Quantum Election Protocol Based on Quantum Public Key Cryptosystem

(ere is no quantum election protocol that can fulfil the eight requirements of an electronic election protocol, i.e., completeness, robustness, privacy, legality, unreusability, fairness, verifiability, and receipt-freeness. To address this issue, we employ the general construction of quantum digital signature and quantum public key encryption, in conjunction with classic public key encryption, to develop and instantiate a general construction of quantum election protocol. (e proposed protocol exhibits the following advantages: (i) no pre-shared key between any two participants is required, and no trusted third party or anonymous channels are required. (e protocol is suitable for large-scale elections with numerous candidates and voters and accommodates the situation in which multiple voters vote simultaneously. (ii) It is the first protocol that dismantles the contradiction between verifiability and receipt-freeness in a quantum election protocol. It satisfies all eight requirements stated earlier under the physical assumptions that there exists a one-way untappable channel from the administrator to the voter and that there is no collusion between any of the three parties in the protocol. Compared with current election protocols with verifiability and receipt-freeness, this protocol relies upon fewer physical assumptions. (iii) (is construction is flexible and can be instantiated into an election scheme having post-quantum security by applying cryptographic algorithms conveying post-quantum security. Moreover, utilizing quantum digital signature and public key encryption yields a good result: the transmitted ballots are in quantum states, so owing to the nocloning theorem, ballot privacy is less likely to be compromised, even if private keys of the signature and public key encryption are leaked after the election. However, in existing election protocols employing classic digital signatures and public key encryption, ballot privacy can be easily violated if attackers obtain private keys. (us, our construction enhances privacy.


Introduction
We employ elections for various work-and life-related scenarios. ere are several forms and numerous applications of elections, such as the elections of student cadres in universities, chairmen in companies, and presidents in countries.
e aforementioned applications require strict and secure election protocols. Fair and reasonable election systems can accommodate the interests of all aspects of a society and reduce or prevent social conflicts and are conducive to the long-term stability of a society. Furthermore, security problems in elections may affect the stability of a group or even an entire society. erefore, it is of great significance to study election protocols. With the rapid development of the information age, electronic elections are widely replacing traditional paper voting methods, as they are more in line with our everyday lives and work. Designing a secure and effective electronic election protocol is, at present, a prevalent research topic.
Electronic elections generally consist of three parties: the voters, administrator, and counter. e role of the voter is to forward his/her ballot anonymously to the counter, who counts the ballots and publishes the election results on a bulletin board; the administrator is responsible for helping the election run smoothly. Ever since the concept of elections was first proposed, cryptographers have been committed to constructing a secure and practical election scheme. e first electronic election protocol was proposed by Chaum [1] in 1981, which was followed by numerous other classic electronic election protocols. ese classic election protocols can be mainly divided into three categories: electronic election protocols based on hybrid networks [1][2][3][4], electronic election protocols based on homomorphic encryption [5][6][7], and electronic election protocols based on blind signatures [3,[8][9][10].
Furthermore, for the security of election protocols, Fujioka et al. [9] proposed that a voting scheme should satisfy all of the following seven requirements. completeness: all valid votes are counted correctly by the system when all parties in the protocol are honest; robustness: inappropriate behaviour of dishonest participants or nonparticipants cannot undermine the conduct of the election, and the system is fault-tolerant; privacy: the vote message of the ballot is secret, and only the corresponding voter and the counter can know it. In addition, no one, except the voters themselves, can associate it with the corresponding voter identity; legality: only legitimate voters can vote; unreusability: no voter can vote twice; fairness: during the voting process, the statistics of the votes cast shall not be announced, because the intermediate results of the voting would affect the voting tendency of voters who have not yet voted; verifiability: voters can finally verify whether their votes have been counted correctly. Subsequently, in response to the possibility of vote-buying and coercive vote fraud in the election protocol, Benaloh et al. [11] proposed the requirement of receipt − freeness, that is, the voters cannot prove to a third party the content of their vote. is requirement prevents voters from being bribed or forced to vote. Owing to the contradiction between being receipt-free and verifiable, it is difficult to construct an electronic election with the receipt-freeness property. Presently known receiptfree election schemes are based on the physical assumption that the attackers cannot monitor when voters are voting, because if attackers can monitor, then receipt-free voting cannot be realized. We believe that this assumption is necessary for the receipt-freeness of an election. Most receipt-free classic elections are based on the physical assumption that there is a one-way or two-way untappable channel. In addition, some protocols [4] require large amounts of zero-knowledge proof, which reduces the efficiency of the protocol, while some protocols require an anonymous channel [10] or randomizer [7], which increases the complexity of the protocol.
Most classic electronic election protocols are based on the difficulty assumptions of large integer decomposition or discrete logarithms. e development of quantum computers poses a considerable threat to the security of these protocols. erefore, constructing quantum election protocols with the property of resisting quantum computer attacks has become a prevalent research topic. Current quantum election protocols are mainly classified into two types: entangled states-based protocols [12][13][14][15][16][17][18][19][20] and nonentangled states-based protocols [21][22][23]. Some entangled state-based protocols can only perform a binary vote for "yes" or "no" [13,14,16,17], which is not suitable for scenarios with numerous candidates. Some nonentangled state-based protocols [22,23] require numerous keys to be pre-shared among the participants. Furthermore, the current quantum election protocols cannot fulfil all eight electoral requirements mentioned above. A quantum election protocol that can resolve the contradiction between receipt-freeness and verifiability has not been developed yet.
To solve the abovementioned problems, considering the advantages of the physical properties of quantum states in the context of an election protocol, we propose the general construction of a quantum election protocol. Our construction is flexible and can thus be instantiated into an election scheme having post-quantum security by applying cryptographic algorithms, which possess post-quantum security properties. e proposed protocol is suitable for scenarios with numerous candidates and can simultaneously achieve all eight election protocol requirements, i.e., completeness, robustness, privacy, legality, unreusability, fairness, receipt-freeness, and verifiability. Our protocol requires fewer assumptions as compared with the classic election protocol.

