A Review of Cryptographic Electronic Voting

: A vast number of e-voting schemes including mix-net-based e-voting, homomorphic evoting, blind signature-based e-voting, blockchain-based e-voting, post-quantum e-voting, and hybrid e-voting have been proposed in the literature for better security and practical implementation. In this paper, we review various e-voting approaches to date. We ﬁrst compare the structures, advantages, and disadvantages of the different e-voting approaches. We then summarise the security properties of the e-voting approaches in terms of their functional requirements and security requirements. In addition, we provide a comprehensive review of various types of e-voting approaches in terms of their security properties, underlying tools, distinctive features, and weaknesses. We also discuss some practical considerations in the design of e-voting systems. Subsequently, some potential research directions are suggested based on our observations. pre-voting phase, voting phase, and post-voting phase. comparison was conducted on the speciﬁc schemes in each approach. We also discussed some practical


Introduction
Electronic voting (e-voting) is an electronic system that allows users to make a collaborative decision or vote for candidates in an election. It handles the registration of voters, input of vote, vote casting, vote encryption, the transmission of the ballot to the server, vote storing, vote counting, and tabulation of the election result. The e-voting system can be used in various applications such as punched cards, smart cards, direct-recording e-voting systems (DRE), optical scan systems, and computers connected to the Internet. The e-voting system offers more accurate election results, faster result tabulation, minimises human errors, more convenience towards disabled or handicapped people, and self-tallying election results [1]. However, according to Peng [2] and Oo and Aung [3], e-voting faces challenges of scalability for large-scale elections, security challenges, unpredictable malfunctions of servers, and others. Some people feel uncomfortable adopting e-voting systems due to voter privacy as voter identity might be disclosed. The most important security properties to preserve as mentioned by Peng [2] and Sebé et al. [4] are the privacy of the voter, fairness, receipt-freeness, coercion-resistance, individual verifiability, universal verifiability, robustness, double-voting prevention, etc. Thus, many researchers have proposed schemes to enhance the security of e-voting systems and put e-voting systems in practice. In this paper, we focus on conventional approaches which cover mix-net-based e-voting, homomorphic e-voting, and blind signature-based e-voting, and latest developments which cover blockchain-based e-voting, post-quantum e-voting, and hybrid e-voting. We aim to draw a bigger picture of past and present e-voting scheme developments to provide readers with an overview of various e-voting approaches, in terms of their structure, advantages, and disadvantages. We then aim to provide a comprehensive review of each e-voting approach in terms of its security properties, underlying tools, distinctive features, and weaknesses. We also discuss some critical practical considerations in the design of e-voting systems. Finally, we conclude our analysis with some potential future research directions.

Structure of e-Voting System
The structure of e-voting systems consists of three phases [6], namely, pre-voting, prevoting, and post-voting. The processes in the pre-voting phase include the nomination of candidates, computation of the list of candidates, registration of voters, and computation of the list of eligible voters. Eligible voters cast their ballots during the voting phase. The postvoting phase mainly deals with the counting of votes and announcing the election results. Figure 1 shows the general structure of mix-net-based e-voting, homomorphic e-voting, blind signature-based e-voting, blockchain-based e-voting, and post-quantum e-voting in the pre-voting phase, voting phase, and post-voting phase.

Advantages and Disadvantages of Various e-Voting Approaches
The summary presented in Table 1 are compiled from the works of [2,4,[7][8][9][10][11][12][13][14]. As observed from the comparison analysis in Table 1, it is worth mentioning that hybrid schemes are more practical and efficient than other approaches. A hybrid scheme refers to the scheme that is constructed by integrating two or more approaches. A hybrid scheme inherits the advantages and security properties of combined cryptographic tools and eliminates the weaknesses of cryptographic tools individually. However, the use of these e-voting approaches varies depending on the application to which they are applied [15]. Therefore, different e-voting approaches may be suited for different applications.  Larger key size than public key algorithms, thus requires more storage space • Large sizes of data for signature and key establishment to be transmitted over communication channels, thus limits the speed of transmission and vulnerable to unforeseen quantum attacks

Organisation of This Paper
We review the security properties for a secure e-voting system in Section 2. We discuss some common cryptographic preliminaries in Section 3. We review various approaches of e-voting schemes in Section 4. We discuss some practical considerations in the design of e-voting systems in Section 5. We provide potential research directions based on our observations in Section 6. Finally, we conclude our results in Section 7.
• Encryption: Bob encrypts message m with the public key of Alice. Bob first converts m into the element of G and selects a random r ∈ Z * q . Second, he computes d = m · y r and c = g r . The cryptogram is a tuple (c, d).
• Decryption: Alice uses her private key to decrypt (c, d) by computing m = d c x in G. ElGamal cryptosystem supports (t, k) threshold secret sharing scheme. Paillier cryptosystem. The computational hardness is based on the factoring problem. It has three algorithms, namely, Key generation, Encryption and Decryption.
• Key generation: Let N = pq where N is RSA modulus and p, q are the prime integers. Let g be the integer order of multiple of N modulo N 2 . The private key, x = λ(N), where λ(N) = lcm((p − 1)(q − 1)) and the public key, y = (N, g).

