#
NetVote: A Strict-Coercion Resistance Re-Voting Based Internet Voting Scheme with Linear Filtering^{ †}

^{1}

^{2}

^{*}

^{†}

## Abstract

**:**

## 1. Introduction

## 2. Related Work and Contributions

#### 2.1. Related Work

#### 2.2. Our Contribution

## 3. Parties and Building Blocks

#### 3.1. Parties and Threat Model

**Ballot privacy**guarantees that an adversary cannot determine more information on the vote of a specific voter than the one given by the final results. In our model, ballot secrecy is achieved assuming a subset of the tellers is honest.**Practical everlasting privacy**assures that ballot secrecy will be maintained with no limit in time. This is, even considering a computationally unbounded adversary, ballot secrecy is not broken. Assuming the certification authority follows the protocol honestly, our construction satisfies, in addition, practical everlasting privacy.**Verifiability**allows any third party to verify that the last ballot per voter is tallied, the adversary cannot include more votes than the number of voters it controls, and that honest ballots cannot be replaced. Assuming that CA is honest, the protocol provides verifiability. This assumption is required to grant voters voting certificates. The existence of a trusted entity creating and assigning authentication credentials to eligible voters is intrinsic in the remote voting scenario.**Strict coercion resistance**allows voters to escape coercion without the coercer noticing. This is, if the voter escapes coercion resistance, the adversary is incapable of detecting it. NetVote satisfies strict coercion given that the tallying server is honest. Note that this assumption is not required for verifiability. However, to reduce the filtering complexity from quadratic to linear, we let TS learn which are the valid votes.

#### 3.2. Building Blocks

## 4. Description of Our Protocol

#### 4.1. Overview

#### 4.2. Pre-Election Phase

**Procedure 1**(Setup)

**.**

- PBB publishes the list of candidates, $\mathcal{C}=\{{C}_{1},\dots ,{C}_{{n}_{C}}\}$, and initialises a counter $\mathsf{Counter}=0$.
- CA, VS and TS generate their key-pairs $(p{k}_{\mathrm{CA}},s{k}_{\mathrm{CA}}),(p{k}_{\mathrm{VS}},s{k}_{\mathrm{VS}})$ and $(p{k}_{\mathrm{TS}},s{k}_{\mathrm{TS}})$ respectively, by calling $\mathsf{KeyGen}(\mathbb{G},g,p)$. They proceed by publishing their public keys in PBB.
- The trustees distributively run $\mathsf{VoteKeyGen}({1}^{\u03f5},k,t)$, where the voting key, $p{k}_{\mathrm{T}}$, is generated, and each trustee owns a share of the private key $s{k}_{{\mathrm{T}}_{i}}$. They proceed by publishing the voting key, $p{k}_{\mathrm{T}}$ in PBB.
- CA takes as input the total number of voters, ${n}_{e}$, and generates random and distinct voting identifiers, $VI{d}_{i}{\leftarrow}_{\$}{\mathbb{Z}}_{p}$ for $1\le i\le {n}_{e}$ with $VI{d}_{i}\ne VI{d}_{j}$ for $i\ne j$. It keeps the relation between $VId$ and voter private. Next, it encrypts all identifiers:$${w}_{i}:=\mathsf{Enc}(p{k}_{\mathrm{TS}},VI{d}_{i})\phantom{\rule{4.pt}{0ex}}\mathrm{for}\phantom{\rule{4.pt}{0ex}}1\le i\le {n}_{e},\phantom{\rule{4.pt}{0ex}}\mathrm{with}\phantom{\rule{4.pt}{0ex}}{r}_{i}{\leftarrow}_{\$}{\mathbb{Z}}_{p}.$$Next, it signs each encrypted identifier, ${w}_{i}$:$${\sigma}_{i}=\mathsf{Sign}(s{k}_{\mathrm{CA}},{w}_{i}).$$Finally, it commits to these values by publishing the pair $({w}_{i},{\sigma}_{i})$ in PBB.

#### 4.3. Election Phase

**Procedure 2**(Certificate generation)

**.**

- The voter authenticates to CA and requests an anonymous certificate generation $\mathsf{ReqCred}\left(auth\right)$.
- CA selects the corresponding encrypted voter identifier, ${w}_{i}$, an randomises the ciphertext by levering the homomorphic property:$$({\Pi}_{R},{w}_{i}^{\prime})=\mathsf{Rand}({w}_{i},{r}_{i}),$$
- CA generates an anonymous certificate, $\mathsf{Cert}\left({w}_{i}^{\prime}\right)=\mathsf{CredGen}\left(\left\{{w}_{i}^{\prime}\right\}\right)$, with ${w}_{i}^{\prime}$ as an attribute, and sends it to the user together with ${w}_{i}$ and the proof of re-encryption ${\Pi}_{R}$,$$\left(\mathsf{Cert}\left({w}_{i}^{\prime}\right),{w}_{i},{\Pi}_{R}\right).$$
- The user verifies that the attribute of the certificate is an encryption of ${w}_{i}$ by verifying ${\Pi}_{R}$. If it is not the first time it casts a vote, it may also verify that it has received the same ${w}_{i}$ during both vote cast phases.

**Procedure 3**(Vote cast)

**.**

- The voter encrypts the chosen candidate, $C\in \mathcal{C}$ and generates a proof of correctness by calling$$(\mathcal{V},\Pi )=\mathsf{VoteEnc}(p{k}_{\mathrm{T}},C)$$$$\sigma =\mathsf{Sign}(s{k}_{C},\mathcal{V}),$$Finally, they send it to VS,$$\left(\mathsf{Cert}\left({w}_{i}^{\prime}\right),\mathcal{V},\Pi ,\sigma \right).$$
- VS verifies that the certificate was issued by the CA, the signature is a valid signature by $\mathsf{Cert}$, and the proofs ensures that the encrypted vote corresponds to a valid candidate:$$\mathsf{CertVerify}(p{k}_{\mathrm{CA}},\mathsf{Cert}\left({w}_{i}^{\prime}\right))=\top \wedge \mathsf{SignVerify}(p{k}_{C},\sigma )=\top \wedge \mathsf{VoteVerify}\left(\right)=\top .$$If everything verifies correctly, it sends the vote to PBB and sends an acknowledgement to the voter.
- PBB augments the counter $\mathsf{Counter}=\mathsf{Counter}+1$ and publishes the vote in the board$$\left(\mathsf{Counter},\mathsf{Cert}\left({w}_{i}^{\prime}\right),\mathcal{V},\Pi ,\sigma \right).$$

