Design and Implementation of a Mobile Voting System Using a Novel Oblivious and Proxy Signature

Electronic voting systems can make the voting process much more convenient. However, in such systems, if a server signs blank votes before users vote, it may cause undue multivoting. Furthermore, if users vote before the signing of the server, voting information will be leaked to the server and may be compromised. Blind signatures could be used to prevent leaking voting information from the server; however, malicious users could produce noncandidate signatures for illegal usage at that time or in the future. To overcome these problems, this paper proposes a novel oblivious signature scheme with a proxy signature function to satisfy security requirements such as information protection, personal privacy, and message verification and to ensure that no one can cheat other users (including the server). We propose an electronic voting system based on the proposed oblivious and proxy signature scheme and implement this scheme in a smartphone application to allow users to vote securely and conveniently. Security analyses and performance comparisons are provided to show the capability and efficiency of the proposed scheme.


Introduction
In recent years, network transactions for applications such as Internet auctions and banking have increased greatly.Network and mobile security technologies [1][2][3][4][5][6] play important roles in protecting users' privacy.In this regard, digital signatures have attracted considerable attention.By using public-key cryptography, a signer can sign a message using his or her private key, which is owned only by the signer, to create a digital signature for the message.Then, any verifier can validate the correctness of this signature by using the signer's public key.
However, it is necessary to protect the privacy of signature receivers in some situations, such as the contents of signed message in a digital cash system or the choices from candidates in an e-voting situation.In 1983, Chaum [7] introduced a blind signature scheme to offer blindness which protects the signee's privacy.In 2013, Nayak et al. [8] proposed a blind signature scheme based on an elliptic curve discrete logarithm problem.In 2005, Rabin [9] introduced the concept of oblivious transfer.In 1994, Chen [10] proposed the concept of oblivious signatures and considered two types of oblivious signature schemes.In 2008, Tso et al. [11] provided formal definitions and security requirements for an oblivious signature scheme.In 2012, Chou [12] proposed a more efficient and secure -out-of- oblivious transfer scheme.
In 1996, Mambo et al. [13] proposed the concept of proxy signature.Various proxy signature schemes have been proposed [14,15].In 2000, Lin and Jan [16] proposed the first proxy blind signature scheme that combines the functionalities of both proxy signatures and blind signatures.In 2002, Tan et al. [17] proposed a proxy blind signature scheme; however, in 2003, Lal and Awasthi [18] showed this scheme to be insecure and further proposed a new scheme that is secure and more efficient than Tan et al. 's scheme.In 2013, Yang and Liang [19] proposed a new proxy blind signature scheme that allows revocation.
For electronic voting systems, in 2001, Ray and Narasimhamurthi [20] introduced an online anonymous electronic voting protocol that allows a voter to cast his or her ballot anonymously by exchanging untraceable authentic messages.In 2013, Pan et al. [21] proposed an electronic voting scheme that is based on the ring signature and is resistant to a clash attack.Several schemes with delegated voting functionality have been proposed.In 2013, Zwattendorfer et al. [22] proposed a proxy voting scheme that allows a voter to delegate his or her voting power to a proxy who actually casts the ballots for all represented voters.Norway has used an Internet-based voting protocol for some years, and the vote privacy and correctness of this scheme have been demonstrated [23].In 2016, Kulyk et al. [24] proposed a new coercion-resistant proxy voting scheme by extending the coercion-resistant JCJ/Civitas theme, aiming to prevent direct voter coercion, delegation coercion, and proxy coercion.They also proposed a new proxy voting scheme [25] to extend the Helios voting system [26] with delegated voting functionality.In 2017, Cohensius et al. [27] considered a social choice problem and demonstrated that the mechanism using proxy voting better approximates the optimal outcome.1.1.Motivation.Compared with a blind signature scheme, a oblivious signature scheme used in e-voting provides one more property: ambiguity in selected messages.A signer cannot find out which message a voter has selected while signing the messages, but the signer can be certain that the message the voter chooses is one of the predetermined messages; otherwise, the signature would not be accepted by a verifier.Therefore, in oblivious signature systems, which differ from blind signature schemes, the limited signed contents can prevent potential malicious users from obtaining valid signatures of some candidates for unauthorized purposes.
In addition, because each unit of a group (such as each state of a country, each county of a state, each campus of a school, or each approved bank of a group) may use different methods to authorize their members (using different keys), polling booths with proxy ability are required.Additional benefits include reducing the load at voting centers and avoiding network jams.Moreover, the mobility of the voting functionality allows people to vote from anywhere using their mobile devices, thereby making the electronic voting system more convenient.
The goal in this research is a design of novel schemes which combine oblivious and proxy signatures and extend the designed schemes to an electronic voting system which provides the following properties: mobility, instant voting, proxy signer, completeness, unforgeability, unlinkability, undeniability, accuracy, distinguishability, ambiguity, nonduplication, eligibility, verifiability, fairness, and privacy, where fairness means that no one can know the current total number of votes received by every candidate before the end of the voting period.

