enhanced security in internet voting protocol using blind signature and dynamic ballots

16
Electron Commer Res (2013) 13:257–272 DOI 10.1007/s10660-013-9120-5 Enhanced security in internet voting protocol using blind signature and dynamic ballots Thi Ai Thao Nguyen · Tran Khanh Dang Published online: 18 May 2013 © Springer Science+Business Media New York 2013 Abstract In this paper, we introduce an internet voting protocol which satisfies de- sired security requirements of electronic voting. In the newly proposed protocol, we allow the adversaries to get more power than in any previous works. They can be coercers or vote buyers outside, and corrupted parties inside our system. These ad- versaries also have ability to collude with each other to ruin the whole system. Our main contribution is to design an internet voting protocol which is unsusceptible to most of sophisticated attacks. We employ the blind signature technique and the dy- namic ballots instead of complex cryptographic techniques to preserve privacy in electronic voting. Moreover, we also aim at the practical system by improving the blind signature scheme and removing physical assumptions which have often been used in the previous works. Keywords Internet voting · Voting protocol · Blind signature · Dynamic ballot · Receipt-freeness 1 Introduction Along with the rapid growth of modern technologies, most of the traditional services have been transformed into remote services through internet. Voting service is among them. Remote electronic voting (also called internet voting) system makes voting more efficient, more convenient, and more attractive. Therefore, many researchers have studied this field and tried to put it into practice as soon as possible. However, T.A.T. Nguyen ( ) · T.K. Dang Faculty of Computer Science and Engineering, HCMC University of Technology, 268 Ly Thuong Kiet Street, District 10, Ho Chi Minh City, Vietnam e-mail: [email protected] T.K. Dang e-mail: [email protected]

Upload: tran-khanh

Post on 23-Dec-2016

217 views

Category:

Documents


1 download

TRANSCRIPT

Page 1: Enhanced security in internet voting protocol using blind signature and dynamic ballots

Electron Commer Res (2013) 13:257–272DOI 10.1007/s10660-013-9120-5

Enhanced security in internet voting protocol usingblind signature and dynamic ballots

Thi Ai Thao Nguyen · Tran Khanh Dang

Published online: 18 May 2013© Springer Science+Business Media New York 2013

Abstract In this paper, we introduce an internet voting protocol which satisfies de-sired security requirements of electronic voting. In the newly proposed protocol, weallow the adversaries to get more power than in any previous works. They can becoercers or vote buyers outside, and corrupted parties inside our system. These ad-versaries also have ability to collude with each other to ruin the whole system. Ourmain contribution is to design an internet voting protocol which is unsusceptible tomost of sophisticated attacks. We employ the blind signature technique and the dy-namic ballots instead of complex cryptographic techniques to preserve privacy inelectronic voting. Moreover, we also aim at the practical system by improving theblind signature scheme and removing physical assumptions which have often beenused in the previous works.

Keywords Internet voting · Voting protocol · Blind signature · Dynamic ballot ·Receipt-freeness

1 Introduction

Along with the rapid growth of modern technologies, most of the traditional serviceshave been transformed into remote services through internet. Voting service is amongthem. Remote electronic voting (also called internet voting) system makes votingmore efficient, more convenient, and more attractive. Therefore, many researchershave studied this field and tried to put it into practice as soon as possible. However,

T.A.T. Nguyen (�) · T.K. DangFaculty of Computer Science and Engineering, HCMC University of Technology,268 Ly Thuong Kiet Street, District 10, Ho Chi Minh City, Vietname-mail: [email protected]

T.K. Dange-mail: [email protected]

Page 2: Enhanced security in internet voting protocol using blind signature and dynamic ballots

258 T.A.T. Nguyen, T.K. Dang

that has never been an easy work [27]. It is true that e-voting brings many benefits fornot only voters but also voting authorities. Nevertheless, benefits always come alongwith challenges. The biggest challenge of internet voting is security.

In many previous works, authors proposed several internet voting protocols try-ing to satisfy as many security requirements as possible such as eligibility, unique-ness, privacy, accuracy, fairness, receipt-freeness, uncoercibility, individual verifiabil-ity, universal verifiability, and coercion-resistance, the latest one. However, securityleaks cannot be rejected thoroughly in recent internet voting protocols when votingauthorities collude with each other. In the protocol of Cetinkaya et al. [8], for ex-ample, though the authors announced that their protocol fulfilled the requirement ofuncoercibility, once the adversaries corrupted the voter and colluded with the votingauthorities taking responsibilities of holing ballots and voter’s cast, they could easilyfound out whether that voter followed their instruction or not. In addition, in votingprotocol of Spycher et al. [26] and JCJ protocol [17], if the coercer can communi-cate with the registrars, no longer can voter lie about their credentials. Therefore, theuncoercibility cannot be satisfied. Moreover, in order to satisfy the receipt-freeness,some protocols employed the physical assumptions such as untappable channels thatare not suitable for the services through internet.

Most of the previous internet voting protocols applied three main cryptographictechniques to solve the security problems. Thus, we classify these protocols into threetypes as: protocols using mix-nets, blind signatures, and homomorphic encryption.