**Procedure 4**(Vote verification)

**.**

#### 4.4. Tallying Phase

**Procedure 5**(Public filtering)

**.**

- TS begins stripping the information from the ballot, keeping only the necessary information to proceed the filtering phase, mainly the counter, the encrypted identifier and the encrypted vote, $(\mathsf{Counter},{w}_{i}^{\prime},\mathcal{V})$ and adds them to the PBB.
- Next, the TS decrypts the voter identifier and ads a random number of dummy voters per voter. We describe how the TS chooses the number of voters to add per voter in Section 5. We want the counter to be always less than the counters of honest voters, and hence, TS always adds a dummy with a zero counter. Moreover, every added dummy will have the zero vector and zero randomness, $\mathsf{VoteZEnc}(p{k}_{\mathrm{T}},0)$,$$(0,{w}_{i}^{\u2033},\mathsf{VoteZEnc}(p{k}_{\mathrm{T}},0)).$$
- Next, TS encrypts each of the counters with randomness zero for verification purposes $\mathsf{EncCounter}=\mathsf{Enc}(p{k}_{\mathrm{TS}},i)$ for every counter i, resulting in each entry of PBB as follows:$$({\mathsf{EncCounter}}_{i},{\mathcal{V}}_{i},{w}_{i}^{\prime}).$$
- Now, TS proceeds by performing a verifiable shuffle to all the entries in the bulletin board. Let $B=[{B}_{1},\dots ,{B}_{L}]$ be the stripped ballots with the encrypted counter. It uses a provable shuffle to obtain a shuffled list of ballots, ${B}^{\prime}=[{B}_{1}^{\prime},\dots ,{B}_{L}^{\prime}]$ and a proof of correctness ${\Pi}_{s}$. It appends ${B}^{\prime}$ and ${\Pi}_{s}$ to PBB.
- Next, it proceeds to group encrypted votes cast by the same voters. To achieve this, it proceeds by decrypting each identifier, $VI{d}_{i}=\mathsf{Dec}(s{k}_{\mathrm{TS}},{w}_{i}^{\prime})$ and adding a proof of correct decryption, ${\Pi}_{d}$,$$({\mathsf{EncCounter}}_{i},{\mathcal{V}}_{i},VI{d}_{i},{\Pi}_{d}).$$
- Finally, TS filters the votes by taking the encrypted vote with the higher counter. To do this, it locally decrypts every counter and selects the one with the highest counter. It proceeds by publishing the filtered votes, and together with ${S}_{i}^{G}$ proves that the counter is greater than all the other counters related to votes cast by the same voter, where ${S}_{i}^{G}$ is the number of votes cast by voter ${V}_{i}$. It publishes it in the bulletin board$$({\mathsf{EncCounter}}_{i},{\mathcal{V}}_{i},VI{d}_{i},{\left({\Pi}_{GT,j}\right)}_{j\in {S}_{i}}),$$

**Procedure 6**(Tallying)

**.**

## 5. Including Dummy Votes

- It is straightforward to see why a fixed number of dummies for all voters would not serve the purpose here. So say that a random number of dummies for voter ${V}_{i}$, ${n}_{i,dum}$, is added. If the set where we take ${n}_{dum}$ from is $\mathbb{Z}$, then the overhead would become prohibitive, as there is no upperbound. However, if ${n}_{dum}{\leftarrow}_{\$}{\mathbb{Z}}_{u}$, where u is the upperbound, then with probability $1/u$, ${n}_{i,dum}=u$ which would blow the wistle if voter ${V}_{i}$ decided to re-vote to escape coercion (as now a total of $u+1$ votes would have been added, where not all could have been dummies).

- However, while we want to hide the groups of votes with unusual group sizes (e.g., 1009), we do not need to add an overhead to small groups (which are not prone to receive the 1009 attack). To this end, our solution adds random votes to voters depending on the votes they have cast, following the negative binomial distribution, defined as:$$f(\mu ;\rho ,p):=Pr[X=\mu ]=\left(\genfrac{}{}{0pt}{}{\mu +\rho -1}{\mu}\right){(1-p)}^{\rho}{p}^{\mu}.$$

## 6. Security Analysis

- $\mathsf{Setup}(\mathcal{E},\mathcal{C})$. In the pre-election phase, the scheme runs $\mathsf{Setup}$ to prepare the voting scheme for voting. This protocol takes as input the electoral roll $\mathcal{E}$, the list of all eligible voters, and the list of candidates $\mathcal{C}$.
- $\mathsf{Register}\left(i\right)$. Before casting a vote, voter ${V}_{i}$ run $\mathsf{Register}\left(i\right)$ to obtain a token $\tau $ that allows them to cast a vote.
- $\mathsf{CastVote}(\tau ,C)$. After registering, voters use their token $\tau $ and selected candidate C to cast their vote using the $\mathsf{CastVote}(\tau ,C)$ protocol. The user produces a ballot $\beta $ containing their choice, and interacts with the voting scheme. If the user’s ballot $\beta $ is accepted by the voting scheme, the ballot $\beta $ is added to the public bulletin board.
- $\mathsf{VoteVerify}(\beta ,PBB)$. After casting a vote, voters can verify that the ballot was recorded as cast, i.e., they verify that the vote was successfully stored in $PBB$.
- $\mathsf{Valid}(\beta ,PBB)$. Once the scheme receives a vote, it verifies that it is valid.
- $\mathsf{Tally}\left(\mathcal{B}\right)$. After the voting phase, the voting scheme runs $\mathsf{Tally}$. This protocol takes as input the set $\mathcal{B}$ of ballots on the bulletin board. It filters the votes and outputs an election result, z, and a proof of correctness $\Pi $ of the election results.
- $\mathsf{Verify}(\mathcal{B},z,\Pi )$. Finally, any third party can run $\mathsf{Verify}$. This protocol takes the set $\mathcal{B}$ of ballots, the result, z, the proof of correct tally, $\Pi $, and checks its correctness.

#### 6.1. Ballot Privacy

- $O\mathtt{board}\left(\right)$ which allows the adversary to see the information posted until that moment in the bulletin board. It can call this oracle at any point of the game.
- $O\mathtt{LRvote}(i,{C}_{0},{C}_{1})$ where $\mathcal{A}$ selects two possible candidates, ${C}_{0},{C}_{1}$ for voter ${V}_{i}$. The challenger produces voting tokens $\tau $ and generates one ballot for each candidate, ${\beta}_{0},{\beta}_{1}$. It then places ${\beta}_{0}$ and ${\beta}_{1}$ in ${\mathrm{PBB}}_{0}$ and ${\mathrm{PBB}}_{1}$ respectively. It can call this oracle at any point of the game.
- $O\mathtt{cast}\left(\beta \right)$ where $\mathcal{A}$ has the ability to cast a vote for any voter. The same ballot, $\beta $, is generated for both bulletin boards. It can call this oracle at any point of the game.
- $O\mathtt{tally}\left(\right)$, which allows $\mathcal{A}$ to request the result of the election. To avoid information leakage of the tally result, the result is always counted on ${\mathrm{PBB}}_{0}$, so in the experiment 1, the results and proofs are simulated. It can call this oracle once, and after receiving the answer, $\mathcal{A}$ must output a guess of the bit (representing the world the game is happening in).

