Over the past few decades, we have witnessed significant advances in cryptographic voting protocols. Yet, despite all the progress, see e.g., , secure e-voting is still faced with a plethora of challenges and open questions, which largely arise as a result of the interplay between intricate properties such as vote privacy, individual and universal verifiability, receipt-freeness, and a notoriously difficult requirement, namely that of coercion-resistance. Coercion-resistance can be viewed as a stronger form of privacy that should hold even against an adversary who instructs honest parties to carry out certain computations and verifies their behavior to ensure compliance. This property is typically enforced by providing honest parties with a mechanism that allows them to either deceive the coercer or to deny having performed a particular action. Due to limited space, we do not elaborate on the long series of works in this area and instead refer the reader to [21, 12, 22, 11] and references therein for more details.
Since the breakthrough work of Gentry  on fully homomorphic encryption (FHE), there has been a surge of interest in this line of research that remains very active to this day, with a series of recent advances including, but not limited to, a homomorphic evaluation of AES . Although the use of additively or multiplicatively homomorphic cryptosystems is common place in the e-voting literature, the relevance of FHE for potentially quantum-safe secure e-voting, with better voter verifiability, was only recently discussed by Gjøsteen and Strand . In our work, instead of designing an FHE-based protocol from scratch, we apply the machinery of FHE to a well-known, classical voting scheme, in order to improve its time complexity and to replace its reliance on the hardness assumption of solving the discrete logarithm problem with a quantum-resistant solution, namely lattice-based cryptography. So far, no efficient quantum algorithms capable of breaking lattice-based FHE schemes have been discovered.
Although constructions with varying degrees of coercion-resistance do exist, the voting protocol introduced by Juels, Catalano, and Jakobsson , often referred to as the JCJ protocol, is among the most well-known solutions in the context of coercion-resistant voting schemes. JCJ provides a reasonable level of coercion-resistance using a voter credential faking mechanism, and it was arguably the first proposal with a formal definition of coercion-resistance. However, JCJ suffers from a complexity problem due to the weeding steps in its tallying phase, which are required for eliminating invalid votes and duplicates. The exhaustive, comparison-based approach of JCJ using plaintext equivalence tests (PET)  leads to a quadratic blow-up in the number of votes, which makes the tallying process rather impractical in realistic settings with a large number of voters. For instance, in the Civitas voting system  based on JCJ, voters are grouped into blocks or virtual precincts to reduce the tallying time.
Here we propose an enhancement of the JCJ protocol aimed at performing its tallying work in linear time, based on an approach that incorporates primitives from the realm of fully homomorphic encryption (FHE), which also paves the path towards making JCJ quantum-safe.
In Sect. 2, we describe the JCJ protocol and cover some related work. Next, in Sect. 3, we show how the weeding of “bad” votes can be done in linear time, with minimal change to JCJ, via an approach based on recent advances in various FHE primitives such as hashing, zero-knowledge (ZK) proofs of correct decryption, verifiable shuffles and threshold FHE. We also touch upon some of the advantages and remaining challenges of such an approach in Sect. 3.2 and in Sect. 4, we discuss further security and post-quantum considerations.
2 The JCJ Model and Voting Protocol in a Nutshell
Cryptographic Building Blocks.
JCJ relies on a modified version of ElGamal, a threshold public-key cryptosystem with re-encryption, secure under the hardness assumption of the Decisional Diffie-Hellman (DDH) problem in a multiplicative cyclic group of order . A ciphertext on message has the form for , with being the public key where , and the secret key consists of such that
. The construction allows easy sharing of the secret key in a threshold way. The weeding steps make use of a plaintext equivalence test (PET), which is carried out by the secret key holders and takes as input two ciphertexts and outputs 1 if the underlying plaintexts are equal, and 0 otherwise. The PET produces publicly verifiable evidence with negligible information leakage about plaintexts. Finally, JCJ uses non-interactive zero-knowledge (NIZK) proofs and mix-nets, which are aimed at randomly and secretly permuting and re-encrypting input ciphertexts such that output ciphertexts cannot be traced back to their corresponding ciphertexts. Throughout, it is assumed that the computations of the talliers and registrars are done in a joint, distributed threshold manner. We useto denote an element that is sampled uniformly at random.
