System to Blacklist Phishing URLs

Blacklists are a widely-used Internet security mechanism to protect Inte...

I Introduction

The Internet of Things (IoT) [1]-[9] is a system comprising smart devices, actuators, sensors and other objects that connected through the network with the ability to transfer data, share resources and make decisions without man-to-man or man-to-device interaction. Organizations in various industries utilize IoT for better efficiency, convenience and service 111https://internetofthingsagenda.techtarget.com/definition/Internet-of-Things-IoT

. Besides the well-known applications of smart city and smart home, IoT has potential in many other public and private applications, such as manufacturing, agriculture, transportation, and healthcare. In recent years, IoT gains extensive attention and some new extensions of IoT are proposed, such as IIoT and NB-IoT. The number of devices is in an explosive growth. It is estimated that there will be 50 billion IoT devices by the year of 2020


Voting systems and IoT. Voting systems have wide applications in IoT. We list two typical examples here. 1) Leader election in distributed IoT. Leader election is one of the most common and important activities in a distributed IoT, such as wireless sensor networks [11]. The goal of leader election is to designate a special node as an organizer to coordinate the tasks in distributed nodes to break the inner symmetry in distributed systems. The peers in the network select and communicate among themselves to vote for the leader. 2) Decision making in IoT systems. One of the most salient features of IoT systems is to collect data and make smarter decisions according to the sensed data. Voting is one of the effective approaches making decisions 222http://healthandlearning.org/wp-content/uploads/2017/04/Decision-Making-Models-Voting-versus-Consensus.pdf. Devices measure various types of data and leverage diverse methods to analyze the data, which may lead to a different opinion to a specific decision. Then devices vote for a final decision. Take an environmental health IoT as an example, which comprises some smart phones with apps to acquire the environmental parameters with high accuracy including temperature, humidity, noise, and dust. All the parameters are closely related to people’s health. Thus, the environmental health IoT is an important reference for healthcare. The smart devices collaborate to make decisions in an environmental health IoT to show whether the current environment is suitable to live or work in.

Nevertheless, most of the IoT implementations are with a centralized infrastructure. Specifically, the devices are linked with the cloud and controlled by a central hub, which suffers from scalability, efficiency and single-point-of-failure issues. To overcome the bottleneck of centralized IoT, the notion of decentralized IoT was proposed [13]. The devices enjoy the desirable merits of peer-to-peer (P2P) communication, flexibility and better efficiency to exchange information. A majority of decentralized IoT leverages Blockchain [12] to build the underlying P2P network. A San Francisco based startup Helium 333https://www.helium.com/ has built a blockchain machine network for IoT. 444https://internetofbusiness.com/helium-blockchain-machine-network-iot-unleashed/

Traditional voting systems with a central party to organize the vote and tally the ballots are not suitable for a decentralized IoT framework. As an alternative, self-tallying scheme was proposed, which does not require a third party to tally the ballots and reveal the final result. Instead, after all the voters cast the ballots, anyone can collect the ballots and compute the final results at the same time. However, self-tallying schemes inherently suffer from fairness issues, as the last voter can collect other voters’ ballots to compute the final result before casting his/her own ballots. That is he can know the result ahead of schedule. Moreover, if he is not satisfied with the final result, this voter may refuse to reveal his ballot, then other voters are hard to obtain the final result.

I-a Our Contributions

In this paper, we aim to improve the fairness of blockchain-based self-tallying systems for decentralized IoT. The contributions of this article are listed as follows.

  1. We formalize the system model of self-tallying voting systems based on blockchain in decentralized IoT.

  2. We propose a concrete construction of a blockchain-based self-tallying voting protocol in decentralized IoT, and prove it satisfies fairness, dispute-freeness and maximal ballot secrecy. Specifically, in our construction, we modify the commitment in [15] and recovery phase in [19] to handle the abortive issues, and suggest that timed commitment can be used to deal with adaptive issues self-tallying voting schemes based on blockchain.

  3. We implement the proposed protocol on a laptop and a mobile phone respectively.

Organization. The rest of the paper is organized as follows. We review the related work and provide some preliminaries in Sec. II and Sec. III, respectively. The security requirements are presented in Sec. IV. We build a fair blockchain-based self-tallying voting system for decentralized IoT in Sec. V. The implementations of the proposed protocol are illustrated in Sec. VII. Finally, we conclude the paper in Sec. VIII.