Algorithm 1 In the ballot privacy experiment ${\mathtt{Exp}}_{\mathcal{A},\mathcal{V}}^{\mathtt{bpriv},b}$, the adversary $\mathcal{A}$ has access to the oracles $O=\{O\mathtt{LRvote},O\mathtt{cast},O\mathtt{board},O\mathtt{tally}\}$. The adversary controls the tallying server (TS), the voting server (VS) and the certificate authority (CA). It can call $O\mathtt{tally}$ only once. |

1: ${\mathtt{Exp}}_{\mathcal{A},\mathcal{V}}^{\mathtt{bpriv},b}(\u03f5,\mathcal{E},\mathcal{C})$: |

2: $(pk,s{k}_{\mathrm{CA}},s{k}_{\mathrm{TS}},s{k}_{\mathrm{T}})\leftarrow \mathsf{Setup}({1}^{\u03f5},\mathcal{E},\mathcal{C})$ |

3: $b\leftarrow {\mathcal{A}}^{O}(pk,s{k}_{\mathrm{CA}},s{k}_{\mathrm{TS}})$ |

4: Output ${b}^{\prime}$ |

5: $O\mathtt{LRvote}(\tau ,{C}_{0},{C}_{1})$: |

6: Let ${\beta}_{0}=\mathsf{CastVote}(\tau ,{C}_{0})$ and ${\beta}_{1}=\mathsf{CastVote}(\tau ,{C}_{1})$ |

7: If $\mathsf{Valid}({\mathrm{PBB}}_{b},{\beta}_{b})=\perp $ return ⊥ |

8: Else ${\mathrm{PBB}}_{0}\leftarrow {\mathrm{PBB}}_{0}\Vert {\beta}_{0}$ and ${\mathrm{PBB}}_{1}\leftarrow {\mathrm{PBB}}_{1}\Vert {\beta}_{1}$ |

9: $O\mathtt{cast}\left(\beta \right)$: |

10: If $\mathsf{Valid}({\mathrm{PBB}}_{b},\beta )=\perp $ return ⊥ |

11: Else ${\mathrm{PBB}}_{0}\leftarrow {\mathrm{PBB}}_{0}\Vert \beta $ and ${\mathrm{PBB}}_{1}\leftarrow {\mathrm{PBB}}_{1}\Vert \beta $ |

12: $O\mathtt{board}\left(\right)$: |

13: return ${\mathrm{PBB}}_{b}$ |

14: $O\mathtt{tally}\left(\right)$ |

15: $(z,{\Pi}_{0})\leftarrow \mathsf{Tally}({\mathrm{PBB}}_{0},s{k}_{\mathrm{T}})$ |

16: ${\Pi}_{1}=\mathtt{SimTally}({\mathrm{PBB}}_{1},z)$ |

17: return $(z,{\Pi}_{b})$ |

**Definition**

**1.**

`SimTally`such that for all probabilistic polynomial time adversaries $\mathcal{A}$

**Theorem**

**1.**

**Proof.**

**Game**${G}_{0}$:- Let ${G}_{0}$ be ${\mathtt{Exp}}_{\mathcal{A},\mathcal{V}}^{\mathtt{bpriv},0}$ as defined in Algorithm 1 where the adversary has access to the bulletin board ${\mathrm{PBB}}_{0}$.
**Game**${G}_{1}$:- ${G}_{1}$ is defined exactly as ${G}_{0}$ with the exception that the tally proof is simulated. This is, the result is still computed from the votes in ${\mathrm{PBB}}_{0}$, but the proof of tally is simulated. The proofs to be simulated are the shuffle proof in Step 4, the proofs of correct decryption in Step 5, and the proofs of greater or equal relation in Step 6, of Procedure 5. Given that all these proofs are zero-knowledge proofs, they require (in order to have the zero-knowledge property) the existence of a simulator algorithm that generates simulations of the proofs that are indistinguishable from real proofs. We use the random oracle to describe as such our
`SimTally`algorithm.

**Game**${G}_{1}^{i}$:- The difference between ${G}_{1}^{i}$ and ${G}_{1}^{i-1}$ is only one. If ballot ${\beta}_{0}^{i}$ of ${\mathrm{PBB}}_{0}$ differs from ballot ${\beta}_{1}^{i}$ of ${\mathrm{PBB}}_{1}$, it exchanges ${\beta}_{0}^{i}$ by ${\beta}_{1}^{i}$.
**Game**${G}_{2}$:- We define ${G}_{2}$ as ${G}_{1}^{L}$. Note that this view is equivalent to the view of ${\mathtt{Exp}}_{\mathcal{A},\mathcal{V}}^{\mathtt{bpriv},1}$. Hence, all that remains to prove is that this set of transitions of games ${G}_{1}^{i}$ are indistinguishable among each other.

#### 6.2. Practical Everlasting Privacy

- $O\mathtt{RunElection}({V}_{0},{V}_{1},{C}_{0},{C}_{1})$ where the adversary chooses two voters and two candidates and requests the challenger to run the election. The challenger runs the election, by first running the Setup protocol, generating keys for all parties, and distinct random identifiers to each of the voters. It proceeds with the $\mathsf{Register}\left(i\right)$ protocol for each voter, generating voting credentials for each of the voters, then proceeds by casting votes for both voters in both worlds, and, finally, it runs the tally protocol.

Algorithm 2 In the practical everlasting privacy game, ${\mathtt{Exp}}_{\mathcal{A},\mathcal{V}}^{\mathtt{everbpriv},b}\left(\right)$, the adversary $\mathcal{A}$ has access to the oracle $O=\left\{O\mathtt{RunElection}\right\}$. In this scenario, the setup needs to happen inside the oracle, so that the voter identifiers are ‘reset’. |

1: ${\mathtt{Exp}}_{\mathcal{A},\mathcal{V}}^{\mathtt{everbpriv},b}(\u03f5,\mathcal{E},\mathcal{C})$: |

2: $b\leftarrow {\mathcal{A}}^{O}(pk,s{k}_{\mathrm{CA}},s{k}_{\mathrm{TS}},s{k}_{\mathrm{T}})$ |

3: Output ${b}^{\u2033}$ |

4: $O\mathtt{RunElection}(\u03f5,\mathcal{E},\mathcal{C})$: |

5: $(pk,s{k}_{\mathrm{CA}},s{k}_{\mathrm{TS}},s{k}_{\mathrm{T}})\leftarrow \mathsf{Setup}({1}^{\u03f5},\mathcal{E},\mathcal{C})$ |

6: Let ${\tau}_{0}=\mathsf{Register}\left({V}_{0}\right)$ and ${\tau}_{1}=\mathsf{Register}\left({V}_{1}\right)$ |

7: Let ${\beta}_{0}^{b}=\mathsf{CastVote}({\tau}_{0},{C}_{b})$ and ${\beta}_{1}^{b}=\mathsf{CastVote}({\tau}_{1},{C}_{1-b})$. |

8: ${\mathrm{PBB}}_{0}\leftarrow {\mathrm{PBB}}_{0}\Vert {\beta}_{0}^{0}\Vert {\beta}_{1}^{0}$ and ${\mathrm{PBB}}_{1}\leftarrow {\mathrm{PBB}}_{1}\Vert {\beta}_{1}^{1}\Vert {\beta}_{0}^{1}$ |

9: $({z}_{0},{\Pi}_{0})\leftarrow \mathsf{Tally}({\mathrm{PBB}}_{0},s{k}_{\mathrm{T}})$ |

10: $({z}_{1},{\Pi}_{1})\leftarrow \mathsf{Tally}({\mathrm{PBB}}_{1},s{k}_{\mathrm{T}})$ |

11: return $({z}_{b},{\Pi}_{b})$ |

**Definition**

**2.**

**Theorem**

**2.**

**Proof.**

**Game**${G}_{0}$:- This is defined as a run of ${\mathtt{Exp}}_{\mathcal{A},\mathcal{V}}^{\mathtt{everbpriv},0}$ as defined in Algorithm 2, where the adversary has access to the bulletin board ${\mathrm{PBB}}_{0}$.
**Game**${G}_{1}$:- This game is defined exactly as ${G}_{0}$ with the sole exception that now, we change the register phase, and instead run: ${\tau}_{1}=\mathsf{Register}\left({V}_{0}\right)$ and ${\tau}_{0}=\mathsf{Register}\left({V}_{1}\right)$

#### 6.3. Verifiability

- $O\mathtt{register}\left(i\right)$ to get a token for voter ${V}_{i}$.
- $O\mathtt{cast}(i,C)$, to make voter ${V}_{i}$ cast a vote for candidate C.