The concept of mix-nets was firstly introduced by Chaum [9] in 1981. Since then,there have been some proposed voting protocols such as [6, 13, 23]. However, theseprotocols met with the big difficulties because of the huge costs of calculations andcommunications which the mix-net required. So far, no election system based on mix-net has been implemented [5]. Besides mix-net, homomorphic encryption is anotherway to preserve privacy in internet voting system. Though homomorphic encryptionprotocols [1, 3, 11] are more popular than mix-net, they are still inefficient for largescale elections because computational and communicational costs for the proof andverification of vote’s validity are quite large when there are a lot of candidates. More-over, homomorphic encryption protocols cannot be employed on multi-choices vot-ing forms. As for the blind signature protocols, they also provided anonymity withoutrequiring any complex computational operators or high communicational cost. Untilnow, there have been many protocols based on blind signature such as [7, 8, 12, 14,16, 19]. Some of them employed blind signature on concealing the content of votes,others concealed the identifications of voters. Protocol [12], for example, concealsthe content of votes; then at the end of voting process, voters had to send the decryp-tion key to the voting authority. This action might break the security if the adversariesconspired with these voting authorities. Therefore, our proposal applies the blind sig-nature technique which is used to hide the real identification of a voter. Besides that,in order to protect the content of votes we apply dynamic ballots along with a recast-ing mechanism without sacrificing uniqueness to enhance security in internet votingprotocol and make good the previous protocol’s shortcomings as well.

In this paper, we propose the practical internet voting protocol which guaranteesall security requirements. The remarkable contribution is that our proposal is able todefeat the more powerful adversaries which can collude with many voting authorities.

Page 3: Enhanced security in internet voting protocol using blind signature and dynamic ballots

Enhanced security in internet voting protocol using blind signature 259

Another improvement here is the enhancement of blind signature scheme that makesour protocol faster and more efficient.

The structure of this paper is organized as follows. In Sect. 2, the backgroundknowledge is summarized. We describe the details of our proposal protocol in Sect. 3.Then, in Sect. 4 security of the protocol is discussed. Finally, the conclusion andfuture works are included in Sect. 5.

2 Background

2.1 Security requirements

In [5, 19], the security requirements of a voting system are introduced as followings:

• Privacy: it is the main requirement in the information age. The definition of privacyis discussed in many e-commerce applications [25]. In internet voting application,privacy requirement is fulfilled when no one can know the link between the voteand the voter who casted it.

• Eligibility: only eligible and authorized voters can carry out their voting process.• Uniqueness: each vote casts only one vote. In [19], though the uniqueness is de-

fined that: “Every voter votes exactly one time”, some voting schemes allow theirclients to vote many times in election period. However, only their last vote is ac-cepted by voting authorities.

• Accuracy: the content of vote cannot be modified or deleted. In addition, a vali-dated voter cannot be removed from the final tally, and an invalid vote cannot becounted in the final tally without being detected.

• Fairness: no one, including voting authorities, can get the intermediate result of thevoting process before the final result is publicized.

• Receipt-freeness: the voting system should not give voter a receipt which he usesto prove what candidate he voted. Its purpose is to protect against vote-buying.

• Uncoercibility: the adversary cannot force any voters to vote for his own intentionor to reveal their votes. Its purpose is to avoid the attack of coercers.

• Individual verifiability: every voter is able to check whether their vote is countedcorrectly or not. However, it seems very difficult to prove to voters that their voteis casted as intended while the receipt-freeness requirement is still satisfied.

• Universal verifiability: every voter who is interested in tally result can verify thatthe final result is correctly computed from all the ballots casted by eligible voters.

2.2 Cryptography building block

To protect their users, e-commerce applications employ many primitives and proto-cols from the field of cryptography [4, 22, 24]. Internet voting is among them. Inthis section, we present some related cryptographic techniques which are frequentlyapplied in many previous internet voting protocols.

Page 4: Enhanced security in internet voting protocol using blind signature and dynamic ballots

260 T.A.T. Nguyen, T.K. Dang

Bulletin boards In [2], Bulletin board is a communication model which can publishinformation posted on its body, thus everybody can verify these information. Internetvoting system applies this model to fulfill the requirement of verifiability. In the pro-tocol using bulletin board, voters and voting authorities can post information on theboard. Nevertheless, no one can delete or alter these things.

Blind signature The concept of blind signature was first introduced by Chaum [10].It stemmed from the need of verifying the valid of a document without revealinganything about its content. The function of the blind signature is similar to the car-bon paper put in a sealed envelope. The process of this technique can be imaginedas followings: the Owner of a document needs the signature of an authority on hisdocument for authentication purpose. In order to prevent the authority from readingthe information, the owner does a trick that he puts the document together with acarbon-paper into a sealed envelope, and sends it to the authority. Upon receivingthat envelope, the authority checks the identification of sender. If the owner is eli-gible, the authority will sign on the predefined area outside the sealed envelope, andsend it back to the owner. Finally, thanks to the carbon-paper, owner has the signatureof authority without revealing any information written in the document.

A simple method to implement the blind signature scheme is to apply the asym-metric cryptosystem RSA. We have some notations:

• m: the document needs to be signed;• d : the private key of authority (signer);• e, N : the public key of authority;• s: the signature of m.

The RSA blind signature scheme is implemented as follows:The owner generates a random number r which satisfies gcd(r,N) = 1. He blinds

m by the blind factor re(modN). After that, he sends the blinded document m′ =m · re(modN) to the authority.

