Transformation from e-voting to e-cheque

Yun-Xing Kho; Swee-Huay Heng; Syh-Yuan Tan; Ji-Jian Chin

doi:10.1371/journal.pone.0302659

Abstract

Although e-voting scheme and e-cheque scheme are two different applications, they have similarities in the scheme definitions and security properties. This inspires us to establish a relationship between the two schemes by formalising a generic transformation from e-voting to e-cheque scheme. Firstly, we define the scheme definitions and security models for both e-voting scheme and e-cheque scheme. Subsequently, we demonstrate a generic transformation framework from e-voting to e-cheque with asymptotic complexity of and design a formal proof to show that a secure e-voting scheme can be transformed into a secure e-cheque scheme. As a proof of concept, we apply our newly proposed transformation technique to the e-voting scheme proposed by Li et al. and obtain a concrete e-cheque scheme.

Citation: Kho Y-X, Heng S-H, Tan S-Y, Chin J-J (2024) Transformation from e-voting to e-cheque. PLoS ONE 19(6): e0302659. https://doi.org/10.1371/journal.pone.0302659

Editor: Letterio Galletta, IMT Alti Studi: Scuola IMT Alti Studi Lucca, ITALY

Received: July 25, 2023; Accepted: April 10, 2024; Published: June 20, 2024

Copyright: © 2024 Kho et al. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.

Data Availability: This paper does not report data and the data availability policy is not applicable.

Funding: -Initials of the authors who received each award: PROF. TS. DR. HENG SWEE HUAY -Grant numbers awarded to each author: RDTC/221045 -The full name of the funder: Telekom Malaysia Research & Development Grant -Did the sponsors or funders play any role in the study design, data collection and analysis, decision to publish, or preparation of the manuscript: NO.

Competing interests: NO authors have competing interests.

1 Introduction

There are many studies of electronic systems (e-systems) in the literature such as e-voting [1–4] and e-cheque [5–8]. Chaum in 1981 first introduced the concept of e-voting scheme [9] that serves as a platform that permits an individual to collaboratively make a decision or to choose a representative through online means while Chaum et al. in 1988 [10] first introduced the concept of e-cheque scheme in which e-cheque is a digital analogy to a paper cheque. Even though these systems may seem very different in their respective applications, they share similarities in their scheme definitions and security properties which lead to the possibility of establishing a generic transformation framework, that is we can derive one scheme from another scheme. However, the research communities are disjointed [11] and to the best of our knowledge, there is no transformation frameworks between e-voting and e-cheque have been explored. The beauty of transformation is that we do not need to build the entire scheme from scratch, and a transformed scheme inherits the security guarantee from the original scheme.

1.1 Related work

e-Auction was first proposed by Franklin and Reiter in 1996 [12]. In an e-auction, the auctioneer can place products or services on the website for auction and the bidder can bid for their desired products or services on the bidding website. The bidder with the highest bid wins the game. McCarthy et al. [13] and Quaglia and Smyth [14] presented some transformations from e-voting to e-auction subsequently. More specifically, McCarthy et al. [13] proposed two specific transformations from e-voting to e-auction, namely, from Helios e-voting to Hawk e-auction scheme and from Civitas e-voting to Aucitas e-auction. McCarthy et al. [13] claimed that the Hawk e-auction satisfied indistinguishability under chosen-plaintext attack (IND-CPA) while the Aucitas e-auction satisfied collusion resistance without providing security proofs [14]. Quaglia and Smyth [14] proposed a generic transformation framework from e-voting to a secret, verifiable e-auction. Quaglia and Smyth [14] revised the proposed scheme of McCarthy et al. [13] by providing strong theoretical foundation where the scheme satisfied correctness, injectivity, completeness, verifiability and bid secrecy. Yeow et al. [15] presented a generic transformation framework from e-auction to e-cheque. Their proposed transformation framework satisfied existential unforgeability under chosen account attack (EUF-CAA), payer anonymity under chosen account attack (PA-CAA), and indistinguishability under chosen cheque attack (IND-CCeA). We observed that since e-voting can be transformed into e-auction and e-auction can be transformed into e-cheque as shown in Fig 1. To the best of our knowledge, there is no direct transformation from e-voting to e-cheque has been proposed in the literature. Hence, it would be natural to explore the possibility of direct transformation between e-voting and e-cheque as the two schemes possess high similarities in terms of scheme definitions and security properties. In this work, we demonstrate that the disjoint research fields of e-voting and e-cheque are related. Our work unifies e-voting and e-cheque, and thus expedite the development of both fields. Particularly, a secure e-cheque scheme can now be directly derived from an e-voting scheme without first transforming the e-voting to an e-auction and then only transforming the e-auction to an e-cheque.

Download:

Fig 1. Transformation between e-auction, e-voting, and e-cheque.

https://doi.org/10.1371/journal.pone.0302659.g001

While Quaglia and Smyth [14] proposed a generic transformation framework from e-voting to e-auction with asymptotic complexity of , Yeow et al. [15] presented a generic transformation framework from e-auction to e-cheque with asymptotic complexity of . Therefore, using current transformation frameworks to obtain e-cheque from e-voting scheme required first transforming the e-voting to an e-auction and then only transforming the e-auction to an e-cheque, thus required as shown in Table 1. We propose a direct transformation from e-voting to e-cheque which only required the complexity of .

Download:

Table 1. Comparison with related generic transformation frameworks.

https://doi.org/10.1371/journal.pone.0302659.t001

1.2 Our contribution

In this paper, we first review the scheme definitions of e-voting and e-cheque, followed by their security models respectively. While a rigorous security model for e-cheque schemes has been established [15], it is not the case for e-voting schemes. Therefore, we define some important security properties for e-voting, namely, confidentiality, anonymity, and unforgeability that are required to perform the transformation before presenting the generic transformation from e-voting to e-cheque. With that, we can support the proposed transformation with rigorous security proofs which shows that if the underlying e-voting scheme fulfills confidentiality, anonymity, and unforgeability, then the transformed e-cheque scheme is also fulfills confidentiality, anonymity, and unforgeability. Finally, we demonstrate this established transformation framework by providing an instance in which we exhibit how to derive an e-cheque scheme by employing the e-voting scheme proposed by Li et al. [16] as the underlying scheme.

2 Definitions

2.1 e-voting

Since the existing definitions for e-voting schemes are more specific based on the respective constructions, we make an effort to provide a more general definition which applies to all construction.

The e-voting scheme consists of three algorithms:

Register (1^k) → {(pk_T, sk_T), (pk_V, sk_V)}: This algorithm is executed by a trusted third party (TTP). It takes the security parameters 1^k as the input and outputs a pair of public and private keys for the tallier (pk_T, sk_T) and the voter (pk_V, sk_V).
Vote (pk_T, sk_V, v) → (Bal): This algorithm is executed by the voter. It takes the tallier’s public key pk_T, the voter’s private key sk_V, and the voter’s choice of candidates (v) as input and outputs ballot (Bal). The voter submits Bal to the tallier to cast a vote.
Tally (sk_T, pk_V, Bal) → (Result_V): This algorithm is executed by the tallier. The tallier takes the tallier’s private key sk_T, the voter’s public key pk_V, and the ballot Bal as input, verifies if the Bal is valid then computes the tally result (Result_V) of the valid Bal.

