ResearchArticle AnImprovedCoercion-ResistantE-VotingScheme

Research ArticleAn Improved Coercion-Resistant E-Voting Scheme

Yuanjing Hao Zhixin Zeng and Liang Chang

Guangxi Key Laboratory of Trusted Software Guilin University of Electronic Technology Guilin 541004 China

Correspondence should be addressed to Liang Chang changlgueteducn

Received 16 August 2021 Revised 20 September 2021 Accepted 22 September 2021 Published 18 October 2021

Academic Editor Chunhua Su

Copyright copy 2021 Yuanjing Hao et alampis is an open access article distributed under the Creative Commons Attribution Licensewhich permits unrestricted use distribution and reproduction in any medium provided the original work is properly cited

E-voting has gradually replaced the traditional voting methods to make it easier for people to conduct an election Recently Liuet al propose an unconditional secure e-voting scheme using secret sharing and k-anonymity ampeir scheme achieves correcttallying results without revealing raw voting information However in this paper we observe that Liu et alrsquos scheme cannotachieve coercion resistance in e-voting since the voter can prove the content of his ballot to the colluded candidates ampen wepropose an improved e-voting scheme to cover up the ballot of the voter with masked values In this way even if the voter colludeswith corresponding candidates he cannot prove which candidate he has voted for Moreover comparing with Liu et alrsquos schemethe security analysis shows that our proposed e-voting scheme achieves these security requirements like the coercion resistanceintegrity of ballots privacy of ballots multiple-voting detection and fairness amprough performance analysis the experimentalresults show that our proposed e-voting scheme has higher time efficiency Compared with other schemes our scheme achieves acomplete voting process and obtains the correct tallying result without complex computation and intricatecommunication process

1 Introduction

At present election is regarded as an indispensable demo-cratic activity in real life Over time it has been divided intotwo categories traditional election and electronic electionampe traditional election consumes a lot of time and resourcesand has low tallying efficiency ampus Chaum [1] first pro-posed the electronic voting scheme in 1981 which eliminatesthese disadvantages Subsequently various e-voting schemescontinue to spring up Recently cloud technology andblockchain technology are widely used in e-voting to achievesecure electronic election For the cloud technology Shankaret al [2] proposed a secure e-voting protocol which realizessecure data transfer with cloud effectively Anjima and Hari[3] proposed a secure cloud e-voting system using fullyhomomorphic elliptical curve cryptography which greatlyensures the privacy of ballots and minimizes the risk of thevote being tampered or leaked Although the cloud tech-nology presents advantages in the application of e-voting itis less used than blockchain technology Currently somee-voting researches related to blockchain have a tendency toincrease gradually such as reducing voter fraud [4] pre-venting ballot content attacks [5] and achieving the

universal verification of ballot [6] However the previouslymentioned description mainly illustrates the recent devel-opment of e-voting rather than the scope of our study

In a real election due to multiparty participation thevoter may sell the content of his ballot to others to obtainprofit Out of curiosity candidates may collude with otherparticipants to infer the content of the original ballotamperefore in practical application the secure e-votingscheme needs to satisfy some necessary security require-ments to protect the privacy of ballot such as freedom (noone can be forced to cast a certain vote) fairness (no one canuse more than his own votes to influence the tallying result)confidentiality (no one can know other voterrsquos contentexcept himself ) coercion resistance [7ndash10] (the voter provesnothing about the content of his ballot to others) verifi-ability [11 12] (every voter can verify if his ballot is correctlytallied and any participant can verify the correctness oftallying result)

For meeting the previously mentioned security re-quirements some encryption techniques have been popu-larly applied to e-voting to achieve secure election such asmix-net [13ndash16] blind signature [17ndash23] homomorphicencryption [24ndash28] and secret sharing [29ndash31] Meanwhile

HindawiSecurity and Communication NetworksVolume 2021 Article ID 5448370 11 pageshttpsdoiorg10115520215448370

due to the high overhead mix-net is hard to be applied forthe actual election Although blind signature has betterpracticality in e-voting it does not satisfy the security re-quirement of receipt-freeness and verifiability to some ex-tent At present in order to achieve secure and feasiblee-voting homomorphic encryption is popular in conjunc-tion with other encryption techniques such as zero-knowledge proof [32] and partial knowledge proof [33]However the computation burden becomes a problem thatneeds to be solved ampus avoiding these disadvantages ofabove encryption techniques secret sharing is applied toe-voting because of its better completeness and feasibilityand also achieves running time in linear [34] Based on suchadvantages Liu and Zhao [35] recently proposed an e-votingscheme using secret sharing and k-anonymity which ach-ieves the correct tallying result and satisfies the necessarysecurity requirements Concretely the content of one ballotis used to sever as the coefficients of the shared polynomialampe calculated shares are regarded as the encrypted form ofone ballot respectively held by voter voting system and allcandidates ampen according to the additive homomorphismof secret sharing the total number of ballots can be correctlyobtained for each candidate Liu and Zhao [35] declare theire-voting scheme achieves the security requirement of co-ercion resistance which means the voter cannot prove thecontent of his ballot to others

However in this paper we observe that Liu et alrsquosscheme cannot achieve the security requirement of coercionresistance ampe voter can collude with candidates to provethe content of his ballot ampus we propose an improvedcoercion-resistant e-voting scheme to cover up the contentof ballot with masked values which achieves the securityrequirement of coercion resistance Meantime we also solvethe abstention from voting Additionally through theoret-ical analysis and data simulation we indicate that ourproposed e-voting scheme can solve the shortcoming in [35]and has higher time efficiency compared with [32 33] Ourcontributions are shown in details as follows

(1) In Liu et alrsquos scheme [35] all voters and candidateshold shares ampe shared polynomial constructedfrom the original ballot information can be recov-ered if the voter colludes with corresponding can-didates ampe voter can prove which candidate he hasvoted for Liu et alrsquos scheme does not satisfy thecoercion-resistant security requirement ampus wepropose an improved e-voting scheme which re-places the content of the original ballot with maskedvalues to achieve the construction of the sharepolynomial In this way even if the voter colludeswith corresponding candidates to recover the sharedpolynomial he cannot prove the content of his ballotto others ampe improved e-voting scheme achievescoercion-resistant security requirement

(2) ampe improved e-voting scheme considers abstentionwhich Liu et alrsquos scheme [35] does not accomplishIn the improved e-voting scheme voting systemconstructs the shared polynomial of abstainer onlyusing masked values and then performs subsequent

voting process Finally all participants can obtain thecorrect tallying result

(3) ampe security analysis shows that the improvede-voting scheme not only inherits some securityrequirements in Liu et alrsquos scheme [35] but alsoachieves coercion-resistant security requirementwhich Liu et alrsquos scheme does not satisfy Moreoverthe scheme also achieves additional security prop-erties which consist of the integrity of ballots theprivacy of ballots multiple-voting detection andfairness ampe performance analysis shows that theproposed e-voting scheme has higher time efficiencywhen candidates and voters are respectively specificnumber

ampe rest of this paper is organized as follows In Section2 the steps of Liu et alrsquos e-voting scheme are reviewed ampesystem model and threat model are presented in Section 3Section 4 proposes our improved e-voting scheme in detailIn Section 5 we state the differences between Liu et alrsquosscheme and the improved e-voting scheme Finally thesystem analysis and conclusion are respectively presentedin Section 6 and Section 7

2 Review

In this section Liu et alrsquos scheme [35] is reviewed It mainlyconsists of three phases prevoting phase voting phase andpostvoting phase And the process of communication isshown in Figure 1

21 Prevoting Phase Assume that there are n voters and m

candidates respectively ampe voters are divided into severalsets and each set contains k voters

