Professional Documents
Culture Documents
Evoting, 2023 5
Evoting, 2023 5
2023 IEEE International Conference on Metaverse Computing, Networking and Applications (MetaCom) | 979-8-3503-3333-6/23/$31.00 ©2023 IEEE | DOI: 10.1109/MetaCom57706.2023.00081
424
Authorized licensed use limited to: Australian National University. Downloaded on November 15,2023 at 23:23:41 UTC from IEEE Xplore. Restrictions apply.
has provided the fake proof of vote and can initiate further d) p and q must be greater than the total number of
investigations. The group signature scheme works as follows:- voters. Thus ensuring token space is greater than
1) Setup: The election commission computes a signa- the voter space.
ture key pair KSP ub , KSP ri and encryption key pair A voter proposes a set of n denoted by N, whereas the
P ub P ri
KE , KE and publishes the two public keys as set N can have values :-
the group public key. A voter computes a membership
key z = f (s) where s is a random secret. The voter n1 , n2 , n3 , ..., nk
signs z and sends it to the election commission. The
election commission returns the voter v = KSP ri (z) if . Considering the election commission to be a trusted
the voter has casted a vote in the election. The election entity it will pick up a n such that the n is unique and
commission can find out the information regarding a has not been allocated to any other voter. The election
voter who has voted or not from the token redeem commission will pick up an n from the set in a random
transaction made by the voter. fashion. If there arises a collision on the value of an n
2) Sign: The voter encrypts m its address with his mem- picked, the election commission will randomly pick up
P ub
bership key z by using KE and computes a proof p. next n from the remaining proposed value of n.
The voter proof consists of voter address.
3) Verification: If KSP ub (v) = f (s) then the signature is 2) Argue that a voter can mint one and atmost one token
proved to be valid. to vote
4) Disclose : The election commission decrypts the cipher Argument - A voter can generate a token if and only if
P ri
text E(m) by using KE to obtain the membership key he can provide a zero knowledge proof of possesing
thus disclosing the identity. a p and a q such that it produces an n when p*q.
Once, an election is over a voter might need to prove that Whereas p and q are secret parameters which a voter
he has participated in the election. Proof of Vote can be is responsible to keep undisclosed. Once a voter mints a
seeked by the government bodies inorder to provide certain token by providing a valid p and q, the zero knowledge
incentives and subsidies to a voter thus motivating the general proof contract gets deactivated such that no one even
eligible voter public to participate in the elections. Under such the election commission cannot call the contract to
circumstances a voter need to provide a proof of vote without generate new token from the same verification contract.
disclosing the party to whom it has voted. At the same time as the token generation functionality
is implemented on the blockchain it will be always
available to a valid voter for generating one and only
one token for an election. So, it is the sole responsibility
of the voter to keep its generated p and q private.
3) Argue that once a valid token is issued to a valid voter.
The voter cannot be denied to cast vote.
Argument - Upon successful generation of a token the
one time vote permission for the address associated
with token is unlocked. The voter can cast a vote by
passing the address of the party of his choice. The
voter cannot be denied to cast a vote as the cast vote
functionality is implemented on the blockchain and is
publicly verifiable.
Fig. 2. Sequence Diagram for Proof of Vote 4) Argue that token generation procedure does not leak
private parameters, i.e. p and q
Argument - The private parameters i.e. p and q are
VI. S OUNDNESS OF THE P ROPOSED A PPROACH not passed on to the verification function as a function
1) Argue that no duplicate token can be generated. parameter instead a zero knowledge proof representation
Argument - The generation of a token depends on the is passed on which does not disclose any information
fact that n should be unique, and should not be derivable about the private parameters p and q.
from any other previously generated value of n. Given 5) Argue that a voter can vote only once with a minted
that n is generated as; n = p * q, whereas p and q are token. Or a minted token should not be used to cast
large prime numbers. multiple votes.
a) Miller-Rabin primarility test to check whether the Argument - As soon as a vote is recorded against a token,
proposed number is a prime. the minted token gets expired and can no longer be used
b) Will ensure p is not equal to q. to cast a vote further. The cast vote and token expiry
c) The prime numbers p and q are chosen indepen- functionality is implemented in a deterministic way. So,
dently and sufficiently far apart. that as a vote is casted the token is bound to expire.
425
Authorized licensed use limited to: Australian National University. Downloaded on November 15,2023 at 23:23:41 UTC from IEEE Xplore. Restrictions apply.