Our Contribution.
In this paper, based on the Schnorr signature [28], we propose two novel 1-out-of- blind (oblivious) and proxy signature schemes that combine the advantages of oblivious signatures and proxy signatures and satisfy the security properties of these two signature schemes.One of the proposed proxy oblivious schemes is of the proxy-unprotected type and the other is of the proxyprotected type.Based on our schemes, we also propose an anonymous electronic voting system with proxy signer.By using the concept proposed in [29], we conduct security analyses and performance comparisons.The results showed that our scheme has good performance and is efficient.Finally, we implement the voting system on Android mobile phones to prove that our scheme is workable.This paper extends the research [30], which presents the concept of 1-out-of- oblivious and proxy signature schemes of proxy-unprotected type without the voting system application, security analyses and formal proofs, and mobile phone implementation.

Related Works
In this section, we present two representative protocols that are relevant to our scheme: oblivious signature and proxy signature.
2.1.Oblivious Signature.In 1983, Chaum [7] introduced a blind signature scheme.Compared with a normal signature, a blind signature offers an additional property, blindness, that provides it with the ability to protect the signee's privacy.In a blind signature scheme, a signee could get a message's digital signature signed by a signer without revealing any information about the message.This is vital in some applications such as electronic payment systems and secure voting systems [31][32][33][34][35], because the requester's messages may be sensitive.Nayak et al. [8] also proposed a blind signature scheme based on an elliptic curve discrete logarithm problem.
In 2005, Rabin [9] introduced the concept of oblivious transfer.In this protocol, a sender sends some subsets of some messages but does not know what the receiver has received.Thus, the receiver can get the particular message he or she wants without revealing any information about the message to the sender.In 2012, Chou [12] proposed a more efficient and secure -out-of- oblivious transfer scheme.
In 1994, Chen [10] proposed the concept of oblivious signatures.He considered two types of oblivious signature schemes.The first one comprises  keys and one message; the receiver can get a message signed with one of  keys that are chosen by him or her while the signers cannot know which key has been used for the signature by the receiver.The second one comprises  messages and one key; a signee can choose one predetermined message to get signed while not revealing any information about the selected message to the signer.In contrast to blind signatures, oblivious signatures can guarantee that the signed message is actually one of the predetermined messages; therefore, if the receiver were to submit some additional messages, the signature would not be accepted by the scheme.
In 2008, Tso et al. [11] noted that Chen's proposal does not crisply formalize the notion and security properties of the scheme.Consequently, they provided formal definitions and security requirements for an oblivious signature scheme, including completeness, unforgeability, and ambiguity, and proposed a 1-out-of- oblivious signature agreement based on Schnorr's blind signature [28].They also improved the scheme's performance.The preceding properties render ?
In their scheme [11], it first creates a normalized definition for the oblivious signature agreement and proposes the following properties to ensure security: (1) Completeness: as long as the recipient and the signer can implement the agreement honestly, once the agreement is completed the recipient can obtain the signed message.
(2) Unforgeability: despite the algorithm being publicly published, attackers still have difficulty creating a forged signature within an acceptable time frame.
(3) Ambiguity in selected messages: the signer is unable to determine the recipient's selection.
This system provides for three roles, namely, the signer, the recipient, and the verifier.The operation proceeds through three phases, namely, initiation, signing, and verification.Figure 1 shows their scheme and the steps in this scheme are as follows.
(1) System Initiation Phase.In this phase, the signer generates public parameters and a pair of asymmetric keys for use in the following process.
The signer first establishes security parameter 1  to input into the system to establish the algorithm G, which can be used to obtain the public parameters for the agreement.The signer also selects a random number  ∈   *  as a private key to calculate the public key  =   mod .
(2) Signing Phase.This phase explains how the recipient obtains the signature value from the signer's signature (see Figure 1).
(3) Verification Phase.This phase explains how the verifier verifies the correctness of the signature obtained by the recipient (see Figure 3).
Step 1.The recipient sends the obtained signature value (  ) and the selection   to the verifier.
If it does, this represents that the signature obtained by the recipient is genuine.
Note that, in Step 2 of signing phase, the signer cannot learn which message is selected by the recipient; this is called the ambiguity of the protocol.Moreover, in Step 2 of verification phase, unless the selected message   is one of the elements of   , the signature will not be accepted by a verifier.This protocol ensures that a signee's message is one of the predetermined messages, which is one of the features of an oblivious signature scheme.

