2023 IEEE International Conference on Metaverse Computing, Networking and Applications (MetaCom)
2023 IEEE International Conference on Metaverse Computing, Networking and Applications (MetaCom) | 979-8-3503-3333-6/23/$31.00 ©2023 IEEE | DOI: 10.1109/MetaCom57706.2023.00081
An Implementation and Analysis of Zero
Knowledge Based E-Voting Solution With Proof of
Vote on Public Ethereum Blockchain
Roshan Singh, Sukumar Nandi and Sunit Kumar Nandi
Department of CSE, Indian Institute of Technology, Guwahati, India
roshancsofficial@gmail.com,sukumar@iitg.ac.in, sunitnandi834@gmail.com
Abstract—Transparent e-voting is one of the applications that
the turing complete public blockchain aspires to deliver by as-
suring verifiable votes. Public blockchains are much transparent,
secure and have better auditing. In Blockchain based e-voting a
voter identity is established with his account, whereas one account
can cast a vote which leaves scope for user identity binding based
on other activities on the blockchain. In this work we propose
a privacy preserving and anonymous e-voting approach on the
public blockchain. We introduce the concept of Proof of Vote.
I. I NTRODUCTION
Till date we see a significant number of voters failing to
turnout to vote, thus affecting the election results sometimes.
There remains several reasons for failing to turnout, one of
the prominent reason is the need to travel to the polling booth
to cast the vote [1]. E-voting is a technological advancement
that offers the facility to an individual to cast the vote online
across distances. One of the reasons for hesitance for the use
of e-voting on large scale is due to the cyber threats. With, in-
troduction of decentralised technologies such as blockchain we
can design and develop e-voting solutions that can eliminate
risks associated with the existing traditional e-voting solutions.
The transparent, censorship resistance, highly available nature
of the public blockchain makes it an ideal choice as an
underlying platform for e-voting. Keeping the votes on the
public blockchain would allow anyone to verify the votes
and also the count of votes in the election. However, a voter
would not like to reveal his identity because of various known
reasons, such as public judgement. Again a voter might need to
prove to a third party that he has participated in an election, if
the address of the voter gets revealed then the trusted third
party may know to whom the voter has voted. In certain
scenarios it may be required to identify the voter. Thus we
introduce the concept of conditional privacy. Whereas, the
identity of the voter can be only reveled by the Election
Commission. In this work we consider the above mentioned
challenges and propose a zero knowledge blockchain based
solution for e-voting. The major contributions of this paper
can be threefold:-
1) Propose an anonymous e-voting approach.
2) Self tallying of votes.
3) Zero knowledge proof of voting with group signatures.
979-8-3503-3333-6/23/$31.00 ©2023 IEEE
DOI 10.1109/MetaCom57706.2023.00081
Authorized licensed use limited to: Australian National University. Downloaded on November 15,2023 at 23:23:41 UTC from IEEE Xplore. Restrictions apply.
II. R ELATED W ORKS
E-voting is well studied in the literature[4][3][1]. However,
as because of the issues associated with a centralised solution,
interests has been growing towards decentralised approaches.
There exists a number of works which proposes to use decen-
tralised technologies for e-voting[10][8][6]. Kiayias and Yung
proposed a novel dispute-free, self-tallying, and fault tolerant
voting scheme which supported perfect ballot secrecy[7]. The
scheme was for a boardroom election. A boardroom election
is a small scale election where the scheme is usually run by
the voters themselves. In the proposed scheme the voter does
not select the randomness to be used in the ballot instead
the random value is calculated in a distributed manner in a
pre-processing step. The scheme used a bulletin board for
communication purposes among the entities in the election.
The bulletin board authority was responsible for administering
the election, namely, it performed actions such as starting and
terminating the election, and maintaining a registry of the
eligible voters and so on.
Open Vote Network[5] is a two round anonymous election
that requires no trusted third parties neither voter-to-voter
communications. It preserves anonymity of the users until
all the voters are compromised. In the first phase the voters
registers themselves and in the next phase vote casting is
performed. McCorry et. al[9] were the first to provide an
implementation of a decentralised self tallying voting protocol.
The protocol was implemented on the Ethereum blockchain.
The protocol runs through five stages namely
1) SETUP : It involves enrollmenent of the voters and the
parties through the election administrator. The election
adminstrator also sets up different timers such as start
time of the election and the time when the voting will
be closed.