2.2 e-cheque

The e-cheque scheme consists of three algorithms [15]:

Register (1^k) → {(pk_B, sk_B), (pk_P, sk_P)}: This algorithm is executed by a trusted third party (TTP). It takes the security parameters 1^k as input and outputs a pair of public and private keys for the bank (pk_B, sk_B) and the payer (pk_P, sk_P).
Write (pk_B, sk_P, M) → (ϑ): This algorithm is executed by the payer. It takes the bank’s public key pk_B, the payer’s private key sk_P, and M where M = (I, $), I is the account information and $ is the amount as input and outputs a concealed cheque (ϑ). The payer submits ϑ to the bank system.
Transfer (sk_B, pk_P, ϑ) → (Result_T): This algorithm is executed by the bank. The bank takes its own private key sk_B, payer’s public key pk_P, and a concealed cheque ϑ as input and verifies if the ϑ is valid then the bank processes the transaction (Result_T) according to the M embedded in valid ϑ.

3 Security model

3.1 Security requirements for e-voting

Confidentiality. According to Bernhard et al. [17], confidentiality and privacy are synonymous in most security applications. In an e-voting scheme, privacy means the cast votes are anonymous to any party except when the election result reveals the vote [18]. We define for the first time the following game as indistinguishability under chosen ballot attack (IND-CBAA). We define the game between the Adversary and Challenger as follows.
- Registration phase: The Challenger provides the system parameters to the Adversary.
- Training phase: The Adversary can query v_i to the Vote oracle and get a ballot Bal_i in return where i is the number of iterations run by the Adversary. The Adversary can verify Bal_i by issuing Bal_i to the Tally oracle. The Tally oracle will reply tally result to the Adversary, the Adversary extracts the validity result either valid or invalid from the tally result.
- Identifying phase: The Adversary chooses v₀ and v₁ and sends both to the Challenger. The Challenger chooses a random b ∈ {0, 1} and returns Bal* where Bal* is generated from v_b. The Adversary makes a guess b′ = {0, 1} and wins the game if b′ = b.
Definition 1 (IND-CBAA). An e-voting scheme is (ε, t)-indistinguishable under chosen ballot attack (IND-CBAA) if no probabilistic polynomial time Adversary can win the game above in time t, Adversaries advantage ε, and .
Anonymity. According to Zaghloul et al. [1], anonymity in an e-voting scheme means the identity of the voter remains anonymous. We define for the first time the following game as indistinguishability under chosen voter’s vote attack (IND-CVA). We define the game between the Adversary and Challenger as follows.
- Registration phase: The Challenger provides the system parameters to the Adversary.
- Training phase: The Adversary can query v_i to the Vote oracle and get a ballot Bal_i in return where i is the number of iterations run by the Adversary. The Adversary can verify Bal_i by issuing Bal_i to the Tally oracle. The Tally oracle will reply tally result to the Adversary, the Adversary extracts the validity result either valid or invalid from the tally result.
- Identifying phase: The Adversary chooses v* and sends it to the Challenger. The Challenger returns Bal_b where b ∈ {0, 1} and one of them is generated by using v*. The Adversary makes a guess b′ = {0, 1} and wins the game if b′ = b.
Definition 2 (IND-CVA). An e-voting scheme is (ε, t)-indistinguishable under chosen voter’s vote attack (IND-CVA) if no probabilistic polynomial time Adversary can win the game above in time t, Adversaries advantage ε, and .
Unforgeability. According to Li and Lai [19], unforgeability in an e-voting scheme means it is infeasible to forge a valid ballot for another voter. We define for the first time the following game as existential unforgeability under chosen vote attack (EUF-CVA). We define the game between the Adversary and Challenger as follows.
- Registration phase: The Challenger provides the system parameters to the Adversary.
- Training phase: The Adversary can query v_i to the Vote oracle and get a ballot Bal_i in return where i is the number of iterations run by the Adversary. The Adversary can verify Bal_i by issuing Bal_i to the Tally oracle. The Tally oracle will reply tally result to the Adversary, the Adversary extracts the validity result either valid or invalid from the tally result.
- Forging phase: The Adversary chooses v* and forges Bal*. If the Bal* is a valid ballot, the Adversary wins the game.
Definition 3 (EUF-CVA). An e-voting scheme is (ε, t)-existential unforgeable under chosen vote attack (EUF-CVA) if no probabilistic polynomial time Adversary can win the game above in time t, Adversaries advantage ε, and Pr[Bal* is valid] ≤ ε.

3.2 Security requirements of e-cheque

Confidentiality. According to Yeow et al. [15], confidentiality in the e-cheque scheme means the invalid and unused e-cheques are anonymous to any party. The following game is the indistinguishability under chosen cheque attack (IND-CCEA) security notion for an e-cheque scheme. The security model proposed by Yeow et al. [15] is as follows.
- Registration phase: The Challenger provides the system parameters to the Adversary.
- Training phase: The Adversary can query M_i to the Write oracle and get a cheque ϑ_i in return where i is the number of iterations the Adversary runs. The Adversary can verify ϑ_i by issuing ϑ_i to the Transfer oracle. The Transfer oracle will reply transaction result to the Adversary, the Adversary extracts the validity result either valid or invalid from the transaction result.
- Identifying phase: The Adversary chooses M₀ and M₁ and sends both to the Challenger. The Challenger chooses a random b ∈ {0, 1} and returns ϑ* where ϑ* is generated from M_b. The Adversary makes a guess and wins the game if .
Definition 4 (IND-CCEA). An e-cheque scheme is (ε′, t)-indistinguishable under chosen cheque attack (IND-CCEA) if no probabilistic polynomial time Adversary can win the game above in time t, Adversaries advantage ε, and .
Anonymity. According to Yeow et al. [15], anonymity in the e-cheque scheme means the identity of the payer remains secret from others except for the bank. The following game is the indistinguishability under chosen cheque’s information attack (IND-CIA) security notion for an e-cheque scheme. The security model proposed by Yeow et al. [15] is as follows.
- Registration phase: The Challenger provides the system parameters to the Adversary.
- Training phase: The Adversary can query M_i to the Write oracle and get a cheque ϑ_i in return where i is the number of iterations the Adversary runs. The Adversary can verify ϑ_i by issuing ϑ_i to the Transfer oracle. The Transfer oracle will reply transaction result to the Adversary, the Adversary extracts the validity result either valid or invalid from the transaction result.
- Identifying phase: The Adversary chooses M* and sends it to the Challenger. The Challenger returns ϑ_b where b ∈ {0, 1} and one of them is generated by using M*. The Adversary makes a guess and wins the game if .
Definition 5 (IND-CIA). An e-cheque scheme is (ε′, t)-indistinguishable under chosen cheque’s information attack (IND-CIA) if no probabilistic polynomial time Adversary can win the game above in time t, Adversaries advantage ε, and .
Unforgeability. According to Yeow et al. [15], unforgeability in an e-cheque scheme means it is infeasible to forge a valid signed e-cheque of another user. The following game is the existential unforgeability under chosen cheque’s information attack (EUF-CIA) security notion for an e-cheque scheme. The security model proposed by Yeow et al. [15] is as follows.
- Registration phase: The Challenger provides the system parameters to the Adversary.
- Training phase: The Adversary can query M_i to the Write oracle and get a cheque ϑ_i in return where i is the number of iterations the Adversary runs. The Adversary can verify ϑ_i by issuing ϑ_i to the Transfer oracle. The Transfer oracle will reply transaction result to the Adversary, the Adversary extracts the validity result either valid or invalid from the transaction result.
- Forging phase: The Adversary chooses M* and forges ϑ*. If the ϑ* is a valid cheque, the Adversary wins the game.
Definition 6 (EUF-CIA). An e-cheque scheme is (ε′, t)-existential unforgeable under chosen cheque’s information attack (EUF-CIA) if no probabilistic polynomial time Adversary can win the game above in time t, Adversaries advantage ε, and .

