# Transparent, Auditable, and Stepwise Verifiable Online E-Voting Enabling an Open and Fair Election

^{1}

^{2}

^{*}

## Abstract

**:**

## 1. Introduction

**1. Light-weight ballot generation and tallying.**The new e-voting protocol needs only (modular) addition and subtraction in ballot generation and vote tallying, rather than encryption/decryption or modular exponentiations. Thus, the newly proposed protocol is efficient.

**2. Seamless transition from ballots to plain votes.**In our protocol, individual ballots can be aggregated one by one and the final aggregation reveals all individual votes (in their plain/clear format). The aggregation is simply modular addition and can be performed by any one (with modular addition knowledge and skills) without involvement of a third-party entity. The aggregation has the all-or-nothing effect in the sense that all partial sums reveal no information about individual votes but the final (total) sum exposes all individual votes. Thus, the newly proposed protocol delivers fairness in the voting process.

**3. Viewable/visual tallying and verification.**The cast ballots, sum(s) of ballots, votes, and sum(s) of votes (for each candidate) are all displayed on a public bulletin board. A voter or any one can view them, verify them visually, and even conduct summations of ballots (and as well as votes) himself. Thus, the newly proposed protocol delivers both individual verification and universal verification.

**4. Transparency of the entire voting process.**Voters can view and verify their ballots, plain votes, and transition from ballots to votes and even perform self-tallying [21,22]. There is no gap or black-box [20] which is related to homomorphic encryption or mix-net in vote-casting, tallying and verification processes. Thus, in the newly proposed protocol, the voting process is straightforward and it delivers visible transparency.

**5. Voter assurance.**The most groundbreaking feature of our voting protocol, different from all existing ones, is the separation and guarantee of two distinct voter assurances: (1) vote-casting assurance on secret ballots—any voter is assured that the vote-casting is indeed completed (i.e., the secret ballot is confirmatively cast and viewably aggregated), thanks to the openness of secret ballots and incremental aggregation, and (2) vote-tallying assurance—any voter is assured that his vote is visibly counted in the final tally, thanks to the seamless transition from secret ballots having no information to public votes having complete (but anonymous) information offered by the simplified ($n,n$)-secret sharing scheme. In addition, step-wise individual verification and universal verification allow the public to verify the accuracy of the count, and political parties to catch fraudulent votes. Thus, the newly proposed protocol delivers broader voter assurance.

**Sub-protocol 1**which suffered a possible brute-force attack originally in [25] in Section 3.2.1, along with the rigorous proof of the revised

**Sub-protocol 1**in Section 4.1, and provide an example of bulletin board dynamics in Section 3.4. The attack model covers more diverse scenarios as mentioned in Section 2.1, with corresponding security analysis later in Section 4. Additional experiments were conducted and the results are presented in Section 5. The related work in Section 6 is more comprehensive. Section 7 is new for further discussion.

## 2. Mutual Restraining Voting Overview

#### 2.1. Assumptions and Attack Models

#### 2.2. Cryptographic Primitives

#### 2.2.1. Simplified ($n,n$)-Secret Sharing (($n,n)$-SS)

**Theorem**

**1.**

#### 2.2.2. Tailored Secure Two-Party Multiplication (STPM)

- (1)
- ${M}_{1}$ chooses a private key d and a public key e for an additively homomorphic public-key encryption scheme, with encryption and decryption functions being E and D, respectively.
- (2)
- ${M}_{1}$ sends $E({x}_{1},e)$ to ${M}_{2}$.
- (3)
- ${M}_{2}$ selects a random number ${r}_{2}$, computes $E{({x}_{1},e)}^{{x}_{2}}E{({r}_{2},e)}^{-1}$, and sends the result back to ${M}_{1}$.
- (4)
- ${M}_{1}$ decrypts the received value into $D(E{({x}_{1},e)}^{{x}_{2}}E{({r}_{2},e)}^{-1},d)$, resulting in ${r}_{1}$.

#### 2.3. Web Based Bulletin Board

#### 2.4. Technical Components (TPs)

**TP1: Universal verifiable voting vector.**For N voters and M candidates, a voting vector ${\mathbf{v}}_{i}$ for ${V}_{i}$ is a binary vector of $L=N\times M$ bits. The vector can be visualized as a table with N rows and M columns. Each candidate corresponds to one column. Via a robust location anonymization scheme described in Section 3.5, each voter secretly picks a unique row. A voter ${V}_{i}$ will put 1 in the entry at the row and column corresponding to a candidate ${V}_{i}$ votes for (let the position be ${L}_{c}^{i}$), and put 0 in all other entries. During the tally, all voting vectors will be aggregated. From the tallied voting vector (denoted as ${\mathbf{V}}_{\mathbf{A}}$), the votes for candidates can be incrementally tallied. Any voter can check his vote and also visually verify that his vote is indeed counted into the final tally. Furthermore, anyone can verify the vote total for each candidate.

**TP2: Forward and backward mutual lock voting.**From ${V}_{i}$’s voting vector (with a single entry of 1 and the rest of 0), a forward value ${v}_{i}$ (where ${v}_{i}={2}^{L-{L}_{c}^{i}}$) and a backward value ${v}_{i}^{\prime}$ (where ${v}_{i}^{\prime}={2}^{{L}_{c}^{i}-1}$) can be derived. Importantly, ${v}_{i}\times {v}_{i}^{\prime}={2}^{L-1}$, regardless which candidate ${V}_{i}$ votes for. During the vote-casting, ${V}_{i}$ uses simplified ($n,n$)-SS to cast his vote using both ${v}_{i}$ and ${v}_{i}^{\prime}$ respectively. ${v}_{i}$ and ${v}_{i}^{\prime}$ jointly ensure the correctness of the vote-casting process, and enforce ${V}_{i}$ to cast one and only one vote; any deviation, such as multiple voting, will be detected.

**TP3: In-process check and enforcement.**During the vote-casting process, collectors will jointly perform two cryptographic checks on the voting values from each voter. The first check uses tailored STPM to prevent a voter from wrongly generating his share in the vote-casting stage. The second check prevents a voter from publishing an incorrect secret ballot when collectors collect it from him. The secret ballot is the modular addition of a voter’s own share and the share summations that the voter receives from other voters in the interactive protocol or from collectors in the non-interactive protocol.

#### 2.5. High-Level Description of the E-Voting Protocol

- Voter registration. This is independent of the voting protocol. Each registered voter ${V}_{i}$ obtains a secret index ${L}_{i}$ using a Location Anonymity Scheme (LAS) described in Section 3.5.
- Voting. The voter ${V}_{i}$ votes for the candidate ${c}_{j}$ as follows:
- (a)
- Set ${b}_{{L}_{i},j}=1$ and all other bits in ${B}_{{L}_{i}}$ and the other ${B}_{k}$, $k\ne {L}_{i}$, to 0. Call this set bit ${L}_{c}^{i}=({L}_{i}-1)\times M+j-1$; it is simply the number of the bit when ${\mathbf{v}}_{i}$ is seen as a bit vector. See
**TP1**in Section 2.4. - (b)
- Compute ${v}_{i}={2}^{L-{L}_{c}^{i}}$ and ${v}_{i}^{\prime}={2}^{{L}_{c}^{i}-1}$. This converts the bit vector to integers. Note ${v}_{i}\times {v}_{i}^{\prime}={2}^{L-1}$, which is a constant. See
**TP2**in Section 2.4. - (c)
- Think of shares of all voters’ ballots forming an $N\times N$ matrix (as shown in Table 2). Row i represents the vote ${v}_{i}$ and Column i represents the ballot ${p}_{i}$. ${V}_{i}$ computes and casts his ballot ${p}_{i}$ as follows:
- i.
- In the non-interactive protocol, ${C}_{1}$ and ${C}_{2}$ generate (about) $\frac{N-1}{2}$ shares each for ${V}_{i}$. They send the sum of the shares, ${S}_{i,{C}_{1}}$ and ${S}_{i,{C}_{2}}$ respectively, to ${V}_{i}$. In the interactive protocol, ${V}_{i}$ himself generates these $N-1$ shares. ${V}_{i}$ then computes his own share as ${s}_{ii}={v}_{i}-{S}_{i,{C}_{1}}-{S}_{i,{C}_{1}}$, which corresponds to all elements on the main diagonal of the matrix.
- ii.
- In the non-interactive protocol, ${C}_{1}$ sends voter ${V}_{i}$ the sum ${\tilde{S}}_{i,{C}_{1}}$ of the shares ${C}_{1}$ generated for the first half of the voters (the “lower half”). Similarly, ${C}_{2}$ sends voter ${V}_{i}$ the sum ${\tilde{S}}_{i,{C}_{2}}$ of the shares ${C}_{2}$ generated for the second half of the voters (the “upper half”). In the interactive protocol, ${V}_{i}$ receives them from other voters. Then ${V}_{i}$ computes and publishes his ballot ${p}_{i}={s}_{ii}+{\tilde{S}}_{i,{C}_{1}}+{\tilde{S}}_{i,{C}_{2}}$.