22 Voting Phase

Step 1 Each voter Vi(i 1 n) registers to a trustedauthority centre (AC) ampen the voting system (VS)issues a temporary identity IDi for each voter and noone knows the relationship between voter and histemporary identity IDiStep 2 If the candidate Cj(j 1 m) is selected bythe voter Vi aij 1 otherwise aij 0 ampen VSgenerates the shared polynomial fi(x) ai0 + ai1x +

ai2x2 + middot middot middot + aimxmmodp and computes m + 2 shares

(xj yij) (j 1 2 m + 2) by using the IDs ofvoter Vi candidate Cj (j 1 m) and VSStep 3 VS stores the share (xm+1 yim+1) and thensends shares (xj yij) (j 1 2 m) to corre-sponding candidate Cj and credential CRi ai0 xm+21113966

yim+2 to the voter Vi

23 Postvoting Phase In this phase first voters are ran-domly divided into some sets and each set contains k votersampe process can be briefly described in the following steps

2 Security and Communication Networks

Step 1ampe voters who are located in a set publish theirai0 (i 1 k) on the bulletin boardStep 2VS andCj compute yj 1113936

ki1 yij and publish the

points (xj yj) (j 1 2 m + 1) on the bulletinboard According to these points each participant canrecover the polynomial F(x) a0 + a1x + a2x

2 + middot middot middot +

amxmmodp where aj 1113936ki1 aij (j 0 1 m)

Step 3 VS publishes the aggregated ballotsa0 a1 a2 am1113864 1113865 of k voters on the bulletin boardStep 4 ampe participant verifies the correctness of theaggregated ballots by the equation a0 1113936

ki1 ai0 If the

verification is true everyone can compute the result ofCj votej 1113936 aj (j 1 2 m) Otherwise allcandidates and VS are asked to check their publishinginformation and reconstruct the polynomial again

3 The System Model and Threat Model

In this section the system model threat model and designgoals are introduced respectively

31 e System Model In e-voting system the participantsinvolved are respectively a voter (V) candidate (C) trustedauthority centre (AC) voting system (VS) and bulletinboard which is used to publish information in votingprocess ampese participants mainly achieve the followingfunctions

V the voter votes for his favourite candidate andobtains the credential from VSC the candidate and VS collaborate to get the tallyingresult togetherAC AC authorizes the legal voter to cast the ballot andtakes charge of arbitrating the disputes and granting thedigital certificate for each participantVS VS generates shares for candidate and credentialfor voter respectively moreover VS leaks nothingabout the intention of the voter

In this paper the communication model is the same asLiu et alrsquos scheme and presented in Figure 1 In the com-munication model a legal voter casts his favourite candidateusing VS VS generates corresponding credential for thisvoter and divides the masked voting intention of this voter

into m shares ampen VS sends credential to this voter and m

shares to each candidate Cj (j 1 m)

32 e reat Model In this section the threat model isdescribed mainly embodied in the security issue of Liuet alrsquos scheme Many secure e-voting schemes can ensure thecorrectness of the tallying result Meanwhile Liu et alrsquosscheme uses the homomorphic additivity of polynomial toget the correct tallying result However in this scheme thevoter can prove the content of his ballot to others ampeirscheme cannot resist coercive attack from the internal voterwhich cannot achieve coercion-resistant security require-ment in e-voting For the shortcoming in Liu et alrsquos schemewe give a brief example to describe the attack model Assumethat there are four candidates and their IDs are separately 23 4 and 5

321 Adversary Assume that V1 is an internal attacker wholaunches the coercive attack to prove the content of his ballotto others Meantime assume that Virsquos ID is 1 and he castscandidates C1 C3 C4 a11 1 a12 0 a13 1 a14 1

322 Attack Process

(1) First for simplifying computation we choosep 29 In voting phase according to the selection ofthe voter V1 VS generates the shared polynomialf1(x) 3 + x + x3 + x4modp ampen VS computesfour shares (20) (327) (48) and (54) which areseparately sent to C1 C2 C3 C4 and one credential3 1 6 which is sent to V1

(2) After receiving the credential V1 colludes with thecandidates C1 C3 C4 since he casts the supportingballot for them In this way V1 can recover theshared polynomial f1(x) by owned random number3 and known three shares of candidates C1 C3 C4

(3) In order to prove the correctness of the recoveredpolynomial f1(x) V1 verifies the recovered poly-nomial f1(x) using his share (16) and publishedrandom number a10 3 If the verification is truethe candidates C1 C3 C4 believe that the recoveredpolynomial f1(x) is true In fact the verification isusually true as long as the calculation is correct

AC

Candidates

1 Register

Voterv1 v2 2 Vote

3 Credentials

VS

YES

NO

4 Shares

AC

1 Register

oterv1 v2 2 Vote

3 Credentials

YES

NO

4 Shares

vk

C1

C1

C2

C2

C3

C3

Cm-1

Cm-1

Cm

Cm

Figure 1 ampe process of communication

Security and Communication Networks 3

323 Attack Result amprough construction of the sharedpolynomial in Liu et alrsquos scheme we know that the coef-ficient of the shared polynomial can show whether corre-sponding candidate obtains the ballot or not If thecoefficient is 1 it shows that the voter casts the candidatewhose identity is the same as power of the shared poly-nomial ampus according to the description in attack processthe candidates C1 C3 C4 believe the correctness of the re-covered polynomial f1(x) Naturally V1 can prove he castthe supporting ballot for the candidatesC1 C3 C4 Liu et alrsquosscheme cannot achieve the security requirement of coercionresistance in e-voting

amperefore to solve the shortcoming of Liu et alrsquos schemewe propose the improved coercion-resistant e-votingscheme ampe scheme not only satisfies the coercion-resistantsecurity requirement but also solves the issue of abstainersampe specific process is presented in section 4

33 DesignGoals For the design goals we mainly introducesome necessary security requirements which needs to besatisfied in next proposed e-voting scheme ampese securityrequirements include coercion resistance which Liu et alrsquosscheme does not achieve and other additional security re-quirements which are integrity of ballots privacy of ballotsmultiple-voting detection and fairness

(i) Coercion resistance no one voter can prove toothers which candidate he has voted for

(ii) Integrity of ballots in order to obtain correct tal-lying result the ballots of all voters involved in thevoting process should be counted validly

(iii) Privacy of ballots no one participant can leak anyvoting information

(iv) Multiple-voting detection a legal voter only can castballot once If a voter votes for more than once thesuperfluous ballots should be detected

(v) Fairness no one candidate can know his own ballotin advance

4 The Improved Voting Scheme

In this section we present the improved e-voting scheme indetail We first suppose that the trust assumptions are thesame as [35] ampe improved e-voting scheme consists of fourphases prevoting phase voting phase postvoting phase andabstention from voting Meanwhile all computations areover a finite field Fp where p is a secure prime which ispublished by AC before the prevoting phase ampe list ofsymbols used in the improved e-voting scheme is shown inTable 1 and Figure 2 shows the specific voting process invoting phase postvoting phase and abstention from voting

41 Prevoting Phase Assume that there are n votersV1 Vn and m candidates C1 Cm

42 Voting Phase In this phase the session keys are ne-gotiated freely among voters and VS computes the masked

values ampen each voter casts his favourite candidates andgets the credential in a face-to-face way ampe process isdescribed as follows

Step 1 Every voter Vi (i 1 2 n) registers to ACVS generates a temporary identity IDi (i 1 2

n) for Vi and no one knows the relationship between Vi

and IDiStep 2 Vi negotiates session key kij (i j isin i 1 2

n ine j) with other βi isin i 1 2 n minus 1 votersin a set and then obtains his session key listki1 ki2 kiβi

1113966 1113967 For example there are three votersV1 V2 V31113864 1113865 in a set V1 and V2 share the session key

k12 and V1 and V3 share the session key k13 ampen V1V2 and V3 can respectively obtain their session keylists k12 k131113864 1113865 k211113864 1113865 and k311113864 1113865 where k12 k21

k13 k31Step 3 Vi sends his session key list to VS via a securechannel VS computes λil 1113936

