An Improved Coercion-Resistant E-Voting Scheme

the original


Introduction
At present, election is regarded as an indispensable democratic activity in real life. Over time, it has been divided into two categories: traditional election and electronic election. e traditional election consumes a lot of time and resources and has low tallying efficiency. us, Chaum [1] first proposed the electronic voting scheme in 1981, which eliminates these disadvantages. Subsequently, various e-voting schemes continue to spring up. Recently, cloud technology and blockchain technology are widely used in e-voting to achieve secure electronic election. For the cloud technology, Shankar et al. [2] proposed a secure e-voting protocol, which realizes secure data transfer with cloud effectively. Anjima and Hari [3] proposed a secure cloud e-voting system using fully homomorphic elliptical curve cryptography, which greatly ensures the privacy of ballots and minimizes the risk of the vote being tampered or leaked. Although the cloud technology presents advantages in the application of e-voting, it is less used than blockchain technology. Currently, some e-voting researches related to blockchain have a tendency to increase gradually, such as reducing voter fraud [4], preventing ballot content attacks [5], and achieving the universal verification of ballot [6]. However, the previously mentioned description mainly illustrates the recent development of e-voting, rather than the scope of our study.
In a real election, due to multiparty participation, the voter may sell the content of his ballot to others to obtain profit. Out of curiosity, candidates may collude with other participants to infer the content of the original ballot. erefore, in practical application, the secure e-voting scheme needs to satisfy some necessary security requirements to protect the privacy of ballot, such as freedom (no one can be forced to cast a certain vote); fairness (no one can use more than his own votes to influence the tallying result); confidentiality (no one can know other voter's content except himself ); coercion resistance [7][8][9][10] (the voter proves nothing about the content of his ballot to others); verifiability [11,12] (every voter can verify if his ballot is correctly tallied, and any participant can verify the correctness of tallying result).
For meeting the previously mentioned security requirements, some encryption techniques have been popularly applied to e-voting to achieve secure election, such as mix-net [13][14][15][16], blind signature [17][18][19][20][21][22][23], homomorphic encryption [24][25][26][27][28], and secret sharing [29][30][31]. Meanwhile, due to the high overhead, mix-net is hard to be applied for the actual election. Although blind signature has better practicality in e-voting, it does not satisfy the security requirement of receipt-freeness and verifiability to some extent. At present, in order to achieve secure and feasible e-voting, homomorphic encryption is popular in conjunction with other encryption techniques, such as zeroknowledge proof [32] and partial knowledge proof [33]. However, the computation burden becomes a problem that needs to be solved. us, avoiding these disadvantages of above encryption techniques, secret sharing is applied to e-voting because of its better completeness and feasibility and also achieves running time in linear [34]. Based on such advantages, Liu and Zhao [35] recently proposed an e-voting scheme using secret sharing and k-anonymity, which achieves the correct tallying result and satisfies the necessary security requirements. Concretely, the content of one ballot is used to sever as the coefficients of the shared polynomial.
e calculated shares are regarded as the encrypted form of one ballot, respectively held by voter, voting system, and all candidates. en, according to the additive homomorphism of secret sharing, the total number of ballots can be correctly obtained for each candidate. Liu and Zhao [35] declare their e-voting scheme achieves the security requirement of coercion resistance, which means the voter cannot prove the content of his ballot to others.
However, in this paper, we observe that Liu et al.'s scheme cannot achieve the security requirement of coercion resistance. e voter can collude with candidates to prove the content of his ballot. us, we propose an improved coercion-resistant e-voting scheme to cover up the content of ballot with masked values, which achieves the security requirement of coercion resistance. Meantime, we also solve the abstention from voting. Additionally, through theoretical analysis and data simulation, we indicate that our proposed e-voting scheme can solve the shortcoming in [35] and has higher time efficiency compared with [32,33]. Our contributions are shown in details as follows: (1) In Liu et al.'s scheme [35], all voters and candidates hold shares. e shared polynomial constructed from the original ballot information can be recovered if the voter colludes with corresponding candidates. e voter can prove which candidate he has voted for. Liu et al.'s scheme does not satisfy the coercion-resistant security requirement. us, we propose an improved e-voting scheme, which replaces the content of the original ballot with masked values to achieve the construction of the share polynomial. In this way, even if the voter colludes with corresponding candidates to recover the shared polynomial, he cannot prove the content of his ballot to others. e improved e-voting scheme achieves coercion-resistant security requirement.
(2) e improved e-voting scheme considers abstention which Liu et al.'s scheme [35] does not accomplish.
In the improved e-voting scheme, voting system constructs the shared polynomial of abstainer only using masked values, and then performs subsequent voting process. Finally, all participants can obtain the correct tallying result. (3) e security analysis shows that the improved e-voting scheme not only inherits some security requirements in Liu et al.'s scheme [35] but also achieves coercion-resistant security requirement which Liu et al.'s scheme does not satisfy. Moreover, the scheme also achieves additional security properties which consist of the integrity of ballots, the privacy of ballots, multiple-voting detection, and fairness. e performance analysis shows that the proposed e-voting scheme has higher time efficiency when candidates and voters are, respectively, specific number. e rest of this paper is organized as follows. In Section 2, the steps of Liu et al.'s e-voting scheme are reviewed. e system model and threat model are presented in Section 3. Section 4 proposes our improved e-voting scheme in detail. In Section 5, we state the differences between Liu et al.'s scheme and the improved e-voting scheme. Finally, the system analysis and conclusion are, respectively, presented in Section 6 and Section 7.