`Corrupted`, and then honest voters are divided in two groups: (ii) the ones that check that a ballot cast after coercion has been recorded as cast,

`Checked`, and (iii) the ones that do not check their ballots were recorded as cast,

`Unchecked`, and have not been coerced. Similarly, the game tracks which are the candidates that the system is allowed to exchange for each voter,

`AllowedCandidates`. In particular, this list contains the candidates cast during or after the last checked vote cast. In other words, the final tally must contain the last checked vote or a later one.

**Definition**

**3.**

**Theorem**

**3.**

**Proof.**

Algorithm 3 Verifiability game presented by Lueks et al. [29]. In the verifiability game experiment ${\mathtt{Exp}}_{\mathcal{A},\mathcal{V}}^{\mathtt{verif},b}$, the adversary $\mathcal{A}$ has access to the oracles $O=\{O\mathtt{register},O\mathtt{cast}\}$. |

1: ${\mathtt{Exp}}_{\mathcal{A},\mathcal{V}}^{\mathtt{verif},b}(\u03f5,\mathcal{E},\mathcal{C})$: |

2: $(pk,s{k}_{\mathrm{CA}},s{k}_{\mathrm{TS}},s{k}_{\mathrm{T}})\leftarrow \mathsf{Setup}({1}^{\u03f5},\mathcal{E},\mathcal{C})$ |

3: Set $\mathfrak{H}\leftarrow \varnothing $ and $\mathfrak{C}\leftarrow \varnothing $ |

4: $(\mathrm{PBB},z,\Pi )\leftarrow {\mathcal{A}}^{O}(pk,s{k}_{\mathrm{TS}},s{k}_{\mathrm{T}})$ |

5: If $\mathsf{Verify}(\mathrm{PBB},z,\Pi )=\perp $ return 0 |

6: Let $\mathtt{Verified}=\{({i}_{1},{\mathsf{Counter}}_{1}),\dots ,({i}_{{n}_{\nu}},{\mathsf{Counter}}_{{n}_{\nu}})\}$ correspond to checked ballots. |

7: Let $\mathtt{Corrupted}=\left\{i\phantom{\rule{0.277778em}{0ex}}\right|\phantom{\rule{0.277778em}{0ex}}(i,\mathsf{Counter})\in \mathfrak{C}\wedge \forall (i,{\mathsf{Counter}}^{\prime})\in \mathtt{Verified}:{\mathsf{Counter}}^{\prime}<\mathsf{Counter}\}$ |

8: Let $\mathtt{Checked}=\left\{i\phantom{\rule{0.277778em}{0ex}}\right|\phantom{\rule{0.277778em}{0ex}}(i,\_)\in \mathtt{Verified}\}\setminus \mathtt{Corrupted}$ |

9: Let $\mathtt{Unchecked}=\left\{i\phantom{\rule{0.277778em}{0ex}}\right|\phantom{\rule{0.277778em}{0ex}}(i,\_,\_)\in \mathfrak{H}\wedge (i,\_)\notin \mathfrak{C}\}\setminus \mathtt{Checked}$ |

10: Let $\mathtt{AllowedCandidates}\left[i\right]=\left\{C\phantom{\rule{0.277778em}{0ex}}\right|\phantom{\rule{0.277778em}{0ex}}(i,\mathsf{Counter},C)\in \mathfrak{H}\mathrm{s}.\mathrm{t}.\forall (i,{\mathsf{Counter}}^{\prime})\in \mathtt{Verified}:\mathsf{Counter}\ge {\mathsf{Counter}}^{\prime}\}$ |

11: If $\exists \phantom{\rule{0.277778em}{0ex}}{C}_{1}^{V},\dots ,{C}_{{n}_{V}}^{V}\mathrm{s}.\mathrm{t}.{C}_{j}^{V}\in \mathtt{AllowedCandidates}\left[{i}_{j}^{V}\right]$ where $\mathtt{Checked}=\{{i}_{1}^{V},\dots ,{i}_{{n}_{V}}^{V}\}$ |

12: $\exists \phantom{\rule{0.277778em}{0ex}}({i}_{1}^{U},{C}_{1}^{U}),\dots ,({i}_{{n}_{U}},{C}_{{n}_{U}}^{U})\mathrm{s}.\mathrm{t}.{i}_{j}^{U}\in \mathsf{Unchecked},{C}_{j}^{U}\in \mathsf{AllowedVotes}\left[{i}_{j}^{U}\right]$, ${i}_{j}^{U}$ distinct |

13: $\exists \phantom{\rule{0.277778em}{0ex}}{C}_{1}^{B},\dots ,{C}_{{n}_{B}}^{B}\in \mathcal{C}$ s.t. $0\le {n}_{B}\le \left|\mathsf{Corrupted}\right|$ |

14: s.t. $z=\mathsf{Tally}\left({\left\{{C}_{i}^{V}\right\}}_{i=1}^{{n}_{V}}\right)\u2606\mathsf{Tally}\left({\left\{{C}_{i}^{U}\right\}}_{i=1}^{{n}_{U}}\right)\u2606\mathsf{Tally}\left({\left\{{C}_{i}^{B}\right\}}_{i=1}^{{n}_{B}}\right)$ |

15: Then return 0, otherwise return 1 |

16: $O\mathtt{cast}(i,C)$: |

17: $\tau =\mathsf{Register}\left(i\right)$ |

18: Add $(i,\#\mathtt{tokens}(i),C)$ to $\mathfrak{H}$ |

19: Return $\mathsf{CastVote}(\tau ,C)$ |

20: $O\mathtt{register}\left(i\right)$: |

21: Let $\tau =\mathsf{Register}\left(i\right)$ |

22: Add $(i,\#\mathtt{tokens}(i\left)\right)$ to $\mathfrak{C}$ |

23: return $\tau $ |

`Corrupted`. Notice that by the arguments above, the tally procedure cannot include any votes by voters who did not cast a vote. Moreover, only one vote per grouped votes is selected. Hence, it follows that the size of this group is at most the number of corrupted voters, ${n}_{\mathfrak{C}}$. □

#### 6.4. Strict Coercion Resistance

- $O\mathtt{voteDR}({i}_{0},{C}_{0},{i}_{1},{C}_{1})$, to make voter ${V}_{{i}_{0}}$ cast a vote for candidate ${C}_{0}$, and voter ${V}_{{i}_{1}}$ cast a dummy vote for a dummy candidate, 0, in ${\mathrm{PBB}}_{0}$, and to make voter ${V}_{{i}_{1}}$ cast a vote for candidate ${C}_{1}$, and voter ${V}_{{i}_{0}}$ cast a dummy vote for a dummy candidate, 0, in ${\mathrm{PBB}}_{1}$. We use, $\mathsf{Register}\mathsf{Dummy}\left(i\right)$ to denote the dummy registration of voter ${V}_{i}$. Moreover, we denote by $\mathsf{CastVote}\mathsf{Dummy}(\tau ,C)$ the dummy vote cast for candidate C using token $\tau $. The adversary is allowed to make this call multiple times.