JCJ mainly consists of three sets of agents, described as follows.
Registrars: A set of entities in charge of jointly generating and distributing credentials to voters.
Talliers: A set of authorities in charge of processing ballots, jointly counting the votes and publishing the final tally.
Voters: A set of voters, , participating in an election, where each voter is publicly identified by an index .
Bulletin Board and Candidate Slate.
A bulletin board, denoted by , is an abstraction representing a publicly accessible, append-only, but otherwise immutable board, meaning that participants can only add entries to without overwriting or erasing existing items. A candidate slate, , is an ordered set of distinct identifiers capturing voter choices. A tally is defined under slate
, as a vectorof positive integers, where each indicates the number of votes cast for choice .
Assumptions for Coercion-Resistance.
No threshold set of agents in should be corrupted, otherwise privacy is lost. In the registration phase, it is assumed that the distribution of voter credentials is done over an untappable channel and that no registration transcripts can be obtained, assuming that secure erasure is possible. Cast votes are transmitted via anonymous channels, which is a basic requirement for ruling out forced-abstention attacks.
2.1 The JCJ Protocol
Setup and Registration.
The key pairs and are generated in a trustworthy manner, and the public keys, i.e., and , are published with other public system parameters. The registrars generate and transmit to eligible voter a random string that serves as the credential of the voter. adds an encryption of , , to the voter roll , which is maintained on the bulletin board and digitally signed by .
An integrity-protected candidate slate containing the names and unique identifiers in for candidates, along with a unique, random election identifier are published by the authorities. Voter generates a ballot in the form of M-ElGamal ciphertexts , for candidate choice and voter credential , respectively, e.g., for , we have and . computes NIZK proofs of knowledge and correctness of and , collectively denoted by . These ensure non-malleability of ballots, also across elections by including
in the hash of the Fiar-Shamir heuristic.posts to via an anonymous channel.
In order to compute the tally, duplicate votes and those with invalid credentials will have to be removed. The complexity problem crops up in steps 2 and 4 such that given votes, the tallying work has a time complexity of . To tally the ballots posted to , the authority performs the following steps: 1. verifies all proofs on and discards any ballots with invalid proofs. Let and denote the list of remaining candidate choice ciphertexts, and credential ciphertexts, respectively. 2. performs pairwise PETs on all ciphertexts in and removes duplicates according to some fixed criterion such as the order of postings to . For every element removed from , the corresponding element with the same index is also removed from , resulting in the “weeded” vectors and . 3. applies a mix-net to and using the same, secret permutation, resulting in the lists of ciphertexts and . 4. applies a mix-net to the encrypted list of credentials from the voter roll and then compares each ciphertext of to the ciphertexts of using a PET. keeps a vector of all ciphertexts of for which the corresponding elements of match an element of , thus achieving the weeding of ballots with invalid voter credentials. 5. decrypts all ciphertexts in and tallies the final result.
Vote privacy is maintained as long as neither a threshold set of talliers nor all the mixing servers are corrupted. A colluding majority of talliers can obviously decrypt everything and colluding mixing authorities could trace votes back to . Regarding correctness, voters can refer to to verify that their vote has been recorded as intended and that the tally is computed correctly. Similar attacks become possible in case of collusion by a majority of authorities. As for verifiability, anyone can refer to , and to verify the correctness of the tally produced by . The coercion-resistance provided by JCJ essentially comes from keeping voter credentials hidden throughout the election. A coerced voter can then choose a random fake credential to cast a fake vote and present it as their real vote. Any vote cast with the fake credential will not be counted, and the voter can anonymously cast their real vote using their real credential.