Upon receiving m′, the authority computes a blinded signature s′, as illustrated inEq. (1), then sends it back to the owner.

s′ ≡ (m′)d modN ≡ (

m · re)d modN ≡ (

md · red)

modN ≡ (md · r)modN (1)

According to Eq. (1), the owner easily obtains the signature s, as Eq. (2).

s ≡ s′ · r−1 modN ≡ md modN (2)

Dynamic ballot The concept of dynamic ballot was first introduced in [7]. In mostof internet voting protocols, authors have used usual ballots in which the order ofcandidates is pre-determined. Therefore, when someone gets a voter’s casting, theyinstantly know the actual vote of that voter. Alternatively, the candidate orders indynamic ballot change randomly for each ballot. It is equivalent to the fact that thecandidate selection of each voter has its own contextual meaning. Hence, adversaryneeds the voter’s casting as well as the corresponding dynamic ballot in order toobtain the real choice of a voter.

Page 5: Enhanced security in internet voting protocol using blind signature and dynamic ballots

Enhanced security in internet voting protocol using blind signature 261

Let assume that the number of candidates is “n”. So we have “n!” different waysto mix the order of candidates in each ballot. For example, if there are 3 candidates{C1,C2,C3} in the election (n = 3), voters may take 6 different ballots as followings:

B1 = {C1,C2,C3},B2 = {C1,C3,C2},B3 = {C2,C1,C3},B4 = {C2,C3,C1},B5 = {C3,C2,C1},B6 = {C3,C1,C2}.

Naturally, the larger number of candidates is, the more options a voter chooses toarrange the order of candidates in his ballot. Therefore, it is also difficult for adver-saries to infer the ballot of a voter.

In voting process, each voter can randomly take one of these ballots. After that,he chooses his favorite candidate. Then he casts the order of this candidate in hisballot (not the name of this candidate) to a voting authority and his ballot to anothervoting authority. Until the voting process completes, these two authorities cooperatewith each other to calculate the final result. In short, with dynamic ballots, any par-ticipant or authority including the counter cannot gain the intermediate result beforethe counting stage. This ensures the fairness of the protocol.

ElGamal protocol ElGamal cryptosystem was first described by Taher ElGamal in1984. In [18], it is implicitly based on the difficulty of finding a solution to the discretelogarithm. The discrete logarithm problem, also called DLP, is the computationalproblem of finding x = loga(b) such that b = ax . In the next paragraph, we cite aninstance of ElGamal protocol based on ElGamal cryptosystem (see more in [18]).

Sender Alice wants to give receiver Bob a message m. As for Bob, he possesses:

• public key: (a, ax,p) where p is a prime; and• private key: x is an integer such that 1 ≤ x ≤ p − 1.

ElGamal protocol follows the below steps: at first, Alice obtains Bob’s public key.Then, Alice chooses a private element y randomly where 1 ≤ y ≤ p − 1. After that,she sends the ciphertext message c = (r, s) where r = ay and s = m · axy to Bob.Upon receiving c, Bob uses his private key x to encrypt the ciphertext message asfollows:

m = r−x · s modp

We can verify the correctness of the deciphering as follows:

r−x · s = (ay

)−x · m · axy = a−xy · m · axy = m

Page 6: Enhanced security in internet voting protocol using blind signature and dynamic ballots

262 T.A.T. Nguyen, T.K. Dang

Plaintext Equality Test (PET) The notion of PET (standing for plaintext equalitytest) was proposed by Jakobsson and Juels in [15]. The purpose of PET protocol is tocompare two ciphertexts without decrypting. It based on the ElGamal cryptosystem.

Let (r1, s1) and (r2, s2) be ElGamal ciphertexts of two plaintexts m1 and m2respectively. The input I of PET protocol is a quotient of ciphertexts (r1, s1) and(r2, s2), and output R is a single bit such that “R = 1” means two plaintexts m1 andm2 are equal, otherwise R = 0. Basing on the ElGamal protocol, we have

(r1, s1) = (ay1,m1a

x·y1)

(r2, s2) = (ay2,m2a

x·y2)

where y1 and y2 are randomly chosen by the owners of m1 and m2.

I = (r1/r2, s1/s2) = (ay1−y2 , (m1/m2) · ax(y1−y2)

) = (ay1−y2 , ax(y1−y2)

)(3)

According to ElGamal cryptosystem, I is the ciphertext of the plaintext (m1/m2).Therefore, if someone who owns the decryption key x, they can complete the veri-fication by decrypting the expression (3) without gaining any information about thetwo input plaintexts m1 and m2. For more information, let refer to [20].

2.3 Security flaws in internet voting protocol

Vote buying and coercion In a traditional voting system, to ensure a voter not tobe coerced or try to sell his ballot to another, voting authorities built some electionprecincts or kiosk in order to separate voters from coercers and vote buyers. There-fore, they could vote based on their own intentions. When internet voting system isbrought into reality, there are no election precincts or voting kiosks, but voters andtheir device which can connect to the internet. Hence, the threats from coercers andvote buyers quickly become the center of attention of the voting system.

Corrupted registrar Registration is always the first phase of a voting process wherevoting authorities check voters’ eligibilities and give voters the certificates to step intothe casting phase. However, in case a voter abstains from voting after registration, thecorrupted registrars can take advantages of those certificates to legalize the false votesby casting the extra vote on behalf of the abstaining voters. Sometimes, corruptedregistrars can issue false certificates to deceive other voting authorities.

