Electronic Voting Protocol Using Identity-Based Cryptography

Electronic voting protocols proposed to date meet their properties based on Public Key Cryptography (PKC), which offers high flexibility through key agreement protocols and authentication mechanisms. However, when PKC is used, it is necessary to implement Certification Authority (CA) to provide certificates which bind public keys to entities and enable verification of such public key bindings. Consequently, the components of the protocol increase notably. An alternative is to use Identity-Based Encryption (IBE). With this kind of cryptography, it is possible to have all the benefits offered by PKC, without neither the need of certificates nor all the core components of a Public Key Infrastructure (PKI). Considering the aforementioned, in this paper we propose an electronic voting protocol, which meets the privacy and robustness properties by using bilinear maps.


Introduction
Since 1964, considerable efforts have been made to improve the efficiency of election processes that has brought, as a consequence, a wide range of proposals on such topic.
Electronic voting has been mentioned in different media as the use of computers or computerized voting equipment to cast ballots in an election, which nowadays are a reasonable alternative to conventional elections and other opinion expressing processes [1][2][3][4][5]. Roughly speaking an electronic voting protocol, used to develop an electronic voting process, involves three main entities: voters, registration authorities, and counting authorities who interact with each other during four main phases: registration, authentication, voting, and counting [6,7], from which authentication is out of our scope.
In order to use an electronic voting protocol inside an electronic voting process, it should satisfy several properties [8]. However, proposed protocol meets privacy and robustness properties by using bilinear maps.
(i) Privacy: a vote must be kept secret from any coalition of authorities.
(ii) Robustness: the protocol can be developed even if there are entities who do not give correct information.
In other words, this property is against dishonest users. In this paper a voting protocol based on bilinear maps [9,10] satisfying privacy, uncoercibility, and robustness is proposed. The paper is organized as follows: in Section 2 some intractable problems on finite groups are recalled. The security of the proposed protocol is based on these intractable problems. In Section 3 the proposed protocol is presented. An analysis of privacy and robustness properties is given in Section 4. Obtained results are showed in Section 5. Section 6 presents concluding remarks and final references are listed.

Preliminaries
Let ( 1 , +) be a cyclic group of order written additively. With such a group 1 , the following hard cryptographic problems are defined: (i) Discrete Logarithm Problem (DLP): given , ∈ 1 , find an integer such that = whenever such integer exists. (ii) Computational Diffie-Hellman Problem (CDHP): given a triple , , ∈ 1 for , ∈ Z , find the element ( ) .
We assume throughout the paper that DLP and CDHP are intractable, which means that there does not exist a Polynomial Time Algorithm to solve them with nonnegligible probability. When the DDHP is easy but the CDHP is hard on the group 1 , 1 is called a Gap Diffie-Hellman (GDH) group. Such a group can be found on supersingular elliptic curves or hyperelliptic curves over finite fields [11,12]. The proposed electronic voting protocol can be built on any GDH group.

The Proposed Electronic Voting Protocol
The protocol is divided into three phases: setup, voting, and counting. In the setup stage the key pairs to be used during the voting and counting phases are generated. The generation of these key pairs involves the participation of entities , where 1 ≤ ≤ [12][13][14]. Each entity broadcasts and receives specific information by using Shamir's secretsharing scheme in order to generate its public and private shares [15]. In the voting phase voters encrypt votes and ask a blind signature [13,14]. In the counting phase, a Combining Entity reconstructs the signatures of the votes and verifies and decrypts them [13,14,16,17].
The Combining Entity, who does not have any private key, decrypts the votes by combining decryption shares, which are generated by each entity , after which the votes are counted and the tally is published.
The three phases are detailed as follows.

Setup Phase
(1) Let ( 1 , +) and ( 2 , * ) be cyclic groups of the same order which is assumed to be a prime number, with 1 = ⟨ 1 ⟩, and let̂: 1 × 1 → 2 be a nondegenerated bilinear mapping. Let 1 : {0, 1} * → 1 and 2 : 2 → {0, 1} be two hash functions. This information is known to all entities , = 1, 2, . . . , , where ≤ −1. Furthermore, each entity chooses a binary string, an element of {0, 1} , corresponding to information identifying this entity, for example, an e-mail address, an IP address, and telephone number. The entity sends information to each to generate the public encryption key pub and its respective private decryption key as follows: (2) After receives ( ) from entity , = 1, 2, . . . , , ̸ = , it does the following: (b) It computes its private share = ∑ =1 ( ) and keeps it in secret. This may be considered as an element of Z .
(3) With the above calculations, the public key is pub = 1 and its respective private key, that is distributed to every entity , is = ∑ =1 0 .
(4) Let ID be the binary sequence identifying the receiver, also called Combining Entity, and let pub ID = 1 (ID) ∈ 1 ; all entities compute their private encryption private share ID = 0 pub ID .
(5) In order to generate the signature and verification key pair, each entity sends the following information to each . This is done by using the same (additive) group 1 = ⟨ 1 ⟩ as follows: With the above calculations, the public key is = (∑ =1 0 ) 1 ; it means that = 1 and its respective private key that is distributed to every entity is The Scientific World Journal 3

