Enhanced security in internet voting protocol using blind signature and ...

Electron Commer Res (2013) 13:257–272 DOI 10.1007/s10660-013-9120-5

Enhanced security in internet voting protocol using blind signature and dynamic ballots Thi Ai Thao Nguyen · Tran Khanh Dang

Published online: 18 May 2013 © Springer Science+Business Media New York 2013

Abstract In this paper, we introduce an internet voting protocol which satisfies desired security requirements of electronic voting. In the newly proposed protocol, we allow the adversaries to get more power than in any previous works. They can be coercers or vote buyers outside, and corrupted parties inside our system. These adversaries also have ability to collude with each other to ruin the whole system. Our main contribution is to design an internet voting protocol which is unsusceptible to most of sophisticated attacks. We employ the blind signature technique and the dynamic ballots instead of complex cryptographic techniques to preserve privacy in electronic voting. Moreover, we also aim at the practical system by improving the blind signature scheme and removing physical assumptions which have often been used in the previous works. Keywords Internet voting · Voting protocol · Blind signature · Dynamic ballot · Receipt-freeness

1 Introduction Along with the rapid growth of modern technologies, most of the traditional services have been transformed into remote services through internet. Voting service is among them. Remote electronic voting (also called internet voting) system makes voting more efficient, more convenient, and more attractive. Therefore, many researchers have studied this field and tried to put it into practice as soon as possible. However, T.A.T. Nguyen () · T.K. Dang Faculty of Computer Science and Engineering, HCMC University of Technology, 268 Ly Thuong Kiet Street, District 10, Ho Chi Minh City, Vietnam e-mail: [email protected] T.K. Dang e-mail: [email protected]

258

T.A.T. Nguyen, T.K. Dang

that has never been an easy work [27]. It is true that e-voting brings many benefits for not only voters but also voting authorities. Nevertheless, benefits always come along with challenges. The biggest challenge of internet voting is security. In many previous works, authors proposed several internet voting protocols trying to satisfy as many security requirements as possible such as eligibility, uniqueness, privacy, accuracy, fairness, receipt-freeness, uncoercibility, individual verifiability, universal verifiability, and coercion-resistance, the latest one. However, security leaks cannot be rejected thoroughly in recent internet voting protocols when voting authorities collude with each other. In the protocol of Cetinkaya et al. [8], for example, though the authors announced that their protocol fulfilled the requirement of uncoercibility, once the adversaries corrupted the voter and colluded with the voting authorities taking responsibilities of holing ballots and voter’s cast, they could easily found out whether that voter followed their instruction or not. In addition, in voting protocol of Spycher et al. [26] and JCJ protocol [17], if the coercer can communicate with the registrars, no longer can voter lie about their credentials. Therefore, the uncoercibility cannot be satisfied. Moreover, in order to satisfy the receipt-freeness, some protocols employed the physical assumptions such as untappable channels that are not suitable for the services through internet. Most of the previous internet voting protocols applied three main cryptographic techniques to solve the security problems. Thus, we classify these protocols into three types as: protocols using mix-nets, blind signatures, and homomorphic encryption. The concept of mix-nets was firstly introduced by Chaum [9] in 1981. Since then, there have been some proposed voting protocols such as [6, 13, 23]. However, these protocols met with the big difficulties because of the huge costs of calculations and communications which the mix-net required. So far, no election system based on mixnet has been implemented [5]. Besides mix-net, homomorphic encryption is another way to preserve privacy in internet voting system. Though homomorphic encryption protocols [1, 3, 11] are more popular than mix-net, they are still inefficient for large scale elections because computational and communicational costs for the proof and verification of vote’s validity are quite large when there are a lot of candidates. Moreover, homomorphic encryption protocols cannot be employed on multi-choices voting forms. As for the blind signature protocols, they also provided anonymity without requiring any complex computational operators or high communicational cost. Until now, there have been many protocols based on blind signature such as [7, 8, 12, 14, 16, 19]. Some of them employed blind signature on concealing the content of votes, others concealed the identifications of voters. Protocol [12], for example, conceals the content of votes; then at the end of voting process, voters had to send the decryption key to the voting authority. This action might break the security if the adversaries conspired with these voting authorities. Therefore, our proposal applies the blind signature technique which is used to hide the real identification of a voter. Besides that, in order to protect the content of votes we apply dynamic ballots along with a recasting mechanism without sacrificing uniqueness to enhance security in internet voting protocol and make good the previous protocol’s shortcomings as well. In this paper, we propose the practical internet voting protocol which guarantees all security requirements. The remarkable contribution is that our proposal is able to defeat the more powerful adversaries which can collude with many voting authorities.

