Design and Implementation of a Mobile Voting System Using ...

Research ArticleDesign and Implementation of a Mobile Voting System Usinga Novel Oblivious and Proxy Signature

Shin-Yan Chiou123 Tsung-Ju Wang1 and Jiun-Ming Chen1

1Department of Electrical Engineering College of Engineering Chang Gung University 259 Wen-Hwa 1st Road KweishanTaoyuan Taiwan2Department of Nuclear Medicine Linkou Chang Gung Memorial Hospital Taoyuan Taiwan3Center for Biomedical Engineering Chang Gung University Taoyuan Taiwan

Correspondence should be addressed to Shin-Yan Chiou anselmailcguedutw

Received 2 August 2017 Revised 18 October 2017 Accepted 31 October 2017 Published 24 December 2017

Academic Editor Georgios Kambourakis

Copyright copy 2017 Shin-Yan Chiou et alThis is an open access article distributed under the Creative Commons Attribution Licensewhich permits unrestricted use distribution and reproduction in any medium provided the original work is properly cited

Electronic voting systems can make the voting process much more convenient However in such systems if a server signs blankvotes before users vote it may cause undue multivoting Furthermore if users vote before the signing of the server votinginformation will be leaked to the server and may be compromised Blind signatures could be used to prevent leaking votinginformation from the server however malicious users could produce noncandidate signatures for illegal usage at that time orin the future To overcome these problems this paper proposes a novel oblivious signature scheme with a proxy signature functionto satisfy security requirements such as information protection personal privacy and message verification and to ensure that noone can cheat other users (including the server) We propose an electronic voting system based on the proposed oblivious andproxy signature scheme and implement this scheme in a smartphone application to allow users to vote securely and convenientlySecurity analyses and performance comparisons are provided to show the capability and efficiency of the proposed scheme

1 Introduction

In recent years network transactions for applications suchas Internet auctions and banking have increased greatlyNetwork and mobile security technologies [1ndash6] play impor-tant roles in protecting usersrsquo privacy In this regard digitalsignatures have attracted considerable attention By usingpublic-key cryptography a signer can sign a message usinghis or her private key which is owned only by the signer tocreate a digital signature for the message Then any verifiercan validate the correctness of this signature by using thesignerrsquos public key

However it is necessary to protect the privacy of sig-nature receivers in some situations such as the contentsof signed message in a digital cash system or the choicesfrom candidates in an e-voting situation In 1983 Chaum[7] introduced a blind signature scheme to offer blindnesswhich protects the signeersquos privacy In 2013 Nayak et al [8]proposed a blind signature scheme based on an elliptic curvediscrete logarithm problem In 2005 Rabin [9] introduced

the concept of oblivious transfer In 1994 Chen [10] proposedthe concept of oblivious signatures and considered two typesof oblivious signature schemes In 2008 Tso et al [11]provided formal definitions and security requirements foran oblivious signature scheme In 2012 Chou [12] proposeda more efficient and secure 119896-out-of-119899 oblivious transferscheme

In 1996 Mambo et al [13] proposed the concept ofproxy signature Various proxy signature schemes have beenproposed [14 15] In 2000 Lin and Jan [16] proposedthe first proxy blind signature scheme that combines thefunctionalities of both proxy signatures and blind signaturesIn 2002 Tan et al [17] proposed a proxy blind signaturescheme however in 2003 Lal and Awasthi [18] showed thisscheme to be insecure and further proposed a new schemethat is secure and more efficient than Tan et alrsquos schemeIn 2013 Yang and Liang [19] proposed a new proxy blindsignature scheme that allows revocation

For electronic voting systems in 2001 Ray and Narasim-hamurthi [20] introduced an online anonymous electronic

HindawiSecurity and Communication NetworksVolume 2017 Article ID 3075210 16 pageshttpsdoiorg10115520173075210

2 Security and Communication Networks

voting protocol that allows a voter to cast his or her ballotanonymously by exchanging untraceable authentic messagesIn 2013 Pan et al [21] proposed an electronic voting schemethat is based on the ring signature and is resistant to a clashattack Several schemes with delegated voting functionalityhave been proposed In 2013 Zwattendorfer et al [22] pro-posed a proxy voting scheme that allows a voter to delegate hisor her voting power to a proxy who actually casts the ballotsfor all represented voters Norway has used an Internet-basedvoting protocol for some years and the vote privacy andcorrectness of this scheme have been demonstrated [23] In2016 Kulyk et al [24] proposed a new coercion-resistantproxy voting scheme by extending the coercion-resistantJCJCivitas theme aiming to prevent direct voter coerciondelegation coercion and proxy coercionThey also proposeda new proxy voting scheme [25] to extend the Helios votingsystem [26] with delegated voting functionality In 2017Cohensius et al [27] considered a social choice problem anddemonstrated that the mechanism using proxy voting betterapproximates the optimal outcome