4 Transformation

We now present a generic transformation from e-voting scheme to an e-cheque scheme. We first explain the entities and associated information at below:

Tallier in e-voting scheme plays the role as the bank in e-cheque scheme.
Voter in e-voting scheme plays the role as the payer in e-cheque scheme.
Candidate in e-voting scheme plays the role as the payee in e-cheque scheme.
Ballot in e-voting scheme is viewed as the cheque in e-cheque scheme.
Vote in e-voting scheme is viewed as the account information and amount in e-cheque scheme.

Subsequently, a transformed e-cheque scheme can be constructed as follows:

Register (1^k) → {(pk_B, sk_B), (pk_P, sk_P)}. A TTP runs the registration of e-voting Register (1_k) → {(pk_T, sk_T), (pk_V, sk_V)} to set the (pk_B, sk_B) = (pk_T, sk_T) and (pk_P, sk_P) = (pk_V, sk_V).
Write (pk_B, sk_P, M) → ϑ. A payee runs the voting algorithm of e-voting Vote (pk_T, sk_V, v) → Bal, where pk_T = pk_B, sk_V = sk_P, v = M, and the output Bal = ϑ.
Transfer (sk_B, pk_P, ϑ) → Result_T. The bank runs the tally algorithm of the e-voting Tally (sk_T, pk_V, Bal) → Result_V, where sk_T = sk_B, pk_V = pk_P, Bal = ϑ, and the verification result of the e-voting Result_V = the verification result of the e-cheque Result_T

We note that there exists an implementation process to which we may need to pay more attention. More specifically, a bulletin board is required in an e-voting scheme but it is not required in an e-cheque scheme. Therefore, we propose to treat the bulletin board in the e-voting scheme as a platform in the banking system to verify the status of the cheque transaction process, which somehow seems natural.

We also noticed that the transformation from e-cheque to e-voting cannot be performed directly due to the security requirements for e-voting are more stringent than e-cheque. In precise, an e-voting scheme requires receipt-freeness, where the voter cannot attain any information that can be used to prove how he voted for any party. It also demands coercion-resistance, where the coercers cannot insist that voters vote in a certain way and the voter cannot prove his vote to the information buyer [20]. On the contrary, e-cheque scheme does not require these properties. Nevertheless, extensive studies are required to affirm if such a transformation is possible.

5 Security analysis

We provide the security analysis to show that the transformed e-cheque scheme fulfils the respective security requirements which follow directly from those of the underlying e-voting scheme. Theorem 1, Theorem 2, and Theorem 3 present respectively the security analysis of confidentiality, anonymity and unforgeability of the transformed e-cheque scheme from e-voting scheme.

5.1 Confidentiality

Theorem 1. Let e-voting = {Register, Vote, Tally} be the secure e-voting scheme and let e-cheque = {Register, Write, Transfer} be the transformed e-cheque scheme. If the underlying e-voting scheme is (t, q_v, ε)-secure against indistinguishability under chosen ballot attack (IND-CBAA), then the transformed e-cheque scheme is (t′, q_w, ε′)-secure against indistinguishability under chosen cheque attack (IND-CCEA), where (1) q_w, q_v are the total write and vote query, respectively, and n is a negligible function parameterised by the security parameter k.

Proof. Suppose that A₂ is an Adversary who (t′, q_w, ε′)-breaks the IND-CCEA of e-cheque scheme. We show that e-voting scheme is not (t, q_v, ε)- secure. Hence, we show how A₁ can use A₂ to (t, q_v, ε)-break the IND-CBAA of e-voting scheme. A₁ runs A₂ as a subroutine and simulates its attack environment. Fig 2 shows the simulated Adversary game and the environment between A₁ and A₂.

Download:

Fig 2. Proof of contradiction—Confidentiality.

https://doi.org/10.1371/journal.pone.0302659.g002

The Challenger passes Params to A₁. A₁ passes Params to A₂ and completed the Register phase. In the Training phase, A₂ issues M as a write query to A₁. A₁ sets v = M and inputs v to Vote oracle using vote query to produce Bal. A₁ sets ϑ = Bal, A₁ returns ϑ to A₂. A₂ issues ϑ as a transfer query to A₁. A₁ sets Bal = ϑ and inputs Bal to Tally oracle to verify if Bal is valid. The Tally oracle returns the tally result to A₁, A₁ extracts the validity result from the tally result and returns the validity result either valid or invalid to A₂.

At some point, A₂ decides that the Training phase is over and starts the Identifying phase. A₂ chooses M₀ and M₁. A₂ passes M₀ and M₁ to A₁. A₁ sets v₀ = M₀, v₁ = M₁. A₁ sends v₀ and v₁ to Vote oracle to obtain Bal_b. A₁ sets ϑ_b = Bal_b, A₁ delivers ϑ_b as the problem in IND-CBAA as the challenge to A₂. With a probability , A₂ outputs a correct guess b′ in return. A₁ uses A₂’s answer as its guess. Since b′ = b, A₁ thus breaks IND-CBAA security.

As A₁ simulates the environment perfectly, we have ε = ε′ and t = t′ as required where A₁ runs in time t while A₂ runs in time t′.

5.2 Anonymity

Theorem 2. Let e-voting = {Register, Vote, Tally} be the secure e-voting scheme and let e-cheque = {Register, Write, Transfer} be the transformed e-cheque scheme. If the underlying e-voting scheme is (t, q_v, ε)-secure against indistinguishability under chosen voter’s vote attack (IND-CVA), then the transformed e-cheque scheme is (t′, q_w, ε′)-secure against indistinguishability under chosen cheque’s information attack (IND-CIA), where (2) q_w, q_v is the total write and vote query, respectively, and n is a negligible function parameterised by the security parameter k.

Proof. Suppose that A₂ is an Adversary who (t′, q_w, ε′)-breaks the IND-CIA of e-cheque scheme. We show that e-voting scheme is not (t, q_v, ε)- secure. Hence, we show how A₁ can use A₂ to (t, q_v, ε)-break the IND-CVA of e-voting scheme. A₁ runs A₂ as a subroutine and simulates its attack environment. Fig 3 shows the simulated adversarial game and environment between A₁ and A₂.

Download:

Fig 3. Proof of contradiction—Anonymity.

https://doi.org/10.1371/journal.pone.0302659.g003

The Challenger passes Params to A₁. A₁ passes Params to A₂ and completed the Register phase. In the Training phase, A₂ issues M as a write query to A₁. A₁ sets v = M and inputs v to Vote oracle using vote query to produce Bal. A₁ sets ϑ = Bal, A₁ returns ϑ to A₂. A₂ issues ϑ as a transfer query to A₁. A₁ sets Bal = ϑ and inputs Bal to Tally oracle to verify if Bal is valid. The Tally oracle returns the tally result to A₁, A₁ extracts the validity result from the tally result and returns the validity result either valid or invalid to A₂.

