Towards Better Privacy-preserving Electronic Voting System

1 Introduction

Voting is an essential element of the current social and political systems. Individual voting result is a personal privacy which voters may be unwilling to release publicly, especially to the supports of the lost candidate or proposal. The prevailing of electronic voting systems with tracable electronic traces increase the concern of privacy disclosure.

Currently there are many popular privacy-preserving techniques, such as multi-party computation and differential privacy. However, in real-world voting, the security of the former methods relies on splitting an authority into multi-parties, which usually lacks effective supervisions. Meanwhile, The decision-making of a voting process is threshold-based. Therefore, it is hard to deploy differential privacy-based methods, which requires a less sensitive information accuracy of individual votes.

In this paper, we present two approaches towards privacy-preserving electronic voting system. The first approach is a blind signature based voting (BSV), where we apply blind signature to ensure each vote only comes from eligible voters and the government is not able to access the content. The second approach is homomorphic encryption based voting (HEV), where we use homomorphic encryption to calculate the encrypted votes directly and hide individual votes. We also update HEV into homomorphic encryption voting with sampling (HEVS), which has resistance on malicious voters involved who try to ruin the result.

We explain the background and our threat models in Section 2. In Section 3 we briefly discuss our two protocols. We show possible loopholes for both of the approaches and possible solutions in Section 4. And we demonstrate and explain our experiment results in Section 5.

2 Background

In our setting, voting consists of at least two parties: voters and the government. Voters are the main content of voting who submit ballots. The government is the authority determining the eligibility of voters, counting ballots, and publishing the results. We assume that government is able to identify all eligible voters and ignores the votes from any other ineligible voters.

Privacy-preserving voting aims at protecting voters’ voting result(e.g. for or against) from any others, including the government. The government gets the overall result only, instead of individual results.

Our voting environment is electronic, where voters and the government communicate through electronic devices¹¹1computers, databases, etc.. During the communication, everything, including ballots, can be recorded. Thus, anyone who has recorded individual data can never revealed the result of its vote.

Threat Models

Our solution assumes two levels of adversaries: semi-honest voters and semi-honest government will cooperate together to get information but do not deviate from the protocol specification; malicious voters and malicious government may arbitrarily deviate from the protocol execution and do whatever they want.

Before we introduce our protocol, we argue that both of our protocols are privacy-preserving under two levels of adversaries. However, there are ways for malicious adversaries to halt the whole process. We provide combats in Section 4

3 Two Privacy-preserving Approaches

3.1 Blind Signature Based Voting

Blind signature is a form of digital signature where messages are signed without revealing the content to the signer [chaum1983blind]. The message is blinded using a secret blinding factor from the user prior to the signature. The signer generates a signature for the blinded message. Then the user uses the blinding factor to unblind the message and the signature, resulting in the original message with a legitimate signature. Throughout the process, the signer has no knowledge about the message without accessing the blinding factor. Blind signature is supported by many cryptographic algorithms including RSA and Elliptic Curve.

Protocol Blind Signature Voting (BSV)

Notation.
$V = {V_{1}, V_{2}, . . . V_{i}, . . . V_{n}}$ is the group of eligible voters. $\forall i \in {1, 2, . . . n}$ , voter $V_{i}$ holds a vote $m_{i}$ .
$G t$ denoted the government who can identify these $n$ voters.
$B$ denoted a decentralized blockchain.
Protocol detail in appendix A

In Protocol A, every voter do a blind signature protocol with the government. Then voters publish their unblinded vote with the signature of the government to a blockchain through some anonymous channel. The blockchain is used $B$ to make the published ballots unmodifiable. After a period of time, $B$ stop collecting ballots and anyone can check the blockchain to know the voting result.

There are many projects of secure voting system using blind signature and blockchain [8726645] [liu2017voting].

3.2 Homomorphic Encryption Based Voting

Homomorphic encryption is a cryptographic tool of encryption model that allows computation on ciphertexts [gentry2009fully]. To achieve a privacy preserving electronic voting system, encryption of ballots is needed. And the ballot counting is an additive computation. Therefore, homomorphic encryption can be used to compute ciphertexts ²²2the ballots directly, with every ballot encrypted, which inherently protects voters’ privacy. Moreover, additive homomorphic encryption is the only encryption involved.

In Protocol B, we use a modified version of Elgamal encryption with threshold decryption [10.1007/3-540-39568-7_2]. Specifically, eligible voters generate secret key pieces $s K_{i}$ and use them to generate a public key $p K$ with the cooperation of the government $G t$ . Then voters use the public key to submit their vote, $0$ or $1$ . The government aggregates the encrypted result and starts a threshold decryption to decrypt the aggregated result. During the entire process, the individual secret key $s K_{i}$ is not exposed to anyone. Therefore, individual result is safe and private in all circumstances.