- $O\mathtt{register}\left(i\right)$, allows the adversary to register and obtain a token, $\tau $, for voter ${V}_{i}$.
- $O\mathtt{cast}(\tau ,C)$, using a token $\tau $, the adversary can call this oracle to cast a vote for candidate C in ${\mathrm{PBB}}_{0}$ and ${\mathrm{PBB}}_{1}$.
- $O\mathtt{board}\left(\right)$ allows the adversary to see the bulletin board.
- $O\mathtt{tally}\left(\right)$ allows the adversary to compute the tally of the election. It can call this oracle only once.

Algorithm 4 In the strict coercion resistance experiment, ${\mathtt{Exp}}_{\mathcal{A},\mathcal{V}}^{\mathtt{coer},b}(\u03f5,\mathcal{E},\mathcal{C})$, adversary $\mathcal{A}$ has access to oracles $O=\{O\mathtt{voteDR},O\mathtt{cast},O\mathtt{board},,O\mathtt{register},O\mathtt{tally}\}$. It can call $O\mathtt{tally}$ only once. |

1: ${\mathtt{Exp}}_{\mathcal{A},\mathcal{V}}^{\mathtt{coer},b}(\u03f5,\mathcal{E},\mathcal{C})$: |

2: $(pk,s{k}_{\mathrm{CA}},s{k}_{\mathrm{TS}},s{k}_{\mathrm{T}})\leftarrow \mathsf{Setup}({1}^{\u03f5},\mathcal{E},\mathcal{C})$ |

3: ${b}^{\prime}\leftarrow {\mathcal{A}}^{O}(pk,p{k}_{\mathrm{CA}})$ |

4: Output ${b}^{\prime}$ |

5: $O\mathtt{voteDR}({i}_{0},{C}_{0},{i}_{1},{C}_{1})$: |

6: Let ${\tau}_{0}\leftarrow \mathsf{Register}\left({i}_{0}\right)$ and ${\tau}_{1}^{\prime}\leftarrow \mathsf{Register}\mathsf{Dummy}\left({i}_{1}\right)$ |

7: ${\tau}_{1}\leftarrow \mathsf{Register}\left({i}_{1}\right)$ and ${\tau}_{0}^{\prime}\leftarrow \mathsf{Register}\mathsf{Dummy}\left({i}_{0}\right)$ |

8: Let ${\beta}_{0}=\mathsf{CastVote}({\tau}_{0},{C}_{0})$ and ${\beta}_{1}^{\prime}=\mathsf{CastVote}\mathsf{Dummy}({\tau}_{1}^{\prime},0)$ |

9: ${\beta}_{1}=\mathsf{CastVote}({\tau}_{1},{C}_{1})$ and ${\beta}_{0}^{\prime}=\mathsf{CastVote}\mathsf{Dummy}({\tau}_{0}^{\prime},0)$ |

10: If $\mathsf{Valid}({\mathrm{PBB}}_{b},{\beta}_{b})=\perp $ or |

11: $\mathsf{Valid}({\mathrm{PBB}}_{b},{\beta}_{1-b}^{\prime})=\perp $ return ⊥ |

12: Else ${\mathrm{PBB}}_{0}\leftarrow {\mathrm{PBB}}_{0}\Vert {\beta}_{0}\Vert {\beta}_{1}^{\prime}$ and |

13: ${\mathrm{PBB}}_{1}\leftarrow {\mathrm{PBB}}_{1}\Vert {\beta}_{1}\Vert {\beta}_{0}^{\prime}$ |

14: $O\mathtt{register}\left(i\right)$: |

15: Let $\tau \leftarrow \mathsf{Register}\left(i\right)$ |

16: return $\tau $ |

17: $O\mathtt{cast}(\tau ,C)$: |

18: If $\mathsf{Valid}({\mathrm{PBB}}_{0},\beta )=\perp $ or |

19: $\mathsf{Valid}({\mathrm{PBB}}_{1},\beta )=\perp $ return ⊥ |

20: Else ${\mathrm{PBB}}_{0}\leftarrow {\mathrm{PBB}}_{0}\Vert \beta $ and |

21: ${\mathrm{PBB}}_{1}\leftarrow {\mathrm{PBB}}_{1}\Vert \beta $ |

22: $O\mathtt{board}\left(\right)$: |

23:; return ${\mathrm{PBB}}_{b}$ |

24: $O\mathtt{tally}\left(\right)$ |

25: Let $(z,{\Pi}_{0})\leftarrow \mathsf{Tally}({\mathrm{PBB}}_{0},s{k}_{\mathrm{T}})$ |

26: ${\Pi}_{1}=\mathtt{SimTally}({\mathrm{PBB}}_{1},z)$ |

27: return $(z,{\Pi}_{b})$ |

**Definition**

**4.**

`SimTally`such that for all probabilistic polynomial time adversaries $\mathcal{A}$

**Theorem**

**4.**

**Proof.**

`SimTally`algorithm by leveraging the zero-knowledge property of the zero-knowledge proofs used in the tally. Namely,

`SimTally`simulates the proofs of shuffle, decryption, greater than, and finally, the proof of decryption of the added votes (Procedures 5 and 6).

**Game**${G}_{1}$:- This game is defined as ${\mathtt{Exp}}_{\mathcal{A},\mathcal{V}}^{\mathtt{coer},b}(\u03f5,\mathcal{E},\mathcal{C})$ of Algorithm 4. Note that we differ from the proof of ballot privacy in that we do not start with a fixed value of b.
**Game**${G}_{2}$:- Later, we are going to replace all votes by random votes. To this end, in this game, we compute the result taking the decrypted ballots of ${\mathrm{PBB}}_{0}$. Consider the stripped ballots of Step 3 of Procedure 5, $(\mathsf{EncCounter},\mathcal{V},{w}^{\prime})$. It computes the tally of these ballots, $\mathsf{Tally}\left({(\mathsf{EncCounter},\mathcal{V},{w}^{\prime})}_{i=1}^{{n}_{l}}\right)$, where ${n}_{l}$ is the total number of votes cast. It does so by first decrypting $\mathsf{EncCounter},\mathcal{V},{w}^{\prime}$ using $s{k}_{\mathrm{TS}},s{k}_{\mathrm{T}}$ and $s{k}_{\mathrm{TS}}$ respectively. Now, it proceeds by computing the final result by taking the last vote cast per $VI{d}_{i}$. Note that, as the result is always taken from ${\mathrm{PBB}}_{0}$ and the game does not publish these decrypted values, game ${G}_{2}$ is indistinguishable from game ${G}_{1}$.
**Game**${G}_{3}$:- Same as the previous game, but now all zero-knowledge proofs, regardless of b, are replaced by simulations. This is, the proof of shuffle, ${\Pi}_{s}$, of all votes (including the dummies), the proof of correct decryption, ${\Pi}_{d}$, of each identifier, $VI{d}_{i}$, the greater than proofs used to filter all but the last vote, ${\Pi}_{GT,i}$, and finally, the proof of decryption of the final result, ${\Pi}_{z}$.