Ii Related work

Self-tallying e-voting. E-voting is a flourishing and fadeless topic in academic research. In traditional centralized e-voting protocols, a central authority is usually involved for organizing the election and counting the votes. To achieve stronger voter privacy, Kiayias and Yung [18] proposed the notion of self-tallying voting, which is a new paradigm in decentralized e-voting systems. In self-tallying systems, tallying is an open procedure in which any party, not only the voters but also the observers, can check the validity of each ballot and perform the computation after collecting all the valid ballots to get the final voting result. They proposed the first concrete construction as well by leveraging a bulletin board, which achieves perfect ballot privacy and dispute-freeness. Groth et al.[17] proposed a simpler scheme with better efficiency for each voter. They also constructed an anonymous broadcast channel with perfect message secrecy at the cost of increased round complexity of the protocol, which needs rounds for voters. Hao et al. [16] proposed a self-tallying voting protocol based on a two-round anonymous veto protocol (AV-net). Their protocol provides the same security properties but achieves better efficiency in terms of round complexity. Khader et al. [19] claimed that [16] is neither robust nor fair, and they advanced the protocol by adding a commitment phase and a recovery round. However, the recovery phase in their construction ignores the ballots of the abortive voters.

Blockchain-based e-voting systems. There are already some existing works on e-voting based on blockchain. The role of blockchain in e-voting protocols varies from schemes to schemes. Most of the works make blockchain as bulletin boards and still employ a trusted authority for voter privacy, such as Follow My Vote 555https://followmyvote.com/, TIVI 666 https://tivi.io/ 777http://www.smartmatic.com/fileadmin/user_upload/Whitepaper_Online_ Voting_Challenge_Considerations_TIVI.pdf. Some of the existing works are based on cryptocurrencies, such as Bitcoin [20][21]. Takabatake et al. [31] proposed a voting protocol based on Zerocoin to enhance voter privacy. In 2017, McCorry et al. [15] presented Open Vote Network 888https://github.com/stonecoldpat/anonymousvoting 999https://ethereumfoundation.org/devcon3/sessions/the-open-vote-network-decentralised-internet-voting-as-a-smart-contract/, the first implementation of a decentralized self-tallying e-voting protocol based on Blockchain. The commitment in [15] is the hash of the vote, which is irrecoverable if a voters refuses to cast his ballot in the voting phase.

Iii Preliminaries

In this section, we provide some preliminaries used in our construction.

Iii-a Intractable Assumptions

1) Discrete Logarithm (DL) Assumption.

Let be a security parameter and denotes a cyclic group of prime order . DL problem [30] is that, given a tuple and output , where is the set of non-negative integers smaller than . DL assumption holds if for any polynomial-time algorithm , the following advantage is negligible in .

2) Decisional Diffie-Hellmam (DDH) Assumption

Let be a security parameter and denotes a cycle group of prime order . DDH problem [30] states that given a tuple and output . DDH assumption holds if for any polynomial-time algorithm , the following advantage is negligible in .

Iii-B ElGamal encryption

ElGamal encryption [27] is semantically secure under the DDH assumption. Another merit of ElGamal encryption is its inherent homomorphism. The ciphertexts of can be easily aggregated to obtain the ciphertext of . A distributed ElGamal cryptosystem [28] is a generalization of ElGamal encryption, which contains the following algorithms.

Setup. Suppose there are users in the system, and the key pairs of the -th user are . Each user publishes his public key, and the common public key can be generated in a distributed manner[29] as .

Enc. To encrypt a message , randomly choose , and compute a ciphertext of as .

Dec. Each user computes and broadcasts the partial decryption key . Then the decryption can be done by computing


Iii-C Commitment

A commitment scheme allows a user to commit to a selected statement, which is hidden to others during the Commit phase, but can be revealed by the user in the Open phase. A commitment scheme contains the following two properties:

  • Binding. The committer cannot change the statement after he has committed to the statement.

  • Hiding. The receiver knows nothing about the committed statement before the committer opens the commitment.

Iii-D Zero-Knowledge Proof of knowledge and -Protocol

Let be a binary relation, where is the common input and is a witness. A zero-knowledge proof of knowledge is a protocol in which a prover proves to a verifier that it knows a witness for which without revealing anything.

A -Protocol is a way to obtain efficient zero-knowledge proof. A protocol is a -Protocol for relation if it has 3-move as shown in Fig 1. 1) sends a message to . 2) sends a random -bit challenge to . 3) sends a response , and decides to accept or reject based on the verification algorithm.