•
Encryption: Let m ∈ Z n as the plaintext message, select x ∈ Z * n randomly and generate the ciphertext, c = g M x N mod N 2 .
• Decryption: Compute m = L(c λ(N) mod N 2 L(g λ(N) mod N 2 mod N to decrypt c, where L -function takes set S N = {u < N 2 | u = 1 mod N} as the input and output (u) = u−1 N . Cryptography over an elliptic curve. A public key cryptosystem can be constructed over a prime order subgroup of a group of points on elliptic curve and the computational hardness is based on the discrete logarithms problem. An elliptic curve E over a finite field Z p can be defined by Secret sharing scheme. An election scheme with a single authority may corrupt the election results. This problem can be solved by introducing multi-authorities to share the secret such as the decryption key. There are variants of secret sharing schemes.

•
(t, k) threshold secret sharing scheme proposed by Shamir [23], a secret is shared among k authorities where t ≤ k. This scheme required a trusted party T to compute the shared-key generation protocol to generate the private key X = K −1 , publish the public key and compute k shares for the private key. T sends a share x i to the authority via private communication channels. t or more honest authorities are required to submit their shares to be combined and construct the private key. The private key can resist collusion up to t − 1 corrupt and k − 1 dishonest authorities. • Verifiable secret sharing scheme proposed by Chor et al. [24], trusted party T distributedly implementing by k authorities themselves with increase in the communication and computation. The verification of the protocol can only be done by k authorities; thus, any dispute requires a trusted third party to resolve. • Publicly verifiable secret sharing scheme (PVSS) proposed by Schoenmakers [25], the verification of the correctness of each protocol can be conducted by any external party. This scheme provides the dispute-freeness property.

Homomorphic encryption. Given
can be obtained without decrypting m 1 and m 2 .
Homomorphic signcryption. Zhang et al. [26] first proposed a homomorphic signcryption scheme. This scheme combines homomorphism and signcryption, thereby allowing voters to encrypt and sign a ballot in a single step. The scheme consists of six algorithms, namely, Setup, Key Generation for Receiver (KeyGenR), Key Generation for Sender (KeyGenS), Signcrypt, Unsigncrypt, and Verification.  [27] allows the signer to sign on the message in such a way that anyone can verify that the signature is signed by a signer from the signer group but cannot identify the real signer. This signature scheme enjoys the property of anonymity; no one can identify the identity of the real signer except for the signer himself. A linkable ring signature was first proposed by Liu et al. [28]. In addition to the ring signature scheme, this scheme enables anyone to identify whether the two signatures are signed by the same signer. Linking can be performed by linking authority in the escrowed linkable ring signature scheme. The linkability tag is encrypted with probabilistic encryption and cannot prove the non-authorship of others' signatures. In e-voting, a linkable ring signature can prevent double-voting and the escrowed linkable ring signature can detect the dishonest voting authority. • Blind signature: It enables one to sign the message without revealing any information about the message, thus guaranteeing anonymity. There are five algorithms in this signature scheme, namely, Key Generation, Blinding, Signing, Unblinding, and Verification.
-Key Generation: Compute the private key and public key of the signer. Lattices. Lattice L is a set of points in n− dimensional space, typically R n with periodic structure, the two conditions are as follows [29].

•
It is an additive subgroup: 0 ∈ L and ∀x, y ∈ L − x, x + y ∈ L. • It is discrete: ∀x ∈ L, there exists a neighbourhood of x in R n such that x is the only point of the lattice.
The common lattice computational problems are as follows [30].

