Journal of Network and Computer Applications 36 (2013) 378–387

Contents lists available at SciVerse ScienceDirect

Journal of Network and Computer Applications

journal homepage: www.elsevier.com/locate/jnca

Practical Internet voting system

Xun Yi a,n, Eiji Okamoto b
a
School of Engineering and Science, Victoria University, Melbourne, VIC 8001, Australia
b
Department of Risk Engineering, University of Tsukuba, Tsukuba, Ibaraki 305-8573, Japan

a r t i c l e i n f o a b s t r a c t

Article history: Recently, Internet voting systems have gained popularity and have been used for government elections
Received 14 December 2011 and referendums in the United Kingdom, Estonia and Switzerland as well as municipal elections in
Accepted 24 May 2012 Canada and party primary elections in the United States and France. Current Internet voting systems
Available online 17 June 2012
assume either the voter’s personal computer is trusted or the voter is not physically coerced. In this
Keywords: paper, we present an Internet voting system, in which the voter’s choice remains secret even if the
Internet voting voter’s personal computer is infected by malware or the voter is physically controlled by the adversary.
Coercion-resistance In order to analyze security of our system, we give a formal definition of coercion-resistance, and
Malware provide security proof that our system is coercion-resistant. In particular, our system can achieve
Homomorphic encryption
absolute verifiability even if all election authorities are corrupt. Based on homomorphic encryption, the
overhead for tallying in our system is linear in the number of voters. Thus, our system is practical for
elections at a large scale, such as general elections.
& 2012 Elsevier Ltd. All rights reserved.

1. Introduction
Essentially, an electronic voting system can be envisioned as a
decryption network composed of a collection of election autho-
rities. The network takes as input a collection of encrypted ballots
(posted publicly by voters) in one end and outputs in another end
the tally of votes (posted publicly by the authorities) with a
mathematical proof that the encrypted ballots were decrypted
properly and that the votes were unmodified. Informally, an
electronic voting system achieves integrity if any voter can verify
that her ballot is included unmodified in a collection of ballots,
and the public can verify that the collection of ballots produces
the correct final tally, and the system keeps privacy if no voter can
demonstrate how he or she voted to any third party (National
Institute of Standards and Technology, 2009a,b).
So far, there have been two main categories of electronic
voting systems—polling station voting systems and Internet
voting systems.
Polling station voting systems, such as Adida (2006), Araújo
et al. (2010b), Benaloh (2006, 2007), Chaum (2004, 2005), Chaum
et al. (2008a,b, 2005), Gardner et al. (2009), Moran and Naor
(2006, 2010, 2007), Neff (2004), Riva and Shma (2007), Rivest and
Smith (2007), and Teague et al. (2008), build their security on an
untappable channel implemented as a private voting booth at a
polling place, where a voter can cast her ballot in private. Thus,
n
Corresponding author. Tel.: þ61 3 9919 4426.
E-mail address: [email protected] (X. Yi).
risk of voter coercion and vote buying can be greatly mitigated.
These systems require a voter to vote in person at a polling station
on election days. This may not be convenient for those voters who
have no access to any polling station on election days, e.g.,
overseas citizens and military voters.
Internet voting systems, such as Adida (2008), Chaum (1981),
Clarkson et al. (2008), Fujioka et al. (1992), Juels et al. (2005),
Kiayias and Yung (2004, 2010), Kutylowski and Zagorski (2009,
2010), and Okamoto (1997), allow people to cast their votes over
the Internet, most likely through a Web browser, from home, or
possibly any other location where they have Internet access
(Rubin, 2002). While voting of this kind is hoped to encourage
higher voter turnout and makes accurate accounting for votes
easier, it also carries the potential of making abuse easier to
perform, and easier to perform at a large scale (Juels et al., 2005).
One challenge to Internet voting is how to prevent voter coercion
and vote buying because the behavior of a voter casting a ballot
remotely can be physically controlled by an adversary. Another
challenge is how to ensure the remote personal computer by
which a voter casts her vote is trusted because malware can
endanger integrity of the elections as well as privacy of the voter
(Kutylowski and Zagorski, 2009, 2010).
The first voting system was introduced by Chaum (1981),
based on a mix network, where a collection of tally authorities
take as input a collection of encrypted votes and output a
collection of plain votes according to a secret permutation. This
system allows each voter to make sure her vote was counted,
while preserving the privacy of the vote as long as at least one
tally authority is honest. In order to improve efficiency in tallying,

1084-8045/$ - see front matter & 2012 Elsevier Ltd. All rights reserved.
http://dx.doi.org/10.1016/j.jnca.2012.05.005
 X. Yi, E. Okamoto / Journal of Network and Computer Applications 36 (2013) 378–387
Cohen and Fischer (1985) proposed a voting system, based on a
homomorphic encryption E, where EðxÞEðyÞ ¼ Eðx þ yÞ for any x and
y in its domain. The basic idea is for each voter to encrypt her vote
using a public-key homomorphic encryption. The encrypted votes
are then summed using homomorphic property without decrypt-
ing them. Finally, a collection of tallying authorities cooperate to
decrypt the final tally. This system also preserves the privacy of
votes as long as at least one tally authority is honest. In order to
provide with unconditional privacy of votes, Fujioka et al. (1992)
proposed a voting system, based on blind signature, where a
signer can digitally sign a document without knowing what was
signed. The basic idea is that the voter has her ballot blindly
signed by the voting authority and later publishes the ballot using
an anonymous channel. Current voting systems are based on
either mix network, or homomorphic encryption, or blind
signature.
The notion of receipt-freeness was first introduced by Benaloh
and Tuinstra (1994) to model the security of a voting system
against voter coercion and vote buying. A voting system is
receipt-freeness if a voter cannot prove to an attacker that he or
she voted in a particular manner, even if the voter wishes to do so.
Receipt-freeness voting systems, such as Baudron et al. (2001),
Benaloh and Tuinstra (1994), Hirt and Sako (2000), Lee and Kim
(2002), Okamoto (1997), and Sako and Kilian (1995), assume the
existence of a private voting booth to isolate the voter from the
coercer at the moment she casts her vote. Internet voting systems
are required to be coercion-resistant where the voter can be
physically controlled by the adversary during voting. A rigorous
definition for coercion-resistance was given by Juels et al. (2005).
This model considers a powerful adversary who can demand of
coerced voters that they vote in a particular manner, abstain from
voting, or even disclose their secret keys. A voting system is
coercion-resistant if it is infeasible for the adversary to determine
if a coerced voter compiles with the demands. Intuitively, coer-
cion-resistance implies receipt-freeness which itself implies priv-
acy (Delaune et al., 2006).
A coercion-resistant Internet voting system was demonstrated
by Juels et al. (2005). The basic idea is that each voter casts her
ballot together with a secret credential (similar in spirit to Brands,
2000; Camenisch and Lysyanskaya, 2001), both encrypted by the
public keys of the tally authorities. After a collection of encrypted
ballots are mixed with a mix network such as Golle et al. (2004),
Jakobsson et al. (2002), and Neff (2001), the validity of ballots
(i.e., the validity of credentials) are checked blindly against the
voter roll and only valid ballots are decrypted and counted. This
system does not require an untappable channel for a voter to
cast her ballot, but instead assumes an untappable channel for a
voter to obtain a secret credential from the registrars during
registration (potentially using post mail). Based on this idea, a
coercion-resistant Internet voting system, namely Civitas
(Clarkson et al., 2008), has been implemented in 2007 and revised
in 2008.
In Juels et al.’s system, an adversary may cast a great number
of ballots with randomly chosen credentials. Even if the prob-
ability for this attack to produce one valid ballot is 1/2c, where c is
the length of credential, the validity of ballots can be blindly
checked only after mixing. In addition, to eliminate duplicate
ballots (with the same credential) in their system, plaintext
equivalence test (PET) should be performed for every possible
pair of ballots. As pointed out in Juels et al. (2005), one drawback
of their system is that, even with use of asymptotically efficient
mix networks as Furukawa and Sako (2001), the overhead for
tallying authorities is quadratic in the number of voters. This
system is only practical for small elections. Some efforts (Smith,
2005; Weber et al., 2007) have been made to improve the
efficiency of Juels et al.’s system.