Fig. 1: Protocol

A -protocol has the following properties.

  • Completeness. If and follow the protocol on input and , where , the verifier always accepts the prover’s proof.

  • Special soundness. For any and any accepting conversations on with the same message and different challenges and , where , one can efficiently extract such that .

  • Honest verifier zero-knowledge(HVZK). There is a polynomial-time simulator, which on input and a challenge outputs an accepting conversation with the form

    , with the same probability distribution as conversations between the honest

    and on input .

The special soundness property implies that the error probability of this proof system is always .

Now we show a special case of the definition above by Schnorr to prove a DL relation (Fig. 2)[34]. Let be a group of order with a generator . and have common inputs , has a private input such that .

Fig. 2: protocol for a DL tuple

-Protocol is efficient to prove AND, OR and arbitrary combination of AND/OR statement. More details can be found in [32][33][26].

Iv System and Security Model

In this section, we propose the system model of blockchain-based self-tallying voting system for decentralized IoT and list the necessary security requirements and security model of a self-tallying voting protocol.

Iv-a System model

The framework of a blockchain-based self-tallying voting protocol for decentralized IoT system is shown in Fig. 3. There are three roles in the sytem, smart devices, gateway and a blockchain. The IoT system is equipped with many smart devices, which are regarded as voting devices. A blockchain is leveraged to achieve a P2P overlay network and can also fulfill device management [14] and a bulletin board. Each device needs to register when they first enroll in the system and cast the ballots through gateway to blockahin. After collecting the ballots from the blockchain, the results can be obtained immediately to make decisions for the whole IoT system.

Fig. 3: The framework of blockchain-based self-tallying voting system in a decentralized IoT

Iv-B System components

A blockchain-based self-tallying voting system in a decentralized IoT consists of the following algorithms. Suppose there are voting devices in the system denoted as voter .

Setup(). This is a probabilistic algorithm that takes a security parameter and the number of voters as input and outputs the private and public key pair for each voter .

Commit(). This algorithm is run by each voter . On input a vote and other voter ’s public key , it outputs a commitment and a corresponding zero-knowledge proof, and publishes and the proof on the blockchain.

Vote(). This algorithm is run by each voter . On input a vote , the private key , and the other voter ’s public key , it outputs a ballot and a zero-knowledge proof to prove the ballot is in the right form, and publishes and the proof on the blockchain.

Tally(). This is a deterministic algorithm that takes all the ballots as input, it outputs the election result.

Recover(). This algorithm is to recover the abortive voter’s vote. On input the abortive voter’s commitment and all the other voters’ private key , it outputs the abortive voter’s vote .

Iv-C Security requirements

A self-tallying protocol is supposed to satisfy the following security requirements.

  • Maximal ballot secrecy. A partial tally of the ballots can be accessed only by a collusion of all remaining voters.

  • Self-tallying. After all the voters cast their ballots, anyone is able to compute the voting results with all the ballots.

  • Fairness. Freeness means that nobody has the priority to get a partial tally ahead of schedule. Self-tallying protocols always suffer from fairness issues, including abortive issues and adaptive issues. Abortive issues indicate that some of the users refuse to reveal their votes and abort before casting their ballots, then the final results won’t be revealed. Adaptive issues state that the last voter has the priority to get the final results first and thus may affect his choice and even gives up in this vote, thus will cause an abortive issue.

  • Dispute-freeness. This property states that anybody can check whether the voters follow the protocol or not. This is an extension of universal verifiability.

Iv-D Security model

In this section, we formalize the security model for maximal ballot secrecy.

Suppose there are maximal corrupted voters in the maximal ballot secrecy game, who are fully controlled by the adversary. The adversary can make queries to the commitments as well as the corrupted users’ ballots, and also get access to the final result of the election. And later in the challenge phase, given two ballots from different votes for the two uncorrupted voter, the adversary needs to tell which of the two ballots is from the vote 1. The detailed security model is as follows.

Maximal ballot secrecy (MBS): We say a self-tallying voting scheme is MBS-secure, if no polynomial bounded adversary has a non-negligible advantage against a challenger in the following game.

Initial. There are voters in the game. declares two target voters to be challenged upon. The other voters are regarded as corrupted users. randomly chooses one from and denotes as . Set the vote of as 1, and the other one as 0.