At some point, A₂ decides that the Training phase is over and starts the Identifying phase. A₂ passes M* to A₁. A₁ sets v* = M* and sends v* to Vote oracle to obtain Bal_b where b ∈ {0, 1} and one of them is generated by using v*. A₁ sets ϑ_b = Bal_b and returns ϑ_b as the problem in IND-CVA as the challenge to A₂. With a probability , A₂ outputs a correct guess ϑ_b in return. A₁ uses A₂’s answer as its guess. Since ϑ_b is valid, then Bal_b is valid, A₁ thus breaks IND-CVA security.

As A₁ simulates the environment perfectly, we have ε = ε′ and t = t′ as required where A₁ runs in time t while A₂ runs in time t′.

5.3 Unforgeability

Theorem 3. Let e-voting = {Register, Vote, Tally} be the secure e-voting scheme and let e-cheque = {Register, Write, Transfer} be the transformed e-cheque scheme. If the underlying e-voting scheme is (t, q_v, ε)-secure against existential unforgeable under chosen vote attack (EUF-CVA), then the transformed e-cheque scheme is (t′, q_w, ε′)-secure against existential unforgeability under chosen cheque’s information attack (EUF-CIA), where (3) q_w, q_v is the total write and vote query, respectively, and n is a negligible function parameterised by the security parameter k.

Proof. Suppose that A₂ is an Adversary who (t′, q_w, ε′)-breaks the EUF-CIA of e-cheque scheme. We show that e-voting scheme is not (t, q_v, ε)- secure. Hence, we show how A₁ can use A₂ to (t, q_v, ε)-break the EUF-CVA of e-voting scheme. A₁ runs A₂ as a subroutine and simulates its attack environment. Fig 4 shows the simulated adversarial game and environment between A₁ and A₂.

Download:

Fig 4. Proof of contradiction—Unforgeability.

https://doi.org/10.1371/journal.pone.0302659.g004

The Challenger passes Params to A₁. A₁ passes Params to A₂ and completed the Register phase. In the Training phase, A₂ issues M as a write query to A₁. A₁ sets v = M and inputs v to Vote oracle using vote query to produce Bal. A₁ sets ϑ = Bal, A₁ returns ϑ to A₂. A₂ issues ϑ as a transfer query to A₁. A₁ sets Bal = ϑ and inputs Bal to Tally oracle to verify if Bal is valid. The Tally oracle returns the tally result to A₁, A₁ extracts the validity result from the tally result and returns the validity result either valid or invalid to A₂.

At some point, A₂ decides that the Training phase is over and starts the Forging phase. With a probability , A₂ outputs a guess ϑ* to A₁. A₁ uses A₂’s answer as its guess. Since ϑ* is valid, then Bal* is valid, A₁ thus breaks EUF-CVA security.

As A₁ simulates the environment perfectly, we have ε = ε′ and t = t′ as required where A₁ runs in time t while A₂ runs in time t′.

6 An instance

Li et al. [16] proposed an anonymous authentication scheme, namely, event-oriented linkable and traceable anonymous authentication (EOLTAA) and utilised the EOLTAA scheme with public key encryption scheme that is semantically secure to construct a blockchain e-voting scheme. We provide a review of the underlying PKE, EOLTAA and the scheme definitions of Li et al.’s e-voting scheme. We then formally prove that their proposed e-voting scheme possesses confidentiality, anonymity, and unforgeability. Lastly, we perform a transformation from Li et al.’s e-voting scheme to an e-cheque scheme as an instance.

6.1 Underlying cryptographic tools

We review the public key encryption scheme and event-oriented linkable and traceable anonymous authentication scheme as follows.

Public Key Encryption (PKE) Scheme [21]. A PKE scheme consists of three algorithms:
- E.KeyGen (1^λ) → (pk_e, sk_e). This algorithm takes security parameter (1^λ) as the input and outputs a pair of public and private key for the user (pk_e, sk_e).
- E.Encrypt (m, pk_e) → C. This algorithm takes a message m and a public key (pk_e) as input and outputs a ciphertext C.
- E.Decrypt (C, sk_e) → m. This algorithm takes a ciphertext C and a private key sk_e as input and outputs the message m.
The Event-Oriented Linkable and Traceable Anonymous Authentication (EOLTAA) Scheme [16]. An EOLTAA scheme contains seven algorithms:
- CSetup (1^λ) → (MSK, MPK). The master key generation algorithm takes security parameter (λ) as input and outputs a master secret key (MSK) and a master public key (MPK).
- UKeyGen (1^λ) → (usk, upk). The user key generation algorithm takes a security parameter (λ) as input and outputs a secret key (usk) and a public key (upk).
- CertGen (upk, MSK) → Cert. The certificate generation algorithm takes upk and MSK as input and outputs a certificate (Cert) that validates the corresponding upk.
- Auth (m = e ∥ p, upk, usk, Cert, MPK) → π. The authentication algorithm takes message (m), event identifier (e), payload (p), upk, usk, Cert, MPK as input and outputs an authentication token (π) on the m.
- Verify (m, π, MPK) → 0/1. The verification algorithm takes m, π, MPK as input and outputs 0 or 1 to verify if the proof is invalid or valid.
- Link (m₁, m₂, π₁, π₂) → 0/1. The linking algorithm takes two valid m, and authentication token pairs (m₁, π₁), (m₂, π₂) as input and outputs 1 if the two m bind with a common event that is authenticated by the same user; otherwise, outputs 0.
- Trace (m₁, m₂, π₁, π₂) → ⊥ /upk. The trace algorithm takes two valid m, and authentication token pairs (m₁, π₁), (m₂, π₂) as input and outputs upk of the user who authenticates two messages that bind with a common event; otherwise, outputs ⊥.

6.2 Li et al.’s e-voting scheme

We review the e-voting scheme definitions as follows.

Suppose E = {E.KeyGen, E.Encrypt, E.Decrypt} is a semantically secure public key encryption scheme and Φ = {Φ_⋅CSetup, Φ_⋅UKeyGen, Φ_⋅CertGen, Φ_⋅Auth, Φ_⋅Verify, Φ_⋅Link, Φ_⋅Trace} is the event-oriented linkable and traceable anonymous authentication scheme. The e-voting scheme consists of four phases, namely, Setup, Register, Vote, and Tally.

Setup 1^λ → MPK. Certificate authority uses Φ.CSetup to generate master public key MPK and sends the public parameters as a transaction to the blockchain.

Register 1^λ → (pk, sk);(pk, MSK) → Cert. Voters and the tallier set up their key pairs using Φ_⋅UKeyGen and register a certificate, Cert with certificate authority where the tallier holds {(pk_T, sk_T), Cert_T} and the voters holds {(upk_i, usk_i), Cert_i}.

Vote (pk_e, v) → C_i; (C_i, upk_i, usk_i, Cert_i, MPK) → π_i. The tallier chooses a random number vid as e-voting’s ID and creates a key pair (sk_e, pk_e) used to encrypt the ballot. The tallier generates a new blockchain account address, addr_T and creates an authentication token, π_T to authenticate vid||addr_T where π_T = Φ_⋅Auth(vid||addr_T, pk_T, sk_T, Cert_T, MPK). Tallier then creates a smart contract (sc) that consists of vid, π_T, pk_e, MPK. Tallier sends (vid||addr_T, sc, π_T) to blockchain using addr_T.