11 Motivation Compared with a blind signature schemea oblivious signature scheme used in e-voting provides onemore property ambiguity in selected messages A signercannot find out which message a voter has selected whilesigning the messages but the signer can be certain thatthe message the voter chooses is one of the predeterminedmessages otherwise the signature would not be accepted bya verifierTherefore in oblivious signature systemswhich dif-fer from blind signature schemes the limited signed contentscan prevent potential malicious users from obtaining validsignatures of some candidates for unauthorized purposes

In addition because each unit of a group (such as eachstate of a country each county of a state each campus of aschool or each approved bank of a group) may use differentmethods to authorize their members (using different keys)polling booths with proxy ability are required Additionalbenefits include reducing the load at voting centers andavoiding network jams Moreover the mobility of the votingfunctionality allows people to vote from anywhere using theirmobile devices thereby making the electronic voting systemmore convenient

The goal in this research is a design of novel schemeswhich combine oblivious andproxy signatures and extend thedesigned schemes to an electronic voting system which pro-vides the following properties mobility instant voting proxysigner completeness unforgeability unlinkability undenia-bility accuracy distinguishability ambiguity nonduplicationeligibility verifiability fairness and privacy where fairnessmeans that no one can know the current total number ofvotes received by every candidate before the end of the votingperiod

12 Our Contribution In this paper based on the Schnorrsignature [28] we propose two novel 1-out-of-119899 blind(oblivious) and proxy signature schemes that combine theadvantages of oblivious signatures and proxy signaturesand satisfy the security properties of these two signatureschemes One of the proposed proxy oblivious schemes is of

the proxy-unprotected type and the other is of the proxy-protected type Based on our schemes we also propose ananonymous electronic voting system with proxy signer Byusing the concept proposed in [29] we conduct security anal-yses and performance comparisons The results showed thatour scheme has good performance and is efficient Finallywe implement the voting system on Android mobile phonesto prove that our scheme is workable This paper extendsthe research [30] which presents the concept of 1-out-of-119899oblivious and proxy signature schemes of proxy-unprotectedtype without the voting system application security analysesand formal proofs and mobile phone implementation

2 Related Works

In this section we present two representative protocols thatare relevant to our scheme oblivious signature and proxysignature

21 Oblivious Signature In 1983 Chaum [7] introduced ablind signature scheme Compared with a normal signaturea blind signature offers an additional property blindness thatprovides it with the ability to protect the signeersquos privacy In ablind signature scheme a signee could get a messagersquos digitalsignature signed by a signer without revealing any informa-tion about themessageThis is vital in some applications suchas electronic payment systems and secure voting systems [31ndash35] because the requesterrsquos messages may be sensitive Nayaket al [8] also proposed a blind signature scheme based on anelliptic curve discrete logarithm problem

In 2005 Rabin [9] introduced the concept of oblivioustransfer In this protocol a sender sends some subsets of somemessages but does not know what the receiver has receivedThus the receiver can get the particular message he or shewants without revealing any information about the messageto the sender In 2012 Chou [12] proposed a more efficientand secure 119896-out-of-119899 oblivious transfer scheme

In 1994 Chen [10] proposed the concept of oblivioussignatures He considered two types of oblivious signatureschemes The first one comprises 119899 keys and one messagethe receiver can get a message signed with one of 119899 keysthat are chosen by him or her while the signers cannot knowwhich key has been used for the signature by the receiverThesecond one comprises 119899 messages and one key a signee canchoose one predetermined message to get signed while notrevealing any information about the selected message to thesigner In contrast to blind signatures oblivious signaturescan guarantee that the signed message is actually one of thepredetermined messages therefore if the receiver were tosubmit some additional messages the signature would not beaccepted by the scheme

In 2008 Tso et al [11] noted that Chenrsquos proposal doesnot crisply formalize the notion and security properties ofthe scheme Consequently they provided formal definitionsand security requirements for an oblivious signature schemeincluding completeness unforgeability and ambiguity andproposed a 1-out-of-119899 oblivious signature agreement basedon Schnorrrsquos blind signature [28] They also improvedthe schemersquos performance The preceding properties render