2) SIGNUP : The eligible voters can choose to register for
the vote after reviewing the voting question and other
parameters set by the election administrator.
3) COMMIT (optional) : All voters publish a hash of their
vote on the blockchain.
4) VOTE : All voters publish their encrypted vote and one
out of two zero knowledge proof that the vote is either
zero or one.
423
 5) TALLY : The election administrator notifies Ethereum
to compute the tally.
In the line of research we in this work propose a blockchain
and smart contract enabled self-tallying scheme for e-voting.
The scheme allows a voter to cast a vote to his/her desired
party without revealing his/her identity. In real world democ-
racies under certain circumstances explanations are seeked for
certain events from government and non-government organ-
isations. Keeping this in mind we introduce the notion of
conditional privacy, in order to reveal the real identity of the
voter as and when required. In our proposed scheme the voter
will be allowed to prove to yet another entity in the system
be it an another organisation that he has participated in an
election.
III. S YSTEM M ODEL
We identify the following four entities in our system.
Fig. 1. Proposed System Framework
1) Voter - A person who is eligible and authorised to vote
for a political party in an election.
2) Election Commission - The trusted entity responsible
for voter and political parties registration, deployment
of smart contracts for the election.
3) Political Parties - The entities contending in the election.
4) Stakeholders - Other government and private entities
interested to learn that a person has voted for an election
or not. Such as Ministry of Labor Reforms might wish
to learn that a person has voted for an election inorder
to give some incentives to the person thus further
motivating eligible voter population to increase turnout.
IV. S TEPS IN THE APPROACH
1) Registration - The election commission is responsible
for registration of the voters and the political parties. A
voter approaches the election commission with requisite
details for the registration.
2) Permanent Address Allocation - The election commis-
sion verifies the details and issues a key pair along
with the blockchain address. The mapping of the voter
real identity to the blockchain address is only known
to the election commission and is securely stored off
the chain. The election commission is also entrusted for
424
Authorized licensed use limited to: Australian National University. Downloaded on November 15,2023 at 23:23:41 UTC from IEEE Xplore. Restrictions apply.
the registration of the political parties going to contest
in the election. Like the voters political parties are also
allocated a blockchain address.
3) Secret Proposal and Secret Selection - A voter provides a
set of secrets n to the election commission. The election
commission picks up one of the secret from the set of
proposed secrets by a voter. The election commission
ensures that a picked secret is unique and is not used
for other voters in the election. The channel between the
voter and the election commission used for sharing the
secret is considered to be secure. The communication is
made off the chain so no trace of the communication is
available on the blockchain.
4) Contract Deployment - The election commission deploys
the Election contract which will be used to collect the
votes. The election smart contract maintains the state
count for the votes casted for each political parties. The
election commission also deploys the Secret Verifica-
tion and Redeem smart contract for each voter. A secret
redeem contract for a voter contains a large multiplicand
which is a product of two large prime numbers. The
voter needs to provide a zero knowledge proof that
he knows the two primes which when multiplied with
each other gives the multiplicand encoded in the smart
contract. A voter uses the redeem smart contract to
redeem the token issued by the election commission.
Once, a voter redeems the token the secret verification
smart contract gets deactivated so that a voter cannot
generate duplicate tokens.
5) Proof Verification and Token Redeeming - A eligible
voter provide a zero knowledge proof of knowing the
secret parameters. Upon successful submission of the
zero knowledge proof the token gets redeemed, which
the voter use to cast a vote. A voter generates a fresh
address to redeem the token in order to break the link
ability. The fresh address can be funded by the voter
using the mixing services.
6) Vote Casting - A voter uses its newly generated address
to which the token is redeemed to cast the vote, the voter
provides the address of the political party to which it
wish to cast a vote. Upon a successful cast of vote the
total vote count for the political party is incremented by
1.
7) Proof of Vote - The concept of group signature is utilised
to prove that a voter has voted in an election. The voters,
political parties and the stakeholders form a group.
V. P ROOF OF VOTE
In our use case scenario, the Election Commission acts
as the group manager. Election Commission generates and
provides each voter participating in the election a secret key.