Voting Phase
(1) Let̂: 1 × 1 → 2 be the bilinear pairing mentioned above. To encrypt a vote as a message, the voter chooses an option V and selects 0 ̸ = ∈ Z . Then, it codifies V as an element of {0, 1} . After that, the voter selects any pub ID and computes one scalar multiplication and one bilinear pairing obtaining the encrypted vote given by ( , ), where = 1 ∈ 1 and = V ⊕ 2 (̂( pub , pub ID ) ) ∈ {0, 1} .
(2) The voter gets the blinded encrypted vote V by choosing randomly 0 ̸ = ∈ Z and calculating V = ( + 1 ( )). After that, V is sent to each entity in order to ask for an -shadow-blind signature to each entity , with 1 ≤ ≤ .
(3) Each entity computes = V and sends it back to the voter. Since V ∈ 1 , ∈ 1 as well.
Since is an element of 1 so is .
(5) Considering a storage device, the vote ( , ) and the i-shadow-signatures are stored as ( , where is computed as in the previous step.
(2) To decrypt the votes, the procedure is as follows: (a) Each entity calculates its decryption sharê ( , ID ) for every vote cast and sends to the Combining Entity, who selects a set (3) Once is determined, the vote is decrypted by computing V = ⊕ 2 ( ).

Properties Analysis
4.1. Privacy. The proposed electronic voting protocol meets the privacy property by using a threshold encryption scheme and its respective signature version, which is probably secure under the Computational Bilinear Diffie-Hellman Problem.
With this, only the Combining Entity, jointly with at least entities, is the only one who is able to decrypt votes and verify signatures during the counting stage. The correctness is shown as follows from the signature verification in Section 3.3: and from the decryption votes, also in Section 3.3: Then,

Robustness.
The proposed electronic voting protocol meets robustness property by using bilinear properties in such way that each entity has to prove, in a noninteractive way, the equality of two inverses of the isomorphism 1 = ( 1 , ⋅) induced by the bilinear map̂.

Security Analysis.
In the proposed protocol we assume that any attacker who wishes to break the privacy in the proposed electronic voting protocol is fully aware of the public key and any algorithms that may be used as part of the protocol. The information that is denied to the attacker is the private key for encryption during the voting phases. The nature of the relation between the public and private keys means that it is possible for any asymmetric scheme to achieve a perfect notion of security. Public keys, by definition, must contain enough information to compute their associated private key. In such case it may be theoretically possible to recover the private key from the public key; it is not computationally feasible to do so. Considering that and that we cannot derive definite mathematical statements about the security of the protocol, we do prove that a reduction exists between the difficulty of breaking the protocol and the difficulty of solving a well-studied mathematical problem.
The reductionist approach is used to prove the security in our protocol relying on assumptions about the hardness of some mathematical problems. All of this is made in order to prove its security. We give some definitions as follows. Definition 1. Given two groups 1 and 2 of the same prime order , a bilinear map̂: 1 × 1 → 2 , and a generator of 1 , the Decisional Bilinear Diffie-Hellman Problem (DBDHP) in ( 1 , 2 ,̂) is to decide whether ℎ =̂( , ) given ( , , , ) ∈ 4 1 and an element ℎ ∈ 2 .
In other words, security of proposed protocol is based on hardness assumptions for problems in groups equipped with a pairing. The advantage of solving such assumptions is given as follows.
where , , $ ← * and we assume that parameters ( 1 , 2 , , , ) as output by the algorithm PairingGen on input 1 are given to as additional inputs. We say that the BDHP is hard in ( 1 , 2 ) if no Polynomial Time Algorithm that solves the BDHP in ( 1 , 2 ) has a nonnegligible advantage, as a function of the security parameter .
where , , $ ← * and $ ← 2 . Moreover, we assume that parameters ( 1 , 2 , , , ) as output by the algorithm PairingGen on input 1 are given to as additional inputs. We say that the DBDHP is hard in ( 1 , 2 ) if no Polynomial Time Algorithm that solves the DBDHP in ( 1 , 2 ) has a nonnegligible advantage, as a function of the security parameter .
where , , $ ← * and ℎ =̂( , ) $ ← 2 . Moreover, we assume that parameters ( 1 , 2 , , , ) as output by the algorithm PairingGen on input 1 are given to as additional inputs. We say that the CBDHP is hard in ( 1 , 2 ) if no Polynomial Time Algorithm that solves the CBDHP in ( 1 , 2 ) has a nonnegligible advantage, as a function of the security parameter .
Considering the aforementioned, to break our protocol from the privacy point of view, first of all, attacker must break the atomic primitives our cryptographic protocol is based on in addition to getting nonnegligible advantage in the above definitions.