- (d)
- The previous step (c) is repeated, but with ${v}_{i}^{\prime}$ instead of ${v}_{i}$. The share ${V}_{i}$ retains from this is ${s}_{ii}^{\prime}$ and the ballot from this is called ${p}_{i}^{\prime}$ and is also public.
- (e)
- Simultaneously with the previous step, the voter also publishes his commitments $({g}^{{s}_{ii}},{g}^{{s}_{ii}^{\prime}},{g}^{{s}_{ii}{s}_{ii}^{\prime}})$, where g is the base for the discrete logarithm problem. Two authorities jointly verify the validity of each cast ballot. See
**TP3**in Section 2.4.

- Tally and verification. The authorities (in fact any one can) sum all the ballots to get $P={\sum}_{i=1}^{N}{p}_{i}$ (and the corresponding ${P}^{\prime}={\sum}_{i=1}^{N}{p}_{i}^{\prime}$). P and ${P}^{\prime}$ are public too. ${\mathbf{V}}_{\mathbf{A}}$ and ${\mathbf{V}}_{\mathbf{A}}^{\prime}$ are in a binary form of P and ${P}^{\prime}$, respectively. ${\mathbf{V}}_{\mathbf{A}}$ and ${\mathbf{V}}_{\mathbf{A}}^{\prime}$ are bit-wise identical in reverse directions. Any voter (authority, or a third party) can verify individual ballots, tallied voting vectors ${\mathbf{V}}_{\mathbf{A}}$ and ${\mathbf{V}}_{\mathbf{A}}^{\prime}$, individual plain votes exposed in ${\mathbf{V}}_{\mathbf{A}}$ and ${\mathbf{V}}_{\mathbf{A}}^{\prime}$, sum of each candidate’s votes, and final tally.

## 3. Mutual Restraining Voting Protocol

#### 3.1. Interactive Voting Protocol

**Stage 1: Registration (and initialization).**The following computations are carried out on a cyclic group ${\mathbf{Z}}_{\mathbf{A}}^{*}$, on which the Discrete Logarithmic Problem (DLP) is intractable. $\mathbf{A}=max\{{\mathbf{A}}_{1},{\mathbf{A}}_{2}\}$, in which ${\mathbf{A}}_{1}$ is a prime larger than ${2}^{1024}$ and ${\mathbf{A}}_{2}$ is a prime larger than ${2}^{2L}-{2}^{L+1}+1$.

**TP1**). This arrangement of vector can support voting scenarios including “yes-no” voting for one candidate and 1-out-of-M voting for M candidates with abstaining or without.

**Stage 2: Vote-casting.**From the voting vector ${\mathbf{v}}_{i}$ (with a singleton 1 and all other entries 0), ${V}_{i}$ derives two decimal numbers ${v}_{i}$ and ${v}_{i}^{\prime}$. ${v}_{i}$ is the decimal number corresponding to the binary string represented by ${\mathbf{v}}_{i}$, while ${v}_{i}^{\prime}$ is the decimal number corresponding to ${\mathbf{v}}_{i}$ in reverse.

**TP2**). This feature will lead to an effective enforcement mechanism that enforces the single-voting rule with privacy guarantee: The vote given by a voter will not be disclosed as long as the voter casts one and only one vote.

- ${V}_{i}$ randomly selects $N-1$ shares ${s}_{il}$ ($1\le l\le N$, $l\ne i$) and distributes them to the other $N-1$ voters with ${V}_{l}$ getting ${s}_{il}$. When i is odd, ${V}_{i}$ sends ${s}_{il}$ to ${C}_{1}$ if l is odd and otherwise to ${C}_{2}$; when i is even, ${V}_{i}$ sends ${s}_{il}$ to ${C}_{1}$ if l is even and otherwise to ${C}_{2}$. The objective is to prevent a single collector from obtaining enough information to infer a voter’s vote. ${V}_{i}$ then computes his own share ${s}_{ii}={v}_{i}-{\sum}_{l=1,l\ne i}^{N}{s}_{il}$, and publishes the commitment ${g}^{{s}_{ii}}$.Let the sum of shares that ${C}_{j}(j=1,2)$ receives from ${V}_{i}$ be ${S}_{i,{C}_{j}}$. ${V}_{i}$’s own share can also be denoted as: ${s}_{ii}={v}_{i}-{S}_{i,{C}_{1}}-{S}_{i,{C}_{2}}$.
- Upon receiving $N-1$ shares from other voters, ${V}_{i}$ computes the secret ballot, ${p}_{i}={\sum}_{l=1}^{N}{s}_{li}$, which is the sum of the received $N-1$ shares and his own share ${s}_{ii}$, and then broadcasts ${p}_{i}$.Two collectors also have these $N-1$ shares, with each having a subset. Let the sum of the subset of shares held by the collector ${C}_{j}(j=1,2)$ be ${\tilde{S}}_{i,{C}_{j}}$. The secret ballot can also be denoted as: ${p}_{i}={s}_{ii}+{\tilde{S}}_{i,{C}_{1}}+{\tilde{S}}_{i,{C}_{2}}$.

**Stage 3: Collection/Tally.**Collectors (and voters if they want to) collect secret ballots ${p}_{i}$ ($1\le i\le N$) from all voters and obtain $P={\sum}_{i=1}^{N}{p}_{i}$. P is decoded into a tallied binary voting vector ${\mathbf{V}}_{\mathbf{A}}$ of length L. The same is done for ${p}_{i}^{\prime}$ ($1\le i\le N$) to obtain ${P}^{\prime}$, and consequently ${\mathbf{V}}_{\mathbf{A}}^{\prime}$. If voters have followed the protocol, these two vectors will be reverse to each other by their initialization in Stage 1.

**Stage 4: Verification.**Anyone can verify whether ${\mathbf{V}}_{\mathbf{A}}$ is a reverse of ${\mathbf{V}}_{\mathbf{A}}^{\prime}$ and whether each voter has cast one and only one vote. ${V}_{i}$ can verify the entry ${L}_{c}^{i}$ (corresponding to the candidate that ${V}_{i}$ votes for) has been correctly set to 1 and the entries for other candidates are 0. Furthermore, the tallied votes for all candidates can be computed and verified via ${\mathbf{V}}_{\mathbf{A}}$ and ${\mathbf{V}}_{\mathbf{A}}^{\prime}$. In summary, both individual and universal verification are naturally supported by this protocol.