Protocol Homomorphic Encryption Voting (HEV)

Notation.
$V = {V_{1}, V_{2}, . . . V_{i}, . . . V_{n}}$ is the group of eligible voters. $\forall i \in {1, 2, . . . n}$ , voter $V_{i}$ holds a vote $v_{i} \in {0, 1}$ .
$G t$ denoted the government who can identify these $n$ voters.
$G$ is a cyclic group of order $q$ with generator $g$ .
$o$ is the aggregated result from $G t$ .
Protocol detail in appendix B

Theorem 3.1.

If the protocol is strictly followed, $o = g^{\sum_{i = 1}^{n} v_{i}}$ (Proof in appendix C).

After the threshold decryption 5, the government collects the result $o = g^{\sum_{i = 1}^{n} v_{i}}$ , and what we want is $\sum_{i = 1}^{n} v_{i}$ . As a discrete log problem, this is a $n$ -bounded problem. However, the result can be verified by matching the result with $g^{0}, g^{1}, g^{2}, . . ., g^{n}$ . Generally, $n$ is bounded by the population, and the computation and comparison can be paralleled. Thus the result $\sum_{i = 1}^{n} v_{i}$ can be retrieved with reasonable cost.

4 Discussion and Improvements

In this section we address potential issues in the design and possible solutions.

4.1 Potential Attacks on BSV

Traffic Analysis

In BSV protocol, the voter have to publish the ballot to the block chain for it to be counted. This creates the risk of traffic analysis which an adversary can correlate the ballot with the voter by monitoring the network traffic from the voter to the blockchain. There are several ways to evade such attack. A Mixnet system can be used in conjunction with the blockchain. Using DC-net system can achieve similar effect but its limited through put make it less suitable for large scale voting. To further increase the anonymity set, one can designate all ballots to be casted in a certain period of time to ensure that there would be a sufficient number of voters posting their ballot at any moment. Depending on the implementation, the voting authority

G

can reveal the voter’s identities through timing analysis if the ballots are casted immediately after the voters request signatures from

G

. Thus it is recommended to introduce a large, random delay between the signing and posting of the ballot. This can be done by making the ballot signing timeframe and voting timeframe non-overlapping.

4.2 Potential Attacks on HEV

The stability of homomorphic encryption voting protocol relies on the honesty of all parties involved. The design of HEV protects the privacy of voters against dishonest authority. On the other hand, the voting result can be easily invalidated by repeated voting from malicious voters. The tentative combats on these threats are explained in the following.

Extra Votes

In the basic encryption setting, each individual voter is supposed to encrypt $0$ for against and $1$ for support. However, theoretically, voters are free to encrypt other numbers like $2$ or $3$ to earn extra votes. For example, with a voter group of 3, $V_{1}$ encrypted 3 in its voting message would dominate the aggregated result if all the other voters are honest. Since the message is encrypted by individual voters, there is no way for the government to tract this kind of cheating.

One way to combat this is to add a zero-knowledge proof on top of the voting procedure to prove that the voter is really sending a $0$ or $1$ instead of other invalid numbers. To make the failing probability negligible, multiple tests of zero-knowledge proof are needed, in the cost of extra network traffic.

Cooperation Interruption

The original HEV requires all voters to remain cooperative through the entire protocol. However, this may not hold due to various active and passive actions. For instance, voters turn offline after voting submissions and during threshold decryption (one potential reason is the network disconnetion). Moreover, some voters can decide to not send the decryption result in threshold decryption or even send something random instead of $_{i} = {X_{R}}^{s K_{i}}$ . The final result is hard to obtain in either way (or being inaccurate) because the government requires decryption results from all voters to compute $W$ . We believe a stochastic approach in the protocol helps mitigate the interruption effects.

Assumption

For simplicity, we assume that malicious voters behave like honest voters and vote against ( $0$ ) before threshold decryption but interrupt the cooperation in threshold decryption by providing fake data (instead of using their own secret keys). We also assume that the result becomes unreliable if any malicious voters are involved in the communication. If the result we get matches the result with same group of voters and all being honest, it is considered as reliable.