βi

j1jne i(IDi minus IDj)H(kij

|l) (i isin i 1 2 n l isin i 1 2 m ) and thendivides λil 1113936

nj1 blj where H Zlowastp⟶ Zlowastp is a secure

cryptographic hash function which is published andbl1 bl2 bln are n random numbers Afterwards VScomputes masked values 1113936

nj1 b1i B1i 1113936

nj1 b2i

B2i 1113936nj1 bm i Bmi (i 1 2 n) Mean-

while the masked values of the voter Vi can be rep-resented as the list B1i B2i Bmi1113966 1113967Step 4 Vi casts his favourite candidates If the candidateCj(j 1 m) is selected aij 1 otherwise aij 0According to the computation of masked values for thevoter Vi VS constructs the shared polynomial fi(x)

ai0 + (B1i + ai1)x + (B2i + ai2) x2 + middot middot middot + (Bmi + aim)

xm modp where ai0 ne 0 is a random numberStep 5 Assume that the IDs of candidates Cj(j 1

m) the voter Vi and VS are respectively xj xm+1 andxm+2 VS computes m + 2 shares (xj yij) (j 1 2

m + 2) by the polynomial in Step 4 ampen VS storesthe share (xm+1 yim+1) and sends shares (xj yij) (j

1 2 m) to corresponding candidates Cj (j 1

m) and credential CRi ai0 xm+2 yim+21113966 1113967 to thevoter Vi

43 Postvoting Phase In this phase VS and all candidatesreconstruct polynomial together by the sum of shares andeach participant can obtain the correct tallying result byverifying the constant coefficient of the reconstructedpolynomial ampe steps are given as follows

Step 1 All voters are published and each voter Vi (i

1 2 n) publishes their ai0 (i 1 2 n) onthe bulletin boardStep 2VS and Cj compute yj 1113936

ni1 yijand publish the

points (xj yj) (j 1 2 m + 1) ampen eachparticipant can recover the polynomial F(x) a0 + a1x

+a2x2 + middot middot middot + amxmmodp where aj 1113936

ni1 aij (j

0 1 m) Finally VS publishes the aggregated ballotsa1 a2 am1113864 1113865 of n voters on the bulletin board


Table 1 List of notations

Symbol Significancen ampe number of votersm ampe number of candidatesVi i-th voterCj j-th candidateIDi Temporary identification of Vi (i isin 1 2 n )

kij Session key of Vi (i isin 1 2 n )

βi ampe number of session keys negotiated with Vi (i isin 1 2 n )

λil A value can be used to compute masked valuesBji j-th masked value of the i-th shared polynomialaij A ballot from Vi (i isin 1 2 n ) for Cj (j isin 1 2 m )

(xj yij) ampe shares computed by the i-th shared polynomialCRi ampe credential of Vi (i isin 1 2 n )

yj ampe sum of shares computed by Cj (j isin 1 2 m )

aj ampe total number of ballots for Cj (j isin 1 2 m )

Voter1 Voter2

ACRegister Register

Session key k12

Session key k21

Masked values

B11 B21

Maskedvalues

B12 B22

Ballota11 a12

Cast

f1 (x)=a10+(B11+a11) x+(B21+a12) x2modp f2 (x)=a20+B12x+B22x2modp

Construct

Shares and Credential(x1y11) (x2y12) (x3y13) CR1


Candidate1 Candidate2

(x1y11) (x2y12)(x1y21) (x2y22)

VS

CR1 CR2

Sum of shares(x1y1)

Sum of shares(x2y2)

Sum of shares(x3y3)

F (x)=a0+a1x+a2x2modp

Aggregate Aggregate Aggregate

RecoverTallying result

a1a2Verify Publish

Construct

(x3y13) (x3y23)

a0 = ai0

3

i=1

Figure 2ampe voting phase postvoting phase and abstention from voting of two voters and two candidates in the improved e-voting systemAssume the Voter2 abstains from voting


Step 3 Each participant verifies the correctness of theaggregated ballots by the equation a0 1113936

ni1 ai0 If the

verification is not true VS and all candidates are askedto check their publishing information and reconstructthe polynomial again

44 Abstention from Voting In the real-life case abstentionfrom voting is widespread For obtaining the correct tallyingresult when there are abstainers in voting phase VS setstheir ballots as 0 and then constructs the shared polynomialsonly using the masked values In proposed e-voting schemeif the candidate Cj (j isin 1 m ) obtains the sup-porting ballot of the voter Vi (i isin 1 2 n ) aij 1For one abstainer it can consider that all candidates do notget the supporting ballot from the abstainer VS setsaij 0 (i isin 1 2 n j 1 m) In this way thevoting system not only ensures the normal voting processbut also does not make a difference for the voting resultamperefore the improved e-voting scheme solves the issue ofabstainers and guarantees the correctness of the tallyingresult

5 Differences of Two Schemes

In this section the differences are expounded between Liuet alrsquos scheme [35] and the improved e-voting scheme Wedescribe these differences in terms of the following fivesecurity requirements

Coercion resistance coercion resistance means that noone voter can prove the content of his ballot to othersampe requirement is described from the aspect of thevoter When the voter acts as an internal attacker hecannot disclose the content of the original ballot In Liuet alrsquos scheme VS constructs the shared polynomialwith the ballot of one voter However if this votercolludes with at most m candidates he can recover theshared polynomial to disclose the content of theoriginal ballot and prove which candidate he has votedfor amperefore Liu et alrsquos scheme cannot resist thecoercive attack from the internal voter In the improvede-voting scheme the masked values are computed andadded to the coefficients of the original shared poly-nomial In this way even if the voter recovers theshared polynomial he also cannot prove the content ofhis ballot to others ampe improved e-voting schemeachieves the security requirement of coercionresistanceAbstention from voting in a real election there arevoters who may abstain from voting In Liu et alrsquosscheme all voters take part in the election Liu et alrsquosscheme does not consider the issue of the abstainerHowever in the improved e-voting scheme for anabstainer we set his ballot as 0 In this way all can-didates cannot obtain the supporting ballot from theabstainer which ensures the correctness of tallyingresult amperefore comparing Liu et alrsquos scheme theimproved e-voting scheme considers the issue of ab-stainer and can obtain the correct tallying result

Privacy in Liu et alrsquos scheme the voter can reveal thecontent of his ballot by colluding with some candidatesampe scheme does not meet the privacy requirement ine-voting However in the improved e-voting schemethe computation of the masked values prevents thevoter from revealing the content of his ballot More-over the participant can only obtain the tallying resultby recovering the polynomial in postvoting phaseampus the improved e-voting scheme satisfies the pri-vacy requirement of ballotSecurity security means that the voting scheme doesnot rely on the hard problem such as discrete loga-rithm and integer factorization and still can achieve theconfidentiality of the voting process ampis requirementis described from the aspect of the voting schemeWithout additionally complex conditions the votingscheme can resist attacks from external and internaladversaries respectively and achieve the confidenti-ality of the original ballot In Liu et alrsquos scheme itshows that the malicious adversary cannot obtain anyvoting information from some shares In factaccording to the executive process of secret sharing Liuet alrsquos scheme does not achieve the confidentiality ofthe original ballot First as described in the securityrequirement of the coercion resistance Liu et alrsquosscheme cannot resist the coercive attack from an in-ternal adversary Second since the number of share-holders exceeds the threshold m of secret sharing in Liuet alrsquos scheme Likewise Liu et alrsquos scheme is also hardto prevent external adversary from obtaining thecontent of the original ballot ampus Liu et alrsquos schemecannot guarantee the requirement of security How-ever in the improved e-voting scheme the sharescannot be served as an advantage for adversary to revealthe content of the original ballot ampe improvede-voting scheme guarantees the confidentiality oforiginal ballot forever which achieves the requirementof securityFairness fairness means that no one can know theballot information in advance In Liu et alrsquos scheme thevoter can prove the content of his ballot to corre-sponding some candidates In this way these candi-dates can know partial ballots in advance Liu et alrsquosscheme does not satisfy the fairness requirement ine-voting However in the improved e-voting schemeno one can know any ballot information in advanceand the correct tallying result can be obtained simul-taneously by each participant ampe improved e-votingscheme achieves the fairness requirement