Setup. generates the private and public key pairs for each voter. Then forwards all the public keys and the corrupted users’ private keys to .

Queries. can choose any ballots for the corrupted users and make some queries including the Commit queries and the Vote queries corresponding to the chosen ballots.

  • Commit queries. can query the commitment for a vote. Then generates the commitment and records the ballot and the commitment in the list .

  • Vote queries. can make queries on the votes generated by any user other than .

Challenge. outputs two challenge ballots on behalf of the uncorrupted voters and chosen in the Initial phase.

Tally. can compute the final result of the election according to the collected ballots.

Guess. outputs a guess to determine which one between and has cast the ballot of 1.

In the above model, the reason we set two challenge votes rather than one is to prevent the adversary deducing the challenged vote from his known information. Specifically, as the adversary can control the ballot of the corrupted voters and will obtain the election result after collecting the challenge vote, if there is only one challenge vote, the adversary can have a non-negligible advantage in the guessing game. After collecting the votes together, the adversary can do the tallying by itself to know the election result. To see why we set the different ballots for the two challenge votes, let’s suppose the following situation. If we set the challenge vote with the same ballot from , and all the corrupted voters controlled by the adversary vote the same ballot, then the adversary can get the knowledge about the challenge vote easily after knowing the results, in which the advantage is non-negligible.

Definition 1. The voting scheme is MBS secure if for any polynomial time adversary,

where is negligible.

V Construction

In this section, we present a concrete construction of self-tallying voting system with the help of blockchain. As shown in Fig. 4, the system contains three phases, the Pre-vote phase, which includes Setup and Commit algorithms, Vote phase, which includes Vote algorithm, and After-vote phase, which includes Tally and Recover algorithms. In the Pre-vote phase, the system is initialized and the voters register to obtain the private-public key pairs. Voters put their public keys together with the zero-knowledge proof for the corresponding private keys on the blockchain. Commit is to ensure fairness. If voters skip commit part and cast their ballots directly, the last voter has the priority to access the final result ahead of schedule. In this phase, other voters cannot see the vote but only the commitment of the vote, thus, the voters need a zero-knowledge proof to prove the committed vote is in the right form. Later if the last voter refuses to vote, other voters can recover the ballot according to the commitment and get the result. In Vote phase, the voters cast their encrypted ballots. In After-vote phase, by collecting all the ballots from the blockchain, the final result can be obtained publicly by anyone. Recover is an optional phase which can be called when the last voter does not follow the rule to cast his/her ballot in the sense that the ballot can be recovered with the corresponding commitment and the help of all the other voters.

Fig. 4: The workflow of blockchain-based self-tallying voting system.

V-a Dealing with abortive issues

Basic idea. The existing approaches to deal with abortive issue are adding a recovery phase, in which the abortive users are excluded by removing their ballots, and tally the ballots from the remaining voters. However, an abort may be caused by some user knowing the unwanted result and against revealing the result. So, simply removing the votes will bring a different voting result. Thus, we modified the recovery phase in [15]. In our modification, if the last voter quits after making a commitment, then his/her ballot can be revealed according to the corresponding commitment with the cooperation of all the other voters. The detailed construction is as follows.

Setup(). On input a security parameter , and the number of voters , it initializes the system. Each voter chooses a random private key , and computes the public key . Then generates a zero-knowledge proof as ZKPoK(cf. Fig. 5). The public key and the corresponding ZKP are published to Blockchain.

Fig. 5: Zero-knowledge proof for Setup

Commit(). Before casting a ballot, each voter collects the other voters’ public key . To generate a commitment to the vote, chooses a random and publishes . makes the commitment to ensure fairness, where is the vote from {0,1} and . The voters also need to generate a zero-knowledge proof to prove that the commitment is in the right form (cf. Fig. 6) as

And then put the commitment and zero-knowledge proof on the Blockchain.

Fig. 6: Zero-knowledge proof of knowledge for Commit

Vote(). To ensure the secrecy of the vote, all voters encrypted their votes as , where . And generate a zero-knowledge proof to prove that the vote is the same as the one in the commitment. The statement (cf. Fig. 7) is

Then publish the ballot on the Blockchin.

Fig. 7: Zero-knowledge proof of knowledge for Vote

Tally(). To tally the votes, one can collect all the ballots and compute . is a small set that can be easily obtained.