After the voter receives this voting, the voter chooses one candidate and encrypts it with pk_e to generate C_i. Voter creates an authentication token π_i = Φ_⋅Auth(vid||C_i, upk_i, usk_i, Cert_i, MPK) and creates blockchain account address addr_i. Voter sends (C_i, π_i) to the blockchain using addr_i.

Tally (sk_e, C_i, π_i) → result. Smart contract runs Φ_⋅Verify(vid||C_i, π_i, MPK) to check each received ballot and its authentication pair. The invalid ballot is removed. Then, check if the valid ballot is double-vote by running Φ_⋅Link(C_i, C_*, π_i, π_*) for each (C_*, π_*) that is used before, and run Φ_⋅Trace(C_i, C_*, π_i, π_*) to detect the double-vote voter’s identity.

The tallier receives all valid ballots and decrypts them using (sk_e) and calculates the final election result (result). The tallier generates zero-knowledge proof π_result with sk_e as the witness. In the end, the tallier sends {result, π_result} to the blockchain and anyone can see the final election result.

6.3 The transformed e-cheque scheme

We perform a transformation from Li et al.’s [16] e-voting scheme to an e-cheque scheme as an instance. Li et al.’s e-voting scheme consists of four algorithms, namely, Setup, Register, Vote, Tally. We combine their Setup algorithm and Register algorithm to a single Register algorithm. We perform the transformation as follows.

Suppose E = {E.KeyGen, E.Encrypt, E.Decrypt} is a semantically secure public key encryption scheme and Φ = {Φ_⋅CSetup, Φ_⋅UKeyGen, Φ_⋅CertGen, Φ_⋅Auth, Φ_⋅Verify, Φ_⋅Link, Φ_⋅Trace} is the event-oriented linkable and traceable anonymous authentication scheme. The e-cheque scheme consists of three phases, namely, Register, Write, and Transfer.

Register 1^λ → (MPK, pk, sk);(pk, MSK) → Cert. Certificate authority uses Φ.CSetup to generate master public key MPK and sends the public parameters as a transaction to the blockchain. Payer and the bank set up their key pairs using Φ_⋅UKeyGen and register a certificate, Cert with certificate authority where the bank (pk_B, sk_B), Cert_B and payer (upk_i, usk_i), Cert_i.

Write (pk_e, M) → C_i; (C_i, upk_i, usk_i, Cert_i, MPK) → π_i. The bank chooses a random number vid as e-cheque’s ID and creates a key pair (sk_e, pk_e) used to encrypt the e-cheque. The bank generates a new blockchain account address, addr_B and creates an authentication token, π_B to authenticate vid||addr_B where π_B = Φ_⋅Auth(vid||addr_B, pk_B, sk_B, Cert_B, MPK). bank then creates a smart contact (sc) that consists of vid, π_B, pk_e, MPK. bank sends (vid||addr_B, sc, π_B) to blockchain using addr_B.

After the payer receives the e-cheque, the payer writes payee’s account information and amount M to the e-cheque and encrypts it with pk_e to generate C_i. Payer creates an authentication token π_i = Φ_⋅Auth(vid||C_i, upk_i, usk_i, Cert_i, MPK) and creates blockchain account address addr_i. Payer sends (C_i, π_i) to the blockchain using addr_i.

Transfer (sk_e, C_i, π_i) → result. Smart contract runs Φ_⋅Verify(vid||C_i, π_i, MPK) to check each received e-cheque and its authentication pair. The invalid e-cheque is removed. Then, check if the valid e-cheque is double-spent before by running Φ_⋅Link(C_i, C_*, π_i, π_*) for each (C_*, π_*) that is used before, and runs Φ_⋅Trace(C_i, C_*, π_i, π_*) to detect the double-spent payer’s identity.

The bank receives all valid cheque and decrypts them using (sk_e) and credits the amount from payer’s account to payee’s account. The bank generates zero-knowledge proof π_result with sk_e as the witness. In the end, the bank notifies payer and payee that the e-cheque transaction is completed.

6.4 Security analysis of Li et al.’s e-voting scheme

Li et al. claimed that their e-voting scheme is secure since the underlying tools are secure without formal security analysis of the e-voting scheme. Thus, we formally prove that their proposed e-voting scheme possesses confidentiality, anonymity, and unforgeability, following our formalised security notions, namely, IND-CBAA, IND-CVA, and EUF-CVA.

6.4.1 Confidentiality.

Theorem 4. Let AUTHPKE = {Register, Authentication, Verification} be the secure event-oriented linkable and traceable anonymous authentication scheme and public key encryption scheme. Let e-voting = {Register, Vote, Tally} be the e-voting scheme. If the underlying AUTHPKE scheme is (t, q_a, ε)-secure against indistinguishability under chosen-ciphertext attacks (IND-CCA), then the e-voting scheme is (t′, q_v, ε′)-secure against indistinguishability under chosen ballot attack (IND-CBAA), where (4) q_v is the vote query, q_a is the authentication query, ε is the non-negligible advantage to break the IND-CCA in AUTHPKE, ε′ is the non-negligible advantage to break the IND-CBAA in e-voting, n is a negligible function parameterised by the security parameter k, and t is the time required to complete the attack.

Proof. Suppose that A₂ is an Adversary who (t′, q_v, ε′)-breaks the IND-CBAA of e-voting scheme and A₁ = A_PKE is the Adversary which (t, q_a, ε)-breaks the IND-CCA of the AUTHPKE scheme. We show that AUTHPKE scheme is not (t, q_a, ε)- secure. Hence, we show how A₁ can use A₂ to (t, q_a, ε)-break the IND-CCA of AUTHPKE scheme. A₁ runs A₂ as a subroutine and simulates its attack environment.

The AUTHPKE Challenger passes Params, public key upk, private key usk, and certificate Cert to A₁ where the upk, usk, and Cert are from the EOLTAA scheme. We let A₁ possesses the (upk, usk, Cert) of the EOLTAA scheme so that it can simulate the Vote oracle and Tally oracle for A₂. Note that, even though A₁ possesses (upk, usk, Cert) of the EOLTAA scheme it does not help A₁ in breaking the IND-CCA security. A₁ passes Params to A₂ and completed the Register phase.

In the Training phase, A₂ issues v as a vote query to A₁ which is the Vote oracle from A₂’s view. A₁ sets m = v and encrypts m to produce C. Then, A₁ generates π on C and returns Bal = {C, π} = α to A₂. A₂ issues Bal as a tally query to A₁. A₁ sets α = Bal and uses its Decrypt oracle to simulate Tally oracle for A₂, that is, A₁ issues α to Decrypt oracle to verify if α is valid. The Decrypt oracle returns the decryption result to A₁, A₁ extracts the validity result from the decryption result and returns the validity result either valid or invalid to A₂.