Our Contributions.
In this study, we utilise the proposed general construction of quantum digital signature [24] and quantum public key encryption [25], in conjunction with classic public key encryption, to develop a general construction of a quantum election protocol.
In our construction, we utilise public key cryptographic algorithms, so no pre-shared key is required for any two participants. e protocol can resist an attack from participants, so there is no need for a trusted third party. Anonymous channels are not required because ballots are delivered with the help of an administrator. e protocol is suitable for large-scale elections with numerous candidates and voters and can accommodate scenarios in which multiple voters vote simultaneously. e protocol is the first to resolve the conflict between verifiability and receipt-freeness in a quantum election protocol, simultaneously achieving completeness, robustness, privacy, legality, unreusability, fairness, verifiability, and receipt-freeness under only two physical assumptions. e first assumption is that there exists a one-way untappable channel from the administrator to the voter. e second assumption is that there is no collusion between any of the three parties in the protocol. In the actual elections, the administrator and the counter are generally composed of multiple people representing different interested parties; thus, their mutual supervision makes the second assumption easy to implement.
We utilise quantum public key encryption [25] with information theory security, quantum digital signature [24] with post-quantum security, and classic public key encryption with post-quantum security to instantiate the proposed construction into election schemes with postquantum security. In the existing election protocols with classic digital signature and public key encryption, the transmitted ballots are classic ciphertexts, and the attacker may intercept and copy the ciphertexts. Once the corresponding private keys are known in the future, the attacker could then decrypt the ciphertexts, thus violating the privacy of the ballots. However, in our construction, the use of quantum digital signature and public key encryption yields a good result: the transmitted votes are delivered in the form of quantum states, which are unknown to the attacker. erefore, according to the no-cloning theorem, the privacy of the ballots is not compromised even if the corresponding private keys are leaked after the election is completed. As an added benefit, private keys do not need to be kept secret after the election is complete. Furthermore, the keys of the quantum digital signature are classic; thus, classic public key infrastructure (PKI) can be used for key management and distribution.

Outline of the Paper.
e remainder of this paper is organised as follows: Section 2 describes the basic knowledge and definitions of the cryptographic primitives used in the protocol, including public key encryptions and digital signatures, and presents two existing models for quantum public key encryption and quantum digital signatures. Section 3 describes the generic construction of the proposed quantum election. Section 4 analyses the security of the generic construction described in Section 3, including completeness, robustness, privacy, legality, unreusability, fairness, verifiability, and receipt-freeness. Section 5 instantiates the general construction of the election protocol into election schemes with post-quantum security by applying cryptographic algorithms with post-quantum security, analyses the efficiency of the instantiation, and compares the efficiency and security with current protocols. Section 6 summarises our work and presents directions for future work.

Preliminaries
For the remainder of this paper, we assume the reader is familiar with the basic notions and notation of quantum computing. ese can be found in textbooks such as [26].
Given |r〉 and m α m | m〉 as input, quantum transformation U f computing a function where ⊕ denotes bitwise addition. In addition, when given |r〉 and m α m |m〉|f(r, m)〉 as input, we can use unitary transformation again and get Unitary transformation implemented via quantum circuits of U f is shown in Figure 1.

Public Key Encryption.
Public key encryption algorithms enable participants to transfer information securely without sharing secret key. A classic public key encryption PKE � (Gen, Enc, Dec) consists of three algorithms, a finite message space M, and a ciphertext space C.
e key generation algorithm takes a security parameter λ as input and outputs a key pair (pk pke , sk pke ). e encryption algorithm Enc takes public key pk pke and a message m ∈ M as input and outputs a ciphertext c ∈ C. e deterministic decryption algorithm Dec takes sk pke and a ciphertext c as input and outputs either a message m � Dec(sk pke , c) ∈ M or a special symbol ⊥ to indicate that c is not a valid ciphertext. For correctness, we require that Pr[m � Dec(sk pke , c)|c � Enc(pk pke , m)] � 1 − negl(λ), where negl(λ) denotes a negligible function. We say that PKE is deterministic if Enc is deterministic, while PKE is probabilistic if Enc is probabilistic.