6 System Analysis

ampe system analysis includes the security analysis and theperformance analysis

61 Security Analysis ampe improved e-voting scheme in-herits these security requirements which are correctnessanonymity confidentiality efficiency noncheating and


universal verifiability in Liu et alrsquos scheme [35] Moreoverthe improved e-voting scheme also achieves coercion-re-sistant security requirement which Liu et alrsquos scheme doesnot accomplish by adding masked values to the coefficientsof the original shared polynomial In this way the content ofone ballot can be protected and corresponding privacyrequirement can also be satisfied Meantime the improvede-voting scheme considers the abstention from votingwhich not only ensures the correct tallying result but alsoachieves integrity of ballots

In the following part of this section we give theoreticalanalysis and proof of the integrity of ballots privacy ofballots multiple-voting detection fairness and coercionresistance of the improved e-voting scheme

611 Integrity of Ballots

Theorem 1 For voters who submit the session key list VSshould hold their voting information to ensure the integrity ofballots and then achieve the correct tallying result

Proof In a real election the registered voter may give upcasting his ballot In the proposed e-voting system assumethat a voter Vt (t isin 1 2 n ) gives up voting for aballot after submitting the session key list to VS

For simplifying analysis assume that separately nego-tiates the session key with the remaining voters in votingphase First VS computes and divides λ as follows

λ11 minusH k12|1( 1113857( 1113857 + middot middot middot +(1 minus t)H k1t|1( 1113857 + middot middot middot +(1 minus n)H k1n|1( 1113857 b11 + middot middot middot + b1t + middot middot middot + b1n

middot middot middot

λ1m minusH k12|m( 1113857( 1113857 + middot middot middot +(1 minus t)H k1t|m( 1113857 + middot middot middot +(1 minus n)H k1n|m( 1113857 bm1 + middot middot middot + bmt + middot middot middot + bmn

⋮

⋮

λn1 (n minus 1)H kn1|1( 1113857 b11 + middot middot middot + b1t + middot middot middot + b1n


λnm (n minus 1)H kn1|1( 1113857 bm1 + middot middot middot + bmt + middot middot middot + bmn

⎧⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎨

⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎩

(1)

Equation (1) shows 1113936ni1 λil 0 (l isin 1 2 m )

ampen VS computes the masked valuesB1i 1113936

nj1 b1i Bmi 1113936

nj1 bmi (i 1 2 n)

For the abstainer Vt (t isin 1 2 n ) if VS does notconstruct his shared polynomial and the sum of shares canbe computed as

1113944

n

i1inetfi(x) 1113944

n

i1ineta0i + 1113944

n

i1λi1 minus 1113944

n

j1b1t + 1113944

n

j1ai1

⎛⎝ ⎞⎠x + middot middot middot + 1113944n

i1λim minus 1113944

n

i1bmt + 1113944

n

i1inetaim

⎛⎝ ⎞⎠xmmodp

⎧⎪⎨

⎪⎩

1113944n

i1ineta0i + 1113944

n

j1b1t + 1113944

n

i1inetai1

⎛⎝ ⎞⎠x + middot middot middot + minus 1113944n

j1bmt + 1113944

n

i1inetaim

⎛⎝ ⎞⎠xmmodp

(2)

According to secret sharing homomorphism the tallyingresult is minus 1113936

nj1 b1t + 1113936

ni1ine t ai1 minus 1113936

nj1 bmt + 1113936

ni1ine t

aim instead of 1113936ni1ine t ai1 1113936

ni1ine t aim

ampus in order to obtain the correct tallying result VSshould ensure the integrity of ballots In our voting systemVS sets the ballot of abstainer Vt as 0 and constructs theshared polynomial ft(x) at0 + 1113936

nj1 b1tx + middot middot middot + 1113936

nj1 bmt

xmmodp In this way the sum of shares is1113936

ni1 fi(x) 1113936

ni1 a0i + 1113936

ni1 ai1x + middot middot middot + 1113936

ni1 aimxmmodp

ampe ballot of Vt is 0 amperefore the tallying result is1113936

ni1 ai1 1113936

ni1ine t ai1 1113936

ni1 aim 1113936

ni1ine t aim

To sum up in a real election abstention from votingneeds to be considered to ensure the integrity of ballots andobtain the correct tallying result

612 Privacy of Ballots

Theorem 2 No one voter or candidate can reveal any votinginformation

Proof In proposed voting scheme assume the voterVk (k isin 1 2 n ) colludes with m candidates afterreceiving credential and then recovers the shared polyno-mial fk(x) ak0 + (1113936

nj1 b1k + ak1 )x + middot middot middot + (1113936

nj1 bmk

+akm)xmmodp However the voting informationak1 akm cannot be revealed because of the maskedvalues 1113936

nj1 b1k 1113936

nj1 bmk amperefore in the proposed

e-voting scheme even if a voter or candidate has enoughcomputing power he also cannot reveal any voting


information ampe scheme achieves the privacy requirementof ballots

613 Multiple-Voting Detection

Theorem 3 A legal voter only can submit ballot to VS once

Proof In the proposed e-voting system assume thelegal voter Vh (h isin 1 2 n ) submits ballot to VS twiceIn this way VS can construct two shared polynomialsfh1(x) and fh2(x) for Vh according to twice differentsubmissions ampen the voter Vh can receive two credentialsand each candidate can receive n + 1 shares Howeveraccording to the computation of the sum of shares inpostvoting phase each candidate only can hold n sharesMoreover when all voters are published each candidate candiscover that the number of received shares is not equal to nampus the multiple-voting is detected for the voter Vh ampeimproved e-voting scheme satisfies the requirement that alegal voter casts a ballot once

614 Fairness

Theorem 4 No one candidate can know his own ballot inadvance

Proof For knowing the voting information about himselfthe candidate is willing to collude with one voter to revealthe content of one ballot after receiving shares However inthe proof of ampeorem 2 it shows that no one voter can leakany privacy of ballots ampus it is impossible for one can-didate to know the content of the single ballot in advanceMoreover in postvoting phase the sums of shares arepublished on the bulletin board and any participant canobtain the tallying result amperefore the improved e-votingscheme achieves the requirement of fairness in e-voting

615 Coercion Resistance

Theorem 5 No one voter can prove the content of his ballotto others

Proof In voting phase assume that VS constructs the sharedpolynomial fe(x) ae0 + (B1e + ae1)x + (B2e + ae2)x

2+

middot middot middot + (Bme + aem)xmmodp for the voter Ve (e isin 1 2

n) and computes shares (IDC1 fe(IDC1

)) (IDCm

fe(IDCm)) (IDVS fe(IDVS)) and credential ae0 IDe fe(I1113966

De) ampe shares (IDC1 fe(IDC1

)) (IDCm fe(IDCm

))

are sent to corresponding candidates C1 Cm and thecredential ae0 IDe fe(IDe)1113966 1113967 is sent to the voter Ve Forproving the content of the ballot it is most likely for Ve torecover the shared polynomial fe(x) by colluding with m

candidates However different from the Liu et alrsquos scheme[35] the improved e-voting scheme masks the relationshipbetween coefficient of shared polynomial and voting in-formation Even if the voter Ve recovers the shared

polynomial fe(x) he cannot prove his voting intentionae1 aem to others ampus the scheme achieves the se-curity requirement of coercion resistance