Security and Communication Networks 3

Signer Recipient Verifier

for i = 1 2 n

Ki = gk ＧＩ＞ p

ei = H(mi Kic(gℎ)i ＧＩ＞ p)

si = ki minus xei ＧＩ＞ q

c m1 m2 mn

if correct

for i = 1 2 n

c = grℎl ＧＩ＞ p

(ml isin m1 m2 mn)

i = g(rminusi)ℎ(lminusi) ＧＩ＞ p

ei = H(mi g

s ye i ＧＩ＞ p)

e = el

s = r minus l + sl Ｇod q

= (e s)ml

e = H(ml gsye ＧＩ＞ p)

ki isinR Zlowastq

r isinR Zlowastq

(ei si) 1 le i le n

Figure 1 Oblivious signature scheme

oblivious signatures very suitable for electronic voting appli-cations

In their scheme [11] it first creates a normalized definitionfor the oblivious signature agreement and proposes thefollowing properties to ensure security

(1) Completeness as long as the recipient and the signercan implement the agreement honestly once theagreement is completed the recipient can obtain thesigned message

(2) Unforgeability despite the algorithm being publiclypublished attackers still have difficulty creating aforged signature within an acceptable time frame

(3) Ambiguity in selected messages the signer is unableto determine the recipientrsquos selection

This system provides for three roles namely the signerthe recipient and the verifier The operation proceedsthrough three phases namely initiation signing and veri-fication Figure 1 shows their scheme and the steps in thisscheme are as follows

(1) System Initiation Phase In this phase the signer generatespublic parameters and a pair of asymmetric keys for use inthe following process

The signer first establishes security parameter 1119896 to inputinto the system to establish the algorithm G which can beused to obtain the public parameters for the agreement

(A) 119901 119902 are two large prime numbers and 119902 | (119901 minus 1)(B) 119892 ℎ isin119877119885

lowast119901 are two parameters with order 119902

(C) 119867() is a hash function

The signer also selects a random number 119909 isin119877119885lowast119902 as a

private key to calculate the public key 119910 = 119892119909mod119901

(2) Signing Phase This phase explains how the recipientobtains the signature value from the signerrsquos signature (seeFigure 1)

Step 1 Assume the recipient wants to obtain the signaturevalue for message 119898119897 isin 1198981 1198982 119898119899 First the recipientselects 119903 isin119877119885

lowast119902 then calculates 119888 = 119892119903ℎ119897mod119901 and then

transmits 119888 and 1198981 1198982 119898119899 to the signer

Step 2 After the signer receives these he selects randomnumbers 119896119894 isin119877119885119902

lowast 119894 = 1 2 119899 using 119896119894 to calculate 119870119894 =119892119896119894 mod119901 followed by 119890119894 = 119867(119898119894 119870119894119888(119892ℎ)

119894mod119901) and usesprivate key 119909 to obtain 119904119894 = 119896119894 minus 119909119890119894mod 119902 for the signedmessage Finally (119890119894 119904119894) 119894 = 1 2 119899 is transmitted to therecipient

Step 3 Once the recipient has received (119890119894 119904119894) heshe thencalculates 120575119894 = 119892(119903minus119894)ℎ(119897minus119894)mod119901 119894 = 1 2 119899 andverifies (119890119894 119904119894) to determine whether it satisfies 119890119894

= 119867(119898119894

119892119904119894119910119890119894120575119894mod119901) where only the 119897th message initially selectedby the recipient will be successfully verified

Step 4 The successful verification (119890119897 119904119897) is then used tocalculate 119890 = 119890119897 and 119904 = 119903 minus 119897 + 119904119897mod 119902 Finally we obtainthe119898119897rsquos signature value 120590(119898119897) = (119890 119904)

(3) Verification Phase This phase explains how the verifierverifies the correctness of the signature obtained by therecipient (see Figure 3)

Step 1 The recipient sends the obtained signature value120590(119898119897)and the selection119898119897 to the verifier

Step 2 After the verifier obtains (119898119897 120590(119898119897)) heshe deter-mines whether (119898119897 120590(119898119897)) satisfies 119890

= 119867(119898119897 119892

119904119910119890mod119901)


If it does this represents that the signature obtained by therecipient is genuine

Note that in Step 2 of signing phase the signer cannotlearn which message is selected by the recipient this iscalled the ambiguity of the protocol Moreover in Step 2 ofverification phase unless the selected message 119898119897 is one ofthe elements of 119898119894 the signature will not be accepted by averifier This protocol ensures that a signeersquos message is oneof the predetermined messages which is one of the featuresof an oblivious signature scheme

22 Proxy Signature Although the aforementioned signatureschemes seem practical they are unsuitable for applicationsin which the signers are not always available To overcomethis problem in 1996Mambo et al [13] proposed the conceptof proxy signature Various proxy signature schemes havebeen proposed [14 15] Such schemes consist of three entitiesan original signer a proxy signer and a signee The originalsigner can delegate his or her signing power to one or moreproxy signers to enable them to sign messages submittedon his or her behalf Mambo et al discussed two typesof proxy signature schemes proxy unprotected and proxyprotected