Corrupted ballot center Some protocols have ballot center as providing voters withballots. Others, in [3], utilize it for holding the choices that voters made until thecasting phase completes. If the ballot center becomes a corrupted party, it can modifythe content of the votes or sell them to vote-buyers and coercers who want to checkwhether the coerced voters cast the candidate they expect. Hence, the feasible internetvoting protocol has to possess the mechanism to protect the system against this threat.

Corrupted tallier Tallier takes the responsibility for counting up all the votes to getthe final result of voting process. If tallier becomes a corrupted party, it will be ableto do that job though the voting process does not come to the end. In this case, it willrelease the intermediate voting result which has the influence on the psychology ofthe voters who have not casted the ballots yet. This threat makes the fairness fail.

Page 7: Enhanced security in internet voting protocol using blind signature and dynamic ballots

Enhanced security in internet voting protocol using blind signature 263

Table 1 Notations for the proposal internet voting protocol

Notation Meaning

(ex , dx) A public-private key pair of user X

Ex(m) An encryption of message m with the public key ex

Dx(m) A decryption/sign of message m with the private key dx

H(m) An one way hash function with an input m

EPET (m) An encryption of m using ElGamal cryptosystem

BB Bulletin Board

PET(x, y) A PET function applying PET protocol with two inputs x, y

B A dynamic ballot

V ′ A voter’s candidate selection basing on the dynamic ballot

V A voter’s actual vote

3 The proposed internet voting protocol

3.1 Registration phase

In this phase, the blind signature technique is applied to conceal the real identityof a voter through creating an anonymous identity for communicating with othervoting authorities. The following paragraph will show how voters get his anonymousidentification from Privacy of Voter server (hereafter called PVer).

Firstly, voter sends his real ID to Registration server (hereafter called RS) to startregistration process. In this case, the real ID of voter can be his public key. RS ap-plies Challenge Response Authentication Mechanism (CRAM) to authenticate thatthe user who sends the real ID is exactly the person whom he declares to be (or thereal owner of the public key). Based on the real ID, RS checks whether that user isregistered or not. If he did this job before, RS will terminate his session; otherwise,RS will ask CA to check the current rules of the voting process in order to find outwhether this person can become an eligible voter or not. Then, RS creates a certificateand sends it to the voter. The certificate issued by RS includes:

• A serial number: the PVer uses this parameter to ensure that each voter gets onlyone anonymous ID.

• A digital stamp: is public information, like a sequence number, agreed among vot-ing committees.

• A session key: is used to encrypt the message which PVer sends to the voter askingfor blind signature. PVer has no information about that voter, therefore it has to usesession key to encrypt the message instead of voter’s public key.

• A signature of RS: is hashed and signed by the private key of voting committee.

Upon receiving the certificate, voter generates his unique identification by encrypt-ing the digital stamp by his private key and then hashing the result with one wayfunction. In short, we have unique identification uid. Other notations in this sectionare explained in Table 1.

uid = Hash(DV (Digital stamp)

)

Page 8: Enhanced security in internet voting protocol using blind signature and dynamic ballots

264 T.A.T. Nguyen, T.K. Dang

Fig. 1 Registration scheme

To get the signature of voting committee on uid, a voter applies the blind signa-ture scheme as introduced in Sect. 2.2. He uses a random blind factor to blind uid,then sends it together with the certificate to PVer which takes the responsibility forpreserving privacy of voters. PVer saves the serial number in certificate in order to en-sure that each certificate asks for the blind signature just one time. After checking thevalidity of certificate, PVer blindly signs the uid using the private key of voting com-mittee, then send the result s′ to the voter. He, then, unblinds s′ to get the signature s

of voting committee on his uid.Since then, the voter sends uid and corresponding s to other voting authorities for

authentication. The detail steps of registration scheme are illustrated in Fig. 1.To avoid man-in-the-middle-attacks, the asymmetric cryptosystem is used at the

1st, 6th, and 8th steps. However, at the 10th step, asymmetric key pairs are not agood choice because they are used only one time for encrypting message, not authen-ticating. Therefore, the symmetric-key cryptosystem with Tripple DES algorithm isproposed in this blind signature scheme because it has some significant benefits suchas:

• It does not consume too much computing power so we can shorten encryption timeand simplify the period of encryption certificate as well;

• Although a symmetric encryption is not as safe as an asymmetric encryption, highlevel of security still is guaranteed for some reasons that: Triple DES has high com-plexity, the session key generated randomly by system is long enough to againstBrute Force and Dictionary Attack, the period of using session key is limited inone step with a short time.

Another improvement of the blind signature scheme is that each voter generateslist of anonymous identifications including uid, uid1, uid2 instead of just one anony-

Page 9: Enhanced security in internet voting protocol using blind signature and dynamic ballots

Enhanced security in internet voting protocol using blind signature 265

Fig. 2 Casting scheme

mous identification. The purpose of uid is to communicate with other voting servers;and uid1 and uid2 are to ensure the ballot of voter is not modified by any adversaries.

3.2 Authentication and casting phase

To protect privacy of votes from coercers, voting buyers, or sometimes adversarieswho stay inside the system, we propose the scheme as Fig. 2 which applies dynamicballots, plaintext equivalent test, bulletin boards as introduced in Sect. 2.2.