Enhanced security in internet voting protocol using blind signature

259

Another improvement here is the enhancement of blind signature scheme that makes our protocol faster and more efficient. The structure of this paper is organized as follows. In Sect. 2, the background knowledge is summarized. We describe the details of our proposal protocol in Sect. 3. Then, in Sect. 4 security of the protocol is discussed. Finally, the conclusion and future works are included in Sect. 5.

2 Background 2.1 Security requirements In [5, 19], the security requirements of a voting system are introduced as followings: • Privacy: it is the main requirement in the information age. The definition of privacy is discussed in many e-commerce applications [25]. In internet voting application, privacy requirement is fulfilled when no one can know the link between the vote and the voter who casted it. • Eligibility: only eligible and authorized voters can carry out their voting process. • Uniqueness: each vote casts only one vote. In [19], though the uniqueness is defined that: “Every voter votes exactly one time”, some voting schemes allow their clients to vote many times in election period. However, only their last vote is accepted by voting authorities. • Accuracy: the content of vote cannot be modified or deleted. In addition, a validated voter cannot be removed from the final tally, and an invalid vote cannot be counted in the final tally without being detected. • Fairness: no one, including voting authorities, can get the intermediate result of the voting process before the final result is publicized. • Receipt-freeness: the voting system should not give voter a receipt which he uses to prove what candidate he voted. Its purpose is to protect against vote-buying. • Uncoercibility: the adversary cannot force any voters to vote for his own intention or to reveal their votes. Its purpose is to avoid the attack of coercers. • Individual verifiability: every voter is able to check whether their vote is counted correctly or not. However, it seems very difficult to prove to voters that their vote is casted as intended while the receipt-freeness requirement is still satisfied. • Universal verifiability: every voter who is interested in tally result can verify that the final result is correctly computed from all the ballots casted by eligible voters. 2.2 Cryptography building block To protect their users, e-commerce applications employ many primitives and protocols from the field of cryptography [4, 22, 24]. Internet voting is among them. In this section, we present some related cryptographic techniques which are frequently applied in many previous internet voting protocols.

260


Bulletin boards In [2], Bulletin board is a communication model which can publish information posted on its body, thus everybody can verify these information. Internet voting system applies this model to fulfill the requirement of verifiability. In the protocol using bulletin board, voters and voting authorities can post information on the board. Nevertheless, no one can delete or alter these things. Blind signature The concept of blind signature was first introduced by Chaum [10]. It stemmed from the need of verifying the valid of a document without revealing anything about its content. The function of the blind signature is similar to the carbon paper put in a sealed envelope. The process of this technique can be imagined as followings: the Owner of a document needs the signature of an authority on his document for authentication purpose. In order to prevent the authority from reading the information, the owner does a trick that he puts the document together with a carbon-paper into a sealed envelope, and sends it to the authority. Upon receiving that envelope, the authority checks the identification of sender. If the owner is eligible, the authority will sign on the predefined area outside the sealed envelope, and send it back to the owner. Finally, thanks to the carbon-paper, owner has the signature of authority without revealing any information written in the document. A simple method to implement the blind signature scheme is to apply the asymmetric cryptosystem RSA. We have some notations: • • • •

m: the document needs to be signed; d: the private key of authority (signer); e, N : the public key of authority; s: the signature of m.

The RSA blind signature scheme is implemented as follows: The owner generates a random number r which satisfies gcd(r, N ) = 1. He blinds m by the blind factor r e (mod N ). After that, he sends the blinded document m = m · r e (mod N ) to the authority. Upon receiving m , the authority computes a blinded signature s , as illustrated in Eq. (1), then sends it back to the owner. d d s ≡ m mod N ≡ m · r e mod N ≡ md · r ed mod N ≡ md · r mod N

(1)

According to Eq. (1), the owner easily obtains the signature s, as Eq. (2). s ≡ s · r −1 mod N ≡ md mod N

(2)

Dynamic ballot The concept of dynamic ballot was first introduced in [7]. In most of internet voting protocols, authors have used usual ballots in which the order of candidates is pre-determined. Therefore, when someone gets a voter’s casting, they instantly know the actual vote of that voter. Alternatively, the candidate orders in dynamic ballot change randomly for each ballot. It is equivalent to the fact that the candidate selection of each voter has its own contextual meaning. Hence, adversary needs the voter’s casting as well as the corresponding dynamic ballot in order to obtain the real choice of a voter.