Quantum Public Key Encryption.
e difference between quantum and classic public key encryption is that several of the six elements, including public and private keys generated by the key generation algorithm, encryption algorithm, decryption algorithm, plaintext, and ciphertext, may be represented in quantum states.
Liang et al. [36] gave a generic quantum public key encryption construction for encrypting classic messages, where a private key corresponds to an exponent of different public keys. en, Yang et al. [25] slightly improved the abovementioned scheme by using two Boolean functions instead of using one Boolean function. Every public key in [25] is an unknown quantum state for anyone except its generator, so the ciphertext quantum state obtained by encrypting a plaintext is also unknown to its encrypting party. Moreover, every public key is in different quantum state. ese may be useful to achieve the receipt-freeness of election protocol. We briefly recall their generic quantum public key encryption construction qPKE � (qGen, qEnc, qDec). Let p denote the number of messages to be encrypted, and m i denote the i-th message for i ∈ 1, 2, . . . , p .
(i) qGen. (1) Randomly select two functions F 1 , F 2 from a set of polynomial computable functions (2) For i ∈ 1, 2, . . . , p , randomly select and compute k i,1 � F 1 (g i ) and k i,2 � F 2 (g i ). en, the quantum state |ψ k i, 1 (1) In order to encrypt the i-th message m i , download the i-th part of the classic and quantum public-key pair pk i � (g i , |ψ k i,1 ,k i,2 〉) from the public key register. (2) Encrypt the classic plaintext m i by computing |ψ

Digital Signature.
A classic digital signature, Signature � (KeyGen, Sign, Verf), consists of three algorithms and a finite message space M. e key generation algorithm takes a security parameter λ as input and outputs a key pair (vk sig , sk sig ). e signature algorithm Sign takes the secret key sk sig and a message m ∈ M as input and outputs a signature σ. e verification algorithm Verf inputs vk sig and a pair (m, σ) and outputs a bit message comprising either zero or one (this means that σ is a legal signature of message m). For correctness, we require that, pr where negl(λ) denotes a negligible function.

Quantum Digital Signature.
e difference between quantum and classic digital signature is that several of the six elements may be represented in quantum states. ese elements include the signature key and the verification key generated by the key generation algorithm, the signature algorithm, the verification algorithm, the plaintext, and the signature results of the quantum digital signature. Because of the special properties of quantum states, it is difficult to achieve a true quantum digital signature, and most existing quantum digital signature schemes require the participation of arbitrators. Quantum digital signatures, such as classic digital signatures, achieve both the identity authentication of signer and the integrity verification of message.
With the development of quantum computer and quantum communication, it is necessary to study quantum digital signature. In 2001, Gottesman and Chuang [48] firstly proposed a quantum digital signature scheme for signing classic message. Subsequently, some arbitrated quantum digital signature protocols requiring the participation of trusted third parties [49][50][51][52][53][54] were proposed in succession. In 2010, Yang et al. [24] proposed an interactive quantum digital signature protocol for signing quantum message based on induced trapdoor one-way transformations. is protocol exploits the nature of quantum entangled states, realising the identity authentication of signer and protecting the integrity of messages without the participation of arbitrators. Subsequently, several quantum digital signature protocols without quantum memory were proposed [55,56], thus improving the practicability of quantum signatures.
A general construction of quantum digital signature for signing quantum message is proposed by Yang et al. [24]. e signature scheme qSignature consists of three algorithms (qKGen, qSign, qVerf) which are described as follows: (i) qKGen. Randomly select a trapdoor one-way function f: 0, 1 { } t+n ⟶ 0, 1 { } t′+n′ which has a trapdoor f −1 . en, f is the verification key and f − 1 is the signature secret key. In a word, (ii) qSign. e signer signs a n bits quantum message |ψ〉 � m α m |m〉 to the verifier as follows: (1) the verifier randomly generates a number r ver ∈ 0, 1 { } t′ and sends it to the signer. (2) e signer randomly generates a number r sig ∈ 0, 1 { } n′ and computes (3) en, with r, the signer performs the quantum transformation U f on the quantum message |ψ〉|0〉 � m α m |m〉|0〉 and obtains and sends quantum state m α m |m〉|f(r, m)〉 to the verifier. (4) In a word, qSign(sk sig , |ψ〉) ⟶ σ, where (1) e verifier tells the signer that they have received the quantum state. (2) e signer announces r and r ′ . (3) e verifier computes f(r, r ′ ) and checks whether the first t ′ bits of f(r, r ′ ) equal r ver . ey then perform the transformation, and measure the second quantum register. ey accept the signature if and only if the second register is in state |0〉.

Generic Construction of Quantum Election
In this section, we present a generic construction of quantum election protocol. Section 3.1 gives an overview of the construction and Section 3.2 gives a more detailed description.

