MVP: An Efficient Anonymous E-voting Protocol

Transcription

1 MVP: An Efficient Anonymous E-voting Protocol You Zhou Yin Zhou Shigng Chen Smuel S. Wu Deprtment of Computer & Informtion Science & Engineering Deprtment of Biosttistics University of Florid, Ginesville, FL 32611, USA Emil: {youzhou, yin, Abstrct Thnks to the Internet, voters cn cst their bllots over the electronic voting (E-voting) systems conveniently nd efficiently without going to the polling sttions. However, existing E-voting protocols suffer from nonymity issues nd/or high deployment overhed. In this pper, we design prcticl nonymous E-voting protocol (referred to s MVP) bsed on novel dt collection technique clled dul rndom mtrix msking (DRMM), which gurntees nonymity with low overhed of computtion, nd chieves the security gols of receipt-freeness, double voting detection, firness, bllot secrecy, nd integrity. Through extensive nlyses on correctness, efficiency, nd security properties, we demonstrte our proposed MVP protocol cn be pplied to E-voting in vriety of situtions with ccurcy nd nonymity. I. INTRODUCTION The prcticl importnce of electronic voting (E-voting) technology hs ttrcted significnt reserch interest in recent yers [1] [4]. E-voting provides gret convenience for people to prticipte in votings without geogrphicl restriction nd time limittion. In prticulr, nonymous E-voting systems incorporte n importnt feture of nonymity [5] [8], which gurntees tht ny bllot cnnot be trced bck to the individul person who csts it. Anonymity is criticl in encourging voters to voice their true opinions on sensitive issues nd promoting prticiption in voting. There re mny importnt requirements for nonymous E-voting system design: Double Voting Detection: Only eligible nd verified voters re llowed to cst bllots. In ddition, ech qulified voter cn only cst one vlid vote. If voter csts multiple bllots, only one vote will be counted. Correctness: All votes must be counted correctly. All vlid bllots must be correctly counted into the finl tlly. No invlid bllot cn be counted into the finl tlly. Firness: No intermedite results cn be obtined before the voting period ends (so tht such informtion cnnot be used to ffect people who hve not voted). Receipt-freeness: An essentil property tht prevents voter from proving to ny third prty tht he/she hs voted for prticulr cndidte in order to void bllot buying. Bllot Secrecy: Besides the voter himself/herself, others cnnot know the ctul bllot tht the voter hs cst. Integrity: Any vlid bllot cst by ny individul voter cnnot be modified, duplicted, or removed. Any ttempt to tmper with the correct finl tlly will be detected. Efficiency: The computtion for individul voters nd voting servers should be s efficient s possible. There re two types of ttck ginst nonymous E-voting systems: pssive ttck nd ctive ttck. In pssive ttck, the dversry tries to obtin s much originl bllot dt nd voter identity informtion s possible. Active ttck is more severe: the dversry ttempts to sbotge the voting process by ltering the finl tlly. Existing reserch minly focuses on the pssive ttck. Most of the prior protocols rely on expensive cryptogrphic techniques [4] [10], nd they cn be clssified into three ctegories bsed on mix-nets, blind signtures, nd homomorphic encryption. While the existing protocols re ble to ddress mny importnt issues through different mens, they lso hve limittions in prcticlity, fetures nd efficiency, s we will explin in Section IV. None of them meets ll the bove requirements. Addressing those limittions will require us to explore new pproches tht differ from the pst ones. In this pper, we design prcticl nonymous E-voting protocol (referred to s MVP) bsed on novel dt collection technique clled dul rndom mtrix msking (DRMM), which gurntees nonymity with low computtion overhed nd chieves the forementioned requirements of receiptfreeness, double voting detection, firness, bllot secrecy nd integrity, under both pssive nd ctive ttcks. In the MVP protocol, voters cn cst bllots without disclosing their votes nd identity informtion. Through extensive nlyses on correctness, efficiency, nd security properties, we demonstrte our proposed MVP protocol cn be pplied to E-voting in vriety of situtions with ccurcy nd nonymity. II. PRELIMINARIES A. System Model We consider n nonymous electronic voting (E-voting) system s illustrted in Figure 1, which consists of three prties: Voters: The people who hve been uthorized to prticipte in the voting. Ech uthenticted voter cn only cst one vlid vote. If voter csts multiple bllots, only one vote should be counted into the finl tlly. Dt mngement center (DMC): An orgniztion tht holds the voting ctivities. It is the center of the voting, nd responsible for uthentiction of voters, counting vlid bllots, nd the nnouncement of the finl tlly. Voting Proxy Server (VPS): A server tht is responsible for collecting vlid msked bllots from uthenticted voters, nd forwrding msked group votes to the DMC. In our model, n nonymous E-voting system consists of voters, one or multiple VPS, DMC with bckend servers, /16/$ IEEE