62 Performance Analysis In this section the performanceof our proposed e-voting system is analysed ampe prevotingphase has no computation which only distributes thenumbers of the voters and candidates ampus we mainlyanalyse the computation cost of the voting phase andpostvoting phase In addition we compare our scheme with[32 33 35] for partial security requirement and computa-tion complexity which is shown in Table 2 Moreover wealso respectively test the total time cost for the differentnumbers of voters and candidates by using the 1024-bitsession key and the 512-bit shared secret on a laptop withIntel i5 31 GHz CPU and 800GB memory and the result isshown in Figures 3 and 4

621 Performance Analysis of the Voting Phase In thevoting phase the five steps are as follows registeringidentification for voters negotiating session keys amongvoters generating masked values constructing sharedpolynomials and computing shares Meanwhile the com-putation cost mainly concentrates upon generating maskedvalues and computing shares Assume that the computationcosts of one masked value and one share are separatelyexpressed as costmask and costshare ampe total computationcost in this phase can be expressed as costvoting_phase

n middot m middot costmask + n middot (m + 2) middot costshare

622 Performance Analysis of the Postvoting Phase Inpostvoting phase VS and candidates are responsible forcomputing the sum of shares and then publish Each par-ticipant reconstructs a polynomial to obtain the tallyingresult and then verifies it Meanwhile computing the sum ofshares recovering polynomial and verifying the tallyingresult are the main computation cost in this phase Assumethat they are separately expressed as costshare_sum costrecoverand costverify ampe total computation cost in this phase iscostpost_voting (m + 1) middot costshare_sum + costrecover + costverify

From the previously mentioned analysis of two phasesthe total computation cost is costtotal costvoting_phase+costpost_voting in the improved e-voting scheme and increaseswith the numbers of voters and candidates ampus thecomputation complexity is O(nm) in the improved e-votingscheme In Table 2 it shows that our e-voting scheme si-multaneously achieves privacy verifiability and coercionresistance and the computation complexity is less than thatmentioned in [32] due to m≪ n

In Figure 3 we select m 5 candidates to test the totaltime cost with different numbers of voters As shown inFigure 3 the total time cost of the improved e-voting schemeis slightly higher than the scheme [35] Liu et alrsquos scheme[35] is unaffected by the numbers of voters amperefore it hasan advantage in total time cost However it cannot achievethe security requirement of coercion resistance in e-votingAlthough the improved e-voting scheme increases the total


Table 2 Comparison of partial security requirement and computation complexity

Performance [35] [32] [33] Our schemePrivacy No Yes Yes YesCoercion resistance No No No YesVerifiability Yes Yes Yes YesComputation complexity O(nm) O(nlogn) O(nm) O(nm)

300

250

200

150

100

50

Tota

l Tim

e Cos

t (s)

210006000 1500030001000 10000e number of voters

e total time cost comparision of 5 candidates

e scheme [35]e scheme [32]

e scheme [33]e proposed scheme

Figure 3 ampe total time cost comparison for four schemes in the case of five candidates the number of voters is respectively 1000 30006000 10000 15000 and 21000

200

150

100

50

0

Tota

l Tim

e Cos

t (s)

3 5 6 7 82e number of candidates

e total time cost comparision of 10000 voters



Figure 4 ampe total time cost comparison for four schemes in the case of 10000 voters the number of candidates is respectively 2 3 5 6 7and 8


time cost it achieves the coercion-resistant security re-quirement Moreover comparing [32 33] the improvede-voting scheme takes less time overall

In Figure 4 we select n 10000 voters to test the totaltime cost with different numbers of candidates As shownin Figure 4 both the improved e-voting scheme and thescheme [35] increase with the numbers of candidates in thetotal time cost Similarly the total time cost of the im-proved e-voting scheme is slightly higher than the scheme[35] In order to achieve the security requirement of co-ercion resistance the improved e-voting scheme addsmasked values on the basis of the scheme [35] ampus thecomputation cost is higher than Liu et alrsquos scheme [35]However the total time consumption is still smaller thanthose in [32 33]

7 Conclusions

In this paper we first show that the e-voting scheme re-cently proposed by Liu et al in [35] suffers from the co-ercive attack by internal voter ampen we proposed animproved e-voting scheme to achieve coercion resistanceand solve abstention from voting Different from thescheme proposed by Liu et al the improved e-votingscheme uses the sum of the masked value and the value ofthe original ballot to achieve the construction of sharedpolynomial ampe scheme prevents malicious voter provingthe content of his ballot to others which achieves thesecurity requirement of coercion resistance Besides VSsets the ballot of the abstainer as 0 and correct tallyingresult can be obtained in subsequent voting processMoreover theoretical analysis shows that our proposedscheme not only inherits all security requirements of Liuet alrsquos scheme but also achieves the integrity of ballotsprivacy of ballots multiple-voting detection and fairnessampe performance evaluation results also indicate ourscheme can achieve higher efficiency than other e-votingschemes in terms of total time consumption In future withthe increasing application of blockchain we are going tocombine blockchain technology to propose novel and se-cure e-voting scheme

Data Availability

All data generated or analysed during this study are includedin this published article

Conflicts of Interest

ampe authors declare that there are no conflicts of interestregarding the publication of this study

Acknowledgments

ampis work was supported by the Natural Science Foundation ofChina (grant nos 61966009 U1811264 U1711263 and62072133) and Natural Science Foundation of Guangxi Prov-ince (grant nos 2018GXNSFDA281045 and 2018GXNSFDA281040) ampe authors would like to thank everyone for theguidance of paper writing

References

[1] D L Chaum ldquoUntraceable electronic mail return addressesand digital pseudonymsrdquo Communications of the ACMvol 24 no 2 pp 84ndash90 1981

[2] A Shankar P Pandiaraja K Sumathi T Stephan andP Sharma ldquoPrivacy preserving E-voting cloud system basedon ID based encryptionrdquo Peer-to-Peer Networking and Ap-plications vol 14 no 4 pp 2399ndash2409 2021

[3] V S Anjima and N N Hari ldquoSecure cloud e-voting systemusing fully homomorphic elliptical curve cryptographyrdquo inProceedings of the 2019 International Conference on IntelligentComputing and Control Systems (ICCS) pp 858ndash864Secunderabad India June 2019

[4] N Kshetri and J Voas ldquoBlockchain-Enabled E-votingrdquo IEEESoftware vol 35 no 4 pp 95ndash99 2018

[5] S Panja and B Roy ldquoA secure end-to-end verifiable e-votingsystem using blockchain and cloud serverrdquo Journal of In-formation Security and Applications vol 59 Article ID102815 2021

[6] S Zhang L Wang and H Xiong ldquoChaintegrity blockchain-enabled large-scale e-voting system with robustness anduniversal verifiabilityrdquo International Journal of InformationSecurity vol 19 no 3 pp 323ndash341 2020

[7] A Juels D Catalano and M Jakobsson ldquoCoercion-resistantelectronic electionsrdquo in Towards Trustworthy Elections NewDirections in Electronic Voting D Chaum M JakobssonR L Rivest et al Eds Springer Berlin Heidelberg BerlinGermany 2010

[8] O Spycher R Koenig R Haenni and M Schlapfer ldquoA newapproach towards coercion-resistant remote E-voting inlinear timerdquo in Financial Cryptography and Data SecurityG Danezis Ed pp 182ndash189 Springer Berlin HeidelbergBerlin Heidelberg 2012

[9] P Grontas A Pagourtzis A Zacharakis and B ZhangldquoTowards everlasting privacy and efficient coercion resistancein remote electronic votingrdquo in Financial Cryptography andData Security A Zohar I Eyal V Teague et al Edspp 210ndash231 Springer Berlin Heidelberg Berlin Germany2019