Proxy Signature.
Although the aforementioned signature schemes seem practical, they are unsuitable for applications in which the signers are not always available.To overcome this problem, in 1996, Mambo et al. [13] proposed the concept of proxy signature.Various proxy signature schemes have been proposed [14,15].Such schemes consist of three entities: an original signer, a proxy signer, and a signee.The original signer can delegate his or her signing power to one or more proxy signers to enable them to sign messages submitted on his or her behalf.Mambo et al. discussed two types of proxy signature schemes: proxy unprotected and proxy protected.
Proxy-unprotected proxy signatures include two cases: full delegation and partial delegation.In full delegation, the original signer gives his or her private key to the proxy signer to sign messages; therefore, the original signer takes full responsibility for the signatures produced by the proxy signer.In partial delegation, the original signer creates a proxy signature key using his or her private key and securely forwards it to the proxy signer; then, the proxy signer uses this proxy signature key to sign messages on the original signer's behalf.
Proxy-protected proxy signature schemes allow the original signer to use his or her private key to create a proxy signature key and securely forward it to the proxy signer.The proxy signer computes a new proxy signature signing key-which contains both the original signer's original proxy signature signing key and the private key of the proxy signer-and then signs messages using the new proxy signature key.Therefore, the original signer and proxy signer share the responsibility for the valid proxy signatures generated by the proxy signer.Both of these schemes afford security properties such as verifiability, unforgeability, and undeniability.
For example, the president of a company could ask his or her reliable secretary (using the proxy-unprotected signature scheme) or employee (using the proxy-protected signature scheme) to sign some important documents on his or her behalf.Then, if some illegal situation arises in relation to the proxy signature, the employee's privacy can be uncovered while the secretary's privacy cannot.
Moreover, delegation can be categorized as full delegation, partial delegation, and delegation by warrant, as follows: (1) Full delegation: the proxy signer obtains a copy of the original signer's signature key to produce a proxy signature value identical to the signature of the original signer.
(2) Partial delegation: the proxy signer's signature key is obtained through a calculation based on the original signer's private key.However, the proxy signature key cannot be used to obtain information related to the original signer's private key.Partial delegation can be categorized as one of two types: proxy-unprotected or proxy-protected.In the former, the original signer and proxy signer can both provide valid proxy signatures.In the latter, only the proxy signer can provide a valid proxy signature.
(3) Delegation by warrant: a warrant based on the original signer's signature is used to validate the proxy signer's signing authority.The proxy signer's authorization message and proxy signature content is included in the proxy signature and the verifier is used to determine the legitimacy of the authorization.
The original signer first delegates his/her signing rights to one or more proxy signers, so that the proxy signers can sign a message in the name of the original signer.Each type of the scheme, proxy unprotected or proxy protected, has to satisfy three security requirements.
(1) Verifiability: the proxy signature created by the proxy signer can convince anyone of the permission from the original signer.
(2) Unforgeability: only the authorized proxy signers can sign a valid signature; this cannot be done even by the original signer.
(3) Undeniability: neither the proxy signer nor the original signer can deny the signature they created after the signature creation.
The earliest proxy signature scheme (Figure 2) (proposed by Mambo et al. [13]) is a proxy signature of the proxyunprotected type for the ElGamal scheme [36].The steps in this scheme are as follows.
(1) Key Generation Phase.In this phase, the system generates two primes and a pair of keys, public and private keys, for use in the following process.
Step 3.Each of the original signer and the proxy signer choose a random number  ∈   *  as their private keys.
Step 4. Each of the original signer and the proxy signer compute  =   mod  as their public keys.
? m (secure manner) Original signer Proxy signer Signee Verifier Step 3. The original signer calculates  =  +  mod( − 1) and sends  to the proxy signer via a secure channel.
Step 4. After receiving , the proxy signer checks whether   ?=   mod  is correct.If it is, the proxy signer accepts delegation.
(3) Signing Phase.After receiving a message  from a requestor, the proxy signer processes the follow steps.
(4) Verification Phase.After receiving a message (m, (R, s, K)) from the requestor, a verifier checks the validation of the signature via the following verification equation:   ?= (  )    mod .