#### 3.2. Two Sub-Protocols

**TP3**), ensure that each voter should put a single 1 in his voting vector, i.e., vote once and only once.

#### 3.2.1. Revised Sub-Protocol 1

- Execute tailored STPM, ${C}_{1}$ and ${C}_{2}$ obtain ${r}_{1}$ and ${r}_{2}^{\prime}$ respectively such that ${r}_{1}+{r}_{2}^{\prime}={S}_{i,{C}_{1}}{S}_{i,{C}_{2}}^{\prime}$.
- Execute tailored STPM, ${C}_{1}$ and ${C}_{2}$ obtain ${r}_{1}^{\prime}$ and ${r}_{2}$ respectively such that ${r}_{1}^{\prime}+{r}_{2}={S}_{i,{C}_{1}}^{\prime}{S}_{i,{C}_{2}}$. (Exchanging ${r}_{1}$ and ${r}_{2}^{\prime}$ or ${r}_{1}^{\prime}$ and ${r}_{2}$ between ${C}_{1}$ and ${C}_{2}$ will not work. (If ${C}_{1}$ and ${C}_{2}$ exchange ${r}_{1}$ and ${r}_{2}^{\prime}$ for an example, ${C}_{2}$ can obtain ${g}^{{S}_{i,{C}_{1}}}$ since he has ${r}_{2}^{\prime}$ and ${S}_{i,{C}_{2}}^{\prime}$. With ${g}^{{s}_{ii}}$ being public, and ${v}_{i}={s}_{ii}+{S}_{i,{C}_{1}}+{S}_{i,{C}_{2}}$, ${C}_{2}$ can get ${g}^{{v}_{i}}$ by trying out L values and consequently find out the vote ${v}_{i}$. Likewise, ${C}_{1}$ can also find out ${v}_{i}$.)
- ${C}_{1}$ computes ${g}^{{r}_{1}+{r}_{1}^{\prime}}$, ${C}_{2}$ computes ${g}^{{r}_{2}+{r}_{2}^{\prime}}$. Obviously ${g}^{{r}_{1}+{r}_{1}^{\prime}}\times {g}^{{r}_{2}+{r}_{2}^{\prime}}={g}^{{r}_{1}+{r}_{2}^{\prime}+{r}_{1}^{\prime}+{r}_{2}}={g}^{{S}_{i,{C}_{1}}{S}_{i,{C}_{2}}^{\prime}}\times {g}^{{S}_{i,{C}_{1}}^{\prime}{S}_{i,{C}_{2}}}$. (${C}_{1}$ and ${C}_{2}$ cannot exchange ${g}^{{r}_{1}+{r}_{1}^{\prime}}$ and ${g}^{{r}_{2}+{r}_{2}^{\prime}}$ directly. Doing so will result in a brute-force attack which is able to obtain the voter’s vote, as described in Section 4.1.)

#### 3.2.2. Sub-Protocol 2

#### 3.3. Non-Interactive Voting Protocol

**Stage 2**is different, while the rest of the stages are the same. Steps in this new

**Stage 2**are given below.

- The two collectors work together to generate all $N-1$ shares for each voter ${V}_{i}$ in advance as shown in Table 2, with $\widehat{{s}_{i,j}}$ ($i\ne j$) by ${C}_{1}$ and $\stackrel{\u02c7}{{s}_{i,j}}$ ($i\ne j$) by ${C}_{2}$. ${s}_{ii}$ is derived by ${V}_{i}$ himself. Specifically, for the voters ${V}_{1}$ to ${V}_{N/2}$, ${C}_{1}$ generates their first $N/2-1$ shares (up-left of the matrix) and ${C}_{2}$ generates their last $N/2$ shares (up-right of the matrix). For the voters ${V}_{N/2+1}$ to ${V}_{N}$, ${C}_{1}$ generates their last $N/2-1$ shares (lower-right of the matrix) and ${C}_{2}$ generates their first $N/2$ shares (lower-left of the matrix). Figure 1 (left) illustrates a case of four voters.
- Whenever a voter ${V}_{i}$ logs into the system to cast his vote, the two collectors will each send their half of $N-1$ shares (in fact, the sum of these shares, denoted as ${S}_{i,{C}_{j}}$ in Table 2, where $j=1$ or 2) to this voter. Specifically, ${C}_{1}$ sends ${S}_{i,{C}_{1}}$ (sum of shares in one half of the ith row) to the voter, and ${C}_{2}$ sends ${S}_{i,{C}_{2}}$ (sum of shares in the other half of the ith row) to the voter. The voter ${V}_{i}$ will compute his own share as ${s}_{ii}={v}_{i}-{S}_{i,{C}_{1}}-{S}_{i,{C}_{2}}$, and send the two collectors his commitments (i.e., ${g}^{{s}_{ii}}$, ${g}^{{s}_{ii}^{\prime}}$, ${g}^{{s}_{ii}{s}_{ii}^{\prime}}$). Figure 1 (middle) shows the communication between collectors and voters. Under the assumption that the two collectors have conflicting interests, neither of them can derive the voter’s vote from ${V}_{i}$’s commitment.
- The two collectors verify a voter’s vote using
**Sub-protocol 1**and if passed, send the shares from the other $N-1$ voters (one from each voter) to this voter. Specifically, ${C}_{1}$ sends ${\tilde{S}}_{i,{C}_{1}}$ (sum of shares in one half of the ith column as shown in Table 2) to the voter, and similarly ${C}_{2}$ sends ${\tilde{S}}_{i,{C}_{2}}$ (sum of shares in the other half of the ith column). The voter sums the shares from the two collectors and his own share, and then sends the secret ballot of ${s}_{ii}+{\tilde{S}}_{i,{C}_{1}}+{\tilde{S}}_{i,{C}_{2}}$ to the two collectors, as shown in Figure 1 (right) as an example. (Optionally, the voter can send to only one of the collectors to prevent the collector initiated voter coercion.) The two collectors can verify the voter’s ballot using**Sub-protocol 2**.

#### 3.4. One Example of Web Based Bulletin Board

#### 3.5. Design of a Robust and Efficient LAS

- Each voter ${V}_{i}$ initializes a location vector ${\mathbf{L}}_{i}$ (of length $\overline{L}$) with 0s. ${V}_{i}$ randomly selects a location $\widehat{{L}_{i}}$ ($1\le \widehat{{L}_{i}}\le \overline{L}$) and sets the $\widehat{{L}_{i}}$th element/bit of ${\mathbf{L}}_{i}$ to 1.
- From ${\mathbf{L}}_{i}$, ${V}_{i}$ obtains two values ${l}_{i}$ and ${l}_{i}^{\prime}$ by: (1) encoding ${\mathbf{L}}_{i}$ into a decimal number ${l}_{i}$ (A decimal encoding, instead of a binary one, is used to encode ${\mathbf{L}}_{i}$. The motivation is illustrated below. Assume that the binary encoding is adopted. Let the location vectors of voters ${V}_{i}$, ${V}_{j}$ and ${V}_{k}$ be ${\mathbf{L}}_{i}=000010$, ${\mathbf{L}}_{j}=000010$, and ${\mathbf{L}}_{k}=000100$, respectively. Therefore, ${\mathbf{L}}_{A}=001000$: Voters cannot tell if they have obtained unique locations. This will not be the case if ${\mathbf{L}}_{i}$ uses a larger base. However, encoding ${\mathbf{L}}_{i}$ in a larger base consumes more resources. Decimal is a trade-off we adopted to strike a balance between fault tolerance and performance. The probability of having more than 10 voters collide at the same location is considerably lower than that of 2); and (2) reversing ${\mathbf{L}}_{i}$ to be ${\mathbf{L}}_{i}^{\prime}$ and encoding it into a decimal number ${l}_{i}^{\prime}$. For example, if ${\mathbf{L}}_{i}=\left[000010\right]$, we obtain ${l}_{i}=10$ and ${l}_{i}^{\prime}=10,000$. Evidently, ${l}_{i}\times {l}_{i}^{\prime}={10}^{\overline{L}-1}$.
- ${V}_{i}$ shares ${l}_{i}$ and ${l}_{i}^{\prime}$ using ($n,n$)-SS as in Stage 2. All voters can obtain the aggregated location vector ${\mathbf{L}}_{A}$ and ${\mathbf{L}}_{A}^{\prime}$. If ${V}_{i}$ has followed the protocol, ${\mathbf{L}}_{A}$ and ${\mathbf{L}}_{A}^{\prime}$ are the reverse of the other.
- ${V}_{i}$ checks if the $\widehat{{L}_{i}}$th element/bit of ${\mathbf{L}}_{A}$ is 1. If so, ${V}_{i}$ has successfully selected a location without colliding with others. ${V}_{i}$ also checks if everyone has picked a non-colliding location by examining whether $max({\mathbf{L}}_{A})=1$. If there is at least one collision, steps 1 through 3 will restart. In a new round, voters who have successfully picked a location without collision in the previous round keep the same location, while others randomly select from locations not been chosen.
- The in-process check and enforcement mechanism (in Section 3.2) is concurrently executed by collectors to enforce that a voter will select one and only one location in each round. Furthermore, the mechanism, to be proved in Section 4.5, ensures that any attempt of inducing collision by deliberately selecting an occupied position will be detected. Hence, such misbehavior will be precluded.
- Once all location collisions are resolved in a round, each voter removes non-occupied locations ahead of his own and obtains his real location ${L}_{i}={\sum}_{j=1}^{{\widehat{L}}_{i}}{({\mathbf{L}}_{A})}_{j}$. After the adjustment, the occupied locations become contiguous. The length of the adjusted ${\mathbf{L}}_{i}$ equals to the number of voters, N.