In many previous works, to avoid coercion as well as vote buying, some authorsapply fake identification mechanism to deceive coercers (in JCJ protocol [17]); andothers utilize recasting mechanism without sacrificing uniqueness associated withdynamic ballot technique to conceal his or her final decision [8]. Fake identificationrequires the condition that at least one voting authority must know the real iden-tification of voter in order to determine what the real votes are. Therefore, if thevoting authority which generates the real identification of voter becomes adversary,the requirements of uncoercibility and vote-buying can be violated. As a result, ourproposal uses recasting mechanism to achieve higher level of security.

After registration phase, each voter has three anonymous identifications uid, uid1,uid2. Voter applies uid to communicate with other voting authorities including Bal-lot Center server (BC) holding the dynamic ballots, Casting server (CS) holding thecasting V ′ of voters, Key Generator server (KG) generating the session key pairs.

Firstly, eligible voter receives the list of candidates from BC; he then, mixes theorder of candidates in his ballot randomly, sending this dynamic ballot B to BC andcasting his cloaked vote V ′ by picking the order of the candidate he is favor, sendingit to the CS. More concretely speaking, voter cannot sell his ballot to buyer as well asthe coercers do not have enough clues to threat or coerce voter.

To ensure B and V ′ cannot be modified by others, voters encrypts them with uid1

and uid2 by couple of public keys e(1)k and e

(2)k generated by KG. KG also saves

Page 10: Enhanced security in internet voting protocol using blind signature and dynamic ballots

266 T.A.T. Nguyen, T.K. Dang

the private key dk along with corresponding ek in KG-List for decrypting in thenext phase. After that, voter sends (EPET(uid),E

(1)k (B,uid1), time, e(1)

k ) to BC, and

(uid,E(2)k (V ′,uid2), e

(2)k ) to CS as illustrated in Fig. 1. Each message receiving from

voter, CS checks uid of this voter. If uid is invalid, CS discards it immediately; oth-erwise, it hashes the whole message, and publishes the result on the Bulletin BoardBB2 for individual verifiability. It also stores the message with ciphertext of uid intoList2 for matching with B in tallying phase. As for BC, it almost does the same thingswith every message it receives, except authenticating the eligibility of voters.

Voters are allowed to recast. Because the actual vote V of a voter consists of B

and V ′, voter just needs to change one of two components to change the value ofV if at the first time, he is coerced to vote to someone else. In this protocol, votersare able to change the orders of candidates in his dynamic ballot B ′. If he wantsto recast, he just sends another message (E∗

PET(uid),E(1)k (B∗,uid1), time∗, e(1)

k ) toBC in which E∗

PET(uid), B∗ and time∗ are respectively new encryption of uid usingElGamal cryptosystem, new dynamic ballot and the time when he sends the message.

3.3 Tallying phase

At the end of casting phase, PET server which keeps the private key of ElGamal algo-rithm applies the application of a plaintext equivalence test (PET) to each EPET(uidi )

in List1 in order to find which pair of encryption of uidi is equivalent without de-cryption, then remove the record holding the earlier time parameter. Concretely, weconsider two records Ri and Rj of List1:

Ri = (EPET(uidi ),E

(1)ki (Bi,uid1i ), timei , e

(1)ki

)

Rj = (EPET(uidj ),E

(1)kj (Bj ,uid1j ), timej , e

(1)kj

)

If PET (EPET(uidi )/EPET(uidj )) = 1, and timei > timej ; then the system removeRj from the system. The purpose of this process is to remove duplicated votes andgain the latest choices of all voters. After that, PET server continues to compareeach EPET(uidi ) in List2 to EPET(uidj ) in List1 to find out which B in List1 iscorresponding to V ′ in List2. If there exists a record in List1 which does not match toany record in List2, this record must have come from invalid voter, so it is discardedat once. The purpose of this process is to remove invalid dynamic ballots B in List2.

After determining pairs of records, KG-List publishes the list of session keys(ek, dk) for List1 and List2 to find dk related to each ek which is attached toevery record in List1 and List2. With the corresponding dk , E

(1)k (B,uid1) and

E(2)k (V ′,uid2) are decrypted. Tallying server (TS) checks the valid of uid1 and uid2

to ensure B and V ′ not to be modified by any parties, then combines the valid valuesof B and V ′ to find out the actual vote V of a voter. Finally, TS counts up all theactual votes and publishes the result of voting process.

Page 11: Enhanced security in internet voting protocol using blind signature and dynamic ballots

Enhanced security in internet voting protocol using blind signature 267

Table 2 Comparing security flaws of the earlier typical protocols with our proposal

Security flaws Hasan [14] Cetinkaya [8] JCJ [17] Our protocol

No vote buying/Coercion – – √√No corrupted Registration √ √ –

No corrupted Ballot Center – – √No corrupted Tallier – – √

4 Security analysis

4.1 Security flaws

In this section, we analyze the security flaws in the previous internet voting protocols,and also prove our protocol is strong enough to resist these flaws. The content of thissection will be summarized in Table 2.