Proxy-unprotected proxy signatures include two casesfull delegation and partial delegation In full delegation theoriginal signer gives his or her private key to the proxysigner to sign messages therefore the original signer takesfull responsibility for the signatures produced by the proxysigner In partial delegation the original signer creates aproxy signature key using his or her private key and securelyforwards it to the proxy signer then the proxy signer usesthis proxy signature key to sign messages on the originalsignerrsquos behalf

Proxy-protected proxy signature schemes allow the orig-inal signer to use his or her private key to create a proxysignature key and securely forward it to the proxy signerThe proxy signer computes a new proxy signature signingkeymdashwhich contains both the original signerrsquos original proxysignature signing key and the private key of the proxysignermdashand then signs messages using the new proxy sig-nature key Therefore the original signer and proxy signershare the responsibility for the valid proxy signatures gen-erated by the proxy signer Both of these schemes affordsecurity properties such as verifiability unforgeability andundeniability

For example the president of a company could ask his orher reliable secretary (using the proxy-unprotected signaturescheme) or employee (using the proxy-protected signaturescheme) to sign some important documents on his or herbehalf Then if some illegal situation arises in relation tothe proxy signature the employeersquos privacy can be uncoveredwhile the secretaryrsquos privacy cannot

Moreover delegation can be categorized as full delega-tion partial delegation and delegation by warrant as follows

(1) Full delegation the proxy signer obtains a copyof the original signerrsquos signature key to produce aproxy signature value identical to the signature of theoriginal signer

(2) Partial delegation the proxy signerrsquos signature key isobtained through a calculation based on the originalsignerrsquos private key However the proxy signature keycannot be used to obtain information related to theoriginal signerrsquos private key Partial delegation can becategorized as one of two types proxy-unprotectedor proxy-protected In the former the original signerand proxy signer can both provide valid proxy signa-tures In the latter only the proxy signer can providea valid proxy signature

(3) Delegation by warrant a warrant based on the orig-inal signerrsquos signature is used to validate the proxysignerrsquos signing authority The proxy signerrsquos autho-rization message and proxy signature content isincluded in the proxy signature and the verifier is usedto determine the legitimacy of the authorization

The original signer first delegates hisher signing rights toone or more proxy signers so that the proxy signers can signa message in the name of the original signer Each type of thescheme proxy unprotected or proxy protected has to satisfythree security requirements

(1) Verifiability the proxy signature created by the proxysigner can convince anyone of the permission fromthe original signer

(2) Unforgeability only the authorized proxy signers cansign a valid signature this cannot be done even by theoriginal signer

(3) Undeniability neither the proxy signer nor the orig-inal signer can deny the signature they created afterthe signature creation

The earliest proxy signature scheme (Figure 2) (proposedby Mambo et al [13]) is a proxy signature of the proxy-unprotected type for the ElGamal scheme [36] The steps inthis scheme are as follows

(1) Key Generation Phase In this phase the system generatestwo primes and a pair of keys public and private keys for usein the following process

Step 1 Choose two large prime numbers p q such that 119902 |(119901 minus 1)

Step 2 Select random numbers 119892 isin 119885lowast119901 such that Ord119901119892 = 119902

Step 3 Each of the original signer and the proxy signerchoose a random number 119909 isin119877119885

lowast119902 as their private keys

Step 4 Each of the original signer and the proxy signercompute 119910 = 119892119909mod119901 as their public keys

(2) Proxy Phase

Step 1 The original signer chooses a random number119896 isin119877119885

lowast119901minus1

Step 2 The original signer computes 119870 = 119892119896mod119901


m

(secure manner)

Original signer Proxy signer Signee Verifier

K = gk ＧＩ＞ p

= x + kKＧＩ＞(p minus 1) ( K)

g = yKKＧＩ＞ p

R = gr ＧＩ＞ p

s = rminus1 (m minus R)ＧＩ＞(p minus 1)(R s K)

get (R s K)(m (R s K))

gm = (yKK)RRs ＧＩ＞ p

message m

kisinR Zlowastpminus1

r isinR Zlowastpminus1

Figure 2 Proxy signature scheme

(secure manner)

ℬ

r = gk ＧＩ＞ p

sp = xAr + kＧＩ＞ q

yp = gs

publish yp

(r sp)

if correct acceptgs = ryrAＧＩ＞ p

k isinR Zlowastq

Figure 3 Proxy phase (proxy-unprotected type)