2.2 Related Work
We focus on the most closely-related works on improving the efficiency problem of the tallying work in JCJ. Smith  and Weber et al. [30, 29] follow a similar approach in that they do away with comparisons using PETs, and instead, they raise the credentials to a jointly -shared secret value and store these blinded terms in a hash table such that collisions can be found in linear time. The use of a single exponent means that a coercer can test if the voter has provided them with a fake or a real credential by submitting a ballot with the given credential and another with the credential raised to a known random value. In [4, 5], Araujo et al. move away from comparing entries in with terms in the cast ballots to a setting in which duplicates are publicly identifiable and a majority of talliers use their private keys to identify legitimate votes, and in  the authors use algebraic MACs. Spycher et al.  use the same solution proposed by Smith and Weber to remove duplicates and apply targeted PETs only to terms in and , identified via additional information provided by voters linking their vote to the right entry in . In , publicly auditable conditional blind signatures are used to achieve coercion-resistance in linear time using a FOO-like  architecture, the downsides being the need for extra authorization requests for participation privacy and a double use of anonymous channels.
3 JCJ in Linear Time via Fully Homomorphic Encryption
Our proposal revolves around replacing the original cryptosystem of JCJ with a fully homomorphic one, thus allowing us to preserve the original design of JCJ. The main idea is to homomorphically evaluate hashes of the underlying plaintext of the FHE-encrypted voter credentials, perform FHE-decryption and post the hash values of the credentials to the bulletin board . Now the elimination of invalid and duplicate entries can be done in linear time by using a hash table.
Constrained by limited space, we only enumerate the cryptographic primitives that will be required for the enhancement suggested below and refer the reader to the cited sources for further details. Let denote an FHE-encryption of a message under the public key . At its core, for , given and , FHE allows us to compute and by working over ciphertexts alone, without having access to the secret key, thus enabling the homomorphic evaluation of any boolean circuit, i.e., computing from for any computable function . We make use of FHE [15, 7], fully homomorphic hashing , zero-knowledge proofs of correct decryption for FHE ciphertexts , verifiable shuffles  and threshold FHE , see Sect. 3.2 for more details on open questions and the state-of-the-art.
3.1 Enhancing JCJ with FHE and Weeding in Linear Time
We now describe how FHE primitives can be incorporated into JCJ while inducing minimal change in the original protocol. We assume threshold FHE throughout.
Setup and Registration.
The setup and registration phases remain unchanged w.r.t. JCJ, except that now adds an FHE-encryption of , , to the voter roll . We adopt the same assumptions mentioned earlier in Sect. 2.
Instead of using ElGamal encryption, the credentials posted on the are encrypted under some FHE scheme, say BGV , with a key pair . Each voter adds , along with the required NIZK proofs, to .
The tallying phase remains largely the same except that for removing duplicates and invalid votes, we leverage our use of FHE to carry out simple equality tests between hash digests of credentials. Since the concealed credentials are now stored in FHE ciphertexts, we can process them using an FHE hashing circuit. More precisely, for a jointly created -shared key , published under encryption , the credentials contained in the FHE-encrypted terms are homomorphically hashed (see  by Fiore, Gennaro and Pastro and  by Catalano et al.), under key resulting in , such that upon decryption we obtain . A ZK proof of correct decryption is also posted to for verifiability, see  by Carr et al. for an approach to this. Once the hash values of the credentials are posted on the , the weeding of duplicates can be done in using a simple hash table look-up, i.e., iterate, hash and check for collision in constant time, thus an overall linear-time complexity in the number of votes. Next, the registered credentials and the submitted vote/credential pairs are mixed  and the homomorphic hashing procedure is carried out again using a new secret key on all credential ciphertexts. Comparing the hashed registered credentials with those from the cast ballots allows us to remove invalid votes in . Finally, the remaining valid votes are verifiably decrypted.
3.2 Advantages, Potential Pitfalls and Open Questions
Apart from the linear-time weeding algorithm, as already pointed out by Gjøsteen and Strand in , in addition to being a novel application of FHE to secure e-voting, obtaining better voter verifiability and a scheme believed to be quantum-resistant are among the noteworthy benefits of such an approach. Clearly, in terms of real world FHE implementations, the state-of-the-art still suffers from efficiency issues. However, some significant progress has already been made in this area, e.g., the homomorphic evaluation of AES  or block ciphers designed for homomorphic evaluation . Moreover, it should be pointed out that some of the needed primitives, e.g., turning ZK proofs of correct decryption for FHE [8, 23] into NIZK proofs, are still not satisfactory and remain the subject of ongoing research and future improvements.