In our protocol, a voter employs the blind signature technique to get the vot-ing authority signature on his created identity. Therefore, the Registrar and PVerdo not know anything about the anonymous identity that voters use to authenticatethemselves. Hence, if these voting authorities become corrupted, they cannot takeadvantages of abstention to attack the system. So do the protocols of Hasan [14]and Cetinkaya [8]. In JCJ protocol [17], the Registrar establishes the credentials andpasses it to voters through an untappable channel. In the worst case, if the Registraris a corrupted party, it can give voters fake credentials, and use the valid ones to votefor other candidates. Thus, the corrupted RS becomes a security flaw of JCJ protocol.Using physical assumption, i.e. an untappable channel, is another weak point of JCJprotocol in comparison with the previously proposed protocols.

In the voting protocols of Hasan [14] and Cetinkaya [8], though eliminating theabstention attack from corrupted RS, these protocols are not stronger enough to de-feat sophisticated attacks. The voting protocol of Hasan is quite simple; it has nomechanism to protect the content of votes against being modified. Thus, if Casting orTallying servers collude with attackers, the system will collapse. As a result, the ac-curacy and fairness properties cannot be guaranteed. In ideal case which every serveris trusted, the protocol cannot avoid vote-buying and coercion if voters reveal theiranonymous identities to vote-buyer or coercer. As for the protocol of Cetinkaya [8],it guarantees some security requirements (as illustrated in Table 3). However, theweakness point of this protocol is that the voters are still coerced if the servers hold-ing ballots connive with coercer. In the worst case, voters also able to sell their bal-lots by providing buyers with their anonymous identities, and then if buyers colludewith Ballot Generator, Counter, and Key Generator, they can find out whether theseanonymous identities are attached to the candidate they expect or not. In other words,corrupted BC is a security flaw that Cetinkaya’s protocol has not fixed yet. Our proto-col makes good Cetinkaya’s protocol shortcomings by encrypting uid using ElGamalcryptosystem before sending it to BC. Therefore, when a voter recasts, BC itself can-not recognize his uid. Only CS has responsibility to authenticate the eligibility ofuid. It means that CS receives the uid of voter without ElGamal encryption. How-

Page 12: Enhanced security in internet voting protocol using blind signature and dynamic ballots

268 T.A.T. Nguyen, T.K. Dang

Table 3 Comparing security requirements of the earlier typical protocols with our proposal

Security requirements Hasan [14] Cetinkaya [8] JCJ [17] Our protocol

Privacy √ √ √

Eligibility √ √ –

Uniqueness √ √ √Uncoercibility – – √Receipt-freeness – – √Accuracy – √ √Fairness – √ √Individual verifiability – √ √Universal verifiability – √ √No physical assumption √ √ –

ever, the recasting process does not take place in CS, coercers thus cannot collect anyinformation from this server.

If Tallier server becomes corrupted, our protocol cannot be broken even thoughTallier colludes with others voting authorities in protocol. In previous protocol usingdynamic ballot, corrupted Tallier just needs to bribe BC and CS for getting interme-diate result. However, in our protocol, B and V ′ are encrypted with the session keygenerated by KG, so BC and CS cannot provide the value of B and V ′ for Tallierwithout the decrypt key. Even if Key Generator is also corrupted, the intermediate re-sult of our protocol is still safe because the uid of voters are encrypted using ElGamalcryptosystem. Attackers have no way to combine B and V ′ or to remove invalid andduplicated votes. Therefore, corrupted Tallier is no longer a threat for our protocol.However, regarding sophisticated attacks which many voting authorities conspire to-gether, Hasan [14] and Cetinkaya [8] are not strong enough to defeat these kinds ofattacks.

4.2 Security requirements

In this section, we provide the sketch of proofs that state how our protocol fulfills thesecurity requirements. The content of this section will be summarized in Table 3.

Privacy After RS checks the eligibility of a voter, PVer issues a signature on voter’sblinded identity. Since then, voter uses his anonymous ID(uid) to take part into votingprocess, instead of real ID. Thanks to blind signature technique, no voting authoritiesknow the link between voter’s real ID and his uid. When voter uses uid to take partin the casting phase, other people also cannot find out the link between a vote and avoter who casted it. It means that the privacy requirement is guaranteed.

Eligibility Through the registration scheme, RS issues certificates for only eligi-ble voters after authenticating the requester by CRAM, and checking the validity ofrequester. In addition, PVer only blindly signs on voter’s uid after checking the eli-gibility of voter’s certificate. Therefore only eligible voters obtain the blind signature

Page 13: Enhanced security in internet voting protocol using blind signature and dynamic ballots

Enhanced security in internet voting protocol using blind signature 269

of voting authority on their uid in order to take part in the voting process. Another in-teresting point of our protocol is that there is voter’s signature dV in the uid of a voterso the RS cannot create a fake uid to cheat other voting authorities without detecting.In brief, our protocol achieves eligibility requirement.

Uniqueness Although a voter can cast many times, only the latest casting is takeninto consideration and the previous ones are removed securely by PET application.Therefore, there is no voter who has more than one vote when the casting phasecompletes. Hence, the uniqueness is satisfied.

Uncoercibility Recasting is allowed in our protocol. If an adversary coerces vot-ers to cast for his intention, the voters can send another vote to system after that.According to the analysis of security flaw, this process cannot be discovered by co-ercers though they connive with many voting authorities in the system. Therefore, theuncoercibility requirement is guaranteed.