At some point, A₂ decides that the Training phase is over and starts the Identifying phase. A₂ chooses v₀ and v₁ as the challenge and passes v₀ and v₁ to A₁. A₁ sets m₀ = v₀, m₁ = v₁ and selects a random bit b = {0, 1}. A₁ computes C_b from v_b and generates π_b for C_b. A₁ sets Bal_b = α_b = {C_b, π_b} and delivers Bal_b as the challenge to A₂. With a probability , A₂ outputs a correct guess b′ in return. A₁ uses A₂’s answer as its guess. Since b′ = b, A₁ thus breaks IND-CCA security.

As A₁ simulates the environment perfectly, we have ε = ε′ and t = t′ as required where A₁ runs in time t while A₂ runs in time t′.

6.4.2 Anonymity.

Theorem 5. Let AUTHPKE = {Register, Authentication, Verification} be the secure event-oriented linkable and traceable anonymous authentication scheme and public key encryption scheme and let e-voting = {Register, Vote, Tally} be the secure e-voting scheme. If the underlying AUTHPKE is (t, q_a, ε)-anonymous, then the e-voting scheme is (t′, q_v, ε′)-secure against indistinguishability under chosen voter’s vote attack (IND-CVA), where (5) q_v is the vote query, q_a is the authentication query, ε is the non-negligible advantage to break the anonymity in AUTHPKE, ε′ is the non-negligible advantage to break the IND-CVA in e-voting, n is a negligible function parameterised by the security parameter k, and t is the time required to complete the attack.

Proof. Suppose that A₂ is an Adversary who (t′, q_v, ε′)-breaks the IND-CVA of e-voting scheme and A₁ = A_AUTH where A_AUTH is the Adversary who (t, q_a, ε)-breaks the anonymity of the AUTHPKE scheme. We show that AUTHPKE scheme is not (t, q_a, ε)- secure. Hence, we show how A₁ can use A₂ to (t, q_a, ε)-break the anonymity of AUTHPKE scheme. A₁ runs A₂ as a subroutine and simulates its attack environment.

The AUTHPKE Challenger passes Params and public, private key (pk_e, sk_e) to A₁ where the (pk_e, sk_e) are from the PKE scheme. We let A₁ possesses the public key and private key (pk_e, sk_e) of the PKE scheme so that it can simulate the Vote oracle and Tally oracle for A₂. Note that, even though A₁ possesses (pk_e, sk_e) of the PKE scheme it does not help A₁ in breaking the anonymity security. A₁ passes Params to A₂ and completed the Register phase.

In the Training phase, A₂ issues v as a vote query to A₁ which is the Vote oracle from A₂’s view. A₁ sets m = v and encrypts m to produce C. Then, A₁ generates π on C and returns Bal = {C, π} = α to A₂. A₂ issues Bal as a tally query to A₁. A₁ sets α = Bal and uses its Decrypt oracle to simulate Tally oracle for A₂, that is, A₁ issues α to Decrypt oracle to verify if α is valid. The Decrypt oracle returns decryption result to A₁, A₁ extracts the validity result from the decryption result and returns the validity result either valid or invalid to A₂.

At some point, A₂ decides that the Training phase is over and starts the Identifying phase. A₂ passes v* as the challenge to A₁. A₁ sets m* = v*, encrypts m* to obtain C_b where b ∈ {0, 1}. A₁ generates π_b on C_b. A₁ sets {C_b, π_b} = α_b = Bal_b. A₁ returns Bal_b as the challenge to A₂. With a probability , A₂ outputs a correct guess Bal_b in return. A₁ uses A₂’s answer as its guess. Since Bal_b is valid, then α_b is valid, thus A₁ breaks anonymity security.

As A₁ simulates the environment perfectly, we have ε = ε′ and t = t′ as required where A₁ runs in time t while A₂ runs in time t′.

6.4.3 Unforgeability.

Theorem 6. Let AUTHPKE = {Register, Authentication, Verification} be the secure event-oriented linkable and traceable anonymous authentication scheme and public key encryption scheme and let e-voting = {Register, Vote, Tally} be the secure e-voting scheme. If the underlying AUTHPKE is (t, q_a, ε)-unforgeable, then the e-voting scheme is (t′, q_v, ε′)-secure against existential unforgeable under chosen vote attack (EUF-CVA), where (6) q_v is the vote query, q_a is the authentication query, ε is the non-negligible advantage to break the unforgeability in AUTHPKE, ε′ is the non-negligible advantage to break the EUF-CVA in e-voting, n is a negligible function parameterised by the security parameter k, and t is the time required to complete the attack.

Proof. Suppose that A₂ is an Adversary who (t′, q_v, ε′)-breaks the EUF-CVA of e-voting scheme and A₁ = A_AUTH where A_AUTH is the Adversary who (t, q_a, ε)-breaks the unforgeability of AUTHPKE scheme. We show that AUTHPKE scheme is not (t, q_a, ε)- secure. Hence, we show how A₁ can use A₂ to (t, q_a, ε)-break the unforgeability of AUTHPKE scheme. A₁ runs A₂ as a subroutine and simulates its attack environment.

The AUTHPKE Challenger passes Params and public, private key (pk_e, sk_e) to A₁ where the (pk_e, sk_e) are from the PKE scheme. We let A₁ possesses the public key and private key (pk_e, sk_e) of the PKE scheme so that it can simulate the Vote oracle and Tally oracle for A₂. Note that, even though A₁ possesses (pk_e, sk_e) of the PKE scheme it does not help A₁ in breaking the unforgeability security. A₁ passes Params to A₂ and completed the Register phase.

In the Training phase, A₂ issues v as a vote query to A₁ which is the Vote oracle from A₂’s view. A₁ sets m = v and encrypts m to produce C. Then, A₁ generates π on C and returns Bal = {C, π} = α to A₂. A₂ issues Bal as a tally query to A₁. A₁ sets α = Bal and uses its Decrypt oracle to simulate Tally oracle for A₂, that is, A₁ issues α to Decrypt oracle to verify if α is valid. The Decrypt oracle returns the decryption result to A₁, A₁ extracts the validity result from the decryption result and returns the validity result either valid or invalid to A₂.

At some point, A₂ decides that the Training phase is over and starts the Forging phase. With a probability , A₂ outputs a guess Bal* to A₁. A₁ uses A₂’s answer as its guess. Since Bal* is valid, then α* is valid, A₁ thus breaks unforgeability security.

As A₁ simulates the environment perfectly, we have ε = ε′ and t = t′ as required where A₁ runs in time t while A₂ runs in time t′.

6.5 Security of Li et al’s transformed e-cheque scheme

We have shown that the e-voting scheme proposed by Li et al. [16] possesses confidentiality, anonymity, and unforgeability as proven in Theorem 4, Theorem 5, and Theorem 6 respectively. Therefore, it is obvious that following from Theorem 1, Theorem 2, and Theorem 3 respectively, the transformed e-cheque scheme also enjoys the corresponding security properties and fulfills the security requirements of an e-cheque scheme.

7 Discussion

Our e-voting to e-cheque transformation also benefits from Li et al.’s generic construction. Specifically, one can replace their authentication scheme Φ with other candidates yet our transformation would work as expected. However, we note that except anonymity, Φ should also satisfy linkability and traceability [16]. Therefore, anonymous authentication schemes such as the password-authenticated key exchange protocols based on oblivious pseudorandom function [22] and multi-factor authentication protocol based on “Honeywords” and “Fuzzy-Verifier” [23, 24] are not readily applicable.