System Goal and Security Requirements
In this section, we define the attacker model, propose two new signature schemes, and present one electronic voting system based on the proposed signature schemes.

Attacker
Model for Signature Scheme.The proposed signature schemes consist of four entities: an original signer A, a proxy signer B, a receiver R, and a verifier V.In our scheme, we assume the channels between A and B are secure.Any identity (i.e., R or V) communicates with B via an insecure public channel, offering adversaries opportunities to intercept.In the following, we present the assumptions of the attacker model [37,38].
(1) An adversary may eavesdrop on all communications between protocol actors over the public channel.(2) An attacker can modify, delete, resend, and reroute the eavesdropped message.(3) An attacker cannot intercept a message over a secure channel.(4) An attacker cannot be a legitimate original signer or proxy signer.(5) The attacker knows the protocol description, which means the protocol is public.

Signature Scheme.
We define the security properties of a proxy oblivious signature scheme as follows.
The security requirements of our proposed scheme are listed as follows: (1) Completeness: if all entities follow the protocol honestly, then, at the end of the protocol, R will obtain the valid signature  of the selected message.
(2) Unforgeability: in a proxy-unprotected type scheme, B can sign messages on behalf of A without taking responsibility for the signature.V can merely know that the signature is signed by some proxy delegated by A, and no one except B (or A) can produce a valid signature.In a proxy-protected type scheme, A and B share the responsibility for the signature, and only B can create a valid signature for R. Consequently, the proxy signing key is practically unbreakable, making it almost impossible for an attacker to create a valid signature.
(3) Unlinkability: B can identify neither the message nor the proxy signature he or she generates associated with the scheme after the signature is revealed when necessary.
(4) Undeniability: neither A nor B can deny the signature they have created after signature generation.
(5) Verifiability: the signature that R receives should be able to convince V of the agreement from A and B.
(6) Distinguishability: the proxy signature is distinguishable from a normal one.
(7) Ambiguity: B cannot find out which message R has selected while signing the messages, but B can be certain that the message he or she signs is one of the predetermined messages; otherwise, the signature would not be accepted by a verifier.

Attacker Model for Voting Scheme.
The proposed electronic voting system consists of five entities: a creator A, a proxy creator B, a voter R, a voting center V, and a bulletin board BB.In our scheme, we assume the channels between A and B are secure.Any identity (i.e., R, V, or BB) communicates with B via an insecure public channel, offering adversaries opportunities to intercept.In the following, we present the assumptions of the attacker model [37,38].
(1) An adversary may eavesdrop on all communications between protocol actors over the public channel.
(3) An attacker cannot intercept a message over a secure channel.
(4) An attacker cannot be a legitimate creator or proxy creator.
(5) The attacker knows the protocol description, which means the protocol is public.