Receipt-freeness This requirement is also fulfilled when the voters have no proof toshow what their latest casting is to vote-buyer. In case that an adversary can penetrateinto List1 and he gets voters’ uid through bribing, if the uid is not encrypted, the ad-versary can easily find out a certain uid does recasting process or not. Consequently,he can threat the voter or discover what the latest casting of voter is. Nevertheless, thisassumption has never occurred in our protocol, according to the analysis in Sect. 4.1.Therefore, the receipt-freeness is assured.

Accuracy In voting phase, the dynamic ballot B and cloaked vote V ′ are associatedwith uid1 and uid2, and encrypted by session key pairs. If corrupted voting authori-ties modify the content of B or V ′, others will detect the electoral fraud by checkingthe uid1 and uid2 attached to B and V ′. Even if the BC, Casting, and RS conspiretogether, they cannot modify the votes without being discovered, as well as they can-not add a new vote since they are not able to create the list of anonymous id illegally.Therefore, the requirement of accuracy is persevered.

Fairness Since we employ the dynamic ballots, Casting just knows the cloakedvote V ′ which does not reveal any information about the intentions of voters. In someprotocols applying dynamic ballots like Cetinkaya [8], if Casting colludes with BC,the intermediate result can be revealed. In our protocol, we encrypt B and V ′ usingsession keys to protect their contents. Only after the casting phase completes are theciphertexts decrypted by the decrypted key provided by KG. And PET applicationis also applied in this phase to ensure that no one can combine B and V ′ accuratelybefore voting process finishes. With all protection mechanisms, fairness requirementis achieved.

Individual verifiability The requirement of individual verifiability is guaranteed byapplying bulletin boards. BC publishes Hash(EPET(uid),E

(1)K (B,uid1), time) in BB1

and Hash(uid,E(2)K (V ′,uid2)) is published in BB2. Thus, voters just have to hash the

necessary information which they have already known, and compare their results toall records in bulletin boards to check whether the system counted his vote correctly.

Page 14: Enhanced security in internet voting protocol using blind signature and dynamic ballots

270 T.A.T. Nguyen, T.K. Dang

Universal verifiability At the end of election, all voting authorities publish theirlists. Any participant or passive observer can check the soundness of final result basedon the information on these lists and the bulletin boards as well. Hence, universalverifiability is fulfilled.

In summary, in case that BC, CS, KG and TS conspire together, our protocol isstill kept in safe. However, if PET server joins this group, the adversaries can get uidof voters and their votes as well. Though, it is difficult for all authorities to becomecorrupted at the same time in reality, we still take account of this issue to enhancesecurity. To solve that problem, we can employ the threshold cryptography techniqueor separate the parameters in List1 and List2 into more groups which are held bydifferent parties.

5 Conclusion and future works

In this paper, we have proposed an unsusceptible internet voting protocol to most ofsophisticated attacks. The proposed protocol preserves the privacy of voters and thecontent of votes against vote-buyers, coercers, and corrupted authorities inside oursystem even though more and more adversaries collude together. Furthermore, thefact that no physical assumptions and no complex cryptographic techniques need tobe used makes our proposal more practical.

In the future, we intend to formalize an internet voting protocols using processcalculi such as pi-calculus for describing concurrent processes and their interactionsin order to standardize internet voting protocols and get more accurate evaluationas well. Up till now, there are the governments of Estonia and the city of Genevain Switzerland employing elections over internet. The success of the internet votingin these governments encourages the development of this research, especially thedevelopment of security aspects of internet voting systems [21].

References

1. Acquisti, A. (2004). Receipt-free homomorphic elections and write-in voter verified ballots (ISRITechnical report CMU-ISRI-04-116). Carnegie Mellon University, PA.

2. Araújo, R., Rajeb, N.B., Robbana, R., Traoré, J., & Youssfi, S. (2010). Towards practical and se-cure coercion-resistant electronic election. In S. H. Heng, R. N. Wright, & B. M. Goi (Eds.), LNCS:Vol. 6467. Cryptology and network security (CANS 2010) (pp. 278–297). Heidelberg: Springer.

3. Baudron, O., Fouque, P. A., Pointcheval, D., Stern, J., & Poupard, G. (2001). Practical multi-candidateelection system. In Proceedings of the twentieth annual ACM symposium on principles of distributedcomputing (pp. 274–283). New York: ACM.

4. Bradford, P. G., Park, S., Rothkopf, M. H., & Park, H. (2008). Protocol completion incentive problemsin cryptographic Vickrey auctions. Electronic Commerce Research, 8(1), 57–77.

5. Burmester, M., & Magkos, E. (2003). Towards secure and practical e-elections in the new era. InSecure electronic voting (Vol. 7, pp. 63–76).

6. Camenisch, J., & Lysyanskaya, A. (2005). A formal treatment of onion routing. In Advances incryptology–CRYPTO 2005 (pp. 169–187). Berlin: Springer.

7. Cetinkaya, O., & Doganaksoy, A. (2006). A practical privacy preserving e-voting protocol using dy-namic ballots. In Proceedings of the 2nd national cryptology symposium, Ankara, Turkey.

8. Cetinkaya, O., & Doganaksoy, A. (2007). A practical verifiable e-voting protocol for large scale elec-tions over a network. In Proceedings of availability, reliability and security 2007 (ARES 2007), Vienna(pp. 432–442).