6) Argue that voter profiling cannot be done by observing there n1 ,n2 such that p,q be the prime factors of n1
and analysing vote transactions on the blockchain. and p,r be the prime factor of n2 and q = r. If this is
Argument - As a voter casts a new vote from a newly the scenario, the one can easily find q and r. By the
generated address which does not have any trace on the prime number theorem, the number of n-bit prime is
blockchain except for the transaction that it has minted approximately 2n / (nlog2 ). If M people choose 2M
the vote token, it ensures that a voter casting votes for primes each n bits long, the probability of two of these
different election cannot be linked. primes being the same is roughly.
7) Argue that the fresh account will obtain the minimum
ETH required to perform the mandatory 2 transactions 22−n M nlog2
without breaking the unlinkability propoerty
Argument - A voter can transfer the minimum ETH value which has extremely negligible probability. Also, each
required for performing both the transactions:- voter generates their prime on their own device, we are
a) Token generation transaction thus able to eliminate the issue of faulty hardware.
b) Cast vote transaction 12) Argue that an ineligible voter cannot obtain a vote
token to redeem/vote .
via a zk coin mixing service which breaks the linkability
Argument - A set of vote tokens N is proposed by
between the sender and the receiver address.
a voter to the election commission through a secure
8) Argue that the political party be sure that the election
channel. The election commission picks up one vote
was fair.
token from N and deploys a verification smart contract.
Argument - For each vote casted the transaction is
Before deploying the verification smart contract for a
publicly verifiable by all the election parties, anonymous
voter, the election commission checks for the credibility
voters, election commission as well as by the general
of the voter for the election, if the voter address matches
public. As the vote counting procedure is also in pub-
in the list of eligible voter for the election then only the
lic domain and instantaneous the election commission
verification smart contract is deployed else the request
cannot be blamed for any discrepancies. Also, before
fails.
the election anyone is free to audit the code for any
13) Argue that a voter can prove that he has voted for the
discrepancies.
election without revealing his identity.
9) Argue that Total number of votes ≤ Total number of
Argument - For a democracy participation in an elec-
token = Number of voters
tion is a high requirement for a better governance. A
Argument - The total number of votes casted in an
voter might need to prove that he has participated in
election can be at maximum equal to the total number of
an election in order to receive some incentives from
eligible voters, as each voter gets a single token to cast a
either the government or from any other bodies. All the
single vote. However, some voters may wish not to cast
stakeholders form a group for the purpose of verifying
a vote to any contesting parties by either not redeeming
that a voter has actually voted in an election. A voter
the vote token or by not casting the vote after redeeming
will sign on behalf of the group and the verifier body
the the vote token.
will be able to know that the signature is a part of the
10) Argue that a duplicate token cannot be generated
group proving that the person has really voted in the
Argument -
election.
We prove this by proof of contradiction:-
14) Argue that if an attacker is able to obtain a p and a q
Let d and d’ be two tokens, such that d is a duplicate
equating to n when p * q, at a later stage post election
of d’ i.e. d=d’ where d = p*q and d’ = p’*q’, which
or after a valid voter has casted a vote, the election
implies either
will still remain safe and user privacy is not going to
a) p=p’ and q=q’ Equation 1 or be violated.
b) p=q’ and q=p’ Equation 2 Argument - Even if such a scenario happens the attacker
However, from Argument 1 the election commission cannot hamper anything as the knowledge of p and q
ensures that for any two tokens d and d’, where d=p*q can only allow to obtain the vote token,once a vote has
and d’=p’*q’, been casted neither a new token be issued based on the
neither knowledge of p and q, nor any changes in the vote can
a) p=p’ and q=q’ Equation 3 be made.
nor
b) p=q’ and q=p’ Equation 4 VII. ATTACK S CENARIOS
Which is a contradiction, to our assumption in Eq. 1 and 1) Transaction Starving Attack - An attacker, be it a
Eq. 2. Hence, our system assure that a duplicate token single entity or a group can arbitrarily delay a valid
cannot be generated. vote transaction or a token generation transaction by
11) Argue that a valid token cannot be derived from known flooding the blockchain with excessive transaction at the
valid token Argument - Suppose, that two voters chooses same time, thus increasing the processing workload of
426
Authorized licensed use limited to: Australian National University. Downloaded on November 15,2023 at 23:23:41 UTC from IEEE Xplore. Restrictions apply.
the network. However, such type of attack cannot go
for an infinite time as each transaction will have a cost
associated, and the attack will be over as and when the
attacker runs out of balance.