Review
In this section, Liu et al.'s scheme [35] is reviewed. It mainly consists of three phases: prevoting phase, voting phase, and postvoting phase. And the process of communication is shown in Figure 1.

Prevoting Phase.
Assume that there are n voters and m candidates, respectively. e voters are divided into several sets, and each set contains k voters.

Voting Phase
Step 1. Each voter V i (i � 1, . . . , n) registers to a trusted authority centre (AC). en, the voting system (VS) issues a temporary identity ID i for each voter, and no one knows the relationship between voter and his temporary identity ID i .

Postvoting Phase.
In this phase, first, voters are randomly divided into some sets, and each set contains k voters. e process can be briefly described in the following steps: Step 1. e voters who are located in a set publish their a i,0 , (i � 1, . . . , k) on the bulletin board.
Step 3. VS publishes the aggregated ballots a 0 , a 1 , a 2 , . . . , a m of k voters on the bulletin board.
Step 4. e participant verifies the correctness of the aggregated ballots by the equation a 0 � k i�1 a i,0 . If the verification is true, everyone can compute the result of C j , vote j � a j , (j � 1, 2, . . . , m). Otherwise, all candidates and VS are asked to check their publishing information and reconstruct the polynomial again.

The System Model and Threat Model
In this section, the system model, threat model, and design goals are introduced, respectively.

e System Model.
In e-voting system, the participants involved are, respectively, a voter (V), candidate (C), trusted authority centre (AC), voting system (VS), and bulletin board, which is used to publish information in voting process.
ese participants mainly achieve the following functions: V: the voter votes for his favourite candidate and obtains the credential from VS C: the candidate and VS collaborate to get the tallying result together AC: AC authorizes the legal voter to cast the ballot and takes charge of arbitrating the disputes and granting the digital certificate for each participant VS: VS generates shares for candidate and credential for voter, respectively; moreover, VS leaks nothing about the intention of the voter In this paper, the communication model is the same as Liu et al.'s scheme and presented in Figure 1. In the communication model, a legal voter casts his favourite candidate using VS. VS generates corresponding credential for this voter and divides the masked voting intention of this voter into m shares. en, VS sends credential to this voter and m shares to each candidate C j (j � 1, . . . , m).

Adversary.
Assume that V 1 is an internal attacker who launches the coercive attack to prove the content of his ballot to others. Meantime, assume that V i 's ID is 1 and he casts candidates C 1 , C 3 , C 4 , a 1,1 � 1, a 1,2 � 0, a 1,3 � 1, a 1,4 � 1.