2 cndidte, etc. We ssume the communiction chnnels between the three prties (voters, VPS, nd DMC) in our E-voting system re secure, which cn be esily relized through some known protocols (e.g., TLS or SSL), nd untppble (i.e., no listening or recording device cn be plced to record the voting process). With secure communiction chnnels nd proper uthentiction, no dt in the system will be disclosed to ny outsider dversry. Fig. 1. Anonymous E-voting system model. nd communictions between them. The DMC tht holds the voting builds server with dtbse of ll voters informtion, nd it is responsible for registrtion, uthentiction nd prevoting communictions with voters. Voters need to register themselves with the DMC before the voting. After obtining the uthentiction from the DMC, voters cn then cst their msked bllots through n E-voting website or n pp on their mobile devices to the dt collector VPS. For the purpose of nonymity, only msked vote dt will be sent to the VPS. The VPS cn be compny s web server or some other proxy server. It collects msked bllots from voters bsed on groups, then ggregtes nd msks ech group of bllots, nd trnsmits the msked group bllots to the DMC. Finlly, the DMC will count the votes bsed on the msked group bllots, nd publish the finl tlly result. B. Security Model We ssume the DMC is semi-honest. On the one hnd, it honestly fulfils its duty, including registrtion, uthentiction nd pre-voting communictions with voters, nd counting ech group s poll result bsed on the msked group bllots from the VPS. On the other hnd, the DMC my be curious bout nd intend to obtin the originl votes of individul voters. Other potentil dversry cn be either compromised VPS or some misbehved voter(s). Misbehved voters im to lter the tlly by double voting, but they re outnumbered by the honest voters. A sbotged VPS my try to obtin voters identity nd their individul or group vote informtion, or even modify the finl tlly, without being detected. In spot of ny dversry behvior during the voting process, the reputtion of the VPS will be dmged, nd the E-voting cn be efficiently restrted. More specificlly, we consider n ttck model with two outstnding potentil ttcks: the pssive ttck nd the more severe ctive ttck. In the pssive ttck, the dversry tries to obtin s much originl bllot dt nd voter identity informtion s possible in the voting process. For exmple, sbotged VPS my try to mine the voting result before the DMC publishes it, or digest individul vote informtion from the msked bllots. In the more severe ctive ttck, the dversry ttempts to sbotge the voting process to lter the finl tlly result without being detected. For instnce, misbehved voters my try to cst multiple bllots, or compromised VPS my modify or remove some collected bllots nd try to crete fke tlly result in fvor of prticulr C. Mtrix Msking Mtrix msking is the most populr technique used for dt collection with disclosure limittions [11] [14]. It refers to clss of sttisticl disclosure limittion (SDL) methods used to protect the confidentility of sttisticl dt, through some specific mtrices trnsforming dt mtrix to msked mtrix vi pre- nd post- multipliction nd possible ddition of noise or perturbtions. For exmple, Duncn [11] proposes to trnsform n n p (cses by vribles) dt mtrix X to the msked dt of the form: X AXB + C, where mtrix A is row opertor, mtrix B is column opertor, nd mtrix C is the noise or perturbtions dded to the dt. In our protocol, we dopt mtrix msking s building block to propose novel dul rndom mtrix msking (DRMM) technique. In prticulr, two mtrices A nd B reusedtomsk the originl dt X, where A is rndom orthogonl mtrix s row opertor only known to the dt collector VPS, nd B is rndom invertible mtrix s column opertor only known to the voting orgniztion DMC. We will prove tht our dt collection protocols bsed on DRMM chieves nonymity nd gurntees the sme finl tlly result s the originl dt X. 1) Msked dt disclosure limittion: In this pper, we use n invertible mtrix B to msk the originl dt X, nd the msked dt XB will be sent to the dt collector VPS: X XB. Since B is invertible, there exits sequence of row opertions P 1,P 2..., P s nd column opertions Q 1,Q 2,..., Q t such tht P s...p 2 P 1 BQ 1 Q 2...Q t = E B = P1 1 P2 1...Ps 1 EQ 1 t...q 1 2 Q 1 1, where P 1,P 2..., P s nd Q 1,Q 2,..., Q t re elementry invertible mtrices, nd E is the unit mtrix. In this cse, the msked dt cn be presented s follows: XB = XP1 1 P2 1...Ps 1 EQ 1 t...q 1 2 Q 1 1. (1) Since P1 1,P2 1..., Ps 1 nd Q 1 1,Q 1 2,..., Q 1 t in (1) re ll rndom column opertion mtrices used to do the rndom column switching, multipliction nd dding, without knowing ll these rndom mtrices in dvnce, the dversry cnnot get ny informtion relted to the columns of the originl dt X.