**Game**${G}_{4}$:- We define ${G}_{4}$ the same as ${G}_{3}$ with the exception that we exchange all ciphertexts ${w}^{\prime}$ in the certificates by random ciphertexts. Note that due to the changes of ${G}_{2}$, the result is correctly calculated from the votes initially in ${\mathrm{PBB}}_{0}$ and hence this does not affect the filtering stage. A hybrid argument reduces the indistinguishability of games ${G}_{4}$ and ${G}_{3}$ to the CPA security of ElGamal encryption. Note that this reduction is possible as we no longer need to decrypt the ciphertexts in the tallying.
**Game**${G}_{5}$:- We follow by replacing all votes cast by $O\mathtt{voteDR}\left(\right)$ by zero votes. Again, following the lines of the ballot privacy proof, the indistinguishability of this step is reduced to the NM-CPA security of ElGamal.
**Game**${G}_{6}$:- To ensure that the filter does not leak information to the coercer, we also replace all ciphertexts generated thereafter. We replace the encryption of the counters, $\mathsf{EncCounter}$, by random ciphertexts. We do the same with all ciphertexts that exit the shuffle. Namely, we replace the shuffled encrypted counters, encrypted votes and encrypted $VId$s. This exchange is possible as we do not need to decrypt the ciphertexts (as of game ${G}_{2}$). Moreover, the indistinguishability of this step follows from the simulation of the zero-knowledge proofs (of game ${G}_{3}$) and the NM-CPA security of the encryption scheme.

## 7. Discussion on the Assumptions of Fake Credentials vs. Re-Voting

- User needs inalienable means of authentication.
- User needs to lie convincingly while being coerced.
- User needs to store cryptographic material securely and privately.
- Coercer needs to be absent during the registration and at some point during the election.

- User needs inalienable means of authentication.
- Coercer needs to be absent at the end of the election.