Recover(). If the last voter does not cast his ballot in Vote phase, then each of the remaining voters publish a recover factor for as together with a zero-knowledge proof to prove that it is in the right form (cf. Fig. 5). The value of can be computed as . Then the value of is easy to get as there are only two candidates.

To compute the final result of the election, each remaining voter publishes , where and a ZKPoK to prove the knowledge of as in Fig. 5. Now everyone can compute the result of the remaining voters as So the final result of this election is .

We note that the proofs in Fig. 6 and Fig. 7 are three-move interactive protocols with the techniques in [32]

, which can be transformed into non-interactive protocols following Fiat-Shamir’s heuristics

[22] by setting be a hash value of a secure hash function.

V-B Dealing with adaptive issues

The adaptive issues seem inevitable in self-tallying protocols from its definition because the last voter holding the ballot has the priority to access the final results ahead of the other voters. We suggest to use time-locked primitives [35][36] to deal with the adaptive issues in voting systems. Time-lock encryption allows users to get the results only after a certain time [23][24]. Once the deadline is past, the decryption can be performed immediately. It is stated in [23] that time-locked encryption can be achieved by using a witness encryption with Blockchain as the computational reference clock. We borrow this idea in our proposed scheme by encrypting the vote with a witness encryption and the witness can be produced by Blockchain after certain time. And the blockchain can also be the computational reference clock to measure the “certain” time, say after generating several blocks. Then the votes can be decrypted once the deadline is past and thus all the voters and observers can do the tallying to get the result simultaneously.

Vi Security Proof

In this section, we show the proposed protocol satisfies all the security requirements presented in Sec. IV.

Firstly, we show the zero-knowledge proof of knowledge in Fig. 5, Fig. 6 and Fig. 7 satisfy completeness, special soundness [32, 33] and honest verifier zero-knowledge (HVZK). We show the detailed proof of Fig. 6 and omit the proofs for other Figures, as the proofs are quite similar.

Theorem 1. The proof in Fig. 6 satisfies completeness, special soundness and honest verifier zero-knowledge.

Proof. We omit the proof for completeness as it’s straightforward to verify.

The witness for the statement in is . To prove special soundness, the goal is to extract a witness from the three-move interaction with two accepting conversations in polynomial time. Given the two accepting conversations with the same values in the first round, different random numbers in the second round and different responses in the third round as and , it can be checked easily that one of the following holds or .

To prove HVZK, there exists a simulator , who is given a random , it randomly chooses , where , and computes the conversation as , which is an accepting conversation. It is indistinguishable from the one generated by the honest prover.

Next, we prove the proposed scheme is MBS secure if ZKPoK is zero-knowledge and the DDH assumption holds.

Theorem 2. If there exists an adversary that can win the guess game in MBS security model with a non-negligible advantage, then we can build an algorithm that can break the zero-knowledge of the ZKPoK and the DDH problem.

Proof. Suppose there are voters in the game. The challenger can interact with the adversary . We list a sequence of games [37] to prove Theorem 2. We denote Pr[Win] as the winning probability of an adversary (guessing correctly) in Game.

Game 0: This is the original Game defined in section IV-D. chooses two target voters to challenge upon and forwards them to . tosses a coin to decide that one of the voters from votes 1 and the other one votes 0. The reason that we do in this way is to let knows nothing even from the tally result. The one who votes 1 is denoted by . The challenges are denoted as and , where is the commitment of the vote, represents all the ZKPoK in the scheme, is the ballot, . The adversary outputs a guess , then from the definition of the MBS game, we have

Game 1. Game 1 is the same as Game 0 with one difference. runs a simulator as in Theorem 1., and replaces all the zero-knowledge proofs with the simulated proofs without using the real witness. The setting is indistinguishable from ’s view. If can distinguish between the two settings in Game 0 and Game 1 with a non-negligible advantage, then we can use the adversary to construct an algorithm to violate Zero-Knowledge of ZKPoK. Thus, the adversary’s winning probability in Game 1 satisfies the following equation.

Game 2. Game 2 is the same as Game 1 with one difference. replaces the commitment with a random number . The two settings are indistinguishable from ’s view. Specifically, generates private and public key pairs for the voters other than . Then set the public key for as , as , , where is a random number. sets Clearly, if there is a difference in the adversary’s winning probability between Game 1 and Game 2, we can use the adversary to construct an algorithm to violate DDH problem. Thus, the adversary’s winning probability in Game 2 satisfies the following equation.