3 2) ROMM: Ting et l. propose new perturbtion method clled rndom orthogonl mtrix msking (ROMM) to protect confidentil dt [14]. ROMM is specil cse of the stndrd mtrix msking, under the conditions tht B is the identity mtrix, C is the zero mtrix, nd A is some rndom orthogonl mtrix drwn from some known distribution D. Therefore, the trnsformtion of ROMM is X AX. ROMM hs one criticl feture. It preserves the smple men nd smple covrince mtrix fter orthogonl pre-mtrix msking. We provide theorem tht formlly codifies this feture. Interested reders cn refer to [14] for the forml proof. Theorem 1. Let X nd Y = AX be the originl dt nd msked dt produced by ROMM, respectively. Denote the smple men nd the smple covrince mtrix of the originl dt X s x nd Σ x, nd denote the smple men nd the smple covrince mtrix of the msked dt Y s y nd Σ y. Then x = y, nd Σ x = Σ y, nd colsum{x} = colsum{y }, (2) where colsum{} is vector contining the sum of ech column in the input mtrix. Theorem 1 sttes tht the ROMM trnsformtion preserves the smple men nd smple covrince of the originl dt, which further implies tht the colsum on the perturbed dt is n unbised estimte of the colsum obtined from the originl dt. Therefore, in our protocols, the dt collector VPS cn simply publish the perturbed dt produced by ROMM, while preserving the sttisticl fetures like colsum of the originl dt. D. Noise Flooding Lemm Now, we introduce the noise flooding lemm, which will be used in our protocols. Lemm 1. Let c be constnt rel number in R representing the useful informtion, nd w be rndom vrible representing the noise. Denote the distribution of w s f w (), which is continuous function. Assume tht w = w, nd >1, then [ lim fw (w + c) f w (w ) ] =0, lim f w (w + c) f w (w ) dw =0. Proof: Since the distribution of w is f w (w) nd w = w, the distribution of w nd w + c is f w (w )= 1 f (w ) 1 w = f w(w), f w (w + c) = 1 f (w + c) 1 w = f ( c ) w w +. Then, lim = lim = lim lim = lim = [ fw (w + c) f w (w ) ] [ 1 f w { [ 1 This completes the proof. ( c ) 1 w + f w ( w + c ] f w(w) ]} ) fw (w) =0, f w (w + c) f w (w ) dw { 1 f (w w + c ) (w ) } fw dw ( lim c ) fw w + fw (w) dw =0. Lemm 1 sttes tht, s increses to infinity, the difference between f w (w ) nd f w (w +c) decreses to 0. An impliction is, when the noise w floods mong the whole observtion spce, i.e.,, we cnnot tell the useful informtion c perturbed by the noise w. Suppose there re two rndom vribles w 1 nd w 2, nd they re independent nd hve the sme distribution f w (w ) with very lrge. We rndomly pick one vrible nd dd constnt c to it. Then others cnnot tell which vrible hs incresed by c given limited number of smples of the vribles w 1 nd w 2. In other words, the noise hs overwhelmed the useful informtion c, so the dversry won t be ble to obtin c from its perturbed formt w + c. III. MVP: A NOVEL ANONYMOUS VOTING PROTOCOL In this section, we propose novel efficient mtrix msking nonymous voting protocol (MVP) bsed on novel technique dul rndom mtrix msking (DRMM). We first introduce some bsic functions to be pplied in MVP, then describe the full MVP protocol in detils. Finlly, we nlyze the correctness, efficiency, nd security properties of MVP. A. Functions Before describing the full MVP protocol, we first introduce some bsic functions in the protocol. Setup: Setup(Reg v ) (,Cert v,gid v,index v ) is function tht tkes the registrtion informtion Reg v of voter v s input, nd outputs some setup prmeters, including v s initil bllot noise ( ), certifiction (Cert v ), group ID GID v, nd group index Index v.the pir (GID v,index v ) is defined s v s voting identifier. Key Genertion: KeyGen(Entity, GID) (key) is rndomized lgorithm tht tkes the entity s nme nd group ID s input, nd outputs key for the entity. Through this function, the DMC obtins rndom invertible msking mtrix B, nd the VPS obtins rndom orthogonl msking mtrix A, for ech group. Messge Forwrding: Send(Msg,dst) is relible communiction function tht tkes the destintion dst nd the messge Msg s input, nd ccomplishes the secure messge forwrding tsk. In our protocols, ll messge