Results
In order to get a comparison between the proposed protocol and related work, results are shown from two points of view; Table 1 shows the first one, which is viewed from the total number of PKI components that the proposed protocol The Scientific World Journal 5 1 * 0 D H P Ohkubo et al. [3] 1 * V 0 D H P Baudron et al. [4] 1 * 0 R C Gallegos-García et al. [5] 0 1 C B D H P Proposed protocol 0 0 CBDHP Table 2: Cryptographic operations developed in the proposed protocol. Op.
Ohkubo et al. [3] Crameretal. [1] Baudron et al. [4] Muetal. [2] Gallegos-García et al. [5] Proposed protocol would use to develop a voting process. In such table PKI Component 1 and PKI Component 2 mean certification and trust authorities, respectively. Both of them are main components in a PKI. In that table it is possible to see that the number of components required increases depending on the number of voters participating in the voting protocol. Moreover, the proposed electronic voting protocol meets privacy and robustness based on Diffie-Hellman problems, which become as secure as [5] and more secure than [1][2][3][4], as [5] reports. In this sense CBDHP means Computational Bilinear Diffie-Hellman Problem.
On the other hand, the second point of view is from the computations needed to develop the proposed protocol, which depends on the number of cryptographic operations used in comparison with the proposed one. Operations considered are modular addition (+), modular multiplication ( * ), exponentiation ( ), inversion ( −1 ), point addition ( + ), and scalar multiplication ( ). Moreover, V means voter and parameter represents the total number of shareholders who participate during the voting process with 1 ≤ ≤ and denotes the threshold that the voting protocol considers for counting stage. It is important to say that our protocol involves operations based on groups, finite fields, and field extensions, which are made by using polynomials to represent the field elements that bilinear maps use.
In Table 2 it is possible to see that even though the proposed protocol does not involve exponentiations and point additions, it does use several computations of bilinear maps, which involves additions and multiplications over a finite field and its extensions, a technique called tower fields.
However, even though the proposed protocol has the highest computational cost, bilinear maps can be addressed by using cryptoaccelerators, which efficiently develops such kind of cryptographic operations. The inclusion of such processors is considered to be cheaper and preferred than the components of a Public Key Infrastructure.

Conclusion
Electronic voting protocols that include as main construction blocks blind signatures and homomorphic and secret sharing techniques have been developed in last years. In this paper we present a protocol that is based on blind signatures and secret sharing techniques, using blind signatures and encryption schemes as the main construction blocks. The main difference with protocols proposed to date is that its functionality is based on bilinear maps and secret sharing schemes, which are used jointly with their respective properties to meet expectations of privacy and robustness. Bilinear maps develop high cost operations which can be addressed by using cryptoaccelerators to efficiently develop this sort of operations. As a result, we eliminate the need of implementing a Public Key Infrastructure (PKI).
In addition the proposed protocol is based on the difficulty of solving the Computational Diffie-Hellman Problem (CDHP) and the Bilinear Diffie-Hellman Problem (BDHP); due to its construction it can be found on supersingular elliptic curves or hyperelliptic curves over finite fields; as a consequence no algorithm exists as yet capable of solving such problems in polynomial time. 6 The Scientific World Journal According to what was mentioned above, it is easy to see that proposed protocol highlights the balance between security and efficiency. In other words, from the security point of view, the proposed protocol is based on the difficulty of solving the Computational Diffie-Hellman Problem (CDHP) and the Bilinear Diffie-Hellman Problem (BDHP). From the efficiency point of view, we eliminate the need of implementing the components of a Public Key Infrastructure (PKI) and leave as consideration the development of cryptographic operations by using cryptoaccelerators.
The protocol presented here could be used, for instance, in a voting system based on Direct Recording Electronic (DRE) systems, which provides authentication of the voter's identity based on official documents presented to the electoral authority.
Moreover, the voter's receipt could be used to meet requirements of verifiability and accuracy. Thus, in order to verify if the votes were recorded and counted, the receipt should appear on a bulletin board in which it is displayed together with the final tally. If any voter does not find his/her hash value on the bulletin board, he/she can register a complaint with election officials.