It is also interesting to explore the reverse transformation, that is, from an e-cheque scheme to an e-voting scheme. From our transformation, we know that the tallier and voter in an e-voting scheme is the bank and payer, respectively, in the resulting e-cheque scheme. While a voter needs to be anonymous to the tallier, a payer needs not be anonymous to the bank. In fact, Yeow et al. exploited this weaker anonymity requirement to instantiate an efficient e-cheque scheme from an e-auction scheme that does not protect the winning bidder’s anonymity [15]. Thus, we conjecture that to realise the reverse transformation, the underlying e-cheque scheme needs to possess an anonymity property that is stronger than IND-CIA. With that said, if there exists a generic approach to upgrade the IND-CIA security in an e-cheque scheme, e-voting schemes is equivalent to e-cheque schemes. We leave this as an open problem.

8 Conclusion

We presented a generic transformation from e-voting to e-cheque and showed that the transformed e-cheque scheme possesses the security properties of indistinguishability under chosen cheque attack (IND-CCEA), indistinguishability under chosen cheque’s information attack (IND-CIA) and existential unforgeability under chosen cheque’s information attack (EUF-CIA) if the underlying e-voting scheme is indistinguishability under chosen ballot attack (IND-CBAA), indistinguishability under chosen voter’s vote attack (IND-CVA) and existential unforgeability under chosen vote attack (EUF-CVA) respectively. Finally, we demonstrated the newly proposed transformation by deriving a concrete e-cheque scheme from Li et al.’s e-voting scheme as an instance.

Supporting information

S1 Data.

https://doi.org/10.1371/journal.pone.0302659.s001

(BST)

S2 Data.

https://doi.org/10.1371/journal.pone.0302659.s002

(BIB)

Acknowledgments

This work was supported by the Telekom Malaysia Research & Development Grant (RDTC/221045).

References

1. Zaghloul E, Li T, Ren J. d-BAME: distributed blockchain-based anonymous mobile electronic voting. IEEE Internet of Things Journal. 2021;8(22):16585–16597.
- View Article
- Google Scholar
2. Rathore D, Ranga V. Secure Remote E-Voting using Blockchain. In: 2021 5th International Conference on Intelligent Computing and Control Systems (ICICCS); 2021. p. 282–287.
3. ElSheikh M, Youssef AM. Dispute-free scalable open vote network using zk-SNARKs. arXiv preprint arXiv:220303363. 2022;.
4. Vangujar AK, Ganesh B, Palmieri P. A Novel Approach to e-Voting with Group Identity Based Identification and Homomorphic Encryption. Cryptology ePrint Archive. 2023;.
- View Article
- Google Scholar
5. Sertkaya I, Kalkar O. A Privacy Enhanced Transferable Electronic Checkbook Scheme. Wireless Personal Communications. 2022;123(3):2895–2921.
- View Article
- Google Scholar
6. Hinarejos MF, Ferrer-Gomila JL, Draper-Gil G, Huguet-Rotger L. Anonymity and transferability for an electronic bank check scheme. In: 2012 IEEE 11th international conference on trust, security and privacy in computing and communications. IEEE; 2012. p. 427–435.
7. Chen CL, Wu CH, Lin WC. Improving an on-line electronic check system with mutual authentication. In: International Conference on Advanced Information Technologies; 2010.
8. Sun Y, Chai J, Liang H, Ni J, Yu Y. A secure and efficient e-Cheque protocol from chameleon hash function. In: 2013 5th International Conference on Intelligent Networking and Collaborative Systems. IEEE; 2013. p. 470–475.
9. Chaum DL. Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM. 1981;24(2):84–90.
- View Article
- Google Scholar
10. Chaum D, Fiat A, Naor M. Untraceable electronic cash. In: Advances in Cryptology—CRYPTO’88: Proceedings 8. Springer; 1990. p. 319–327.
11. Kho YX, Heng SH. Comparison Analysis Of Cryptographic Electronic Systems. In: Proceedings of the 7th International Cryptology and Information Security Conference 2020. CRYPTOLOGY 2020; 2020. p. 151–164.
12. Franklin MK, Reiter MK. The design and implementation of a secure auction service. IEEE Transactions on Software Engineering. 1996;22(5):302–312.
- View Article
- Google Scholar
13. McCarthy A, Smyth B, Quaglia EA. Hawk and Aucitas: e-auction schemes from the Helios and Civitas e-voting schemes. In: Financial Cryptography and Data Security: 18th International Conference, FC 2014, Christ Church, Barbados, March 3-7, 2014, Revised Selected Papers 18. Springer; 2014. p. 51–63.
14. Quaglia EA, Smyth B. Secret, verifiable auctions from elections. Theoretical Computer Science. 2018;730:44–92.
- View Article
- Google Scholar
15. Yeow KW, Heng SH, Tan SY. From Sealed-Bid Electronic Auction to Electronic Cheque. In: Information Science and Applications 2017: ICISA 2017 8. Springer; 2017. p. 366–376.
16. Li P, Lai J, Wu Y. Event-oriented linkable and traceable anonymous authentication and its application to voting. Journal of Information Security and Applications. 2021;60:102865.
- View Article
- Google Scholar
17. Bernhard M, Benaloh J, Alex Halderman J, Rivest RL, Ryan PY, Stark PB, et al. Public evidence from secret ballots. In: Electronic Voting: Second International Joint Conference, E-Vote-ID 2017, Bregenz, Austria, October 24-27, 2017, Proceedings 2. Springer; 2017. p. 84–109.
18. Fraser A, Quaglia EA, Smyth B. A critique of game-based definitions of receipt-freeness for voting. In: Provable Security: 13th International Conference, ProvSec 2019, Cairns, QLD, Australia, October 1–4, 2019, Proceedings 13. Springer; 2019. p. 189–205.
19. Li P, Lai J. LaT-Voting: Traceable anonymous E-voting on blockchain. In: Network and System Security: 13th International Conference, NSS 2019, Sapporo, Japan, December 15–18, 2019, Proceedings 13. Springer; 2019. p. 234–254.
20. Lee B, Boyd C, Dawson E, Kim K, Yang J, Yoo S. Providing receipt-freeness in mixnet-based voting protocols. In: Information Security and Cryptology-ICISC 2003: 6th International Conference, Seoul, Korea, November 27-28, 2003. Revised Papers 6. Springer; 2004. p. 245–258.
21. Ak M, Hanoymak T, Selçuk AA. IND-CCA secure encryption based on a Zheng–Seberry scheme. Journal of Computational and Applied Mathematics. 2014;259:529–535.
- View Article
- Google Scholar
22. Jarecki S, Krawczyk H, Xu J. OPAQUE: an asymmetric PAKE protocol secure against pre-computation attacks. In: Advances in Cryptology–EUROCRYPT 2018: 37th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Tel Aviv, Israel, April 29-May 3, 2018 Proceedings, Part III 37. Springer; 2018. p. 456–486.
23. Wang D, Wang P. Two birds with one stone: Two-factor authentication with security beyond conventional bound. IEEE transactions on dependable and secure computing. 2016;15(4):708–722.
- View Article
- Google Scholar
24. Qiu S, Wang D, Xu G, Kumari S. Practical and provably secure three-factor authentication protocol based on extended chaotic-maps for mobile lightweight devices. IEEE Transactions on Dependable and Secure Computing. 2020;19(2):1338–1351.
- View Article
- Google Scholar

[ref1] 1. Zaghloul E, Li T, Ren J. d-BAME: distributed blockchain-based anonymous mobile electronic voting. IEEE Internet of Things Journal. 2021;8(22):16585–16597.
View Article
Google Scholar

[2] View Article

[3] Google Scholar

[ref2] 2. Rathore D, Ranga V. Secure Remote E-Voting using Blockchain. In: 2021 5th International Conference on Intelligent Computing and Control Systems (ICICCS); 2021. p. 282–287.