Only a valid voter can sign on behalf of the group, the
signature can be verified with the group public key. In case of
any conflicts in the proof provided against a vote, the Election
commission can disclose the real identity of the claimer who
has provided the fake proof of vote and can initiate further
investigations. The group signature scheme works as follows:-
1) Setup: The election commission computes a signa-
ture key pair KSP ub , KSP ri and encryption key pair
P ub P ri
KE , KE and publishes the two public keys as
the group public key. A voter computes a membership
key z = f (s) where s is a random secret. The voter
signs z and sends it to the election commission. The
election commission returns the voter v = KSP ri (z) if
the voter has casted a vote in the election. The election
commission can find out the information regarding a
voter who has voted or not from the token redeem
transaction made by the voter.
2) Sign: The voter encrypts m its address with his mem-
P ub
bership key z by using KE and computes a proof p.
The voter proof consists of voter address.
3) Verification: If KSP ub (v) = f (s) then the signature is
proved to be valid.
4) Disclose : The election commission decrypts the cipher
P ri
text E(m) by using KE to obtain the membership key
thus disclosing the identity.
Once, an election is over a voter might need to prove that
he has participated in the election. Proof of Vote can be
seeked by the government bodies inorder to provide certain
incentives and subsidies to a voter thus motivating the general
eligible voter public to participate in the elections. Under such
circumstances a voter need to provide a proof of vote without
disclosing the party to whom it has voted.
Fig. 2. Sequence Diagram for Proof of Vote
VI. S OUNDNESS OF THE P ROPOSED A PPROACH
1) Argue that no duplicate token can be generated.
Argument - The generation of a token depends on the
fact that n should be unique, and should not be derivable
from any other previously generated value of n. Given
that n is generated as; n = p * q, whereas p and q are
large prime numbers.
a) Miller-Rabin primarility test to check whether the
proposed number is a prime.
b) Will ensure p is not equal to q.
c) The prime numbers p and q are chosen indepen-
dently and sufficiently far apart.
425
Authorized licensed use limited to: Australian National University. Downloaded on November 15,2023 at 23:23:41 UTC from IEEE Xplore. Restrictions apply.
d) p and q must be greater than the total number of
voters. Thus ensuring token space is greater than
the voter space.
A voter proposes a set of n denoted by N, whereas the
set N can have values :-
n1 , n2 , n3 , ..., nk
. Considering the election commission to be a trusted
entity it will pick up a n such that the n is unique and
has not been allocated to any other voter. The election
commission will pick up an n from the set in a random
fashion. If there arises a collision on the value of an n
picked, the election commission will randomly pick up
next n from the remaining proposed value of n.
2) Argue that a voter can mint one and atmost one token
to vote
Argument - A voter can generate a token if and only if
he can provide a zero knowledge proof of possesing
a p and a q such that it produces an n when p*q.
Whereas p and q are secret parameters which a voter
is responsible to keep undisclosed. Once a voter mints a
token by providing a valid p and q, the zero knowledge
proof contract gets deactivated such that no one even
the election commission cannot call the contract to
generate new token from the same verification contract.
At the same time as the token generation functionality
is implemented on the blockchain it will be always
available to a valid voter for generating one and only
one token for an election. So, it is the sole responsibility
of the voter to keep its generated p and q private.
3) Argue that once a valid token is issued to a valid voter.
The voter cannot be denied to cast vote.
Argument - Upon successful generation of a token the
one time vote permission for the address associated
with token is unlocked. The voter can cast a vote by
passing the address of the party of his choice. The
voter cannot be denied to cast a vote as the cast vote
functionality is implemented on the blockchain and is
publicly verifiable.
4) Argue that token generation procedure does not leak
private parameters, i.e. p and q
Argument - The private parameters i.e. p and q are
not passed on to the verification function as a function
parameter instead a zero knowledge proof representation
is passed on which does not disclose any information
about the private parameters p and q.
5) Argue that a voter can vote only once with a minted
token. Or a minted token should not be used to cast
multiple votes.
Argument - As soon as a vote is recorded against a token,
the minted token gets expired and can no longer be used
to cast a vote further. The cast vote and token expiry
functionality is implemented in a deterministic way. So,
that as a vote is casted the token is bound to expire.
 6) Argue that voter profiling cannot be done by observing
and analysing vote transactions on the blockchain.
Argument - As a voter casts a new vote from a newly
generated address which does not have any trace on the
blockchain except for the transaction that it has minted
the vote token, it ensures that a voter casting votes for
different election cannot be linked.
7) Argue that the fresh account will obtain the minimum
ETH required to perform the mandatory 2 transactions
without breaking the unlinkability propoerty
Argument - A voter can transfer the minimum ETH value
required for performing both the transactions:-
a) Token generation transaction
b) Cast vote transaction
via a zk coin mixing service which breaks the linkability
between the sender and the receiver address.