379
There is another drawback in Juels et al.’s system (Juels et al.,
2005) and its improved versions (Smith, 2005; Weber et al.,
2007). If all tallying authorities corrupt, they are able to decrypt
all credentials in the voter roll and forge valid ballots without
being detected. This means that these systems are not really
verifiable. Although almost all voting systems achieve privacy on
the basis of the assumption that only a minority of tallying
authorities may corrupt, we believe that voter verification and
universal verification should only build on hard mathematical
assumptions instead of any social assumptions. The corruption of
all tallying authorities in a voting system may reveal privacy, but
must not compromise verifiability (i.e., the election result can be
still trusted), like Gardner et al. (2009).
Current coercion-resistant Internet voting systems, such as Juels
et al.’s system (Juels et al., 2005) and its variants (Araújo et al.,
2010a; Clarkson et al., 2008; Schweisgut, 2006; Smith, 2005; Weber
et al., 2007), require public key encryptions on the side of the voter.
Thus, they require the voter to trust the personal computer actually
casting the ballot on her behalf. Considering that the voter’s personal
computer can be infected by malware that may reveal the voter’s
preferences or even change the encrypted ballot cast by the voter,
Kutylowski and Zagorski (2009, 2010) recently proposed an Internet
voting system, a combination of paper-based voting systems
Punchscan (Chaum, 2005) and ThreeBallot (Rivest and Smith,
2007). The basic idea is that a voter makes a complete ballot by
laying a ballot and a coding card side by side. Each voter is issued
exactly one ballot by the election authority and she can get a coding
card from any Proxy. This system preserves privacy of votes if both
authorities do not collude. Even if the voter’s personal computer is
infected by viruses, her choice remains secret. This system does not
allow a voter to prove how he or she voted unless vote-casting is
physically supervised by an adversary.
Contributions: Current Internet voting systems assume either
the voter’s personal computer is trusted to cast a vote or the voter
is not physically controlled by the adversary. In this paper, we
propose an Internet voting system, in which the voter’s choice
remains secret even if the voter’s personal computer is infected
by malware or the voter is physically controlled by the adversary.
Our work is motivated by the most efficient voting systems
(Baudron et al., 2001; Cramer et al., 1987; Hirt and Sako, 2000) based
on homomorphic encryption. The main difference between them and
our solution is that they assume the availability of an untappable
channel between the voter and the authorities during voting while
we require the untappable channel during voter registration only.
Consider an election where the candidates are fC 1 ,C 2 , . . . ,C nC g
and the choice for each candidate is either ‘‘Yes’’ or ‘‘No’’, our
basic idea can be described as follows. First of all, a voter V i
generates a public/private key pair for digital signature system on
her own device. During registration, V i presents herself to a
registrar’s office, where she is allowed privately to input nC
references r i,j ð A f1,1gÞ on a trusted entry device (like setting
PIN number in a bank branch), which, in turn, encrypts each g ri,j
with the public keys of tally authorities and then posts on a public
bulletin board the ElGamal ciphertexts Eðg ri,j Þ ¼ ðAi,j ,Bi,j Þ (each
corresponds to one candidate Cj) along with the voter’s public
key. During voting, V i posts on the public bulletin board her ballot
composed of bj A f1,1g ðj ¼ 1; 2, . . . ,nC Þ and her signature on it,
where bj ¼ 1 if the choice of V i is the same as her reference r i,j and
bj ¼ 1 otherwise. During tallying, the tallying authorities sum
b b
ðAi,jj ,Bi,jj Þ for each candidate Cj and then cooperate to decrypt the
final tally.
Based on the idea, an Internet voting system was proposed in
Yi and Okamoto (2011), where the tallying discloses the numbers
of ‘‘Yes’’ and ’’No’’ votes. This paper presents an improved Internet
voting system where the tallying can only tell if the candidate
wins or loses. Furthermore, we present a formal definition of
380 X. Yi, E. Okamoto / Journal of Network and Computer Applications 36 (2013) 378–387
coercion-resistance, and provide a proof that our system is
coercion-resistant and shows that our voting system is verifiable
even if all election authorities are corrupted.
Compared to most of existing Internet voting systems, our
system has three merits as follows: (1) no encryption is needed
during voting and the ballot cast by a voter is ‘‘plain’’, thus any
voter can verify that her ballot is included unmodified; (2) the
tallying overhead is linear in the number of voters, therefore it is
practical for elections at a large scale; (3) verifiability remains
even if all election authorities are corrupt.
In addition, our system allows a voter repeatedly to refresh her
references remotely after she registers and to use refresh refer-
ences for a new election. Privacy is built on voter registration
protected by a untappable channel.
Organization: The rest of our paper is organized as follows.
Section 2 provides a formal definition of coercion-resistance for
an Internet voting system. Section 3 describes a basic voting
system at first and then extends it to a general voting system. A
rigorous security proof of coercion-resistance and a descriptive
proof of verifiability for our system are provided in Section 4.
Conclusions are drawn in the last section.
2. Our model for internet voting
2.1. Participating parties
Assume that there exists a publicly readable, insert-only
bulletin board ðBBÞ on which public information (e.g., public keys,
ballots and final tally) is posted. No one can overwrite or erase
existing data on BB. The public (including voters) can read the
contents of BB anytime.
Normally, our Internet voting system involves three types of
participants as follows:
 Registrar ðRÞ authorizes voters for an election by posting each
voter’s identity and public information on BB.
 Voters ðV 1 ,V 2 , . . . ,V nV Þ are the entities participating in the
election administrated by R.
 Tallying authorities ðT 1 ,T 2 , . . . ,T nT Þ jointly process ballots and
publish the final tally.
2.2. Definition of our internet voting scheme
Our basic Internet voting system is for an election where there
is only one candidate, and the choice of the election is either ‘‘Yes’’
or ‘‘No’’. Our general system where there exist multiple candi-
dates can be constructed from our basic system. The basic system
is executed in five major phases—setup, registration, voting,
tallying, and verifying as follows:
 Setup: First of all, our system chooses a digital signature
system SS, a threshold public key encryption system ES. Let
the choices of the election be C ¼ f1,1g, where 1,1 stand for
‘‘Yes’’ and ‘‘No’’, respectively.
 Let V ¼ fV 1 , . . . ,V nV g and T ¼ fT 1 , . . . ,T nT g. Each tallier ðT i Þ
generates a public/private key pair ðTPK i ,TSK i Þ for ES. Let
TPK ¼ fTPK 1 , . . . ,TPK nT g and TSK ¼ fTSK 1 , . . . ,TSK nT g. The regis-
trar ðRÞ posts O ¼ fR,ES,SS,C,T ,TPK,Vg on BB. We model this
process as a function
setupð1k Þ-ðO,TSKÞ
where k is a security parameter and TSKi is known to T i only.
 Registration: Each V i generates one public/private key pair
ðpki ,ski Þ for the signature system SS, and chooses a reference ri
uniformly at random from f1,1g and sends it the registrar R
via a untappable channel, which, in turn, encrypts g ri with TPK,
denoted as Ri ¼ Eðg ri ,TPKÞ, where g is the generator of the
plaintext group of ES, and meanwhile provides a non-inter-
active zero-knowledge proof Pi that Ri is an encryption of
either g or g 1 . Then the registrar R posts V i ,pki ,Ri ,P i on BB.
 We model this process as a function
registrationðR,V i ,TPKÞ-ðV i ,pki ,Ri ,P i ,r i ,ski Þ
where ri and ski are known to V i only.
 Voting: The registrar R announces the candidate on BB. A
voter V i chooses a vote vi from C and determines bi , such that
bi ¼ 1 if vi ¼ri and bi ¼ 1 otherwise. Then, she constructs a
ballot bi including bi and a signature on it with her signing key
ski, and posts bi next to the identity V i on BB. We model this
process as a function
voteðV i ,vi ,r i ,ski Þ-bi ¼ ðbi ,signðbi ,ski ÞÞ
A ballot bi is valid if the signature is valid.