[ref3] 3. ElSheikh M, Youssef AM. Dispute-free scalable open vote network using zk-SNARKs. arXiv preprint arXiv:220303363. 2022;.

[ref4] 4. Vangujar AK, Ganesh B, Palmieri P. A Novel Approach to e-Voting with Group Identity Based Identification and Homomorphic Encryption. Cryptology ePrint Archive. 2023;.
View Article
Google Scholar

[7] View Article

[8] Google Scholar

[ref5] 5. Sertkaya I, Kalkar O. A Privacy Enhanced Transferable Electronic Checkbook Scheme. Wireless Personal Communications. 2022;123(3):2895–2921.
View Article
Google Scholar

[10] View Article

[11] Google Scholar

[ref6] 6. Hinarejos MF, Ferrer-Gomila JL, Draper-Gil G, Huguet-Rotger L. Anonymity and transferability for an electronic bank check scheme. In: 2012 IEEE 11th international conference on trust, security and privacy in computing and communications. IEEE; 2012. p. 427–435.

[ref7] 7. Chen CL, Wu CH, Lin WC. Improving an on-line electronic check system with mutual authentication. In: International Conference on Advanced Information Technologies; 2010.

[ref8] 8. Sun Y, Chai J, Liang H, Ni J, Yu Y. A secure and efficient e-Cheque protocol from chameleon hash function. In: 2013 5th International Conference on Intelligent Networking and Collaborative Systems. IEEE; 2013. p. 470–475.

[ref9] 9. Chaum DL. Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM. 1981;24(2):84–90.
View Article
Google Scholar

[16] View Article

[17] Google Scholar

[ref10] 10. Chaum D, Fiat A, Naor M. Untraceable electronic cash. In: Advances in Cryptology—CRYPTO’88: Proceedings 8. Springer; 1990. p. 319–327.

[ref11] 11. Kho YX, Heng SH. Comparison Analysis Of Cryptographic Electronic Systems. In: Proceedings of the 7th International Cryptology and Information Security Conference 2020. CRYPTOLOGY 2020; 2020. p. 151–164.

[ref12] 12. Franklin MK, Reiter MK. The design and implementation of a secure auction service. IEEE Transactions on Software Engineering. 1996;22(5):302–312.
View Article
Google Scholar

[21] View Article

[22] Google Scholar

[ref13] 13. McCarthy A, Smyth B, Quaglia EA. Hawk and Aucitas: e-auction schemes from the Helios and Civitas e-voting schemes. In: Financial Cryptography and Data Security: 18th International Conference, FC 2014, Christ Church, Barbados, March 3-7, 2014, Revised Selected Papers 18. Springer; 2014. p. 51–63.

[ref14] 14. Quaglia EA, Smyth B. Secret, verifiable auctions from elections. Theoretical Computer Science. 2018;730:44–92.
View Article
Google Scholar

[25] View Article

[26] Google Scholar

[ref15] 15. Yeow KW, Heng SH, Tan SY. From Sealed-Bid Electronic Auction to Electronic Cheque. In: Information Science and Applications 2017: ICISA 2017 8. Springer; 2017. p. 366–376.

[ref16] 16. Li P, Lai J, Wu Y. Event-oriented linkable and traceable anonymous authentication and its application to voting. Journal of Information Security and Applications. 2021;60:102865.
View Article
Google Scholar

[29] View Article

[30] Google Scholar

[ref17] 17. Bernhard M, Benaloh J, Alex Halderman J, Rivest RL, Ryan PY, Stark PB, et al. Public evidence from secret ballots. In: Electronic Voting: Second International Joint Conference, E-Vote-ID 2017, Bregenz, Austria, October 24-27, 2017, Proceedings 2. Springer; 2017. p. 84–109.

[ref18] 18. Fraser A, Quaglia EA, Smyth B. A critique of game-based definitions of receipt-freeness for voting. In: Provable Security: 13th International Conference, ProvSec 2019, Cairns, QLD, Australia, October 1–4, 2019, Proceedings 13. Springer; 2019. p. 189–205.

[ref19] 19. Li P, Lai J. LaT-Voting: Traceable anonymous E-voting on blockchain. In: Network and System Security: 13th International Conference, NSS 2019, Sapporo, Japan, December 15–18, 2019, Proceedings 13. Springer; 2019. p. 234–254.

[ref20] 20. Lee B, Boyd C, Dawson E, Kim K, Yang J, Yoo S. Providing receipt-freeness in mixnet-based voting protocols. In: Information Security and Cryptology-ICISC 2003: 6th International Conference, Seoul, Korea, November 27-28, 2003. Revised Papers 6. Springer; 2004. p. 245–258.

[ref21] 21. Ak M, Hanoymak T, Selçuk AA. IND-CCA secure encryption based on a Zheng–Seberry scheme. Journal of Computational and Applied Mathematics. 2014;259:529–535.
View Article
Google Scholar

[36] View Article

[37] Google Scholar

[ref22] 22. Jarecki S, Krawczyk H, Xu J. OPAQUE: an asymmetric PAKE protocol secure against pre-computation attacks. In: Advances in Cryptology–EUROCRYPT 2018: 37th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Tel Aviv, Israel, April 29-May 3, 2018 Proceedings, Part III 37. Springer; 2018. p. 456–486.

[ref23] 23. Wang D, Wang P. Two birds with one stone: Two-factor authentication with security beyond conventional bound. IEEE transactions on dependable and secure computing. 2016;15(4):708–722.
View Article
Google Scholar

[40] View Article

[41] Google Scholar

[ref24] 24. Qiu S, Wang D, Xu G, Kumari S. Practical and provably secure three-factor authentication protocol based on extended chaotic-maps for mobile lightweight devices. IEEE Transactions on Dependable and Secure Computing. 2020;19(2):1338–1351.
View Article
Google Scholar

[43] View Article

[44] Google Scholar

Figures

Abstract

1 Introduction

1.1 Related work

1.2 Our contribution

2 Definitions

2.1 e-voting

2.2 e-cheque

3 Security model

3.1 Security requirements for e-voting

3.2 Security requirements of e-cheque

4 Transformation

5 Security analysis

5.1 Confidentiality

5.2 Anonymity

5.3 Unforgeability

6 An instance

6.1 Underlying cryptographic tools

6.2 Li et al.’s e-voting scheme

6.3 The transformed e-cheque scheme

6.4 Security analysis of Li et al.’s e-voting scheme

6.4.1 Confidentiality.

6.4.2 Anonymity.

6.4.3 Unforgeability.

6.5 Security of Li et al’s transformed e-cheque scheme

7 Discussion

8 Conclusion

Supporting information

S1 Data.

S2 Data.

Acknowledgments

References