Review of Various e-Voting Approaches
In this section, we perform a comprehensive review on various e-voting approaches and discuss the development of each approach. We also provide a comparison analysis of the different schemes under each approach in terms of their structure, security properties, underlying tools, distinctive features, and weaknesses. Please note that the weaknesses summarised in Tables 2-7 are presented to the best of our knowledge based on the available information from the existing literature. Further study is required to be conducted in order to find out if there exists any possible weakness in some other mentioned schemes. Mix-net-based e-voting was first proposed by Chaum [21], the function of mix-net is to create an anonymous channel for anonymous communication. It is a trusted third party that breaks the link (shuffles) between the sender, recipient and the message, thus eavesdropping does not work in this case. In the e-voting scheme, it breaks the link between voters and their ballots. As highlighted by Jakobsson et al. [31], mix-net should be robust, guarantee privacy and operate correctly.
Mix-net schemes have two categories, decryption mix-net and re-encryption mix-net. The first proposed mix-net was decryption mix-net by Chaum [21]; it is a simple RSA decryption mix-net. Every mix server contains a key pair; the sender encrypts the message iteratively with the public keys of mix servers reversely (onion encryption). The first mix server decrypts the outer layer of the ciphertexts, shuffles it, and passes the result to the next server. The second mix server repeats the same process as the first mix server. The process is completed if all the mix servers perform the process simultaneously. The encryptions were all removed and the messages were posted in random order.
The second type of mix-net is the re-encryption mix-net proposed by Park et al. [32] based on randomisation. It has two phases: mixing and decryption phases. In the mixing phase, the encrypted messages are shuffled and re-encrypted. In the decryption phase, the output is decrypted from the mixing phase. The server in the mixing and decryption phases can be either a different server or the same server. The proposed scheme of Park et al. [32] works as follows: the ElGamal cryptosystem is used in the proposed re-encryption mix-net. Several trustees share the key pair and the sender encrypts the message with the public key of the trustees. The first mix server re-encrypts the encrypted message of the sender, shuffles it, and sends it to the next mix servers. All the mix servers repeat the same process once. The results were posted in random order. The presence of decryption process depends on different applications. The recently proposed schemes mostly employed the re-encryption mix-net in the e-voting system as it is more efficient, robust and flexible. Re-encryption mix-net is more lightweight than the decryption mix-net as the input message is encrypted only once with a public key, whereas in the decryption mix-net, the input message is encrypted iteratively (onion encryption). In addition, the reencryption mix-net has an advantage over the decryption mix-net in terms of its robustness. In a re-encryption mix-net, a single faulty mix does not affect the election process, unlike in a decryption mix-net. This is because of the re-encryption step in the mixing phase of the re-encryption mix-net. During the mixing phase of the re-encryption mix-net, the inputs are mixed and re-encrypted. However, in the decryption mix-net, a fixed set of mixes is required to be selected and to provide their keys in advance of voting, which leads to the decryption mix-net prompting failure to complete the election process if a single faulty mix exists.
According to Lee et al. [7], the decryption mix-net and re-encryption mix-net can be further categorised into optimistic mix-net and verifiable mix-net based on their correctness proof. In an optimistic mix-net, each mix server will not generate its proof of correct shuffling and the proof is generated as a whole after the plaintext shuffling results are produced by the mix-net. The limitations of the optimistic mix-net are that the malicious mix server cannot be detected instantly and plaintext shuffling results are generated even if the shuffling is inaccurate. While in verifiable mix-net, each mix server will generate its proof of correct shuffling after the shuffling operation. Peng [2] pointed out that verifiable mix-nets have low efficiency and optimistic mix-nets have weak robustness and are vulnerable to attack against privacy via malicious mix-nets. Table 2 shows the detailed comparison of mix-net based e-voting schemes since 1994.   Voters are able to prove their votes to coercers; no real-time troubleshooting protocols that can withstand integrity attacks [58] Park et al. [32] improved the efficiency of the mix-net based e-voting scheme proposed by Chaum [21]. However the Park et al. [32]'s scheme was broken by Pfitzmann [33]. Ogata et al. [59] then improved the Park et al. [32] scheme.

Comparison Analysis
Sako and Kilian [19] proposed the first receipt-free mix-net-based e-voting, Michels and Horster [34] performed cryptanalysis on the proposed scheme of Sako and Kilian [19] and proved that the Sako and Kilian [19] scheme has robustness and privacy problems.
Aditya et al. [40] modified both Lee et al. [7]'s scheme from verifiable mix-net to optimistic mix-net and Golle et al. [60]'s optimistic mix-net scheme to offer receipt-freeness. The modified schemes are then combined to form an efficient receipt-free mix-net-based e-voting scheme.
Chaum [38] proposed a voter-verifiable e-voting scheme that provides maximum transparency while preserving vote secrecy using visual cryptography. The Prêt à Voter scheme was proposed by Ryan [39], which employed onion encryption to guarantee privacy of the voter. It is an end-to-end verifiable paper-based scheme that issues the voter a receipt after receiving the voter's vote; thus, the voter can verify that the vote is not altered. This proposed scheme replaced visual cryptography in the Chaum [38] scheme with an encoded vote in two aligned columns of paper strips.
Juels et al. [43] introduced the first coercion-resistance mix-net-based e-voting scheme. Civitas [48] was the first e-voting scheme that satisfied both verifiability and coercionresistance. The construction of Civitas was based on the construction of Juels et al. [43]. Spycher et al. [44] claimed that Juels et al. [43]'s scheme is impractical to implement due to the poor efficiency in removing duplicated and illegal votes. Spycher et al. [44] solved the efficiency problem in Juels et al. [43]'s scheme while maintaining the same security properties and trust assumptions. Spycher et al. [44] employed a linear time scheme to remove duplicated votes and implement an electoral roll to identify illegal votes.
Adida [61] proposed a web-based open audit e-voting scheme, namely, Helios 1.0, which is based on Benaloh [62]'s scheme. However, the mix-net integrity proof cannot be directly verifiable and the verification cost is high due to the implementation of zeroknowledge interactive proof in the setting. Thus, Helios 1.0 is not efficient in large-scale elections. Chang et al. [55] improved Helios 1.0 by employing a more easy mix-net integrity proof and faster computations in the mixing phase. The proposed scheme is called Apollo. Bulens et al. [51] proposed a variant of Helios that uses a mix-net-based tallying method.
Rønne et al. [57] proposed an end-to-end verifiable e-voting scheme, namely Selene. The scheme was designed for use in the voting booth at the polling station using paper ballots. The system employed a smartcard-based public-key scheme to achieve verifiability. The authors left the security model with analysis and proofs for future work. Potential future work will also include user experience, usability testing, and exploring the postal version of the voting scheme.