 Tallying: All ballots with valid signatures are combined. Then
the talliers jointly decrypt the result with their private keys
TSK and post on BB a vote tally X, which is either ‘‘WIN’’ or
‘‘LOSE’’, along with a non-interactive zero-knowledge proof P
that the tally was correctly computed. We model this process
as a function
tallyðT , O,fV i ,pki ,Ri ,Pi ,bi gni ¼
V
1 ,TSKÞ-ðX,PÞ
 Verifying: The public (including voters) verify if each Ri is an
encryption of either g or g 1 with Pi, if each ballot on BB is
signed by an eligible voter with signðbi ,ski Þ, and if all ballots
are correctly combined and then decrypted with P. If so, the
tallying is correct. We model this process as a function
verifyðO,fV i ,pki ,Ri ,Pi ,bi gni ¼
V
1 ,ðX,PÞ,TPKÞ-f0; 1g
The function outputs a ‘‘1’’ if the tallying is correct and a ‘‘0’’
otherwise.
Definition 2.2.1. Our Internet voting system, simply called voting
system ðVSÞ, is a collection of five functions setup, registration,
vote, tally, verify, denoted as
VS ¼ fsetup,registration,vote,tally,verifyg
2.3. Definition of coercion resistance
We now give a formal security definition of coercion resistance
for our Internet voting system.
Coercion resistance is a strong form of privacy, in which it is
assumed that an adversary may instruct targeted voters to reveal
their private keys, or may specify that these voters cast ballots of
a particular form. If such an adversary can determine whether or
not these voters behaved as instructed, she is capable of blackmail
or otherwise exercising undue influence over the election. There-
fore, a coercion-resistant voting system is one in which a voter
can deceive an adversary into thinking that the voter has behaved
as instructed.
Currently, the best way to achieve coercion resistance in
Internet voting is to allow a voter to lie to an adversary with a
fake secret, which must be indistinguishable by the adversary
from a valid secret, and only distinguishable by all tallying
authorities. For this purpose, we introduce to our system a new
function, fakeReferenceðV i ,r i ,Ri ,TPKÞ-r~ i , which takes as inputs
the reference ri of the voter and its encryption Ri, the public keys
TPK of authorities, and outputs a false reference r~ i , which is r i in
this case. Note that a voter cannot lie to an adversary with a fake
 X. Yi, E. Okamoto / Journal of Network and Computer Applications 36 (2013) 378–387
signing private key ski because its truth can be easily checked
against her public key on BB.
Formally, the definition of coercion resistance is built on a
game between an adversary and a voter targeted by the adversary
for coercive attack, where a coin is flipped; the outcome is
represented as a bit b; if b ¼0, then the voter provides the
adversary with a false reference; if b¼1, then the voter furnishes
the adversary with the true reference. The task of the adversary is
to guess the value of coin b.
In this game, we assume that at least one of tallying autho-
rities is honest and therefore nT tallying authorities can be
simplified to one tallying authority with a pair of public and
private keys (TPK, TSK). In addition, we assume there are nV
eligible voters for the election, and the number of vote choices is
2 only. The adversary has corrupted (i.e., completely controlled)
nA voters, where nA onV =22. As convention, we consider the
case where the adversary attempts to coerce a single voter in the
game. Extension to coercion of multiple voters is straightforward.
Therefore, there are nU ¼ nV nA 1 voters outside the control of
the adversary. In other words, the nU voters are not subject to
coercion. Among the votes cast by those voters in VV A , we
assume that at least one vote is ‘‘Yes’’ and at least one vote is
‘‘No’’. This is always true in practice. We model the voting
patterns of the nU voters in terms of a probability distribution
DnU ,2 . In the same way, we model the voting patterns of the nA
corrupted voters as a probability distribution DAnA ,2 , which repre-
sents the strategy of the adversary.
Remark. We do not consider the case where nA Z nV =22 because
the adversary cannot control the majority of voters in practice.
Fig. 1. The real experiment for definition of coercion resistance.
381
We assume that the adversary is uncertain of DnU ,2 in the
game. In our model, the abstention case, where a voter has
registered the election, but does not cast her ballot, can be easily
identified and excluded. In view of it, we do not consider the
abstention case in our model.
We consider a static adversary, i.e., one that selects voters to
be corrupt prior to protocol execution. We assume that the
adversary has a list of ‘‘voter names’’, i.e., a roll of potential
participating voters. Let ’ denote assignment and ( denote the
append operation. The game can be illustrated in Fig. 1.
We consider a real experiment Expcresist
VS,A as shown in Fig. 1. The
adversary is assumed to retain states throughout the duration of an
experiment. We say an adversary A succeeds if the experiment
outputs ‘‘1’’. The probability of A in succeeding in the experiment
is denoted as Succcresist
VS,A ðkÞ, where k is the security parameter.
To define the advantage of the adversary A against the voting
system VS, we compare A with a second adversary A0 , which is
capable of coercion only within the framework of an ideal
cresistideal
experiment ExpVS,A 0 , where A0 learns nothing from the
reference he acquires from the coerced voter. This means A0
cannot use the reference to learn information about the voting
behavior of the coerced voter. In other words, the reference
provided by the coerced voter is independent of the real reference
set by the voter during registration. The only information that A0
gets is the election result X. In the ideal experiment, we define an
ideal function tallyideal that tallies the ballots posted on BB in a
special way. The function tallyideal is able to determine the election
result X without knowing the private key TSK.
cresistideal
We present the ideal experiment ExpVS,A 0 that charac-
terizes the success of A0 in Fig. 2.
382 X. Yi, E. Okamoto / Journal of Network and Computer Applications 36 (2013) 378–387
Fig. 2. The ideal experiment for definition of coercion resistance.
We define the advantage of an adversary A against the voting
system VS as a function in the security parameter k
cresist cresistideal
Advcresist
VS,A ðkÞ ¼ 9SuccVS,A ðkÞSuccVS,A ðkÞ9
Definition 2.3.1. A voting system VS is coercion-resistant if, for
any probabilistic polynomial-time (PPT) adversary A and any
probability distributions DnU ,2 and DAnA ,2 , where nA o nV =22, the
advantage of the adversary A against the voting system VS is
negligible.
The above definition ensures that the adversary can (essen-
tially) do no better than random guess b. This means that the
adversary learns nothing from the reference she acquires from the
coerced voter.
3. Our Internet voting system
3.1. Basic Internet voting system
We now introduce our basic Internet voting system, where
there is only one candidate, and the choice of the election is either
‘‘Yes’’ or ‘‘No’’. If the number of ‘‘Yes’’ votes is more than the
number of ‘‘No’’ votes, the candidate wins, and loses otherwise.
Setup: Our system is built on ElGamal (homomorphic and
threshold) encryption system ðESÞ (ElGamal, 1985), the modified
ElGamal signature system ðSSÞ (Pointcheval and Stern, 1996), a
verifiable mix network ðMIXÞ (Golle et al., 2004; Furukawa and
Sako, 2001), the non-interactive zero-knowledge reencryption
proof ðReencPfÞ (Blum et al., 1991; Hirt and Sako, 2000; Santis
et al., 2000), and the non-interactive zero-knowledge equal
discrete logarithm proof ðEqDlogÞ (Chaum and Pedersen, 1992;
Jakobsson and Juels, 2000; MacKenzie et al., 2002), over a group G
of a large prime order q with a generator g.
Let the choices of the election be C ¼ f1,1g, where 1,1 stand
for ‘‘Yes’’ and ‘‘No’’, respectively.
Let the list of tallying authorities be T ¼ fT 1 ,T 2 , . . . ,T nT g. Each
T i randomly chooses a private key TSKi ¼ti from Znq and computes
the public key TPK i ¼ g ti . Let TSK ¼ ft 1 ,t 2 , . . . ,t nT g and TPK ¼
fg t1 ,g t2 , . . . ,g tnT g. Let h be chosen from a family of collision-
resistant hash functions.
At last, the registrar posts O ¼ fR,ES,SS,MIX,ReencPf,EqDlog,
ðG,q,gÞ,h,C,T ,TPK,Vg on the public bulletin board BB.
Registration: Before registration, each voter V i generates a
public/private key pair ðski ¼ xi ,pki ¼ g xi Þ for the signature system
SS on her own device and prints out the public key pki and the
hash value hðpki Þ on paper. The purpose of using hash function is
to facilitate human checking.
