a secure voting system on a public network

A Secure Voting System on a Public Network

Chin-Chen Chang and Wen-Bin Wu

Institute of Computer Science and Information Engineering, National Chung Cheng University,Chiayi, Taiwan, 62107, Republic of China

Due to the rapid progress in computers and communication networks, we may want to hold a secureelectronic election on a public network. The election scheme that we proposed in this paper can fullyconform the requirements of holding a large-scale election. The privacy of the voters can be preservedagainst the voting center. No one, including the voting center, knows which voting strategy each voteradopts. The voting center cannot present a false tally without being caught. Then, ‘‘Electronic Election’’on a public network is possible by employing our proposed scheme. q 1997 John Wiley & Sons, Inc.

1. INTRODUCTION 5. Each voter can recast before the deadline for castingballots.

In past years, network systems have become more and There have been several discussions [9, 11] concernedmore prevalent. There has been an increasing need for with the issue of how to hold an election over computercommunication security and privacy, and various kinds networks. The first one was proposed by Chaum [3].of encryption techniques [5, 12] have been applied to Within his multiparty election protocol, one or severalsafeguard the transmitted information. ‘‘mixes’’ were used to protect the secrecy of voters.

Due to the rapid progress in computers and communi- Chaum [4] also proposed another method of holding se-cation technologies, we may want to use a terminal to cure ballot elections. However, Chaum’s scheme cannotdo many things, including shopping by cable television, prevent a single user from disrupting the election. Later,money transactions by electronic cash, food ordering, and Boyd [1] proposed an election scheme based on the useso on. It is easy to imagine that someday we will hold of ‘‘multiple key cipher.’’ In 1989, Boyd [2] again pre-an electronic election by using a personal computer and sented another improvement of the above electioncomputer networks at home. An electronic election sys- scheme. It ensured that the privacy of voters can be pre-tem would require each authorized participant in an elec- served and the voters may cast their votes anonymously.tion to vote anonymously. A voter can check whether However, the voting center can produce a false tally byhis/her vote has been counted correctly by the ballot adding votes of its own choice. It is clear that the resultcounting center. Now, we list the security requirements of the election will be incorrect.[7, 10] of a voting system as follows: In this paper, we propose another solution for holding

a secure election on computer networks. The scheme pro-posed can meet the security requirements stated above.1. Only legitimate voters can cast valid votes.There are two centers, Voting Center (VC) and Shuffle

2. Each legitimate voter may cast a vote only once.Center (SC), needed in our proposed scheme. VC gener-

3. No one but the voter knows which voting strategy the ates many packages of identification tags depending onvoter adopts. the number of voters. Each package contains the ci-

phertext of an identification tag. While SC shuffles these4. Each voter can check whether his/her vote has beencounted correctly by the ballot counting center. packages and randomly distributes each authorized voter

NETWORKS, Vol. 29 (1997) 81–87q 1997 John Wiley & Sons, Inc. CCC 0028-3045/97/020081-07

81

747/ 8u0d$$0009 01-22-97 00:06:12 netwa W: Networks

82 CHANG AND WU

a package in this election, each voter can decipher the 5. S tells B the numberspackage and get his/her identification tag by using a pro-tocol to talk with VC. After that, no one but the voter si ! f 01(y *i ) , for i Å 1, 2, . .. , k .knows which identification tag he/she got. By using theidentification tag, the voter can cast a valid vote. VC can S also tells C the numbersonly know the interconnection between identification tagsand voting strategies. However, it does not know the rela- si ! g01(yi ) , for i Å 1, 2, . . . , k .tionship between voters and voting strategies. It just meetsthe third security requirement stated above. Thus, the pri-

6. B computes sj since he/she knows that x*j Å f 01(y*j ).vacy of voters can be preserved. VC then announces the

C computes s*j since he/she knows that xj Å g01(yj) .result of the election by publishing a table containingcandidates and their corresponding identification tags. If

Now, we introduce Nurmi et al.’s voting scheme. LetVC produced a false tally by allocating a voter’s identifi-A be the agency supervising the electoral procedure:cation tag to a wrong place, the voter can point this out

without damaging ballot secrecy.1. A chooses n large random numbers P1 , P2 , . . . , Pn ,In Section 2, we briefly review and discuss an election

as the identification tags, where n is the number ofscheme proposed by Nurmi et al. [10]. Our proposedvoters, and conducts the ANDOS protocol for theelection scheme is given in Section 3. We also give anvoters.example to illustrate our method in the same section.

2. The voter B can get the identification tag Pi by usingFinally, some conclusions appear in Section 4.the ANDOS protocol, but A does not know the inter-connection between B and Pi .