4 Further Security Remarks
Although we leave proofs for an extended version, security against classical adversaries can be shown in the same random oracle (RO) model. The plaintext proofs of knowledge and hashes amount to preimage guessing as the best adversarial strategy. Post-quantum security will have to be shown in the quantum RO model.
Assuming a majority of colluding authorities, apart from a compromise of vote privacy, another, perhaps more damaging problem with JCJ and its improved variants is that of eligibility verifiability. A colluding majority would be able to retrieve voter credentials and submit valid votes for non-participating voters, i.e., perform ballot stuffing. A solution in  suggests performing the registration phase in such a way that only the voter would know the discrete logarithm of their credential. Votes are then cast with an anonymous signature in the form of a ZK proof of knowledge of the discrete logarithm of the encrypted credential, thus preventing ballot stuffing. A similar approach could be used here, with the potential downside of having inefficient proofs and a discrete logarithm hardness assumption, thus not being quantum secure.
For a relaxation of the trustworthiness assumption of , without assuming secure erasure, quantum-resistant designated verifier proofs [28, 20] could replace the classical ones suggested in the original JCJ . To obtain post-quantum security for eligibility verifiability, future research will investigate the use of a quantum-resistant signature scheme that can be evaluated under FHE to preserve ballot anonymity. As a naive, but illustrative example that is one-time only and non-distributive, consider that the voter creates their credential as , and that only the voter knows the preimage . The voter now submits both and to . Before weeding, the hash is homomorphically evaluated on the ciphertext of the preimage, i.e., , followed by an equality test against the ciphertext of the credential . A malicious authority can now cast only a valid ballot with a registered credential after the corresponding voter has cast a ballot, and an attempt to vote on their behalf is detectable in the weeding phase.
-  Adida, B.: Helios: Web-based open-audit voting. In: USENIX security symposium. vol. 17, pp. 335–348 (2008)
-  Albrecht, M.R., Rechberger, C., Schneider, T., Tiessen, T., Zohner, M.: Ciphers for MPC and FHE. In: EUROCRYPT 2015 - International Conference on the Theory and Applications of Cryptographic Techniques. pp. 430–454. Springer (2015)
-  Araújo, R., Barki, A., Brunet, S., Traoré, J.: Remote electronic voting can be efficient, verifiable and coercion-resistant. In: International Conference on Financial Cryptography and Data Security. pp. 224–232. Springer (2016)
-  Araújo, R., Foulle, S., Traoré, J.: A practical and secure coercion-resistant scheme for remote elections. In: Dagstuhl Seminar Proceedings. Schloss Dagstuhl-Leibniz-Zentrum für Informatik (2008)
-  Araújo, R., Rajeb, N.B., Robbana, R., Traoré, J., Youssfi, S.: Towards practical and secure coercion-resistant electronic elections. In: International Conference on Cryptology and Network Security. pp. 278–297. Springer (2010)
-  Boneh, D., Gennaro, R., Goldfeder, S., Jain, A., Kim, S., Rasmussen, P.M., Sahai, A.: Threshold cryptosystems from threshold fully homomorphic encryption. In: Annual International Cryptology Conference. pp. 565–596. Springer (2018)
-  Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (leveled) fully homomorphic encryption without bootstrapping. ACM Transactions on Computation Theory 6(3), 13 (2014)
-  Carr, C., Costache, A., Davies, G.T., Gjøsteen, K., Strand, M.: Zero-knowledge proof of decryption for FHE ciphertexts. IACR Cryptology ePrint Archive 2018, 26 (2018), http://eprint.iacr.org/2018/026
-  Catalano, D., Marcedone, A., Puglisi, O.: Authenticating computation on groups: New homomorphic primitives and applications. In: International Conference on the Theory and Application of Cryptology and Information Security. pp. 193–212. Springer (2014)