8) Argue that the political party be sure that the election
was fair.
Argument - For each vote casted the transaction is
publicly verifiable by all the election parties, anonymous
voters, election commission as well as by the general
public. As the vote counting procedure is also in pub-
lic domain and instantaneous the election commission
cannot be blamed for any discrepancies. Also, before
the election anyone is free to audit the code for any
discrepancies.
9) Argue that Total number of votes ≤ Total number of
token = Number of voters
Argument - The total number of votes casted in an
election can be at maximum equal to the total number of
eligible voters, as each voter gets a single token to cast a
single vote. However, some voters may wish not to cast
a vote to any contesting parties by either not redeeming
the vote token or by not casting the vote after redeeming
the the vote token.
10) Argue that a duplicate token cannot be generated
Argument -
We prove this by proof of contradiction:-
Let d and d’ be two tokens, such that d is a duplicate
of d’ i.e. d=d’ where d = p*q and d’ = p’*q’, which
implies either
a) p=p’ and q=q’ Equation 1 or
b) p=q’ and q=p’ Equation 2
However, from Argument 1 the election commission
ensures that for any two tokens d and d’, where d=p*q
and d’=p’*q’,
neither
a) p=p’ and q=q’ Equation 3
nor
b) p=q’ and q=p’ Equation 4
Which is a contradiction, to our assumption in Eq. 1 and
Eq. 2. Hence, our system assure that a duplicate token
cannot be generated.
11) Argue that a valid token cannot be derived from known
valid token Argument - Suppose, that two voters chooses
426
Authorized licensed use limited to: Australian National University. Downloaded on November 15,2023 at 23:23:41 UTC from IEEE Xplore. Restrictions apply.
there n1 ,n2 such that p,q be the prime factors of n1
and p,r be the prime factor of n2 and q = r. If this is
the scenario, the one can easily find q and r. By the
prime number theorem, the number of n-bit prime is
approximately 2n / (nlog2 ). If M people choose 2M
primes each n bits long, the probability of two of these
primes being the same is roughly.
22−n M nlog2
which has extremely negligible probability. Also, each
voter generates their prime on their own device, we are
thus able to eliminate the issue of faulty hardware.
12) Argue that an ineligible voter cannot obtain a vote
token to redeem/vote .
Argument - A set of vote tokens N is proposed by
a voter to the election commission through a secure
channel. The election commission picks up one vote
token from N and deploys a verification smart contract.
Before deploying the verification smart contract for a
voter, the election commission checks for the credibility
of the voter for the election, if the voter address matches
in the list of eligible voter for the election then only the
verification smart contract is deployed else the request
fails.
13) Argue that a voter can prove that he has voted for the
election without revealing his identity.
Argument - For a democracy participation in an elec-
tion is a high requirement for a better governance. A
voter might need to prove that he has participated in
an election in order to receive some incentives from
either the government or from any other bodies. All the
stakeholders form a group for the purpose of verifying
that a voter has actually voted in an election. A voter
will sign on behalf of the group and the verifier body
will be able to know that the signature is a part of the
group proving that the person has really voted in the
election.
14) Argue that if an attacker is able to obtain a p and a q
equating to n when p * q, at a later stage post election
or after a valid voter has casted a vote, the election
will still remain safe and user privacy is not going to
be violated.
Argument - Even if such a scenario happens the attacker
cannot hamper anything as the knowledge of p and q
can only allow to obtain the vote token,once a vote has
been casted neither a new token be issued based on the
knowledge of p and q, nor any changes in the vote can
be made.
VII. ATTACK S CENARIOS
1) Transaction Starving Attack - An attacker, be it a
single entity or a group can arbitrarily delay a valid
vote transaction or a token generation transaction by
flooding the blockchain with excessive transaction at the
same time, thus increasing the processing workload of
 the network. However, such type of attack cannot go
for an infinite time as each transaction will have a cost
associated, and the attack will be over as and when the
attacker runs out of balance.
2) DoS Attack - A voter will be connected to a full node,
to get information from the blockchain as well as inorder
to generate a token or cast a vote. The full node that the
voter is associated with, may play foul by intentionally
delaying the transaction propagation, and if the node is
also a miner further it may ignore the transaction and
may not put in any of the blocks that it is mining. Such
a kind of DoS attack may go on for an infinite amount
of time. The resolve for such a kind of attack is to either
switch the full node after a threshold period of time or
it setup a fully independent node for itself.