3. B sends A the pair (Pi , hB(Pi , £B)) , where hB is a2. A Review of Nurmi, Salomaa, andhashing function, and £B , B’s voting strategy.Santean’s Ballot Elections Scheme

4. A acknowledges that the information has been re-ceived by publishing the number hB(Pi , £B) .Recently, Nurmi et al. [10] proposed a ballot election in

computer networks. Here, we give a brief review of their 5. B sends A the pair (Pi , h01B ) . A knows the interconnec-

scheme. First of all, we introduce the ANDOS (all-or- tion between Pi and £B but not between B and £B .nothing disclosure of secrets) protocol which was the 6. When the deadline for casting ballots is over, A an-main technical tool of their scheme. nounces the result of the election by publishing the

ANDOS is a protocol for the ‘‘secret selling of se- list of all hB(Pi , £B)’s.crets.’’ A seller S of secrets publishes a number of secretss1 , s2 , . . . , sk . Two buyers B and C want to buy secrets We may ask: If some of the voters might want tosj and s *j , respectively. The protocol guarantees that B and change their mind and recast their ballots, then how willC can get the secrets sj and s *j , respectively, and S does they do it? The following action can be used if the re-not know which secret each buyer gets. The protocol is casting of the ballot is done only once. (7 *) is used instated as follows: case that several possibilities of recasting are allowed:

7. B recasts his/her vote by sending A the triple (Pi ,1. S sends the one-way functions f and g to B and C ,

hB(Pi , £B) , £ *B) , where £ *B is the new voting strategy.respectively; however, he/she keeps the relative in-

7*. B recasts his/her ballot by sending the pair (Pi ,verse f 01 , g01 to him/herself.h *B(Pi , £ *B)) , where h *B is a new hashing function

2. B tells C k random numbers of n-bits x1 , x2 , . . . , xk . chosen by B .C tells B k random numbers of n-bits x*1, x*2 , . . . , x*k .

3. B sends C the set of FBIB with respect to (x*j , In the new election result, hB(Pi , £B) is removed fromf ( x *j )) , where FBI stands for the fixed bit index. We the list, and h *B(P *i , £ *B) is added to the list according tosay that an index is in the set of FBI with respect to the new voting strategy £ *B .the pair (x , f ) if the i th bit in x is equal to the i th bit By the above algorithm, we see that two voters willin f ( x) . get the same identification tag by using the ANDOS pro-C sends B the set of FBIC with respect to (xj , g(xj)) . tocol. To avoid this, they proposed two solutions: One is

to make sure that the numbers of identification tags are4. B tells S the numbers y1 , y2 , . . . , yk , where yi resultsfrom xi by replacing every bit whose index is not in much larger than those of voters such that the probability

for a coincidence is negligible. However, this will leadFBIC with its complement. C also tells S the numbersy *1 , y*2 , . . . , y *k . the center to vote the unused identification tag without


SECURE VOTING SYSTEM ON A PUBLIC NETWORK 83

being caught. The other solution is when receiving the the received messages according to the user’s demand,and all users can read the published information throughsame identification tag twice the later voter must rechoose

another identification tag to vote. However, the complex- the public channel. More details can be found in [8] .Now, we describe our scheme as follows:ity of the ANDOS protocol is O(n 2) . The voters and

the voting center need a large-scale communication tocomplete the protocol. These make this scheme imprac-

Registration Phasetical.In the following section, we propose a secure election

First, VC chooses a large prime number P and a primitivescheme which can avoid the drawbacks of Nurmi et al.’selement e over Galois Field GF(P) and makes them pub-scheme and still meet the security requirements over com-lic. Then, VC randomly chooses n prime numbers a1 , a2 ,puter networks.. . . , an as the identification tags over GF(P) , where nis the number of voters. VC sends the values of

3. OUR PROPOSED ELECTION SCHEME

In this section, we describe our proposed secure electionscheme over a public computer channel. It can fully sat-

ea1 mod P ,

ea2 mod P ,

:

ean mod P

isfy the security requirements stated above.Just as in the normal election process, the proposed

election system is divided into two phases: the registrationphase and the voting phase. In the registration phase, a

to the previously defined semipublic board for future au-voter should register him/herself to VC. After that, SCthentication.will randomly distribute each authorized voter a package