**Notes:**(1) Location anonymization, a special component in our protocol, seems to be an additional effort for voters. However, it is beneficial since voters not only select their secret locations, but also learn/practice vote-casting ahead of the real election. The experiments show that 2 to 3 rounds are generally enough; (2) Location anonymization can be executed non-interactively; (3) A malicious participant deliberately inducing a collision by choosing an already occupied location will be identified.

## 4. Security and Property Analysis

#### 4.1. Analysis of Main Properties

**Attack-resistance.**A random attack against the tallied voting vector with this vector being valid will succeed with the probability of ${M}^{N}/{2}^{MN}=1/{2}^{(M-logM)N}$.

**Completeness (Correctness).**All votes are counted correctly in this voting protocol. That is, the aggregated voting vector ${\mathbf{V}}_{\mathbf{A}}$ of the length N in binary is the sum of all individual voting vector ${\mathbf{v}}_{i}$ from each voter (${\mathbf{V}}_{\mathbf{A}}={\sum}_{i=1}^{N}{\mathbf{v}}_{i}$). Likewise, ${\mathbf{V}}_{\mathbf{A}}^{\prime}={\sum}_{i=1}^{N}{\mathbf{v}}_{i}^{\prime}$.

**Verifiability.**Due to its transparency, the protocol provides a full range of verifiability with four levels:

- A voter can verify that his secret ballot is submitted correctly.
- A voter (and any third party) can verify that the aggregated voting vector is computed correctly.
- A voter can verify that his vote is cast correctly.
- A voter (and any third party) can verify that the final tally is performed correctly.

**Anonymity.**The protocol preserves anonymity if no more than $N-2$ voters collude. This claim follows the proof of Theorem 1. Also, the protocol splits trust, traditionally vested in a central authority, now between two non-colluding collectors with conflicting interests. One collector does not have enough information to reveal a vote.

**Ballot validity and prevention of multiple voting.**The forward and backward mutual lock voting allows a voter to set one and only one of his voting positions to 1 (enforced by Sub-protocol 1).

**Fairness.**Fairness is ensured due to the unique property of ($n,n$)-SS: no one can obtain any information before the final tally, and only when all N secret ballots are aggregated, all votes are obtained anonymously. It is this sudden transition that precludes any preannouncement of partial voting results, thus achieving fairness.

**Eligibility.**Voters have to be authenticated for their identities before obtaining voting locations. Traditional authentication mechanisms can be integrated into the voting protocol.

**Auditability.**Collectors collaboratively audit the entire voting process. Optionally we can even let collectors publish their commitment to all shares they generate (using hash functions, for example). With the whole voting data together with collectors’ commitments, two collectors or a third authority can review the voting process if necessary.

**Transparency and voter assurance.**Many previous e-voting solutions are not transparent in the sense that although the procedures used in voting are described, voters have to entrust central authorities to perform some of the procedures. Voters cannot verify every step in a procedure [34]. Instead, our voting protocol allows voters to visually check and verify their votes on the bulletin board. The protocol is transparent where voters participate in the whole voting process.

#### 4.2. Robustness Against Voting Misbehavior

- submit an invalid voting vector ${\mathbf{v}}_{i}$ (${\mathbf{v}}_{i}^{\prime}$) with more than one (or no) 1s;
- generate wrong ${s}_{ii}$ (${s}_{ii}^{\prime}$), thus wrong commitment ${g}^{{s}_{ii}}$ (${g}^{{s}_{ii}^{\prime}}$);
- publish an incorrect secret ballot ${p}_{i}$ (${p}_{i}^{\prime}$) such that ${p}_{i}\ne {s}_{ii}+{\tilde{S}}_{i,{C}_{1}}+{\tilde{S}}_{i,{C}_{2}}$ (${p}_{i}^{\prime}\ne {s}_{ii}^{\prime}+{\tilde{S}}_{i,{C}_{1}}^{\prime}+{\tilde{S}}_{i,{C}_{2}}^{\prime}$).

- One misbehavior mentioned above mistakenly passes both Sub-protocol 1 and Sub-protocol 2;
- ${V}_{i}$ does give up his own voting locations and cast vote at ${V}_{j}$’s locations ($i\ne j$).

#### 4.3. Robustness against Collusion

#### 4.3.1. Robustness against Collusion among Voters

#### 4.3.2. Robustness against Collusion among Voters and a Collector

#### 4.4. Robustness against Outside Attack

#### 4.5. Robustness of Location Anonymization

## 5. Complexity Analysis and Simulation

#### 5.1. Performance and Complexity Analysis

**Notes**: The commitments can typically be computed by a calculator efficiently, thus, the complexity of $O({T}^{3})$ will not become a performance issue.

#### 5.2. Simulation Result

## 6. Related Work and Comparison

**Comparison with Helios.**Helios [89] implements Benaloh’s vote-casting approach [90] on the Sako-Kilian mix-nets [91]. It is a well-known and highly-accepted Internet voting protocol with good usability and operability. Our voting protocol shares certain features with Helios including open auditing, integrity, and open source.

**Comparison with existing interactive voting protocols.**In aforementioned voting protocols, most are centralized. Our non-interactive protocol is similar in this regard. However, some e-voting protocols are decentralized or distributed: each voter bears the same load, executes the same protocol, and reaches the same result autonomously [94]. One interesting application domain of distributed e-voting is boardroom voting [21]. In such scenario, the number of voters is not large and all the voters in the voting process will interact with each other. Two typical boardroom voting protocols are the ones in [22,95] and our interactive voting protocol is similar to them too. In all these protocols including ours, tallying is called self-tallying: each voter can incrementally aggregate ballots/votes themselves by either summing the votes [95]) (as well as ours) or multiplying the ballots [22]) (and then verify the correctness of the final tally). One main advantage of our interactive voting protocol over other distributed e-voting protocols is its low computation cost for vote casting and tallying. As analyzed in [21], in terms of vote casting, the protocol in [22] needs $4N+10$ exponentiations per voter and the protocol in [95] needs $2N+2$. However, our interactive voting protocol needs only 6. In terms of tallying [21], the protocol in [22] needs $11N-11+$$\left(\genfrac{}{}{0pt}{}{N+M}{M}\right)$$/2$ and the protocol in [95] needs $19{N}^{2}+58N-14Nt-17t+35$ (here t is the threshold in distributed key generation scheme). However, our interactive voting protocol does not need any exponentiations beyond simple modular additions. Another property of our interactive voting protocol in terms of transparency is the viewability of the voter’s plain vote: each voter knows and can see which plain vote is his vote. However, in [22], plain votes are not viewable, and in [95], even though plain votes are viewable but the voter does not know which one is his because the shuffling process changes the correspondence between the initial ballots and (decrypted) individual plain votes.

## 7. Discussion of Scalability and Hierarchical Design

**Level 1**: Precinct based vote-casting. Voters belonging to a precinct form a voting group and execute the proposed vote-casting. Precincts may be based on the physical geography previously using voting booths or logically formed online to include geographically remote voters (e.g., overseas personnel in different countries).**Level 2**: Statewide vote tally. Perform anonymous tally among all precincts of a state.**Level 3**: Conversion of tallied votes. There can be a direct conversion. The numbers of votes for candidates from Level 2 remain unchanged and are passed to Level 4 (the popular vote). Otherwise, they may be converted from Level 2 by some rules before being passed to Level 4, to support hierarchies like the Electoral Colleges in the US.**Level 4**: National vote tally.