3) Voter Profiling by full node/miner - A full node or
a miner node can attempt profiling a user to which
the voter is associated with. Such an attack is possible
as the node can find out the IP address from which a
transaction is coming, other information that an attacker
can get is the timezone from which the transaction
is coming. Such a kind of attack can be mitigated
by switching a full node each time before sending a
transaction, or switching the peers before sending a
transaction in case the voter has setup its own full node.
4) Replay Attack - An non eligible voter may replay the
same zero knowledge proof of possessing the secret
parameters which he has obtained from other valid voter.
We invalidate this type of attack by destroying a token
redeem smart contract by destroying it as soon as a token
is redeemed so that the same token redeeming contract
cannot be used to redeem more than one token.
VIII. E XPERIMENTS AND O BSERVATION
We use the Ethereum[2] blockchain platform to test our
proposed approach. Circom circuit generator was used to write
the prime multiplication circuit. We also used snarkjs. Solidity
was the language of choice for writing the smart contract.
We wrote the Election.sol smart contract to count the number
of votes. A zero knowledge smart contract was deployed for
verification for each voter.
Fig. 3. Cost of Contract Deployment
Fig. 3 and Fig. 4 depicts the gas cost associated with
contract deployments and transactions. As of the day of
experiment a Token Verification and Redeem transaction costs
61.45 USD and Vote transaction costs 11.91 USD.
427
Authorized licensed use limited to: Australian National University. Downloaded on November 15,2023 at 23:23:41 UTC from IEEE Xplore. Restrictions apply.
Fig. 4. Cost for Vote transactions
IX. C ONCLUSION
In this work we proposed and implemented a prototype
of zero knowledge based e-voting on a public blockchain.
We considered the underlying hardness of prime factorisation
of a large number to serve as the problem, to which zero
knowledge solution is to be produced. In short we summarise
the contributions of our paper as follows:-
1) Self-Tallying Voting - Our proposed system allows for
self tallying of the votes and thus provide the result
outcome instantly after the election period is over.
2) ZK proof for a valid voter - A valid voter who has
voted in an election can prove that he has actually voted
without revealing his information.
3) Conditional Disclosure of Proof-of-Vote: The election
commission being the group manager can disclose the
identity of a voter in case of any conflicts.
4) Anonymous Voting - A vote casted by a voter leaks no
information about the real life identity of a voter.
R EFERENCES
[1] Matt Bishop and David Wagner. Risks of e-voting. Communications of
the ACM, 50(11):120–120, 2007.
[2] Vitalik Buterin et al. A next-generation smart contract and decentralized
application platform. white paper, 3(37):2–1, 2014.
[3] J Paul Gibson, Robert Krimmer, Vanessa Teague, and Julia Pomares. A
review of e-voting: the past, present and future. Annals of Telecommu-
nications, 71(7):279–286, 2016.
[4] Dimitris A Gritzalis. Principles and requirements for a secure e-voting
system. Computers & Security, 21(6):539–556, 2002.
[5] Feng Hao, Peter YA Ryan, and Piotr Zieliński. Anonymous voting
by two-round public discussion. IET Information Security, 4(2):62–67,
2010.
[6] Fririk Hjálmarsson, Gunnlaugur K Hreiarsson, Mohammad Hamdaqa,
and Gı́sli Hjálmtỳsson. Blockchain-based e-voting system. In 2018 IEEE
11th international conference on cloud computing (CLOUD), pages
983–986. IEEE, 2018.
[7] Aggelos Kiayias and Moti Yung. Self-tallying elections and perfect
ballot secrecy. In International Workshop on Public Key Cryptography,
pages 141–158. Springer, 2002.
[8] Nir Kshetri and Jeffrey Voas. Blockchain-enabled e-voting. Ieee
Software, 35(4):95–99, 2018.
[9] Patrick McCorry, Siamak F Shahandashti, and Feng Hao. A smart con-
tract for boardroom voting with maximum voter privacy. In International
conference on financial cryptography and data security, pages 357–375.
Springer, 2017.
[10] Emre Yavuz, Ali Kaan Koç, Umut Can Çabuk, and Gökhan Dalkılıç.
Towards secure e-voting using ethereum blockchain. In 2018 6th
International Symposium on Digital Forensic and Security (ISDFS),
pages 1–7. IEEE, 2018.