Next, VC randomly chooses a secret key d over GF(P)as well as an identification tag. Then, he/she will get afor this election, where gcd(d , P 0 1) Å 1. Here, gcd(x ,valid ballot with an identification tag. This can be doney) denotes the greatest common divisor between x and y .by an efficient protocol, such that no one, including VCThen, VC computes n packages O1 , O2 , . . . , On in theitself, knows which identification tag he/she gets. In thefollowing:voting phase, a voter can use the valid ballot with an

identification tag to cast his/her vote. The privacy ofvoters can be preserved against VC because no one except O1 Å (ea1 mod P , a d

1 mod P) ,the voter him/herself knows which voting strategy that

O2 Å (ea2 mod P , a d2 mod P) ,he/she adopts. The others and VC only know the relation-

ship between the identification tag and the voting strategy :but not between the voter and the voting strategy. While

On Å (ean mod P , a dn mod P) ,all the voters have completed their votes, VC publishes

the result of the election with the identification tag on it.Each voter can then check whether or not his/her voting and sends these packages to an independent SC. Then,strategy has been counted correctly. If not, the voter can SC will shuffle these packages and distribute each user apoint this out and the third party can prove VC produces package. This will be done by a one-to-one and ontoa false tally. function. After that, SC can be closed completely.

Before describing the detailed algorithm, we introduce While each voter gets a package, he/she can use thethe concept of semipublic board (He et al. [8]) used in second element in the package to get his/her identificationour scheme. tag. Assume that the voter Ui gets the j th package Oj , 1

° i , j ° n . The following algorithm is used to get Ui’sidentification tag.Definition (He, Harn, and Yang [8])STEP 1. Ui randomly chooses a secret key si such thatA semipublic board is a Blackboard (BB) in the system.

gcd(si , P 0 1) Å 1. Then, he/she computesEach user can read (or write) messages from (to) BBthrough a public channel. There exits a unidirectionalsecure channel from each user to the server, i.e., each Ai Å (a d

j ) si mod P ,user can send secure message to BB through a securechannel, and no one knows where the message comes and sends Ai to the semipublic board.from.

The work of BB is simple since it receives messages STEP 2. VC gets Ai from the semipublic board and com-putesfrom each user through a secure channel and publishes


84 CHANG AND WU

It is also impossible for an intruder to calculate ai fromA*i Å (Ai ) d01mod P

the expressionÅ (a drsi

j ) d01mod P

a di mod PÅ a si

j mod P ,

without knowing the secret key d . The computing of ajwhere d01 is the inverse of d over GF(P) , and thenfrom the formulasends A*i back to the semipublic board.

STEP 3. Ui gets A *i from the semipublic board and calcu- Ai Å (a dj ) si mod P , or

lates his/her identification tag a *j asA *i Å (aj)

si mod P

a *j Å (A *i ) s01i mod P

will meet the same defeat.Now, let us consider another problem. Suppose thatÅ (a sij ) s01

i mod Pan intruder wants to derive the secret key d of VC. He/Å aj , she must solve one of the following expressions:

where s01i is the inverse of si over GF(P) . a d

i mod P , orUi checks the validity of aj by using the first element

Ai Å (a dj ) si mod P .in Oj to test whether the following expression is satis-

fied or not:It is computationally infeasible. The reason is that deriv-ing d from one of the above expressions is as difficult asea j Å ea *

j mod P .solving the discrete logarithm problem. Thus, our schemecan guarantee that a voter will get a valid ballot with anIf not, Ui claims that VC’s behaviors are fraudulent.identification tag secretly.

Security AnalysisVoting Phase

Assume that SC and VC are fully independent, i.e., theyIn this phase, we describe the process of how a votercannot work cooperatively. Thus, VC has no idea ofcasts his/her vote. Suppose that each voter Ui , 1 ° iwhich package a voter gets. On the other hand, we may ° n , has a secret key xi and a public key yi , whereproduce a tamper-free shuffle machine in place of the

role of SC. The tamper-free shuffle machine can onlyyi Å exi mod P .distribute packages to the voters and reveal nothing about

whom the package was sent to. It is more convenient andThe secret key and the public key of VC are chosen bysecure than the original SC. Since VC does not knowthe same way, which is denoted as x0 and y0 , respectively.which package a voter gets, it has no idea of which identi-

Suppose that a voter Ui has gotten a valid identificationfication tag the voter will get.tag aj . He/she can use aj and the well-known ElGamalNext, the communications between the voters and thepublic key cryptosystem [6] to cast ballot. The detailedsemipublic board are on a secure channel according toalgorithm is stated as below:the definition of semipublic board. No one knows where

the package flows from and to. The packages Ai and STEP 1. Ui chooses a random number ri over GF(P) .A *i have been encrypted by the secret key si chosen by

STEP 2. Ui computes Ci,1 , Ci,2 as follows:the voter Ui . It is impossible for anyone, including VCitself, to know which identification tag was in these pack-

Ci, 1 Å eri mod Pages. Thus, an anonymous identification tag has been ob-tained by the voter safely and secretly.