Overview of Our Construction.
e proposed election protocol runs as follows. (1) A voter holds his/her vote message and performs quantum public key encryption on it by using the counter's public key, obtaining the quantum ciphertext which is the ballot of the voter. (2) e ballot is signed by the voter and sent to the administrator. en, the voter's signature is verified by the administrator. (3) e ballot is signed by the administrator and sent to the counter. en, the administrator's signature is verified by the counter. (4) e ballot is decrypted by using the counter's private key and verification information is generated by the counter. (5) e information is sent to the voter with the help of the administrator. Finally, the voter can verify whether his/her vote is counted correctly or not.

Our Concrete Construction.
In this section, we give a detailed description of quantum election protocol which consists of four cryptography primitives: classic probabilistic public key encryption pPKE � (pGen, pEnc, pDec), classic deterministic public key encryption dPKE � (dGen, dEnc, dDec), quantum digital signature qSignature � (qKGen, qSign, qVerf), and quantum public key encryption qPKE � (qGen, qEnc, qDec), where quantum public key encryption and quantum digital signature are two generic constructions proposed by Yang et al. [25] and Yang et al. [24], respectively. Please refer to Sections 2.1 and 2.2 for more details.

Initialization.
Let p denote the number of voters, and v i denote the i-th voter for i ∈ 1, 2, . . . , p . Let q denote the number of legitimate candidates, and A j ∈ 0, 1 { } n−s represent the identity of the j-th legitimate candidate for each j ∈ 1, 2, . . . , q . Moreover, let Admin represent the administrator and Counter represent the counter. In the protocol, each voter has a unique identity string denoted by id i , while Admin has an identity id ad . Identity strings are publicly known. e participants carry on the following steps: (i) Admin. (1) Admin runs the algorithm qKGen of qsignature and gets a pair of public and private keys (f ad , f −1 ad ).
(2) Admin runs the algorithm pGen of pPKE and gets a pair of public and private keys (pk ad , sk ad ). (3) Admin runs the algorithm dGen of dPKE and gets a pair of public and private keys (pk ad ′ , sk ad ′ ).
(ii) Counter. (1) In order to encrypt p messages, Counter runs the algorithm qGen of qPKE and gets a pair of public and private keys (pk te , sk te ), where pk te � g i ,

Election
(1) Preprocessing: Each voter randomly selects a public key from the quantum public key register. Taking the public key (g i , |ψ k i,1 ,k i,2 〉) chosen by voter v i as an example and assuming that v i wants to vote for candidate A j , v i carries on the following steps: (i) v i downloads one classic and quantum publickey pair (g i , |ψ k i,1 ,k i,2 〉) of Counter from the public key register. (ii) v i generates a random string e i ∈ 0, 1 { } s and selects a candidate A j ∈ 0, 1 { } n− s to make up a vote message T ji , where T ji � A j � � � � e i ∈ 0, 1 { } n represents a simple concatenation of A j and e i . (iii) By performing quantum encryption transformation qEnc on the vote message T ji , v i obtains 2 〉 is the quantum ballot and it is clear that it is an n-bit quantum superposition state which can be denoted as m α m |m〉.
(2) Ballot-casting from voter to administrator: is process is briefly illustrated in Figure 2. For the purpose of authenticating the identity of v i and the integrity of ballot, the administrator Admin needs to mutually communicate with v i so that Admin can verify the correctness of the received signature sent by v i .
(i) If v i wants to vote, they will send their id i to Admin. (ii) Let T denote the number of id i received by Admin at the same time. After receiving id i , Admin searches the local data set ID; if id i ∈ ID or T > 1, the request for voting is rejected. Otherwise, Admin randomly generates Security and Communication Networks 5 In a word, (v) By running the encryption algorithm pEnc, v i obtains classic ciphertext c v i ⟶ ad � pEnc(pk ad , (r i,1 , r i,1 ′ , g i )).
Admin decrypts c v i ⟶ ad with their private key sk ad and obtains the plaintext (r i,1 , r i,1 ′ , g i ) � pDec(sk ad , c v i ⟶ ad ). As a result, Admin can get the signature σ � (r ad i,1 , r i,1 , r i,1 ′ , |ψ i,2 〉) of (|ψ Note that in the computing process of qVerf, there exists the following operation to obtain quantum state: When all voters have completed this stage with Admin, the protocol proceeds to the next stage. (3) Ballot-casting from administrator to counter: is process is briefly illustrated in Figure 3. For the purpose of authenticating the identity of Admin and the integrity of ballot, the Counter needs to mutually communicate with Admin so that Counter can verify the correctness of the received signature sent by Admin.
(i) If Admin wants to send v i 's ballot to Counter, they firstly send id ad to Counter. (ii) After receiving id ad , Counter randomly generates r te i ∈ 0, 1 { } t′ and sends it to Admin. (iii) randomly generates r ad i,2 ∈ 0, 1 { } n′ and computes In a word, qSign(f −1 ad , |ψ i,1 〉) ⟶ σ ad , and it is easy to see that σ ad � (r te i , r i,2 , r i,2 ′ , |ψ i,3 〉).
(v) Admin sends (σ ad , g i ) to Counter. (vi) If the output of qVerf(f ad , (|ψ i,1 〉, σ ad )) equals 1, Counter can make sure the identity of Admin. Note that in the process of the above computing qVerf, there exists the following operation to obtain quantum state |ψ i,1 〉,  Counter sends message to v i with the help of Admin so that v i can verify whether their vote is counted correctly. Under the physical assumption that there is a one-way noneavesdropping channel from the administrator to the voter, the election satisfies the requirement of receipt − freeness.
(i) By running the encryption algorithm dEnc, Counter obtains c te⟶ad,i � dEnc(pk ad ′ , (e i ⊕ f i )) and sends (c te⟶ad,i , g i ) to Admin. (ii) Admin utilises g i as a label to find the corresponding v i and sends c te⟶ad,i to v i by the oneway untappable channel from Admin to v i .