[10] P Grontas A Pagourtzis and A Zacharakis ldquoCoercion re-sistance in a practical secret voting scheme for large scaleelectionsrdquo in Proceedings of the 2017 14th InternationalSymposium on Pervasive Systems Algorithms and Networks amp2017 11th International Conference on Frontier of ComputerScience and Technology amp 2017 ird International Sympo-sium of Creative Computing (ISPAN-FCST-ISCC) pp 514ndash519 Exeter United Kingdom June 2017

[11] A Kiayias T Zacharias and B Zhang ldquoAn efficient E2Everifiable E-voting system without setup assumptionsrdquo IEEESecurity amp Privacy vol 15 no 3 pp 14ndash23 2017

[12] R Kusters J Liedtke J Muller D Rausch and A VogtldquoOrdinos a verifiable tally-hiding E-voting systemrdquo in Pro-ceedings of the 2020 IEEE European Symposium on Securityand Privacy (EuroSampP) pp 216ndash235 Genoa Italy September2020

[13] C A Neff ldquoA verifiable secret shuffle and its application toE-votingrdquo in Proceedings of the 8th ACM Conference onComputer and Communications Security pp 116ndash125 As-sociation for Computing Machinery Philadelphia PA USANovember 2001

[14] X Boyen T Haines and J Muller ldquoA verifiable and practicallattice-based decryption mix net with external auditingrdquo inComputer Security ndash ESORICS 2020 L Chen N Li K Liang


and S Schneider Eds Springer International PublishingNew York NY USA pp 336ndash356 2020

[15] N Islam K M R Alam S Tamura and Y Morimoto ldquoA newe-voting scheme based on revised simplified verifiable re-encryption mixnetrdquo in Proceedings of the 2017 InternationalConference on Networking Systems and Security (NSysS)pp 12ndash20 Dhaka Bangladesh December 2017

[16] C Culnane A Essex S J Lewis O Pereira and V TeagueldquoKnights and knaves run elections internet voting and un-detectable electoral fraudrdquo IEEE Security amp Privacy vol 17no 4 pp 62ndash70 2019

[17] D Chaum ldquoBlind signatures for untraceable paymentsrdquo inAdvances in Cryptology D Chaum R L Rivest andA T Sherman Eds pp 199ndash203 Springer Boston MAUSA 1983

[18] A Fujioka T Okamoto and K Ohta ldquoA practical secretvoting scheme for large scale electionsrdquo in Advances inCryptology mdash AUSCRYPT rsquo92 J Seberry and Y Zheng EdsSpringer Berlin Heidelberg Berlin Germany pp 244ndash2511993

[19] X Chen Q Wu F Zhang et al ldquoNew receipt-free votingscheme using double-trapdoor commitmentrdquo InformationSciences vol 181 no 8 pp 1493ndash1502 2011

[20] M Kumar S Chand and C P Katti ldquoA secure end-to-endverifiable internet-voting system using identity-based blindsignaturerdquo IEEE Systems Journal vol 14 no 2pp 2032ndash2041 2020

[21] M Kumar C P Katti and P C Saxena ldquoA secure anony-mous E-voting system using identity-based blind signatureschemerdquo in Information Systems SecurityR K Shyamasundar V Singh and J Vaidya Eds SpringerInternational Publishing New York NY USA pp 29ndash492017

[22] W Wang H Xu M Alazab T R Gadekallu Z Han andC Su ldquoBlockchain-based reliable and efficient certificatelesssignature for IIoT devicesrdquo IEEE Transactions on IndustrialInformatics vol 14 p 1 2021

[23] W Wang H Huang L Zhang Z Han C Qiu and C SuldquoBlockSLAP blockchain-based secure and lightweight Au-thentication protocol for smart gridrdquo in Proceedings of the2020 IEEE 19th International Conference on Trust Securityand Privacy in Computing and Communications (TrustCom)pp 1332ndash1338 Guangzhou China December 2021

[24] R L Rivest L M Adleman and M L Dertouzos ldquoOn databanks and privacy homomorphismsrdquo Found SecureCompuationvol 4 pp 169ndash180 1978

[25] K Peng R Aditya C Boyd E Dawson and B Lee ldquoMul-tiplicative homomorphic E-votingrdquo in Progress in Cryptology -INDOCRYPT 2004 A Canteaut and K Viswanathan Edspp 61ndash72 Springer Berlin Heidelberg Berlin Germany 2005

[26] J Dossogne and F Lafitte ldquoBlinded additively homomorphicencryption schemes for self-tallying votingrdquo Journal of In-formation Security and Applications vol 22 pp 40ndash53 2015

[27] S M Toapanta Toapanta L J Chavez Chalen J G OrtizRojas and L E Mafla Gallegos ldquoA homomorphic encryptionapproach in a voting system in a distributed architecturerdquo inProceedings of the 2020 IEEE International Conference onPower Intelligent Computing and Systems (ICPICS)pp 206ndash210 Shenyang China July 2020

[28] X Fan T Wu Q Zheng Y Chen and X Xiao ldquoDHS-votinga distributed homomorphic signcryption E-votingrdquo in De-pendability in Sensor Cloud and Big Data Systems and Ap-plications G Wang M Z A Bhuiyan

S De Capitani di Vimercati and Y Ren Eds pp 40ndash53Springer Singapore Singapore Asia 2019

[29] B Schoenmakers ldquoA simple publicly verifiable secret sharingscheme and its application to electronic votingrdquo in Advancesin CryptologymdashCRYPTOrsquo 99 MWiener Ed Springer BerlinHeidelberg Berlin Germany pp 148ndash164 1999

[30] L Yuan M Li C Guo W Hu and X Tan ldquoA verifiableE-voting scheme with secret sharingrdquo in Proceedings of the2015 IEEE 16th International Conference on CommunicationTechnology (ICCT) pp 304ndash308 Hangzhou China October2015

[31] R Tso Z-Y Liu and J-H Hsiao ldquoDistributed E-voting andE-bidding systems based on smart contractrdquo Electronicsvol 8 no 4 p 422 2019

[32] X Yang X Yi S Nepal A Kelarev and F Han ldquoA secureverifiable ranked choice online voting system based on ho-momorphic encryptionrdquo IEEE Access vol 6 pp 20506ndash205192018

[33] X Fan T Wu Q Zheng Y Chen M Alam and X XiaoldquoHSE-Voting a secure high-efficiency electronic votingscheme based on homomorphic signcryptionrdquo Future Gen-eration Computer Systems vol 111 pp 754ndash762 2020

[34] J Li X Wang Z Huang L Wang and Y Xiang ldquoMulti-levelmulti-secret sharing scheme for decentralized e-voting incloud computingrdquo Journal of Parallel and Distributed Com-puting vol 130 pp 91ndash97 2019

[35] Y Liu and Q Zhao ldquoE-voting scheme using secret sharingand K-anonymityrdquo World Wide Web vol 22 no 4pp 1657ndash1667 2019


due to the high overhead mix-net is hard to be applied forthe actual election Although blind signature has betterpracticality in e-voting it does not satisfy the security re-quirement of receipt-freeness and verifiability to some ex-tent At present in order to achieve secure and feasiblee-voting homomorphic encryption is popular in conjunc-tion with other encryption techniques such as zero-knowledge proof [32] and partial knowledge proof [33]However the computation burden becomes a problem thatneeds to be solved ampus avoiding these disadvantages ofabove encryption techniques secret sharing is applied toe-voting because of its better completeness and feasibilityand also achieves running time in linear [34] Based on suchadvantages Liu and Zhao [35] recently proposed an e-votingscheme using secret sharing and k-anonymity which ach-ieves the correct tallying result and satisfies the necessarysecurity requirements Concretely the content of one ballotis used to sever as the coefficients of the shared polynomialampe calculated shares are regarded as the encrypted form ofone ballot respectively held by voter voting system and allcandidates ampen according to the additive homomorphismof secret sharing the total number of ballots can be correctlyobtained for each candidate Liu and Zhao [35] declare theire-voting scheme achieves the security requirement of co-ercion resistance which means the voter cannot prove thecontent of his ballot to others

