Secure Electronic Voting for Mobile Communications

Xun Yi, Pietro Cerone, Yanchun Zhang

School of Computer Science and Mathematics, Victoria University, PO Box 14428, Melbourne City MC, VIC 8001, Australia
Email: {Xun.Yi, Pietro.Cerone, Yanchun.Zhang}@vu.edu.au

Abstract - Recent technological advances in mobile communications have allowed the public to take part in noncritical elections (such as deciding the most valuable player in sports events) with low-power, low-cost and small sized portable communication devices. However, more critical elections (such as political elections) have not yet been held in mobile communication environments, mainly because of security concerns and the communication and computation constraints of portable communication devices. In this paper, we come up with a secure electronic election scheme in mobile communication environments, which meets completeness, soundness, privacy, unreusability, eligibility, fairness, and verifiability. Our scheme is based on blind signature and needs low computation complexity in portable communication devices.

I. INTRODUCTION

Recently, the widespread growth of mobile wireless networks, applications, and services has ushered in the era of mobile computing, where handheld computing devices (or terminals) have become the predominant choice for users [1]. Low-cost affordability of portable devices such as cell phones and palmtops and their widespread usage are motivating manufacturers to provide various services to mobile users.

Nowadays, mobile users can take part in noncritical elections (such as deciding the most valuable player in sports events) with low-power, low-cost and small sized portable communication devices. However, more critical elections (such as political elections) have not yet been held in mobile communication environments, mainly because of security concerns and the communication and computation constraints of portable communication devices.

An election scheme must protect the privacy of the voter and the integrity of the election. In general, typical requirements for an electronic election scheme include [2][3]:
1) Completeness: All valid votes must be counted correctly.
2) Soundness: Dishonest voters cannot disrupt the voting process.
3) Privacy: All ballots must be secret.
4) Unreusability: No voter can cast his ballot more than once.
5) Eligibility: Only those who are allowed to vote can vote.
6) Verifiability: Nobody can falsify the result of the voting process.
7) Fairness: Nothing must affect the voting.

Various approaches for electronic elections have been suggested in the last two decades. Chaum was the first to suggest a practical electronic election scheme [4], which used an anonymous channel, implemented with trusted MIX nets and digital pseudonyms, to ensure voter privacy. This scheme can be used only for small elections. Later, some election schemes practical for large-scale elections, such as the Fujioka-Okamoto-Ohta scheme [2], were proposed. So far, voter anonymity is implemented with one of the following approaches [5]:
1) Blind signatures and an anonymous channel, implemented with MIX nets or based on some physical assumption.
2) Several servers are used to count the votes, and each voter verifiably secret-shares his vote among the servers.
3) Homomorphic encryption, where a voter simply publishes an encryption of his vote, encryptions are combined into an encryption of the result, and finally decryption servers cooperate to decrypt the result.

Almost all proposed election schemes involve more or less modular exponentiations with large modulus, i.e., g (mod n), which are too expensive to be used in mobile communication environments, because current portable communication devices have only limited computational power.

In this paper, we come up with an electronic election scheme in mobile communication environment, which is built on modular square root (MSR) technique and a blind signature scheme. Our scheme needs low computation complexity in portable communication devices.

The remaining sections are arranged as follows: Section II introduces the modular square root technique; Section III presents our election scheme; Section IV and Section V analyse the security and performance of our scheme; conclusions are drawn in the last section.

II. MODULAR SQUARE ROOT (MSR) TECHNIQUE

The Modular Square Root (MSR) technique was invented by Rabin [6] and improved by Williams [7]. The MSR technique is based on quadratic residues and their properties.

Let $a$ be any integer and $n$ a natural number, and suppose that the greatest common divisor of $a$ and $n$ is 1, i.e., $\gcd(a, n) = 1$. Then $a$ is called a quadratic residue modulo $n$ if the congruence

$$x^2 \equiv a \pmod{n} \qquad (1)$$

is soluble. The solutions are called modular square roots of quadratic residue $a$ modulo $n$.

0-7803-9392-9/06/$20.00 (c) 2006 IEEE

Euler's criterion [8]: Let $p$ be an odd prime and $\gcd(a, p) = 1$. Then $a$ is a quadratic residue modulo $p$ if and only if

$$a^{\frac{p-1}{2}} \equiv 1 \pmod{p}$$

Euler's criterion does not help us find modular square roots of $a$. It yields only an answer "yes" or "no". However, if $p \equiv 3 \pmod{4}$ and $a$ is a quadratic residue modulo $p$, there is a simple formula to compute the square roots of quadratic residue $a$ modulo $p$ as follows:

$$r_{1,2} = \pm a^{\frac{p+1}{4}} \pmod{p} \qquad (3)$$

because $(\pm a^{\frac{p+1}{4}})^2 = a^{\frac{p+1}{2}} = a^{\frac{p-1}{2}} a = a \pmod{p}$.

According to Euler's criterion, we have

Property 1 [8]: Let $n = pq$ and $\gcd(a, n) = 1$, where $p$, $q$ are two distinct odd primes and $p \equiv q \equiv 3 \pmod{4}$. Then $a$ is a quadratic residue modulo $n$ if and only if $a^{\frac{p-1}{2}} \equiv 1 \pmod{p}$ and $a^{\frac{q-1}{2}} \equiv 1 \pmod{q}$.

Under the assumption of Property 1, if $a$ is a quadratic residue modulo $n$, i.e., $x^2 \equiv a \pmod{n}$ is soluble, then the square roots $r_{1,2,3,4}$ of quadratic residue $a$ modulo $n$ can be computed as follows:

$$\alpha = a^{\frac{p+1}{4}} \pmod{p} \qquad (4)$$

$$\beta = a^{\frac{q+1}{4}} \pmod{q} \qquad (5)$$

$$r_{1,2} = \alpha q q^* \pm \beta p p^* \pmod{n} \qquad (6)$$

$$r_{3,4} = -\alpha q q^* \pm \beta p p^* \pmod{n} \qquad (7)$$

where $p^* = p^{-1} \pmod{q}$ and $q^* = q^{-1} \pmod{p}$. Since $\gcd(p, q) = 1$, both $p^*$ and $q^*$ can be determined based on the extended Euclidean algorithm.

Property 2 [9]: Let $n = pq$ where $p$, $q$ are two distinct odd primes. Then the number of quadratic residues modulo $n$ is $(p-1)(q-1)/4$.

Property 2 shows the probability of any integer $a$ to be a quadratic residue modulo $n$ is about 1/4.

III. OUR ELECTION SCHEME

A. System Model

An electronic election scheme in mobile communication environments, by which mobile users vote for candidates, usually involves six parties as follows:
1) Certification authority (CA) - A trusted third party which issues secret certificates to mobile users.
2) Administrator (A) - A party which issues ballots to mobile voters.
3) Counter (C) - A party which receives and tallies ballots from mobile voters.
4) Base station (B) - A party which provides wireless communication services to mobile users.
5) Voters (V) - Mobile users who participate in the election.
6) Election Commissioner (EC) - An objective party which monitors all complaints and takes appropriate action.

We assume that the base station never colludes with the administrator and the counter. In addition, messages transmitted among the administrator, the counter, the base station, and mobile voters may be altered, blocked, and delayed.

Our electronic election scheme in mobile communication environments is composed of six phases:
1) Setup - The certificate authority, the administrator, the counter and the base station set public and private parameters.
2) Registration - The certificate authority issues secret certificates to mobile users.
3) Ballot application - Mobile voters apply for ballots from the administrator through the base station.
4) Ballot cast - Mobile voters cast ballots to the counter through the base station.
5) Tallying - The counter counts ballots and publishes a list of ballots.
6) Confirmation - A mobile voter checks whether his ballot is in the list or not.

B. Setup

Each of the certificate authority (CA), the administrator (A), the counter (C) and the base station (B) generates two large distinct primes $p$ and $q$ such that $p \equiv q \equiv 3 \pmod{4}$ and computes $n = pq$, then publishes $n$ to all parties while keeping $p$ and $q$ secret. The correspondences between CA, A, C, B and their parameters are shown in Tab. 1.

Entity | Public | Private
CA | $n_{ca}$ | $p_{ca}, q_{ca}$
A | $n_a$ | $p_a, q_a$
C | $n_c$ | $p_c, q_c$
B | $n_b$ | $p_b, q_b$

Tab. 1. Correspondences between entities and parameters

In addition, the administrator publishes a non-quadratic residue modulo $n_a$, denoted as $\alpha$, where

$$\alpha^{\frac{p_a-1}{2}} \equiv 1 \pmod{p_a} \qquad (8)$$

$$\alpha^{\frac{q_a-1}{2}} \equiv -1 \pmod{q_a} \qquad (9)$$

C. Registration

In order to use mobile communication services, a mobile user must register with the certificate authority to obtain a secret certificate. For a mobile user $V_j$ whose identification information is $ID_j$, CA issues a secret certificate $(ID_j, t_j, s_j)$ to $V_j$, where $(t_j, s_j)$ is the output of Algorithm S as follows:
1) Input $ID_j$.
2) Let $t_j$ be the current time and $a = h(ID_j, t_j)$, where $h$ is a one-way hash function which hashes messages with arbitrary length to messages with fixed length.
3) Check whether

$$a^{\frac{p_{ca}-1}{2}} \equiv 1 \pmod{p_{ca}}, \qquad a^{\frac{q_{ca}-1}{2}} \equiv 1 \pmod{q_{ca}}$$

If not, go to 2.
4) Compute the four modular square roots $r_{1,2,3,4}$ of $x^2 \equiv a \pmod{n_{ca}}$ with knowledge of $p_{ca}, q_{ca}$ according to (4)-(7).
5) Choose the smallest square root as $s_j$.
6) Output $(t_j, s_j)$ and halt.

A hash function should be "random" in the sense that all outputs are equi-probable. Therefore, $a = h(ID_j, t_j)$ can be considered to change randomly as $t_j$ increases. According to Property 2, $(t_j, s_j)$ can be found with Algorithm S after four loops on the average.

At last, CA issues a smart card, e.g., the Subscriber Identity Module (SIM), in which the secret certificate $(ID_j, t_j, s_j)$ is stored safely, to $V_j$.
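Algorithm S and the public check of the resulting certificate, as an added example (not the authors' code). It assumes SHA-256 as the hash $h$, an integer counter in place of the wall-clock timestamp, and two public Mersenne primes as a toy CA key; all function names are hypothetical.

```python
import hashlib

# Constructed toy key: two Mersenne primes, both = 3 (mod 4). A real CA would
# generate large random secret primes; these are well-known public constants.
P, Q = 2**127 - 1, 2**89 - 1
N = P * Q

def h(n, *fields):
    """Hash the fields to an integer modulo n (SHA-256 stands in for h)."""
    data = "|".join(str(f) for f in fields).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def is_qr(a, p, q):
    """Property 1: Euler's criterion must hold modulo both primes."""
    return pow(a, (p - 1) // 2, p) == 1 and pow(a, (q - 1) // 2, q) == 1

def square_roots(a, p, q):
    """Four square roots of a quadratic residue a modulo p*q, eqs. (4)-(7)."""
    n = p * q
    alpha = pow(a, (p + 1) // 4, p)          # (4)
    beta = pow(a, (q + 1) // 4, q)           # (5)
    u = alpha * q * pow(q, -1, p)            # alpha * q * q*
    v = beta * p * pow(p, -1, q)             # beta * p * p*
    return sorted({(u + v) % n, (u - v) % n, (-u + v) % n, (-u - v) % n})

def algorithm_s(identity, p, q, start_time):
    """Advance t until h(ID, t) is a residue; return (t, smallest root, loops)."""
    n, t, loops = p * q, start_time, 1
    while not is_qr(h(n, identity, t), p, q):
        t, loops = t + 1, loops + 1          # "go to 2" with the next timestamp
    return t, square_roots(h(n, identity, t), p, q)[0], loops

def verify_certificate(identity, t, s, n):
    """Public check s^2 = h(ID, t) mod n; needs only n, never the factors."""
    return pow(s, 2, n) == h(n, identity, t)

def average_loops(count, p, q):
    """Empirical view of 'four loops on the average' (Property 2)."""
    total = sum(algorithm_s(f"voter-{i}", p, q, 0)[2] for i in range(count))
    return total / count
```

Issuing a certificate costs the CA two modular exponentiations per loop plus the root extraction, while the verifier performs a single modular squaring.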

D. Ballot Application

The purpose of this phase is for the base station to authenticate mobile voters and for mobile voters to apply for ballots from the administrator. Suppose the secret certificate of a mobile voter $V_j$ is $(ID_j, t_j, s_j)$, which is known only to himself.

Step 1. $V_j$, applying for a ballot of selection $v_j$, randomly chooses integers $a_j, b_j, r_j$, where $\sqrt{n_b} < a_j < n_b$, $\sqrt{n_c} < b_j < n_c$, $0 < r_j < n_a$, and computes

$$A_j = a_j^2 \pmod{n_b}$$

$$B_j = b_j^2 \pmod{n_c}$$

$$k_j = h(a_j)$$

$$k_j^* = h(b_j)$$

$$A'_j = E_{k_j}(ID_b)$$

$$B'_j = E_{k_j^*}(ID_c)$$

$$C_j = r_j^2\, h(E_{k_j^*}(v_j)) \pmod{n_a}$$

$$A''_j = E_{k_j}(ID_j, t_j, s_j, C_j, t)$$

where $E_k(\cdot)$ stands for encryption of a secret key cryptosystem with a secret key $k$, such as DES and AES, and $t$ is the current time. Then $V_j$ submits $(A_j, A'_j, A''_j)$ to the base station B.

Step 2. B extracts $k_j$ with Algorithm K as follows:
1) Compute the four modular square roots $r_{1,2,3,4}$ of $x^2 \equiv A_j \pmod{n_b}$ with knowledge of $p_b, q_b$ according to (4)-(7).
2) Calculate four secret key candidates $x_{1,2,3,4} = h(r_{1,2,3,4})$.
3) Determine which secret key candidate $x_i$ satisfies

$$D_{x_i}(A'_j) = ID_b \qquad (18)$$

where $D_{x_i}(\cdot)$ denotes decryption of the secret key cryptosystem with a secret key candidate $x_i$. The candidate satisfying (18) is $k_j$.

With $k_j$, B decrypts $A''_j$ to obtain $ID_j, t_j, s_j, C_j, t$, checks the validity of timestamp $t$ and verifies whether

$$s_j^2 \equiv h(ID_j, t_j) \pmod{n_{ca}} \qquad (19)$$

If so, $V_j$ is authentic. B computes one of the modular square roots of $h(ID_j, C_j, t_{bj})$ modulo $n_b$, where $t_{bj}$ is the current time, by Algorithm S with $ID_j, C_j$ as the input. The modular square root is denoted as $s_{bj}$. Then B forwards $ID_j, C_j, t_{bj}, s_{bj}$ to the administrator A within the secure network.

Step 3. At first, A verifies whether

$$s_{bj}^2 \equiv h(ID_j, C_j, t_{bj}) \pmod{n_b} \qquad (20)$$

Then, based on $ID_j$, A checks whether $V_j$ is a valid voter and whether $V_j$ applied for any ballot before. If $V_j$ is a valid voter and did not apply for any ballot before, A responds to $V_j$ in four cases as follows.

Case 1 ($C_j^{\frac{p_a-1}{2}} \equiv 1 \pmod{p_a}$, $C_j^{\frac{q_a-1}{2}} \equiv 1 \pmod{q_a}$). In this case, $C_j$ is a quadratic residue modulo $n_a$. Based on (4)-(7), A computes one of the modular square roots of $C_j$ modulo $n_a$, denoted as $c_j$, which is replied to $V_j$ along with $i_j = 0$.

Case 2 ($C_j^{\frac{p_a-1}{2}} \equiv 1 \pmod{p_a}$, $C_j^{\frac{q_a-1}{2}} \equiv -1 \pmod{q_a}$). In this case, $C_j \alpha \pmod{n_a}$ is a quadratic residue modulo $n_a$. Based on (4)-(7), A computes one of the modular square roots of $C_j \alpha$ modulo $n_a$, denoted as $c_j$, which is replied to $V_j$ along with $i_j = 1$.

Case 3 ($C_j^{\frac{p_a-1}{2}} \equiv -1 \pmod{p_a}$, $C_j^{\frac{q_a-1}{2}} \equiv 1 \pmod{q_a}$). In this case, $-C_j \alpha \pmod{n_a}$ is a quadratic residue modulo $n_a$. Based on (4)-(7), A computes one of the modular square roots of $-C_j \alpha$ modulo $n_a$, denoted as $c_j$, which is replied to $V_j$ along with $i_j = 2$.

Case 4 ($C_j^{\frac{p_a-1}{2}} \equiv -1 \pmod{p_a}$, $C_j^{\frac{q_a-1}{2}} \equiv -1 \pmod{q_a}$). In this case, $-C_j \pmod{n_a}$ is a quadratic residue modulo $n_a$. Based on (4)-(7), A computes one of the modular square roots of $-C_j$ modulo $n_a$, denoted as $c_j$, which is replied to $V_j$ along with $i_j = 3$.

At last, A publishes the list of voters who have already applied for ballots as shown in Tab. 2.

Entry | Voters
1 | $ID_1, C_1, t_{b1}, s_{b1}$
j | $ID_j, C_j, t_{bj}, s_{bj}$

Tab. 2. Voter list

After receiving $c_j$ and $i_j$ from A via B, $V_j$ computes

$$d_j = c_j r_j^{-1} \pmod{n_a} \qquad (21)$$

and verifies whether

$$d_j^2 \equiv h(E_{k_j^*}(v_j))\, \delta_{i_j} \pmod{n_a} \qquad (22)$$

where

$$\delta_{0,3} = \pm 1 \qquad (23)$$

$$\delta_{1,2} = \pm \alpha \qquad (24)$$

If (22) holds, $V_j$ obtains a blind signature $d_j$ of A on $E_{k_j^*}(v_j)$, on which an encapsulated ballot $(E_{k_j^*}(v_j), i_j, d_j, B_j, B'_j)$ can be constructed. The ballot application phase is illustrated in Fig. 1.

[Fig. 1. Applying Ballots: message flow among $V_j$, B and A. Step 1: $(A_j, A'_j, A''_j)$; Step 2: $(ID_j, C_j, t_{bj}, s_{bj})$; Step 3: $(c_j, i_j)$.]

E. Ballot Cast

In this phase, each voter $V_j$ casts his ballot to the counter C through the base station B.

Step 1: $V_j$ casts his encapsulated ballot $(E_{k_j^*}(v_j), i_j, d_j, B_j, B'_j)$ to B. In this phase, $V_j$ must not reveal $(ID_j, t_j, s_j)$ to B.

Step 2: Without $(ID_j, t_j, s_j)$, B authenticates $V_j$ by first verifying whether (22) holds or not. If so, B forwards $(E_{k_j^*}(v_j), i_j, d_j, h(B_j), B'_j)$ to C. Otherwise, B discards the invalid ballot.

Step 3: At first, C checks whether any ballot with the same $d_j$ was received before or not. If yes, C replies to B with a double ballot notification. If not, C verifies whether (22) holds or not. If so, C replies to B with one of the modular square roots of $h(E_{k_j^*}(v_j), i_j, d_j, h(B_j), B'_j, t_{cj})$, where $t_{cj}$ is the current time, computed by Algorithm S with $(E_{k_j^*}(v_j), i_j, d_j, h(B_j), B'_j)$ as the input. The modular square root is denoted as $s_{cj}$, which is replied to B along with $t_{cj}$. In addition, C keeps $(E_{k_j^*}(v_j), i_j, d_j, h(B_j), B'_j, t_{cj})$ for tallying.

Step 4: B checks whether

$$s_{cj}^2 \equiv h(E_{k_j^*}(v_j), i_j, d_j, h(B_j), B'_j, t_{cj}) \pmod{n_c} \qquad (25)$$

If so, B forwards $(E_{k_j^*}(v_j), i_j, d_j, h(B_j), B'_j, t_{cj}, s_{cj})$ to the election commissioner EC, which verifies whether (22) and (27) hold or not and stores it for resolution of future conflicts. In addition, B keeps $B_j$ for tallying. The ballot cast phase is illustrated in Fig. 2.

[Fig. 2. Casting Ballots: message flow among $V_j$, B, C and EC. Step 1: $(E_{k_j^*}(v_j), i_j, d_j, B_j, B'_j)$; Step 2: $(E_{k_j^*}(v_j), i_j, d_j, h(B_j), B'_j)$; Step 3: $(s_{cj}, t_{cj})$; Step 4: to EC.]

F. Tallying

When the voting is over, B forwards all received $B_j$ to C. According to $h(B_j)$, C looks for the corresponding encapsulated ballot $(E_{k_j^*}(v_j), i_j, d_j, h(B_j), B'_j)$. Then, based on $B_j$ and $B'_j$, C extracts $k_j^*$ with Algorithm K and decrypts $E_{k_j^*}(v_j)$ to obtain $v_j$, on which a clear ballot $(k_j^*, v_j, i_j, d_j)$ is constructed. In case $k_j^*$ cannot decrypt $E_{k_j^*}(v_j)$ to a meaningful $v_j$, C replies to B with an invalid key notification, which is forwarded by B to EC.

At last, the counter C publishes the list of clear ballots as shown in Tab. 3.

[Tab. 3. Ballot list: columns Entry and Ballots, each ballot of the form $(k_j^*, v_j, i_j, d_j)$.]

In addition, C summarizes and publishes the voting results.

G. Confirmation

$V_j$ searches for his personal ballot in the list of ballots according to either $k_j^*$ or $d_j$. If his ballot is not in the list, $V_j$ sends a complaint $(b_j, v_j, i_j, d_j)$ to the election commissioner EC. In this case, EC first computes

$$\alpha_j = b_j^2 \pmod{n_c} \qquad (26)$$

$$\beta_j = h(b_j) \qquad (27)$$

and looks for $(E_{k_j^*}(v_j), i_j, d_j, h(B_j), B'_j, t_{cj}, s_{cj})$ according to $h(\alpha_j)$ (i.e., $h(B_j)$). If found, EC checks whether $(\beta_j, v_j, i_j, d_j)$ is in the list of ballots, verifies whether (22) and (27) hold or not, and whether

$$E_{\beta_j}(ID_c) = B'_j \qquad (28)$$

$$E_{\beta_j}(v_j) = E_{k_j^*}(v_j) \qquad (29)$$

If all hold, the counter C is judged to be dishonest or at least to perform its duty improperly. Otherwise, EC discards the complaint.

Note: If $V_j$ does not disclose $v_j$, EC cannot determine who is dishonest by simply verifying whether (22) holds or not because dishonest voters may submit invalid keys to C.

In addition, $V_j$ can also check other ballots, e.g., $(k_l^*, v_l, i_l, d_l)$, by verifying whether

$$d_l^2 \equiv h(E_{k_l^*}(v_l))\, \delta_{i_l} \pmod{n_a} \qquad (30)$$

IV. SECURITY ANALYSIS

In Section I, we have introduced the security requirements for an electronic election scheme. In this section, we will check whether our scheme meets all of these security requirements.

In the ballot application phase, we describe a blind signature scheme, which allows a voter to obtain a signature from the administrator on his vote, in such a way that the administrator learns nothing about the vote that is being signed.
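The blind signature exchange of the ballot application phase, carried through equations (21) and (22), as an added example rather than code from the paper. It assumes SHA-256 as $h$, a constructed byte string in place of the encrypted vote, and public Mersenne primes as a toy administrator key; all function names are hypothetical.

```python
import hashlib

# Constructed toy key for the administrator A: Mersenne primes, both = 3 (mod 4).
PA, QA = 2**107 - 1, 2**61 - 1
NA = PA * QA

def h(data):
    """SHA-256 as a stand-in for the paper's hash h, reduced modulo n_a."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % NA

def euler(x, p):
    """Euler's criterion as +1 / -1 for x coprime to the prime p."""
    return 1 if pow(x, (p - 1) // 2, p) == 1 else -1

def find_alpha():
    """Public non-residue of (8)-(9): residue mod p_a, non-residue mod q_a."""
    return next(x for x in range(2, 1000)
                if (euler(x, PA), euler(x, QA)) == (1, -1))

ALPHA = find_alpha()
# Multipliers of (23)-(24), indexed by the case number i_j the signer returns.
DELTA = {0: 1, 1: ALPHA, 2: -ALPHA % NA, 3: -1 % NA}
CASE = {(1, 1): 0, (1, -1): 1, (-1, 1): 2, (-1, -1): 3}

def blind(message, r):
    """Voter: C_j = r_j^2 * h(m) mod n_a hides h(m) behind the random r_j."""
    return (r * r * h(message)) % NA

def sign_blinded(c_blind):
    """Administrator: choose the case, then one square root of C_j * delta_i."""
    i = CASE[(euler(c_blind, PA), euler(c_blind, QA))]
    target = (c_blind * DELTA[i]) % NA
    rp, rq = pow(target, (PA + 1) // 4, PA), pow(target, (QA + 1) // 4, QA)
    root = (rp * QA * pow(QA, -1, PA) + rq * PA * pow(PA, -1, QA)) % NA
    return root, i

def unblind(c, r):
    """Voter: d_j = c_j * r_j^{-1} mod n_a, equation (21)."""
    return (c * pow(r, -1, NA)) % NA

def verify(message, d, i):
    """Anyone holding n_a and alpha: d_j^2 = h(m) * delta_i mod n_a, (22)."""
    return pow(d, 2, NA) == (h(message) * DELTA[i]) % NA
```

The voter's side is one squaring and one multiplication to blind, one inversion and one multiplication to unblind, and one squaring and one multiplication to verify; the exponentiations all fall on the administrator.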

Theorem 1 (Blindness and Unforgeability). Our blind signature scheme is secure in the sense that both blindness and unforgeability are satisfied.

Theorem 2 (Completeness). In our scheme, if the certificate authority, the administrator, the counter, the base station and all mobile voters are honest, the result of the election can be trusted.

Theorem 3 (Soundness). In our scheme, no dishonest voter can disrupt the election.

Theorem 4 (Privacy). In our scheme, even if the administrator and the counter collude, the relation between voter $V_j$ and vote $v_j$ cannot be revealed.

Theorem 5 (Unreusability). In our scheme, no voter can reuse his right to vote.

Theorem 6 (Eligibility). In our scheme, no dishonest person can vote. Since nobody can forge a blind signature of the administrator on a meaningful ballot, it is obvious that any dishonest person, without a valid blind signature, cannot vote.

Theorem 7 (Fairness). In our scheme, the tallying of ballots does not affect the voting.

Theorem 8 (Verifiability). In our scheme, the result of the voting can be verified.

V. PERFORMANCE ANALYSIS

In an electronic election scheme for mobile communications, portable devices held by mobile voters are usually low-power, low-cost and limited in computing capability. It is impractical to implement some public key techniques requiring high computation complexity in these portable devices.

Our scheme is built on the Modular Square Root (MSR) technique. The number of modular multiplications required for a mobile voter $V_j$ to compute $A_j, B_j, C_j, d_j$ and verify (22) is at most 7. In addition, one modular inversion is needed in determining $d_j$. Besides these computations, the rest of the operations in $V_j$'s portable device are just hash function, encryption and decryption of a secret key cryptosystem.

In our scheme, assume that $n_{ca}, n_a, n_c, n_b$ are almost the same size, about $\ell$ bits, and the block size of the secret key cryptosystem $E$ is $l$ bits. The communication load of a mobile voter in the ballot application phase is about $3\ell$ bits (sending) plus $\ell$ bits (receiving), and the communication load of a mobile voter in the ballot cast phase is about $2\ell + 2l$ bits (sending). Therefore, the total communication load of a mobile voter is $6\ell + 2l$ bits. In the case where $\ell = 1024$, $l = 64$, the transmission time required is less than 1 second over GSM with a line speed of 9.6 kbps.

Our scheme requires a mobile voter $V_j$ to keep only $s_j$, about $\ell$ bits, in the secure memory.

The computation complexities and communication loads required in other parties, such as the administrator, are much higher than those required in a mobile voter. However, it does not matter because other parties are powerful in computations and communications.

The Fujioka-Okamoto-Ohta scheme [2] is a practical secret voting scheme for large scale elections. It is built on the blind signature scheme suggested by Chaum [10]. In the blind signature scheme based on RSA [11], each voter needs to compute at least two modular exponentiations plus one modular inversion. Compared with the Fujioka-Okamoto-Ohta scheme, our scheme requires much less computation in the mobile voter and thereby is more suited for implementation on portable communication devices.

VI. CONCLUSION

Due to recent advances in mobile communications, people can now take part in noncritical elections with low-power, low-cost and small sized portable communication devices. However, more critical elections have not yet been held in mobile communication environments, mainly because of security concerns and the communication and computation constraints of portable communication devices.

In this paper, we have come up with an electronic election scheme for mobile communications. Our scheme is built on the modular square root technique. Security analysis has shown that our scheme meets completeness, soundness, privacy, unreusability, eligibility, fairness, and verifiability. Performance analysis has shown that a mobile voter in our scheme needs to compute at most 7 modular multiplications plus one modular inversion. Compared with the Fujioka-Okamoto-Ohta scheme, our scheme requires much less computation in the mobile voter and thereby is more suited for implementation on portable communication devices.

REFERENCES

[1] P. Stuckman, The GSM Evolution - Mobile Packet Data Services, Wiley, 2003.
[2] A. Fujioka, T. Okamoto, K. Ohta, "A practical secret voting scheme for large scale elections", Proceedings of AUSCRYPT'92, 1992, pp. 244-251.
[3] P. G. Neumann, "The problems and potentials of voting systems: Introduction", Communications of ACM, vol. 47, no. 10, pp. 28-30, Oct 2004.
[4] D. Chaum, "Untraceable electronic mail, return addresses, and digital pseudonyms", Communications of ACM, vol. 24, no. 2, pp. 84-88, 1981.
[5] I. Damgard and M. Jurik, "Client/server tradeoffs for online elections", Proceedings of PKC'02, 2002, pp. 125-140.
[6] M. O. Rabin, "Digital signature and public key functions as intractable as factorization", MIT Laboratory for Computer Science, Technical Report, MIT/LCS/TR-212, Jan 1979.
[7] H. C. Williams, "A Modification of the RSA public key encryption procedure", IEEE Transactions on Information Theory, vol. 26, no. 6, pp. 726-729, Nov 1980.
[8] S. S. Yan, Number Theory for Computing, Berlin: Springer, 2000.
[9] G. A. Jones and J. M. Jones, Elementary Number Theory, London: Springer, 1998.
[10] D. Chaum, "Security without identification: Transaction systems to make big brother obsolete", Communications of ACM, vol. 28, no. 10, pp. 1030-1044, Oct 1985.
[11] R. L. Rivest, A. Shamir and L. M. Adleman, "A method for obtaining digital signatures and public key cryptosystems", Communications of ACM, vol. 21, no. 2, pp. 120-126, Feb 1978.
[12] D. R. Stinson, Cryptography: Theory and Practice, (2nd ed.), vol. 2, Addison Wesley Longman, 1998.
[13] A. K. Lenstra, "Integer factoring", Design, Code and Cryptography, vol. 19, no. 2/3, pp. 101-128, Mar 2000.
[14] R. P. Brent, "Recent progress and prospects for integer factorization algorithm", Proceedings of COCOON'2000, Sydney, Australia, July 2000, pp. 3-22.