Security Analysis
We assume that there exists no collusion between any two of the three parties in the protocol. In actual elections, the administrator and the counter are generally composed of multiple people representing different interest groups, so their mutual supervision makes this assumption easy to hold. Both participants and nonparticipants can potentially attack the protocol. We define an attack from participants as an internal attack and an attack from nonparticipants as an external attack. In this section, we prove that our proposed election protocol satisfies the eight requirements, namely, completeness, robustness, privacy, legality, unreusability, fairness, verifiability, and receipt-freeness.

Security and Communication Networks
Hence, it is clear that the proposed protocol satisfies completeness.

Robustness
Theorem 2 (robustness). e inappropriate behaviour of dishonest participants or nonparticipants cannot disrupt the election; i.e., the protocol is fault-tolerant.
Proof. We analyse the robustness of the protocol by considering the inappropriate behaviour of participants including voters, administrator and counter, and nonparticipants.
(i) When a dishonest voter v j seeks to disrupt the election, they may have three strategies. In the first case, v j does not vote, that is, in the ballot-casting from voter to administrator stage, v j does not send id j or (c v j ⟶ ad , |ψ j,2 〉, id j ) to Admin. However, it is clear that Admin will be aware of this missing vote.
In the second case, v j sends an invalid message group (c v j ⟶ ad , |ψ j,2 〉, id j ) false to Admin in the ballot-casting from voter to administrator stage. While the running result of qVerf achieved by Admin will not equal 1, this wrong action will be detected by. In the third case, v j generates a random binary string A false , which does not represent a qualified candidate and encrypts A false || e j with Counter's public key (g j , |ψ k j,1 ,k j,2 〉). However, Counter will find out the illegal A false in the ballotcounting and result-publishing stage and reject the ballot. In a word, the voter v j cannot succeed in disrupting the election. (ii) If the internal attacker Admin wants to disrupt the election, they may have two strategies. In the first case, Admin tampers with the quantum state |ψ i,1 〉 from a legitimate voter v i in the ballot-casting from administrator to counter stage. However, because Admin does not know the candidate that v i is going to vote for, their random tampering will result in a random decrypting of the result obtained by Counter in the ballot-counting and result-publishing stage. en, Counter will reject the ballot with a high probability. Because the probability that Admin successfully guesses the candidate that is voted for by v i is 1/q, the probability that they correctly tamper with the quantum state is also 1/q. en, the probability that the decrypted result obtained by Counter represents a legitimate candidate is also 1/q, so the probability that the ballot is rejected in the ballotcounting and result-publishing stage by Counter is (q − 1)/q. In addition, even if the tampered ballot is accepted by Counter, v i can be aware that their vote is not counted correctly in the confirming vote and terminating the election stage. en, v i can request a reelection. In the second case, Admin may substitute the quantum state |ψ i,1 〉. In this manner, Counter will accept the decrypted result, but v i will find that their vote has not been counted correctly during the confirming vote and terminating the election stage, and they can request a reelection.  Proof. Nonparticipants of the protocol, the administrator, and the counter are all likely to attack the privacy of ballots, so we analyse the three cases in turn. Meanwhile, to prove our election can achieve privacy, we use the no-cloning theorem [57], which states that an exact copy of an unknown quantum state is impossible to achieve in quantum mechanics.