261

Let assume that the number of candidates is “n”. So we have “n!” different ways to mix the order of candidates in each ballot. For example, if there are 3 candidates {C1 , C2 , C3 } in the election (n = 3), voters may take 6 different ballots as followings: B1 = {C1 , C2 , C3 }, B2 = {C1 , C3 , C2 }, B3 = {C2 , C1 , C3 }, B4 = {C2 , C3 , C1 }, B5 = {C3 , C2 , C1 }, B6 = {C3 , C1 , C2 }. Naturally, the larger number of candidates is, the more options a voter chooses to arrange the order of candidates in his ballot. Therefore, it is also difficult for adversaries to infer the ballot of a voter. In voting process, each voter can randomly take one of these ballots. After that, he chooses his favorite candidate. Then he casts the order of this candidate in his ballot (not the name of this candidate) to a voting authority and his ballot to another voting authority. Until the voting process completes, these two authorities cooperate with each other to calculate the final result. In short, with dynamic ballots, any participant or authority including the counter cannot gain the intermediate result before the counting stage. This ensures the fairness of the protocol. ElGamal protocol ElGamal cryptosystem was first described by Taher ElGamal in 1984. In [18], it is implicitly based on the difficulty of finding a solution to the discrete logarithm. The discrete logarithm problem, also called DLP, is the computational problem of finding x = loga (b) such that b = a x . In the next paragraph, we cite an instance of ElGamal protocol based on ElGamal cryptosystem (see more in [18]). Sender Alice wants to give receiver Bob a message m. As for Bob, he possesses: • public key: (a, a x , p) where p is a prime; and • private key: x is an integer such that 1 ≤ x ≤ p − 1. ElGamal protocol follows the below steps: at first, Alice obtains Bob’s public key. Then, Alice chooses a private element y randomly where 1 ≤ y ≤ p − 1. After that, she sends the ciphertext message c = (r, s) where r = a y and s = m · a xy to Bob. Upon receiving c, Bob uses his private key x to encrypt the ciphertext message as follows: m = r −x · s mod p We can verify the correctness of the deciphering as follows: −x r −x · s = a y · m · a xy = a −xy · m · a xy = m

262


Plaintext Equality Test (PET) The notion of PET (standing for plaintext equality test) was proposed by Jakobsson and Juels in [15]. The purpose of PET protocol is to compare two ciphertexts without decrypting. It based on the ElGamal cryptosystem. Let (r1 , s1 ) and (r2 , s2 ) be ElGamal ciphertexts of two plaintexts m1 and m2 respectively. The input I of PET protocol is a quotient of ciphertexts (r1 , s1 ) and (r2 , s2 ), and output R is a single bit such that “R = 1” means two plaintexts m1 and m2 are equal, otherwise R = 0. Basing on the ElGamal protocol, we have (r1 , s1 ) = a y1 , m1 a x·y1 (r2 , s2 ) = a y2 , m2 a x·y2 where y1 and y2 are randomly chosen by the owners of m1 and m2 . I = (r1 /r2 , s1 /s2 ) = a y1 −y2 , (m1 /m2 ) · a x(y1 −y2 ) = a y1 −y2 , a x(y1 −y2 )

(3)

According to ElGamal cryptosystem, I is the ciphertext of the plaintext (m1 /m2 ). Therefore, if someone who owns the decryption key x, they can complete the verification by decrypting the expression (3) without gaining any information about the two input plaintexts m1 and m2 . For more information, let refer to [20]. 2.3 Security flaws in internet voting protocol Vote buying and coercion In a traditional voting system, to ensure a voter not to be coerced or try to sell his ballot to another, voting authorities built some election precincts or kiosk in order to separate voters from coercers and vote buyers. Therefore, they could vote based on their own intentions. When internet voting system is brought into reality, there are no election precincts or voting kiosks, but voters and their device which can connect to the internet. Hence, the threats from coercers and vote buyers quickly become the center of attention of the voting system. Corrupted registrar Registration is always the first phase of a voting process where voting authorities check voters’ eligibilities and give voters the certificates to step into the casting phase. However, in case a voter abstains from voting after registration, the corrupted registrars can take advantages of those certificates to legalize the false votes by casting the extra vote on behalf of the abstaining voters. Sometimes, corrupted registrars can issue false certificates to deceive other voting authorities. Corrupted ballot center Some protocols have ballot center as providing voters with ballots. Others, in [3], utilize it for holding the choices that voters made until the casting phase completes. If the ballot center becomes a corrupted party, it can modify the content of the votes or sell them to vote-buyers and coercers who want to check whether the coerced voters cast the candidate they expect. Hence, the feasible internet voting protocol has to possess the mechanism to protect the system against this threat. Corrupted tallier Tallier takes the responsibility for counting up all the votes to get the final result of voting process. If tallier becomes a corrupted party, it will be able to do that job though the voting process does not come to the end. In this case, it will release the intermediate voting result which has the influence on the psychology of the voters who have not casted the ballots yet. This threat makes the fairness fail.