Voting System.
The proposed electronic voting system consists of five entities, A, B, R, V, and BB, which, in a practical situation, would correspond to a central government, a local government, a voter, a voting center computer, and a bulletin website, respectively.Anane et al. [39] present the core properties of the voting system and indicated that a viable e-voting system should possess (1) accuracy, (2) privacy (untraceability), (3) individual and universal verifiability, (4) eligibility, and (5) fairness.Based on [39], we define the system requirements of the proposed electronic voting system as follows.
This system requirements of our electronic voting system are listed as follows: (1) Proxy completeness: the proxy creator should not deny the fact that he or she has accepted the delegation from the creator.
(2) Eligibility: only voters who have the right to vote can participate in the voting event.
(3) Nonduplication: every legal voter is allowed to cast only one ballot.
(4) Fairness: before the end of the voting period, no one can know the current total number of votes received by every candidate.
(5) Accuracy: the validity of all ballots can be verified by using the proper public key.
(6) Verifiability: every voter should be able to confirm his or her voting condition and verify all other voters' ballots.
(7) Privacy: no one except for the voter can find out which candidate has been chosen, even at the end of voting.

Proposed Signature Scheme
Two types of proxy oblivious signature schemes are proposed: proxy-unprotected type and proxy-protected type.Each scheme includes four phases: (1) system setup phase, (2) proxy phase (Figure 3), (3) signing phase (Figure 4), and (4) verification phase (Figure 5).Notation illustrates the notations used in the protocol.

Proxy-Unprotected Type.
For a proxy-unprotected type scheme, our protocol is as follows.
Step 3. The original signer A chooses   ∈  *  and computes   =    mod .
Step 2 (proxy delivery).A securely forwards the pair (,   ) to the proxy signer B and publishes   .
Step 3 (proxy verification).B checks whether    =    mod  holds.If it does, B accepts the proxy and uses   as his or her secret proxy signature key.
(4) Verification Phase.As shown in Figure 5, the verifier V accepts the signature  as a valid signature if and only if  = (  ,      mod ).

Proxy-Protected Type.
For a proxy-protected type scheme, the signing phase and verification phase are the same as those in the case of a proxy-unprotected type scheme except for one more computation   =      mod  (as shown in Figure 6).The proxy phase is modified as described subsequently.
Step 2 (proxy delivery).A securely forwards the pair (,   ) to the proxy signer B and publishes    .
Step 3 (proxy verification).B checks whether    =    mod  holds.If it does, B accepts the proxy and computes   =   +   mod  as his or her secret proxy signature key.

System Overview.
Based on the proposed signature scheme, our electronic voting system allows a creator (central government) to delegate one or more proxy creators (local government), and a voter can get a legal ballot from a proxy creator and send his or her vote to a verifier (center voting computer).
Step 1.The system first generates the required parameters.
Step 2a.The creator delegates his or her authority to a proxy creator.Step 2b.The creator publishes the public key of the proxy creator to the bulletin.
Step 3a.The proxy creator examines whether the registrant is a legal voter; if so, he or she distributes a certificate to the voter.
Step 3b.The proxy creator publishes the certificate to the bulletin.
Step 3c.The voter checks whether he or she has registered successfully via the bulletin.
Step 4. The voter chooses a candidate and receives the signature on it from the proxy creator.
Step 5a.The voter casts his or her ballot and sends it to the voting center.
Step 5b.The voting center publishes a message about the ballot from the voter to the bulletin.
Step 5c.Every voter can confirm whether his or her ballot has been received by the voting center; if not, he or she can resend the ballot.
Step 6a.At the end of the voting period, the proxy creator forwards the decrypting key to the voting canter, and the voting center starts to verify and count the ballots.
Step 6b.The voting center publishes the voting result to the bulletin, where everyone can verify and count all ballots.

