Title An anonymous distributed electronic voting system ... anonymous distributed electronic voting system using ... An anonymous distributed electronic voting system using ... we de ne basic concepts on e-voting sys-

Download Title An anonymous distributed electronic voting system ...  anonymous distributed electronic voting system using ... An anonymous distributed electronic voting system using ... we de ne basic concepts on e-voting sys-

Post on 24-Apr-2018




6 download

Embed Size (px)


<ul><li><p>Title An anonymous distributed electronic voting system usingZerocoin</p><p>Author(s) Takabatake, Yu; Kotani, Daisuke; Okabe, Yasuo</p><p>Citation IEICE Technical Report = (2016), 116(282): 127-131</p><p>Issue Date 2016-11</p><p>URL http://hdl.handle.net/2433/217329</p><p>Right 2016 by IEICE</p><p>Type Conference Paper</p><p>Textversion publisher</p><p>Kyoto University</p></li><li><p>An anonymous distributed electronic voting system using Zerocoin</p><p>Yu Takabatake, Daisuke Kotani, and Yasuo Okabe</p><p> Graduate School of Informatics, Kyoto University Academic Center for Computing and Media Studies, Kyoto University</p><p>Yoshida-Honmachi, Sakyo-ku, Kyoto, 606-8501 Japan</p><p>AbstractExisting e-voting systems rely on a database managed by an administrator, and hence the administrator may possiblycounterfeits a vote. To solve this problem, there have been proposed utilization of Bitcoin, which we can use as a publicdatabase. However, the Bitcoin system has pseudonymity and does not have anonymity that is needed in systems likee-voting. We propose utilization of Zerocoin that gives anonymity to Bitcoin. In addition, our system fixes the groupof voters before the voting, and our system makes an administrators fraudulent voting difficult.</p><p>Key words E-Voting, Zerocoin, Bitcoin</p><p>1 Introduction</p><p>E-voting systems will be beneficial to all people who areinvolved in elections. For example, administrators canimprove operation of tasks for elections, and voters canvote in an election anytime and anywhere. In addition,ideal e-voting systems have transparency, completeness(only voters have the right to vote and their votes arecorrectly counted), and verifiability (voters can checkthat their vote is correctly counted), and therefore it isbetter than existing voting system.These e-voting systems generally use an administra-</p><p>tors database, and it is easy for the administrator tocounterfeit a vote. Various e-voting systems have beenstudied to prevent such injustice. One solution is to usea database without an administrator.Recently there are some e-voting systems using the</p><p>Bitcoin[1] system as a database. Bitcoin is a one of themost popular digital currency, and has a feature that alldata is public. We can use it to improve transparencyand to prevent fraudulent voting made by an adminis-trator.An e-voting system consists of two entities: voters</p><p>Vi(i = 1, 2, , n) and an administrator A. Vi is usuallyauthenticated as eligible by A then votes. A must checkeligibility of Vi, but must not know the vote polled byVi. This restriction, which needs eligibility checks andanonymity, is not satisfied with Bitcoin because Bitcoinprovides only a pseudonymous and have a public ledger.For example, if once A authenticates Vis address thenA can link the address with Vi and the votes anonymitywill be broken. Also, Vi needs at least a bit money toconduct a transaction in Bitcoin, and if A sends themoney to Vi for voting preparation, A need to send toVis address or to give addresss ownership. However, inthat time, A can link the address with Vi.To clear these problems about anonymity of Bitcoin</p><p>address and voter, we use Zerocoin[2] which can givea limited anonymity to Bitcoin address using a zero-</p><p>knowledge proof.Zerocoin is one of the Bitcoin laundry[3] system. He</p><p>or she has to show a list of Zerocoin including his or herZerocoin when exchanging Zerocoin for Bitcoin. Thelist is a sublist of all available Zerocoin. Using zero-knowledge proof, others can check that his or her Zero-coin is included the list or not, but cannot know whichone the Zerocoin is. If we simply use Zerocoin, thewashed Bitcoin address is anonymous, and others can-not check whether it is voters one or not. However, ifhe or she use voters Zerocoin as a input list, others canverify that he or she is a voter.In Section 2, we define basic concepts on e-voting sys-</p><p>tem. Section 3 we discuss existing e-voting systems,Bitcoin, and Zerocoin. Section 4 describes our proposedsystem. Section 5 provides a consideration of the pro-posed system. Section 6 provides concluding remarksand future work.</p><p>2 E-Voting System</p><p>A minimum e-voting system consists of two entities:voters and an administrator. Voters are authenticatedas eligible by an administrator, then vote for a candi-date. The administrator checks the votes and publiclyannounces the results.General e-voting systems have to satisfy the following</p><p>properties[4].</p><p> Completeness: An eligible voter is always acceptedby the administrator and all valid votes are countedcorrectly.</p><p> Robustness/Soundness: Dishonest voters and otherparticipants cannot disturb/disrupt an election.</p><p> Anonymity/Privacy: All votes must be secret andno entity can link a vote with the voter who hascast a vote.