263

Table 1 Notations for the proposal internet voting protocol Notation

Meaning

(ex , dx )

A public-private key pair of user X

Ex (m)

An encryption of message m with the public key ex

Dx (m)

A decryption/sign of message m with the private key dx

H (m)

An one way hash function with an input m

EPET (m)

An encryption of m using ElGamal cryptosystem

BB

Bulletin Board

PET(x, y)

A PET function applying PET protocol with two inputs x, y

B

A dynamic ballot

V

A voter’s candidate selection basing on the dynamic ballot

V

A voter’s actual vote

3 The proposed internet voting protocol 3.1 Registration phase In this phase, the blind signature technique is applied to conceal the real identity of a voter through creating an anonymous identity for communicating with other voting authorities. The following paragraph will show how voters get his anonymous identification from Privacy of Voter server (hereafter called PVer). Firstly, voter sends his real ID to Registration server (hereafter called RS) to start registration process. In this case, the real ID of voter can be his public key. RS applies Challenge Response Authentication Mechanism (CRAM) to authenticate that the user who sends the real ID is exactly the person whom he declares to be (or the real owner of the public key). Based on the real ID, RS checks whether that user is registered or not. If he did this job before, RS will terminate his session; otherwise, RS will ask CA to check the current rules of the voting process in order to find out whether this person can become an eligible voter or not. Then, RS creates a certificate and sends it to the voter. The certificate issued by RS includes: • A serial number: the PVer uses this parameter to ensure that each voter gets only one anonymous ID. • A digital stamp: is public information, like a sequence number, agreed among voting committees. • A session key: is used to encrypt the message which PVer sends to the voter asking for blind signature. PVer has no information about that voter, therefore it has to use session key to encrypt the message instead of voter’s public key. • A signature of RS: is hashed and signed by the private key of voting committee. Upon receiving the certificate, voter generates his unique identification by encrypting the digital stamp by his private key and then hashing the result with one way function. In short, we have unique identification uid. Other notations in this section are explained in Table 1. uid = Hash DV (Digital stamp)

264


Fig. 1 Registration scheme

To get the signature of voting committee on uid, a voter applies the blind signature scheme as introduced in Sect. 2.2. He uses a random blind factor to blind uid, then sends it together with the certificate to PVer which takes the responsibility for preserving privacy of voters. PVer saves the serial number in certificate in order to ensure that each certificate asks for the blind signature just one time. After checking the validity of certificate, PVer blindly signs the uid using the private key of voting committee, then send the result s to the voter. He, then, unblinds s to get the signature s of voting committee on his uid. Since then, the voter sends uid and corresponding s to other voting authorities for authentication. The detail steps of registration scheme are illustrated in Fig. 1. To avoid man-in-the-middle-attacks, the asymmetric cryptosystem is used at the 1st, 6th, and 8th steps. However, at the 10th step, asymmetric key pairs are not a good choice because they are used only one time for encrypting message, not authenticating. Therefore, the symmetric-key cryptosystem with Tripple DES algorithm is proposed in this blind signature scheme because it has some significant benefits such as: • It does not consume too much computing power so we can shorten encryption time and simplify the period of encryption certificate as well; • Although a symmetric encryption is not as safe as an asymmetric encryption, high level of security still is guaranteed for some reasons that: Triple DES has high complexity, the session key generated randomly by system is long enough to against Brute Force and Dictionary Attack, the period of using session key is limited in one step with a short time. Another improvement of the blind signature scheme is that each voter generates list of anonymous identifications including uid, uid1 , uid2 instead of just one anony-


265

Fig. 2 Casting scheme

mous identification. The purpose of uid is to communicate with other voting servers; and uid1 and uid2 are to ensure the ballot of voter is not modified by any adversaries. 3.2 Authentication and casting phase To protect privacy of votes from coercers, voting buyers, or sometimes adversaries who stay inside the system, we propose the scheme as Fig. 2 which applies dynamic ballots, plaintext equivalent test, bulletin boards as introduced in Sect. 2.2. In many previous works, to avoid coercion as well as vote buying, some authors apply fake identification mechanism to deceive coercers (in JCJ protocol [17]); and others utilize recasting mechanism without sacrificing uniqueness associated with dynamic ballot technique to conceal his or her final decision [8]. Fake identification requires the condition that at least one voting authority must know the real identification of voter in order to determine what the real votes are. Therefore, if the voting authority which generates the real identification of voter becomes adversary, the requirements of uncoercibility and vote-buying can be violated. As a result, our proposal uses recasting mechanism to achieve higher level of security. After registration phase, each voter has three anonymous identifications uid, uid1 , uid2 . Voter applies uid to communicate with other voting authorities including Ballot Center server (BC) holding the dynamic ballots, Casting server (CS) holding the casting V of voters, Key Generator server (KG) generating the session key pairs. Firstly, eligible voter receives the list of candidates from BC; he then, mixes the order of candidates in his ballot randomly, sending this dynamic ballot B to BC and casting his cloaked vote V by picking the order of the candidate he is favor, sending it to the CS. More concretely speaking, voter cannot sell his ballot to buyer as well as the coercers do not have enough clues to threat or coerce voter. To ensure B and V cannot be modified by others, voters encrypts them with uid1 (1) (2) and uid2 by couple of public keys ek and ek generated by KG. KG also saves