System Process.
We assume that the system database already contains an identification list of legal voters and that the bulletin is read-only to all entities except for the authorities.
Step 3. The creator A chooses   ∈  *  and computes   =    mod .
Step 4. The proxy creator B chooses   ∈  *  and computes   =    mod .
Step 3. B decrypts (  ,   ) using (  ,   ) and checks whether    =       mod  holds.If it does, B accepts the proxy and computes   =   +   mod  as his or her secret proxy signature key.
Step 4. B generates a signature  , = (   mod )   mod   and forwards it to A.
Step 5. A checks whether    , = (   ) mod   holds.If it does, he or she publishes    ,   to the bulletin.
Step 3. R verifies whether     = (pn,   ) mod   is correct.If so, he or she has the right to vote.

Security and Communication Networks (4) Circling Phase
Step 1. B sends a random number  ∈   *  to R after receiving a login request from R.
Step 3. Every voter can check whether his or her ballot is received by the voting center via the bulletin.If it is not, the voter resends (Cert(),   ).
Step 2. V decrypts   using the symmetric key key  , publishes (Cert(),   ,   , key  ) to the bulletin and calculates   =      mod , and verifies whether  = (  , pn,      mod ) is correct.If so, the signature is valid and the ballot is counted.
Step 3. V publishes the voting result.Everyone can verify and count the ballots via the bulletin.

Security Analysis
In this section, we analyze our protocol according to the security requirements defined in Section 3.
Definition 3 (DLP).Let  1 be a large prime,  1 be a primitive root modulo , and  =  (3) Proxy Oblivious Signatures Are Unlinkable.In the signing phase, because B receives the disguised selection  of the mod , and, thus, (  ,      mod ) = (  ,     mod ) = ê = .Therefore, the signature can be verified by all verifiers.
(6) Generated Signatures Are Distinguishable.Evidently, by using different congruences to check the validity of the original signatures and the proxy signatures, everyone can easily distinguish the proxy signature from a normal signature.(7) The Proposed Scheme Provides Ambiguity of the Message Selected by R; That Is, It Provides Perfect Security for R. If an attacker A 1 takes the place of B, A 1 needs to obtain b, where  =  V ℎ − mod , V ∈   *  , because we know that, for every  of any , there exists V  such that  =  V ℎ − =  V  ℎ − mod , for  = 1, 2, . . ., .Finally, we conclude that the probability of A 1 getting the correct  is 1/, which achieves theoretical security.

Voting System
(1) Delegation from Creator Is Complete.In the proxy phase, B signs the proxy public key    using his or her private key   and passes the signature  , to A. Therefore, B cannot deny the fact that he or she has accepted the delegation from A.
(2) Eligibility.In the register phase, B checks whether R is a legal voter by his or her id.Therefore, only legal voters can get the certificate CERT(R) from B and participate in the voting event.
(3) Nonduplication.In the circling phase, B checks whether flag(pn) = 0.If it holds, it means that pn has not voted (4) Fairness.In the voting phase, R encrypts his or her ballot using the symmetric key ((pw),   ) and sends it to the voting center.Therefore, no one can learn the current voting situation before the voting period is over.
(5) Accuracy.The validity of all ballots can be verified using the examining equation  = (  , pn,      mod ).
(6) Verifiability.In the voting phase, every voter can check his or her own ballot via the bulletin, and the ballot cannot be modified by anyone.Furthermore, in the counting phase, every voter can verify and count all other voters' ballots on the bulletin.
(7) Privacy.In the circling phase, owing to the ambiguity of the proxy oblivious signature, no one can learn a voter's selection from  =  V ℎ − mod .In the voting phase, R encrypts his or her ballot using the key ((pw),   ) before casting it to V, and, therefore, no one can obtain his or her plain ballot.Finally, in the counting phase, because every selected candidate on the bulletin corresponds to a pseudoname pn, no one can discover which person has made the selection.