Page 15: Enhanced security in internet voting protocol using blind signature and dynamic ballots

Enhanced security in internet voting protocol using blind signature 271

9. Chaum, D. (1981). Untraceable electronic mail, return addresses, and digital pseudonyms. Communi-cations of the ACM, 24(2), 84–88.

10. Chaum, D. (1982). Blind signatures for untraceable payments. In Advances in cryptology: proceedingsof crypto (Vol. 82, pp. 199–203).

11. Cramer, R., Gennaro, R., & Schoenmakers, B. (1997). A secure and optimally efficient multi-authorityelection scheme. European Transactions on Telecommunications, 8(5), 481–490.

12. Fujioka, A., Okamoto, T., & Ohta, K. (1993). A practical secret voting scheme for large scale elec-tions. In Advances in cryptology—AUSCRYPT’92 (pp. 244–251). Berlin: Springer.

13. Goldschlag, D., Reed, M., & Syverson, P. (1999). Onion routing for anonymous and private commu-nications. Communications of the ACM, 42(2), 39–41.

14. Hasan, M. S. (2008). E-voting scheme over Internet. In International conference on business andinformation, Seoul, South Korea.

15. Jakobsson, M., & Juels, A. (2000). Mix and match: secure function evaluation via ciphertexts. InProceedings of the 6th international conference on the theory and application of cryptography andinformation security: advances in cryptography (pp. 162–177). London: Springer.

16. Juang, W. S., Lei, C. L., & Liaw, H. T. (2002). A verifiable multi-authority secret election allowingabstention from voting. Computer Journal, 45(6), 672–682.

17. Juels, A., Catalano, D., & Jakobsson, M. (2005). Coercion-resistant electronic elections. In Proceed-ings of the 2005 ACM workshop on privacy in the electronic society (pp. 61–70). New York: ACM.

18. Kohel, R. D. (2010). Public key cryptography. In Cryptography (pp. 67–74).19. Liaw, H. T. (2004). A secure electronic voting protocol for general elections. Computers & Security,

23(2), 107–119.20. Meng, B. (2009). A critical review of receipt-freeness and coercion-resistance. Information Technol-

ogy Journal, 8(7), 934–964. ISSN 1812-563821. Nguyen, T. A. T., & Dang, T. K. (2011). Preserving privacy in electronic voting. In Proceedings of the

4th regional conference on information and communication technology, Ho Chi Minh City, Vietnam(pp. 46–55).

22. Pagnoni, A., & Visconti, A. (2010). Secure electronic bills of lading: blind counts and digital signa-tures. Electronic Commerce Research, 10(3), 363–388.

23. Park, C., Itoh, K., & Kurosawa, K. (1994). Efficient anonymous channel and all/nothing electionscheme. In T. Helleseth (Ed.), LNCS: Vol. 765. Advances in cryptology EUROCRYPT’93 (pp. 248–259). Heidelberg: Springer.

24. Röhrig, S., & Knorr, K. (2004). Security analysis of electronic business processes. Electronic Com-merce Research, 4(1), 59–81.

25. Smith, R., & Shao, J. (2007). Privacy and e-commerce: a consumer-centric perspective. ElectronicCommerce Research, 7(2), 89–116.

26. Spycher, O., Koenig, R., Haenni, R., & Schläpfer, M. (2012). A new approach towards coercion-resistant remote e-voting in linear time. In G. Danezis (Ed.), LNCS: Vol. 7035. Financial cryptographyand data security (FC 2011) (pp. 182–189). Heidelberg: Springer.

27. Srivastava, A. (2011). Resistance to change: six reasons why businesses don’t use e-signatures. Elec-tronic Commerce Research, 11(4), 357–382.

Thi Ai Thao Nguyen received her B.Eng. degree in Computer Scienceand Engineering, with the Honor Program from the HCMC Universityof Technology-HCMUT (Vietnam) in 2010. After that, she continuedher academic career by studying the Master Program of HCMC Univer-sity of Technology, Vietnam. In 2012, she got the Master Degree withhigh GPA. From 2010 till now, she has been working for the Facultyas a lecture and a researcher. Her research interests include database& information security, privacy preserving in location-based services,security in electronic voting.

Page 16: Enhanced security in internet voting protocol using blind signature and dynamic ballots

272 T.A.T. Nguyen, T.K. Dang

Tran Khanh Dang received his B.Eng. degree from the Faculty ofComputer Science & Engineering in HCMC University of Technology-HCMUT (Vietnam) in 1998. He achieved a medal awarded for the bestgraduation student. From 1998–2000, he had been working for the Fac-ulty as a lecturer and researcher. He had got a Ph.D. scholarship of theAustrian Exchange Service (OeAD) from 2000–2003, and finished hisPh.D. degree (Dr. techn.) in May 2003 at FAW Institute, University ofLinz (Austria). Afterwards, he had been working as a lecturer and re-searcher at the School of Computing Science, Middlesex University inLondon (UK) since August 2003. In October 2005, he returned homeand has continued working for the Faculty of Computer Science & En-gineering in HCMUT. Currently, he is the head of the Department ofInformation Systems. Dr. Dang’s research interests include database &information security, privacy protection in location-based services, mo-bile data security, and big data management. He is also the founder of

the Data SecuriTy Applied Research (D-STAR) Lab (http://www.dstar.edu.vn). He has published morethan 95 scientific papers in international journals & conferences. Dr. Dang has also participated in andmanaged many research as well as commercial projects.