266


the private key dk along with corresponding ek in KG-List for decrypting in the next phase. After that, voter sends (EPET (uid), Ek(1) (B, uid1 ), time, ek(1) ) to BC, and (2) (2) (uid, Ek (V , uid2 ), ek ) to CS as illustrated in Fig. 1. Each message receiving from voter, CS checks uid of this voter. If uid is invalid, CS discards it immediately; otherwise, it hashes the whole message, and publishes the result on the Bulletin Board BB2 for individual verifiability. It also stores the message with ciphertext of uid into List2 for matching with B in tallying phase. As for BC, it almost does the same things with every message it receives, except authenticating the eligibility of voters. Voters are allowed to recast. Because the actual vote V of a voter consists of B and V , voter just needs to change one of two components to change the value of V if at the first time, he is coerced to vote to someone else. In this protocol, voters are able to change the orders of candidates in his dynamic ballot B . If he wants ∗ (uid), E (1) (B ∗ , uid ), time∗ , e(1) ) to to recast, he just sends another message (EPET 1 k k ∗ ∗ ∗ BC in which EPET (uid), B and time are respectively new encryption of uid using ElGamal cryptosystem, new dynamic ballot and the time when he sends the message. 3.3 Tallying phase At the end of casting phase, PET server which keeps the private key of ElGamal algorithm applies the application of a plaintext equivalence test (PET) to each EPET (uidi ) in List1 in order to find which pair of encryption of uidi is equivalent without decryption, then remove the record holding the earlier time parameter. Concretely, we consider two records Ri and Rj of List1: (1) (1) Ri = EPET (uidi ), Eki (Bi , uid1i ), timei , eki (1) (1) Rj = EPET (uidj ), Ekj (Bj , uid1j ), timej , ekj If PET (EPET (uidi )/EPET (uidj )) = 1, and timei > timej ; then the system remove Rj from the system. The purpose of this process is to remove duplicated votes and gain the latest choices of all voters. After that, PET server continues to compare each EPET (uidi ) in List2 to EPET (uidj ) in List1 to find out which B in List1 is corresponding to V in List2. If there exists a record in List1 which does not match to any record in List2, this record must have come from invalid voter, so it is discarded at once. The purpose of this process is to remove invalid dynamic ballots B in List2. After determining pairs of records, KG-List publishes the list of session keys (ek , dk ) for List1 and List2 to find dk related to each ek which is attached to (1) every record in List1 and List2. With the corresponding dk , Ek (B, uid1 ) and (2) Ek (V , uid2 ) are decrypted. Tallying server (TS) checks the valid of uid1 and uid2 to ensure B and V not to be modified by any parties, then combines the valid values of B and V to find out the actual vote V of a voter. Finally, TS counts up all the actual votes and publishes the result of voting process.


267

Table 2 Comparing security flaws of the earlier typical protocols with our proposal Security flaws

Hasan [14]

Cetinkaya [8]