## 8. Conclusions and Future Work

## Author Contributions

## Funding

## Conflicts of Interest

## Abbreviations

DDH | Decisional Diffie–Hellman |

CPA | Chosen Plaintext Attack |

NM-CPA | Non-Malleability under Chosen Plaintext Attack |

V | Voters |

T | Trustees |

CA | Certificate Authority |

VS | Voting Server |

TS | Tallying Server |

PBB | Public Bulletin Board |

## References

- The Guardian. Dutch Will Count All Election Ballots by Hand to Thwart Hacking. May 2018. Available online: https://www.theguardian.com/world/2017/feb/02/dutch-will-count-all-election-ballots-by-hand-to-thwart-cyber-hacking (accessed on 3 May 2020).
- Reuters. France Drops Electronic Voting for Citizens Abroad Over Cybersecurity Fears. 2017. Available online: http://www.reuters.com/article/us-france-election-cyber-idUSKBN16D233 (accessed on 3 May 2020).
- Hapsara, M.; Imran, A.; Turner, T. E-Voting in Developing Countries. Lect. Notes Comput. Sci.
**2017**, 10141, 36–55. [Google Scholar] [CrossRef] - Electoral-Comission. The Administration of the June 2017 UK General Election. May 2018. Available online: https://www.electoralcommission.org.uk/__data/assets/pdf_file/0003/238044/The-administration-of-the-June-2017-UK-general-election.pdf (accessed on 3 May 2020).
- Chase, J. German Election Could Be Won by Early Voting. May 2018. Available online: http://www.dw.com/en/german-election-could-be-won-by-early-voting/a-40296550 (accessed on 3 May 2020).
- Ministerio del Interior. Voto Desde Fuera de España. 2013. Available online: http://www.infoelectoral.mir.es/voto-desde-fuera-de-espana (accessed on 3 May 2020).
- Ministère de l’Europe et des Affaires étrangères. Vote par Correspondance. May 2018. Available online: https://www.diplomatie.gouv.fr/fr/services-aux-francais/voter-a-l-etranger/modalites-de-vote/vote-par-correspondance/ (accessed on 3 May 2020).
- United Kingdom Government. Completing and Returning Your Postal Vote. May 2018. Available online: https://www.gov.uk/voting-in-the-uk/postal-voting (accessed on 3 May 2020).
- Barker, E.B. SP 800-57. Recommendation for Key Management, Part 1: General. Available online: http://dx.doi.org/10.6028/NIST.SP.800-57pt1r4 (accessed on 3 May 2020).
- Ministerio del Interior. La Subsecretaria Soledad López Explica en el Senado las Características del DNI Electrónico. 2006. Available online: https://goo.gl/r6MVYJ (accessed on 3 May 2020).
- Gimeno, M.; Villamía-Uriarte, B.; Suárez-Saa, V. eEspaña—Informe Anual Sobre el Desarrollo de la Sociedad de la Información en España. 2014. Available online: https://www.proyectosfundacionorange.es/docs/eE2014/Informe_eE2014.pdf (accessed on 3 May 2020).
- Cripps, H.; Standing, C.; Prijatelj, V. Smart health case cards: Are they applicable in the australian context? In Proceedings of the 25th Bled eConference eDependability: Reliable and Trustworthy eStructures, eProcesses, eOperations and eServices for the Future, Bled, Slovenia, 17–20 June 2012. [Google Scholar]
- Hernandez-Ardieta, J.L.; Gonzalez-Tablas, A.I.; De Fuentes, J.M.; Ramos, B. A Taxonomy and Survey of Attacks on Digital Signatures. Comput. Secur.
**2013**, 34, 67–112. [Google Scholar] [CrossRef] - Bernstein, D.J.; Chang, Y.A.; Cheng, C.M.; Chou, L.P.; Heninger, N.; Lange, T.; van Someren, N. Factoring RSA Keys from Certified Smart Cards: Coppersmith in the Wild. Advances in Cryptology—ASIACRYPT’2013. In Proceedings of the 19th International Conference on the Theory and Application of Cryptology and Information Security, Bengaluru, India, 1–5 December 2013; Sako, K., Sarkar, P., Eds.; pp. 341–360. [Google Scholar] [CrossRef] [Green Version]
- Nemec, M.; Sys, M.; Svenda, P.; Klinec, D.; Matyas, V. The Return of Coppersmith’s Attack: Practical Factorization of Widely Used RSA Moduli. In Proceedings of the 24th ACM Conference on Computer and Communications Security (CCS’2017), Dallas, TX, USA, 30 October–3 November 2017; ACM: New York, NY, USA, 2017; pp. 1631–1648. [Google Scholar] [CrossRef] [Green Version]
- Juels, A.; Catalano, D.; Jakobsson, M. Coercion-resistant Electronic Elections. In Proceedings of the 2005 ACM Workshop on Privacy in the Electronic Society; WPES ’05, Alexandria, VA, USA, 7 November 2005; ACM: New York, NY, USA, 2005; pp. 61–70. [Google Scholar] [CrossRef] [Green Version]
- Araújo, R.; Barki, A.; Brunet, S.; Traoré, J. Remote electronic voting can be efficient, verifiable and coercion-resistant. In Financial Cryptography and Data Security—2016 International Workshops, BITCOIN, VOTING, and WAHC; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2016; Volume 9604, pp. 224–232. [Google Scholar] [CrossRef]
- Bursuc, S.; Grewal, G.S.; Ryan, M.D. Trivitas: Voters Directly Verifying Votes. In E-Voting and Identity: Proceedings of the Third International Conference, VoteID 2011, Tallinn, Estonia, 28–30 September 2011; Revised Selected Papers; Kiayias, A., Lipmaa, H., Eds.; Springer: Berlin/Heidelberg, Germany, 2012; pp. 190–207. [Google Scholar] [CrossRef] [Green Version]
- Clark, J.; Hengartner, U. Selections: Internet voting with over-the-shoulder coercion-resistance. In Financial Cryptography and Data Security; Springer: Berlin/Heidelberg, Germany, 2012; pp. 47–61. [Google Scholar] [CrossRef]
- Myers, A.C.; Clarkson, M.; Chong, S. Civitas: Toward a secure voting system. In IEEE Symposium on Security and Privacy; IEEE: Piscataway, NJ, USA, 2008; pp. 354–368. [Google Scholar] [CrossRef] [Green Version]
- Grontas, P.; Pagourtzis, A.; Zacharakis, A.; Zhang, B. Towards everlasting privacy and efficient coercion resistance in remote electronic voting. In Financial Cryptography and Data Security; Zohar, A., Eyal, I., Teague, V., Clark, J., Bracciali, A., Pintore, F., Sala, M., Eds.; Springer: Berlin/Heidelberg, Germany, 2019; pp. 210–231. [Google Scholar] [CrossRef]
- Rønne, P.B.; Atashpendar, A.; Gjøsteen, K.; Ryan, P.Y.A. Short paper: Coercion-resistant voting in linear time via fully homomorphic encryption. In Financial Cryptography and Data Security; Bracciali, A., Clark, J., Pintore, F., Rønne, P.B., Sala, M., Eds.; Springer International Publishing: Cham, Switzerland, 2020; pp. 289–298. [Google Scholar]
- Spycher, O.; Haenni, R.; Dubuis, E. Coercion-resistant hybrid voting systems. Proceedings of Electronic Voting 2010, EVOTE 2010, 4th International Conference, Bregenz, Austria, 21– 24 July 2010; pp. 269–282. [Google Scholar]
- Gjøsteen, K. Analysis of an Internet Voting Protocol; Technical Report. Available online: https://eprint.iacr.org/2010/380.pdf (accessed on 3 May 2020).
- Dimitriou, T. Efficient, Coercion-free and Universally Verifiable Blockchain-based Voting. Comput. Netw.
**2020**, 174, 107234. [Google Scholar] [CrossRef] - Achenbach, D.; Kempka, C.; Löwe, B.; Müller-Quade, J. Improved Coercion-Resistant Electronic Elections through Deniable Re-Voting. USENIX J. Elect. Technol. Syst. JETS
**2015**, 3, 26–45. [Google Scholar] - Locher, P.; Haenni, R.; Koenig, R.E. Coercion-resistant internet voting with everlasting privacy. In Financial Cryptography and Data Security; Springer: Berlin/Heidelberg, Germany, 2016; pp. 161–175. [Google Scholar] [CrossRef]
- Locher, P.; Haenni, R. Verifiable Internet Elections with Everlasting Privacy and Minimal Trust. In E-Voting and Identity; Springer International Publishing: Berlin/Heidelberg, Germany, 2015; pp. 74–91. [Google Scholar] [CrossRef]
- Lueks, W.; Querejeta-Azurmendi, I.; Troncoso, C. VoteAgain: A scalable coercion-resistant voting system. Proceedings of 29th USENIX Security Symposium (USENIX Security 20), Boston, MA, USA, 12–14 August 2020; pp. 1553–1570. [Google Scholar]
- Moran, T.; Naor, M. Receipt-Free Universally-Verifiable Voting with Everlasting Privacy. In Proceedings of the 26th Annual International Conference on Advances in Cryptology; CRYPTO’06, Santa Barbara, CA, USA, 20–24 August 2006; Springer: Berlin/Heidelberg, Germany, 2006; pp. 373–392. [Google Scholar] [CrossRef] [Green Version]
- Querejeta-Azurmendi, I.; Hernández Encinas, L.; Arroyo Guardeño, D.; Hernandez-Ardieta, J.L. An internet voting proposal towards improving usability and coercion resistance. In Advances in Intelligent Systems and Computing, Proceedings of the International Joint Conference: 12th International Conference on Computational Intelligence in Security for Information Systems (CISIS 2019) and 10th International Conference on EUropean Transnational Education (ICEUTE 2019), Seville, Spain, 13–15 May 2019; Martínez-Álvarez, F., Lora, A.T., Muñoz, J.A.S., Quintián, H., Corchado, E., Eds.; Springer: Cham, Switzerland, 2019; Volume 951, pp. 155–164. [Google Scholar] [CrossRef]
- Pedersen, T.P. A Threshold Cryptosystem without a Trusted Party. In Advances in Cryptology—EUROCRYPT’91; Springer: Berlin/Heidelberg, Germany, 1991; Volume 547, pp. 522–526. [Google Scholar] [CrossRef] [Green Version]
- Groth, J. A Verifiable Secret Shuffle of Homomorphic Encryptions. J. Cryptol.
**2010**, 23, 546–579. [Google Scholar] [CrossRef] - Bayer, S.; Groth, J. Efficient Zero-Knowledge Argument for Correctness of a Shuffle. Available online: http://www0.cs.ucl.ac.uk/staff/J.Groth/MinimalShuffle.pdf (accessed on 3 May 2020).
- Goldwasser, S.; Micali, S.; Rackoff, C. The Knowledge Complexity of Interactive Proof-Systems. In STOC ’85: Proceedings of the Seventeenth Annual ACM Symposium on Theory of Computing; Sedgewick, R., Ed.; Association for Computing Machinery: New York, NY, USA, 1985; pp. 291–304. [Google Scholar] [CrossRef] [Green Version]
- Fiat, A.; Shamir, A. How to Prove Yourself: Practical Solutions to Identification and Signature Problems. In Proceedings of the Conference on Advances in Cryptology—CRYPTO ’86; Springer: Berlin/Heidelberg, Germany, 1987; pp. 186–194. [Google Scholar] [CrossRef] [Green Version]
- Camenisch, J.; Stadler, M. Efficient Group Signature Schemes for Large Groups (Extended Abstract). In Proceedings of the Conference 17th Annual International Cryptology Conference, Santa Barbara, CA, USA, 17–21 August 1997; Available online: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.33.1954&rep=rep1&type=pdf (accessed on 3 May 2020).
- Bünz, B.; Bootle, J.; Boneh, D.; Poelstra, A.; Wuille, P.; Maxwell, G. Bulletproofs: Short Proofs for Confidential Transactions and More. In Proceedings of the 2018 IEEE Symposium on Security and Privacy, SP 2018, Proceedings, San Francisco, CA, USA, 21–23 May 2018; IEEE Computer Society: Piscataway, NJ, USA, 2018; pp. 315–334. [Google Scholar] [CrossRef]
- Camenisch, J.; Lysyanskaya, A. A Signature Scheme with Efficient Protocols. In Security in Communication Networks: Proceedings of the Third International Conference, SCN 2002 Amalfi, Italy, 11–13 September 2002; Revised Papers; Cimato, S., Persiano, G., Galdi, C., Eds.; Springer: Berlin/Heidelberg, Germany, 2003; pp. 268–289. [Google Scholar] [CrossRef]
- Brands, S.A. Rethinking Public Key Infrastructures and Digital Certificates: Building in Privacy; MIT Press: Cambridge, MA, USA, 2000. [Google Scholar]
- Park, S.; Park, H.; Won, Y.; Lee, J.; Kent, S. Traceable Anonymous Certificate. Available online: https://tools.ietf.org/pdf/rfc5636 (accessed on 3 May 2020).
- Heather, J.; Lundin, D. The append-only web bulletin board. In Formal Aspects in Security and Trust; Springer: Berlin/Heidelberg, Germany, 2009; pp. 242–256. [Google Scholar] [CrossRef] [Green Version]
- McCorry, P.; Shahandashti, S.F.; Hao, F. A smart contract for boardroom voting with maximum voter privacy. In Financial Cryptography and Data Security; LNCS; Springer: Berlin/Heidelberg, Germany, 2017; pp. 357–375. Available online: https://dblp.org/rec/bib/conf/fc/McCorrySH17 (accessed on 3 May 2020). [CrossRef] [Green Version]
- Smith, W. New cryptographic election protocol with best-known theoretical properties. In Proceedings of the ECRYPT-Frontiers in Electronic Elections (FEE), Milan, Italy, 15–16 September 2005. [Google Scholar]
- Bernhard, D.; Cortier, V.; Galindo, D.; Pereira, O.; Warinschi, B. SoK: A Comprehensive Analysis of Game-Based Ballot Privacy Definitions. In Proceedings of the 2015 IEEE Symposium on Security and Privacy, SP 2015, San Jose, CA, USA, 17–21 May 2015; IEEE Computer Society: Piscataway, NJ, USA, 2015; pp. 499–516. [Google Scholar] [CrossRef] [Green Version]
- Adida, B. Helios: Web-based Open-audit Voting. In Proceedings of the 17th Conference on Security Symposium, SS’08; USENIX, Boston, MA, USA, 22–27 June 2008; Association: Berkeley, CA, USA, 2008; pp. 335–348. [Google Scholar]
- Bernhard, D.; Pereira, O.; Warinschi, B. How Not to Prove Yourself: Pitfalls of the Fiat-Shamir Heuristic and Applications to Helios. Available online: https://eprint.iacr.org/2016/771.pdf (accessed on 3 May 2020).
- Arapinis, M.; Cortier, V.; Kremer, S.; Ryan, M. Practical everlasting privacy. In Principles of Security and Trust—Proceedings of the Second International Conference, POST 2013, Held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2013, Rome, Italy, 16–24 March 2013; Lecture Notes in Computer, Science; Basin, D.A., Mitchell, J.C., Eds.; Springer: Berlin/Heidelberg, Germany, 2013; Volume 7796, pp. 21–40. [Google Scholar] [CrossRef]
- Grontas, P.; Pagourtzis, A.; Zacharakis, A. Security Models for Everlasting Privacy. Available online: https://eprint.iacr.org/2019/1193.pdf (accessed on 3 May 2020).
- Cortier, V.; Galindo, D.; Küsters, R.; Müller, J.; Truderung, T. SoK: Verifiability Notions for E-Voting Protocols. In Proceedings of the IEEE Symposium on Security and Privacy, SP 2016, San Jose, CA, USA, 22–26 May 2016; IEEE Computer Society: Piscataway, NJ, USA, 2016; pp. 779–798. [Google Scholar] [CrossRef] [Green Version]
- CryptoZ. Chainanalysis—3.8 Million Bitcoin Is Lost Forever. Steemit. 2018. Available online: https://steemit.com/cryptocurrency/@crypto-z/chainanalysis-3-8-million-bitcoin-is-lost-forever (accessed on 3 May 2020).
- Neto, A.S.; Leite, M.; Araújo, R.; Mota, M.P.; Neto, N.C.S.; Traoré, J. Usability Considerations For Coercion-Resistant Election Systems. In Proceedings of the 17th Brazilian Symposium on Human Factors in Computing Systems (IHC 2018), Belém, Brazil, 22–26 October 2018. [Google Scholar] [CrossRef]
- Marea Granate. Calendario Electoral Voto Exterior 2019. Available online: https://mareagranate.org/2019/02/calendario-electoral-voto-exterior-2019/ (accessed on 3 May 2020).