Comparison
This section presents a comparison of our scheme against other related schemes, including blind signature [8], proxy signature [13], oblivious signature [10,11], and proxy blind signature [19].Tables 1, 2, and 3 present the computation cost, communication cost, and ability comparison, respectively.Because modular exponentiation is the most significant computational operation, we denote its time cost as " ex " and ignore the other operations in the schemes.
Compared with other related schemes, our scheme provides the most abilities with a low increment in computation cost.Furthermore, the communication cost is no higher than that of other oblivious signature schemes.In the proxy phase, B processes 2 ex to examine whether    =    mod  holds (see asterisk in Table 1).In the signing phase, B processes  ex to calculate   =    mod  for  = 1, 2, . . ., .For   = (ℎ)  mod , B may compute   by letting  0 =  and generate   =  −1 (ℎ) mod  for  = 1, 2, . . ., .Consequently, the computation cost is  modular multiplication rather than  ex .

Implementation
This section demonstrates an application of an anonymous mobile electronic voting with proxy signer implemented on smartphones.Figure 13 shows a flowchart of this system.In this system, it is assumed that any signer who is asked for his or her public key responds with his or her real public key immediately and that the requester would receive this public key at once.Tables 4, 5, and 6 present the average computation times of each role in each phase, the average communication times of each communication direction in each phase, and the average computation and communication times in each phase, respectively, where PP, RP, CiP, VP, and CoP stand for proxy phase, register phase, circling phase, voting phase, and counting phase.The steps in this system are as follows.
Step 1.On the main page (Figure 14(a)), users are allowed to select a role and enter a pseudoname (Figure 14(b)).An original signer first runs the procedure and waits for proxy signers (Figure 14(c)).
Step 2. A proxy signer runs Step 1 and selects a detected original signer to request delegation (Figure 14(d)).
Step 3. The original signer selects the proxy signer on the request list to process the delegation (Figure 14(e)).
Step 4. After verifying the correctness of the delegation, the proxy signer sets the voting issue (Figure 14(f)) and starts waiting for verifiers (Figure 14(g)).
Step 5. A verifier runs Step 1 and waits for a proxy signer to send him a voting event (Figure 14(h)).
Step 6.The proxy signer selects a verifier to send the voting event (Figure 14(i)) and starts holding the event (Figure 14(j)).
Step 7. A receiver selects "Voter" on the main page and chooses a detected voting event (Figure 14(k)).
Step 8.The receiver votes for a candidate and presses the "Vote" button (Figure 14(l)) to send his or her vote to the proxy signer.Then, he or she receives a proxy oblivious signature and sends the extracted signature to the verifier by pressing the "Send" button (Figure 14(m)).
Step 9.The verifier keeps collecting votes (Figure 14(n)) until the proxy signer ends the voting event by pressing the "End Event" button shown in Figure 14(j).
Step 10.After the end of the voting event, the verifier starts verifying the collected votes and displays the voting result (Figure 14(o)).

Conclusion
We first construct 1-out-of- proxy oblivious signature schemes of proxy-unprotected and proxy-protected types and discuss their security requirements.The proposed schemes combine the advantages of a proxy signature and an oblivious signature and satisfy the security properties of both signatures, including completeness, unforgeability, unlinkability, undeniability, verifiability, distinguishability, and ambiguity.Compared with related schemes, our schemes provide extra proxy ability and perform well in terms of both complexity and usability.Finally, an anonymous proxy electronic voting application is implemented on smartphones based on the proposed scheme.Th en um bero fm es sa g es   :

Nomenclature
Theth message : The value of the subscript of the selected message   : Thesigna t ur eo n  (⋅): A public one-way hash function.

Table 1 :
Computation cost comparison., he or she cannot find out the selection of R.Moreover, because the blinding factor V is required during the conversion of the oblivious signature ŝ , where V is known only by R, B cannot make a linkage between the signature and R's selection.Thus, we can conclude that B can discover neither the message nor the proxy signature associated with the protocol after the signature is verified.(4)ProxyOblivious Signatures Are Undeniable.Owing to the unforgeability of the proxy oblivious signature, B cannot repudiate any proxy signature produced by him or her.(5) Proxy Oblivious Signatures Are Verifiable.In the verification phase, V checks whether the equation  = (  ,      mod ) holds, because      =  ŝ +V+  ê