Suppose that an intruder wants to derive a valid ballot;andhe/she should calculate an identification tag ai from the

package (eai mod P , a di mod P) . However, to derive ai Ci,2 Å y ri0 ! Vi mod P ,

from the expression

where Vi is the voting strategy of Ui and ! denoteseai mod P the exclusive-or operator. Then, he/she encrypts the

message (aj , Ci ,2 ) by using a public key cryptosystemand sends VC the ciphertext.is as difficult to solve as the discrete logarithm problem.



STEP 3. VC decrypts the ciphertext of (aj , Ci ,2 ) and ac- reason is that there are no two distinct prime numbers,aj and ak , where j x k , such thatknowledges that the information has been received by

publishing the value of Ci ,2 .

eai Å eak mod P .STEP 4. While Ui realizes that (aj , Ci ,2 ) has been receivedby VC, he/she sends the ciphertext of (aj , Ci ,1 ) to VC.

Thus, VC cannot present such a false tally by adding anSTEP 5. VC decrypts the ciphertext of (aj , Ci ,1 ) and pub-invalid ballot with an identification tag an/1 without beinglishes (Ci ,1 , Ci ,2 ) to the public.caught.

STEP 6. Assume that Ui wants to recast his/her ballot. In the following, we will use an example to illustrateHe/she can choose another random number r *i to re- our scheme:place of ri and repeats the above four steps once beforethe deadline for casting ballots.

ExampleSTEP 7. When the deadline for casting ballots is over,VC can get the ballots of Ui by computing the value

Suppose that there are four legitimate voters U1 , U2 , U3 ,of Vi as follows:and U4 in the election. VC chooses a large prime numberP Å 31, a primitive element e Å 7 over GF(31), and

Vi Å Cx0i,1

! Ci,2 mod Ppublishes P and e . VC also chooses four prime numbers5, 11, 17, and 23 as the identification tags and a secretÅ erirx0 ! yri0 ! Vi mod Pkey d Å 13 over GF(31) for this election, where gcd(13,

Å yri0 ! yri0 ! Vi mod P 31 0 1) Å 1. The following phase shows how a user canget an identification tag secretly:Å Vi .

Now, VC announces the result of the election byRegistration Phasepublishing the table containing candidates and their

corresponding identification tags.At first, VC computes four packages O1 , O2 , O3 , and O4

as follows:Security Analysis

O1 Å (75 mod 31, 513 mod 31)The security of this phase is based on the well-knownElGamal scheme. It is computationally infeasible to solve Å (5, 5) ,the discrete logarithm. Thus, our scheme is secure.

O2 Å (711 mod 31, 1113 mod 31)Suppose that VC does not properly allocate Vi ; Ui canpoint this out by presenting (aj , Ci,2 , Ci,1) . By Step 3 in Å (20, 21),the Voting Phase, the third party can prove that Ui is

O3 Å (717 mod 31, 1713 mod 31)right and, therefore, VC has to correct the result.Assume that VC wants to present a false tally by add- Å (18, 3) ,

ing an invalid ballot with an identification tag an/1 , then,andthe value of the expression

O4 Å (723 mod 31, 2313 mod 31)ean/1 mod P

Å (10, 15).

must be equal to one of the following expressions:VC sends these packages to SC and publishes 5, 20, 18,10 for future authentication. Next, SC shuffles these pack-ages and distributes each voter a package.

Suppose that U1 , U2 , U3 , and U4 get packages O4 , O3 ,

ea1 mod P ,

ea2 mod P ,

:

ean mod P ,

O1 , and O2 , respectively. The following steps shows thathow U2 can get an identification tag secretly:

STEP 1. U2 gets the package O3 Å (18, 3) . He/she ran-domly chooses a secret key S2 Å 29, where gcd(29,which have been published at the registration phase, and

an/1 x ai , for all i Å 1, 2, . . . , n . It is impossible. The 31 0 1) Å 1, and computes


86 CHANG AND WU

STEP 4. U2 sends the ciphertext of (17, 2) to VC. Then,A2 Å 329 mod 31VC publishes the pair (2, 1010).Å 21.

STEP 5. When the deadline of ballots is done, VC canThen, U2 sends 21 to the semipublic board. get the vote of U2 by computing

STEP 2. VC computesV2 Å Cx02,1 ! C2,2 mod 31

A *2 Å 211301mod 31 Å 23 ! 1010 mod 31

Å 11 Å 1000 ! 1010 mod 31

Å 0010and sends 11 back to the semipublic board correspond-ing to 21. Å 2.