## 8. Conclusions and Future Work

## Author Contributions

## Conflicts of Interest

## References

- Wikipedia. Help America Vote Act, The Free Encyclopedia. 2013. Available online: https://en.wikipedia.org/wiki/Help_America_Vote_Act (accessed on 1 July 2013).
- Wikipedia. The U.S. Election Assistance Commission. 2013. Available online: https://www.eac.gov/about/help-america-vote-act/ (accessed on 1 July 2013).
- Commission, T.U.E.A. 2008 Election Administration and Voting Survey. Available online: http://www.eac.gov/ (accessed on 1 September 2009).
- Campbell, B. The Usability Implications of Long Ballot Content for Paper, Electronic, and Mobile Voting Systems. Ph.D. Thesis, RICE University, Houston, TX, USA, 2014. [Google Scholar]
- Chevallier-Mames, B.; Fouque, P.A.; Pointcheval, D.; Stern, J.; Traoré, J. On some incompatible properties of voting schemes. (book chapter). In Towards Trustworthy Elections; Chaum, D., Jakobsson, M., Rivest, R.L., Ryan, P.A., Benaloh, J., Eds.; Springer: Berlin/Heidelberg, Germany, 2010; pp. 191–199. [Google Scholar]
- Grewal, G.S.; Ryan, M.D.; Bursuc, S.; Ryan, P.Y. Caveat Coercitor: Coercion-evidence in electronic voting. In Proceedings of the IEEE Symposium on Security and Privacy, Berkeley, CA, USA, 19–22 May 2013; pp. 367–381. [Google Scholar]
- Araújo, R.; Barki, A.; Brunet, S.; Traoré, J. Remote Electronic Voting Can Be Efficient, Verifiable and Coercion-Resistant. In Financial Cryptography and Data Security: FC 2016 International Workshops, BITCOIN, VOTING, and WAHC, Christ Church, Barbados, 26 February 2016, Revised Selected Papers; Springer: Berlin/Heidelberg, Germany, 2016; pp. 224–232. [Google Scholar]
- Li, C.; Hwang, M.; Lai, Y. A Verifiable Electronic Voting Scheme over the Internet. In Proceedings of the Sixth International Conference on Information Technology: New Generations (ITNG ’09), Las Vegas, NV, USA, 27–29 April 2009; pp. 449–454. [Google Scholar]
- Howlader, J.; Nair, V.; Basu, S.; Mal, A. Uncoercibility In E-Voting and E-Auctioning Mechanisms Using Deniable Encryptiony. Int. J. Netw. Secur. Appl.
**2011**, 3, 97–109. [Google Scholar] - Lee, C.; Chen, T.; Lin, S.; Hwang, M. A New Proxy Electronic Voting Scheme Based on Proxy Signatures. In Lecture Notes in Electrical Engineering; Springer: Berlin/Heidelberg, Germany, 2012; Volume 164, pp. 3–12. [Google Scholar]
- Spycher, O.; Koenig, R.; Haenni, R.; Schläpfer, M. A New Approach towards Coercion-Resistant Remote E-Voting in Linear Time. In Proceedings of the International Conference on Financial Cryptography and Data Security, Kralendijk, Bonaire, 27 February–2 March 2012; Springer: Berlin/Heidelberg, Germany, 2012; Volume 7035, pp. 182–189. [Google Scholar]
- Clarkson, M.; Chong, S.; Myers, A. Civitas: Toward a secure voting system. In Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, USA, 18–22 May 2008; pp. 354–368. [Google Scholar]
- Juels, A.; Catalano, D.; Jakobsson, M. Coercion-resistant electronic elections. In Proceedings of the 2005 ACM Workshop on Privacy in the Electronic Society, Alexandria, VA, USA, 7 November 2005; ACM: New York, NY, USA, 2005; pp. 61–70. [Google Scholar]
- Chaum, D. Elections with unconditionally-secret ballots and disruption equivalent to breaking RSA. In Proceedings of the Workshop on the Theory and Application of Cryptographic Techniques (EUROCRYPT ’88), Davos, Switzerland, 25–27 May 1988; pp. 177–182. [Google Scholar]
- Rjaskova, Z. Electronic Voting Schemes. Ph.D. Thesis, Comenius University, Bratislava, Slovakia, 2002. [Google Scholar]
- Benaloh, J. Verifiable Secret Ballot Elections. Ph.D. Thesis, Yale University, New Haven, CT, USA, 1987. [Google Scholar]
- Jones, D.; Simons, B. Broken Ballots: Will Your Vote Count? The University of Chicago Press: Chicago, IL, USA, 2012. [Google Scholar]
- Shamos, M.I. Electronic Voting Records—An Assessment. In Developing an Analysis of Threats to Voting Systems: Preliminary Workshop Summary; NIST: Gaithersburg, MD, USA, 2004; pp. 227–251. [Google Scholar]
- McGaley, M.; McCarthy, J. Transparency and e-voting: Democratic vs. commercial interests. Proc. GI
**2012**, 47, 153–163. [Google Scholar] - Tsoukalas, G.; Papadimitriou, K.; Louridas, P.; Tsanakas, P. From Helios to Zeus. In Proceedings of the 2013 Electronic Voting Technology Workshop/Workshop on Trustworthy Elections (EVT/WOTE ’13), Washington, DC, USA, 12–13 August 2013; pp. 1–17. [Google Scholar]
- Kulyk, O.; Neumann, S.; Budurushi, J.; Volkamer, M.; Haenni, R.; Koenig, R.; Bergen, P. Efficiency Evaluation of Cryptographic Protocols for Boardroom Voting. In Proceedings of the 2015 10th International Conference on Availability, Reliability and Security (ARES), Toulouse, France, 24–27 August 2015; pp. 224–229. [Google Scholar]
- Khader, D.; Smyth, B.; Ryan, P.Y.; Hao, F. A fair and robust voting system by broadcast. In Proceedings of the EVOTE’12: 5th International Conference on Electronic Voting, Bregenz, Austria, 11–14 July 2012; pp. 1–13. [Google Scholar]
- Moran, T.; Naor, M. Split-ballot voting: Everlasting privacy with distributed trust. ACM Trans. Inf. Syst. Secur.
**2010**, 13, 16. [Google Scholar] [CrossRef] - Wikipedia. Vote Counting System 2012. Available online: https://en.wikipedia.org/wiki/Vote_counting (accessed on 21 June 2012).
- Zou, X.; Li, H.; Sui, Y.; Peng, W.; Li, F. Assurable, Transparent, and Mutual Restraining E-Voting Involving Multiple Conflicting Parties. In Proceedings of the IEEE INFOCOM, Toronto, ON, Canada, 27 April–2 May 2014; pp. 136–144. [Google Scholar]
- Stinson, D.R. Cryptography: Theory and Practice; CRC Press: Boca Raton, FL, USA, 1995; Chapter 11; pp. 330–331. [Google Scholar]
- Zhao, X.; Li, L.; Xue, G.; Silva, G. Efficient anonymous message submission. In Proceedings of the IEEE INFOCOM, Orlando, FL, USA, 25–30 March 2012; pp. 2228–2236. [Google Scholar]
- Samet, S.; Miri, A. Privacy preserving ID3 using Gini Index over horizontally partitioned data. In Proceedings of the IEEE/ACS International Conference on Computer Systems and Applications (AICCSA ’08), Doha, Qatar, 31 March–4 April 2008; pp. 645–651. [Google Scholar]
- Diffie, W.; Hellman, M. New directions in cryptography. IEEE Trans. Inf. Theory
**1976**, 22, 644–654. [Google Scholar] [CrossRef] - Benaloh, J.; Tuinstra, D. Receipt-free secret-ballot elections. In Proceedings of the 26th Annual ACM Symposium on Theory of Computing, Montréal, QC, Canada, 23–25 May 1994; ACM: New York, NY, USA, 1994; pp. 544–553. [Google Scholar]
- Schoenmakers, B. A Simple Publicly Verifiable Secret Sharing Scheme and Its Application to Electronic Voting. In Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO ’99), Santa Barbara, CA, USA, 15–19 August 1999; pp. 148–164. [Google Scholar]
- Clark, J.; Hengartner, U. Selections: Internet Voting with Over-the-Shoulder Coercion-Resistance. In Financial Cryptography and Data Security; Lecture Notes in Computer Science; Danezis, G., Ed.; Springer: Berlin/Heidelberg, Germany, 2012; Volume 7035, pp. 47–61. [Google Scholar]