No vote buying/Coercion No corrupted Registration

– √

– √

No corrupted Ballot Center

–

–

No corrupted Tallier

–

–

JCJ [17] √ – √

Our protocol

√

√

4 Security analysis 4.1 Security flaws In this section, we analyze the security flaws in the previous internet voting protocols, and also prove our protocol is strong enough to resist these flaws. The content of this section will be summarized in Table 2. In our protocol, a voter employs the blind signature technique to get the voting authority signature on his created identity. Therefore, the Registrar and PVer do not know anything about the anonymous identity that voters use to authenticate themselves. Hence, if these voting authorities become corrupted, they cannot take advantages of abstention to attack the system. So do the protocols of Hasan [14] and Cetinkaya [8]. In JCJ protocol [17], the Registrar establishes the credentials and passes it to voters through an untappable channel. In the worst case, if the Registrar is a corrupted party, it can give voters fake credentials, and use the valid ones to vote for other candidates. Thus, the corrupted RS becomes a security flaw of JCJ protocol. Using physical assumption, i.e. an untappable channel, is another weak point of JCJ protocol in comparison with the previously proposed protocols. In the voting protocols of Hasan [14] and Cetinkaya [8], though eliminating the abstention attack from corrupted RS, these protocols are not stronger enough to defeat sophisticated attacks. The voting protocol of Hasan is quite simple; it has no mechanism to protect the content of votes against being modified. Thus, if Casting or Tallying servers collude with attackers, the system will collapse. As a result, the accuracy and fairness properties cannot be guaranteed. In ideal case which every server is trusted, the protocol cannot avoid vote-buying and coercion if voters reveal their anonymous identities to vote-buyer or coercer. As for the protocol of Cetinkaya [8], it guarantees some security requirements (as illustrated in Table 3). However, the weakness point of this protocol is that the voters are still coerced if the servers holding ballots connive with coercer. In the worst case, voters also able to sell their ballots by providing buyers with their anonymous identities, and then if buyers collude with Ballot Generator, Counter, and Key Generator, they can find out whether these anonymous identities are attached to the candidate they expect or not. In other words, corrupted BC is a security flaw that Cetinkaya’s protocol has not fixed yet. Our protocol makes good Cetinkaya’s protocol shortcomings by encrypting uid using ElGamal cryptosystem before sending it to BC. Therefore, when a voter recasts, BC itself cannot recognize his uid. Only CS has responsibility to authenticate the eligibility of uid. It means that CS receives the uid of voter without ElGamal encryption. How-

268


Table 3 Comparing security requirements of the earlier typical protocols with our proposal Security requirements

Hasan [14]

Cetinkaya [8]

JCJ [17]

Privacy

√

√

√

√

√

Uniqueness

√

√

– √

Uncoercibility

–

–

√

Receipt-freeness

–

– √

√

Eligibility

Accuracy

–

Fairness

–

Individual verifiability Universal verifiability No physical assumption

√

√

√

–

√

√

– √

√

√

√

–

Our protocol

√

ever, the recasting process does not take place in CS, coercers thus cannot collect any information from this server. If Tallier server becomes corrupted, our protocol cannot be broken even though Tallier colludes with others voting authorities in protocol. In previous protocol using dynamic ballot, corrupted Tallier just needs to bribe BC and CS for getting intermediate result. However, in our protocol, B and V are encrypted with the session key generated by KG, so BC and CS cannot provide the value of B and V for Tallier without the decrypt key. Even if Key Generator is also corrupted, the intermediate result of our protocol is still safe because the uid of voters are encrypted using ElGamal cryptosystem. Attackers have no way to combine B and V or to remove invalid and duplicated votes. Therefore, corrupted Tallier is no longer a threat for our protocol. However, regarding sophisticated attacks which many voting authorities conspire together, Hasan [14] and Cetinkaya [8] are not strong enough to defeat these kinds of attacks. 4.2 Security requirements In this section, we provide the sketch of proofs that state how our protocol fulfills the security requirements. The content of this section will be summarized in Table 3. Privacy After RS checks the eligibility of a voter, PVer issues a signature on voter’s blinded identity. Since then, voter uses his anonymous ID(uid) to take part into voting process, instead of real ID. Thanks to blind signature technique, no voting authorities know the link between voter’s real ID and his uid. When voter uses uid to take part in the casting phase, other people also cannot find out the link between a vote and a voter who casted it. It means that the privacy requirement is guaranteed. Eligibility Through the registration scheme, RS issues certificates for only eligible voters after authenticating the requester by CRAM, and checking the validity of requester. In addition, PVer only blindly signs on voter’s uid after checking the eligibility of voter’s certificate. Therefore only eligible voters obtain the blind signature


269

of voting authority on their uid in order to take part in the voting process. Another interesting point of our protocol is that there is voter’s signature dV in the uid of a voter so the RS cannot create a fake uid to cheat other voting authorities without detecting. In brief, our protocol achieves eligibility requirement. Uniqueness Although a voter can cast many times, only the latest casting is taken into consideration and the previous ones are removed securely by PET application. Therefore, there is no voter who has more than one vote when the casting phase completes. Hence, the uniqueness is satisfied. Uncoercibility Recasting is allowed in our protocol. If an adversary coerces voters to cast for his intention, the voters can send another vote to system after that. According to the analysis of security flaw, this process cannot be discovered by coercers though they connive with many voting authorities in the system. Therefore, the uncoercibility requirement is guaranteed. Receipt-freeness This requirement is also fulfilled when the voters have no proof to show what their latest casting is to vote-buyer. In case that an adversary can penetrate into List1 and he gets voters’ uid through bribing, if the uid is not encrypted, the adversary can easily find out a certain uid does recasting process or not. Consequently, he can threat the voter or discover what the latest casting of voter is. Nevertheless, this assumption has never occurred in our protocol, according to the analysis in Sect. 4.1. Therefore, the receipt-freeness is assured. Accuracy In voting phase, the dynamic ballot B and cloaked vote V are associated with uid1 and uid2 , and encrypted by session key pairs. If corrupted voting authorities modify the content of B or V , others will detect the electoral fraud by checking the uid1 and uid2 attached to B and V . Even if the BC, Casting, and RS conspire together, they cannot modify the votes without being discovered, as well as they cannot add a new vote since they are not able to create the list of anonymous id illegally. Therefore, the requirement of accuracy is persevered. Fairness Since we employ the dynamic ballots, Casting just knows the cloaked vote V which does not reveal any information about the intentions of voters. In some protocols applying dynamic ballots like Cetinkaya [8], if Casting colludes with BC, the intermediate result can be revealed. In our protocol, we encrypt B and V using session keys to protect their contents. Only after the casting phase completes are the ciphertexts decrypted by the decrypted key provided by KG. And PET application is also applied in this phase to ensure that no one can combine B and V accurately before voting process finishes. With all protection mechanisms, fairness requirement is achieved. Individual verifiability The requirement of individual verifiability is guaranteed by (1) applying bulletin boards. BC publishes Hash(EPET (uid), EK (B, uid1 ), time) in BB1 (2) and Hash(uid, EK (V , uid2 )) is published in BB2. Thus, voters just have to hash the necessary information which they have already known, and compare their results to all records in bulletin boards to check whether the system counted his vote correctly.