Step 3 The original signer calculates 120590 = 119909 + 119896119870mod(119901 minus 1)and sends 120590 to the proxy signer via a secure channel

Step 4 After receiving 120590 the proxy signer checks whether119892120590= 119910119870119870mod119901 is correct If it is the proxy signer accepts

delegation

(3) Signing Phase After receiving a message 119898 from arequestor the proxy signer processes the follow steps

Step 1 Choose a random number 119903 isin119877119885lowast119901minus1

Step 2 Compute 119877 = 119892119903mod119901

Step 3 Evaluate 119904 = 119903minus1(119898 minus 119877120590)mod(119901 minus 1) and sendsignature (R s K) to the requestor

(4) Verification Phase After receiving a message (m (R sK)) from the requestor a verifier checks the validation ofthe signature via the following verification equation 119892119898 =(119910119870119870)119877119877119904mod119901

Note that (119910119870119870)119877119877119904 = (119892119909119892119896119870)119877119892119903119904 =119892119877(119909+119896119870)119892119903[119903minus1(119898minus119877120590)]

= 119892119877(119909+119896119870)+(119898minus119877120590) = 119892119877(119909+119896119870)+119898minus119877(119909+119896119870) = 119892119898mod119901

3 System Goal and Security Requirements

In this sectionwe define the attackermodel propose twonewsignature schemes and present one electronic voting systembased on the proposed signature schemes

31 Attacker Model for Signature Scheme The proposedsignature schemes consist of four entities an original signerA a proxy signer B a receiver R and a verifier V Inour scheme we assume the channels between A and B aresecure Any identity (ieR orV) communicates withB viaan insecure public channel offering adversaries opportunitiesto intercept In the following we present the assumptions ofthe attacker model [37 38]

(1) An adversary may eavesdrop on all communicationsbetween protocol actors over the public channel

(2) An attacker can modify delete resend and reroutethe eavesdropped message

(3) An attacker cannot intercept a message over a securechannel

(4) An attacker cannot be a legitimate original signer orproxy signer

(5) The attacker knows the protocol description whichmeans the protocol is public

32 Signature Scheme We define the security properties of aproxy oblivious signature scheme as follows

Definition 1 (security requirements of our signature scheme)Our signature scheme is secure if it achieves (1) completeness(2) unforgeability (3) unlinkability (4) undeniability (5)verifiability (6) distinguishability and (7) ambiguity

The security requirements of our proposed scheme arelisted as follows

(1) Completeness if all entities follow the protocol hon-estly then at the end of the protocol R will obtainthe valid signature 120590 of the selected message


(2) Unforgeability in a proxy-unprotected type schemeB can sign messages on behalf of A without takingresponsibility for the signature V can merely knowthat the signature is signed by some proxy delegatedbyA and no one exceptB (orA) can produce a validsignature In a proxy-protected type scheme A andB share the responsibility for the signature and onlyB can create a valid signature for R Consequentlythe proxy signing key is practically unbreakablemaking it almost impossible for an attacker to createa valid signature

(3) UnlinkabilityB can identify neither themessage northe proxy signature he or she generates associatedwith the scheme after the signature is revealed whennecessary

(4) Undeniability neither A nor B can deny the signa-ture they have created after signature generation

(5) Verifiability the signature that R receives should beable to convinceV of the agreement fromA andB

(6) Distinguishability the proxy signature is distinguish-able from a normal one

(7) AmbiguityB cannot find out which messageR hasselected while signing the messages but B can becertain that the message he or she signs is one ofthe predeterminedmessages otherwise the signaturewould not be accepted by a verifier

33 Attacker Model for Voting Scheme The proposed elec-tronic voting system consists of five entities a creator Aa proxy creator B a voter R a voting center V and abulletin boardBB In our scheme we assume the channelsbetween A and B are secure Any identity (ie R Vor BB) communicates with B via an insecure publicchannel offering adversaries opportunities to intercept Inthe following we present the assumptions of the attackermodel [37 38]




(4) An attacker cannot be a legitimate creator or proxycreator


34 Voting System The proposed electronic voting systemconsists of five entities A B R V and BB which ina practical situation would correspond to a central govern-ment a local government a voter a voting center computerand a bulletin website respectively Anane et al [39] presentthe core properties of the voting system and indicated that aviable e-voting system should possess (1) accuracy (2) privacy(untraceability) (3) individual and universal verifiability

(4) eligibility and (5) fairness Based on [39] we definethe system requirements of the proposed electronic votingsystem as follows

Definition 2 (system requirements of our electronic votingsystem) Our electronic voting system is secure if it achieves(1) proxy completeness (2) eligibility (3) nonduplication (4)fairness (5) accuracy (6) verifiability and (7) privacy