- Fujioka, A.; Okamoto, T.; Ohta, K. A practical secret voting scheme for large scale elections. In Advances in Cryptology—AUSCRYPT ’92; Springer: Berlin/Heidelberg, Germany, 1993; pp. 244–251. [Google Scholar]
- Spafford, E.H. Voter Assurance. In Voting Technologies; National Academy of Engineering: Washington, DC, USA, 2007; pp. 28–34. [Google Scholar]
- Clarkson, M.; Chong, S.; Myers, A. Civitas: Toward a Secure Voting System; Technical Report; Cornell University: Ithaca, NY, USA, 2008. [Google Scholar]
- Shirazi, F.; Neumann, S.; Ciolacu, I.; Volkamer, M. Robust electronic voting: Introducing robustness in Civitas. In Proceedings of the International Workshop on REVOTE, Trento, Italy, 29 August 2011; pp. 47–55. [Google Scholar]
- Volkamer, M.; Grimm, R. Determine the Resilience of Evaluated Internet Voting Systems. In Proceedings of the International Workshop on REVOTE, Atlanta, GA, USA, 31 August 2009; pp. 47–54. [Google Scholar]
- Li, C.; Hwang, M. Security Enhancement of Chang-Lee Anonymous E-Voting Scheme. Int. J. Smart Home
**2012**, 6, 45–52. [Google Scholar] - Staff, C. Seven principles for secure e-voting. Commun. ACM
**2009**, 52, 8–9. [Google Scholar] [CrossRef] - Epstein, J. Electronic voting. IEEE Comput.
**2007**, 40, 92–95. [Google Scholar] [CrossRef] - Kusters, R.; Truderung, T.; Vogt, A. Clash Attacks on the Verifiability of E-Voting Systems. In Proceedings of the 2012 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA, 20–23 May 2012; pp. 395–409. [Google Scholar]
- Fouard, L.; Duclos, M.; Lafourcade, P. Survey on Electronic Voting Schemes. Available online: http://www-verimag.imag.fr/~duclos/paper/e-vote.pdf (accessed on 1 July 2013).
- Benaloh, J.; Byrne, M.; Kortum, P.; McBurnett, N.; Pereira, O.; Stark, P.; Wallach, D. STAR-Vote: A Secure, Transparent, Auditable, and Reliable Voting System. arXiv
**2012**, arXiv:1211.1904. [Google Scholar] - Chaum, D. Untraceable electronic mail, return addresses, and digital pseudonyms. Commun. ACM
**1981**, 24, 84–90. [Google Scholar] [CrossRef] - Chaum, D.; Ryan, P.; Schneider, S. A practical voter-verifiable election scheme. In Proceedings of the 10th European Conference on Research in Computer Security (ESORICS ’05), Milan, Italy, 12–14 September 2005; pp. 118–139. [Google Scholar]
- Lee, B.; Boyd, C.; Dawson, E.; Kim, K.; Yang, J.; Yoo, S. Providing Receipt-Freeness in Mixnet-Based Voting Protocols. In Proceedings of the International Conference on Information Security and Cryptology, Seoul, Korea, 27–28 November 2003; Volume 2971, pp. 245–258. [Google Scholar]
- Weber, S. A Coercion-Resistant Cryptographic Voting Protocol—Evaluation and Prototype Implementation. Master’s Thesis, Darmstadt University of Technology, Darmstadt, Germany, 2006. [Google Scholar]
- Chaum, D. Secret-ballot receipts: True voter-verifiable elections. IEEE Secur. Priv.
**2004**, 2, 38–47. [Google Scholar] [CrossRef] - Aditya., R.; Lee, B.; Boyd, C.; Dawson, E. An Efficient Mixnet-Based Voting Scheme Providing Receipt-Freeness. In Proceedings of the International Conference on Trust and Privacy in Digital Business, Zaragoza, Spain, 30 August–1 September 2004; Volume 3184, pp. 152–161. [Google Scholar]
- Okamoto, T. Receipt-free electronic voting schemes for large scale elections. In Proceedings of the International Workshop on Security Protocols, Paris, France, 7–9 April 1997; Springer: Berlin/Heidelberg, Germany, 1998; pp. 25–35. [Google Scholar]
- Radwin, M. An Untraceable, Universally Verifiable Voting Scheme. Available online: https://www.researchgate.net/publication/2867316_An_Untraceable_Universally_Verifiable_Voting_Scheme (accessed on 16 August 2017).
- Ohkubo, M.; Miura, F.; Abe, M.; Fujioka, A.; Okamoto, T. An Improvement on a Practical Secret Voting Scheme. In Proceedings of the 2nd International Workshop on Information Security (ISW ’99), Kuala Lumpur, Malaysia, 6–7 November 1999; pp. 225–234. [Google Scholar]
- Kim, K.; Kim, J.; Lee, B.; Ahn, G. Experimental Design of Worldwide Internet Voting System Using PKI. In Proceedings of the SSGRR, LÁquila, Italy, 6–12 August 2001; pp. 1–7. [Google Scholar]
- Boyd, C. A new multiple key cipher and an improved voting scheme. In Proceedings of the Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT ’89), Houthalen, Belgium, 10–13 April 1989; pp. 617–625. [Google Scholar]
- García, D.L. A flexible e-voting scheme for debate tools. Comput. Secur.
**2016**, 56, 50–62. [Google Scholar] [CrossRef] - Chow, S.; Liu, J.; Wong, D. Robust Receipt-Free Election System with Ballot Secrecy and Verifiability. In Proceedings of the 16th Annual Network & Distributed System Security Symposium (NDSS), San Diego, CA, USA, 8–11 February 2008; pp. 81–94. [Google Scholar]
- Benaloh, J.; Yung, M. Distributing the power of a government to enhance the privacy of voters. In Proceedings of the Fifth Annual ACM Symposium on Principles of Distributed Computing (PODC ’86), Calgary, AB, Canada, 11–13 August 1986; pp. 52–62. [Google Scholar]
- Cramer, R.; Gennaro, R.; Schoenmakers, B. A secure and optimally efficient multi-authority election scheme. In Proceedings of the 16th Annual International Conference on Theory and Application of Cryptographic Techniques (EUROCRYPT ’97), Konstanz, Germany, 11–15 May 1997; pp. 103–118. [Google Scholar]
- Hirt, M.; Sako, K. Efficient receipt-free voting based on homomorphic encryption. In Proceedings of the 19th International Conference on Theory and Application of Cryptographic Techniques, Bruges, Belgium, 14–18 May 2000; pp. 539–556. [Google Scholar]
- Lee, B.; Kim, K. Receipt-free Electronic Voting through Collaboration of Voter and Honest Verifier. In Proceedings of the JW-ISC, Naha, Japan, 25–26 January 2000; pp. 101–108. [Google Scholar]
- Adewole, A.P.; Sodiya, A.S.; Arowolo, O.A. A Receipt-Free Multi-Authority E-Voting System. Int. J. Comput. Appl.
**2011**, 30, 15–23. [Google Scholar] - Kiayias, A.; Zacharias, T.; Zhang, B. DEMOS-2: Scalable E2E Verifiable Elections without Random Oracles. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, Denver, CO, USA, 12–16 October 2015; ACM: New York, NY, USA, 2015; pp. 352–363. [Google Scholar]
- Shamir, A. How to share a secret. Commun. ACM
**1979**, 22, 612–613. [Google Scholar] [CrossRef] - Iftene, S. General Secret Sharing Based on the Chinese Remainder Theorem with Applications in E-Voting. Electron. Notes Theor. Comput. Sci.
**2007**, 186, 67–84. [Google Scholar] [CrossRef] - Cramer, R.; Franklin, M.; Schoenmakers, B.; Yung, M. Multi-Authority Secret-Ballot Elections with Linear Work. In Advances in Cryptology— EUROCRYPT ’96; Springer: Berlin/Heidelberg, Germany, 1996; Volume 1070, pp. 72–83. [Google Scholar]
- Baudron, O.; Fouque, P.A.; Pointcheval, D.; Stern, J.; Poupard, G. Practical multi-candidate election system. In Proceedings of the 20th ACM Symposium on Principles of Distributed Computing (PODC ’01), Newport, RI, USA, 26–28 August 2001; pp. 274–283. [Google Scholar]
- Hirt, M. Receipt-free K-out-of-L voting based on elgamal encryption. In Towards Trustworthy Elections; Chaum, D., Jakobsson, M., Rivest, R.L., Ryan, P.A., Benaloh, J., Eds.; Springer: Berlin/Heidelberg, Germany, 2010; pp. 64–82. [Google Scholar]