To vote, a voter V i presents herself to a registrar’s office, where
V i is allowed privately to press 1 or 1 button on a trusted entry
device (e.g., PIN entry device), which, in turn, encrypts g or g 1
accordingly, and then prints out the hash value hðRi Þ on a slip,
where Ri ¼ ðAi ,Bi Þ is an encryption of either g or g 1 . Let ri ¼1,
Q
Ai ¼ g gi , Bi ¼ gð nt T¼ 1 TPK t Þgi if press 1, and let r i ¼ 1, Ai ¼ g gi ,
Q n
Bi ¼ g 1 ð t T¼ 1 TPK t Þgi if press  1, where gi is randomly chosen by
the device from Znq . Therefore, Ri is an encryption of g ri . The voter
V i needs to remember her reference ri. Having seen hðRi Þ on the
slip, the voter V i is allowed to confirm her choice by pressing
‘‘Confirm’’ or ‘‘Cancel’’ button on the device, like Benaloh (2006,
2007) and Kutylowski and Zagorski (2009, 2010).
 X. Yi, E. Okamoto / Journal of Network and Computer Applications 36 (2013) 378–387
If V i presses ‘‘Cancel’’, the device prints out r i , gi ,Ri on the slip
for V i to check if ri is her choice. In this case, the staff in the
registrar’s office tears off the slip and provides a handwriting
signature on it. V i either keeps the slip for anyone later to check or
inserts the slip into a locked box placed in the registrar’s office for
the election inspector with key later to check. Then the registra-
tion restarts. Note that anyone can check if Ri on the slip is
computed correctly with r i , gi ,TPK without the knowledge of
private keys of tallying authorities.
If the voter V i presses ‘‘Confirm’’, the device scans her identity
(denoted as V i as well) from her identity card, her public key pki
from her paper, and then computes the hash value hðpki Þ and prints
out V i ,hðpki Þ on the slip. The voter needs to check if the hash value
hðpki Þ on the slip is the same as that on her paper. At last, the device
provides non-interactive zero-knowledge reencryption proof Pi
(using ReencPf) that Ri is a reencryption of either (1,g) or ð1,g 1 Þ,
posts V i ,pki ,hðpki Þ,Ri ,hðRi Þ,Pi on BB, and then erases r i , gi from its
memory. The staff tears off the slip with hðRi Þ,V i ,hðpki Þ, provides a
handwriting signature on it and then hands it to the voter.
Let the list of registered voters be V ¼ fV 1 ,V 2 , . . . ,V nV g. For each
V i , there is a row ðV i ,pki ,hðpki Þ,Ri ,hðRi Þ,P i Þ on BB.
Voting: The registrar R announces the candidate on BB. Each V i
chooses her vote vi from C ¼ f1,1g and determines bi as follows:
if vi ¼ri, then bi ¼ 1; if vi a r i , then bi ¼ 1. Note that V i remem-
bers her reference ri.
Next, V i generates a signature on bi (using SS) as follows:
1
Si ¼ g di , T i ¼ ðHðbi ,Si ÞSi xi Þdi ðmod qÞ, where di is randomly cho-
n
sen from Zq , H is a hash function and xi is the private key of V i .
Note that a time stamp may be included in the message to be
signed to prevent replaying attacks.
Then, V i constructs a ballot bi ¼ fbi ,Si ,T i g and casts it to R,
S
which, in turn, posts bi next to V i on BB if g Hðbi ,Si Þ ¼ pki i STi i . The
voter V i checks if bi on BB is the same as that she casts.
Tallying: To tally all valid ballots posted on BB, T performs the
following steps:
1. Combining: Based on the homomorphic property of ElGamal
encryption system, all valid ballots fbi gni ¼ V
1
on BB can be
Qn V QnV
bi b
combined as follows: X T ¼ i ¼ 1 Ai , Y T ¼ i ¼ 1 Bi i . In fact,
yn
ðX T ,Y T Þ is an encryption of g , where y, n stands for the
numbers of ‘‘Yes’’ and ‘‘No’’ votes.
2. Comparing: It is obvious that ðX T ,g j Y T Þ is an encryption of
ynj for j ¼ 1; 2, . . . ,nV . Since nV 5q and y þ n ¼ nV , one of
ðX T ,g j Y T Þ ðj ¼ 1; 2, . . . ,nV Þ is an encryption of g0 if y 4n, and
none of ðX T ,g j Y T Þ ðj ¼ 1; 2, . . . ,nV Þ is an encryption of g0 if y r n.
Next, the first tallying authority T 1 randomly chooses 0 o lj oq
l
and computes ðX Tj ,ðg j Y T Þlj Þ for j ¼ 1; 2, . . . ,nV and posts a
random permutation of the nV ciphertexts on BB. The second
tallying authority T 2 mixes the nV ciphertexts posted by T 1 in
the same way and posts the results on BB, . . ., the last tallying
authority T nT mixes the nV ciphertexts posted by T nT 1 in the
same way and posts the results on BB. Assume the final mixed nV
ciphertexts on BB are ðX j ,Y j Þ where j ¼ 1; 2, . . . ,nV .
Following the threshold ElGamal encryption system, tallying
authorities cooperate to decrypt each ðX j ,Y j Þ as follows: each
tallying authority T i computes X tj i and posts it on BB. With
QnT
fX tj i gni ¼
T
1 , one can compute mj ¼ Y j
ti
i ¼ 1 X j , which is the
decryption of ðX j ,Y j Þ.
If one of m1 ,m2 , . . . ,mnV is 1, the candidate wins the election
ðX ¼ WINÞ. Otherwise, the candidate loses the election
ðX ¼ LOSEÞ. X is posted on BB.
3. Proving: T 1 ,T 2 , . . . ,T nT jointly provide a multi-party non-
interactive zero-knowledge proof P0 (using EqDlog) that
383
PnT PnT
QnT t t
i ¼ 1 i
i ¼ 1 TPK i ¼ g
i ¼ 1 i and m1
j Y j ¼ X j
have the equal dis-
crete logarithm for j ¼ 1; 2, . . . ,nV , and a non-interactive zero-
knowledge proof P00 that ciphertexts ðX j ,Y j Þ ðj ¼ 1; 2, . . . ,nV Þ is a
permutation of ciphertexts ððX T Þl ,ðg j Y T Þl Þ ðj ¼ 1; 2, . . . ,nV Þ,
where l is a random non-zero integer, then posts the proof
P ¼ fP 0 ,P 00 g next to X on BB.
Verifying: During registration, each voter V i is able to check if her
public key pki and ciphertext Ri are posted on BB correctly on the
basis of hash values hðpki Þ and hðRi Þ on her registration slip. In
addition, V i is able to detect if the entry device in the registrar’s office
cheats by pressing ‘‘Cancel’’ and checking if ri on the test slip is her
choice and if Ri on the test slip is computed correctly by herself or
with the help of someone later. During voting, each voter V i is able to
check whether bi (either 1 or  1) in the ballot bi ¼ fbi ,Si ,T i g posted
on BB is her choice even if the computer of V i is infected by malware.
During registration, the election inspector is able to detect if
the entry device cheats voters by collecting all test slips with the
handwriting signatures of the registrar from the test box and
checking if all ciphertexts are computed correctly. During voting,
the public (including the voters) is able to verify if each Ri is an
encryption of either g or g 1 based on the non-interactive zero-
knowledge proof Pi, and check if each ballot bi is valid with the
signature (Si ,T i ) of V i . During tallying, the public can check if all
valid ballots are combined and decrypted correctly based on the
non-interactive zero-knowledge proof P.
Remark. Our basic system can fit an election where yn is required
to be more than d ð Z1Þ. From ðX T ,Y T Þ, we can obtain an encryption
of g ynd , that is ðX T ,g d Y T Þ. Then tallying authorities can cooperate
to determine if ynd 40 as described above.
Remark. Our basic system can fit a two-candidate election,
where þ1 stands for voting one candidate while  1 represents
voting another candidate and both candidates lose the election if
y ¼ n. From ðX T ,Y T Þ, tallying authorities can cooperate to deter-
mine if y ¼ n at first and then who wins the election if y a n.
3.2. General remote voting scheme
Our basic Internet voting system can be used to build a general
Internet voting system, where there is a list of candidates
C ¼ fC 1 ,C 2 , . . . ,C nC g, and the choice for each candidate is either
‘‘Yes’’ or ‘‘No’’. For a candidate, if the number of ‘‘Yes’’ votes is
more than the number of ‘‘No’’ votes, the candidate wins the
election, and loses otherwise.