Game 3. Game 3 is the same as Game 2 with one difference. replaces the commitment with some random number . Follow the same analysis as in the previous game, sets the public key of as , as , , where is a random number. sets . If there is a difference in the adversary’s winning probability between Game 2 and Game 3, we can use the adversary to construct an algorithm to violate DDH problem. Thus, the adversary’s winning probability in Game 3 satisfies the following equation.

Game 4. Game 4 is the same as Game 3 with one difference. changes the values of with two random elements and satisfying certain relation. The change is indistinguishable from ’s view under the DDH assumption. Wlog, we assume . Given the DDH instance where , sets the public key of and as and respectively. computes and as


Thus, and are two random elements satisfying . Clearly, if there is a non-negligible difference in the adversary’s winning probability between Game 3 and Game 4, we can use the adversary to construct an algorithm to solve DDH problem. Thus, the adversary’s winning probability in Game 4 satisfies the following equation.

Wrapping up. The winning probability for in Game 4 to output a correct guess is because in this game the challenges contain only random numbers, which are independent of the votes . Therefore, we can conclude that there is only a negligible difference in winning probability for an adversary between Game 0 and Game 4, if all the ZKPoKs in the scheme are zero-knowledge and DDH assumption holds. So the probability for in winning the MBS game is , where .

Now, we show the scheme satisfies fairness, self tallying and dispute freeness as well.

Fairness. Suppose voter votes for in the Commit phase and refuse to provide the vote in the Vote phase. Due to the Soundness of ZKPoK, we can guarantee that is decryptable by other voters in the Recover phase.

Self-tallying. The zero-knowledge proof of knowledge in each algorithm in the proposed protocol forces the voters to perform honestly according to the protocol. After all the voter cast the ballots, the self-tallying property is easy to verify. As in Tally algorithm, thus the self-tallying property is achieved.

Dispute freeness. For dispute freeness, again the zero-knowledge proof of knowledge in each algorithm of the proposed protocol forces the commitments and ballots are in the right form and also can be publicly verified by anyone.

Vii Implementation

In this section, we report the implementation results of the proposed construction.

In our experiment, we first implement the protocols on a laptop. For a better simulation of IoT devices, we then implement the protocols on a mobile phone, which has constrained resources. The running environment of the laptop is with Win 8 64-bit operating system and Intel Core (TM) i5-4300 @2.49GHz CPU with an 8 GB SSD. And the configuration of the phone is Android 7.1.1 operating system with Qualcomm MSSM8998 @2.45 CPU (Octa-core) and a 6 GB RAM. The projects are written in C++ language with Miracl library[38] under Visual Studio 2010 and Android Studio compiler respectively. We test the efficiency of each algorithm when the number of voters increases. The implementation results are illustrated as follows.

As we can see from both figures (Fig 8,9) that the running time of each algorithm grows almost linearly with the increase of the number of voters and the two figures have the same trend. Among the four algorithms, the most expensive one is Vote, as ZKPoK is the most complicated one among all the zero-knowledge proofs and it is dominant in Vote. The running time of Vote for 3 voters and 12 voters on laptop and phone is 5.01 ms, 12.264 ms and 21.03 ms, 49.794 ms respectively. The fastest algorithm is Tally, which is also consistent with our empirical analysis, as no zero-knowledge proof is needed and the equation to tally the votes is the product of the voters’ ballot, which is linear with the number of voters. The running time of Tally for 3 voters and 12 voters on laptop and phone is 2.02 ms, 4.076 ms and 9.52 ms, 21.714 ms respectively. For the other two algorithms, Commit and Recover, they grow linearly with the increase of the number of voters, as the computation in these two algorithms requires all the other users’ information. Thus, the more voters in the system, the more computation is needed in these two algorithms. For Commit, the running time on laptop for 3 voters and 12 voters is 3.52 ms and 13.03 ms, and it costs 6.699 ms and 26.963 ms on the phone. For Recover, the time consumption on laptop for 3 voters and 12 voters is 3.02 ms and 10.51 ms. The time consumption on phone for 3 voters and 12 voters is 6.699 ms and 26.963 ms.

Fig. 8: Simulation on laptop

Fig. 9: Simulation on Android device

Viii Conclusions

IoT is pervasive in people’s daily life. Decision making is fundamental activity in the IoT. In this paper, we integrate blockchain-based self-tallying voting systems in decentralized IoT architecture. We solve the fairness issues in self-tallying systems with two distinct mechanisms and provide a concrete construction. We prove the security of the construction and also implement it to test the efficiency of the proposed protocol.