- Han, W.; Chen, K.; Zheng, D. Receipt-Freeness for Groth’s E-Voting Schemes. J. Inf. Sci. Eng.
**2009**, 25, 517–530. [Google Scholar] - Ryan, P.; Peacock, T. Prêt à Voter: A Systems Perspective; Technical Report CS-TR-929; University of Newcastle: Newcastle, Australia, 2005. [Google Scholar]
- Rivest, R. The ThreeBallot Voting System. Available online: http://theory.lcs.mit.edu/rivest/Rivest-TheThreeBallotVotingSystem. pdf (accessed on 1 July 2013).
- Rivest, R.; Smith, W. Three voting protocols: ThreeBallot, VAV, and Twin. In Proceedings of the USENIX Workshop on Accurate Electronic Voting Technology (EVT ’07), Boston, MA, USA, 6–10 August 2007; Volume 16, pp. 1–14. [Google Scholar]
- Fisher, K.; Carback, R.; Sherman, A. Punchscan: Introduction and system definition of a high-integrity election system. Proceedings of Workshop on Trustworthy Elections, Cambridge, UK, 29–30 June 2006; pp. 19–29. [Google Scholar]
- Popoveniuc, S.; Hosp, B. An introduction to Punchscan. In Proceedings of the IAVoSS Workshop on Trustworthy Elections (WOTE 2006), Cambridge, UK, 29–30 June 2006; pp. 28–30. [Google Scholar]
- Chaum, D.; Essex, A.; Carback, R.; Clark, J.; Popoveniuc, S.; Sherman, A.; Vora, P. Scantegrity: End-to-end voter-verifiable optical-scan voting. IEEE Secur. Priv.
**2008**, 6, 40–46. [Google Scholar] [CrossRef] - Chaum, D.; Carback, R.; Clark, J.; Essex, A.; Popoveniuc, S.; Rivest, R.; Ryan, P.; Shen, E.; Sherman, A. Scantegrity II: End-to-end verifiability for optical scan election systems using invisible ink confirmation codes. EVT
**2008**, 8, 1–13. [Google Scholar] - Bohli, J.; Müller-Quade, J.; Röhrich, S. Bingo voting: Secure and coercion-free voting using a trusted random number generator. In Proceedings of the International Conference on E-Voting and Identity, Bochum, Germany, 4–5 October 2007; pp. 111–124. [Google Scholar]
- Sandler, D.; Wallach, D. Casting votes in the auditorium. In Proceedings of the USENIX Workshop on Accurate Electronic Voting Technology (EVT ’07), Boston, MA, USA, 6–10 August 2007; pp. 1–15. [Google Scholar]
- Sandler, D.; Derr, K.; Wallach, D. VoteBox: A tamper-evident, verifiable electronic voting system. In Proceedings of the USENIX Security Symposium, San Jose, CA, USA, 28 July–1 August 2008; Volume 4, pp. 349–364. [Google Scholar]
- Cross, E.V., II; McMillian, Y.; Gupta, P.; Williams, P.; Nobles, K.; Gilbert, J.E. Prime III: A user centered voting system. In Proceedings of the Extended Abstracts on Human Factors in Computing Systems (CHI ’07), San Jose, CA, USA, 28 April–3 May 2007; pp. 2351–2356. [Google Scholar]
- Dawkins, S.; Sullivan, T.; Rogers, G.; Cross, E.V., II; Hamilton, L.; Gilbert, J.E. Prime III: An innovative electronic voting interface. In Proceedings of the 14th International Conference on Intelligent User Interfaces (IUI ’09), Sanibel Island, FL, USA, 8–11 February 2009; pp. 485–486. [Google Scholar]
- Scytl. White paper: Auditability and Voter-Verifiability for Electronic Voting Terminals. Available online: http://www.scytl.com/images/upload/home/PNYX.VM_White_Paper.pdf (accessed on 1 July 2013).
- SCYTL. Pnyx.VM: Auditability and Voter-Verifiability for Electronic Voting Terminals; SCYTL: Barcelona, Spain, 2004. [Google Scholar]
- SCYTL. Pnyx.core: The Key to Enabling Reliable Electronic Elections; SCYTL: Barcelona, Spain, 2005. [Google Scholar]
- Clarkson, M.; Hay, B.; Inge, M.; Wagner, D.; Yasinsac, A. Software Review and Security Analysis of Scytl Remote Voting Software. Available online: http://www.cs.cornell.edu/~clarkson/papers/scytl-odbp.pdf (accessed on 16 August 2017).
- Kiayias, A.; Korman, M.; Walluck, D. An Internet voting system supporting user privacy. In Proceedings of the 22nd Annual Computer Security Applications Conference (ACSAC’06), Miami Beach, FL, USA, 11–15 December 2006; IEEE Computer Society: Washington, DC, USA, 2006; pp. 165–174. [Google Scholar]
- Karlof, C.; Sastry, N.; Wagner, D. Cryptographic Voting Protocols: A Systems Perspective. In Proceedings of the 14th conference on USENIX Security Symposium, Baltimore, MD, USA, 31 July–5 August 2005; Volume 5, pp. 33–50. [Google Scholar]
- Bernhard, D.; Cortier, V.; Galindo, D.; Pereira, O.; Warinschi, B. SoK: A comprehensive analysis of game-based ballot privacy definitions. In Proceedings of the IEEE Symposium on Security and Privacy, San Jose, CA, USA, 18–20 May 2015; IEEE Computer Society: Los Alamitos, CA, USA, 2015; pp. 499–516. [Google Scholar]
- Cortier, V.; Galindo, D.; Küsters, R.; Müller, J.; Truderung, T. SoK: Verifiability Notions for E-Voting Protocols. In Proceedings of the 37th IEEE Symposium on Security and Privacy (S&P ’16), San Jose, CA, USA, 23–25 May 2016; pp. 779–798. [Google Scholar]
- Adida, B. Helios: Web-based open-audit voting. In Proceedings of the USENIX Security Symposium, San Jose, CA, USA, 28 July–1 August 2008; USENIX Association: Berkeley, CA, USA, 2008; Volume 17, pp. 335–348. [Google Scholar]
- Benaloh, J. Simple verifiable elections. In Proceedings of the USENIX/Accurate Electronic Voting Technology Workshop 2006 on Electronic Voting Technology Workshop (EVT/WOTE. USENIX), Vancouver, BC, Canada, 1 August 2006; pp. 1–10. [Google Scholar]
- Sako, K.; Kilian, J. Receipt-free mix-type voting scheme. In Advances in Cryptology—UROCRYPT ’95; Springer: Berlin/Heidelberg, Germany, 1995; pp. 393–403. [Google Scholar]
- Adida, B.; De Marneffe, O.; Pereira, O.; Quisquater, J. Electing a University President Using Open-Audit Voting: Analysis of Real-World Use of Helios. In Proceedings of the Conference on Electronic Voting Technology/Workshop on Trustworthy Elections (EVT/WOTE), Montreal, QC, Canada, 10–11 August 2009. [Google Scholar]
- Cortier, V.; Fuchsbauer, G.; Galindo, D. BeleniosRF: A Strongly Receipt-Free Electronic Voting Scheme.Cryptology ePrint Archive, Report 2015/629, 2015. Available online: http://eprint.iacr.org/2015/629 (accessed on 16 August 2017).
- Nakajima, A. Decentralized voting protocols. In Proceedings of the International Symposium on Autonomous Decentralized Systems, Kawasaki, Japan, 30 March–1 April 1993; IEEE Computer Society Press: Los Alamitos, CA, USA, 1993; pp. 247–254. [Google Scholar]
- Kulyk, O.; Neumann, S.; Feier, C.; Volkamer, M.; Koster, T. Electronic voting with fully distributed trust and maximized flexibility regarding ballot design. In Proceedings of the 6th International Conference on Electronic Voting (EVOTE), Lochau, Austria, 29–31 October 2014; IEEE: Piscataway, NJ, USA; pp. 1–10. [Google Scholar]
- Commission, T.U.E.A. Polling Places 2004 General Election: EAC Election Day Survey. Available online: https:/ electioncenter.org/documents/EAC-2004%20election%20surveyFull_Report_wTables.pdf (accessed on 16 August 2017).
- Benaloh, J. Rethinking Voter Coercion: The Realities Imposed by Technology. In Proceedings of the 2013 Electronic Voting Technology Workshop/Workshop on Trustworthy Elections (EVT/WOTE ’13), Washington, DC, USA, 12–13 August 2013; USENIX: Berkeley, CA, USA, 2013; pp. 82–105. [Google Scholar]