4 forwrding between voters, the DMC, nd the VPS re secured through this function. B. MVP Now we present our novel nonymous voting protocol MVP, which includes the following four phses: initiliztion, uthentiction, voting, nd counting. Suppose there re p cndidtes in the voting. 1) Initiliztion phse: In the beginning, the DMC nd the VPS generte their own pirs of symmetric keys, i.e., (K D, K + D ) for the DMC nd (K V, K+ V ) for the VPS, nd shred symmetric key κ. Ech voter v lso genertes its privte key Kv nd public key K v +, then uses its unique identifiction informtion (e.g., identifiction number, dte of birth, etc.) to register with the DMC. Upon receipt of v s registrtion request nd verifying v is legitimte voter, the DMC genertes piece of registrtion informtion Reg v, nd sends the encrypted registrtion E(K v +,E(K + D,Reg v)) to v. After tht, the DMC uses the setup function to produce group ID GID v, group index Index v, n initil bllot noise, nd certifiction Cert v for v, nd stores the informtion (Reg v, GID v, Index v,, Cert v ) in its dtbse. The DMC will lso shre the uthentiction informtion (Cert v, GID v, Index v ) with the VPS for it to lter verify uthorized voters. Finlly, for ech group of voters, the DMC will use the group ID GID s the seed to generte rndom invertible mtrix B, nd store the informtion (GID, B) in its dtbse. Similrly, for ech group of voters, the VPS will use the group ID GID s the seed to generte rndom orthogonl mtrix A, nd store the informtion (GID, A) in its dtbse. The initiliztion phse is summrized in the following: DMC : Setup(Reg v ) (,Cert v,gid v,index v ), KeyGen(DMC, GID) invertible mtrix B. VPS: KeyGen(VPS,GID) orthogonl mtrix A. 2) Authentiction phse: To gurntee only verified voters re llowed to cst bllots, voters must uthenticte themselves with the DMC to obtin necessry informtion for voting. In the uthentiction phse, ech voter v will decrypt its encrypted registrtion informtion obtined from the DMC to get D(Kv, E(K v +,E(K + D,Reg v))) = E(K + D,Reg v), encrypt it with its privte key, nd send E(Kv,E(K + D,Reg v)) to the DMC for verifiction. After decrypting the messge with K D nd K+ v, i.e., D(K D,D(K+ v,e(kv,e(k + D,Reg v)))) = Reg v, nd verifying tht Reg v is in its dtbse, the DMC will perform the following opertions: (i) The DMC uses Reg v to fetch v s group ID GID v, group index Index v, initil bllot noise, nd certifiction Cert v, nd uses GID v to fetch v s group msking mtrix B, from its dtbse. (ii) The DMC genertes messge M = (GID v,index v ), nd M b = E(κ, Cert v GID v Index v ) by encrypting v s uthentiction informtion with the shred key κ. (iii) The DMC computes p originl bllots, {OBv, 1..., OBv, j..., OBv}, p where OBv j represents voting for the j-th cndidte, nd is just 1 p vector consisting of 0 s nd 1 s such tht OBv[j] j =1, nd OBv[i] j =0, i = j. (iv) The DMC dds voter v s initil bllot noise to ech originl bllot to generte p perturbed bllots, {NBv, 1..., NBv, j..., NBv}, p i.e., NBv j = + OBv, j j [1,p]. (v) The DMC multiplies ech perturbed bllot with v s group msking mtrix B to generte p msked bllots, {MBv, 1..., MBv, j..., MBv}, p i.e., MBv j = NBv j B, j [1,p]. (vi) The DMC encrypts ech msked bllot with the shred key κ to generte p encrypted msked bllots, {EBv, 1..., EBv, j..., EBv}, p i.e., EBv j = E(κ, MBv), j j [1,p]. (vii) The DMC conctentes the p encrypted msked bllots to generte messge M c, i.e., M c = (EBv... EB 1 v j... EBv). p Finlly, the DMC sends bck messge M 1 to the voter v, which is n encrypted conctention of M, M b nd M c : M 1 = E(K v +,M M b M c ) = E(K v +,M E(κ, Cert v GID v Index v ) M c ). When the voter v receives the messge M 1, it will decode M 1 with its privte key to get M, M b nd M c : D(K v,m 1 )= (M M b M c ). M is v s voting identifier. Since the certifiction M b = E(κ, Cert v GID v Index v ) is encrypted by the key κ shred between the DMC nd the VPS only, the voter v cnnot decrypt M b to ccess its uthentiction informtion (Cert v, GID v, Index v ). This serves n importnt purpose of ssuring double voting detection, which we will explin more lter. 3) Voting Phse: In the voting phse, voters cst encrypted msked bllots to the VPS. The VPS gthers the encrypted msked bllots bsed on voters groups, further msks the group bllots, nd sends to the DMC. There re four steps. ) Step 1: voters cst encrypted msked bllots. From the previous uthentiction phse, ech voter v receives its uthentiction informtion M b, nd M c which conctentes p encrypted msked bllots. During the voting process, ech voter v will decide which cndidte to vote, nd choose the corresponding encrypted msked bllot EB v = E(κ, MB v ) = E(κ, ( + OB v ) B) from M