(i) Resistance to attacks from nonparticipants: if a nonparticipant of the protocol wants to attack the privacy of v i 's ballot, the only possible opportunity occurs during the transmission of information in the ballot-casting from voter to administrator stage and ballot-casting from administrator to counter stage. Assuming that the attacker intercepts (c v i ⟶ ad , |ψ i,2 〉, id i ) in the ballot-casting from voter to administrator stage, the security of pPKE ensures that the attackers cannot decrypt c v i ⟶ ad to obtain (r i,1 , r i,1 ′ , g i ) and cannot obtain the signature σ � (r ad i,1 , r i,1 , r i,1 ′ , |ψ i,2 〉) of |ψ (T ji ) k i,1 ,k i,2 〉. en, the attacker cannot untangle quantum state |ψ i,2 〉 to obtain |ψ i,1 〉 and the ciphertext c � (g i , |ψ (T ji ) k i,1 ,k i,2 〉), let alone obtain the vote message of the ballot, because they do not know Counter's private key (F 1 , F 2 ). Moreover, if the transmitted ballot is classic, the attacker may copy it during its transmission. Once the corresponding private keys are known in the future, the attacker could then violate the privacy of the ballot. However, in our construction, the ballot is transmitted in the form of a quantum state, and |ψ i,2 〉 is unknown to the attacker. Owing to the no-cloning theorem, after the election is completed, even if the private keys (F 1 , F 2 ) and sk ad are leaked, the privacy of the ballots is not compromised. If the attacker intercepts (σ ad , g i ) in the ballot-casting from administrator to counter stage, they can untangle |ψ i,3 〉 with r i,2 to obtain |ψ i,1 〉 and the ciphertext c � (g i , |ψ (T ji ) k i,1 ,k i,2 〉). However, they cannot decrypt the ciphertext to obtain v i 's vote message, because the attacker does not know Counter's private key (F 1 , F 2 ). In this case, |ψ i,1 〉 is unknown to the attacker. us, the attacker cannot copy this state and obtain the vote message of the ballot even if the private key (F 1 , F 2 ) is leaked after the election.
(ii) Resistance to an attack from Admin: Admin can obtain the ciphertext c � (g i , |ψ (T ji ) k i,1 ,k i,2 〉) in the stage of ballot-casting from voter to administrator, but the security of qPKE ensures that they cannot obtain the vote message of the ballot, because Counter's private key (F 1 , F 2 ) is unknown. Similar to the earlier analysis, c � (g i , |ψ (T ji ) k i,1 ,k i,2 〉) is unknown to Admin, so they cannot copy the ciphertext c. Going further, they cannot obtain the vote message of the ballot even if the private key (F 1 , F 2 ) is leaked after the election.
(iii) Resistance to an attack from Counter: if Counter wants to attack the privacy of v i 's ballot, they may attack in the stages of ballot-casting from voter to administrator and ballot-casting from administrator to counter. In the stage of ballot-casting from voter to administrator, Counter may intercept (c v i ⟶ ad , |ψ i,2 〉, id i ) during the transformation and attempt to obtain v i 's vote message via the intercepted information. However, similar to this type of attack from nonparticipants, the security of pPKE ensures that Counter cannot obtain (r i,1 , r i,1 ′ , g i ) and obtain the signature σ � (r ad i,1 , r i,1 , r i,1 ′ , |ψ i,2 〉) of |ψ (T ji ) k i,1 ,k i,2 〉. us, Counter cannot untangle quantum state |ψ i,2 〉 to obtain |ψ i,1 〉 and the ciphertext erefore, it is impossible for Counter to use the private key (F 1 , F 2 ) to decrypt the ciphertext to obtain v i 's vote message. In this stage, |ψ i,2 〉 is unknown to Counter; thus, they cannot copy it and associate v i ′ s ballot content with v i 's identity even if Admin's private key sk ad is leaked after the election. Moreover, it is worth noting that Counter cannot utilise g i , which is obtained in the stage of ballot-casting from administrator to counter, as a label of v i ′ s identity to associate v i ′ s vote message with v i 's identity because g i is encrypted by pPKE in the stage of ballot-casting from voter to administrator. In the stage of ballot-casting from administrator to counter, even though Counter can finally obtain v i 's vote message, they do not know which voter the decrypted ballot comes from because Admin replaces the voter identity id i with g i at this stage.
As a result, the protocol can satisfy the privacy requirement during an election, and the privacy will not be threatened even if corresponding private keys are leaked after the election.    Proof. (sketch). Counter announces the voting result of every voter v i in the form of A j ||(e i ⊕ dEnc(pk ad ′ , f i )). Subsequently, running the encryption algorithm dEnc, Counter obtains c te⟶ad,i � dEnc(pk ad ′ , (e i ⊕ f i )); they then send c te⟶ad,i to v i with the help of Admin. After v i receives it, Admin publishes their private key sk ad ′ . Running the decryption algorithm dDec, v i obtains e i ⊕ f i � dDec(sk ad ′ , c te⟶ad,i ). v i obtains f i with the knowledge of e i . With e i , f i , and pk ad ′ , v i can compute e i ⊕ dEnc(pk ad ′ , f i ). By searching for e i ⊕ dEnc(pk ad ′ , f i ) on the bulletin board and verifying whether the candidate information corresponding to e i ⊕ dEnc(pk ad ′ , f i ) is A j , v i can verify whether their vote has been counted correctly. □