Partial Public Key Generation

A primary solution is based on partial public key generation. Specifically, the public key generated only relies on a sampled subset of the voter group, instead of the entire group as in the original HEV protocol. To achieve this, the government randomly samples $t$ public key pieces from $n$ pieces collected from $n$ voters, and generates the public key only based those $t$ pieces. Therefore, even though there are $m$ voters being interrupted, the probability of having a reliable result is $P = \frac{(\frac{n - m}{t})}{(\frac{n}{t})}$ . For instance, when $n = 50$ , $m = 5$ ( $\frac{m}{n} = 0.1$ ), on expectation $t = \frac{n}{2} = 25$ , $P = 0.025$ , which means even if malicious voters are not majority, the probability of getting a reliable result is almost $0$ .

K-Sampling

To improve the performance of the HEV protocol with sampling, we can upgrade the primary solution. In Protocol 4, instead of sampling once and generate one public key, $G t$ samples $k$ times and generates $k$ public keys. After the threshold decryption $G t$ gets $k$ results, then mode is selected as the final result. We argue that if the honest voters are the majority, there are ways to get reliable result with almost $100 %$ probability by adjusting the parameter $k$ .

Protocol 1 HEV with Sampling
Additional Notations. $k$ is the total number times of sampling $G t$ does, also being the number of public key pieces $p K$ uses
$t_{j} \in {t_{1}, t_{2}, . . ., t_{k}}$ is the number of keys chosen from voters in the $j$ -th sampling (with replacement).
${p K_{1}^{(j)}, p K_{2}^{(j)}, . . ., p K_{t_{j}}^{(j)}}$ is the set of chosen public key pieces in the $j$ -th sampling, where $p K_{t_{m}}^{(j)}$ , $p K_{t_{n}}^{(j)}$ can equal for some $m, n$ .
Procedure: Public Key Generation : Same as Protocol B Public Key Broadcast Receiving all public key pieces ${p K_{i}}$ , $i \in {1, 2, . . . n}$ . $G t$ randomly picks $t_{j}$ pieces ${p K_{1}^{(j)}, p K_{2}^{(j)}, . . ., p K_{t_{j}}^{(j)}}$ where $p K_{t_{j}}^{(j)} \in {p K_{i}}$ $G t$ computes the $j$ -th public key $p K^{(j)} = Π_{m = 1}^{t_{j}} p K_{m}^{(j)}$ $G t$ repeats 2b - 2c $k$ times, generating ${p K^{(1)}, p K^{(2)}, . . ., p K^{(k)}}$ $G t$ broadcasts $(p K^{(1)}, p K^{(2)}, . . ., p K^{(k)})$ to all members of $V$ . Vote Delivery Same as Protocol 2. for each $p K^{(j)}, j \in {1, 2, . . ., k}$ , the corresponding vote for $p K^{(j)}$ is $(X_{i}^{(j)}, Y_{i}^{(j)})$ Each $V_{i}$ sends all $(X_{i}^{(j)}, Y_{i}^{(j)})$ to $G t$ . Vote Aggregation $G t$ calculates $(X_{R}^{(j)}, Y_{R}^{(j)}) = (Π_{i = 1}^{R} X_{i}^{(j)}, Π_{i = 1}^{R} Y_{i}^{(j)})$ for each pair of $(X_{i}^{(j)}, Y_{i}^{(j)})$ as in Protocol 4. $G t$ generates ${(X_{R}^{(j)}, Y_{R}^{(j)})}, j \in {1, 2, . . ., k}$ . Threshold Decryption $G t$ sends all $(X_{R}^{(j)}, Y_{R}^{(j)}, d)$ to $V$ where $d$ indicates pending decryption action from $V_{i}$ . Each $V_{i}$ sends $({^X}_{i}^{(j)}, Y_{R}^{(j)}) = ({X_{R}^{(j)}}^{s K_{i}}, Y_{R}^{(j)})$ to $G t$ as in Protocol 2.5 For each $({^X}_{i}^{(j)}, Y_{R}^{(j)})$ , $G t$ computes $W^{(j)} = Π_{q = 1}^{t_{j}} {^X}_{q}^{(j)}$ , where he only multiplies the voters’ feedback if $V_{i}$ is involved in the sampling and computation of $p K^{(j)}$ , then he compute $o^{(j)} = Y_{R} / W$ $G t$ gets ${o^{(1)}, o^{(2)}, . . ., o^{(k)}}$ , then he picks the Mode as the final result.

Theorem 4.1.

If there are more (semi-)honest voters than malicious voters, the Mode of ${o^{(1)}, o^{(2)}, . . ., o^{(k)}}$ is the reliable result.

Proof.

Instead of a rigorous proof, we present idea of the proof.