This system requirements of our electronic voting systemare listed as follows

(1) Proxy completeness the proxy creator should notdeny the fact that he or she has accepted the delega-tion from the creator

(2) Eligibility only voters who have the right to vote canparticipate in the voting event

(3) Nonduplication every legal voter is allowed to castonly one ballot

(4) Fairness before the end of the voting period no onecan know the current total number of votes receivedby every candidate

(5) Accuracy the validity of all ballots can be verified byusing the proper public key

(6) Verifiability every voter should be able to confirm hisor her voting condition and verify all other votersrsquoballots

(7) Privacy no one except for the voter can find outwhich candidate has been chosen even at the end ofvoting

4 Proposed Signature Scheme

Two types of proxy oblivious signature schemes are pro-posed proxy-unprotected type and proxy-protected typeEach scheme includes four phases (1) system setup phase(2) proxy phase (Figure 3) (3) signing phase (Figure 4)and (4) verification phase (Figure 5) Notation illustrates thenotations used in the protocol

41 Proxy-Unprotected Type For a proxy-unprotected typescheme our protocol is as follows

(1) System Setup Phase

Step 1 Two large primes 119901 119902 ni 119902 | (119901 minus 1) are chosen

Step 2 Two generators 119892 ℎ isin 119885lowast119901 where Ord119901119892 = 119902 andOrd119901ℎ = 119902 are chosen

Step 3 The original signerA chooses 119909119860 isin 119885lowast119902 and computes

119910119860 = 119892119909119860 mod119901

Step 4 The proxy signer B chooses 119909119861 isin 119885lowast119902 and computes119910119861 = 119892119909119861 mod119901


for i = 1 2 n

Ki = gk ＧＩ＞ p

i = c(gℎ)i ＧＩ＞ p

ei = H(mi Kii ＧＩ＞ p)

si = ki minus spei ＧＩ＞ q

m1 m2 mn c

if correct

for i = 1 2 n


decide n messagesm1 m2 mn

c = gℎminusb ＧＩ＞ p

(mb isin m1 m2 mn)

ei = H(mi gs y

ep i ＧＩ＞ p)

e = eb

s = sb + + bＧＩ＞ q

= (e s)

ℬ ℛ

ki isinR Zlowastq

isinR Zlowastq

(ei si) 1 le i le n

Figure 4 Signing phase

(mb )e = H(mb g

syep ＧＩ＞ p)

ℛ

Figure 5 Verification phase

(2) Proxy Phase

Step 1 (commission generation) A randomly chooses119896 isin119877119885

lowast119902 and computes 119903 = 119892119896mod119901 119904119901 = 119909119860119903 + 119896mod 119902

and 119910119901 = 119892119904119901 mod119901

Step 2 (proxy delivery) A securely forwards the pair (119903 119904119901)to the proxy signerB and publishes 119910119901

Step 3 (proxy verification) B checks whether 119892119904119901 =119903119910119903119860mod119901 holds If it doesB accepts the proxy and uses 119904119901as his or her secret proxy signature key

(3) Signing Phase

Step 1 R decides 119899 messages 1198981 1198982 119898119899 and thenselects a message 119898119887 isin 1198981 1198982 119898119899 randomly choosesV isin119877119885

lowast119902 computes 119888 = 119892Vℎminus119887mod 119901 and finally sends the

determined messages and 119888 toB

Step 2 For 119894 = 1 2 119899 B chooses 119899 random numbers119896119894 isin119877119885

lowast119902 computes 119870119894 = 119892119896119894 mod119901 120575119894 = 119888(119892ℎ)119894mod119901

119890119894 = 119867(119898119894 119870119894120575119894mod119901) and 119904119894 = 119896119894 minus 119904119901119890119894mod 119902 and sends(119890119894 119904119894) toR where 1 le 119894 le 119899

Step 3 For 119894 = 1 2 119899 R computes 120575119894 = 119888(119892ℎ)119894mod119901and accepts the oblivious signature if and only if 119890119894 =

119867(119898119894 119892119904119894119910119890119894119901 120575119894mod119901)

(secure manner)

ℬ

r = gk ＧＩ＞ p

sA = xAr + kＧＩ＞ q

yp = gs ＧＩ＞ p

publish yp yB

(r sA)

if correctgs = ryrA ＧＩ＞ p

sp = sA + xB ＧＩ＞ q

k isinR Zlowastq

Figure 6 Proxy phase (proxy-protected type)

Step 4 To convert the oblivious signature into a genericsignature R lets 119890 = 119890119887 and computes 119904 = 119904119887 + V + 119887mod 119902The signature for119898119887 is 120590 = (119890 119904)