Receipt-Freeness
Theorem 8 (receipt-freeness). In the protocol, the voter cannot prove to a third party the content of their vote. Proof.
e protocol can achieve receipt-freeness under the physical assumption that there is a one-way untappable channel from the authority (i.e., the administrator) to the voter [4,58]. By a standard exclusive-OR trick, this assumption can be implemented by having a number of oneway channels, assuming that the adversary cannot simultaneously tap every one of them [4].
Suppose that voter v i wants to vote for candidate A j , while there is a briber who requires v i to vote for candidate A a . In this protocol, under the premise that the number of ballots for candidate A a displayed on the bulletin board does not affect the judgment of the briber (for example, the number of votes for candidate A a is zero, and this case can be ignored in a large-scale election), and v i can vote for candidate according to their preferences, but lie to the briber successfully by providing the briber with false evidence to prove that they voted for candidate A a .
In the pre-voting stage, the briber may have asked voter to provide e i as evidence for future verification. In this stage, v i performs quantum encryption transformation qEnc on T ji , obtaining the ciphertext (g i , |ψ In v i 's view, the density operator of the quantum public key |ψ k i,1 ,k i,2 〉is at is, in v i 's view, the quantum public key |ψ k i,1 ,k i,2 〉 is in the maximum mixed state. en, the quantum ciphertext |ψ (T ji ) k i,1 ,k i,2 〉 is also in the maximum mixed state for v i . So, even if v i sells all known information to the briber, the briber cannot obtain any information about the vote message of v i by eavesdropping (c v i ⟶ ad , |ψ i,2 〉, id i ) on the channel from v i to Admin in the ballot-casting from voter to administrator stage. erefore, the step of computing the ciphertext, i.e., , avoids the requirement that the channel from the v i to Admin is untappable.
In the stage of confirming vote and terminating the election, v i receives c te⟶ad,i by the one-way untappable channel from Admin and obtains e i ⊕ f i � dDec (sk ad ′ , c te⟶ad,i ) by performing dDec. Finally, v i obtains f i with the knowledge of e i . Now, we show that v i cannot prove their vote to the briber according to f i . v i first searches for a vote for candidate A a on the bulletin board. Assuming the voter v a has voted for the candidate A a , then their corresponding message, which is published by Counter on the bulletin board, is A a � � � � � � � (e a ⊕ dEnc(pk ad ′ , f a ), where e a and f a are binary strings of lengths randomly generated by v a and Counter, respectively. As sk ad ′ is known, v i can obtain f false which satisfies e a ⊕ dEnc(pk ad ′ , f a ) � e i ⊕ dEnc(pk ad ′ , f false ). en, v i can obtain f false by running the dDec algorithm, i.e., f false � dDec(sk ad ′ , e i ⊕ e a ⊕ dEnc(pk ad ′ , f a )).
en, v i tells f false to the briber, such that the briber can find A a � � � � � � � (e i ⊕ dEnc(pk ad ′ , f false )) on the bulletin board. erefore, with f i , v i cannot prove to the briber how they voted. In conclusion, the protocol is receipt-free.

Instantiation of Our Generic Construction
In this section, we instantiate the general construction of the election protocol.

Quantum
Public Key Encryption qPKE � (qGen, qEnc, qDec). To achieve post-quantum security for the protocol, we instantiate the construction of quantum public key cryptography qPKE with quantum public key encryption scheme [25] based on conjugate encoding which is information-theoretic secure.
Let I and Y be two of the Pauli matrices and H be the Hadamard transformation, where For where H is the Hadamard transformation mentioned as above, H 0 � I, H 1 � H, and ⊗ is the tensor product. Similarly, we also define where Y is one of the Pauli matrices defined as above. Let p denote the number of messages to be encrypted, and m i ∈ 0, 1 { } n denote the i-th message for i ∈ 1, 2, . . . , p .
(i) qGen. (1) Randomly select two functions F 1 , F 2 as private key from a set of polynomial computable functions F: (2) Randomly select g i ∈ 0, 1 { } n and compute k i,1 � F 1 (g i ) and k i,2 � F 2 (g i ).
(2) Encrypt m i ∈ 0, 1 { } n by applying Y m i to (2) According to k i,1 , apply H k i,1 to Y mi H k i,1 |k i,2 〉 and measure on the basis |0〉, |1〉 { } n to obtain m i ⊕ k i,2 . en, with k i,2 , perform an exclusive OR on m i ⊕ k i,2 to get m i .
(3) It is clear that the algorithm D is the whole process of step (2) described as above. (4) In a word, qDec(sk, c � (g i , Y m i H k i,1 |k i,2 〉)) ⟶ m i .