270


Universal verifiability At the end of election, all voting authorities publish their lists. Any participant or passive observer can check the soundness of final result based on the information on these lists and the bulletin boards as well. Hence, universal verifiability is fulfilled. In summary, in case that BC, CS, KG and TS conspire together, our protocol is still kept in safe. However, if PET server joins this group, the adversaries can get uid of voters and their votes as well. Though, it is difficult for all authorities to become corrupted at the same time in reality, we still take account of this issue to enhance security. To solve that problem, we can employ the threshold cryptography technique or separate the parameters in List1 and List2 into more groups which are held by different parties.

5 Conclusion and future works In this paper, we have proposed an unsusceptible internet voting protocol to most of sophisticated attacks. The proposed protocol preserves the privacy of voters and the content of votes against vote-buyers, coercers, and corrupted authorities inside our system even though more and more adversaries collude together. Furthermore, the fact that no physical assumptions and no complex cryptographic techniques need to be used makes our proposal more practical. In the future, we intend to formalize an internet voting protocols using process calculi such as pi-calculus for describing concurrent processes and their interactions in order to standardize internet voting protocols and get more accurate evaluation as well. Up till now, there are the governments of Estonia and the city of Geneva in Switzerland employing elections over internet. The success of the internet voting in these governments encourages the development of this research, especially the development of security aspects of internet voting systems [21].

References 1. Acquisti, A. (2004). Receipt-free homomorphic elections and write-in voter verified ballots (ISRI Technical report CMU-ISRI-04-116). Carnegie Mellon University, PA. 2. Araújo, R., Rajeb, N.B., Robbana, R., Traoré, J., & Youssfi, S. (2010). Towards practical and secure coercion-resistant electronic election. In S. H. Heng, R. N. Wright, & B. M. Goi (Eds.), LNCS: Vol. 6467. Cryptology and network security (CANS 2010) (pp. 278–297). Heidelberg: Springer. 3. Baudron, O., Fouque, P. A., Pointcheval, D., Stern, J., & Poupard, G. (2001). Practical multi-candidate election system. In Proceedings of the twentieth annual ACM symposium on principles of distributed computing (pp. 274–283). New York: ACM. 4. Bradford, P. G., Park, S., Rothkopf, M. H., & Park, H. (2008). Protocol completion incentive problems in cryptographic Vickrey auctions. Electronic Commerce Research, 8(1), 57–77. 5. Burmester, M., & Magkos, E. (2003). Towards secure and practical e-elections in the new era. In Secure electronic voting (Vol. 7, pp. 63–76). 6. Camenisch, J., & Lysyanskaya, A. (2005). A formal treatment of onion routing. In Advances in cryptology–CRYPTO 2005 (pp. 169–187). Berlin: Springer. 7. Cetinkaya, O., & Doganaksoy, A. (2006). A practical privacy preserving e-voting protocol using dynamic ballots. In Proceedings of the 2nd national cryptology symposium, Ankara, Turkey. 8. Cetinkaya, O., & Doganaksoy, A. (2007). A practical verifiable e-voting protocol for large scale elections over a network. In Proceedings of availability, reliability and security 2007 (ARES 2007), Vienna (pp. 432–442).