-  Clarkson, M.R., Chong, S., Myers, A.C.: Civitas: Toward a secure voting system. In: IEEE Symposium on Security and Privacy, 2008. pp. 354–368. IEEE (2008)
-  Cortier, V., Galindo, D., Küsters, R., Mueller, J., Truderung, T.: Sok: Verifiability notions for e-voting protocols. In: Security and Privacy (SP), 2016 IEEE Symposium on. pp. 779–798. IEEE (2016)
-  Delaune, S., Kremer, S., Ryan, M.: Coercion-resistance and receipt-freeness in electronic voting. In: Computer Security Foundations Workshop, 2006. 19th IEEE. pp. 12–pp. IEEE (2006)
-  Fiore, D., Gennaro, R., Pastro, V.: Efficiently verifiable computation on encrypted data. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security. pp. 844–855. ACM (2014)
-  Fujioka, A., Okamoto, T., Ohta, K.: A practical secret voting scheme for large scale elections. In: International Workshop on the Theory and Application of Cryptographic Techniques. pp. 244–251. Springer (1992)
Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Proceedings of the 41st annual ACM symposium on Symposium on theory of computing-STOC’09. pp. 169–169. ACM Press (2009)
-  Gentry, C., Halevi, S., Smart, N.P.: Homomorphic evaluation of the aes circuit. In: Advances in Cryptology–CRYPTO 2012, pp. 850–867. Springer (2012)
-  Gjøsteen, K., Strand, M.: A roadmap to fully homomorphic elections: Stronger security, better verifiability. In: International Conference on Financial Cryptography and Data Security. pp. 404–418. Springer (2017)
-  Grontas, P., Pagourtzis, A., Zacharakis, A., Zhang, B.: Towards everlasting privacy and efficient coercion resistance in remote electronic voting. IACR Cryptology ePrint Archive 2018, 215 (2018)
-  Jakobsson, M., Juels, A.: Mix and match: Secure function evaluation via ciphertexts. In: International Conference on the Theory and Application of Cryptology and Information Security. pp. 162–177. Springer (2000)
-  Jao, D., Soukharev, V.: Isogeny-based quantum-resistant undeniable signatures. In: International Workshop on Post-Quantum Cryptography. pp. 160–179. Springer (2014)
-  Juels, A., Catalano, D., Jakobsson, M.: Coercion-resistant electronic elections. In: Proceedings of the 2005 ACM workshop on Privacy in the electronic society. pp. 61–70. ACM (2005)
-  Küsters, R., Truderung, T., Vogt, A.: A game-based definition of coercion resistance and its applications 1. Journal of Computer Security 20(6), 709–764 (2012)
-  Luo, F., Wang, K.: Verifiable decryption for fully homomorphic encryption. In: International Conference on Information Security. pp. 347–365. Springer (2018)
-  Roenne, P.B.: JCJ with improved verifiability guarantees. In: The International Conference on Electronic Voting E-Vote-ID 2016 (2016)
-  Smith, D.: New cryptographic voting schemes with best-known theoretical properties. In: Workshop on Frontiers in Electronic Elections (2005)
-  Spycher, O., Koenig, R., Haenni, R., Schläpfer, M.: A new approach towards coercion-resistant remote e-voting in linear time. In: International Conference on Financial Cryptography and Data Security. pp. 182–189. Springer (2011)
-  Strand, M.: A verifiable shuffle for the GSW cryptosystem. IACR Cryptology ePrint Archive 2018, 27 (2018), http://eprint.iacr.org/2018/027
-  Sun, X., Tian, H., Wang, Y.: Toward quantum-resistant strong designated verifier signature from isogenies. In: Intelligent Networking and Collaborative Systems (INCoS), 2012 4th International Conference on. pp. 292–296. IEEE (2012)
-  Weber, S.G.: Coercion-Resistant Cryptographic Voting: Implementing Free and Secret Electronic Elections. VDM Publishing (2008)
-  Weber, S.G., Araujo, R., Buchmann, J.: On coercion-resistant electronic elections with linear work. In: Availability, Reliability and Security, 2007. ARES 2007. The Second International Conference on. pp. 908–916. IEEE (2007)