This work was supported by National Key R&D Program of China (2017YFB0802000), National Natural Science Foundation of China ( 61872229 ), NSFC Research Fund for International Young Scientists (61750110528), National Cryptography Development Fund during the 13th Five-year Plan Period (MMJJ20170216) and Fundamental Research Funds for the Central Universities(GK201702004).


  • [1] Y. Xiao, et al., “Internet Protocol Television (IPTV): the Killer Application for the Next Generation Internet,” IEEE Communications Magazine, Vol. 45, No. 11, pp. 126 C134, Nov. 2007.
  • [2] X. Du and H. H. Chen, “Security in Wireless Sensor Networks,”?IEEE Wireless Communications Magazine, Vol. 15, Issue 4, pp. 60-66, Aug. 2008.
  • [3] X. Du, M. Guizani, Y. Xiao and H. H. Chen, Transactions papers, “A Routing-Driven Elliptic Curve Cryptography based Key Management Scheme for Heterogeneous Sensor Networks,” IEEE Transactions on Wireless Communications, Vol. 8, No. 3, pp. 1223 - 1229, March 2009.
  • [4] Y. Xiao, et al., “A Survey of Key Management Schemes in Wireless Sensor Networks,” Journal of Computer Communications, Vol. 30, Issue 11-12, pp. 2314-2341, Sept. 2007.
  • [5] X. Du, Y. Xiao, M. Guizani, and H. H. Chen, “An Effective Key Management Scheme for Heterogeneous Sensor Networks,”?Ad Hoc Networks, Elsevier, Vol. 5, Issue 1, pp 24 C34, Jan. 2007.
  • [6] X. Du and F. Lin, “Designing efficient routing protocol for heterogeneous sensor networks,” Conference Proceedings of the 2005 IEEE International Performance, Computing and Communications Conference(PCCC), Phoenix, AZ, USA, pp. 51-58.
  • [7] X. Du and D. Wu, “Adaptive Cell-Relay Routing Protocol for Mobile Ad Hoc Networks,” IEEE Transactions on Vehicular Technology, Vol. 55, Issue 1, pp. 270-277, Jan. 2006.
  • [8] X. Du, “QoS Routing Based on Multi-Class Nodes for Mobile Ad Hoc Networks,” Ad Hoc Networks, Elsevier, Vol. 2, Issue 3, pp 241 C254, July 2004.
  • [9] D. Mandala, F. Dai, X. Du, and C. You, “Load Balance and Energy Efficient Data Gathering in Wireless Sensor Networks”, MASS 2006, Vancouver, BC, Canada, 586-591.
  • [10] P. Fraga-Lamas, T. Fernandez-Carames, M. Suarez-Albela, L. Castedo, and M. Gonzalez-Lopez, “A Review on Internet of Things for Defense and Public Safety,” Sensors, vol. 16, no. 10, p. 1644, 2016.
  • [11] Al-Hamadi, Hamid, and Ray Chen. ”Trust-based decision making for health IoT systems.” IEEE Internet of Things Journal, vol. 4, no. 5 (2017): 1408-1419.
  • [12] V. Santos, J. P. Barraca, and D. Gomes. “Secure Decentralized IoT Infrastructure”. In Wireless Days, IEEE, pp. 173-175, 2017.
  • [13] I. Yaqoob, E. Ahmed, I. A. T. Hashem, A. I. A. Ahmed, A. Gani, M. Imran and M. Guizani, “Internet of things architecture: Recent advances, taxonomy, requirements, and open challenges”. IEEE wireless communications, vol. 24, no.3, pp. 10-16, 2017.
  • [14] S. Huh, S. Cho and S. Kim. “Managing IoT devices using blockchain platform.” In Advanced Communication Technology (ICACT), 2017 19th International Conference on, pp. 464-467. IEEE, 2017.
  • [15] P. McCorry, S.F. Shahandashti and F. Hao. “A smart contract for boardroom voting with maximum voter privacy”. International Conference on Financial Cryptography and Data Security. Springer, Cham, pp. 357-375, 2017.
  • [16] F. Hao, P.Y.A. Ryan and P. Zieli??ski. “Anonymous voting by two-round public discussion”. IET Information Security, vol. 4, no. 2, pp. 62-67, 2010.
  • [17] J. Groth. “Efficient maximal privacy in boardroom voting and anonymous broadcast”. In International Conference on Financial Cryptography. Springer, Berlin, Heidelberg, pp. 90-104, 2004.