Quantum Digital
Signature qSignature � (qKGen, qSign, qVerf) e function of quantum signature in the election protocol is to make the verifier get the information that the signer wants to send authenticatively. To achieve post-quantum security for the protocol, we instantiate the construction of quantum digital signature qSignature with quantum digital signature [24] which is constructed based on the McEliece cryptosystem with post-quantum security [59]. e McEliece secret key consists of a nonsingular n × n matrix S; a generator matrix G size of n × t for a Goppa code; and a t × t permutation matrix P. e McEliece public key is the n × t matrix SGP. In the following, t ′ � (t/2) and n ′ � (t/2). (2) Let the secret key sk sig be (S, G, P) and the verification key vk sig be G ′ � SGP. (ii) qSign. e signer signs a n bits quantum message |ψ〉 � m α m | m〉 to the verifier as follows: (1) the verifier randomly generates a number r ver ∈ 0, 1 { } t′ and sends it to the signer. (2) e signer randomly generates a number r sig ∈ 0, 1 { } n′ . (3) With the knowledge of sk sig � (S, G, P), the signer can get (r, r ′ ) which satisfy that r ′ G ′ ⊕ r � (r ver , r sig ), where r ∈ 0, 1 { } t , r ′ ∈ 0, 1 { } n . (4) Note that f − 1 is the whole process of step (3) described as above and f(r, r ′ ) � r ′ G ′ ⊕ r. (5) en, with r, the signer performs the quantum transformation U f on the quantum message |ψ〉|0〉 � m α m |m〉|0〉 and obtains and sends quantum state m α m |m〉|f(r, m)〉 to the verifier. (4) In a word, qSign(sk sig , |ψ〉) ⟶ σ, where (iii) qVerf. (1) e verifier tells the signer that they have received the quantum state. (2) e signer announces r and r′. (3) e verifier computes f(r, r ′ ) � r ′ G ′ ⊕ r and checks whether the first t ′ bits of f(r, r ′ ) equal r ver . ey then perform the transformation and measure the second quantum register. ey accept the signature if and only if the second register is in state |0〉. In a word, qVerf(vk sig , (|ψ〉, σ)) ⟶ 1 if and only if the second register is in state |0〉.

Classic Public Key Encryption pPKE and dPKE.
e classic probabilistic public key encryption pPKE in the instantiation can be any classic public key encryption schemes with post-quantum security such as public key encryption based on coding [59], lattices [60], and multivariates [61].
Bellare et al. [62] proposed a generic deterministic public key encryption construction from probabilistic public key encryption, i.e., if there exists a probabilistic public key encryption pPKE � (pGen, pEnc, pDec), then there is a classic deterministic public key encryption scheme dPKE � (dGen, dEnc, dDec) which is illustrated in Figure 4. In the deterministic PKE construction, H denotes a hash function, such as SHA2 and SHA3.

Efficiency Analysis.
According to Ref. [18], quantum bit efficiency of quantum election protocol is defined as where the total number of transmitted classic bits (message bits) is C and the total number of quantum bits generated is Q.
We can split this protocol into two parts. In the first part, the voter passes the vote message to Counter with the help of Admin. In the second part, Counter passes the verification information to the corresponding voter with the help of Admin. In the first part, the valid classic information transmitted is T ji , and its number of bits is n. To transmit T ji , the n bits quantum public key H k i,1 |k i,2 〉, n bits quantum ciphertext Y m i H k i,1 |k i,2 〉, and |ψ i,2 〉, |ψ i,3 〉 are generated, where |ψ i,2 〉, |ψ i,3 〉 are both n + t bits quantum states generated during the signature process. Hence, in this part, total of 4n + 2t quantum bits are generated. In the second part, the valid classic information transmitted is f i ⊕ e i , whose length is s, where there is no quantum bit generated. us, the number C of valid classic bits transmitted in the protocol is n + s, and the number Q of quantum bits generated in the protocol is 4n + 2t. Subsequently, the efficiency of the protocol is η � n + s 4n + 2t .
When s is equal to t, the efficiency is greater than 1/4.

Security Comparison.
is protocol is an instantiation of our general construction. We have proved that our general construction satisfies the eight requirements of election, so the instantiation also satisfies the eight Algorithm dGen : Algorithm dDec (sk, c) : Else return ⊥ return c (pk, sk)←pGen return (pk, (pk, sk)) Algorithm dEnc (pk, m) : R←H (pk, m) c←pEnc (pk, m, R) m←pDec (sk, c) R←H (pk, m) If pEnc (pk, m, R) = c, then return m

Conclusion
In this paper, we utilise the general construction of quantum digital signature [24] and quantum public key encryption [25], in conjunction with classic public key encryption, to develop a general construction of a quantum election protocol. e protocol is suitable for large-scale elections with numerous candidates and voters and accommodates scenarios in which multiple voters vote simultaneously. e protocol does not require any two participants to pre-share a secret key, nor does it require anonymous channels or a trusted third party. is construction is the first to achieve the properties of completeness, robustness, privacy, legality, unreusability, fairness, verifiability, and receipt-freeness under attacks from both external and internal agents in the current quantum election protocols. We instantiate the general construction into an election scheme with postquantum security by applying cryptographic algorithms having post-quantum security. Furthermore, our election protocol has higher security than that of existing protocols. All the keys of the quantum digital signature are classic so that the classic PKI can be used for key management and distribution. is construction is a theoretical achievement, and any practical application remains a distant goal. e quantum public key cryptosystem has significant room for development in comparison with the relatively well-established conventional public key cryptosystem. Numerous problems remain to be solved, such as developing the quantum PKI.
Data Availability e data used are available within the article.

Conflicts of Interest
e authors declare that they have no conflicts of interest.