
Title An anonymous distributed electronic voting system using Zerocoin

Author(s) Takabatake, Yu; Kotani, Daisuke; Okabe, Yasuo

Citation IEICE Technical Report = 信学技報 (2016), 116(282): 127-131

Issue Date 2016-11

URL http://hdl.handle.net/2433/217329

Right © 2016 by IEICE

Type Conference Paper

Textversion publisher

Kyoto University


An anonymous distributed electronic voting system using Zerocoin

Yu Takabatake†, Daisuke Kotani‡, and Yasuo Okabe‡

† Graduate School of Informatics, Kyoto University
‡ Academic Center for Computing and Media Studies, Kyoto University

Yoshida-Honmachi, Sakyo-ku, Kyoto, 606-8501 Japan

Abstract

Existing e-voting systems rely on a database managed by an administrator, and hence the administrator may counterfeit a vote. To solve this problem, the use of Bitcoin as a public database has been proposed. However, the Bitcoin system provides only pseudonymity and lacks the anonymity needed in systems like e-voting. We propose the use of Zerocoin, which gives anonymity to Bitcoin. In addition, our system fixes the group of voters before the voting, which makes fraudulent voting by an administrator difficult.

Key words E-Voting, Zerocoin, Bitcoin

1 Introduction

E-voting systems will be beneficial to all people who are involved in elections. For example, administrators can improve the operation of election tasks, and voters can vote in an election anytime and anywhere. In addition, ideal e-voting systems have transparency, completeness (only voters have the right to vote and their votes are correctly counted), and verifiability (voters can check that their vote is correctly counted), and are therefore better than existing voting systems.

These e-voting systems generally use an administrator's database, and it is easy for the administrator to counterfeit a vote. Various e-voting systems have been studied to prevent such injustice. One solution is to use a database without an administrator.

Recently, some e-voting systems have used the Bitcoin[1] system as a database. Bitcoin is one of the most popular digital currencies, and has the feature that all data is public. We can use it to improve transparency and to prevent fraudulent voting by an administrator.

An e-voting system consists of two entities: voters $V_i$ ($i = 1, 2, \dots, n$) and an administrator $A$. $V_i$ is usually authenticated as eligible by $A$ and then votes. $A$ must check the eligibility of $V_i$, but must not know the vote cast by $V_i$. This requirement, which needs both eligibility checks and anonymity, is not satisfied by Bitcoin because Bitcoin provides only pseudonymity and has a public ledger. For example, once $A$ authenticates $V_i$'s address, $A$ can link the address with $V_i$ and the vote's anonymity is broken. Also, $V_i$ needs at least a small amount of money to conduct a transaction in Bitcoin, and if $A$ sends the money to $V_i$ for voting preparation, $A$ needs to send it to $V_i$'s address or to give $V_i$ ownership of an address. However, at that time, $A$ can link the address with $V_i$.

To solve these problems about the anonymity of Bitcoin addresses and voters, we use Zerocoin[2], which can give a limited anonymity to a Bitcoin address using a zero-knowledge proof.

Zerocoin is one of the Bitcoin laundry[3] systems. A user has to show a list of Zerocoin including his or her own Zerocoin when exchanging Zerocoin for Bitcoin. The list is a sublist of all available Zerocoin. Using a zero-knowledge proof, others can check whether his or her Zerocoin is included in the list, but cannot know which one it is. If we simply use Zerocoin, the washed Bitcoin address is anonymous, and others cannot check whether it is a voter's one or not. However, if he or she uses the voters' Zerocoin as the input list, others can verify that he or she is a voter.

In Section 2, we define basic concepts of e-voting systems. In Section 3, we discuss existing e-voting systems, Bitcoin, and Zerocoin. Section 4 describes our proposed system. Section 5 provides a consideration of the proposed system. Section 6 provides concluding remarks and future work.

2 E-Voting System

A minimum e-voting system consists of two entities: voters and an administrator. Voters are authenticated as eligible by an administrator, then vote for a candidate. The administrator checks the votes and publicly announces the results.

General e-voting systems have to satisfy the following properties[4].

• Completeness: An eligible voter is always accepted by the administrator and all valid votes are counted correctly.

• Robustness/Soundness: Dishonest voters and other participants cannot disturb/disrupt an election.

• Anonymity/Privacy: All votes must be secret and no entity can link a vote with the voter who has cast a vote.


一般社団法人 電子情報通信学会 信学技報 THE INSTITUTE OF ELECTRONICS, INFORMATION AND COMMUNICATION ENGINEERS

This article is a technical report without peer review, and its polished and/or extended version may be published elsewhere.                                           Copyright ©2016 by IEICE

IEICE Technical Report IA2016-54(2016-11)


• Unreusability: No voter can vote more than once.

• Fairness: Early results should not be obtained, as they could influence the remaining voters.

• Eligibility: Only legitimate voters can vote.

• Individual verifiability: A voter can verify that his/her vote was really counted.

• Universal verifiability: Anybody can verify that the published outcome really is the sum of all votes.

We add the following meaning to Eligibility.

• Even the administrator cannot counterfeit a vote after the voting preparation.

3 Related Work

3.1 E-Voting Systems

As a simple e-voting system that does not use Bitcoin, Fujioka et al. proposed a voting scheme for large scale elections[5]. It consists of three entities: voters, an administrator, and a counter. It also uses a blind signature. Even if the administrator colludes with the counter, they cannot link a voter with a vote. However, Koenig et al. pointed out that it has a single point of failure[6], wherein the authority can provide votes for the voters who did not cast their votes.

Foroglou et al.[7] and Czepluch et al.[8] reported that e-voting is a good application of Bitcoin. The former explained that Blockchain is useful for preventing multiple voting and stuffing. The latter explained that crackers always attack a government's database, and hence it is not safe. A peer-to-peer database is suitable for managing voting data.

Kobler et al.[9] proposed an e-voting system using Zerocoin like ours. The construction is as follows. A group of people sets up a bulletin board like the ones for Zerocoin. In the Registration phase, every voter may generate a ticket $c$, and keeps $sk_c = (S, r)$ secret. $c$ is published on the bulletin board as the user's ticket. In the Voting phase, each user collects the tickets from the bulletin board, checking that no user has posted two of them, and includes them into an accumulator based on params. He then generates a vote, using his vote (e.g. the name of the candidate) as string $R$, and publishes the result in proof $\omega$ and the serial number $S$. In the Counting phase, the validity of all voters is verified and the votes get counted. However, they did not explain in detail how to authorize voters or how to check that each voter generates only one ticket.

Cruz et al.[4] proposed an e-voting system using Bitcoin and blind signatures[10]. It uses Prepaid Bitcoin cards (PBCs), which contain a public Bitcoin address with a pre-loaded amount of Bitcoin and the corresponding private key. Using these cards, voters get Bitcoin for voting. They said that when an administrator issues PBCs, the PBCs must be put inside an envelope to ensure that they cannot be traced back to voters. However, this is not prevented by technical means, and a dishonest administrator may reveal information such as the Bitcoin address or private key. If the administrator knows a voter's Bitcoin address, the administrator can link the voter with a vote.

Also, they proposed that voter $V_i$ selects a vote $v_i$ and creates the commitment $x_i$. Then, $V_i$ generates the blinded message $x'_i$. $A$ checks voter $V_i$ and signs $x'_i$. When all voters have requested the signature from $A$, $A$ publishes the $x'_i$ list. After the publication, even $A$ cannot add, delete, or modify votes. However, it assumes that all voters request the signature, and this is not a realistic assumption. If some voters do not request the signature, $A$ can spoof the voters.

3.2 Bitcoin

Bitcoin[1] is a digital currency in widespread use. The system is robust and is steadily expanding in scale. It is a peer-to-peer system, and there are thousands of peers all over the world. There is one public ledger shared by all peers, and it records all past transactions. To prevent fraudulent transactions, the system adopts a Proof of Work concept. Thus an attacker who does not have over half of all peers cannot force others to accept fraudulent transactions.

Bitcoin is a pseudonymous system, and a user uses a Bitcoin address, which is an identifier of 26-35 alphanumeric characters, for a transaction. In Bitcoin, one transaction includes pointers to the "from" address, the "to" address, and how much is sent. The history of transactions constructs a monetary system. All transactions are recorded in one ledger, which is shared by the whole Bitcoin network. This mechanism enables any Bitcoin user to search arbitrary transactions and addresses that are related to a particular transaction.

We use Bitcoin as a database, because the system is completely open. A traditional system, which has an administrator, generally manages a database inside of it. Even if it discloses a sufficient amount of information, the administrator can easily change the data, and thus it has the defect of poor transparency. Bitcoin is originally designed for various participants to update data, and there is no need to consider the possibility of fraudulence. Also, it is a distributed system, and thus it is expected to be resilient to malicious attacks.

One transaction also has an element called OP_RETURN[11], and this element can contain any string up to 80 bytes. Thus we can also use it as a simple database.

3.3 Zerocoin

Zerocoin[2] is one of the Bitcoin laundry systems using a zero-knowledge proof. One coin in Zerocoin is a fixed amount of Bitcoin.


The following briefly explains how to mint and spend Zerocoin. This description is slightly modified from that in the original Zerocoin paper[2].

Minting
Minting is the process of exchanging Bitcoin for Zerocoin. When Alice has the fixed amount of Bitcoin $v$ and exchanges it for Zerocoin, Alice first generates a random coin serial number $S$, then commits to $S$ using a secure digital commitment scheme. The resulting commitment is a coin, denoted by $C$, which can only be opened by a random number $r$ to reveal the serial number $S$. Alice pins $C$ to the public bulletin board, along with sending $v$ to a given address. Other users check Alice's transaction and accept $C$ as valid.

Spending
Alice first scans the bulletin board to obtain the set of valid commitments $(C_1, \dots, C_N)$ that have been posted by all users in the system. She next produces a non-interactive zero-knowledge proof $\omega$ for the following two statements: (1) she knows $C$ which is included in $(C_1, \dots, C_N)$ and (2) she knows a hidden value $r$ such that the commitment $C$ opens to $S$. She posts a "spend" transaction containing $(\omega, S)$. The remaining users verify the proof $\omega$ and check that $S$ has not previously appeared in any other spend transaction. If these conditions are met, the users allow Alice to convert Zerocoin to Bitcoin at the amount of $v$; otherwise they reject her transaction and prevent her from converting it.

In this way, Alice gets a new Bitcoin address through this in-and-out exchange, and others cannot trace the address to Alice.

We can use an arbitrary subset of $(C_1, \dots, C_N)$ in statement (1) of $\omega$. We use this characteristic to assure the anonymity of votes while all votes are eligible. A voter uses the Zerocoin of the voters as the subset of the commitments. In this way, we can create an anonymous Bitcoin address whose voting right is nevertheless verified.

4 Proposed E-Voting System

The proposed system consists of two entities: a voter $V_i$ and an administrator $A$. $V_i$ acquires the right to vote from $A$, then casts a vote $v_i$ for a candidate. $A$ checks $v_i$ and publicly discloses the results.

Data is consistently on the Bitcoin or Zerocoin Blockchain from the beginning (the Preparation stage) to the end (the Counting stage).

$A$ operates an administrative system. Only voters have accounts, and they register the Bitcoin addresses and commitments of Zerocoin that appear in the voting process. $A$ publishes this information without any connection to the accounts.

Preparation first stage
$A$ prepares the administrative system, and $V_i$ creates an account and registers a Bitcoin address $BA_{i1}$ which $V_i$ creates for this voting. At the end of this stage, $A$ publishes a list of $BA_{i1}$, and accounts that have not registered Bitcoin addresses lose their rights to vote. Thus the set of voters is fixed.

Preparation second stage
$A$ pays a fixed amount of Bitcoin to each $BA_{i1}$ for voting costs. $V_i$ exchanges the received Bitcoin for a commitment of Zerocoin $C_i$. Then $V_i$ registers $C_i$ to the administrative system. At the end of this stage, $A$ publishes a list of $C_i$.

Preparation third stage
$V_i$ exchanges Zerocoin for Bitcoin. $V_i$ sets the published commitments of Zerocoin (which contain $C_i$) as the commitments of Zerocoin in the zero-knowledge proof. Thus, $V_i$ acquires a new Bitcoin address $BA_{i2}$.

Voting stage
$V_i$ selects a vote $v_i$ and completes the ballot. Then $V_i$ creates a commitment $x_i = \mathrm{enc}(v_i, k_i)$ to prevent voting data leakage until the Opening stage, where $k_i$ is a randomly chosen key. $V_i$ creates a Bitcoin transaction from $BA_{i2}$ to $BA_v$, which $A$ prepares for this voting to receive votes. This transaction includes $x_i$ in the OP_RETURN part of the protocol.

Opening stage
$V_i$ creates a Bitcoin transaction from $BA_{i2}$ to $BA_v$ again. This transaction includes $k_i$ in the OP_RETURN part of the protocol to open $x_i$.

Counting stage
$A$ checks all transactions sent to $BA_v$ to confirm that their senders set valid commitments of Zerocoin when they exchanged Zerocoin for Bitcoin. Thus $A$ acquires the valid Bitcoin addresses. If multiple transactions are sent by one voter, $A$ validates the first one. $A$ opens the commitment $x_i$ using the key $k_i$ to retrieve $v_i$. Finally, $A$ counts the votes and announces the results.
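The Counting stage, together with the serial-number rule from the Spending description in Section 3.3, as an added Python example that is not part of the paper. The paper does not specify enc, so a SHA-256 keystream with an HMAC tag stands in for it; the function names, addresses, keys and tuple layouts are constructed for illustration, and every spend in the sample is assumed to have already passed verification of its zero-knowledge proof $\omega$.

```python
import hashlib
import hmac
from collections import Counter

OP_RETURN_MAX, TAG = 80, 16  # 80-byte limit from Section 3.2; tag length is this example's choice

def _stream(key, n):  # SHA-256 counter-mode keystream standing in for enc (assumption)
    return b"".join(hashlib.sha256(b"enc" + key + bytes([i])).digest()
                    for i in range(n // 32 + 1))[:n]

def _tag(key, ct):
    return hmac.new(key, ct, hashlib.sha256).digest()[:TAG]

def enc(vote, key):
    """x_i = enc(v_i, k_i): ciphertext plus a tag that binds it to k_i."""
    pt = vote.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, len(pt))))
    if len(ct) + TAG > OP_RETURN_MAX:
        raise ValueError("commitment does not fit in OP_RETURN")
    return ct + _tag(key, ct)

def dec(x, key):
    """Open x_i with k_i; None when k_i does not match the commitment."""
    ct, tag = x[:-TAG], x[-TAG:]
    if not hmac.compare_digest(tag, _tag(key, ct)):
        return None
    return bytes(a ^ b for a, b in zip(ct, _stream(key, len(ct)))).decode()

def eligible(spends, published):
    """BA_i2 addresses whose spend was proved against the published C_i list."""
    first = {}
    for to, serial, coins in spends:
        first.setdefault(serial, (to, coins))  # a reused serial S is rejected
    return {to for to, coins in first.values() if set(coins) <= set(published)}

def count(ledger, voters, candidates):
    """ledger: time-ordered (stage, sender, op_return) transactions paid to BA_v."""
    first = {"voting": {}, "opening": {}}
    for stage, sender, data in ledger:
        if sender in voters and len(data) <= OP_RETURN_MAX:
            first[stage].setdefault(sender, data)  # later transactions are ignored
    tally = Counter()
    for sender, x in first["voting"].items():
        key = first["opening"].get(sender)
        vote = dec(x, key) if key is not None else None
        if vote in candidates:
            tally[vote] += 1
    return tally

def demo():
    """Constructed election: three voters, an unpublished coin, a reused serial."""
    pub = ["C1", "C2", "C3"]
    spends = [("BA12", "S1", pub), ("BA22", "S2", pub), ("BA32", "S3", pub),
              ("BAxx", "S9", ["C1", "C9"]), ("BAyy", "S1", pub)]  # (BA_i2, S, coin list)
    votes = [("BA12", "alice", b"k1", True),   # (address, vote, key, key disclosed?)
             ("BA12", "bob", b"k1b", True),    # second vote by BA12: ignored
             ("BA22", "bob", b"k2", True),
             ("BA32", "bob", b"k3", False),    # never opened: not counted
             ("BAxx", "bob", b"k4", True),     # C9 was not published by A
             ("BAyy", "bob", b"k5", True)]     # serial S1 already spent
    ledger = [("voting", a, enc(v, k)) for a, v, k, _ in votes]
    ledger += [("opening", a, k) for a, _, k, opened in votes if opened]
    return count(ledger, eligible(spends, pub), {"alice", "bob"})
```

Of the six voting transactions in the constructed ledger, only the first vote from BA12 and the vote from BA22 reach the tally.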

5 Consideration

Completeness: Voters register Bitcoin addresses and commitments of Zerocoin, so $A$ recognizes that the voters intend to vote. Voters who have valid Bitcoin addresses can create transactions from the addresses to $BA_v$, and the transactions include votes and keys, thus $A$ counts their votes correctly.

Robustness/Soundness: In the Preparation second stage, voters may not use unregistered Bitcoin addresses when converting to Zerocoin, then register commitments of Zerocoin to the administrative system. This case does not cause any problem because the eligibility of voters is checked when registering the commitments of Zerocoin to the administrative system.


[Figure 1: Proposed E-Voting System. Diagram labels: Prepared stage (First, Second, Third), Voting & Opening stage; Voter, Administrator, Bitcoin Laundry; Bitcoin, Zerocoin (Mint), Zerocoin (Spend), Bitcoin.]

In the Preparation third stage, if voters do not exchange Zerocoin for Bitcoin with certain commitments of Zerocoin, they simply lose the right to vote.

In the Voting or the Opening stages, if voters do not correctly include votes or keys in transactions, their votes are not counted.

If a third party tries to interrupt this system, Bitcoin and Zerocoin systems are peer-to-peer and they are tolerant of attacks.

Anonymity/Privacy: Bitcoin and Zerocoin are peer-to-peer systems, and the connection is not anonymous. If $A$ operates a node, $A$ can link votes with the IP addresses of voters who use the node for creating their voting transactions. Thus, these systems do not assure anonymity. Voters who need anonymity have to use an anonymous network like Tor (see footnote 1).

Using Zerocoin, we propose limited anonymity, thus votes are not linked to voters.

Unreusability: If voters vote multiple times, $A$ allows only the first vote for each voter.

In the Voting stage, voters can create multiple transactions, each with a vote commitment using a different key. In the Opening stage, voters must select and disclose only one key.

Fairness: Voters transfer their keys after the Voting stage, thus votes are encrypted and they cannot affect the voting during the Voting stage.

Eligibility: Only voters have accounts on the administrative system. After the registration of Bitcoin addresses, the set of voters is fixed. Also, after the registration of commitments of Zerocoin, $A$ cannot impersonate voters. $A$ can impersonate voters who only register Bitcoin addresses; however, we can automate these Preparation stages, thus we can prepare simple applications and avoid that.

Footnote 1: https://www.torproject.org/

Whereas in the system proposed by Cruz et al. it is easy for $A$ to spoof the voters, it is difficult to do so in our system. We fix the group of voters before the Voting stage. It is hard for $A$ to disguise votes. If $A$ tries to do so, $A$ needs to prepare accounts in the administrative system artificially. However, $A$ cannot forecast how many accounts are enough to change the results, and $A$ needs many artificial accounts; thus people other than the administrator will see many more commitments of Zerocoin than they expect, and voters can detect the fraud.

Individual verifiability: Each voter's vote and key are published on the Bitcoin Blockchain, and it is easily verifiable.

Universal verifiability: All voting contents are public, thus the results cannot be falsified.

We use Bitcoin and Zerocoin, but their processing speed is not so fast (Bitcoin processes only 7 transactions per second). Thus it is difficult to use the system for voting for Diet members (for example, the number of voters is one hundred million), but it is acceptable to use it for voting for city council members (for example, the number of voters is ten thousand) using a week per stage.

6 Concluding Remarks and Future Work

We propose an e-voting system using Bitcoin and Zerocoin. Bitcoin is used as a public database. If the system uses only Bitcoin, an administrator can link voters to votes. That is a problem, but we also use Zerocoin, which is one of the Bitcoin laundry systems, to solve the privacy issues caused by Bitcoin. As a result, an administrator and others can verify that he or she is a voter, but cannot know who he or she is. In addition, this system can fix the group of voters before the Voting stage, and it is harder for the administrator to disguise votes than in the previous e-voting system using Bitcoin.

As discussed in the previous section, our system has a problem with processing speed. In future work, we will propose an e-voting system that can be used in real life, which does not rely on Bitcoin's or Zerocoin's processing speed, or replaces them with other systems.

References

[1] Satoshi Nakamoto, Bitcoin: A peer-to-peer electronic cash system, (2008).

[2] Ian Miers, Christina Garman, Matthew Green, and Aviel D Rubin, Zerocoin: Anonymous distributed e-cash from bitcoin, Security and Privacy (SP), 2013 IEEE Symposium on, (IEEE, 2013), pp. 397–411.

[3] Bitcoin Wiki, Bitcoin Laundry, (accessed October 11, 2016), https://en.bitcoin.it/wiki/Bitcoin_Laundry.

[4] Cruz Jason, Paul and Kaji Yuichi, E-voting system based on the bitcoin protocol and blind signatures, (2016).

[5] Atsushi Fujioka, Tatsuaki Okamoto, and Kazuo Ohta, A practical secret voting scheme for large scale elections, International Workshop on the Theory and Application of Cryptographic Techniques, (Springer, 1992), pp. 244–251.

[6] Reto E Koenig, Eric Dubuis, and Rolf Haenni, Why public registration boards are required in e-voting systems based on threshold blind signature protocols, Electronic Voting, (2010), pp. 255–266.

[7] George Foroglou and Anna-Lali Tsilidou, Further applications of the blockchain, (2015).

[8] Jacob Stenum Czepluch, Nikolaj Zangenberg Lollike, and Simon Oliver Malone, The use of block chain technology in different application domains, (2015).

[9] Kobler Johannes and Reinhardt Klaus, Zero-knowledge protocols: Leakage resilience and anonymous signatures, (2014).

[10] David Chaum, Blind signatures for untraceable payments, Advances in cryptology, (Springer, 1983), pp. 199–203.

[11] Bitcoin Wiki, OP_RETURN, (accessed October 11, 2016), https://en.bitcoin.it/wiki/OP_RETURN.