  • [18] A. Kiayias and M. Yung. “Self-tallying elections and perfect ballot secrecy”. In International Workshop on Public Key Cryptography, Springer, Berlin, Heidelberg, pp. 141-158, 2002.
  • [19] D. Khader, B. Smyth, P. Ryan and F. Hao. “A fair and robust voting system by broadcast”. Lecture Notes in Informatics (LNI), Proceedings-Series of the Gesellschaft fur Informatik (GI), pp. 285-299, 2012.
  • [20] Z. Zhao, T. H. H. Chan. “How to vote privately using bitcoin”. In International Conference on Information and Communications Security. Springer, Cham, pp. 82-96 2015.
  • [21] S. Bistarelli, M. Mantilacci, P. Santancini and F. Santini. “An end-to-end voting-system based on bitcoin” In Proceedings of the Symposium on Applied Computing, pp. 1836-1841. ACM, 2017.
  • [22] A. Fiat and A. Shamir. “How to prove yourself: Practical solutions to identification and signature problems”. In Advances in Cryptology-CRYPTO’86, Springer, Berlin, Heidelberg, pp. 186-194, 1986.
  • [23] T. Jager. “How to Build Time-Lock Encryption.” IACR Cryptology ePrint Archive 2015, 478, 2015.
  • [24] J. Liu, T. Jager, S. A. Kakvi and B. Warinschi. “How to build time-lock encryption”. Designs, Codes and Cryptography, pp. 1-38, 2018.
  • [25] R. Cramer, I. Damgrd and B. Schoenmakers. “Proofs of partial knowledge and simplified design of witness hiding protocols.” In Annual International Cryptology Conference, Springer, Berlin, Heidelberg, pp. 174-187, 1994.
  • [26] J. Camenisch and M. Stadler, “Proof systems for general statements about discrete logarithms”. Technical report/Dept. of Computer Science, ETH Z??rich, 260.
  • [27] T. ElGamal. “A public key cryptosystem and a signature scheme based on discrete logarithms.” IEEE Transactions on Information Theory. vol. 3, no. 4, pp. 469-472, 1985.
  • [28] F. Brandt. “Efficient cryptographic protocol design based on distributed ElGamal encryption”. In International Conference on Information Security and Cryptology, Springer, Berlin, Heidelberg, pp. 32-47, 2005.
  • [29] T. Pedersen. “Non-interactive and information-theoretic secure verifiable secret sharing”. In J. Feigenbaum, editor, Proc. of 11th CRYPTO Conference, volume 576 of LNCS, pages 129?C140. Springer, 1991.
  • [30] J. Katz. “Digital signatures”. Springer Science and Business Media, 2010.
  • [31] Y. Takabatake, D. Kotani, and Y. Okabe. “An anonymous distributed electronic voting system using Zerocoin”. IEICE Techinical Report. vol. 54, no. 11, pp. 127-131, 2016.
  • [32] R. Cramer, I. Damgrd and B. Schoenmakers. “Proofs of partial knowledge and simplified design of witness hiding protocols”. In Annual International Cryptology Conference. Springer, Berlin, Heidelberg, pp. 174-187, 1994.
  • [33] A. De Santis, G. Di Crescenzo, G. Persiano and M. Yung. “On monotone formula closure of SZK”. In Foundations of Computer Science, 1994 Proceedings., 35th Annual Symposium on , IEEE, pp. 454-465, 1994.
  • [34] C. P. Schnorr. “Efficient signature generation by smart cards”. Journal of Cryptology, vol. 4, no.3, pp. 161?C174, 1991.
  • [35] R. L. Rivest, A. Shamir and D. A. Wagner, “Time-lock puzzles and timed-release crypto”. 1996.
  • [36] N. Bitansky, S. Goldwasser, A. Jain, O. Paneth, V. Vaikuntanathan and B. Waters. “Time-lock puzzles from randomized encodings”. In Proceedings of the 2016 ACM Conference on Innovations in Theoretical Computer Science. ACM, pp. 345-356, 2016.
  • [37] V. Shoup. Sequences of games: a tool for taming complexity in security proofs. IACR Cryptology ePrint Archive, 2004, 332.
  • [38] https://certivox.org/display/EXT/MIRACL.