According to assumption 4, if the $j$ -th sampling contains honest voters only, then the result is reliable; otherwise, if the $j$ -th sampling contains any number malicious voter, we assume the result is unreliable (We ignore fake positive cases³³3For example, two malicious voters occasionally do the decryption for each other.). The idea is that, even if the same malicious voter participated in two generation steps of public keys $p K^{(e)}$ and $p K^{(f)}$ and the corresponding fake threshold decryption responses $({^X}_{i}^{(e)}, Y_{R}^{(e)})$ and $({^X}_{i}^{(f)}, Y_{R}^{(f)})$ are identical. Since $\sum r^{(e)}$ and $\sum r^{(f)}$ are different, their result $o^{(e)}$ and $o^{(f)}$ map to two different elements in the group $G$ :

Suppose $({^X}_{i}^{(e)}, Y_{R}^{(e)}) = ({X_{R}^{(e)}}^{r d}, Y_{R}^{(e)})$ and $({^X}_{i}^{(f)}, Y_{R}^{(f)}) = ({X_{R}^{(f)}}^{r d}, Y_{R}^{(f)})$ , where $r d$ is a random number, then the two results don’t equal.

o^{(e)} = \frac{(g^{{s K}^{(e)}})^{\sum r^{(e)}} \cdot g^{\sum v}}{(g^{{s K}^{(e)} - r d})^{\sum r^{(e)}}} \neq o^{(f)} = \frac{(g^{{s K}^{(f)}})^{\sum r^{(f)}} \cdot g^{\sum v}}{(g^{{s K}^{(f)} - r d})^{\sum r^{(f)}}}

Thus we can assume that the results of different failing sampling groups (results are unreliable) are different. If you have the same results, there is negligible probability that they are related to malicious voters. Thus, even two or three consistent results can be considered as the reliable result. Therefore choosing the Mode of ${o^{(1)}, o^{(2)}, . . ., o^{(k)}}$ is a reliable result. ∎

5 Experimental Results

According to our assumption 4 and Theorem 4.1, we simulate experiments based on the number of voters $n$ , the probability that a voter is malicious $p_{f a i l}$ , and the number of sampling $k$ . Figure 1 shows the performance of getting at least two consistent results and Figure 2 shows the performance of getting at least three consistent results. The result is averaged from $3$ random seeds. Our protocol achieves almost $100 %$ accuracy for no more than $500$ voters when $p_{f a i l} = 0.01$ when sampling more than $6$ times. The protocol is almost accurate for no more than $200$ voters when $p_{f a i l} = 0.1$ if sampling more than $16$ times, which improves the performance of almost zero for the primary solution instance. For more than half malicious voters, the protocol doesn’t remain effectiveness.

6 Conclusion

This work provides two approaches for privacy-preserving electronic voting system. Both of them are privacy preserving under semi-honest government. The BSV protocol widely accepted in current literature, which is stable under semi-honest and malicious voters. The HEV protocol is stable under semi-honest voter and the updated HEVS provides stability under malicious voters. There is no solution for a malicious government who rejects all communications.

References

Appendix A Protocol BSV

Protocol 2 Blind Signature Voting (BSV)
Notation. $V = {V_{1}, V_{2}, . . . V_{i}, . . . V_{n}}$ is the group of eligible voters. $\forall i \in {1, 2, . . . n}$ , voter $V_{i}$ holds a vote $m_{i}$ . $G t$ denoted the government who can identify these $n$ voters.
$B$ denoted a decentralized blockchain
Objective. Parties jointly compute $\sum_{i = 1}^{n} v_{i}$ without revealing any $v_{i}$ .
Procedure: Public Key Generation $G t$ generates a public key $p K$ and private key $s K$ . $G t$ announces $p K$ to the public. Ballot Blinding Each voter generates a ballot in the form of $(m_{i}, r)$ , where $m_{i}$ is the ballot content and $r$ is a large randomly generated number. Through a secret blinding factor $b$ , each voter blinds the ballot into $(m_{i}, r)^{'}$ and sends it to $G t$ . Signature After verifying the voter’s eligibility, $G$ produces signatures $s^{'}$ on the blinded ballots $(m_{i}, r)^{'}$ and sends $s^{'}$ back to the voters. Ballot Unblinding Using the blinding factor $b$ , each voter unblinds $s^{'}$ into $s$ , where $s$ equals $s i g ((m, r))$ . The voters send the signed ballot $(m, r, s)$ to the blockchain $B$ . Ballot Verification $B$ accept a given ballot $(m, r, s)$ if and only if: The signature $s$ can be verified with $p K$ . The random number $r$ in $(m, r, s)$ did not appear in any of the previous ballots.