**Figure 1.**Diagram presenting a summary of the pre-election and election phases involving the voters, certificate authority, voting server and public bulletin board.

**Figure 2.**Diagram showing a summary of the tallying phase, involving the voters, the public bulletin board, the tallying server and the tellers.

**Figure 3.**Negative binomial distribution (

**left**) with probability of success $0.8$ (

**top**) and $0.2$ (

**bottom**). This distribution is used to select the number of dummies to add per voter, depending on how many votes a voter cast. Overhead caused by the dummy addition (

**right**), having used the corresponding distributions (

**top**and

**bottom**), where the overhead is counted as $\left(\right(\#votes+\#dummies)/\#votes)$.

**Table 1.**Comparison of existing schemes. NetVote constitutes the first re-voting scheme with linear complexity, which is verifiable and does not depend on immature cryptography (IC). We introduce the new notion of strict coercion resistance to achieve linear filtering.

Filtering | Coercion | ||||||
---|---|---|---|---|---|---|---|

Deniable | Verifiable | Complexity | Crypto State | Assumption | Strict | IC | |

JCJ [16,18,20] | No | Yes | ${n}^{2}$ | yes | k-out-of-t + AC | No | No |

Rønne et al. [22] | No | Yes | n | yes | k-out-of-t + AC | No | Yes |

Blackbox [24] | TTP | No | n | Yes | TTP | No | No |

Achenbach et al. [26] | k-out-of-t | Yes | ${n}^{2}$ | Yes | k-out-of-t + AC | No | No |

Locher et al. [27] | k-out-of-t | Yes | ${n}^{2}$ | Yes | k-out-of-t + AC | No | No |

Lueks et al. [29] | TTP | Yes | $nlogn$ | No | TTP | No | No |

NetVote | TTP | Yes | n | No | TTP | Yes | No |

© 2020 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Querejeta-Azurmendi, I.; Arroyo Guardeño, D.; Hernández-Ardieta, J.L.; Hernández Encinas, L.
NetVote: A Strict-Coercion Resistance Re-Voting Based Internet Voting Scheme with Linear Filtering. *Mathematics* **2020**, *8*, 1618.
https://doi.org/10.3390/math8091618

**AMA Style**

Querejeta-Azurmendi I, Arroyo Guardeño D, Hernández-Ardieta JL, Hernández Encinas L.
NetVote: A Strict-Coercion Resistance Re-Voting Based Internet Voting Scheme with Linear Filtering. *Mathematics*. 2020; 8(9):1618.
https://doi.org/10.3390/math8091618

**Chicago/Turabian Style**

Querejeta-Azurmendi, Iñigo, David Arroyo Guardeño, Jorge L. Hernández-Ardieta, and Luis Hernández Encinas.
2020. "NetVote: A Strict-Coercion Resistance Re-Voting Based Internet Voting Scheme with Linear Filtering" *Mathematics* 8, no. 9: 1618.
https://doi.org/10.3390/math8091618