</p><p>1- 127 -</p><p> THE INSTITUTE OF ELECTRONICS, INFORMATION AND COMMUNICATION ENGINEERS</p><p>This article is a technical report without peer review, and its polished and/or extended version may be published elsewhere. Copyright 2016 by IEICE</p><p>IEICE Technical Report IA2016-54(2016-11)</p></li><li><p> Unreusability: All voters cannot vote more thanonce.</p><p> Fairness: Early results should not be obtained, asthey could influence the remaining voters.</p><p> Eligibility: Only legitimate voters can vote.</p><p> Individual verifiability: A voter can verify thathis/her vote was really counted.</p><p> Universal verifiability: Anybody can verify that thepublished outcome really is the sum of all votes.</p><p>We add the following meaning to Eligibility.</p><p> Even the administrator cannot counterfeiting a voteafter a voting preparation.</p><p>3 Related Work</p><p>3.1 E-Voting Systems</p><p>As one of simple e-voting system which does not use Bit-coin, Fujioka et al. proposed a voting scheme for largescale elections[5]. It consists of three entities: voters,an administrator, and a counter. It also uses a blindsignature. Even if the administrator colludes with thecounter, they cannot link a voter with a vote. However,Koening et al. pointed out that it has a single point offailure[6], wherein the authority can provide votes forthe voters who did not cast their votes.Foroglou et al.[7] and Czepluch et al.[8] reported that</p><p>an e-voting is a good application of Bitcoin. The for-mer explained that Blockchain is useful for preventingmultiple voting and stuffing. The latter explained thatcrackers always attack a government s database, andhence it is not safe. A peer-to-peer database is suitablefor managing voting data.Kobler et al.[9] proposed that an e-voting system us-</p><p>ing Zerocoin like ours. The construction is as follows.A group of people sets up a bulletin board like the onesfor Zerocoin. In the Registration phase, every voter maygenerate a ticket c, and keeps skc = (S, r) his secret. cis published on the bulletin board as the users ticket.In the Voting phase, each user collects the tickets fromthe bulletin board, checking that no user has posted twoof them, and includes them into an accumulator basedin params. He then generates a vote, using his vote(e.g. name of the candidate) as string R and publishedthe result in proof and the serial number S. In theCounting phase, the validity of all voters is verified andthe votes get counted. However, they did not explainthat how to authorize voters, and that how to check thevoter generate only one ticket in detail.Cruz et al.[4] proposed that an e-voting system us-</p><p>ing Bitcoin and blind signatures[10]. It uses PrepaidBitcoin cards (PBCs), which contain a public Bitcoinaddress with a pre-loaded amount of Bitcoin and thecorresponding private key. Using these cards, voters get</p><p>Bitcoin for voting. They said that when an administra-tor issues PBCs, PBCs must be put inside an envelope toensure that it cannot be trace back to voters. Howeverthis is not prevented by technically and an dishonestadministrator may reveal these information such as Bit-coin address or private key. If the administrator knowsa voters Bitcoin address, the administrator can link thevoter with a vote.Also, they proposed that in voter Vi selects a vote</p><p>v1, and creates the commitment xi. Then, Vi generatesthe blinded message xi. A check voter Vi and sign x</p><p>i.</p><p>When all voters have requested the signature from A, Apublishes the xi list. After the publication, even A can-not add, delete, or modify votes. However, it assumesthat all voters do the requesting the signature, and it isnot distant idea. If some voters do not requesting thesignature, A can spoof the voters.</p><p>3.2 Bitcoin</p><p>Bitcoin[1] is a digital currency and is in widespread use.This system is robust and steadily scale expansion. It isa peer-to-peer system, and there are thousands of peersall over the world. There is one public ledger shared byall peers and it records all past transactions. To preventfrom fraudulent transaction, this system adopts a Proofof Work concept. Thus attacker who does not have overhalf of all peers cannot force others to accept fraudulenttransactions.Bitcoin is a pseudonymous system, and a user use a</p><p>Bitcoin address, which is an identifier of 26-35 alphanu-meric characters for a transaction. In Bitcoin, one trans-action includes pointers to from address, to address,and how much is sent. History of transactions constructsa monetary system. All transactions are recorded inone ledger, which is shared by all Bitcoin network. Thismechanism enables any Bitcoin user to search arbitarytransactions and addresses that are related to a partic-ular transaction.We use Bitcoin as a database, because the system is</p><p>completely open. A traditional system, which has anadministrator, generally manages a database inside ofit. Even if it disclose enough amount of information,they can easily change the data, and thus it has the de-fect of poor transparency. Bitcoin is originally designedfor various participants to update data, and no need toconsider the possibility of fraudulence. Also it is dis-tributed system, thus it is expected to be resilient tomalicious attacks.One transaction also has an element called</p><p>OP RETURN[11], and this element can containany string up to 80 bytes. Thus we can also use it as asimple database.