However in this paper we observe that Liu et alrsquosscheme cannot achieve the security requirement of coercionresistance ampe voter can collude with candidates to provethe content of his ballot ampus we propose an improvedcoercion-resistant e-voting scheme to cover up the contentof ballot with masked values which achieves the securityrequirement of coercion resistance Meantime we also solvethe abstention from voting Additionally through theoret-ical analysis and data simulation we indicate that ourproposed e-voting scheme can solve the shortcoming in [35]and has higher time efficiency compared with [32 33] Ourcontributions are shown in details as follows

(1) In Liu et alrsquos scheme [35] all voters and candidateshold shares ampe shared polynomial constructedfrom the original ballot information can be recov-ered if the voter colludes with corresponding can-didates ampe voter can prove which candidate he hasvoted for Liu et alrsquos scheme does not satisfy thecoercion-resistant security requirement ampus wepropose an improved e-voting scheme which re-places the content of the original ballot with maskedvalues to achieve the construction of the sharepolynomial In this way even if the voter colludeswith corresponding candidates to recover the sharedpolynomial he cannot prove the content of his ballotto others ampe improved e-voting scheme achievescoercion-resistant security requirement

(2) ampe improved e-voting scheme considers abstentionwhich Liu et alrsquos scheme [35] does not accomplishIn the improved e-voting scheme voting systemconstructs the shared polynomial of abstainer onlyusing masked values and then performs subsequent

voting process Finally all participants can obtain thecorrect tallying result

(3) ampe security analysis shows that the improvede-voting scheme not only inherits some securityrequirements in Liu et alrsquos scheme [35] but alsoachieves coercion-resistant security requirementwhich Liu et alrsquos scheme does not satisfy Moreoverthe scheme also achieves additional security prop-erties which consist of the integrity of ballots theprivacy of ballots multiple-voting detection andfairness ampe performance analysis shows that theproposed e-voting scheme has higher time efficiencywhen candidates and voters are respectively specificnumber

ampe rest of this paper is organized as follows In Section2 the steps of Liu et alrsquos e-voting scheme are reviewed ampesystem model and threat model are presented in Section 3Section 4 proposes our improved e-voting scheme in detailIn Section 5 we state the differences between Liu et alrsquosscheme and the improved e-voting scheme Finally thesystem analysis and conclusion are respectively presentedin Section 6 and Section 7

2 Review

In this section Liu et alrsquos scheme [35] is reviewed It mainlyconsists of three phases prevoting phase voting phase andpostvoting phase And the process of communication isshown in Figure 1

21 Prevoting Phase Assume that there are n voters and m

candidates respectively ampe voters are divided into severalsets and each set contains k voters

22 Voting Phase

Step 1 Each voter Vi(i 1 n) registers to a trustedauthority centre (AC) ampen the voting system (VS)issues a temporary identity IDi for each voter and noone knows the relationship between voter and histemporary identity IDiStep 2 If the candidate Cj(j 1 m) is selected bythe voter Vi aij 1 otherwise aij 0 ampen VSgenerates the shared polynomial fi(x) ai0 + ai1x +

ai2x2 + middot middot middot + aimxmmodp and computes m + 2 shares

(xj yij) (j 1 2 m + 2) by using the IDs ofvoter Vi candidate Cj (j 1 m) and VSStep 3 VS stores the share (xm+1 yim+1) and thensends shares (xj yij) (j 1 2 m) to corre-sponding candidate Cj and credential CRi ai0 xm+21113966

yim+2 to the voter Vi

23 Postvoting Phase In this phase first voters are ran-domly divided into some sets and each set contains k votersampe process can be briefly described in the following steps








ki1 ai0 If the











322 Attack Process




AC

Candidates

1 Register

Voterv1 v2 2 Vote

3 Credentials

VS

YES

NO

4 Shares

AC

1 Register

oterv1 v2 2 Vote

3 Credentials

YES

NO

4 Shares

vk

C1

C1

C2

C2

C3

C3

Cm-1

Cm-1

Cm

Cm























βi





nj1 b1i B1i 1113936

nj1 b2i















ni1 aij (j











Voter1 Voter2

ACRegister Register

Session key k12

Session key k21

Masked values

B11 B21

Maskedvalues

B12 B22

Ballota11 a12

Cast


Construct




(x1y11) (x2y12)(x1y21) (x2y22)

VS

CR1 CR2

Sum of shares(x1y1)

Sum of shares(x2y2)

Sum of shares(x3y3)




a1a2Verify Publish

Construct

(x3y13) (x3y23)

a0 = ai0

3

i=1




ni1 ai0 If the







6 System Analysis













⋮

⋮




⎧⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎨

⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎩

(1)



nj1 b1i Bmi 1113936

nj1 bmi (i 1 2 n)


1113944

n

i1inetfi(x) 1113944

n

i1ineta0i + 1113944

n


n

j1b1t + 1113944

n

j1ai1



n

i1bmt + 1113944

n

i1inetaim

⎛⎝ ⎞⎠xmmodp

⎧⎪⎨

⎪⎩

1113944n

i1ineta0i + 1113944

n

j1b1t + 1113944

n

i1inetai1


j1bmt + 1113944

n

i1inetaim

⎛⎝ ⎞⎠xmmodp

(2)


nj1 b1t + 1113936


nj1 bmt + 1113936

ni1ine t


ni1ine t aim



nj1 bmt


ni1 fi(x) 1113936

ni1 a0i + 1113936


ni1 aimxmmodp


ni1 ai1 1113936


ni1 aim 1113936

ni1ine t aim






nj1 bmk


nj1 b1k 1113936








614 Fairness






2+



)) (IDCm



)) (IDCm fe(IDCm

))













300

250

200

150

100

50

Tota

l Tim

e Cos

t (s)






200

150

100

50

0

Tota

l Tim

e Cos

t (s)









7 Conclusions


Data Availability




Acknowledgments


References














































ki1 ai0 If the











322 Attack Process




AC

Candidates

1 Register

Voterv1 v2 2 Vote

3 Credentials

VS

YES

NO

4 Shares

AC

1 Register

oterv1 v2 2 Vote

3 Credentials

YES

NO

4 Shares

vk

C1

C1

C2

C2

C3

C3

Cm-1

Cm-1

Cm

Cm























βi





nj1 b1i B1i 1113936

nj1 b2i















ni1 aij (j











Voter1 Voter2

ACRegister Register

Session key k12

Session key k21

Masked values

B11 B21

Maskedvalues

B12 B22

Ballota11 a12

Cast


Construct




(x1y11) (x2y12)(x1y21) (x2y22)

VS

CR1 CR2

Sum of shares(x1y1)

Sum of shares(x2y2)

Sum of shares(x3y3)




a1a2Verify Publish

Construct

(x3y13) (x3y23)

a0 = ai0

3

i=1




ni1 ai0 If the







6 System Analysis













⋮

⋮




⎧⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎨

⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎩

(1)



nj1 b1i Bmi 1113936

nj1 bmi (i 1 2 n)