Scheme Development
Homomorphism allows the tallier to operate on ciphertext without decrypting it. For example, suppose there are E K (m 1 ) and E K (m 2 ) , then E K (m 1 m 2 ) can be obtained, can be either modular addition ⊕ or modular multiplication ⊗ . There are two types of homomorphic schemes: partially homomorphic and fully homomorphic. A partially homomorphic encryption scheme performs only addition operations on ciphertext. The Paillier cryptosystem [63], RSA cryptosystem [64] and ElGamal cryptosystem [65] are common choices for partially homomorphic schemes. However, ElGamal encryption distributed key generation is more efficient than the Paillier encryption scheme when the same security is required [66]. ElGamal is most often used in homomorphic encryption e-voting schemes due to its exponential form for achieving an additive homomorphism, whereas a fully homomorphic scheme was first proposed by Gentry [67]. A fully homomorphic encryption scheme can perform both addition and multiplication operations on the ciphertexts.
Homomorphic e-voting consists of two variants, additive ⊕ homomorphism first proposed by Cohen and Fischer [68] and multiplicative ⊗ homomorphism first proposed by Peng et al. [69]. Homomorphic e-voting is suitable for small-scale elections (YES/NO elections). The difference between additive homomorphic e-voting and multiplicative homomorphic e-voting schemes is in the tallying phase. In the additive homomorphic e-voting tallying phase, it recovers the sum of votes for the candidates: E(m 1 )E(m 2 ) = E(m 1 + m 2 ) . No vote is decrypted. In the multiplicative homomorphic e-voting tallying phase, the ballot is decrypted to recover the product of votes, and the product is then factorised to obtain votes: E(m 1 m 2 ) = E(m 1 )E(m 2 ) . Table 3 shows the detailed comparison of homomorphic e-voting schemes since 1986. Benaloh [71] Robustness, Verifiability Probabilistic Encryption, Threshold Decryption Multi-authority election Rely on r-th residuosity assumptions, once the assumption is broken, the ballots can be decrypted [22]   The homomorphic e-voting scheme proposed by Cohen and Fischer [68] was the first end-to-end verifiable scheme, but the scheme did not satisfy vote secrecy as the government could read any of the votes. Benaloh and Tuinstra [73], Cramer et al. [22] and Hirt and Sako [75] further improved the scheme of Cohen and Fischer [68].