Attack Process
(1) First, for simplifying computation, we choose p � 29. In voting phase, according to the selection of the voter V 1 , VS generates the shared polynomial en, VS computes four shares (2,0), (3,27), (4,8), and (5,4), which are separately sent to C 1 , C 2 , C 3 , C 4 and one credential 3, 1, 6 { }, which is sent to V 1 . (2) After receiving the credential, V 1 colludes with the candidates C 1 , C 3 , C 4 since he casts the supporting ballot for them. In this way, V 1 can recover the shared polynomial f 1 (x) by owned random number 3 and known three shares of candidates C 1 , C 3 , C 4 . (3) In order to prove the correctness of the recovered polynomial f 1 (x), V 1 verifies the recovered polynomial f 1 (x) using his share (1,6) and published random number a 1,0 � 3. If the verification is true, the candidates C 1 , C 3 , C 4 believe that the recovered polynomial f 1 (x) is true. In fact, the verification is usually true as long as the calculation is correct.

Attack Result.
rough construction of the shared polynomial in Liu et al.'s scheme, we know that the coefficient of the shared polynomial can show whether corresponding candidate obtains the ballot or not. If the coefficient is 1, it shows that the voter casts the candidate whose identity is the same as power of the shared polynomial. us, according to the description in attack process, the candidates C 1 , C 3 , C 4 believe the correctness of the recovered polynomial f 1 (x). Naturally, V 1 can prove he cast the supporting ballot for the candidates C 1 , C 3 , C 4 . Liu et al.'s scheme cannot achieve the security requirement of coercion resistance in e-voting. erefore, to solve the shortcoming of Liu et al.'s scheme, we propose the improved coercion-resistant e-voting scheme. e scheme not only satisfies the coercion-resistant security requirement but also solves the issue of abstainers. e specific process is presented in section 4.

Design Goals.
For the design goals, we mainly introduce some necessary security requirements, which needs to be satisfied in next proposed e-voting scheme. ese security requirements include coercion resistance, which Liu et al.'s scheme does not achieve and other additional security requirements, which are integrity of ballots, privacy of ballots, multiple-voting detection, and fairness.
(i) Coercion resistance: no one voter can prove to others which candidate he has voted for. (ii) Integrity of ballots: in order to obtain correct tallying result, the ballots of all voters involved in the voting process should be counted validly. (iii) Privacy of ballots: no one participant can leak any voting information. (iv) Multiple-voting detection: a legal voter only can cast ballot once. If a voter votes for more than once, the superfluous ballots should be detected. (v) Fairness: no one candidate can know his own ballot in advance.

The Improved Voting Scheme
In this section, we present the improved e-voting scheme in detail. We first suppose that the trust assumptions are the same as [35]. e improved e-voting scheme consists of four phases: prevoting phase, voting phase, postvoting phase, and abstention from voting. Meanwhile, all computations are over a finite field F p , where p is a secure prime, which is published by AC before the prevoting phase. e list of symbols used in the improved e-voting scheme is shown in Table 1, and Figure 2 shows the specific voting process in voting phase, postvoting phase, and abstention from voting.

Voting Phase.
In this phase, the session keys are negotiated freely among voters, and VS computes the masked values. en, each voter casts his favourite candidates and gets the credential in a face-to-face way. e process is described as follows: Step 1. Every voter V i , (i � 1, 2, . . . , n) registers to AC. VS generates a temporary identity ID i , (i � 1, 2, . . . , n) for V i , and no one knows the relationship between V i and ID i .
} voters in a set and then obtains his session key list k i1 , k i2 , . . . , k iβ i . For example, there are three voters V 1 , V 2 , V 3 in a set, V 1 and V 2 share the session key k 12 , and V 1 and V 3 share the session key k 13 . en, V 1 , V 2 , and V 3 can, respectively, obtain their session key lists k 12 , k 13 , k 21 , and k 31 , where k 12 � k 21 , k 13 � k 31 .
Step 3. V i sends his session key list to VS via a secure channel. VS computes and then divides λ i,l � n j�1 b l,j , where H: Z * p ⟶ Z * p is a secure cryptographic hash function, which is published and b l,1 , b l,2 , . . . , b l,n are n random numbers. Afterwards, VS computes masked values n). Meanwhile, the masked values of the voter V i can be represented as the list B 1,i , B 2,i , . . . , B m,i .
Step 4. V i casts his favourite candidates. If the candidate C j (j � 1, . . . , m) is selected, a i,j � 1; otherwise, a i,j � 0. According to the computation of masked values for the voter V i , VS constructs the shared polynomial f i (x) � a i,0 + (B 1,i + a i,1 )x + (B 2,i + a i,2 ) x 2 + · · · + (B m,i + a i,m ) x m modp, where a i,0 ≠ 0 is a random number.

