Abstract
Ensuring both cast-as-intended (CAI) verifiability and coercion-resistance in e-voting remains a critical challenge. The e-voting scheme proposed by Finogina and Herranz in 2023 represents the first notable advancement in reconciling these conflicting requirements. CAI verifiability allows voters to confirm that their intended vote has been correctly recorded, even without a secure channel to the election committee, while coercion-resistance prevents external influence and vote-selling. However, essential security properties such as confidentiality, anonymity, unforgeability, and double-voting prevention fall outside the scope of Finogina and Herranz’s e-voting scheme, leaving significant gaps in its security guarantees. To address this limitation, we propose a novel e-voting scheme that simultaneously achieves CAI verifiability, coercion-resistance, confidentiality, anonymity, unforgeability, and double-voting prevention while maintaining an asymptotic complexity of . To the best of our knowledge, no existing scheme satisfies all these properties concurrently. Moreover, we establish that anonymity inherently implies CAI verifiability in e-voting schemes, a result of independent interest. By strengthening security and privacy guarantees, our work bridges existing gaps and provides a comprehensive security model that serves as a foundation for the design of future e-voting systems.
Citation: Kho Y-X, Heng S-H, Tan S-Y, Chin J-J (2025) A provably secure coercion-resistant e-voting scheme with confidentiality, anonymity, unforgeability, and CAI verifiability. PLoS One 20(6): e0324182. https://doi.org/10.1371/journal.pone.0324182
Editor: Hu Xiong, University of Electronic Science and Technology of China, CHINA
Received: October 12, 2024; Accepted: April 22, 2025; Published: June 9, 2025
Copyright: © 2025 Kho et al. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.
Data Availability: All relevant data supporting the findings of this study are within the paper. No additional data are available.
Funding: Telekom Malaysia Research & Development Grant (RDTC/221045). Initials of the authors who received each award: PROF. T.S. DR. Heng Swee Huay. The funders had no role in study design, data collection and analysis, decision to publish, or preparation of the manuscript.
Competing interests: No authors have competing interests.
1 Introduction
The world of electronic voting systems (e-voting) has evolved significantly since it was first introduced by Chaum in 1981. It is a platform designed to facilitate collaborative decision-making and enables voters to cast their votes and the election committee to count ballots electronically. A typical e-voting scheme contains three phases, namely, register, vote, and tally. Several entities are involved in the system, including voters, the election committee, a certificate authority, candidates, and adversaries, as presented in Fig 1. From Fig 1, we can see that during the register phase, both voters and the election committee are registered and obtain certificates from the certificate authority. Additionally, the list of candidates is prepared, and the public parameters of the e-voting system are distributed. The voting phase involves voters casting their votes, while the tallying phase encompasses counting the ballots and announcing the election results.
Several security properties must be in place to ensure the security of an e-voting system. According to Kho et al. [1], these essential properties include confidentiality, anonymity, unforgeability, coercion-resistance, and cast-as-intended (CAI) verifiability. Various schemes with security enhancements have been proposed and put into practice [2–9]. These schemes aim to ensure that e-voting is secure and that voters can cast their votes without fear of coercion or privacy violations.
Finogina and Herranz [3] were the first to address the compatibility issue between CAI verification and coercion-resistance. CAI verifiability ensures that voters can verify whether their intended vote has been accurately recorded, even in the absence of a secure channel between voters and the election committee. According to Finogina and Herranz [3], several techniques in the literature aim to achieve CAI verifiability, such as using proofs to verify the cast ballot, tracking numbers, cast-and-audit, voting codes, QR codes, hardware tokens or voting cards with return codes. However, all these techniques often generate some form of evidence or receipt containing voting information for the voter, which directly contradicts the requirement of coercion-resistance, as it must prevent the creation of evidence that could be used to prove a voter’s choice.
In addition to CAI verifiability, the risk of coercion and vote buying is another significant concern. Coercers may attempt to influence how voters cast their ballots, or malicious voters may sell their votes to coercers, undermining the fairness and legitimacy of the electoral process. Therefore, coercion-resistance is a critical property of any e-voting system that aims to ensure the integrity and fairness of the electoral process.
The JCJ protocol proposed by Juels et al. in 2005 [5] is a well-known protocol that provides coercion-resistance. The protocol enables voters to deceive coercers by generating fake voting credentials that are indistinguishable from genuine ones. According to Finogina and Herranz [3], existing coercion-resistant e-voting approaches often lack compatibility with CAI verifiability when trusted channels between voters and the election committee are removed. CAI verifiability is another critical property of secure e-voting systems, as it ensures that voters’ intentions are accurately reflected in the final tally. The core challenge in e-voting systems lies in balancing coercion-resistance and CAI verifiability, particularly when encryption is managed by the election committee and secure channels between voters and the election committee are absent. In such a setup, while encryption performed by the election committee ensures that voters cannot access vote verification materials, thereby guaranteeing coercion-resistance, it also raises concerns about whether voters can verify that their ballot is encrypted with their intended vote. Finogina and Herranz therefore addressed this issue by proposing an e-voting protocol that achieves both coercion-resistance and CAI verifiability without relying on secure channels between voters and election authorities.
As noted by Finogina and Herranz, it is reasonable to assume that a coercer cannot maintain continuous control over a voter and would not resort to severe threats, such as threatening the voter with a firearm, as the voter would have no choice but to comply in such cases. If such severe threats were involved, the issue would extend beyond the voting process and fall under the jurisdiction of law enforcement [3]. Therefore, coercion-resistance is meaningful only when the coercer has limited observational capabilities, allowing the voter to resist without incurring significant risks [3].
Consider a common scenario where a voter arrives at the polling station to cast their vote [3]. Could a coercer physically prevent the voter from gaining entry to the polling station? Could they compel the voter to produce a photocopy of their completed ballot as proof of their vote? In the context of e-voting, these concerns translate into questions such as: “Are forced abstention attacks permissible?” and “Can coercers extract vote-verification materials during the voting process?” These questions are critical when evaluating the integrity and security of an e-voting system under potential coercion.
To complicate matters further, some voters with malicious intent may deliberately choose to sell their votes, turning the process into a transaction. Additionally, e-voting introduces a separation between the stages of registration, vote casting, and vote verification, each of which can occur at different times. This separation brings forth a new and significant question: “At precisely which stage can the coercer observe or exert influence over the voter?”
In this work, we adopt the coercion-resistant protocol developed by Finogina and Herranz. In the coercion-resistance setting proposed by Finogina and Herranz, the coercer can communicate with the voter prior to the vote protocol execution and compel the voter to select a particular selection v*. During the voting protocol execution, the secure channel between the voter and the election committee is not accessible to the coercer, which is crucial for maintaining meaningful coercion-resistance. However, the coercer can observe the public channel through which the ballot is posted to the bulletin board. After the voting protocol has been executed, the coercer expects to receive Trc, which includes the voter’s preference, the corresponding ballot, and the randomness used during the voting process.
To counteract coercion in this scenario, the key idea is that the voter should always retain the capability to trick the coercer [3]. The voter can execute the voting protocol with their chosen vote v and subsequently replicate all necessary parameters, such as challenges, to convince the coercer that the cast ballot corresponds to v* [3]. The coercer can determine whether the voter adhered to their instructions and cast their vote for v* [3].
Finogina and Herranz [3] addressed the compatibility issue between CAI verifiability and coercion-resistance in the literature. However, their work does not provide rigorous proofs for other essential security properties required by an e-voting system, namely, confidentiality, anonymity, unforgeability, as well as the prevention of double voting [1]. To the best of our knowledge, no existing concrete e-voting scheme simultaneously satisfies confidentiality, anonymity, and unforgeability while also being compatible with CAI verifiability and coercion-resistance.
To address these shortcomings, we propose an e-voting scheme that builds upon the coercion-resistance protocol compatible with CAI verifiability, as introduced by Finogina and Herranz [3]. Our approach enhances their system to ensure it meets the necessary security properties: coercion-resistance, CAI verifiability, confidentiality, anonymity, unforgeability, and prevention of double voting. We further demonstrate that anonymity inherently implies CAI verifiability in e-voting schemes, a result that may be of independent interest. By integrating additional security measures and refining the protocol, our scheme aims to provide a robust solution for secure and verifiable e-voting.
2 Related works
In this section, we review coercion-resistant e-voting schemes from 2019 to the present.
Smyth [10] presented Athena, a verifiable, coercion-resistant e-voting scheme with linear complexity in the JCJ setting. Their scheme revealed anonymised credentials to eliminate ballots cast using an identical private credential with linear complexity and utilised plaintext equality tests on every mixed ballot individually, containing a mixed public credential and to exclude any unauthorised mixed ballots also with linear complexity. Aranha et al. [11] argued that the coercion-resistant protocol proposed by Smyth offered lower security compared to the JCJ scheme, as it revealed the number of votes associated with each credential.
Grontas et al. [12] presented the first e-voting scheme that achieved end-to-end verifiability and everlasting privacy in the JCJ setting [5]. They proposed a new cryptographic primitive, the publicly auditable conditional blind signature, in which the signing server issues the voter a token after the interaction and the token can only be verified by the designated verifier. Everlasting privacy is intended to protect votes from a more powerful adversary (e.g. quantum computing). Their everlasting privacy property is achieved by assuming the existence of an anonymous channel to exchange private data between the election authorities. However, the work did not present a rigorous security analysis.
Estaji et al. [13] revisited the JCJ e-voting scheme [5] to enhance its usability and practicality. In particular, they addressed the issue where voters could not directly validate whether their cast ballots were valid and included in the final tally by introducing new methods for duplicate removal within the JCJ framework.
Lueks et al. [8] proposed VOTEAGAIN, an e-voting scheme that uses a revoting mechanism to provide coercion-resistance and can handle systems with millions of voters. However, Haines et al. [4] argued that VOTEAGAIN is insecure because it relies on a single, completely trusted voting authority to achieve verifiability and coercion-resistance. Furthermore, a malicious bulletin board could compromise the privacy, verifiability, and coercion-resistance of their scheme. Haines et al. [4] introduced a variant of VOTEAGAIN that reduces reliance on voting authorities without compromising the efficiency and usability of the original scheme. Their future work involves formally proving that their modifications to VOTEAGAIN maintain the scheme’s security properties.
Rønne et al. [14] introduced a quantum-safe, coercion-resistant e-voting scheme within the JCJ framework. They addressed the complexity challenges in the tally phase of the JCJ protocol by employing fully homomorphic encryption (FHE), allowing the tallying process to be executed in linear time while also ensuring quantum safety. It is worth noting that we do not compare the computational cost of this scheme, as it utilises different cryptographic tools. Aranha et al. [11] claimed the coercion-resistant protocol introduced by Rønne et al. offered lower security compared to the JCJ scheme, as it revealed the number of votes associated with each credential.
Cortier et al. [2] identified a major issue with the JCJ protocol: it leaks the total count of received ballots, valid ballots, and revotes during the revoting phase. Hence, they proposed CHide, a new coercion-resistance protocol that solves the leakage issues in JCJ protocol. However, Aranha et al. [11] argued that CHide requires a larger asymptotic complexity of . They reduced the CHide’s asymptotic complexity to
logn) to speed up the tallying protocol. However, their improved scheme did not consider voter authentication.
Finogina and Herranz [3] proposed the first CAI verifiability and coercion-resistance setting without requiring a secure channel between election authorities and voters. However, their proposed scheme did not claim some important security properties such as confidentiality of ballot, voter’s anonymity, ballot unforgeability and double-voting prevention [1]. The scheme proposed by Finogina and Herranz focuses solely on the voting algorithm and omits the tallying process, as the tally can be conducted using various verifiable methods suggested in the literature, such as verifiable shuffling of ciphertexts, verifiable decryption, and verifiable homomorphic tallying of the final results.
Spadafora et al. [15] presented a decentralised e-voting protocol designed to resist coercion and vote-selling while ensuring complete transparency, although it does not achieve receipt-freeness. The protocol leverages blockchain technology to ensure decentralisation and benefits from blockchain’s transparency and non-repudiation properties. The security of the protocol is rigorously proven under the Decisional Diffie-Hellman (DDH) assumption for prime-order cyclic groups and standard blockchain robustness assumptions.
Giustolisi and Garjan [16] introduced an Internet voting scheme that balances efficiency with coercion-resistance. The scheme employs noise ballots to obscure legitimate votes and a cleansing process to eliminate invalid ballots without revealing sensitive information. The scheme supports coercion-resistance, including scenarios with revoting, and enables linear tallying without the use of mixnets or MPC, utilising exponential ElGamal encryption and non-interactive zero-knowledge proofs (NIZKPs).
Chen et al. [17] proposed an e-voting scheme aimed at preventing bribery and coercion. The scheme uses a subliminal channel to transmit a secret message that was modified from the original, ensuring that the receiver only received the general signature without access to the hidden message. Consequently, the e-voting scheme remains secure even if the voting secret is leaked, as the briber or coercer cannot determine the voter’s actual vote. However, the briber or coercer could still attack the channel by preventing the voter’s vote from being sent. To mitigate this risk, Chen et al. employed a smart card, which served as a protective mechanism to prevent the subliminal channel from being compromised.
Several recent studies have explored advancements in secure e-voting protocols by leveraging emerging technologies and optimised cryptographic techniques. For instance, Elhabob et al. [18,19] proposed equality tests in public key encryption and identity-based encryption with cryptographic reverse firewalls, which could potentially be adapted for detecting duplicate ballots in e-voting while preserving voter privacy. Hadabi et al. [20] introduced a proxy re-encryption scheme with plaintext checkable encryption (PCE) for secure data sharing in Industrial IoT. PCE could enhance coercion-resistant e-voting by ensuring ballots are verifiable while safeguarding voter secrecy. Wang et al. [21] presented a secure cross-system encrypted data-sharing scheme based on attribute-based encryption (ABE), which could be utilised in e-voting to manage voter authentication and control access to encrypted ballots. Furthermore, Xiong et al. [22] proposed a scheme that could contribute to revocable authentication in e-voting, ensuring that voters cannot be linked to their past votes. However, further in-depth research is required to assess the feasibility of fully integrating these techniques into e-voting systems.
2.1 Our contributions
We introduce a secure e-voting scheme established on the anonymous authentication proposed by Li et al. [7] and Finogina and Herranz’s coercion-resistant voting protocol [3]. The main technical difficulty in this work is to rigorously model and prove the security of confidentiality, anonymity, unforgeability, coercion-resistance, and CAI verifiability for the proposed scheme. This is a challenging but crucial task that could lay the security foundation for future e-voting schemes. As a result of independent interest, we also prove that anonymity implies CAI verifiability for e-voting schemes.
2.2 Organisation of this paper
The remainder of this paper is organised as follows. Sect 3 discusses the cryptographic tools underlying our e-voting scheme. Sect 4 defines the security properties and requirements for generic e-voting schemes. In Sect 5, we prove that anonymity implies CAI verifiability within e-voting schemes. Our proposed scheme, along with its security analysis, is presented in Sect 6. Finally, we conclude the paper in Sect 8.
3 Cryptographic preliminaries
In this section, we describe the underlying cryptographic tools employed in constructing our e-voting scheme, namely, sigma protocol, commitment scheme, multi-signature, public key encryption (PKE) scheme and event-oriented linkable and traceable anonymous authentication scheme (EOLTAA).
3.1 Sigma protocol
A sigma protocol is a 3-move protocol for a polynomial-time relation R. A sigma protocol for R runs as follows [23]:
- Commit
. The prover P runs algorithm Commit on common input x with corresponding witness w to output the first message a and submits a to the verifier.
- Challenge
. Once the verifier V receives a, chooses a random challenge
where l is the challenge length and submits e to the prover.
- Response
. Once the prover P receives e, runs algorithm Response on (x,w,e) to produce z and submits z to the verifier.
The verifier V outputs decision 1 to accept or 0 to reject the transcript (a,e,z) on x.
Definition 1. A sigma protocol for relation R is a 3-move protocol that is required to satisfy the following three properties [24,25]:
- Completeness. If
, then all honest 3-move transcripts for (x,w) are always accepted.
- Special soundness. There exists a probabilistic polynomial time (PPT) extraction algorithm on input two valid transcripts (a,e,z) and
for x with
, produces a witness w such that
.
- Special honest-verifier zero-knowledge. There exists a PPT simulator that inputs on any instance x and any challenge e, creates a transcript (a,e,z) such that the resulting triple is distributed identically to a valid transcript created by an actual protocol execution between the honest prover P(x,w) and the verifier V(x).
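The three moves and the three properties of Definition 1, worked through on one concrete instance. This is an added example, not code from the paper: it assumes Schnorr's protocol for the discrete-logarithm relation x = g^w mod p as the sigma protocol, and the group parameters are constructed toy values far too small for real use.

```python
import secrets

# Constructed toy parameters (assumption, not from the paper): p = 2q + 1 with
# p, q prime, and g = 4 generating the subgroup of prime order q.
P, Q, G = 2039, 1019, 4
L_BITS = 8  # challenge length l; 2^l < q so distinct challenges stay distinct mod q


def keygen():
    """Return (x, w): public instance x = g^w mod p and its witness w."""
    w = secrets.randbelow(Q - 1) + 1
    return pow(G, w, P), w


def commit():
    """Move 1 (Commit): prover picks randomness r and sends a = g^r mod p."""
    r = secrets.randbelow(Q)
    return pow(G, r, P), r


def challenge():
    """Move 2 (Challenge): verifier picks a random l-bit challenge e."""
    return secrets.randbits(L_BITS)


def response(w, r, e):
    """Move 3 (Response): prover answers z = r + e*w mod q."""
    return (r + e * w) % Q


def verify(x, a, e, z):
    """Verifier decision: 1 if g^z == a * x^e mod p, otherwise 0."""
    return int(pow(G, z, P) == (a * pow(x, e, P)) % P)


def extract(t1, t2):
    """Special soundness: two accepting transcripts that share the first
    message a but have different challenges reveal the witness w."""
    (a1, e1, z1), (a2, e2, z2) = t1, t2
    if a1 != a2 or e1 == e2:
        raise ValueError("need the same first message and two different challenges")
    return ((z1 - z2) * pow((e1 - e2) % Q, -1, Q)) % Q


def simulate(x, e):
    """Special honest-verifier zero-knowledge: given only x and e, pick z first
    and solve for a. No witness is used, yet the transcript verifies and has
    the same distribution as an honest one for that challenge."""
    z = secrets.randbelow(Q)
    a = (pow(G, z, P) * pow(x, -e, P)) % P
    return a, e, z


def run_honest(x, w):
    """Completeness: one honest execution, returned as a transcript (a, e, z)."""
    a, r = commit()
    e = challenge()
    return a, e, response(w, r, e)


if __name__ == "__main__":
    x, w = keygen()
    print("honest transcript accepted:", verify(x, *run_honest(x, w)))

    # A prover that reuses its commitment randomness for two challenges
    # hands the verifier everything needed to compute the witness.
    a, r = commit()
    t1 = (a, 5, response(w, r, 5))
    t2 = (a, 200, response(w, r, 200))
    print("extracted witness matches:", extract(t1, t2) == w)

    print("simulated transcript accepted:", verify(x, *simulate(x, challenge())))
```

The extractor is also the practical reason commitment randomness must never be reused: two answers on the same first message give away the witness.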
3.2 Commitment scheme
A commitment scheme consists of three protocols [26]:
- Setup
. This protocol takes security parameters
as input and produces public parameters paramcom along with randomness RScom, plaintext Mcom and commitment spaces Ccom.
- Commit
. This protocol takes paramcom, a plaintext
and a randomness
as input and produces a commitment
and an opening value d. The committer submits cmt to the verifier. Note that we denote
throughout this paper.
- Open
. This protocol takes (e,cmt,d) as input and produces decision
where 0 to reject or 1 to accept.
Definition 2. A commitment scheme is required to satisfy the three following properties [25]:
- Correctness. A commitment scheme is considered correct if, whenever the protocol is executed honestly between the committer and the verifier, the verifier always accepts in the verification phase for all messages that can be committed.
- Hiding. A commitment should not reveal any information about e. Formally, a commitment is computational hiding if for any PPT
, it contains:
- Binding. A commitment cannot be opened to two different messages. Formally, a commitment is computational binding if for any PPT
, it contains:
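The Setup, Commit and Open interface above, with hiding and binding made concrete. This is an added example, not code from the paper: it assumes a Pedersen commitment as the instantiation, the group parameters are constructed toy values, and `equivocate` is a hypothetical helper that exists only to show what binding rules out.

```python
import secrets

# Constructed toy group (assumption, not from the paper): p = 2q + 1, g of order q.
P, Q, G = 2039, 1019, 4


def setup():
    """Setup: publish paramcom = (p, q, g, h) with h = g^t mod p.
    An honest setup discards the trapdoor t; it is returned here only so the
    demonstration below can show why it must stay unknown."""
    t = secrets.randbelow(Q - 1) + 1
    return {"p": P, "q": Q, "g": G, "h": pow(G, t, P)}, t


def commit(param, e, r=None):
    """Commit: cmt = g^e * h^r mod p. Returns (cmt, d) with opening value d = r."""
    p, q = param["p"], param["q"]
    if r is None:
        r = secrets.randbelow(q)
    cmt = (pow(param["g"], e % q, p) * pow(param["h"], r, p)) % p
    return cmt, r


def open_commitment(param, e, cmt, d):
    """Open: return 1 if (e, d) is a valid opening of cmt, otherwise 0."""
    p, q = param["p"], param["q"]
    expected = (pow(param["g"], e % q, p) * pow(param["h"], d, p)) % p
    return int(cmt == expected)


def equivocate(param, trapdoor, e, d, e_new):
    """Binding is computational: whoever knows t = log_g(h) can reopen a
    commitment to any e_new, because e + t*d = e_new + t*d_new mod q has the
    solution d_new = d + (e - e_new) / t. Without t, finding such a d_new
    means computing a discrete logarithm."""
    q = param["q"]
    return (d + (e - e_new) * pow(trapdoor, -1, q)) % q


if __name__ == "__main__":
    param, t = setup()
    cmt, d = commit(param, 42)

    # Correctness: the honest opening is accepted, a wrong message is not.
    print("honest opening accepted:", open_commitment(param, 42, cmt, d))
    print("wrong message accepted: ", open_commitment(param, 43, cmt, d))

    # Hiding: every message has some valid opening for this cmt, so cmt alone
    # carries no information about e. Binding: producing that second opening
    # requires the trapdoor.
    d_new = equivocate(param, t, 42, d, 43)
    print("trapdoor opening to 43: ", open_commitment(param, 43, cmt, d_new))
```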
3.3 Multi-signature
A multi-signature has four algorithms [27]:
- MS.Setup
. This algorithm takes
as the input and produces parameters params of the signature scheme.
- MS.KeyGen
. This algorithm takes params as input and produces a set of public and secret keys
of signer i.
- MS.Sign
. This is an interactive algorithm that runs between signers to sign m. After a few interactions, the algorithm produces the multi-signature
.
- MS.Verify
. This algorithm takes multi public key sets of signer i, m and
as input and produces 1 if the
is valid or 0 if the
is invalid.
Definition 3. A multi-signature is required to satisfy existential unforgeability under adaptively chosen message attacks (EUF-CMA). The EUF-CMA game is defined as follows [28]:
- Register phase: The Challenger generates a target key pair (pk*,sk*) of the honest user and passes pk* to
.
- Training phase:
can query MS.Sign Oracle by preparing m and
of purported signers where pk* must happen at least once.
can choose the public keys in any manner it desires, including as a function of pk* and prior protocol interactions.
is able to concurrently initiate the MS.Sign oracle and interact with multiple “clones” of the honest signer. Each clone operates independently, maintaining its own state and randomness, but all share the same keys pk*,sk*, and follow the signing protocol to generate responses to the messages they receive. Once the honest signer completes its process, the final output is returned to
that whether be a valid multi-signature
or
.
- Forging phase:
outputs
and
and wins the game if the verification of
and
.
We say that the multi-signature scheme is EUF-CMA secure if for all PPT with negligible advantage:
3.4 Public Key Encryption (PKE) scheme
A PKE scheme has three algorithms [29]:
- PKE.KeyGen
. This algorithm takes 1k as the input and generates user’s public and private key pair
.
- PKE.Encrypt
. This algorithm takes a plaintext message m and pke as input and generates a ciphertext C.
- PKE.Decrypt
. This algorithm takes a C and a ske as input and generates the plaintext message m.
Definition 4. A PKE scheme has three PPT algorithms ,
is required to satisfy the two following properties [24]:
3.5 Event-Oriented Linkable and Traceable Anonymous Authentication scheme (EOLTAA)
The EOLTAA Scheme has seven algorithms [7,30]:
- CSetup
. This algorithm takes 1k as input and produces a pair of master public and private key (MPK,MSK).
- UKeyGen
. This algorithm takes 1k as input and produces a pair of public and private key (upk,usk).
- CertGen
. This algorithm takes MSK and upk as input and produces a certificate (Cert) analogous to upk.
- Auth
. This algorithm takes payload (p), MPK, message (m), event identifier (e), (upk,usk), and Cert, as input and produces an authentication token (
) on m.
- Verify
. This algorithm takes m,
, MPK as input to verify the validity of the proof. This algorithm will produce 0 or 1 as the output.
- Link
. This algorithm takes two valid m, and
as input and produces 1 if the two m are associated with a common event that authenticated with the identical user; else, produces 0.
- Trace
. This algorithm takes two valid m, and
as input and produces upk of the user who validates two messages associated with a common event. Else, it outputs
.
An EOLTAA scheme is required to satisfy unforgeability, linkability, anonymity, and traceability [7].
Unforgeability. The unforgeability of EOLTAA schemes is defined as follows:
- The Challenger executes CSetup
to generate (MPK,MSK) and executes UKeyGen
to create n public private key pairs
, and passes
to
.
sends the Challenger a public key
. The Challenger runs CertGen (upki,MSK) to obtain a certificate
.
selects and sends mi and upkj to the Challenger.
requests the Challenger to authenticate mi. The Challenger runs
to obtain the authentication token
.
selects a new m* and upk* and generates
.
produces
.
wins if the
and (upk*,m*) is not in the pairs
that was created during the query phase.
The success probability ofin winning the unforgeability game is
wins the game].
Definition 5. An EOLTAA scheme is unforgeable if for all PPT ,
is negligible.
Linkability. The linkability of EOLTAA schemes is defined as follows:
- The Challenger executes CSetup
to create (MPK,MSK) and executes UKeyGen
to create
, and passes
to
.
runs UKeyGen
to receive (upk,usk).
sends upk to the Challenger. The Challenger executes CertGen(upk,MSK) and returns
.
selects and sends mi and upkj to the Challenger.
requests the Challenger to authenticate mi. The Challenger runs
to obtain the authentication token
.
chooses two
and
to share a common event and produces two
and
, respectively.
produces
and
.
wins if
for
and
.
The success probability ofin winning the linkability game is
wins the game].
Definition 6. An EOLTAA scheme is linkable if for all PPT,
is negligible.
Anonymity. The anonymity of EOLTAA schemes is defined as follows:
runs CSetup
to generate (MPK,MSK) and passes MPK to the Challenger.
- The Challenger executes UKeyGen
to create
and
, and passes
to
.
returns two corresponding
to the Challenger.
selects and sends mi and
to the Challenger.
requests the Challenger to authenticate mi. The Challenger executes
to obtain the authentication token
.
submits m* to the Challenger that does not belong to the set mi and the queried messages cannot share a common event. The Challenger selects
, uses
to authenticate m* and submits
to
.
then produces his guess
.
wins if
.
The success probability ofin winning the anonymity game is
wins the game]
.
Definition 7. An EOLTAA scheme is anonymous if for all PPT,
is negligible.
Traceability. The traceability of EOLTAA schemes is defined as follows:
- The Challenger runs CSetup
to generate (MPK,MSK) and executes UKeyGen
to create
, and passes
to
.
runs UKeyGen
to generate (upk,usk).
sends upk to the Challenger. The Challenger executes CertGen(upk,MSK) and returns
.
passes a public key
to the Challenger. The Challenger runs CertGen(upki,MSK) and sends back
to
.
selects and sends mi and upkj to the Challenger.
requests the Challenger to authenticate mi. The Challenger runs
to obtain the authentication token
.
chooses
and
that share a common event and produces two
and
, respectively.
produces
and
.
wins if
for
;
and
where
.
The success probability ofin winning the traceability game is
wins the game].
Definition 8. An EOLTAA scheme is traceable if for all PPT,
is negligible.
4 Definition and security requirements for generic e-voting schemes
4.1 e-Voting scheme definition
The generic e-voting scheme is composed of three algorithms:
- Register
: This algorithm is performed by the election committee, voter, and certificate authority. This algorithm takes the
as the input and produces system public parameters, master key pair (MPK,MSK), along with two sets of public-private keys for the election committee
and the voter
. The voter and election committee then enroll Cert with the certificate authority.
- Vote
: This interactive algorithm is executed by the voter and election committee over a secure channel. Voter takes in the election committee’s public key pke, and his choice of candidate
. The election committee takes in pke, voter’s choice of candidates (v), and a random value r. If the protocol ends successfully, it outputs a ballot Bal, Trc,
and outputs an error
otherwise.
We denote coerc as an element that is either empty or a specific instruction coerc given to Adversary from the challenger,
as the collection of all values deliberately selected by the voter throughout the vote protocol execution, including the challenges and Trc as communication transcript between the voter and election committee. Trc includes voter’s choice v and the ballot Bal but for clarity purposes, we still list Bal as one of the outputs from voting protocol.
- Tally
: This algorithm is performed by the election committee. The election committee takes ske, and Bal as input, checks validity of the Bal and generates the tally result (result) of all validated Bal.
If the election committee does not send any message to the voter, then it is essentially the same as the non-interactive generic e-voting version introduced by Kho et al. [30]. Therefore, the interactive generic e-voting scheme proposed in this section, which considers the election committee, is a generalised version. This generalisation is necessary to capture the coercion-resistance property and CAI verifiability, ensuring that the voter cannot access vote verification materials, as the encryption is performed by the election committee. At the same time, it ensures that an honest voter can verify that his ballot is encrypted with his intended vote.
In this work, we focus solely on the interactive communication between the election committee and the voter throughout the vote protocol execution, ensuring that the encryption of the voter’s vote reflects his intended choice. We leave the challenge of finding a non-interactive voting protocol that also possesses coercion-resistance as an open problem.
4.2 Security requirements for e-voting
As outlined in the previous section, our scheme definition diverges from that of Kho et al. [30] only in the vote algorithm. In our scheme, we consider an interactive voting process, allowing for communication between the voter and the election committee during the vote submission. In contrast, Kho et al.’s scheme follows a non-interactive model, where the voter independently encrypts and submits their ballot without interaction. Despite this key difference, we adopt Kho et al.’s broader security definition, making amendments solely to the voting-related components to accurately capture the interactive nature of our scheme.
- Confidentiality. The confidentiality ensures that the ballot is confidential to all parties, except when the election results disclose the vote [30]. The following game demonstrates the indistinguishability under chosen ballot attack (IND-CBAA) security notion for an e-voting scheme. We describe the game between the PPT
and Challenger as follows:
Algorithm 1. e-Voting Confidentiality Game.
Definition 9 (IND-CBAA). An e-voting scheme is-IND-CBAA if no PPT
can win the game above in time t with an advantage
.
- Anonymity. The anonymity ensures that the identification of the voter remains secret [30]. The following game demonstrates indistinguishability under chosen voter’s vote attack (IND-CVA) security notion for an e-voting scheme. We describe the game between
and the Challenger as follows:
Algorithm 2. e-Voting anonymity game.
Definition 10 (IND-CVA). An e-voting scheme is-IND-CVA if no PPT
can win the game above in time t with an advantage
.
- Unforgeability. The unforgeability means the inability to forge a valid ballot intended for another voter [30]. The following game demonstrates existential unforgeability under chosen vote attack (EUF-CVA) security notion for an e-voting scheme. We describe the game between
and the Challenger as follows:
Algorithm 3. e-Voting unforgeability game.
Definition 11 (EUF-CVA). An e-voting scheme is-EUF-CVA if no PPT
can win the game above in time t with an advantage
.
- Coercion-Resistance. According to Kho et al. [1], coercion-resistance in an e-voting scheme means the coercers cannot insist that voters vote in a certain way and the voter cannot prove his vote to the information buyer. We describe the game between
and the Challenger as follows:
Algorithm 4. e-Voting coercion-resistance game.
Definition 12 (Coercion-Resistance). An e-voting scheme is-coercion-resistance if no PPT
can win the game above in time t with an advantage
.
- Cast-As-Intended (CAI) Verifiability. According to Finogina and Herranz [3], CAI verifiability in an e-voting scheme guarantees that the malicious election committee cannot deceive the voter by sending an encryption of a voting option different from the one the voter selected to the bulletin board. In other words, the honest voter (not coerced) can verify whether his ballot contains the encryption of his vote. Thus, this property is formalised by considering a dishonest election committee that attempts to deceive the voter by sending the ballot to the bulletin board, which decrypts to v′ ≠ v*. We define the following game as indistinguishability under chosen voter’s cast vote attack (IND-CAI). We describe the game between
and the Challenger as follows:
Algorithm 5. e-Voting CAI verifiability game.
Definition 13 (Cast-As-Intended Verifiability). An e-voting scheme is-indistinguishability under chosen voter’s cast vote attack (IND-CAI) if no PPT
can win the game above in time t with an advantage
.
5 Anonymity implies CAI verifiability
We notice that the security games of anonymity and CAI verifiability are highly similar, which motivates us to demonstrate the relationship between them. The one-way equivalency shows that if an e-voting scheme possesses anonymity (IND-CVA), then it also possesses CAI verifiability (IND-CAI). The following theorem presents this one-way equivalency between the security games of anonymity and CAI verifiability.
Theorem 1. If an e-voting scheme possesses anonymity (IND-CVA), then it also possesses CAI verifiability (IND-CAI).
Proof: Assume A2 is an Adversary who -compromises the IND-CAI security of the e-voting scheme and A1 is the Adversary who
-compromises the IND-CVA security of e-voting scheme. We aim to demonstrate that e-voting scheme is not
-secure by showing how A1 can utilise A2 to
-compromise the IND-CVA security of the e-voting scheme. Here,
represents the number of vote queries, qa represents the number of authentication queries,
represents the non-negligible advantage in breaking the IND-CVA in e-voting,
represents the non-negligible advantage in breaking IND-CAI in the e-voting, and t represents the attack completion time. In this scenario, A1 can run A2 as a subroutine while simulating its attack environment.
The CVA Challenger gives Params to A1. A1 gives Params to A2 and completes the Registration phase. During the Training phase, A2 sends a vote query to A1. A1 submits v to Vote oracle via a vote query to generate
and returns
to A2. A2 submits a tally query Bal to A1. A1 submits Bal to Tally oracle to check its validity. The Tally oracle provides the tally result to A1 and A1 retrieves the validation result from the tally result. A1 then sends the validation result whether it is invalid or valid to A2.
Eventually, A2 concludes the Training phase and initiates the Identification phase. During this phase, A2 issues v* to A1. A1 assigns v* to Vote oracle to generate Cb and C1−b where and one of them is created with v*. A1 generates
on Cb and
on C1−b. A1 sets
and
. A1 randomly guesses
and delivers
as the IND-CAI challenge to A2. A2 outputs its guess
and A1 uses A2’s answer as its guess.
Now, we analyse the probability of A1 winning the IND-CVA game. If the correct guess is b, we have:
When , we have
; this implies:
On the other hand, if the correct guess is 1–b, we have:
which gives:
Combining (2) and (4), we obtain:
Given that A1 accurately simulates the environment, we conclude that and
, as required. In this setup, A1 runs in time t, while A2 runs in time
.
6 Our proposed scheme
6.1 Scheme construction
Let represent a semantically secure public key encryption scheme,
represent the EOLTAA scheme,
represent the secure multi-signature scheme,
represent the secure
-protocol and
represent the secure commitment scheme. Our e-voting scheme contains three algorithms, that is, Register, Vote, and Tally. Note that the bulletin board implemented in our scheme is publicly readable, append-only storage and its contents cannot be altered or forged by any party.
Register( }. Election committee runs MS.Setup to generate public parameters, paramsMS. Election committee runs setup algorithm in the Commitment to produce paramcom along with
where paramcom is the public parameter, Mcom is the plaintext, RScom is the randomness, Ccom is the commitment spaces. Suppose that the
-protocol <P,V> for the Relation Re consists of the challenge space Chl
. All these public parameters (param) are sent to the bulletin board.
Certificate authority utilises to create master public key MPK and master private key MSK. Election committee runs PKE.KeyGen to generate
where pke is the public key, ske is the secret key. Voters and the election committee create their set of keys with
and register Cert with the certificate authority. Certificate authority checks the eligibility of the voter and election committee. If the voter and the election committee are eligible, certificate authority will return a certificate to the voter and the election committee where the election committee holds
and the voters holds
. The election committee uses paramsMS as input to the MS.KeyGen to receive their public key and secret key for signing.
Vote . The vote protocol, comprising four communication rounds between the voter and the election committee, operates as follows:
- The election committee selects a random value vid as ID of the e-voting. The election committee generates
to validate vid where
. Election committee sends
to the bulletin board.
- Once the voter receives this voting, the voter selects
and one candidate v, computes a commitment cmt and sends (v,cmt) to the election committee.
- If v is not a valid voting option, the election committee aborts. Else election committee jointly chooses a random value r, uses pke to jointly encrypt (v,r) to obtain Ci. The election committee then runs MS.Sign to produce signature
on the Ci. This is to demonstrate that a group of n signers jointly create a
for (v,r) in such a way that
persuades the voter that all n signers have jointly signed (v,r). Then it executes first round of the
-protocol using the public input
and witness w = r to create value a. The election committee issues
to the voter.
- The voter replies
to the election committee.
- The election committee verifies if
, if
and if cmt is valid. If the verification fails, the election committee aborts. Else, the election committee utilises challenge e to produce value z, and transmits z to voter.
- Voter runs MS.Verify to verify if the
is valid. Voter accepts the interaction if and only if the transcript (a,e,z) is valid on the public input
and
is a valid signature. If the voter accepts the interaction, voter produces
. Voter sends
to the bulletin board.
Note that we denote and
.
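The Vote exchange above and the voter's acceptance check can be run end to end with concrete building blocks. The following is an added example, not the authors' code: it assumes exponential ElGamal as the PKE, a SHA-256 hash commitment to the voter's challenge e, and a Chaum-Pedersen proof as the sigma protocol over a toy group, and it omits the multi-signature and EOLTAA steps. All function and class names are hypothetical.

```python
import hashlib
import secrets

# Toy parameters (assumption, far too small for real use): safe prime P = 2Q + 1;
# G = 4 generates the subgroup of prime order Q.
P, Q, G = 1019, 509, 4

def inv(x):
    """Modular inverse in Z_P* (Fermat)."""
    return pow(x, P - 2, P)

def keygen():
    sk = 1 + secrets.randbelow(Q - 1)
    return sk, pow(G, sk, P)

def encrypt(pk, v, r):
    """Exponential ElGamal: C = (g^r, g^v * pk^r)."""
    return pow(G, r, P), pow(G, v, P) * pow(pk, r, P) % P

def decrypt(sk, C, options):
    """Recover v by matching g^v against the (small) set of voting options."""
    gv = C[1] * inv(pow(C[0], sk, P)) % P
    return next(v for v in options if pow(G, v, P) == gv)

def commit(e, rand):
    """Hash commitment to the challenge e; rand is the opening value."""
    return hashlib.sha256(rand + e.to_bytes(32, "big")).hexdigest()

def statement(C, v):
    """Public input: (c1, c2 / g^v) equals (g^r, pk^r) iff C encrypts v under r."""
    return C[0], C[1] * inv(pow(G, v, P)) % P

def verify(pk, C, v, a, e, z):
    """Voter's check of the transcript (a, e, z) against the intended vote v."""
    x1, x2 = statement(C, v)
    return (pow(G, z, P) == a[0] * pow(x1, e, P) % P
            and pow(pk, z, P) == a[1] * pow(x2, e, P) % P)

def simulate(pk, C, v_claimed, e):
    """SHVZK simulator: choose z first, then solve for a. No witness r is needed."""
    x1, x2 = statement(C, v_claimed)
    z = secrets.randbelow(Q)
    a = (pow(G, z, P) * inv(pow(x1, e, P)) % P,
         pow(pk, z, P) * inv(pow(x2, e, P)) % P)
    return a, e, z

class Committee:
    """Election committee side of the Vote rounds (a single party here; the
    joint encryption and the multi-signature on C are left out)."""

    def __init__(self):
        self.sk, self.pk = keygen()

    def encrypt_and_commit(self, v, cmt, encrypt_as=None):
        # encrypt_as models a dishonest committee that encrypts another option.
        self.cmt = cmt
        self.r, self.k = secrets.randbelow(Q), secrets.randbelow(Q)
        C = encrypt(self.pk, v if encrypt_as is None else encrypt_as, self.r)
        return C, (pow(G, self.k, P), pow(self.pk, self.k, P))

    def respond(self, e, rand):
        # Answer only the challenge the voter committed to before seeing a.
        if commit(e, rand) != self.cmt:
            raise ValueError("opening does not match cmt, abort")
        return (self.k + e * self.r) % Q

def cast(ec, v, e, encrypt_as=None):
    """Run one Vote exchange; returns (ballot C, transcript, voter accepts?)."""
    rand = secrets.token_bytes(16)
    C, a = ec.encrypt_and_commit(v, commit(e, rand), encrypt_as)
    z = ec.respond(e, rand)
    return C, (a, e, z), verify(ec.pk, C, v, a, e, z)

if __name__ == "__main__":
    ec = Committee()
    # An honest voter draws e from Z_Q; e = 0 (probability 1/Q) is skipped here
    # because it is the one challenge a dishonest committee can answer.
    e = 1 + secrets.randbelow(Q - 1)
    C, transcript, ok = cast(ec, v=1, e=e)
    print("honest committee, voter accepts:", ok)
    print("ballot decrypts to:", decrypt(ec.sk, C, range(3)))
    print("committee encrypts option 2 instead, voter accepts:",
          cast(ec, v=1, e=e, encrypt_as=2)[2])
    fake = simulate(ec.pk, C, 2, e)
    print("simulated transcript for option 2 on the same ballot verifies:",
          verify(ec.pk, C, 2, *fake))
```

Because a transcript for an option the ballot does not contain can be simulated, (a, e, z) convinces only the voter who chose e in advance and is of no use as a receipt for a third party.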
Tally . The election committee runs
to verify every received ballot along with its authentication pair. Any invalid ballot is discarded. Then, it verifies whether each valid ballot is a double vote by executing
for every
that has been utilised before, and execute
to reveal the identity of the double-voting voter.
The election committee then jointly decrypts all valid ballots using (ske) and computes the final election result (result). The election committee creates zero-knowledge proof using ske. Finally, the election committee submits
to the bulletin board and the final election result is publicly verifiable.
6.2 Security analysis
We present a security analysis to demonstrate that the proposed e-voting scheme satisfies the relevant security requirements outlined in Theorems 2 to 6, specifically confidentiality, anonymity, unforgeability, coercion-resistance, and CAI verifiability, as follows:
- Confidentiality: If the underlying PKE scheme satisfies IND-CCA, then our proposed e-voting scheme ensures confidentiality.
- Anonymity: If the underlying anonymous authentication scheme (EOLTAA) is anonymous, then our proposed e-voting scheme guarantees anonymity.
- Unforgeability: If the underlying authentication scheme (EOLTAA) is unforgeable, then our proposed e-voting scheme upholds unforgeability.
- Coercion-resistance: If the underlying PKE scheme satisfies IND-CCA, the commitment scheme satisfies the binding property, and the sigma protocol satisfies the special honest-verifier zero-knowledge property, then our proposed e-voting scheme ensures coercion-resistance.
- CAI Verifiability: If our proposed e-voting scheme ensures anonymity, as demonstrated in Theorem 2, it also guarantees CAI verifiability, as demonstrated in Theorem 1.
Note that our scheme does not require a direct proof (i.e., a detailed proof) because its security follows from our previous work on the transformation framework from e-voting to e-cheque [30]. The key benefit of the proposed transformation framework is that it significantly reduces the complexity of proving security. Specifically, by leveraging the security relationships among e-voting, e-auction, e-cheque, and e-cash in terms of security definitions and requirements, we can derive new schemes from existing ones without starting from scratch, with the assurance that the transformed scheme inherits the security guarantees of the underlying scheme or building block.
6.2.1 Confidentiality.
Theorem 2. Let APKE = {Setup, Identification, Validation} represent the secure EOLTAA scheme and PKE scheme. Let e-voting = {Register, Vote, Tally} represent the e-voting scheme. If the underlying APKE scheme is -indistinguishability under chosen-ciphertext attacks (IND-CCA), then the e-voting scheme is
-IND-CBAA, where
Here, represents the number of vote queries, qa represents the number of authentication queries,
represents the non-negligible advantage in breaking IND-CCA in APKE,
represents the non-negligible advantage in breaking IND-CBAA in e-voting, n represents a negligible function parameterised by
, and t represents the attack completion time.
Proof: Assume A2 is an Adversary who -compromises the IND-CBAA security of the e-voting scheme, and
is the Adversary who
-compromises the IND-CCA security of the APKE scheme. We aim to demonstrate that APKE scheme is not
-secure by showing how A1 can utilise A2 to
-compromise the IND-CCA security of APKE. In this scenario, A1 runs A2 as a subroutine while simulating its attack environment.
The APKE Challenger gives (Params,upk,usk,Cert) to A1. These keys and certificate (upk,usk,Cert) are generated from the EOLTAA scheme. We allow A1 to possess the (upk,usk,Cert) of the EOLTAA scheme, enabling it to simulate the Vote and Tally oracles for A2. Although A1 has access to (upk,usk,Cert) from the EOLTAA scheme, this does not provide an advantage in breaking the IND-CCA security. After this, A1 gives Params to A2 and completes the Registration phase.
During the Training phase, A2 sends a vote query to A1 which represents the Vote oracle from A2’s perspective. Here, A1 takes
, encrypts m to generate
to obtain C, and creates
for C. A1 then returns the result
to A2. After that, A2 submits a tally query as Bal to A1. At this point, A1 assigns
and uses the Decrypt oracle to simulate the tallying process for A2. Specifically, A1 passes
to the Decrypt oracle to check its validity. The oracle provides the decryption result and A1 retrieves the validation result from the decryption result and returns the validation result whether it is invalid or valid to A2.
Eventually, A2 concludes the Training phase and initiates the Identification phase. During this phase, A2 selects and
and gives them to A1. A1 assigns
and randomly chooses a bit
. A1 generates
and obtains Cb from mb and creates
for Cb. A1 then assigns
. A1 delivers Balb as the challenge in IND-CBAA to A2. With a probability
, A2 guesses the correct value of
. A1 takes A2’s guess as its own guess. Since
, A1 successfully compromises the IND-CCA security.
Given that A1 accurately simulates the environment, we conclude that and
, as required. In this setup, A1 runs in time t, while A2 runs in time
.
6.2.2 Anonymity.
Theorem 3. Let APKE = {Setup, Identification, Validation} represent the secure EOLTAA scheme and PKE scheme. Let e-voting = {Register, Vote, Tally} represent the e-voting scheme. If the underlying APKE is -anonymous, then the e-voting scheme is
-IND-CVA, where
Here, represents the number of vote queries, qa represents the number of authentication queries,
represents the non-negligible advantage in breaking the anonymity in APKE,
represents the non-negligible advantage in breaking IND-CVA in e-voting, n represents a negligible function parameterised by
, and t represents the attack completion time.
Proof: Assume A2 is an Adversary who -compromises the IND-CVA security of the e-voting scheme, and
is the Adversary who
-compromises the anonymity security of the APKE scheme. We aim to demonstrate that APKE scheme is not
-secure by showing how A1 can utilise A2 to
-compromise the anonymity security of APKE scheme. In this scenario, A1 runs A2 as a subroutine while simulating its attack environment.
The APKE Challenger gives to A1. These keys
are generated from the PKE scheme. We allow A1 to possess the
of the PKE scheme, enabling it to simulate the Vote and Tally oracles for A2. Although A1 has access to
from the PKE scheme, this does not provide an advantage in breaking the anonymity security. After this, A1 gives Params to A2 and completes the Registration phase.
During the Training phase, A2 sends a vote query to A1 which represents the Vote oracle from A2’s perspective. Here, A1 takes
, encrypts m to generate
to obtain C, and creates
for C. A1 then returns the result
to A2. After that, A2 submits a tally query as Bal to A1. At this point, A1 assigns
and uses the Decrypt oracle to simulate the tallying process for A2. Specifically, A1 passes
to the Decrypt oracle to check its validity. The oracle provides the decryption result and A1 retrieves the validation result from the decryption result and returns the validation result whether it is invalid or valid to A2.
Eventually, A2 concludes the Training phase and initiates the Identification phase. During this phase, A2 issues v* to A1. A1 assigns and obtains Cb by encrypting m* where
. A1 creates
for Cb. A1 then assigns
. A1 delivers Balb as the challenge in IND-CVA to A2. With a probability ε′ ≤ 1/2 + n(k), A2 correctly guesses b′. A1 takes A2’s guess as its own guess. Since b′ = b, A1 successfully compromises the anonymity security.
Given that A1 accurately simulates the environment, we conclude that ε = ε′ and t′, as required. In this setup, A1 runs in time t, while A2 runs in time t′.
6.2.3 Unforgeability.
Theorem 4. Let APKE = {Setup, Identification, Validation} represent the secure EOLTAA scheme and PKE scheme. Let e-voting = {Register, Vote, Tally} represent the e-voting scheme. If the underlying APKE is -unforgeable, then the e-voting scheme is
-EUF-CVA, where
Here, represents the number of vote queries, qa represents the number of authentication queries,
represents the non-negligible advantage in breaking the anonymity in APKE,
represents the non-negligible advantage in breaking EUF-CVA in e-voting, n represents a negligible function parameterised by
, and t represents the attack completion time.
Proof: Assume A2 is an Adversary who -compromises the EUF-CVA security of the e-voting scheme, and
is the Adversary who
-compromises the unforgeability security of the APKE scheme. We aim to demonstrate that APKE scheme is not
-secure by showing how A1 can utilise A2 to
-compromise the unforgeability security of APKE scheme. In this scenario, A1 runs A2 as a subroutine while simulating its attack environment.
The APKE Challenger gives to A1. These keys
are generated from the PKE scheme. We allow A1 to possess the
of the PKE scheme, enabling it to simulate the Vote and Tally oracles for A2. Although A1 has access to
from the PKE scheme, this does not provide an advantage in breaking the unforgeability security. After this, A1 gives Params to A2 and completes the Registration phase.
During the Training phase, A2 sends a vote query to A1 which represents the Vote oracle from A2’s perspective. Here, A1 takes
, encrypts m to generate
to obtain C, and creates
for C. A1 then returns the result
to A2. After that, A2 submits a tally query as Bal to A1. At this point, A1 assigns
and uses the Decrypt oracle to simulate the tallying process for A2. Specifically, A1 passes
to the Decrypt oracle to check its validity. The oracle provides the decryption result and A1 retrieves the validation result from the decryption result and returns the validation result whether it is invalid or valid to A2.
Eventually, A2 concludes the Training phase and initiates the Forging phase. During this phase, A2 forges Bal* and issues Bal* as its answer to A1, A1 assigns and takes A2’s guess as its own guess. With a probability ε′ ≤ n(k), A2 correctly forges Bal*. Since Bal* is valid, then
is valid, A1 successfully compromises the unforgeability security.
Given that A1 accurately simulates the environment, we conclude that and
, as required. In this setup, A1 runs in time t, while A2 runs in time
.
6.2.4 Coercion-resistance.
Theorem 5. Let PKE = {PKE.KeyGen, PKE.Encrypt, PKE.Decrypt}, Commitment = {Setup, Commit, Open} and - protocol = {Commit, Challenge, Response} represent the secure public key encryption scheme, secure commitment scheme and secure
-protocol respectively. Let e-voting = {Register, Vote, Tally} represent the e-voting scheme. If the underlying PKE scheme is IND-CCA, Commitment satisfies binding property and
-protocol satisfies special honest-verifier zero-knowledge property, then the e-voting scheme satisfies coercion-resistance.
Proof: Lemmas 1, 2 and 3 prove Theorem 5.
Lemma 1. Let PKE = {PKE.KeyGen, PKE.Encrypt, PKE.Decrypt} represent the secure public key encryption scheme. Let e-voting = {Register, Vote, Tally} represent the e-voting scheme. If the underlying PKE scheme is -IND-CCA, then the e-voting scheme is
-coercion-resistance, where
Here, represents the number of vote queries, qe represents the number of encrypt queries,
represents the non-negligible advantage in breaking IND-CCA in PKE,
represents the non-negligible advantage in breaking coercion-resistance in e-voting, n represents a negligible function parameterised by
, and t represents the attack completion time.
Proof: Theorem 2 proved that if there exists a secure PKE scheme that is IND-CCA, then there exists a secure e-voting scheme that is IND-CBAA. From Theorem 5, if the underlying PKE scheme is IND-CCA, then the e-voting scheme satisfies coercion-resistance. This completes the proof.
Lemma 2. Let Commitment = {Setup, Commit, Open} represent the secure commitment scheme with binding property. If the underlying Commitment is -binding, then the e-voting scheme is
-coercion-resistance, where
Here, represents the number of vote queries, qcom represents the number of commitment queries,
represents the non-negligible advantage in breaking binding property in Commitment,
represents the non-negligible advantage in breaking coercion-resistance in e-voting, n represents a negligible function parameterised by
, and t represents the attack completion time.
Proof: Assume A2 is an Adversary who -compromises the coercion-resistance security of the e-voting scheme, and
is the Adversary who
-compromises the binding property of the Commitment scheme. We aim to demonstrate that Commitment scheme is not
-secure by showing how A1 can utilise A2 to
-compromise the binding property of Commitment scheme. In this scenario, A1 runs A2 as a subroutine while simulating its attack environment.
The Commitment Challenger gives to A1. These keys
are generated from the PKE scheme. We allow A1 to possess the
of the PKE scheme, enabling it to simulate the Vote and Tally oracles for A2. Although A1 has access to
from the PKE scheme, this does not provide an advantage in breaking the coercion-resistance security. After this, A1 gives Params to A2 and completes the Registration phase.
During the Training phase, A2 sends a vote query to A1 which represents the Vote oracle from A2’s perspective. Here, A1 takes
, computes a commitment cmt and corresponding opening value
on m, encrypts m to generate
to obtain C, and creates
for C. A1 then returns the result
to A2. After that, A2 submits a tally query as Bal to A1. At this point, A1 assigns
and uses the Decrypt oracle to simulate the tallying process for A2. Specifically, A1 passes
to the Decrypt oracle to check its validity. The oracle provides the decryption result and A1 retrieves the validation result from the decryption result and returns the validation result whether it is invalid or valid to A2.
Eventually, A2 concludes the Training phase and initiates the Identification phase. During this phase, A2 issues to A1. A1 assigns
, where
and only one of them contained v*. A1 computes cmt and corresponding opening values randb for the same cmt. A1 obtains Cb by encrypting m* and generates
for Cb. A1 returns
and
as the challenge to A2. With a probability
, A2 can identify that
and verification of b, b′ return true. A1 takes A2’s guess as its own guess. Since
and b, b′ return true, A1 successfully compromises the coercion-resistance security.
Given that A1 accurately simulates the environment, we conclude that and
, as required. In this setup, A1 runs in time t, while A2 runs in time
.
Lemma 3. Let -protocol = {Commit, Challenge, Response} represent the secure
-protocol with special honest-verifier zero-knowledge property. If the underlying
-protocol is
-special honest-verifier zero-knowledge, then the e-voting scheme is
-coercion-resistance, where
Here, represents the number of vote queries,
represents the number of challenge queries,
represents the non-negligible advantage in breaking the special honest-verifier zero-knowledge in
-protocol,
represents the non-negligible advantage in breaking coercion-resistance in e-voting, n represents a negligible function parameterised by
, and t represents the attack completion time.
Proof: Assume A2 is an Adversary who -compromises the coercion-resistance security of the e-voting scheme, and
is the Adversary who
-compromises the special honest-verifier zero-knowledge of the
-protocol. We aim to demonstrate that
-protocol is not
-secure by showing how A1 can utilise A2 to
-compromise the special honest-verifier zero-knowledge of
-protocol. In this scenario, A1 runs A2 as a subroutine while simulating its attack environment.
The -protocol Challenger gives
to A1. These keys
are generated from the PKE scheme. We allow A1 to possess the
of the PKE scheme, enabling it to simulate the Vote and Tally oracles for A2. Although A1 has access to
from the PKE scheme, this does not provide an advantage in breaking the coercion-resistance security. After this, A1 gives Params to A2 and completes the Registration phase.
During the Training phase, A2 sends a vote query to A1 which represents the Vote oracle from A2’s perspective. Here, A1 takes
, encrypts m to generate
to obtain C, and creates
for C, and runs
-protocol to obtain transcript (a,e,z) on public input
. A1 then returns the result
to A2. After that, A2 submits a tally query as Bal to A1. At this point, A1 assigns
and uses the Decrypt oracle to simulate the tallying process for A2. Specifically, A1 passes
to the Decrypt oracle to check its validity. The oracle provides the decryption result and A1 retrieves the validation result from the decryption result and returns the validation result whether it is invalid or valid to A2.
Eventually, A2 concludes the Training phase and initiates the Identification phase. During this phase, A2 issues to A1. A1 computes C*, generates
on C*, and runs
-protocol to receive transcript (a*,e*,z*) on
. A1 returns
and (a*,e*,z*) as the real view to A2. Based on the special honest-verifier zero-knowledge of
-protocol, if a simulator exists that takes x and random challenge e, it can produce a simulation view (a valid transcript
) that is indistinguishable to (equal as probability distributions) the real view (a*,e*,z*) with a probability
, A2 can simulate same view as A1’s view, A1 uses A2’s answer as its guess. Since the simulation view
is indistinguishable from real view (a*,e*,z*), A1 successfully compromises the coercion-resistance security.
Given that A1 accurately simulates the environment, we conclude that and
, as required. In this setup, A1 runs in time t, while A2 runs in time
.
6.2.5 Cast-As-Intended (CAI) verifiability.
Theorem 6. The coercion-resistant e-voting scheme proposed above has CAI verifiability.
Proof: From Theorem 1, it is proven that IND-CVA implies IND-CAI, and the proposed scheme is secure against IND-CVA as proven in Theorem 3. So, the proposed scheme is IND-CAI secure.
6.3 Correctness
The correctness of our e-voting scheme follows from the correctness of its cryptographic building blocks:
- Public Key Encryption (PKE): Given a correctly generated key pair
, decryption recovers the original vote.
- Multi-Signature Scheme (MS): The signature
on Ci is valid if and only if it is produced by all signers, ensuring that ballots are verifiably issued by the election committee.
- Commitment Scheme: The binding and hiding properties ensure that the committed value cannot be altered or revealed prematurely.
- Sigma Protocol: The transcript (a,e,z) guarantees that the voter correctly follows the proof of knowledge protocol without revealing r.
- EOLTAA Scheme: The authentication proof
ensures that only registered voters can submit ballots, and the linking mechanism prevents duplicate voting.
- Final Tally: The correctness of decryption and verification ensures that all votes are accurately counted, and the zero-knowledge proof guarantees correctness without revealing private information. Specifically, the Tally phase ensures that all valid votes are included in the final election result:
- Verification: The election committee verifies each ballot using
to check its validity and
to detect double votes. Any invalid or duplicate votes are discarded.
- Decryption: The election committee uses
to decrypt each valid ciphertext Ci, recovering the original vote v and randomness r. The correctness of PKE guarantees that decryption is consistent with encryption:
(12)
- Result Computation: The election result
is computed by aggregating the decrypted votes. The correctness of the multi-signature scheme ensures that the signature
for each vote was valid, confirming the integrity of the decryption process.
- Zero-Knowledge Proof: The election committee generates a zero-knowledge proof
to demonstrate the correctness of the tally process without revealing sensitive information.
Thus, the final election result satisfies public verifiability, ensuring that any third party can verify the accuracy of the tally without compromising voter privacy.
This correctness guarantees that the proposed e-voting scheme operates securely and reliably.
7 Result
Table 1 shows the comparison analysis of our scheme with the existing coercion-resistant e-voting schemes while Table 2 shows the comparison on the computation cost of our scheme compared to the existing coercion-resistant e-voting schemes.
We observed that our scheme provided the most comprehensive security requirements, incorporating CAI verifiability within a coercion-resistance setting, as shown in Table 1. Most of the coercion-resistance schemes proposed in the literature conflict with CAI verifiability, as discussed in the Introduction. Another distinctive feature of our scheme is that, despite offering the richest security requirements, the computational cost for the Vote and Tally algorithms remains linear (O(n)). Furthermore, our scheme ensured robust in-protocol coercion-resistance, which is achieved through prevention rather than detection. Prevention is more effective as it proactively addresses coercion, eliminating the problem before it occurs, and safeguarding voters’ freedom and autonomy from the start. In contrast, detection only addresses coercion after it has already taken place. Prevention mechanisms can be integrated directly into the system design, ensuring that the voting process is secure from the outset. Detection mechanisms, however, typically rely on monitoring or auditing, which may not always be effective and are prone to loopholes or false negatives. Additionally, prevention is often more efficient in the long term, as it avoids the need for complex detection and auditing processes. Detection systems may require extensive surveillance, legal processes, and additional resources to identify and act on instances of coercion.
In addition, we observed that the proposed scheme by Chen et al. [17] has the same computational cost for the Vote and Tally algorithms as our proposed scheme from Table 2. The main difference between our scheme and Chen et al.’s [17] is that we incorporate CAI verifiability in our Vote algorithm, whereas their scheme does not satisfy CAI verifiability in the coercion-resistant setting. Additionally, our scheme offers a more robust in-protocol coercion-resistance. We primarily highlight the significant differences between our scheme and Chen et al.’s [17] in terms of the voter’s role, the approaches to achieving coercion-resistance and technical mechanisms employed, and the overall security models and assumptions as follows:
The Voter’s Role in Coercion-Resistance:
- In Chen et al.’s [17] coercion-resistant protocol, the voter actively participates by embedding subliminal information (PIN and subliminal messages) to resist coercion. However, this approach requires the voter to take action after being coerced, and the coercion is detected after the voting phase.
- In our proposed scheme, the voter’s interaction is fully secure during the voting process itself. The cryptographic protocol ensures that even if the voter is coerced, they cannot reveal their vote to the coercer, thus preventing coercion from occurring in the first place.
Mechanism and Coercion Discovery (Detection vs. Prevention):
- Chen et al. [17] focuses on detecting coercion after the voting process. The AAC analyses the subliminal message during the dispute phase to uncover the true intent of the voter. Coercion is not directly prevented during the voting phase, but if coercion is suspected, it can be revealed after the AAC analyses the subliminal messages.
- Our scheme focuses on preventing coercion during the voting process. We build coercion-resistance directly into the voting protocol through cryptographic commitments, multi-signature verification, and zero-knowledge proofs. The voter’s interaction with the election committee is secure, and the voter cannot be forced to reveal a verifiable vote, making coercion much harder to execute.
Security Models and Assumptions:
- Chen et al.’s [17] scheme assumes the presence of a trusted AAC that will act during a post-election phase to resolve disputes using subliminal messages. It also relies on subliminal communication channels for the voter to transmit additional covert information about their true vote.
- Our proposed scheme is based on the hardness of cryptographic assumptions. The voter’s choices are hidden through commitments and zero-knowledge proofs, making it impossible for an adversary (coercer) to extract or force the voter’s true choice during or after the protocol.
8 Conclusion
We presented a provably secure coercion-resistant e-voting scheme and proved that our proposed e-voting scheme possesses the security properties of confidentiality, anonymity, unforgeability, and CAI verifiability with asymptotic complexity of O(n). We also proved that anonymity implies CAI verifiability for e-voting schemes. By enhancing the security and privacy guarantees of the existing e-voting scheme, we believe that we address the shortcomings of the current system and our comprehensive security models can be a useful reference for the design of future e-voting schemes.
The limitation of this work is that it focuses solely on the interactive communication between the election committee and the voter during the execution of the voting protocol, ensuring that the encryption of the voter’s choice accurately reflects their intent. The development of a non-interactive voting protocol that also achieves coercion-resistance remains an open challenge and is left as a direction for future research. Besides that, our proposed coercion-resistant e-voting scheme could be extended to satisfy post-quantum security requirements. Current public key encryption schemes are vulnerable to adversaries equipped with quantum computing capabilities. Lattice-based cryptography appears to be the most promising approach to address this challenge. For instance, a suitable public key encryption scheme could be constructed using the Ring Learning With Errors (RLWE) problem. The sigma protocol could be replaced with a lattice-based zero-knowledge interactive system, while a lattice-based commitment scheme offers a strong candidate for a quantum-safe commitment mechanism. However, these suggestions serve only as a foundational concept for a post-quantum coercion-resistant e-voting scheme. A more in-depth investigation would be required to fully explore and realise this idea. Additionally, we plan to implement the proposed scheme to assess its practical performance and computational efficiency in real-world scenarios.
References
- 1. Kho Y-X, Heng S-H, Chin J-J. A Review of Cryptographic Electronic Voting. Symmetry. 2022;14(5):858.
- 2. Cortier V, Gaudry P, Yang Q. Is the JCJ voting system really coercion-resistant?. Cryptology ePrint Archive. 2022.
- 3. Finogina T, Herranz J. On remote electronic voting with both coercion resistance and cast-as-intended verifiability. Journal of Information Security and Applications. 2023;76:103554.
- 4. Haines T, Müller J, Querejeta-Azurmendi I. Scalable Coercion-Resistant E-Voting under Weaker Trust Assumptions. In: Proceedings of the 38th ACM/SIGAPP Symposium on Applied Computing. ACM. 2023. 1576–84. https://doi.org/10.1145/3555776.3578730
- 5. Juels A, Catalano D, Jakobsson M. Coercion-resistant electronic elections. In: Proceedings of the 2005 ACM Workshop on Privacy in the Electronic Society. ACM. 61–70.
- 6. Li P, Lai J. Lat-voting: traceable anonymous e-voting on blockchain. Network and System Security: 13th International Conference NSS 2019 Proceedings. Sapporo, Japan: Springer. 2019. p. 234–54.
- 7. Li P, Lai J, Wu Y. Event-oriented linkable and traceable anonymous authentication and its application to voting. Journal of Information Security and Applications. 2021;60:102865.
- 8. Lueks W, Querejeta-Azurmendi I, Troncoso C. Voteagain: A scalable coercion-resistant voting system. In: Proceedings of the 29th USENIX Security Symposium (USENIX Security 20). 2020. 1553–70.
- 9. Zaghloul E, Li T, Ren J. d-BAME: Distributed Blockchain-Based Anonymous Mobile Electronic Voting. IEEE Internet Things J. 2021;8(22):16585–97.
- 10. Smyth B. A verifiable, coercion-resistant voting system with linear complexity. Cryptology ePrint Archive. 2019.
- 11. Aranha DF, Battagliola M, Roy L. Faster coercion-resistant e-voting by encrypted sorting. Cryptology ePrint Archive. 2023.
- 12. Grontas P, Pagourtzis A, Zacharakis A, Zhang B. Towards everlasting privacy and efficient coercion resistance in remote electronic voting. Financial cryptography and data security: FC 2018 international workshops, bitcoin, voting, and WTSC, Nieuwpoort, Curaçao, March 2, 2018, revised selected papers. Berlin: Springer. 2019. p. 210–31.
- 13. Estaji E, Haines T, Gjøsteen K, Rønne P, Ryan P, Soroush N. Revisiting practical and usable coercion-resistant remote e-voting. In: Electronic voting: 5th international joint conference, E-Vote-ID 2020, Bregenz, Austria, October 6–9, 2020, proceedings 5. Springer. 2020. 50–66.
- 14. Rønne P, Atashpendar A, Gjøsteen K, Ryan P. Short paper: Coercion-resistant voting in linear time via fully homomorphic encryption: Towards a quantum-safe scheme. In: Financial Cryptography and Data Security: FC 2019 International Workshops, VOTING and WTSC. Springer. 2020. 289–98.
- 15. Spadafora C, Longo R, Sala M. A coercion-resistant blockchain-based E-voting protocol with receipts. AMC. 2023;17(2):500–21.
- 16. Giustolisi R, Garjan M. Efficient cleansing in coercion-resistant voting. In: International Joint Conference on Electronic Voting. Springer. 2024. 72–88.
- 17. Chen T, Liu C, Ou Y, Huang Y, Wu Z. An improved and efficient coercion-resistant measure for electronic voting system. Int J Inf Secur. 2024;:1–18.
- 18. Elhabob R, Eltayieb N, Xiong H, Kumari S. Equality test on identity-based encryption with cryptographic reverse firewalls for telemedicine systems. IEEE Internet Things J. 2024.
- 19. Elhabob R, Eltayieb N, Xiong H, Khan F, Bashir AK, Kumari S. Equality test public key encryption with cryptographic reverse firewalls for Cloud-based e-commerce. IEEE Trans Consum Electron. 2024;2024.
- 20. Hadabi A, Qu Z, Elhabob R, Kumar S, Yeh K-H, Kumari S, et al. Proxy re-encryption with plaintext checkable encryption for integrating digital twins into IIoT. Computers and Electrical Engineering. 2024;116:109164.
- 21. Wang L, Lin Y, Yao T, Xiong H, Liang K. FABRIC: Fast and Secure Unbounded Cross-System Encrypted Data Sharing in Cloud Computing. IEEE Trans Dependable and Secure Comput. 2023;20(6):5130–42.
- 22. Xiong H, Qu Z, Huang X, Yeh K. Revocable and unbounded attribute-based encryption scheme with adaptive security for integrating digital twins in internet of things. IEEE J Sel Areas Commun. 2023.
- 23. Ciampi M, Persiano G, Scafuro A, Siniscalchi L, Visconti I. Improved or-composition of sigma-protocols. In: Theory of Cryptography: 13th International Conference, TCC 2016-A, Tel Aviv, Israel, January 10-13, 2016, Proceedings, Part II. Springer. 2016. 112–41.
- 24. Ciampi M, Parisella R, Venturi D. On adaptive security of delayed-input sigma protocols and Fiat-Shamir NIZKs. In: Security and Cryptography for Networks. Springer. 2020. 670–90.
- 25. Zhang M, Chen Y, Yao C, Wang Z. Sigma protocols from verifiable secret sharing and their applications. In: Int Conf Theory Appl Cryptol Inf Secur. Springer. 208–42.
- 26. Butler D, Lochbihler A, Aspinall D, Gascón A. Formalising Σ-Protocols and Commitment Schemes Using CryptHOL. J Autom Reasoning. 2020;65(4):521–67.
- 27. Kılınc AH, Burdges J. Two-round trip schnorr multi-signatures via delinearized witnesses. In: Advances in Cryptology–CRYPTO 2021: 41st Annual International Cryptology Conference, CRYPTO 2021, Virtual Event, August 16–20, 2021, Proceedings, Part I. Springer. 2021. 157–88.
- 28. Ma C, Weng J, Li Y, Deng R. Efficient discrete logarithm based multi-signature scheme in the plain public key model. Des Codes Cryptogr. 2009;54(2):121–33.
- 29. Ak M, Hanoymak T, Selçuk AA. IND-CCA secure encryption based on a Zheng–Seberry scheme. Journal of Computational and Applied Mathematics. 2014;259:529–35.
- 30. Kho Y-X, Heng S-H, Tan S-Y, Chin J-J. Transformation from e-voting to e-cheque. PLoS One. 2024;19(6):e0302659. pmid:38900761