c :ifv decides to vote for the j-th cndidte, v will select EBv j from M c, i.e., EB v = EBv. j After tht, v csts its vote by sending EB v with the uthentiction informtion M b in messge M 2 to the VPS: M 2 = E(K + V,EB v M b ) = E(K + V,EB (4) v E(κ, Cert v GID v Index v )). b) Step 2: VPS verifies ech individul vote. Upon receiving vote messge M 2, the VPS decodes M 2 with its own privte key K V nd the shred key κ: D(K V,M 2)=(EB v M b ), D(κ, EB v )=(MB v ), (5) D(κ, M b )=(Cert v GID v Index v ). The VPS looks up the uthentiction (Cert v GID v Index v ) in its dtbse, nd checks whether the voting identifier (GID v,index v ) is in the set S, which contins the (GID, Index) of ll lredy-voted voters to detect potentil double voting. If (Cert v GID v Index v ) exists in VPS s dtbse, nd (GID v,index v ) does not exist in S, it mens this bllot is the first (3)

5 vote of n uthenticted voter. So the VPS will ccept the bllot, store the MB v, nd insert (GID v,index v ) into S. Otherwise, the VPS will reject the bllot nd do nothing. c) Step 3: VPS genertes msked group bllots. When the voting period ends, the VPS finishes collecting ll voters msked bllots. Next, the VPS strts to ggregte these bllots bsed on voters groups: it will generte msked group bllot GB g for ech group g of voters. Suppose in group g, there re m voters {v 1, v 2,..., v m } who hve cst vlid bllots (i.e., their voting identifiers re in the set S), nd their msked bllots re {MB v1, MB v2,..., MB vm }. The msked group bllot GB g is n n p mtrix stisfying the following requirement: colsum{gb g B 1 } = m NB v. (6) To generte GB g bsed on the msked bllots {MB v1, MB v2,..., MB vm }, we provide the following Theorem 2. Theorem 2. If colsum{gb g } = colsum{ m k=1 MB v k }, then colsum{gb g B 1 } = m k=1 NB v k. Proof: For two rbitrry multiplible mtrices T 1 nd T 2, Therefore, colsum{t 1 T 2 } = colsum{t 1 } T 2. colsum{gb g B 1 } = colsum{gb g } B 1 m } =colsum{ k=1 MBv B 1 m } =colsum{ k k=1 MBv k B 1 =colsum { m k=1 NB } m v k = k=1 NB v k. This completes the proof. From Theorem 2, VPS cn esily generte GB g by producing pn 1column vectors GBg, 1..., GBg, j..., GBg, p such tht colsum{gbg} j = colsum{ m k=1 MB v k }[j], j [1,p]. To produce GBg, j VPS cn employ rndom number genertor to crete n 1 rndom numbers, r 1,r 2,...,r (n 1), s the first n 1 elements of GBg, j nd set the lst element of GBg j to be colsum{ m k=1 MB v k }[j] n 1 i=1 r i. Repeting this process by p times, VPS will obtin ll p column vectors of GB g. d) Step 4: VPS uplods dul-msked group bllots to the DMC. Now the VPS hs generted msked group bllot GB g for ech group g of voters. Next, it will multiply ech GB g by its corresponding group orthogonl mtrix A (note tht different groups hve different A, nd ech A is n n rndom orthogonl mtrix only known by the VPS), nd send A GB g with GID = g with the set S in messge M 3 to the DMC: M 3 = E(κ, {(A GB g,gid = g)} g {GID} S). (7) 4) Counting Phse: Upon receiving the messge M 3,the DMC decodes M 3 to obtin A GB g for ech group GID = g. Then the DMC uses the GID = g to fetch the group msking mtrix B from its dtbse, nd computes its inverse mtrix B 1. To obtin the ggregte tlly of ll voters in the group g, the DMC first multiplies A GB g by B 1 to recover the de-msked group bllot G g : G g = A GB g B 1. (8) Then, the DMC clcultes colsum{g g }, nd subtrcts the sum of the initil bllot noises of ll voters in the group g, who hve cst vlid bllots ccording to S, i.e., m k=1 k. The finl tlly result of group g is simply c g = colsum{g g } m. (9) In the next subsection, we will prove c g = x g, where x g = m k=1 OB v k is the sum of the originl bllots of ll voters who hve cst vlid bllots in group g. Finlly, for ech group g, the DMC verifies if the number of voters in group g mtches the number of votes in c g. If they ll mtch, the DMC will dd ll c g from every group g, nd publish the finl tlly nd the set S. This completes our MVP protocol. C. Correctness First, we prove tht for ech group g, the counting result of the DMC c g equls the ctul voting result x g = m k=1 OB v k. Proof: From (9), (8), Theorem 1, nd (6), we hve c g = colsum{g g } m = colsum{a GB g B 1 } m = colsum{gb g B 1 } m = m NB v m = m OB v = x g. This completes the proof. Next, the DMC clcultes the c g from (9) for ech group g {GID}, nd dds ll c g to obtins the finl result R. Clerly, R = c g = x