Postvoting Phase.
In this phase, VS and all candidates reconstruct polynomial together by the sum of shares, and each participant can obtain the correct tallying result by verifying the constant coefficient of the reconstructed polynomial. e steps are given as follows: Step 1. All voters are published, and each voter V i , (i � 1, 2, . . . , n) publishes their a i,0 , (i � 1, 2, . . . , n) on the bulletin board.

Security and Communication Networks 5
Step 3. Each participant verifies the correctness of the aggregated ballots by the equation a 0 � n i�1 a i,0 . If the verification is not true, VS and all candidates are asked to check their publishing information and reconstruct the polynomial again.

Abstention from Voting.
In the real-life case, abstention from voting is widespread. For obtaining the correct tallying result, when there are abstainers in voting phase, VS sets their ballots as 0 and then constructs the shared polynomials only using the masked values. In proposed e-voting scheme, if the candidate C j , (j ∈ 1, . . . , m { }) obtains the supporting ballot of the voter V i , (i ∈ 1, 2, . . . , n { }), a i,j � 1. For one abstainer, it can consider that all candidates do not get the supporting ballot from the abstainer. VS sets a i,j � 0, (i ∈ 1, 2, . . . , n { }, j � 1, . . . , m). In this way, the voting system not only ensures the normal voting process but also does not make a difference for the voting result. erefore, the improved e-voting scheme solves the issue of abstainers and guarantees the correctness of the tallying result.

Differences of Two Schemes
In this section, the differences are expounded between Liu et al.'s scheme [35] and the improved e-voting scheme. We describe these differences in terms of the following five security requirements: Coercion resistance: coercion resistance means that no one voter can prove the content of his ballot to others. e requirement is described from the aspect of the voter. When the voter acts as an internal attacker, he cannot disclose the content of the original ballot. us, the improved e-voting scheme satisfies the privacy requirement of ballot. Security: security means that the voting scheme does not rely on the hard problem, such as discrete logarithm and integer factorization, and still can achieve the confidentiality of the voting process. is requirement is described from the aspect of the voting scheme. e improved e-voting scheme guarantees the confidentiality of original ballot forever, which achieves the requirement of security. Fairness: fairness means that no one can know the ballot information in advance. In Liu et al.'s scheme, the voter can prove the content of his ballot to corresponding some candidates. In this way, these candidates can know partial ballots in advance. Liu et al.'s scheme does not satisfy the fairness requirement in e-voting. However, in the improved e-voting scheme, no one can know any ballot information in advance, and the correct tallying result can be obtained simultaneously by each participant. e improved e-voting scheme achieves the fairness requirement.

System Analysis
e system analysis includes the security analysis and the performance analysis.

Security Analysis.
e improved e-voting scheme inherits these security requirements, which are correctness, anonymity, confidentiality, efficiency, noncheating, and universal verifiability in Liu et al.'s scheme [35]. Moreover, the improved e-voting scheme also achieves coercion-resistant security requirement, which Liu et al.'s scheme does not accomplish by adding masked values to the coefficients of the original shared polynomial. In this way, the content of one ballot can be protected, and corresponding privacy requirement can also be satisfied. Meantime, the improved e-voting scheme considers the abstention from voting, which not only ensures the correct tallying result but also achieves integrity of ballots.
In the following part of this section, we give theoretical analysis and proof of the integrity of ballots, privacy of ballots, multiple-voting detection, fairness, and coercion resistance of the improved e-voting scheme.