Setup: Same as our basic system, the registrar R posts
O ¼ fR,ES,SS,MIX,ReencPf,EqDlog,ðG,q,gÞ,h,C,T ,TPK,Vg on the
public bulletin board BB.
Registration: For registration, a voter V i presents herself with
her printed public key pki and hash value hðpki Þ to the registrar’s
office, where V i is allowed privately to enter an integer
ri ð ¼ ai,1 þai,2 2 þ    þai,nC 2nC 1 , where ai,j is either 0 or 1) into a
trusted entry device, which, in turn, encrypts a series of g and g 1
according to ai,j . The ciphertext Ri,j ¼ ðAi,j ,Bi,j Þ is either
Q Q
ðg gi,j ,gð nt T¼ 1 TPK t Þgi,j Þ if ai,j ¼ 0 or ðg gi,j ,g 1 ð nt T¼ 1 TPK t Þgi,j Þ if ai,j ¼ 1,
where gi,j is randomly chosen by the device from Znq . Then the
device prints out the hash value hðRi Þ on a slip, where
Ri ¼ fRi,j gnj ¼
C
1
. The voter V i needs to remember her reference ri
(like a PIN number). If the number of candidates is large, V i may
write down ri on a note privately.
Having seen hðRi Þ on the slip, V i decides whether to confirm ri . If
not, the device prints out ri , fgi,j gnj C¼ 1 and Ri on the slip. In this case,
the staff in the registrar’s office tears off the slip, provides a
384 X. Yi, E. Okamoto / Journal of Network and Computer Applications 36 (2013) 378–387

m Q m
handwriting signature on it. V i either keeps the slip for anyone later from Znq and computes R0i ¼ ðA0i ,B0i Þ ¼ ðg ri Ai i ,ð nt T¼ 1 TPK t Þri Bi i Þ,
to check or inserts the slip into a locked box placed in the registrar’s 0
where Ri is an encryption of g r i mi
and the refresh reference
office for the election inspector with key later to check. Then the r 0i ¼ r i mi . Next the computer of V i provides a non-interactive
registration restarts. Otherwise, the device scans the identity V i and zero-knowledge reencryption proof P0i that R0i is a reencryption
the public key pki and prints out V i ,hðpki Þ on the slip for V i to check.
of either ðAi ,Bi Þ or ðA1 1 0
i ,Bi Þ and generates a signature on Ri as
At last, the device provides a non-interactive zero-knowledge 0 0
reencryption proofs Pi (using ReencPf) that each ciphertext in Ri follows: S0i ¼ g di , T 0i ¼ ðHðR0i ,S0i ÞSi xi Þdi 1ðmod qÞ,where d0i is ran-
n
is a reencryption of either ð1,gÞ or ð1,g 1 Þ, and erases ri ,ai,j , gi,j from domly chosen from Zq and xi is the private key of V i . At last, V i
its memory, and posts V i ,pki ,hðpki Þ, Ri ,hðRi Þ, Pi on BB. The staff posts ðR0i ,S0i ,T 0i ,P 0i Þ next to V i on BB.
tears off the slip with hðRi Þ,V i ,hðpki Þ, provides a handwriting
Remark. If an adversary coerces a voter V i to compute R0i with mi
signature on it and then hands it to the voter.
and ri chosen by himself, he is uncertain of the refresh reference
Voting: The registrar R announces the list of candidates
r 0i ¼ r i mi because he is uncertain of the original reference ri. In case
C ¼ fC 1 ,C 2 , . . . ,C nC g on BB.
the registrar obtains r i , gi during the registration of V i , the
For each candidate C j ðj ¼ 1; 2, . . . ,nC Þ, a voter V i chooses her
registrar is uncertain of the refresh reference r 0i ¼ r i mi because
vote vi,j from f1,1g and determines bi,j as follows: if vi,j ¼ ð1Þai,j , he is uncertain of mi .
then bi,j ¼ 1; if vi,j a ð1Þai,j , then bi,j ¼ 1. Note that V i remembers
For our general system, when the voter V i refreshes her
her reference ri ¼ ai,1 þ ai,2 2 þ    þai,nC 2nC 1 .
reference ri ð ¼ ai,1 þ ai,2 2þ    þ    ai,nC 2nC 1 Þ, where ai,j A f0; 1g,
Next, V i generates a signature on fbi,1 , bi,2 , . . . , bi,nC g as follows:
1
she randomly chooses mi,1 , mi,2 , . . . , mi,nC from f1,1g, and her
Si ¼ g di , T i ¼ ðHðbi,1 , bi,2 , . . . , bi,nC ,Si ÞSi xi Þdi ðmod qÞ, where di is
n
computer randomly chooses ri,1 , ri,2 , . . . , ri,nC from Znq and com-
randomly chosen from Zq , and xi is the private key of V i . m Q m
putes R0i ¼ fðA0i,j ,B0i,j Þgnj C¼ 1 ¼ fðg ri,j Ai i,j , ð nt T¼ 1 TPK t Þri,j Bi i,j Þgnj ¼
C
, where
Then, V i constructs a ballot bi ¼ ffbi,j gnj C¼ 1 ,Si ,T i g and casts it to ai,n
1
a a
R0i are encryptions of g mi,1 ð1Þ i,1 , g mi,2 ð1Þ i,2 , . . . ,g mi,nC ð1Þ
C
R, which, in turn, posts bi next to Vi on BB if Þ and the
Hðbi,1 , bi,2 ,..., bi,n ,Si Þ S nC 1
g C ¼ pki i STi i .
The voter V i checks if bi on BB is the refresh reference r0i ¼ a0i,1 þ a0i,2 2 þ    þ a0i,nC 2 , where
ai,j
same as that she casts. a0i,j ¼ ð1mi,j ð1Þ Þ=2. Next V i provides a non-interactive zero-
Tallying: To tally all valid ballots posted on BB for each knowledge reencryption proof P0i that each ðAi,j 0 ,Bi,j 0 Þ in R0i is a
candidate C j ðj ¼ 1; 2, . . . ,nC Þ, T performs the following steps:
reencryption of either ðAi,j ,Bi,j Þ or ðA1 1
i,j ,Bi,j Þ and generates
0 0 1
1. Combining: T combines all valid ballots on BB for the candidate Ck a signature on R0i as follows: S0i ¼ g di , T 0i ¼ ðHðR0i ,S0i ÞSi xi Þdi
Q V bi,k QnV bi,k
as follows: X T,k ¼ ni ¼ 1 Ai,k , Y T,k ¼ i ¼ 1 Bi,k . ðX T,k ,Y T,k Þ is an
ðmod qÞ, where d0i is randomly chosen from Znq and xi is the private
yk nk
encryption of g , where yk ,nk are the number of ‘‘Yes’’ and key of V i . At last, V i posts ðR0i ,S0i ,T 0i , Pi Þ next to V i on BB.
‘‘No’’ votes, respectively, for the candidate Ck.
2. Comparing: Like our basic protocol, for the candidate Ck, Remark. As a voter V i is able to test if the entry device in the
tallying authorities cooperate to mix ðX T,k ,g j Y T,k Þ registrar’s office is cheating during the registration, V i is able to
test if her computer is cheating during voter reference refresh by
ðj ¼ 1; 2, . . . ,nV Þ. Assume the mixed results are ðX k,j ,Y k,j Þ
sending test data to the election inspector by post.
ðj ¼ 1; 2, . . . ,nV Þ. Then each tallying authority T i computes X tk,j
i

and posts it on BB. With fX tk,j i

gni ¼
T
1 , one can compute 4. Security analysis
Qn T ti
mk,j ¼ Y k,j  i ¼ 1 X k,j . If one of mk,1 ,mk,2 , . . . ,mk,nV is 1, then
4.1. Security analysis of coercion resistance
the candidate Ck wins the election ðXk ¼ WINÞ and loses the
election otherwise ðXk ¼ LOSEÞ.
In this section, we provide a rigorous proof that our basic
Let X ¼ ðX1 ,X2 , . . . ,XnC Þ and X is posted on BB.
voting system is coercion-resistant.