g. (10) g {GID} g {GID} This demonstrtes the universl correctness of MVP. D. Efficiency Suppose there re totl of N voters in M groups. The computtion overhed of ech entity in MVP is given s follows: Ech voter only needs to pick one encrypted msked bllot nd cst it to the VPS. So its computtion cost is O(1). The VPS first ggregtes N voters msked bllots (1 p vectors) into M groups, whose cost is O(N p). Then it genertes M msked group bllots {GB g } g {GID} (n p mtrices), whose cost is O(M n p). Finlly, it multiplies ech of the M msked group bllots, GB g, with n n orthogonl mtrix A, to produce the dulmsked group bllots, whose cost is O(M n 2 p). So the totl computtion overhed of the VPS is O(N p + M n 2 p). The DMC needs to generte p msked bllots for ech voter, whose cost is O(N p 3 ). Also, for ech group g

6 of voters, the DMC needs to multiply the dul-msked group bllot A GB g by p p mtrix B 1 to recover the de-msked group bllot G g (n p mtrix), whose cost is O(M n p 2 ). Then it clcultes colsum{g g } nd subtrcts m k=1 k to compute c g, nd dd c g for ll M groups, whose cost is O(M n p + N p). SoDMC s totl computtion overhed is O(N p 3 + M n p 2 ). Since p nd n re constnt numbers fr smller thn M nd N, the computtion complexity for voters, the VPS, nd the DMC re ctully O(1), O(N + M), nd O(N + M), respectively. One cn see tht our MVP protocol is indeed very efficient. E. Security Anlysis 1) Receipt-freeness: Generlly speking, receipt-freeness mens voter cnnot provide ny proof to demonstrte to third prty tht he/she hs voted for prticulr cndidte, which mkes the vote-buying impossible. In our MVP protocol, receipt-freeness is chieved for the following three resons. First, the communiction chnnels in MVP re secure nd untppble, nd voters must uthenticte themselves with the DMC to vote. In other words, physicl recording nd msquerde re not possible. Second, the MVP protocol is designed in one-wy mnner. A voter v only obtins p encrypted msked bllots {EBv} j j [1,p] from the DMC, nd cn only cst one vlid bllot. After v csts his/her encrypted msked bllot EB v, the VPS will decrypt nd obtin its msked bllot MB v. But n honest VPS will not provide proof for v to demonstrte tht MB v is v s msked bllot. Even if the VPS is compromised to cooperte with the voter v, from its msked bllot MB v,thevoterv still cnnot prove his/her vote OB v, since neither the initil bllot noise nor the group msking mtrix B re known to v or the VPS. Finlly, since the DMC is semi-honest, it knows nd B, but will never prove to ny third prty tht nd B reusedtomskv s originl bllot OB v to llow vote-buying. Therefore, the voter v cnnot provide ny proof tht his/her cst bllot EB v indeed corresponds to the vote OB v fter he/she csts the bllot. 2) Double Voting Detection: In MVP, only verified voters re llowed to vote, nd ech qulified voter cn only cst one vlid vote. Voters must register nd uthenticte themselves with the DMC to obtin necessry informtion for voting. In prticulr, ech voter obtins unique voting identifier from the DMC, which must ccompny his/her vote for uthentiction. The VPS keeps trck of set S of the voting identifiers of ll lredy-voted voters. If misbehved voter v ttempts to cst multiple bllots, the VPS will only ccept v s first vote nd ignore v s other votes. Even if the VPS is compromised to cooperte with the voter to cst multiple bllots, the DMC cn esily detect this cheting behvior through mismtched number of voters nd the finl tlly derived from de-msking nd removing the initil bllot noises during the counting phse. Therefore, MVP chieves double voting detection. 3) Firness: MVP lso chieves firness by employing novel dt collection technique dul rndom mtrix msking (DRMM). Voters bllots re protected by two mtrices A nd B: the orthogonl msking mtrix A is only known to the VPS, while the invertible msking mtrix B is only known to the DMC. In MVP, voters individul msked bllots re collected by nd stored in the VPS. Since the group msking mtrix B is only known to the DMC, the VPS cnnot decode the msked bllots to obtin the originl bllots or the voting counts. Even if the VPS retrieves B, it still cnnot derive ny group bllot informtion without knowing the distribution of the initil bllot noise IB for this group of voters. Suppose the VPS tries to estimte the group voting result x g for the group g. The m originl bllots, u 1 = OB v1, u 2 = OB v2,..., u