2) DoS Attack - A voter will be connected to a full node,
to get information from the blockchain as well as inorder
to generate a token or cast a vote. The full node that the
voter is associated with, may play foul by intentionally
delaying the transaction propagation, and if the node is
also a miner further it may ignore the transaction and Fig. 4. Cost for Vote transactions
may not put in any of the blocks that it is mining. Such
a kind of DoS attack may go on for an infinite amount
of time. The resolve for such a kind of attack is to either IX. C ONCLUSION
switch the full node after a threshold period of time or In this work we proposed and implemented a prototype
it setup a fully independent node for itself. of zero knowledge based e-voting on a public blockchain.
3) Voter Profiling by full node/miner - A full node or We considered the underlying hardness of prime factorisation
a miner node can attempt profiling a user to which of a large number to serve as the problem, to which zero
the voter is associated with. Such an attack is possible knowledge solution is to be produced. In short we summarise
as the node can find out the IP address from which a the contributions of our paper as follows:-
transaction is coming, other information that an attacker 1) Self-Tallying Voting - Our proposed system allows for
can get is the timezone from which the transaction self tallying of the votes and thus provide the result
is coming. Such a kind of attack can be mitigated outcome instantly after the election period is over.
by switching a full node each time before sending a 2) ZK proof for a valid voter - A valid voter who has
transaction, or switching the peers before sending a voted in an election can prove that he has actually voted
transaction in case the voter has setup its own full node. without revealing his information.
4) Replay Attack - An non eligible voter may replay the 3) Conditional Disclosure of Proof-of-Vote: The election
same zero knowledge proof of possessing the secret commission being the group manager can disclose the
parameters which he has obtained from other valid voter. identity of a voter in case of any conflicts.
We invalidate this type of attack by destroying a token 4) Anonymous Voting - A vote casted by a voter leaks no
redeem smart contract by destroying it as soon as a token information about the real life identity of a voter.
is redeemed so that the same token redeeming contract
cannot be used to redeem more than one token. R EFERENCES
VIII. E XPERIMENTS AND O BSERVATION [1] Matt Bishop and David Wagner. Risks of e-voting. Communications of
the ACM, 50(11):120–120, 2007.
We use the Ethereum[2] blockchain platform to test our [2] Vitalik Buterin et al. A next-generation smart contract and decentralized
proposed approach. Circom circuit generator was used to write application platform. white paper, 3(37):2–1, 2014.
[3] J Paul Gibson, Robert Krimmer, Vanessa Teague, and Julia Pomares. A
the prime multiplication circuit. We also used snarkjs. Solidity review of e-voting: the past, present and future. Annals of Telecommu-
was the language of choice for writing the smart contract. nications, 71(7):279–286, 2016.
We wrote the Election.sol smart contract to count the number [4] Dimitris A Gritzalis. Principles and requirements for a secure e-voting
system. Computers & Security, 21(6):539–556, 2002.
of votes. A zero knowledge smart contract was deployed for [5] Feng Hao, Peter YA Ryan, and Piotr Zieliński. Anonymous voting
verification for each voter. by two-round public discussion. IET Information Security, 4(2):62–67,
2010.
[6] Fririk Hjálmarsson, Gunnlaugur K Hreiarsson, Mohammad Hamdaqa,
and Gı́sli Hjálmtỳsson. Blockchain-based e-voting system. In 2018 IEEE
11th international conference on cloud computing (CLOUD), pages
983–986. IEEE, 2018.
[7] Aggelos Kiayias and Moti Yung. Self-tallying elections and perfect
ballot secrecy. In International Workshop on Public Key Cryptography,
pages 141–158. Springer, 2002.
[8] Nir Kshetri and Jeffrey Voas. Blockchain-enabled e-voting. Ieee
Software, 35(4):95–99, 2018.
[9] Patrick McCorry, Siamak F Shahandashti, and Feng Hao. A smart con-
tract for boardroom voting with maximum voter privacy. In International
conference on financial cryptography and data security, pages 357–375.
Fig. 3. Cost of Contract Deployment Springer, 2017.
[10] Emre Yavuz, Ali Kaan Koç, Umut Can Çabuk, and Gökhan Dalkılıç.
Fig. 3 and Fig. 4 depicts the gas cost associated with Towards secure e-voting using ethereum blockchain. In 2018 6th
International Symposium on Digital Forensic and Security (ISDFS),
contract deployments and transactions. As of the day of pages 1–7. IEEE, 2018.
experiment a Token Verification and Redeem transaction costs
61.45 USD and Vote transaction costs 11.91 USD.
427
Authorized licensed use limited to: Australian National University. Downloaded on November 15,2023 at 23:23:41 UTC from IEEE Xplore. Restrictions apply.