(4) Verification Phase As shown in Figure 5 the verifier Vaccepts the signature 120590 as a valid signature if and only if 119890 =119867(119898119887 119892

119904119910119890119901mod119901)

42 Proxy-Protected Type For a proxy-protected typescheme the signing phase and verification phase are thesame as those in the case of a proxy-unprotected type schemeexcept for one more computation 119910119901 = 1199101015840119901119910119861mod119901 (asshown in Figure 6)The proxy phase is modified as describedsubsequently

(1) Proxy Phase



and 1199101015840119901 = 119892119904119860 mod119901


Step 3 (proxy verification) B checks whether 119892119904119860 =119903119910119903119860mod119901 holds If it does B accepts the proxy and com-putes 119904119901 = 119904119860 + 119909119861mod 119902 as his or her secret proxy signaturekey

5 Proposed Voting System

51 System Overview Based on the proposed signaturescheme our electronic voting system allows a creator (centralgovernment) to delegate one or more proxy creators (localgovernment) and a voter can get a legal ballot from a proxycreator and send his or her vote to a verifier (center votingcomputer)

This system includes six phases (1) system setup phase(2) proxy phase (Figure 8) (3) register phase (Figure 9) (4)circling phase (Figure 10) (5) voting phase (Figure 11) and(6) counting phase (Figure 12) as shown in Figure 7

Step 1 The system first generates the required parameters

Step 2a The creator delegates his or her authority to a proxycreator


(Step 1) System setup phase

(Step 2a) Proxy phase

(Step 2b) Publish public key

(Step 3a) Register phase

(Step 3b) Publish registrantrsquos certificate

(Step

3c) C

onfir

m regis

ter

(Step 4) Circling phase (Step 5a) Voting phase

(Step 5b) Publish message from R

(Step 6a) Counting phase

(Step 6b) Result announcement

A

B

BB

RV

(Step

5c) C

onfir

m ballo

t

Figure 7 System diagram

If correct

rA = gk ＧＩ＞ p

sA = xArA + kＧＩ＞ q

dlgAB = (rA sA)e ＧＩ＞NB

yp = gs ＧＩ＞ p

seAB ＧＩ＞NB = H(y

p)

publish yp yB in BB

dlgAB

sAB

if correct

gs = rAyrA ＧＩ＞ p

sAB = H(gs ＧＩ＞ p)d ＧＩ＞NB


ℬ

kisinR Zlowastq

Figure 8 Proxy phase

if id is validstores ( in system database

reg

Cert(R)

seB ＧＩ＞NB =

ℬ ℛ

(Ｃ＞ＪＨHR)

ＪＨHR)

= ＬＡd ＧＩ＞NB

flag(pn) = 0ＥＳR = H(HR eB)

sB = H(ＪＨ eB)d ＧＩ＞NB

Cert(R) = (ＪＨ eB sB)publishes Cert(R) H(ＥＳR) in BB

HR = H(ＪＱ)

ＬＡ = (Ｃ＞ＪＨHR)e ＧＩ＞NB

H(ＪＨ eB)

Figure 9 Register phase

Step 2b The creator publishes the public key of the proxycreator to the bulletin

Step 3a The proxy creator examines whether the registrantis a legal voter if so he or she distributes a certificate to thevoter

Step 3b The proxy creator publishes the certificate to thebulletin

Step 3c The voter checks whether he or she has registeredsuccessfully via the bulletin

Step 4 The voter chooses a candidate and receives thesignature on it from the proxy creator

Step 5a The voter casts his or her ballot and sends it to thevoting center

Step 5b The voting center publishes a message about theballot from the voter to the bulletin

Step 5c Every voter can confirmwhether his or her ballot hasbeen received by the voting center if not he or she can resendthe ballot

Step 6a At the end of the voting period the proxy creatorforwards the decrypting key to the voting canter and thevoting center starts to verify and count the ballots

Step 6b The voting center publishes the voting result to thebulletin where everyone can verify and count all ballots

52 System Process We assume that the system databasealready contains an identification list of legal voters andthat the bulletin is read-only to all entities except for theauthorities




ℬ ℛ

HR = H(HR r)

Ki = gk ＧＩ＞ p



r

(mb isin m1 m2 mn)

yp = ypyB ＧＩ＞ p

foralli = 1 2 n


e = eb


(mb) = (e s)

r isinR Zlowastq

flag(pn) = 0

ki isinR Zlowastq foralli = 1 2 n

ei = H(mi ＪＨ Kii ＧＩ＞ p)

set flag(pn) = 1 (ei si) 1 le i le n

(ＪＨHR c)