Comparison Analysis
Benaloh and Tuinstra [73] first introduced receipt-freeness in homomorphic e-voting based on the assumption of a voting booth. Hirt and Sako [75] claimed that in one tallying authority scheme of Benaloh and Tuinstra [73] satisfied receipt-freeness but did not satisfy vote secrecy, while in a multiple tallying authority scheme, it maintained vote secrecy but did not satisfy receipt-freeness. Hirt and Sako [75] improved the scheme by introducing the physical assumption of a one-way secret communication channel between voters and authorities.
Lee and Kim [77] proposed receipt-free e-voting by employing honest verifier to verify the validity of the first ballot of the voter and provide a randomisation service. The proposed scheme was constructed based on the Cramer et al. [22] scheme. However, the malicious honest verifier can falsify the result of the vote, the voter can cast an invalid vote with the assistance of the malicious honest verifier and the voter can obtain the voting receipt as the voter chooses the hash value for the first ballot. The value can serve as the receipt, which faces the same attack as the Benaloh and Tuinstra [73] scheme. Hirt [78] fixed the issues in the Lee and Kim [77] scheme by introducing a third party randomiser to replace the honest verifier.
Magkos et al. [79] proposed a receipt-free e-voting scheme using a tamper-resistance smartcard and the proposed scheme was based on the scheme proposed by Cramer et al. [22]. However, the scheme faced the same issues as Benaloh and Tuinstra [73] and Lee and Kim [77]. Lee and Kim [76] fixed the issue in Magkos et al. [79]'s scheme by introducing a tamper-resistant randomiser (TRR). The voter encrypts the vote via an interactive protocol using the TRR. Thus, the voter loses its randomness.
Peng et al. [69] noticed a limitation in all additive homomorphic e-voting schemes. The decryption key must be shared among talliers. The implementation of key generation in a distributed manner is inefficient for practical additive homomorphic encryption and requires a strong trust. It is impractical to implement in e-voting scheme. Thus, Peng et al. [69] proposed a multiplicative homomorphic e-voting scheme to overcome this limitation.
Bernhard et al. [86] claimed that the Helios 1.0 e-voting scheme did not fulfil vote privacy. Bernhard et al. [86] improved vote privacy in Helios 3.0, while maintaining the system architecture and trust assumptions.
Zhang et al. [26] first introduced homomorphic signcryption in an e-voting system. The security of the scheme was not tested properly because it does not verify the signature; it only verifies the encryption part and only a single authority to tally the election result. According to the concept proposed by Zhang et al. [26], Fan et al. [93] implemented a distributed homomorphic signcryption e-voting scheme called DHS-voting. This scheme can verify the signatures in less time and the election results can be tallied by anyone.
Microsoft developed an e-voting system used in voting booths, namely ElectionGuard. The system supports end-to-end verifiable elections and is an open-source software development kit freely available on GitHub [94]. The system uses ElGamal, homomorphic tallying, and sigma protocols to allow universal verifiability without adversely affecting privacy [95].

Scheme Development
A blind signature is a specially featured digital signature. The message was blinded before the message was signed. It was first proposed by Chaum [96] for an untraceable payment system. Fujioka et al. [97] first implemented a blind signature in an e-voting system. Blind signature-based e-voting allows the voter to blind his vote; thus, the voting authority can validate the vote without knowing the value. There are various types of blind signatures, such as threshold blind signatures and identity-based blind signatures. The threshold blind signature scheme avoids single point failure and thus enhances robustness. The process is repeated N times among the entities. It assumes at least t replicated works where the threshold t must be more than 1 and less than N . The signing process on blind message is carried out by each of the N entities and only if the message is signed by t entities is it considered a valid signature. An identity-based blind signature was first proposed by Zhang and Kim [98]. Kumar et al. [99] subsequently implemented an identity-based blind signature in an e-voting system. In this setting, the proposed system issues the receipt to the voter and the voting information can serve as proof. However, this may cause vote selling.
However, e-voting schemes that employ blind signatures as the underlying tools suffer from the abstaining voter problem [100], and it is challenging to design a blind signature system that does not allow a corrupted election authority to add votes of its choice. This problem could be resolved by employing multi-authority e-voting scheme so that the single corrupt authority does not have the power to control the entire election process [101,102]. Table 4 shows the detailed comparison of blind signature-based e-voting schemes since 1996.   Okamoto [105] improved the proposed scheme of Okamoto [104] as [104] did not provide a formal definition and formal proof for receipt-freeness. Although Benaloh and Tuinstra [73]'s scheme defined the formal definition of receipt-freeness, it did not fit in the Okamoto [104] proposed scheme.