271

9. Chaum, D. (1981). Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM, 24(2), 84–88. 10. Chaum, D. (1982). Blind signatures for untraceable payments. In Advances in cryptology: proceedings of crypto (Vol. 82, pp. 199–203). 11. Cramer, R., Gennaro, R., & Schoenmakers, B. (1997). A secure and optimally efficient multi-authority election scheme. European Transactions on Telecommunications, 8(5), 481–490. 12. Fujioka, A., Okamoto, T., & Ohta, K. (1993). A practical secret voting scheme for large scale elections. In Advances in cryptology—AUSCRYPT’92 (pp. 244–251). Berlin: Springer. 13. Goldschlag, D., Reed, M., & Syverson, P. (1999). Onion routing for anonymous and private communications. Communications of the ACM, 42(2), 39–41. 14. Hasan, M. S. (2008). E-voting scheme over Internet. In International conference on business and information, Seoul, South Korea. 15. Jakobsson, M., & Juels, A. (2000). Mix and match: secure function evaluation via ciphertexts. In Proceedings of the 6th international conference on the theory and application of cryptography and information security: advances in cryptography (pp. 162–177). London: Springer. 16. Juang, W. S., Lei, C. L., & Liaw, H. T. (2002). A verifiable multi-authority secret election allowing abstention from voting. Computer Journal, 45(6), 672–682. 17. Juels, A., Catalano, D., & Jakobsson, M. (2005). Coercion-resistant electronic elections. In Proceedings of the 2005 ACM workshop on privacy in the electronic society (pp. 61–70). New York: ACM. 18. Kohel, R. D. (2010). Public key cryptography. In Cryptography (pp. 67–74). 19. Liaw, H. T. (2004). A secure electronic voting protocol for general elections. Computers & Security, 23(2), 107–119. 20. Meng, B. (2009). A critical review of receipt-freeness and coercion-resistance. Information Technology Journal, 8(7), 934–964. ISSN 1812-5638 21. Nguyen, T. A. T., & Dang, T. K. (2011). Preserving privacy in electronic voting. In Proceedings of the 4th regional conference on information and communication technology, Ho Chi Minh City, Vietnam (pp. 46–55). 22. Pagnoni, A., & Visconti, A. (2010). Secure electronic bills of lading: blind counts and digital signatures. Electronic Commerce Research, 10(3), 363–388. 23. Park, C., Itoh, K., & Kurosawa, K. (1994). Efficient anonymous channel and all/nothing election scheme. In T. Helleseth (Ed.), LNCS: Vol. 765. Advances in cryptology EUROCRYPT’93 (pp. 248– 259). Heidelberg: Springer. 24. Röhrig, S., & Knorr, K. (2004). Security analysis of electronic business processes. Electronic Commerce Research, 4(1), 59–81. 25. Smith, R., & Shao, J. (2007). Privacy and e-commerce: a consumer-centric perspective. Electronic Commerce Research, 7(2), 89–116. 26. Spycher, O., Koenig, R., Haenni, R., & Schläpfer, M. (2012). A new approach towards coercionresistant remote e-voting in linear time. In G. Danezis (Ed.), LNCS: Vol. 7035. Financial cryptography and data security (FC 2011) (pp. 182–189). Heidelberg: Springer. 27. Srivastava, A. (2011). Resistance to change: six reasons why businesses don’t use e-signatures. Electronic Commerce Research, 11(4), 357–382.

Thi Ai Thao Nguyen received her B.Eng. degree in Computer Science and Engineering, with the Honor Program from the HCMC University of Technology-HCMUT (Vietnam) in 2010. After that, she continued her academic career by studying the Master Program of HCMC University of Technology, Vietnam. In 2012, she got the Master Degree with high GPA. From 2010 till now, she has been working for the Faculty as a lecture and a researcher. Her research interests include database & information security, privacy preserving in location-based services, security in electronic voting.

272


Tran Khanh Dang received his B.Eng. degree from the Faculty of Computer Science & Engineering in HCMC University of TechnologyHCMUT (Vietnam) in 1998. He achieved a medal awarded for the best graduation student. From 1998–2000, he had been working for the Faculty as a lecturer and researcher. He had got a Ph.D. scholarship of the Austrian Exchange Service (OeAD) from 2000–2003, and finished his Ph.D. degree (Dr. techn.) in May 2003 at FAW Institute, University of Linz (Austria). Afterwards, he had been working as a lecturer and researcher at the School of Computing Science, Middlesex University in London (UK) since August 2003. In October 2005, he returned home and has continued working for the Faculty of Computer Science & Engineering in HCMUT. Currently, he is the head of the Department of Information Systems. Dr. Dang’s research interests include database & information security, privacy protection in location-based services, mobile data security, and big data management. He is also the founder of the Data SecuriTy Applied Research (D-STAR) Lab (http://www.dstar.edu.vn). He has published more than 95 scientific papers in international journals & conferences. Dr. Dang has also participated in and managed many research as well as commercial projects.