m = OB vm, re modeled s reliztions of m independent nd identiclly distributed (i.i.d.) rndom vribles (R.V.) U i, i [1,m], ech with the sme distribution s R.V. U. TheR.V.U cn only hve p different vlues {u j = OB j v j [1,p]}, where OB j v represents the originl bllot voting for the j-th cndidte. Similrly, the m initil bllot noises, w 1 = 1, w 2 = 2,..., w m = m,re viewed s reliztions of m i.i.d. R.V.s W i, i [1,m], ech with the sme distribution s R.V. W. The originl bllots re independent of the initil bllot noises, so U is independent of W. The VPS hs the perturbed bllot R.V. Z = U + W with m independent smples z 1 = NB v1 = u 1 + w 1, z 2 = NB v2 = u 2 + w 2,..., z m = NB vm = u m + w m, nd its purpose is to estimte the posterior probbility distribution of U, i.e., P (U = u i ), which cn revel the group voting result, with the perturbed bllots. Using Byes theorem, the posterior probbility distribution of U cn be written in terms of the density function f W of W s P (U = u j )= fz(z U=uj )P (U=u j ) f Z(z) = fz(z U=uj )P (U=u j ) p k=1 fz(z U=uk )P (U=u k ) = f W (z u j )P (U=u j ) p k=1 fw (z uk )P (U=u k ). However, since the VPS doesn t know the density function f W of W, it cnnot estimte the distribution of the originl bllots U from the m smples of perturbed bllots Z. Finlly, since the VPS will not uplod group bllots to the DMC for counting until ll voters hve finished voting, the DMC cn only count the finl tlly fter the voting period ends. Therefore, no intermedite results cn be obtined by ny entity. 4) Bllot Secrecy: MVP chieves bllot secrecy. In MVP, the VPS nd DMC ech holds key mtrix: VPS keeps the orthogonl mtrix A, nd DMC keeps the invertible mtrix B. They re both curious bout the originl bllot OB v of ech individul voter v, but they cnnot obtin OB v from MVP. For the DMC, it only hs ccess to dul-msked group bllot A GB g for ech group g, which is just rndom n p mtrix. Since A is only known to the VPS, the DMC cnnot decode the dul-msked group bllot to obtin ny individul bllot. Even if the DMC retrieves A, nd uses A 1 to recover the msked group bllot GB g, it still cnnot derive ny individul bllot from the group-rndomized bllot GB g. For the VPS, it hs ccess to the msked bllots MB v for ech voter v. However, since the group msking mtrix B is only known to the DMC, the VPS cnnot decode MB v to obtin v s originl vote OB v. Even if the VPS retrieves B, nd uses B 1 to recover the perturbed bllot NB v, it still cnnot derive the originl bllot OB v without the initil bllot

7 noise. Suppose the VPS ttempts to digest the originl bllot OB v from its perturbed bllot NB v = z. Through Lemm 1, when the noises flood mong the whole observtion spce, the VPS cnnot tell which noise hs been dded by 1 (the vote), which mens it cnnot retrieve the originl bllot OB v from the perturbed bllot NB v = z =[z 1,z 2,,z p ]= [w 1,w 2,,w p ]+OB v. In other words, if the noises fluctute with n mplitude higher thn certin vlue, the noises will overwhelm the originl bllot. Therefore, the bllot secrecy is preserved. 5) Integrity: In our MVP protocol, ech voter v only hs ccess to p encrypted msked bllots, ech corresponding to one vote for one prticulr cndidte. Since the bllots re encrypted nd msked by the DMC, v cnnot modify these bllots to throw multiple votes for some cndidte(s) in one bllot. In ddition, since the msking mtrix B nd the initil bllot noises re only known to the DMC, if compromised VPS ttempts to duplicte, modify, or replce ny individul bllot, the number of voters nd the finl tlly result will be mismtched during the counting phse, which cn be esily detected by the DMC. The VPS cnnot remove ny individul bllot either. When the DMC publishes the finl tlly result, ny voter v who hs voted cn check whether its voting identifer (GID v,index v )isinthesets or not. If (GID v,index v ) / S, then v cn detect the VPS hs removed its bllot nd report to the DMC. Therefore, no entity cn modify, duplicte, or remove ny individul bllot without being detected. The integrity of ech individul bllot is chieved in our MVP protocol. IV. RELATED WORK The existing nonymous E-voting protocols cn be briefly summrized into three ctegories: mix-nets, blind signtures, nd homomorphic encryption. Mix-net is chin of mixing servers (mixers) tht provide n nonymous communiction chnnel between the senders nd the receivers by re-rrnging the order of the messges