2. Proving: For each candidate Ck, tallying authorities
Given a probabilistic polynomial time-bounded (PPT) adver-
T 1 ,T 2 , . . . ,T nT jointly provide a multi-party non-interactive
QnT sary A, we imagine a simulator S that runs the game as shown in
zero-knowledge proof P C k 0 (using EqDlog) that i ¼ 1 TPK i ¼
PnT P nT
Fig. 1 for A. More preciously, the simulator begins by generating a
t ti
i 1
g i ¼ 1 and mk,j Y T,k ¼ X T,k i ¼ 1
have the equal discrete loga- multiplicative cyclic group ðG,q,gÞ, and the public and private
rithm, and a non-interactive zero-knowledge proof P C k 00 that keys (TPK,TSK) for the tallying authority T , and posting O on BB.
During registration, the simulator S, playing the role of the
ðX k,j ,Y k,j Þ ðj ¼ 1; 2, . . . ,nV Þ is a permutation of ððX T,k Þl ,ðg j Y T,k Þl Þ
registrar R, generates public and private key pairs ðpki ,ski Þ for
ðj ¼ 1; 2, . . . ,nV Þ, where l is a random non-zero integer. nV nA honest voters, while the adversary A generates public and
Let P ¼ ðPC 1 ,PC 2 , . . . ,PC nC Þ and P is posted next to X on BB. private key pairs ðpki ,ski Þ for nA controlled voters. When a
(controlled or honest) voter V i registers the election, she ran-
Verifying: Same as our basic voting system. domly chooses ri from f1,1g and sends r i ,pki to S, which, in turn,
encrypts g ri and posts pki and the ciphertext Ri with a non-
3.3. Voter reference refresh interactive zero-knowledge proof Pi that each Ri is an encryption
of either g or g 1 on BB.
In our basic and general Internet voting systems, the reference During voting, A constructs nA ballots for controlled voters in
of a voter can be used for one election only. For a new election, V A and posts them on BB, and sets a target voter V j A VV A to
the voter may go to the registrar’s office to reset her reference as coerce. On coercing, S randomly chooses a bit b. If b¼0, S gives rj
the registration described above or refresh her reference online as and skj to A. Otherwise, S gives r j and skj to A. Then A constructs
follows. a ballot for V j and posts it on BB. In addition, S constructs nU
For our basic system, when the voter V i refreshes her reference ballots for voters in VV A fV j g and posts them on BB.
r i ð A f1,1gÞ, whose ciphertext on BB is Ri ¼ ðAi ,Bi Þ, she randomly During tallying, S, playing the role of the tallying authority,
chooses mi from f1,1g while her computer randomly chooses ri combines all valid ballots, decrypts the resulted ciphertext (with
 X. Yi, E. Okamoto / Journal of Network and Computer Applications 36 (2013) 378–387
the private key of the tally authority) and extracts a final tally X,
and provides a non-interactive zero-knowledge proof P that the
decryption is correct. Then S releases ðX,PÞ on BB.
0 0
At last, A submits a guess b to S. If b ¼ b, A wins the game.
Otherwise, A fails.
cresist
The real experiment ExpVS,A ðkÞ has been described as above.
Next, we modify the experiment on the basis of the semantic
security of ElGamal encryption system (refer to Appendix A).
At first, we assume that the challenger of ElGamal encryption
system runs the key generation algorithm, gives the public key
TPK to the simulator S, but keeps the private key TSK to itself.
Then, the simulator S runs as same as the real experiment except
that
 During registration, for any corrupted voter V i A V A , the simu-
lator S requests the challenger to decrypt Ri and thus S can
obtain all references set by corrupted voters. Assume that
voters V k and V ‘ from VV A cast ‘‘Yes’’ and ‘‘No’’ votes,
respectively, in the original experiment. The simulator S
challenges two plaintexts M0 ¼ g and M 1 ¼ g 1 and the chal-
lenger picks a random bit b^ A f0; 1g and sends back
Rk ¼ EðMb^ ,TPKÞ ¼ ðAk ,Bk Þ and R‘ ¼ EðM 1b^ ,TPKÞ ¼ ðA‘ ,B‘ Þ as the
challenge along with non-interactive zero-knowledge reen-
cryption proofs Pk and P ‘ that Rk and R‘ are reencryptions of
either (1,g) or (1,g 1 ). S posts them on BB for V k and V ‘ ,
respectively.
 During voting, the simulator S ensures bk ¼ b‘ even if either V k
or V ‘ is coerced (i.e., even if either V k ¼ V j or V ‘ ¼ V j ). This can
be always achieved because the adversary can coerce one
voter from VV A only. For the coerced voter V j A VV A , S
randomly chooses r j 0 from f1,1g and b from f0; 1g, if b¼ 1, S
provides the adversary A with r j 0 and r j 0 otherwise, where r j 0
is independent of rj set by S during the registration.
 During tallying, the simulator S can determine g yn and then
the election result X0 (either WIN or LOSE) without any
decryption because S knows g ri bi for all i. During voting, S
adaptively arranges the votes cast by the voter in VV A fV j g
so that X0 ¼ X. At last, S submits g yn and its encryption
ðX T ,Y T Þ to the challenger and requests it to mix the ciphertexts
ðX T ,g j Y T Þ ðj ¼ 1; 2, . . . ,nV Þ, decrypt the mixed ciphertexts, and
provide a non-interactive zero-knowledge proof P, and posts
(X, P) on BB.
Since ElGamal encryption system is semantic secure, the
adversary A cannot distinguish the real experiment and the
modified experiment with non-negligible advantage. In fact, the
adversary’s view in the modified experiment is the same as the
ideal experiment. Therefore, for any probabilistic polynomial-
time (PPT) adversary A and any probability distributions DnU ,2
and DAnA ,2 , where nA onV =22, the advantage of the adversary A
against our Internet voting system VS is negligible. Based on
Definition 2.3.1, we have
Theorem 4.1.1. Our Internet voting system VS is coercion-resistant
if at least one tally authority is honest and ElGamal encryption
system is semantically secure under chosen plaintext attack.
Remark. In our definition of coercion resistance described in
Section 2.3, we have assumed that at least one of nT tallying
authorities is honest and therefore nT tallying authorities can be
simplified to one tallying authority.
4.2. Security analysis of verifiability
In this section, we provide a descriptive proof that our basic
voting system is verifiable.
385
We assume that the adversary A has corrupted the registrar
and all tallying authorities T plus nA voters and intends to cause a
fake election tally X0 to be accepted by the public. This is possible
only in one of the following four events:
 During registration, the adversarial registrar A cheats the
public with a non-interactive zero-knowledge proof Pi for a
voter V i that Ri is an encryption of either g or g 1 , but it is
actually not. We model this attack as verifyðBBÞ ¼ 1, but there
exists V i such that DðRi ,TSKÞ= 2fg,g 1 g, where D stands for
decryption. We denote the event as Succ1 .
 During registration, the adversarial registrar A cheats a honest
voter V i with a ciphertext Ri which is not an encryption of g ri ,
where ri is randomly chosen by V i from f1,1g. We model this
attack as verifyðBBÞ ¼ 1, but there exists V i such that
DðRi ,TSKÞ ¼ g ri . We denote the event as Succ2 .
 During voting, the adversary A forges the vote of a single voter
V j A VV A . In this attack, A sets the target voter V j , intercepts
the ballot bj ¼ ðbj ,signðbj ,skj ÞÞ cast by V j and posts a modified
A A
ballot bj ¼ ðbj ,signAj Þ on BB. We model this attack as
A
verifyðBBÞ ¼ 1, but bj a bj . We denote the event as Succ3 .
 During tallying, the adversarial tally authorities A post a fake
election tally X0 with a non-interactive zero-knowledge
proof P 0 that the tally X0 is computed correctly. We model this
attack as verifyðBB,X0 ,P 0 Þ ¼ 1, but X0 aX where ðX,PÞ ¼ tally
ðBB,TSKÞ, i.e., the fake election tally is accepted, but it is
different from the true output of tallying. We denote the event
as Succ4 .
Obviously, the probability of the adversary in causing a fake
election tally X0 to be accepted by the public is less than
PrA ½Succ1  þ PrA ½Succ2  þ PrA ½Succ3  þ PrA ½Succ4 .
If PrA ½Succ1  is non-negligible, a simulator S can make use A as
a subroutine to break the security of the non-interactive zero-
knowledge reencryption proof system ðReencPfÞ (Hirt and Sako,
2000).