Theorem 1. For voters who submit the session key list, VS should hold their voting information to ensure the integrity of ballots and then achieve the correct tallying result.
Proof. In a real election, the registered voter may give up casting his ballot. In the proposed e-voting system, assume that a voter V t , (t ∈ 1, 2, . . . , n { }) gives up voting for a ballot after submitting the session key list to VS.
For simplifying analysis, assume that separately negotiates the session key with the remaining voters in voting phase. First, VS computes and divides λ as follows: Equation (1) According to secret sharing homomorphism, the tallying result is − n ≠ t a i,1 , . . . , n i�1,i ≠ t a i,m ,. us, in order to obtain the correct tallying result, VS should ensure the integrity of ballots. In our voting system, VS sets the ballot of abstainer V t as 0 and constructs the shared polynomial f t (x) � a t,0 + n j�1 b 1,t x + · · · + n j�1 b m,t x m modp. In this way, the sum of shares is n i�1 f i (x) � n i�1 a 0,i + n i�1 a i,1 x + · · · + n i�1 a i,m x m modp. e ballot of V t is 0. erefore, the tallying result is n i�1 a i,1 � n i�1,i ≠ t a i,1 , . . . , n i�1 a i,m � n i�1,i ≠ t a i,m . To sum up, in a real election, abstention from voting needs to be considered to ensure the integrity of ballots and obtain the correct tallying result. Proof. In proposed voting scheme, assume the voter V k , (k ∈ 1, 2, . . . , n { }) colludes with m candidates after receiving credential and then recovers the shared polynomial f k (x) � a k,0 + ( n j�1 b 1,k + a k,1 )x + · · · + ( n j�1 b m,k +a k,m )x m modp. However, the voting information a k,1 , . . . , a k,m cannot be revealed because of the masked values n j�1 b 1,k , . . . , n j�1 b m,k . erefore, in the proposed e-voting scheme, even if a voter or candidate has enough computing power, he also cannot reveal any voting information. e scheme achieves the privacy requirement of ballots. Proof. In the proposed e-voting system, assume the legal voter V h , (h ∈ 1, 2, . . . , n { }) submits ballot to VS twice. In this way, VS can construct two shared polynomials f h1 (x) and f h2 (x) for V h according to twice different submissions. en, the voter V h can receive two credentials, and each candidate can receive n + 1 shares. However, according to the computation of the sum of shares in postvoting phase, each candidate only can hold n shares. Moreover, when all voters are published, each candidate can discover that the number of received shares is not equal to n.
us, the multiple-voting is detected for the voter V h . e improved e-voting scheme satisfies the requirement that a legal voter casts a ballot once. Proof. In voting phase, assume that VS constructs the shared polynomial f e (x) � a e,0 + (B 1,e + a e,1 )x + (B 2,e + a e,2 )x 2 + · · · + (B m,e + a e,m )x m modp for the voter V e , (e ∈ 1, 2, . . . , { n}), and computes shares (ID C 1 , f e (ID C 1 )), . . . , (ID C m , f e (ID C m )), (ID VS , f e (ID VS )) and credential a e,0 , ID e , f e (I D e )}. e shares (ID C 1 , f e (ID C 1 )), . . . , (ID C m , f e (ID C m )) are sent to corresponding candidates C 1 , . . . , C m , and the credential a e,0 , ID e , f e (ID e ) is sent to the voter V e . For proving the content of the ballot, it is most likely for V e to recover the shared polynomial f e (x) by colluding with m candidates. However, different from the Liu et al.'s scheme [35], the improved e-voting scheme masks the relationship between coefficient of shared polynomial and voting information. Even if the voter V e recovers the shared polynomial f e (x), he cannot prove his voting intention a e,1 , . . . , a e,m to others. us, the scheme achieves the security requirement of coercion resistance. □ 6.2. Performance Analysis. In this section, the performance of our proposed e-voting system is analysed. e prevoting phase has no computation, which only distributes the numbers of the voters and candidates.
us, we mainly analyse the computation cost of the voting phase and postvoting phase. In addition, we compare our scheme with [32,33,35] for partial security requirement and computation complexity, which is shown in Table 2. Moreover, we also, respectively, test the total time cost for the different numbers of voters and candidates by using the 1024-bit session key and the 512-bit shared secret on a laptop with Intel i5 3.1 GHz CPU and 8.00 GB memory, and the result is shown in Figures 3 and 4.