Comparison Analysis
Ohkubo et al. [103] improved the blind signature-based e-voting scheme of Fujioka et al. [97]. In the Fujioka et al. [97] scheme, the voter is required to join the election from the registration phase to the counting phase. Ohkubo et al. [103] enhanced the convenience of voters so that voters could leave the election once they cast their votes.
Xia and Schneider [8] claimed that the non-transferable proof employed in the schemes proposed by Hirt and Sako [75], Magkos et al. [79], Lee and Kim [76] and Lee et al. [7] only verified the ballot recording process, but not the ballot counting process. Xia and Schneider [8] introduced the security properties of individual verifiability and the secret ballot technique introduced by Chaum et al. [41] to the proposed scheme of Okamoto [104] to allow the voter to verify both the ballot recording process and ballot counting process with the receipt-freeness property by employing a two-way untappable channel assumption between administrator and voters and the one-way untappable channel between the voter and counter.
Cetinkaya and Levent Koc [110] overcame the privacy issue in DynaVote proposed by Cetinkaya and Doganaksoy [42]. Cetinkaya and Levent Koc [110] introduced the collector authority to minimise the power of the counter. Secondly, Cetinkaya and Levent Koc [110] replaced DateTime in the originally proposed scheme to sequence numbers to ease and enhance the efficiency of the recast process in the counting phase.
Nguyen and Dang [52] claimed that the schemes proposed by Juels et al. [43], Cetinkaya and Doganaksoy [42] and Spycher et al. [44] did not fulfil coercion-resistance. The adversaries can collude with the voter and voting authorities to learn how the voter votes and if the voter follows their instructions in the Cetinkaya and Doganaksoy [42] scheme, while the adversaries can communicate with the registrars in the schemes of Juels et al. [43] and Spycher et al. [44]. Furthermore, the [105] scheme implemented an untappable channel as the physical assumptions are impractical to implement over the Internet. Nguyen and Dang [52] proposed a system that overcame the drawbacks mentioned above and could defect powerful adversaries that colluded with voting authorities and the protocol claimed to be faster and more efficient.
Kumar et al. [99] extended Kumar et al. [114]'s scheme to ensure anonymity of the voter and enhanced the functional variant of the digital signature. In Kumar et al. [114]'s scheme, the identity-based blind signature scheme inherits the key escrow problem and is not suitable for large scale networks. Kumar et al. [99] adopted the short signature scheme proposed by Boneh et al. [125] to fulfil the integrity of votes with a smaller size for the ballot. In e-voting, blockchain stores cast ballots [13] where the votes stored in the blockchain cannot be deleted or altered. Blockchain is immutable as each block consists of a previous block hash, thus all blocks are linked. However, blockchain-based e-voting is immature as it has not been fully implemented in a large-scale election [128]. There are also inadequate testing tools to test whether blockchain-based e-voting is superior to current e-voting systems in terms of security, computation, communication, storage, etc.
Liu and Wang [129] stated that some of the proposed schemes involve a trusted third party because it is simple to control and implement in the system, but a powerful trusted third party in the e-voting system might corrupt the system. The integration of e-voting with blockchain technology can be implemented without a trusted third party and guarantees verifiability and anonymity. Furthermore, the blockchain is transparent, thus the entire election process is transparent to the public, and this offers validity and fairness.
However, blockchain-based e-voting introduces additional problems to e-voting systems [130,131]. Despite the fundamental security issues of elections that can be solved by introducing blockchain technology into voting systems, this also imposes new difficulties on the system. The decentralised nature of blockchain significantly increases the complexity of the system [130]. This leads to difficulties in managing the system, and more time is required to resolve or deploy the security fixes in a decentralised system. Ballots stored in a blockchain are difficult to verify and require software for the verification process. Verifiability can be deceived if the software is compromised. Thus, software independence is difficult to achieve if ballots are stored in the blockchain [131].
Furthermore, the immutability of blockchains is a significant challenge to the integrity of voting systems. In a scenario such as the alteration of a voter's vote before reaching the blockchain, the voter is unaware of this alteration, which causes an incorrect tally result in the voting system [131].
In addition, a permissioned blockchain does not satisfy the verifiability requirements of e-voting. Voters cannot read or verify whether their votes are included in the final tally. Moreover, there are key management issues in a permissioned blockchain [130].
For example, Voatz is a blockchain-based mobile voting application deployed in West Virginia to allow the overseas military to vote in US midterm elections in 2018 [132,133]. The system has serious vulnerabilities that allow the adversary to monitor the vote casting process and modify or stop ballots on a large scale without the awareness of election authorities and voters.
Therefore, the suitability of employing blockchain in current e-voting systems requires extensive study to propose a secure and efficient blockchain-based e-voting scheme. Table 5 shows the detailed comparison of blockchain-based e-voting schemes since 2017.  Self-tallying and decentralised blockchain-based e-voting was first proposed by Mc-Corry et al. [134] using smart contracts in Ethereum. The proposed scheme did not involve a trusted third party in the tally phase to maximise the privacy of voters.

Comparison Analysis
Srivastava et al. [147,148] proposed a model that can be integrated into any e-voting approach using PHANTOM, which is a blockchain protocol proven to be secure under any throughput that the network can support and secure against dishonest blocks. PHANTOM uses a directed acyclic graph of blocks that is suitable for large and fast blocks. Thus, the number of voters can be in millions. However, the proposed model is encouraged to be implemented in voting booths rather than in IoT devices to avoid malware and virus attacks.
The Chaieb and Yousfi [137] scheme was constructed based on the Araujo and Traore [149] scheme inspired by the Juels et al. [43]'s scheme. Both the schemes of Juels et al. [43] and Araujo and Traore [149] are mix-net based. Chaieb and Yousfi [137] combined the Araujo and Traore [149] scheme with blockchain technology.
Zhou et al. [138] improved the Fujioka et al. [97] blind signature-based e-voting scheme using blockchain technology and replaced the trusted third party with a smart contract. The proposed scheme is more practical and versatile and minimises the trust assumptions. The implementation of post-quantum cryptography in e-voting schemes is a new research direction and few have implemented it in e-voting. Fully homomorphic encryption and lattice-based cryptography are common tools used to construct a post-quantum evoting system. Post-quantum cryptography is based on different hardness assumptions, e.g., multivariate linear equations and lattices [12].
The security of schemes based on computational complexity/classical assumptions is not secure in terms of quantum attacks owing to the advancement of quantum computers on the horizon [150]. Example of computational hardness is the discrete logarithm problem, factoring problem, Diffie-Hellman problem, elliptic curve discrete logarithm problem, etc. Table 6 shows the detailed comparison of post-quantum e-voting schemes since 2016. Gentry [67] proposed the first fully homomorphic encryption method based on latticebased cryptography. Chillotti et al. [151] first combined the LWE fully homomorphic encryption scheme with Helios. Helios is a homomorphic e-voting system. The proposed scheme does not require intensive zero knowledge proof to prove that the voter's vote is valid and the decryption of result is correct. Dong and Yang [12] proposed an e-voting scheme based on post-quantum security and physical laws that fulfil the following security properties: completeness, privacy, robustness, unreusability, verifiability, eligibility and fairness. The proposed scheme employs a encrypted no-key (ENK) protocol and message authentication code (MAC). The function of the ENK protocol is to transmit the message in the channel that cannot be attacked by ion-trap quantum computing and the MAC ensures that the message cannot be tampered with by any part.