Next, let us analyze PrA ½Succ2 . During registration, a (honest)
voter V i sends her reference r i A f1,1g to the adversary A who is
playing the role of the entry device. To facilitate analysis, we
assume the entry device prints out the ciphertext at first instead
of its hash value. Our system still works without the hash
function h. Because A cannot predict when V i confirms her
Q
reference, V has to print out Ri ¼ ðg gi ,g ri ð nt T¼ 1 TPK t Þgi Þ at first to
win the game. In case V i presses ‘‘Cancel’’ button, A has to print
Q
out r i , g0i such that Ri ¼ ðg gi ,g ri ð nt T¼ 1 TPK t Þgi Þ to avoid being
0 0
detected. In fact, g gi ¼ g gi implies g0i ¼ gi ðmod qÞ. Therefore,
0
Q Q
g ri ð nt T¼ 1 TPK t Þgi ¼ g ri ð nt T¼ 1 TPK t Þgi must hold. However it cannot
hold even if the adversary A has known all private keys of tallying
authorities.
In addition, if PrA ½Succ3  is non-negligible, a simulator S can
make use A as a subroutine to break the security of the modified
ElGamal signature system ðSSÞ (Pointcheval and Stern, 1996)
(refer to Appendix A).
If PrA ½Succ4  is non-negligible, a simulator S can make use A as
a subroutine to break the security of the non-interactive zero-
knowledge equal discrete logarithm proof system ðEqDlogÞ
(Chaum and Pedersen, 1992) or the security of the verifiable
mix network (Golle et al., 2004; Furukawa and Sako, 2001).
Based on the above analysis, we have
Theorem 4.2.1. Assume that (1) the modified ElGamal signature
system ðSSÞ (Pointcheval and Stern, 1996) is existentially unforgeable
under the chosen message attack, over a group G of a large prime order q
with a generator g; (2) the non-interactive zero-knowledge reencryption
386 X. Yi, E. Okamoto / Journal of Network and Computer Applications 36 (2013) 378–387
proof ðReencPfÞ (Hirt and Sako, 2000) is secure; (3) the non-interactive
zero-knowledge equal discrete logarithm proof ðEqDlogÞ (Chaum and
Pedersen, 1992) is secure; (4) the mix network is verifiable; our basic
voting system is verifiable even if all election authorities are corrupt.
5. Conclusion
In this paper, we have presented an Internet voting system. In
addition, we have given a formal definition of coercion-resistance for
Internet voting and provided a rigorous proof of coercion-resistance
and a descriptive proof of verifiability for our Internet voting system.
While the overhead for tallying in Juels et al.’s remote voting
system (Juels et al., 2005) is quadratic in the number of voters, the
overhead for tallying in our Internet voting system is O(nV) which
is linear in the number of voters. Therefore, our system is
practical for elections at a large scale, such as general elections.
In addition, Juels et al.’s remote voting system (Juels et al., 2005)
is not verifiable in the sense that an adversary, who has corrupted
all tallying authorities, is able to forge valid ballots without being
detected. Our Internet voting system overcomes this drawback.
Even if the adversary corrupts all election authorities, the adver-
sary is unable to forge any valid ballot in our system.
At last, a voter in our Internet voting system does not need to
encrypt her ballot during voting. The ballot is in a form of plaintext.
Therefore, even if the voter’s personal computer is infected by
malware, any modification on the voter’s ballot can be detected by
the voter. Furthermore, her vote choice remains secret because her
final vote is a combination of her ballot and her reference which is
encrypted during registration and posted on BB.
Appendix A
Our system is build on ElGamal encryption system (ElGamal,
1985) and a modified ElGamal signature system (Pointcheval and
Stern, 1996) as follows.
ElGamal encryption system (ElGamal, 1985) consists of key
generation, encryption, and decryption algorithms as follows:
 Key generation: On input a security parameter k, it publishes a
multiplicative cyclic group G of prime order q with a generator
g. Then it chooses a private key x randomly from Znq and
computes a public key y ¼ g x .
 Encryption: On inputs a message m A G and the public key y, it
chooses an integer r randomly from Znq and outputs a cipher-
text C ¼ Eðm,yÞ ¼ ðA,BÞ, where A ¼ g r and B ¼ m  yr .
 Decryption: On inputs a ciphertext ðA,BÞ, and the private key x,
it outputs the plaintext m ¼ DðC,xÞ ¼ B=Ax .
Tsiounis and Yung (1998) proved ElGamal encryption system
to be semantically secure under Decisional Diffie–Hellman (DDH)
assumption. Semantic security is commonly defined by the
following game:
 Initialize: The challenger runs the key generation algorithm,
gives the public key pk to a probabilistic polynomial time-
bounded (PPT) adversary, but keeps the private key sk to itself.
 Phase 1: The adversary adaptively asks a number of different
encryption queries C i ¼ Eðmi ,pkÞ for mi, where i ¼ 1; 2, . . . ,n.
 Challenge: Once the adversary decides that Phase 1 is over, it
outputs a pair of equal length plaintexts ðM 0 ,M 1 Þ on which it
wishes to be challenged. The challenger picks a random bit
bA f0; 1g and sends C ¼ EðMb ,pkÞ as the challenge to the
adversary.
 Phase 2: The adversary issues more encryption queries adap-
tively as in Phase 1.
 Guess: Finally, the adversary outputs a guess b0 A f0; 1g and
0
wins the game if b ¼ b.
The public key encryption cryptosystem is semantically secure
under chosen plaintext attack if the adversary cannot determine
which of the two messages was chosen by the challenger, with
probability significantly greater than 1/2 (the success rate of
random guessing).
A modified ElGamal signature system (Pointcheval and Stern,
1996) consists of key generation, signing, and verifying algo-
rithms as follows:
 Key generation: Same as ElGamal encryption system.
 Signing: On inputs a message m and the private key x, it
chooses an integer r randomly from Znq and outputs a signature
s ¼ ðS,TÞ, where S ¼ g r and T ¼ ðHðm,SÞS  xÞr1 ðmod qÞ, where
H is a hash function.
 Verifying: On inputs a message m, a signature s, and the pubic
key y, it return ‘‘1’’ if g Hðm,SÞ ¼ ST yS and ‘‘0’’ otherwise.
Pointcheval and Stern (1996) proved the modified ElGamal
signature system to be existentially unforgeable under the chosen
message attack.
Definition for security of signature system against adaptive
chosen-message attacks was first given by Goldwasser et al.
(1988). Assume that a forger takes as input a public key pk, and
tries to forge signatures with respect to pk. The forger is allowed a
chosen message attack in which it can request, and obtain,
signatures of messages of its choice. The forger is deemed
successful if it outputs a valid forgery, namely, a message/
signature pair ðm0 , s0 Þ such that verifyS ðm0 , s0 ,pkÞ ¼ 1 but m0 was
not a message of which a signature was requested earlier of the
signer. We denote this event as Succ. The advantage of an
adversary A in attacking a signature system is defined as a
function of security parameter k, AdvA ðkÞ ¼ PrA ½Succ, where the
probability is over the random bits used. A digital signature
system is existentially unforgeable under the chosen message
attack if no probabilistic polynomial time-bounded (PPT) adver-
sary has a non-negligible advantage.
References
Adida B. Advances in cryptographic voting systems. PhD thesis. MIT; 2006.
Adida B. Helios: web-based open-audit voting. In: Proceedings of the 17th USENIX
security symposium; 2008. p. 335–48.
Araújo R, Foulle S, Traoré J. A practical and secure coercion-resistant scheme for
Internet voting (extended abstract). In: Towards trustworthy elections—new
directions in electronic voting. Springer; 2010a. p. 330–42.
Araújo R, Custodio R, Graaf J. A verifiable voting protocol based on Farnel
(extended abstract). In: Towards trustworthy elections—new directions in
electronic voting. Springer; 2010b. p. 274–88.
Baudron O, Fouque PA, Pointcheval D, Stern J, Poupard G. Practical multi-candidate
election system. In: Proceedings of the PODC’01; 2001. p. 274–83.
Benaloh J. Simple verifiable elections. In: Proceedings of the electronic voting
technology workshop (EVT’06); 2006.
Benaloh J. Ballot casting assurance via voter-initiated poll station auditing. In:
Proceedings of the electronic voting technology workshop (EVT’07); 2007.