Performance Analysis of the Voting Phase.
In the voting phase, the five steps are as follows: registering identification for voters, negotiating session keys among voters, generating masked values, constructing shared polynomials, and computing shares. Meanwhile, the computation cost mainly concentrates upon generating masked values and computing shares. Assume that the computation costs of one masked value and one share are separately expressed as cost mask and cost share . e total computation cost in this phase can be expressed as cost voting_phase � n · m · cost mask + n · (m + 2) · cost share .

Performance Analysis of the Postvoting Phase.
In postvoting phase, VS and candidates are responsible for computing the sum of shares and then publish. Each participant reconstructs a polynomial to obtain the tallying result and then verifies it. Meanwhile, computing the sum of shares, recovering polynomial, and verifying the tallying result are the main computation cost in this phase. Assume that they are separately expressed as cost share_sum , cost recover , and cost verify . e total computation cost in this phase is cost post_voting � (m + 1) · cost share_sum + cost recover + cost verify .
From the previously mentioned analysis of two phases, the total computation cost is cost total � cost voting_phase + cost post_voting in the improved e-voting scheme and increases with the numbers of voters and candidates. us, the computation complexity is O(nm) in the improved e-voting scheme. In Table 2, it shows that our e-voting scheme simultaneously achieves privacy, verifiability, and coercion resistance, and the computation complexity is less than that mentioned in [32] due to m ≪ n.
In Figure 3, we select m � 5 candidates to test the total time cost with different numbers of voters. As shown in Figure 3, the total time cost of the improved e-voting scheme is slightly higher than the scheme [35]. Liu et al.'s scheme [35] is unaffected by the numbers of voters. erefore, it has an advantage in total time cost. However, it cannot achieve the security requirement of coercion resistance in e-voting. Although the improved e-voting scheme increases the total  [35] e scheme [32] e scheme [33] e proposed scheme   [35] e scheme [32] e scheme [33] e proposed scheme time cost, it achieves the coercion-resistant security requirement. Moreover, comparing [32,33], the improved e-voting scheme takes less time overall. In Figure 4, we select n � 10000 voters to test the total time cost with different numbers of candidates. As shown in Figure 4, both the improved e-voting scheme and the scheme [35] increase with the numbers of candidates in the total time cost. Similarly, the total time cost of the improved e-voting scheme is slightly higher than the scheme [35]. In order to achieve the security requirement of coercion resistance, the improved e-voting scheme adds masked values on the basis of the scheme [35]. us, the computation cost is higher than Liu et al.'s scheme [35]. However, the total time consumption is still smaller than those in [32,33].

Conclusions
In this paper, we first show that the e-voting scheme recently proposed by Liu et al. in [35] suffers from the coercive attack by internal voter. en, we proposed an improved e-voting scheme to achieve coercion resistance and solve abstention from voting. Different from the scheme proposed by Liu et al., the improved e-voting scheme uses the sum of the masked value and the value of the original ballot to achieve the construction of shared polynomial. e scheme prevents malicious voter proving the content of his ballot to others, which achieves the security requirement of coercion resistance. Besides, VS sets the ballot of the abstainer as 0, and correct tallying result can be obtained in subsequent voting process. Moreover, theoretical analysis shows that our proposed scheme not only inherits all security requirements of Liu et al.'s scheme but also achieves the integrity of ballots, privacy of ballots, multiple-voting detection, and fairness. e performance evaluation results also indicate our scheme can achieve higher efficiency than other e-voting schemes in terms of total time consumption. In future, with the increasing application of blockchain, we are going to combine blockchain technology to propose novel and secure e-voting scheme.

Data Availability
All data generated or analysed during this study are included in this published article.

Conflicts of Interest
e authors declare that there are no conflicts of interest regarding the publication of this study.