Comparison Analysis
Rønne et al. [153] introduced a fully homomorphic encryption scheme in the tallying phase of Juels et al. [43]'s e-voting scheme in linear time to enhance the scheme to be quantum resistant.
Kaim et al. [158] improved Fujioka et al. [97]'s scheme by introducing threshold version of the blind signature scheme that can resist quantum attacks and the voter "Vote and Go" concept. The proposed scheme does not implement the intensive zero-knowledge proof.
4.6. Hybrid e-Voting 4.6.1. Scheme Development The hybrid e-voting system combines the advantages of both underlying schemes and building blocks to form an efficient e-voting system. A hybrid e-voting scheme that combines mix-net based e-voting and homomorphic e-voting enjoys the advantages of a homomorphic e-voting scheme that has a simple tallying process along with the advantage of mix-net based e-voting that does not require vote validity checking and supports complex elections.
A hybrid e-voting scheme that combines homomorphic e-voting and blind signaturebased e-voting enjoys the advantage of additive homomorphic property, and the election result is able to tally without performing decryption on the ballots. While the RSA blind signature blinds the identity of the voter and their votes, anonymity is achieved.
According to Lee et al. [7], there is no combination of mix-net based e-voting and blind signature-based e-voting because a blind signature-based e-voting scheme employs an anonymous channel that is implemented using mix-net and a secure mix-net does not need a blind signature. Table 7 shows the detailed comparison of hybrid e-voting schemes since 2004. Aditya [160] combined the vector ballot approach proposed by Kiayias and Yung [159] with multiplicative homomorphic encryption and mix-net to form a hybrid scheme. The proposed scheme accepts write-in ballots.

Comparison Analysis
Peng and Bao [66] claimed that the multiplicative homomorphic e-voting scheme proposed by Peng et al. [69] has weak privacy and is inefficient due to the vote validity checking and overflow of product of votes in the multiplicative modulus, which leads to the failure of factorising process. Invalid votes must be detected and removed before the tallying process to ensure the correctness of the election results. However, vote validity checking is performed using a zero knowledge proof, which is costly. Peng and Bao [66] improved Peng et al. [69]'s scheme by designing a mechanism for vote validity checking represented in prime integers. The second improvement employed a mechanism for vote grouping to solve the overflow of product of votes and to enhance the privacy of the groups by shuffling the groups. Receipt-freeness and coercion-resistance were not the focus of the proposed scheme.

Practical Considerations in e-Voting
According to the technical report presented by National Academies of Sciences, Engineering, and Medicine in 2018 [131], e-voting is a cybersecurity issue that has many factors to be considered before it can be implemented in real-world applications. Cybersecurity is a continuous challenge because adversaries constantly implement new techniques to breach system defences. e-Voting systems connected to the Internet are the most vulnerable to attack via wireless or physical access and during data transmission. All e-voting schemes, including voting at polling stations and remote e-voting, are vulnerable to the following attacks. • Denial-of-service (DoS) attacks. The main goal of DoS attacks is to slow down computer systems and to the extent that it affects the casting of votes, tallying of votes, and the auditing process. • Malware attacks. Malicious software that can disrupt the casting of votes and the auditing process, and alter or destroy stored ballots. • Malicious individuals or servers break into the system to retrieve administrator-level sensitive data such as voters' credentials.
The following are some of the factors that affect an adversary's ability to breach the system.