</p><p>3.3 Zerocoin</p><p>Zerocoin[2] is one of the Bitcoin laundry system usingzero-knowledge proof. One coin in Zerocoin is a fixedamount of Bitcoin.</p><p>2- 128 -</p></li><li><p>The following explains how to mint and spend Zero-coin simply. This description is slightly modified fromthat in the original Zerocoin paper[2].</p><p>MintingMinting is a process of exchanging Bitcoin for Zero-coin. When Alice has the fixed amount of Bitcoinv and exchange it to Zerocoin, Alice first generatesa random coin serial number S, then commits to Susing a secure digital commitment scheme. The re-sulting commitment is a coin, denoted by C, whichcan only be opened by a random number r to re-veal the serial number S. Alice pins C to the publicbulletin board, along with sending v to a given ad-dress. Other users check the Alices transaction andassume C as valid.</p><p>SpendingAlice first scans at the bulletin board to obtain theset of valid commitments (C1, , CN ) that havebeen posted by all users in the system. She nextproduces a non-interactive zero-knowledge proof for the following two statements: (1) she knows Cwhich is included in (C1, , CN ) and (2) she knowsa hidden value r such that the commitment C opensto S. She posts a spend transaction containing(, S). The remaining users verify the proof andcheck that S has not previously appeared in anyother spend transaction. If these conditions aremet, the users allow Alice to convert Zerocoin toBitcoin at the amount of v; otherwise they rejecther transaction and prevent her from converting it.</p><p>In this way, Alice gets a new Bitcoin address throughin and out, and others cannot trace the address to Alice.We can use an arbitary subset of (C1, , CN ) in</p><p>s statement (1). We use this characteristic to assureanonymity of votes while all votes are eligible. He orshe uses Zerocoin of voters as the subset of the commit-ments. In this way, we can create anonymous but canvoting right-verified Bitcoin address.</p><p>4 Proposed E-Voting System</p><p>The proposed system consists of two entities: a voter Viand an administrator A. Vi acquires the right to votefrom A, then vote vi for a candidate. A checks vi andpublicly discloses the results.Data is consistently on the Bitcoin or Zerocoin</p><p>Blockchain from the begining (the Preparation stage)to the end (the Counting stage).A operates an administrative system. Only voters</p><p>have accounts and they register Bitcoin addresses andcommitments of Zerocoin, which appear in the votingprocess. A publish these information without connec-tion with accounts.</p><p>Preparation first stageA prepares the administrative system and Vi cre-ates an account and registers Bitcoin address BAi1</p><p>which Vi creates for this voting. At the end of thisstage, A publishes a list of BAi1, and accounts thatdo not register Bitcoin addresses, lose their rightsto vote. Thus a set of voters is fixed.</p><p>Preparation second stageA pays a fixed amount of Bitcoin to each BAi1 forvoting costs. Vi exchanges received Bitcoin for acommitment of Zerocoin Ci. Then Vi registers Cito the administrative system. At the end of thisstage, A publishes a list of Ci.</p><p>Preparation third stageVi exchanges Zerocoin for Bitcoin. Vi sets the pub-lished commitments of Zerocoin as commitments ofZerocoin in the zero-knowledge proof (which con-tain Ci). Thus, Vi acquires new Bitcoin addressBAi2.</p><p>Voting stageVi selects a vote vi, completes the ballot. Then Vicreates a commitment xi = enc(vi, ki) to preventvoting data leakage until the opening stage, whereki is a randomly chosen key. Vi creates a Bitcointransaction from BAi2 to BAv which A preparesfor this voting to receive voting. This transactionincludes xi in the OP RETURN part of the proto-col.</p><p>Opening stageVi creates a Bitcoin transaction from BAi2 toBAv again. This transaction includes ki in theOP RETURN part of the protocol to open xi.</p><p>Counting stageA checks all transactions sent to BAv so that theyset valid commitments of Zerocoin when they ex-changed Zerocoin for Bitcoin. Thus A acquiresvalid Bitcoin addresses. If multiple transaction issent by one voter, A validate the first one. A opensthe commitment xi using the key ki to retrive vi.Finally, A counts the votes and announces the re-sults.</p><p>5 Consideration</p><p>Completeness: Voters register Bitcoin addresses andcommitments of Zerocoin, then A recognizes that votersintend to vote. Voters who have valid Bitcoin addressescan create transactions from the addresses to BAv andthe transactions include votes and keys, thus A countstheir votes correctly.</p><p>Robustness/Soundness: In the Preparation sec-ond stage, voters may not use unregistered Bitcoin ad-dresses when converting to Zerocoin, then register com-mitments of Zerocoin to the administrative system. Thiscase does not cause any problem because eligibility ofvoters are checked when registering the commitments ofZerocoin to the administrative system.</p><p>3- 129 -</p></li><li><p>Preparedstage Vo-ng&amp;OpeningstageFirst Second Third</p><p>Voter VoterAdministrator AdministratorBitcoinLaundry</p><p>Bitcoin</p><p>Zerocoin(Mint)</p><p>Zerocoin(Spend) Bitcoin</p><p>Figure 1: Proposed E-Voting System</p><p>In the Preparation t...</p></li></ul>


View more >