STEP 3. U2 calculates his/her identification tag a2 asIt is exactly the voting strategy of U2 . The other

voting strategy can be computed in the same way.a2 Å 112901mod 31

Suppose that the other votes represented as the formÅ 17. (candidate, identification tag) are (1, 5) , (0, 11), and

(2, 23), respectively. Then, VC announces the resultU2 checks whether or not 17 is a valid identification of the election by publishing the table

tag by testing whether the following expression:

717 mod 31,

is equal to the first element 7 in O3 .

Identiˆcation tags

Candidates

11

≤0

5

1

17 23

≤2

If there are no opinions about the list, the result of theballot election is correct, i.e., the secret voting has beenVoting Phasesuccessfully held securely.

Let the pairs of (secret key, public key)’s of U1 , U2 ,U3 , and U4 be (7, 28), (6, 4) , (4, 14), and (10, 25),respectively. The pair of (secret key x0 , public key y0)

4. CONCLUSIONSof VC is (3, 2) . U2 has gotten a valid identification tag17 and his voting strategy V2 Å 2. Then, he/she can use

In this paper, we proposed a secure electronic electionit and the ElGamal cryptosystem to cast ballot withouton a public network. The scheme consists of two phases:worrying about revealing the interconnection betweenthe registration phase and the voting phase. In the registra-him/herself and his/her voting strategy.tion phase, a legitimate voter can get an identification tag

STEP 1. U2 chooses a random number r2 Å 3. which is anonymous. The voting phase allows a voter tocast a ballot by using the identification tag. After that,STEP 2. U2 computes C2,1 , C2,2 as below:only the voting center knows the interconnection betweenthe identification tag and the voting strategy, but not be-C2,1 Å 73 mod 31tween the voter and the voting strategy. Thus, secret vo-

Å 2, ting over a public network is possible by employing ourscheme.C2,2 Å yr20 ! V2 mod 31

Å 23 ! 2 mod 31

Å 1000 ! 0010 mod 31 REFERENCES

Å 1010.[1] C. Boyd, Some applications of multiple key ciphers.

Proceedings of Eurocrypt ’88. Springer-Verlag, Davos,Then, U2 encrypts the pair (17, 1010) and sends VCSwitzerland (1988) 455–467.

the ciphertext.[2] C. Boyd, A new multiple key cipher and an improved

voting scheme. Proceedings of Eurocrypt ’89. Springer-STEP 3. VC decrypts the ciphertext of (17, 1010) andVerlag, Houthalen, Belgium (1989) 617–625.acknowledges that the information has been received

[3] D. Chaum, Untraceable electronic mail, return address,by publishing the value of 1010.



and digital pseudonyms. Commun. ACM 24(2) (1981) probably better than ‘‘public key.’’ Private Communica-tion (1992).84–88.

[9] K. R. Iversen, A cryptographic scheme for computerized[4] D. Chaum, Elections with unconditionally secret ballotsgeneral elections. Proceeding of Crypt’91. Springer-Ver-and disruption equivalent to breaking RSA. Proceedingslag, New York (1991) 405–419.of Eurocrypt ’88. Springer-Verlag, Davos, Switzerland

(1988) 177–182. [10] H. Nurmi, A. Salomaa, and L. Santean, Secret ballotelections in computer networks. Comput. Sec. (1991)[5] W. Diffie and M. Hellman, New directions in cryptogra-553–560.phy. IEEE Trans. Info. Theory IT-22(6) (1976) 644–

[11] C. Park, K. Itoh, and K. Kurosawa, All /nothing election654.scheme and anonymous channel. Pre-Proceeding of Eu-[6] T. ElGamal, A public key cryptosystem and a signaturedrocrypt ’93, Lofthus, Norway (1993) T97–T113.scheme based on discrete logarithms. IEEE Trans. Info.

[12] R. L. Rivest, A. Shamir, and L. Adleman, A method forTheory IT-31(4) (1985) 469–472.obtaining digital signatures and public-key cryptosys-

[7] L. Harn and T. Kiesler, How to hold an election overtems. Commun. ACM 21(2) (1978) 120–126.

computer network. Workshop on Information Security &Modern Cryptography, Tainan, Taiwan (1991) 129–138. Received February 28, 1994

Accepted November 21, 1995[8] J. He, L. Harn, and S. Yang, ‘‘Semi-public key’’ is


a secure voting system on a public network

Documents