from the senders [15]. The nonymous communiction chnnel offered by Mix-net cn be used to design nonymous voting protocols tht prevent the sever tht collects votes from knowing which vote comes from which voter [1], [5], [7], [10], [15]. However, the existing protocols bsed on Mix-net hve their deficiency [8]: They re generlly not efficient since computtionl effort is required for multiple mixers to prove the correctness. These mixers must be independently owned (such tht they will not collude), which increses the deployment difficulty in prctice. Protocols bsed on blind signtures [9], [16] re more prcticl with simpler procedures involving n uthorized uthentiction center tht produces blind signtures nd server tht collects the votes. Removing the need for trusted center tht genertes blind signtures, ring signture bsed protocol [8] is proposed for voters to sign their votes with linkble ring signtures [6]. The gretest drwbck of these protocols is the ssumption of n nonymous chnnel between the voters nd the server. Homomorphic encryption is nother technique frequently employed by nonymous E-voting protocols [4], [17]. Most of them do not conform to the receipt-freeness requirement. For the ones tht do [4], they cnnot ensure the integrity requirement when the proxy server (tht combines the homomorphiclly encrypted votes) is compromised. Moveover, the computtion overhed ssocited with homomorphic encryption is reltively high, nd ech voter must provide the proof of vlidity of his/her bllot, which needs to be verified by the proxy server. V. CONCLUSION In this pper, we propose two novel efficient nonymous E-voting protocol MVP. Unlike existing nonymous E- voting protocols which incur high computtion overhed for cryptogrphicl opertions, our protocols pply novel efficient dul rndom mtrix msking (DRMM) technique. Through nlysis, we demonstrte their correctness, receipt-freeness, double voting detection, firness, bllot secrecy, nd integrity. VI. ACKNOWLEDGMENT This work is supported in prt by the Ntionl Science Foundtion under grnt STC , nd grnt from Florid Cybersecurity Center. REFERENCES [1] A. Neff, A Verifible Secret Shuffle nd its Appliction to E-Voting, Proc. of ACM CCS, pp , [2] D. Chum, A. Essex, R. Crbck, J. Clrk, S. Popoveniuc, A. Shermn, nd P. Vor, Scntegrity: End-to-End Voter-Verifible Opticl- Scn Voting, Proc. of IEEE Security & Privcy, vol. 6, no. 3, pp , [3] B. Adid, Helios: Web-bsed Open-Audit Voting, Proc. of USENIX Security Symposium, vol. 17, pp , [4] A. P. Adewole, A. S. Sodiy, nd O. A. Arowolo, A Receipt-free Multi-Authority E-Voting System, Interntionl Journl of Computer Applictions, vol. 30, no. 6, pp , [5] M. Jkobsson, A. Juels, nd R. L. Rivest, Mking Mix Nets Robust For Electronic Voting By Rndomized Prtil Checking, Proc. of USENIX Security Symposium, pp , [6] J. Liu, V. Wei,, nd D. Wong, Linkble Spontneous Anonymous Group Signture for Ad Hoc Groups, Proc. of Informtion Security nd Privcy, pp , [7] D. Chum, Secret-Bllot Receipts: True Voter-Verifible Elections, Proc. of IEEE Security & Privcy, vol. 2, no. 1, pp , [8] S. Chow, J. Liu, nd D. Wong, Robust Receipt-Free Election System with Bllot Secrecy nd Verifibility, Proc. of NDSS, vol. 8, pp , [9] A. Fujiok, T. Okmoto,, nd K. Oht, A Prcticl Secret Voting Scheme for Lrge Scle Elections, Proc. of AUSCRYPT 92, pp , [10] A. Rier nd J. Borrell, Prcticl Approch to Anonymity in Lrge Scle Electronic Voting Schemes, Proc. of NDSS, [11] G. T. Duncn nd R. W. Person, Enhncing Access to Microdt While Protecting Confidentility: Prospects for the Future, Sttisticl Science, vol. 6, no. 3, pp , [12] S. Chwl, C. Dwork, F. McSherry, A. Smith, nd H. Wee, Towrd Privcy in Public Dtbses, Theory of Cryptogrphy, pp , [13] K. Murlidhr nd R. Srthy, Dt Shuffling-A New Msking Approch for Numericl Dt, Mngement Sci., vol. 52, no. 5, pp , [14] D. Ting, S. E. Fienberg, nd M. Trottini, Rndom Orthogonl Mtrix Msking Methodology for Microdt Relese, Interntionl Journl of Informtion nd Computer Security, vol. 2, no. 1, pp , [15] D. Chum, Untrceble Electronic Mil, Return Addresses, nd Digitl Pseudonyms, Communictions of the ACM, vol. 24, pp , [16], Elections with Unconditionlly-Secret Bllots nd Disruption Equivlent to Breking RSA, Proc. of EUROCRYPT 88, pp , [17] K. Peng, R. Adity, C. Boyd, E. Dwson, nd B. Lee, Multiplictive Homomorphic E-Voting, Proc. of INDOCRYPT 2004, pp , 2005.