**Figure 1.**Collectors interact with voters to avoid voters’ interaction among themselves:

**left**—generate shares for voters;

**middle**—interact with a casting voter;

**right**—interact with the casting voter.

($n,n$)-SS | ($n,n$)-secret sharing |

LAS | Location Anonymization Scheme |

STPM | Secure Two-Party Multiplication |

${V}_{1},\dots ,{V}_{N}$ | Voters. $1,\dots ,N$ are voters’ indices |

N | Number of voters |

M | Number of candidates |

${C}_{1}$, ${C}_{2}$ | Collectors |

${\mathbf{Z}}_{\mathbf{A}}^{*}$, g | Finite cyclic group, and generator of the group |

${\mathbf{v}}_{\mathbf{i}}$ | ${V}_{i}$’s voting vector |

${v}_{i}$; ${v}_{i}^{\prime}$ | ${V}_{i}$’s forward and backward voting values |

${\mathbf{V}}_{\mathbf{A}}$; ${\mathbf{V}}_{\mathbf{A}}^{\prime}$ | Aggregated voting vector, and its reverse |

${\mathbf{L}}_{\mathbf{i}}$ | ${V}_{i}$’s location vector |

${\mathbf{L}}_{\mathbf{A}}$ | Aggregated location vector |

$\widehat{{L}_{i}}$ | ${V}_{i}$’s Chosen location in one round |

$\overline{L}$ | Length of location vector |

L | Length of each voter’s voting vector |

${L}_{i}$ | Voter ${V}_{i}$’s real location (which is private to ${V}_{i}$) |

or to say, voter ${V}_{i}$’s row number | |

${L}_{B}^{i},{L}_{B+1}^{i},\dots ,{L}_{E}^{i}$ | ${V}_{i}$’s voting positions/bits |

or to say, the columns in row ${L}_{i}$ | |

${L}_{c}^{i}$ | A voting position where ${V}_{i}$ sets to 1 (cast vote) |

(${L}_{B}^{i}\le {L}_{c}^{i}\le {L}_{E}^{i}$) | also referred to as a voting element or bit |

${s}_{ij}({s}_{ij}^{\prime})$ | ${V}_{i}$’s share of ${v}_{i}$ (${v}_{i}^{\prime}$) |

${p}_{i};{p}_{i}^{\prime}$ | ${V}_{i}$’s secret ballots for ${v}_{i}$ and ${v}_{i}^{\prime}$, respectively |

$P;{P}^{\prime}$ | Sum of ${p}_{i}$, and sum of ${p}_{i}^{\prime}$ $(1\le i\le N)$ |

${S}_{i,{C}_{j}};{S}_{i,{C}_{j}}^{\prime}$ | Sum of ${V}_{i}$’s shares that ${C}_{j}$ (j = 1, 2) creates in the interactive protocol or receives in the non-interactive protocol |

${\tilde{S}}_{i,{C}_{j}};{\tilde{S}}_{i,{C}_{j}}^{\prime}$ | Sum of shares sent to ${V}_{i}$ from other voters in the interactive protocol or ${C}_{j}$ sends in the non-interactive protocol |

${\mathbf{L}}_{\mathbf{i}}$ | ${V}_{i}$’s location vector (used in LAS) |

${\mathbf{L}}_{\mathbf{A}}$ | Aggregated location vector (used in LAS) |

$\widehat{{L}_{i}}$ | ${V}_{i}$’s chosen location in one round (used in LAS) |

$\overline{L}$ | Length of location vector (used in LAS) |

**Table 2.**The collectors generate all shares for each voter, with each collector generating half of $N-1$ shares. ${v}_{i}$ is ${V}_{i}^{\prime}$s vote. $\widehat{{s}_{i,j}}$ ($i\ne j$) is generated by ${C}_{1}$, and $\stackrel{\u02c7}{{s}_{i,j}}$ ($i\ne j$) is by ${C}_{2}$. ${S}_{i,{C}_{1}}$ is the sum of all shares ($\widehat{{s}_{i,j}}$) in Row i generated by ${C}_{1}$ (for ${V}_{i}$), and ${S}_{i,{C}_{2}}$ is the sum of all shares ($\stackrel{\u02c7}{{s}_{i,j}}$) in Row i by ${C}_{2}$ (for ${V}_{i}$). ${s}_{i,i}={v}_{i}-{S}_{i,{C}_{1}}-{S}_{i,{C}_{2}}$. ${\tilde{S}}_{i,{C}_{1}}$ is the sum of all shares ($\widehat{{s}_{j,i}}$) in Column i generated by ${C}_{1}$, and ${\tilde{S}}_{i,{C}_{2}}$ is the sum of all shares ($\stackrel{\u02c7}{{s}_{j,i}}$) in Column i by ${C}_{2}$.

$\leftarrow -$ | ${C}_{1}$ | $-\to $ | $\leftarrow -$ | ${C}_{2}$ | $-\to $ | ||||

${\tilde{S}}_{i,{C}_{1}}$ | ${\tilde{S}}_{i,{C}_{2}}$ | ||||||||

⇓ | ⇓ | ||||||||

${v}_{1}$ | ${s}_{1,1}$ | $\widehat{{s}_{1,2}}$ | ⋯ | $\widehat{{s}_{1,N/2}}$ | $\stackrel{\u02c7}{{s}_{1,N/2+1}}$ | ⋯ | $\stackrel{\u02c7}{{s}_{1,N}}$ | ||

${C}_{1}$, ${S}_{i,{C}_{1}}$⇒ | ⋮ | ⋮ | ⋮ | ⋮ | ⋮ | ⋮ | ⋮ | ⋮ | ⇐${S}_{i,{C}_{2}}$, ${C}_{2}$ |

${v}_{N/2}$ | $\widehat{{s}_{N/2,1}}$ | $\widehat{{s}_{N/2,2}}$ | ⋯ | ${s}_{N/2,N/2}$ | $\stackrel{\u02c7}{{s}_{N/2,N/2+1}}$ | ⋯ | $\stackrel{\u02c7}{{s}_{N/2,N}}$ | ||

${v}_{N/2+1}$ | $\stackrel{\u02c7}{{s}_{N/2+1,1}}$ | $\stackrel{\u02c7}{{s}_{N/2+1,2}}$ | ⋯ | $\stackrel{\u02c7}{{s}_{N/2+1,N/2}}$ | ${s}_{N/2+1,N/2+1}$ | ⋯ | $\widehat{{s}_{N/2+1,N}}$ | ||

${C}_{2}$, ${S}_{i,{C}_{2}}$⇒ | ⋮ | ⋮ | ⋮ | ⋮ | ⋮ | ⋮ | ⋮ | ⋮ | ⇐${S}_{i,{C}_{1}}$, ${C}_{1}$ |

${v}_{N}$ | $\stackrel{\u02c7}{{s}_{N,1}}$ | $\stackrel{\u02c7}{{s}_{N,2}}$ | ⋯ | $\stackrel{\u02c7}{{s}_{N,N/2}}$ | $\widehat{{s}_{N,N/2+1}}$ | ⋯ | ${s}_{N,N}$ | ||

⇑ | ⇑ | ||||||||

${\tilde{S}}_{i,{C}_{2}}$ | ${\tilde{S}}_{i,{C}_{1}}$ | ||||||||

$\leftarrow -$ | ${C}_{2}$ | $-\to $ | $\leftarrow -$ | ${C}_{1}$ | $-\to $ |

Voter | Location | Vote | Shares | Secret Ballot |
---|---|---|---|---|

${V}_{1}$ | 2 | B (32) | $\underline{12}+5+8+7$ | $45\phantom{\rule{3.33333pt}{0ex}}(=12+1+15+17)$ |

${V}_{2}$ | 3 | R (4) | $1+\underline{13}+(-3)+(-7)$ | $28\phantom{\rule{3.33333pt}{0ex}}(=5+13+7+3)$ |

${V}_{3}$ | 4 | B (2) | $15+7+(\underline{-10})+(-10)$ | $30\phantom{\rule{3.33333pt}{0ex}}(=8+(-3)+(-10)+35)$ |

${V}_{4}$ | 1 | R (64) | $17+3+35+\underline{9}$ | $-1\phantom{\rule{3.33333pt}{0ex}}(=7+(-7)+(-10)+9)$ |

© 2017 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Zou, X.; Li, H.; Li, F.; Peng, W.; Sui, Y. Transparent, Auditable, and Stepwise Verifiable Online E-Voting Enabling an Open and Fair Election. *Cryptography* **2017**, *1*, 13.
https://doi.org/10.3390/cryptography1020013

**AMA Style**

Zou X, Li H, Li F, Peng W, Sui Y. Transparent, Auditable, and Stepwise Verifiable Online E-Voting Enabling an Open and Fair Election. *Cryptography*. 2017; 1(2):13.
https://doi.org/10.3390/cryptography1020013

**Chicago/Turabian Style**

Zou, Xukai, Huian Li, Feng Li, Wei Peng, and Yan Sui. 2017. "Transparent, Auditable, and Stepwise Verifiable Online E-Voting Enabling an Open and Fair Election" *Cryptography* 1, no. 2: 13.
https://doi.org/10.3390/cryptography1020013