Benaloh J, Tuinstra D. Receipt-free secret-ballot elections (extended abstract). In:
Proceedings of the 26th ACM STOC’94; 1994. p. 544–53.
Blum M, Santis AD, Micali S, Persiano G. Non-interactive zero-knowledge. SIAM
Journal on Computing 1991;6:1084–118.
Brands S. Rethinking public key infrastructures and digital certificates: building in
privacy. MIT Press; 2000.
Camenisch J, Lysyanskaya A. An efficient system for non-transferable anonymous
credentials with optional anonymity revocation. In: Proceedings of the EURO-
CRYPT’01; 2001. p. 93–118.
Chaum D. Untraceable electronic mail, return addresses, and digital pseudonyms.
Communications of the ACM 1981;24(2):84–8.
Chaum D. Secret-ballot receipts: true voter-verifiable elections. IEEE Security and
Privacy 2004;2(1):38–47.
Chaum D. Punchscan; 2005. /http://www.punchscan.orgS.
Chaum D, Essex A, Carback R, Clark J, Popoveniuc S, Rivest R, et al. Scantegrity II:
end-to-end voter-verifiable optical scan election systems using invisible ink
 X. Yi, E. Okamoto / Journal of Network and Computer Applications 36 (2013) 378–387
confirmation codes. In: Proceedings of the electronic voting technology
workshop (EVT’08); 2008a.
Chaum D, Essex A, Carback R, Clark J, Popoveniuc S, Sherman A, et al. Scantegrity:
end-to-end voter-verifiable optical-scan voting. IEEE Security and Privacy
2008;6(3):40–6.
Chaum D, Pedersen TP. Wallet databases with observers. In: Proceedings if the
Crypto’92; 1992. p. 89–105.
Chaum D, Ryan P, Schneider S. A practical voter-verifiable election scheme. In:
Proceedings of the ESORICS’05; 2005. p. 118–39.
Clarkson MR, Chong S, Myers AC. Civitas: a secure remote voting system. In:
Proceedings of the IEEE symposium on security and privacy; 2008. p. 354–68.
Cohen JD, Fischer MJ. A robust and verifiable cryptographically secure election
scheme. In: Proceedings of the FOCS’85; 1985. p. 372–82.
Cramer R, Gennaro R, Schoenmakers B. A secure and optimally efficient multi-
authority election scheme. In: Proceedings of the EUROCRYPT’97; 1997. p.
103–18.
Delaune S, Kremer S, Ryan M. Coercion-resistant and receipt-freeness in electronic
voting. In: Proceedings of the 19th IEEE workshop on computer security
foundations; 2006. p. 28–42.
Draft voluntary voting system guidelines version 1.1. Volume I. Voting system
performance guidelines. National Institute of Standards and Technology; May
2009a.
Draft voluntary voting system guidelines version 1.1. Volume II. National certifica-
tion testing guidelines. National Institute of Standards and Technology; May
2009b.
ElGamal T. A public key cryptosystem and a signature scheme based on discrete
logarithms. IEEE Transactions on Information Theory 1985;31:469–72.
Fujioka A, Okamoto T, Ohta K. A practical secret voting scheme for large scale
elections. In: Proceedings of the AUSCRYPT’92; 1992. p. 244–51.
Furukawa J, Sako K. An efficient scheme for proving a shuffle. In: Proceedings of
the CRYPTO’01; 2001. p. 368–87.
Gardner RW, Garera S, Rubin AD. Coercion resistant end-to-end voting. In:
Proceedings of the financial cryptography (FC’09); 2009. p. 344–61.
Goldwasser S, Micali S, Rivest RL. A digital signature scheme secure against
adaptive chosen message attacks. SIAM Journal of Computing 1988;17(2):
281–308.
Golle P, Jakobsson M, Juels A, Syverson P. Universal re-encryption for mixnets. In:
Proceedings of the CT-RSA’04; 2004. p. 163–78.
Hirt M, Sako K. Efficient receipt-free voting based on homomorphic encryption. In:
Proceedings of the EUROCRYPT’00; 2000. p. 539–56.
Jakobsson M, Juels A. Mix and match: secure function evaluation via ciphertexts.
In: Proceedings of the ASIACRYPT’00; 2000. p. 162–77.
Jakobsson M, Juels A, Rivest R. Making mix nets robust for electronic voting
by randomized partial checking. In: Proceedings of the USENIX’02; 2002.
p. 339–53.
Juels A, Catalano D, Jakobsson M. Coercion-resistant electronic election. In:
Proceedings of the WPES’05; 2005. p. 61–70.
Kiayias A, Yung M. The vector-ballot e-voting approach. In: Proceedings of the
FC’04; 2004. p. 72–89.
387
Kiayias A, Yung M. The vector-ballot approach for online voting procedures. In:
Towards trustworthy elections—new directions in electronic voting. Springer;
2010. p. 115–74.
Kutylowski M, Zagorski F. Scratch, click & vote: E2E voting over the Internet. In:
NIST end-to-end voting system workshop; 2009.
Kutylowski M, Zagorski F. Scratch, click & vote: E2E voting over the Internet. In:
Towards trustworthy elections—new directions in electronic voting. Springer;
2010. p. 343–56.
Lee B, Kim K. Receipt-free electronic voting scheme with tamper-resistant
randomizer. In: Proceedings of the ICICS’02; 2002. p. 389–406.
MacKenzie P, Shrimpton T, Jakobsson M. Threshold password-authenticated key
exchange. In: CRYPTO’02; 2002. p. 385–400.
Moran T, Naor M. Receipt-free universally-verifiable voting with everlasting
privacy. In: Proceedings of the CRYPTO’06; 2006. p. 373–92.
Moran T, Naor M. Split-ballot voting: everlasting privacy with distributed trust.
ACM Transactions on Information and System Security 2010;13(2).
Moran T, Naor M. Split-ballot voting: everlasting privacy with distributed trust. In:
Proceedings of the CCS’07; 2007. p. 246–55.
Neff A. A verifiable secret shuffle and its application to e-voting. In: Proceedings of
the ACM CCS’01; 2001. p. 116–25.
Neff A. Practical high certainty intent verification for encrypted votes; 2004.
Available at /http://www.votehere.com/vhti/documentationS.
Okamoto T. Receipt-free electronic voting schemes for large scale election. In:
Proceedings of the security protocol workshop’97; 1997. p. 25–35.
Pointcheval D, Stern J. Security proofs for signature schemes. In: Proceedings of the
EUROCRYPT’96; 1996. p. 387–98.
Riva B, Shma AT. Bare-handed electronic voting with pre-processing. In: Proceed-
ings of the electronic voting technology workshop (EVT’07); 2007.
Rivest RL, Smith WD. Three voting protocols: threeballot, VAV, and twin. In:
Proceedings of the electronic voting technology workshop (EVT’07); 2007.
Rubin A. Security considerations for remote electronic voting. Communications of
the ACM 2002;45(2):39–44.
Sako K, Kilian J. Receipt-free mix-type voting scheme—a practical solution to the
implementation of a voting booth. In: Proceedings of the EUROCRYPT’95;
1995. p. 393–403.
Santis AD, Crescenzo GD, Persiano G. Necessary and sufficient assumptions for
non-interactive zero-knowledge proofs of knowledge for all NP relations. In:
Proceedings of the ICALP’00; 2000. p. 451–62.
Schweisgut J. Coercion-resistant electronic elections with observer. In: Proceed-
ings of the 2nd international workshop on electronic voting; 2006. p. 171–7.
Smith WD. New cryptographic voting scheme with bestknown theoretical proper-
ties. In: Proceedings of the workshop on frontiers in electronic elections
(FEE’05); 2005.
Teague V, Ramchen K, Naish L. Coercion-resistant tallying for STV voting. In:
Proceedings of the electronic voting technology workshop (EVT’08); 2008.
Tsiounis Y, Yung M. On the security of ElGamal based encryption. In: Proceedings
of the PKC’98; 1998. p. 117–34.
Weber SG, Araujo R, Buchmann J. On coercion-resistant electronic elections with
linear work. In: Proceedings of the ARES’07; 2007. p. 908–16.
Yi X, Okamoto E. Practical remote end-to-end voting scheme. In: Proceedings of
the EGOVIS’11; 2011. p. 386–400.