1113944

n

i1inetfi(x) 1113944

n

i1ineta0i + 1113944

n


n

j1b1t + 1113944

n

j1ai1



n

i1bmt + 1113944

n

i1inetaim

⎛⎝ ⎞⎠xmmodp

⎧⎪⎨

⎪⎩

1113944n

i1ineta0i + 1113944

n

j1b1t + 1113944

n

i1inetai1


j1bmt + 1113944

n

i1inetaim

⎛⎝ ⎞⎠xmmodp

(2)


nj1 b1t + 1113936


nj1 bmt + 1113936

ni1ine t


ni1ine t aim



nj1 bmt


ni1 fi(x) 1113936

ni1 a0i + 1113936


ni1 aimxmmodp


ni1 ai1 1113936


ni1 aim 1113936

ni1ine t aim






nj1 bmk


nj1 b1k 1113936








614 Fairness






2+



)) (IDCm



)) (IDCm fe(IDCm

))













300

250

200

150

100

50

Tota

l Tim

e Cos

t (s)






200

150

100

50

0

Tota

l Tim

e Cos

t (s)









7 Conclusions


Data Availability




Acknowledgments


References




























































βi





nj1 b1i B1i 1113936

nj1 b2i















ni1 aij (j











Voter1 Voter2

ACRegister Register

Session key k12

Session key k21

Masked values

B11 B21

Maskedvalues

B12 B22

Ballota11 a12

Cast


Construct




(x1y11) (x2y12)(x1y21) (x2y22)

VS

CR1 CR2

Sum of shares(x1y1)

Sum of shares(x2y2)

Sum of shares(x3y3)




a1a2Verify Publish

Construct

(x3y13) (x3y23)

a0 = ai0

3

i=1




ni1 ai0 If the







6 System Analysis













⋮

⋮




⎧⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎨

⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎩

(1)



nj1 b1i Bmi 1113936

nj1 bmi (i 1 2 n)


1113944

n

i1inetfi(x) 1113944

n

i1ineta0i + 1113944

n


n

j1b1t + 1113944

n

j1ai1



n

i1bmt + 1113944

n

i1inetaim

⎛⎝ ⎞⎠xmmodp

⎧⎪⎨

⎪⎩

1113944n

i1ineta0i + 1113944

n

j1b1t + 1113944

n

i1inetai1


j1bmt + 1113944

n

i1inetaim

⎛⎝ ⎞⎠xmmodp

(2)


nj1 b1t + 1113936


nj1 bmt + 1113936

ni1ine t


ni1ine t aim



nj1 bmt


ni1 fi(x) 1113936

ni1 a0i + 1113936


ni1 aimxmmodp


ni1 ai1 1113936


ni1 aim 1113936

ni1ine t aim






nj1 bmk


nj1 b1k 1113936








614 Fairness






2+



)) (IDCm



)) (IDCm fe(IDCm

))













300

250

200

150

100

50

Tota

l Tim

e Cos

t (s)






200

150

100

50

0

Tota

l Tim

e Cos

t (s)









7 Conclusions


Data Availability




Acknowledgments


References
















































Voter1 Voter2

ACRegister Register

Session key k12

Session key k21

Masked values

B11 B21

Maskedvalues

B12 B22

Ballota11 a12

Cast


Construct




(x1y11) (x2y12)(x1y21) (x2y22)

VS

CR1 CR2

Sum of shares(x1y1)

Sum of shares(x2y2)

Sum of shares(x3y3)




a1a2Verify Publish

Construct

(x3y13) (x3y23)

a0 = ai0

3

i=1




ni1 ai0 If the







6 System Analysis













⋮

⋮




⎧⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎨

⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎩

(1)



nj1 b1i Bmi 1113936

nj1 bmi (i 1 2 n)


1113944

n

i1inetfi(x) 1113944

n

i1ineta0i + 1113944

n


n

j1b1t + 1113944

n

j1ai1



n

i1bmt + 1113944

n

i1inetaim

⎛⎝ ⎞⎠xmmodp

⎧⎪⎨

⎪⎩

1113944n

i1ineta0i + 1113944

n

j1b1t + 1113944

n

i1inetai1


j1bmt + 1113944

n

i1inetaim

⎛⎝ ⎞⎠xmmodp

(2)


nj1 b1t + 1113936


nj1 bmt + 1113936

ni1ine t


ni1ine t aim



nj1 bmt


ni1 fi(x) 1113936

ni1 a0i + 1113936


ni1 aimxmmodp


ni1 ai1 1113936


ni1 aim 1113936

ni1ine t aim






nj1 bmk


nj1 b1k 1113936








614 Fairness






2+



)) (IDCm



)) (IDCm fe(IDCm

))













300

250

200

150

100

50

Tota

l Tim

e Cos

t (s)






200

150

100

50

0

Tota

l Tim

e Cos

t (s)









7 Conclusions


Data Availability




Acknowledgments


References









































ni1 ai0 If the







6 System Analysis













⋮

⋮




⎧⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎨

⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎩

(1)



nj1 b1i Bmi 1113936

nj1 bmi (i 1 2 n)


1113944

n

i1inetfi(x) 1113944

n

i1ineta0i + 1113944

n


n

j1b1t + 1113944

n

j1ai1



n

i1bmt + 1113944

n

i1inetaim

⎛⎝ ⎞⎠xmmodp

⎧⎪⎨

⎪⎩

1113944n

i1ineta0i + 1113944

n

j1b1t + 1113944

n

i1inetai1


j1bmt + 1113944

n

i1inetaim

⎛⎝ ⎞⎠xmmodp

(2)


nj1 b1t + 1113936


nj1 bmt + 1113936

ni1ine t


ni1ine t aim



nj1 bmt


ni1 fi(x) 1113936

ni1 a0i + 1113936


ni1 aimxmmodp


ni1 ai1 1113936


ni1 aim 1113936

ni1ine t aim






nj1 bmk


nj1 b1k 1113936








614 Fairness






2+



)) (IDCm



)) (IDCm fe(IDCm

))













300

250

200

150

100

50

Tota

l Tim

e Cos

t (s)






200

150

100

50

0

Tota

l Tim

e Cos

t (s)









7 Conclusions


Data Availability




Acknowledgments


References

















































⋮

⋮




⎧⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎨

⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎩

(1)



nj1 b1i Bmi 1113936

nj1 bmi (i 1 2 n)


1113944

n

i1inetfi(x) 1113944

n

i1ineta0i + 1113944

n


n

j1b1t + 1113944

n

j1ai1



n

i1bmt + 1113944

n

i1inetaim

⎛⎝ ⎞⎠xmmodp

⎧⎪⎨

⎪⎩

1113944n

i1ineta0i + 1113944

n

j1b1t + 1113944

n

i1inetai1


j1bmt + 1113944

n

i1inetaim

⎛⎝ ⎞⎠xmmodp

(2)


nj1 b1t + 1113936


nj1 bmt + 1113936

ni1ine t


ni1ine t aim



nj1 bmt


ni1 fi(x) 1113936

ni1 a0i + 1113936


ni1 aimxmmodp


ni1 ai1 1113936


ni1 aim 1113936

ni1ine t aim






nj1 bmk


nj1 b1k 1113936








614 Fairness






2+



)) (IDCm



)) (IDCm fe(IDCm

))













300

250

200

150

100

50

Tota

l Tim

e Cos

t (s)






200

150

100

50

0

Tota

l Tim

e Cos

t (s)









7 Conclusions


Data Availability




Acknowledgments


References












































614 Fairness






2+



)) (IDCm



)) (IDCm fe(IDCm

))













300

250

200

150

100

50

Tota

l Tim

e Cos

t (s)






200

150

100

50

0

Tota

l Tim

e Cos

t (s)









7 Conclusions


Data Availability




Acknowledgments


References










































300

250

200

150

100

50

Tota

l Tim

e Cos

t (s)






200

150

100

50

0

Tota

l Tim

e Cos

t (s)









7 Conclusions


Data Availability




Acknowledgments


References










































7 Conclusions


Data Availability




Acknowledgments


References
































































Documents

ResearchArticle AnImprovedCoercion-ResistantE-VotingScheme