Appendix B Protocol HEV

Protocol 3 Homomorphic Encryption Voting (HEV)
Notation. $V = {V_{1}, V_{2}, . . . V_{i}, . . . V_{n}}$ is the group of eligible voters. $\forall i \in {1, 2, . . . n}$ , voter $V_{i}$ holds a vote $v_{i} \in {0, 1}$ . $G t$ denoted the government who can identify these $n$ voters.
$G$ is a cyclic group of order $q$ with generator $g$ .
$o$ is the aggregated result from $G t$ .
Objective. Parties jointly compute $\sum_{i = 1}^{n} v_{i}$ without revealing any $v_{i}$ .
Procedure: Public Key Generation Each voter $V_{i}$ chooses a random number $s K_{i}$ from ${1, 2, . . ., q - 1}$ . Each voter $V_{i}$ computes public key piece $p K_{i} = g^{s K_{i}}$ and send it to $G$ . Public Key Broadcast After receiving all the $p K_{i}$ ( $i \in {1, 2, . . . n}$ ), $G t$ computes the public key $p K = Π_{i = 1}^{n} p K_{i}$ $G t$ broadcasts $p K$ to all members of $V$ . Vote Delivery After receiving $p K$ , each voter $V_{i}$ generates a random number $r_{i}$ from $G$ , and computes $X_{i} = g^{r_{i}}$ , $Y_{i} = p K^{r_{i}} \cdot g^{v_{i}}$ . Each $V_{i}$ sends $(X_{i}, Y_{i})$ to $G t$ . Vote Aggregation $G t$ calculates $(X_{R}, Y_{R}) = (Π_{i = 1}^{R} X_{i}, Π_{i = 1}^{R} Y_{i})$ . with $R$ is the number of votes received. the computing stops when $R$ equals to $n$ . Threshold Decryption $G t$ sends $(X_{R}, Y_{R}, d)$ to $V$ where $d$ indicates pending decryption action from $V_{i}$ . Each $V_{i}$ sends $(_{i}, Y_{R}) = ({X_{R}}^{s K_{i}}, Y_{R})$ to $G t$ ( $V_{i}$ can first check whether the received $(X_{R}, Y_{R})$ equals $(X_{i}, Y_{i})$ , if so, he refuses to decrypt.) After receiving all the $(_{i}, Y_{R})$ , $G t$ computes $W = Π_{i = 1}^{n}_{i}$ , then he compute $o = Y_{R} / W$

Appendix C Proof of Theorem 3.1

Proof.

	$W = Π_{i = 1}^{n}_{i}$	$= Π_{i = 1}^{n} {X_{R}}^{s K_{i}}$
		$= X_{R}^{\sum_{i = 1}^{n} s K_{i}}$
		$= (Π_{i = 1}^{R} X_{i})^{\sum_{i = 1}^{n} s K_{i}}$
		$= (Π_{i = 1}^{R} g^{r_{i}})^{\sum_{i = 1}^{n} s K_{i}}$
		$= (g^{\sum_{i = 1}^{R} r_{i}})^{\sum_{i = 1}^{n} s K_{i}}$

	$Y_{R}$	$= Π_{i = 1}^{R} Y_{i}$
		$= Π_{i = 1}^{R} p K^{r_{i}} \cdot g^{v_{i}}$
		$= (p K^{\sum_{i = 1}^{n} r_{i}}) \cdot g^{\sum_{i = 1}^{R} v_{i}}$
		$= [(Π_{i = 1}^{n} p K_{i})^{\sum_{i = 1}^{n} r_{i}}] \cdot g^{\sum_{i = 1}^{R} v_{i}}$
		$= [(Π_{i = 1}^{n} g^{s K_{i}})^{\sum_{i = 1}^{n} r_{i}}] \cdot g^{\sum_{i = 1}^{R} v_{i}}$
		$= [(g^{\sum_{i = 1}^{n} s K_{i}})^{\sum_{i = 1}^{n} r_{i}}] \cdot g^{\sum_{i = 1}^{R} v_{i}}$
		$= W \cdot g^{\sum_{i = 1}^{R} v_{i}}$

Then $o = Y_{R} / W = g^{\sum_{i = 1}^{n} v_{i}}$ if $R = n$

∎

Towards Better Privacy-preserving Electronic Voting System

SBvote: Scalable Self-Tallying Blockchain-Based Voting

Zecale: Reconciling Privacy and Scalability on Ethereum

E-voting System Using Homomorphic Encryption and Blockchain Technology to Encrypt Voter Data

A privacy-preserving, decentralized and functional Bitcoin e-voting protocol

Aicyber's System for NLPCC 2017 Shared Task 2: Voting of Baselines

VoteAgain: A scalable coercion-resistant voting system

How Private Is Your Voting? A Framework for Comparing the Privacy of Voting Mechanisms

1 Introduction