•
If the system is designed properly. • If the system is configured and updated accordingly. • If the system is operated and managed accordingly. • Resources and skills of potential attackers.
We do not have the technology to offer a secure method to support e-voting at present. The Internet is unsuitable for transmitting ballots, and currently, there is no realistic mechanism to fully secure the casting of votes and tabulation of election results from cyberattacks. In addition, there are no technical mechanisms to guarantee that a computer system can generate accurate results, and each layer of the computer system is not modified. Furthermore, e-voting schemes that deploy emails are more vulnerable than other forms of e-voting because the emails do not utilise a secure channel. Moreover, not all vendors follow the best practices in developing, maintaining, and operating e-voting systems. Therefore, to achieve strong defenses against cyber threats, it is necessary to deploy state-of-the-art technologies and practices and expand new cybersecurity knowledge.

Potential Research Directions
Many current studies rely on strong assumptions, such as perfect random oracles, honest registrars, and honest bulletin boards. Most of the schemes suffer from high computational costs, thus it is desirable to consider developing more lightweight systems that can still satisfy the necessary security properties.
Post-quantum e-voting is still in its initial stages and has not been fully developed. Further research is expected to improve the current results and implement it in a fully practical scenario. Post-quantum e-voting has drawn great attention in recent years to design a system that can resist quantum adversaries. Chillotti et al. [151] first proposed an LWE-based e-voting scheme. The bulletin board in the proposed scheme has an additional function that is required to check whether the ballot is generated correctly before the ballot is cast with an additional secret key. Their proposed scheme relies on the honest bulletin board, which leads to an open problem if the proposed scheme is secure against dishonest bulletin boards and can be improved to be more practical. The scheme proposed by Dong and Yang [12] can be further extended to explore whether the proposed e-voting scheme is secure in quantum computing environments, such as cavity quantum electrodynamics. Rønne et al. [153] employed a fully homomorphic encryption scheme in linear time in the Juels et al. [43]'s coercion-resistance e-voting scheme. The proposed scheme was not supported by a formal security proof to prove that the modified Juels et al. [43] scheme can be secure against classical adversaries.
Meanwhile, further research is expected to analyse, study, and improve the scalability of blockchain-based e-voting systems, such as the implementation of blockchain-based e-voting in large-scale elections, as the current blockchain-based e-voting systems are only implemented in boardroom and small organisation elections [128]. Further research is also expected to improve the computational cost, reduce delays, and high bandwidth. According to Liu and Wang [129], the coercion-resistance property is difficult to fulfill owing to the transparency property of the blockchain. Thus, future research could be carried out to balance the properties of transparency and coercion-resistance.
Additionally, it would be interesting to study blockchain-based e-voting using postquantum algorithms that can resist quantum attacks [136,164]. According to Fernández-Caramés and Fraga-Lamas [165], the challenges of post-quantum blockchain include the key size required for post-quantum cryptosystems which is larger than that required for public-key cryptosystems, typically between 128 and 4096 bits. Moreover, some postquantum schemes restrict the number of messages that can be signed by using a single key for security reasons. Consequently, continuous generation of new keys is required, which leads to high computational resource consumption and slacking of certain blockchain processes.Therefore, further research is required to balance the efficiency of blockchain and key generation and key size issues. Esgin et al. [164] suggested that their proposed post-quantum blockchain scheme can be implemented in privacy preserving applications such as e-voting systems. Gao et al. [136] constructed their scheme with code-based cryptography proposed by McEliece [166], which has not been broken so far, to be secure against quantum attacks.
From the latest works on various e-voting schemes, we observed that the current research trend for e-voting schemes has been diverted towards blockchain technology and post-quantum cryptography. In mix-net-based e-voting, Pinilla [29], Boyen et al. [154], Rønne et al. [153] migrated mix-net-based e-voting to post-quantum cryptography. On the other hand, Gong et al. [135] and Chaieb and Yousfi [137] integrated mix-net with blockchain technology. In homomorphic e-voting, recent studies on post-quantum homomorphic evoting schemes have been conducted by Aziz et al. [152] and Liao [155]. Some studies have proposed homomorphic e-voting with lattice-based cryptography and fully homomorphic encryption because fully homomorphic encryption and lattice-based cryptography are new research directions. In blind signature-based e-voting, recent studies by Liu and Wang [129], Cruz and Kaji [112], and Zhou et al. [138] integrated blind signature-based e-voting with blockchain technology. Kaim et al. [158] proposed a blind signature-based e-voting scheme that can resist quantum attacks.
It is also interesting to find out the possibility of performing generic transformation from e-voting to e-cash and e-voting to e-cheque, as conjectured by Kho and Heng [167]. They showed that e-cash and e-cheque have high similarities with e-voting in terms of their structure and security properties.

Conclusions
We performed a comprehensive comparison analysis between the various e-voting approaches, namely, mix-net based e-voting, homomorphic e-voting, blind signaturebased e-voting, blockchain-based e-voting, post-quantum e-voting, and hybrid e-voting. The development of the respective approaches was reviewed, and a detailed comparison was conducted on the specific schemes in each approach. We also discussed some practical considerations in the design of e-voting systems. Finally, we outlined some potential research directions based on our observations.