HR = H(H(ＪＱ) r)

isinR Zlowastq c = g

ℎminusb ＧＩ＞ p

ei = H(mi ＪＨ gs y

ep i ＧＩ＞ p)

Figure 10 Circling phase

seB ＧＩ＞NB =

ℛ

CR = EH(H(ＪＱ)e)(mb (mb))(Cert(R) CR)

public (Cert(R) CR) in BBH(ＪＨ eB)

Figure 11 Voting phase

ℬ

the ballot is counted


ＥＳR (mb (mb)) = DＥＳ(CR)

publishes (Cert(R) CR mb ＥＳR) in BB

e = H(mb ＪＨ gsyep ＧＩ＞ p)

Figure 12 Counting phase


Step 3 The creator A chooses 119909119860 isin 119885lowast119902 and computes 119910119860 =119892119909119860 mod119901

Step 4 The proxy creatorB chooses 119909119861 isin 119885lowast119902 and computes

119910119861 = 119892119909119861 mod119901

Step 5 B chooses two large primes 119901119861 119902119861

Step 6 B computes119873119861 = 119901119861 times 119902119861

Step 7 B computes 120601(119873119861) = (119901119861 minus 1)(119902119861 minus 1)

Step 8 B chooses 119890119861 ni GCD(119890119861 120601(119873119861)) = 1

Step 9 B computes 119889119861 = 119890minus1119861 mod120601(119873119861)

(2) Proxy Phase

Step 1 A randomly chooses 119896 isin119877119885lowast119902 and computes 119903119860 =

119892119896mod119901 119904119860 = 119909119860119903119860 + 119896mod 119902 and 1199101015840119901 = 119892119904119860 mod119901

Step 2 A encrypts the pair (119903119860 119904119860) using (119890119861 119873119861) forwardsit toB and publishes 1199101015840119901

Step 3 B decrypts (119903119860 119904119860) using (119889119861 119873119861) and checkswhether 119892119904119860 = 119903119860119910

119903119860119860 mod119901 holds If it does B accepts the

proxy and computes 119904119901 = 119904119860 + 119909119861mod 119902 as his or her secretproxy signature key

Step 4 B generates a signature 119904119860119861 =

119867(119892119904119860 mod119901)119889119861 mod119873119861 and forwards it toA

Step 5 A checks whether 119904119890119861119860119861 = 119867(1199101015840119901)mod119873119861 holds If itdoes he or she publishes 1199101015840119901 119910119861 to the bulletin

(3) Register Phase

Step 1 A voter R picks a pseudoname pn and a passwordpw computes 119867119877 = 119867(pw) encrypts (id pn 119867(pw)) using(119890119861 119873119861) and sends it to a proxy creator

Step 2 B decrypts (id pn 119867119877) using (119889119861 119873119861) and checkswhether R is a legal voter If so B stores (pn 119867119877) inthe system database sets flag(pn) = 0 calculates key119877 =

119867(119867119877 119890119861) and 119904119861 = 119867(pn 119890119861)119889119861 mod119873119861 returns Cert(119877) to

R and publishes Cert(119877) to the bulletin where Cert(119877) =(pn 119890119861 119904119861)

Step 3 R verifies whether 119904119890119861119861 = 119867(pn 119890119861)mod119873119861 is correctIf so he or she has the right to vote


(4) Circling Phase

Step 1 B sends a random number 119903 isin119877119885lowast119902 to R after

receiving a login request fromR

Step 2 R computes 1198671015840119877 = 119867(119867(pw) 119903) picks a randomnumber V isin119877119885

lowast119902 calculates 119888 = 119892Vℎminus119887mod119901 (119898119887 isin 1198981 1198982

119898119899) and forwards (pn 1198671015840119877 119888) toB

Step 3 B examines whether 1198671015840119877 = 119867(119867119877 119903) is correct Ifso B checks whether flag(pn) = 0 If it holds B chooses119896119894 isin119877119885

lowast119902 calculates 119870119894 = 119892119896119894 mod119901 120575119894 = 119888(119892ℎ)119894mod119901

119890119894 = 119867(119898119894 pn 119870119894120575119894mod119901) and 119904119894 = 119896119894 minus 119904119901119890119894mod 119902 forall119894 =1 2 119899 returns (119890119894 119904119894) 1 le 119894 le 119899 toR and sets flag(pn) =1

Step 4 R computes 119910119901 = 1199101015840119901119910119861mod119901 and for every 119894 =1 2 119899 he or she calculates 120575119894 = 119888(119892ℎ)119894mod119901 and checkswhether 119890119894 = 119867(119898119894 pn 119892

119904119894119910119890119894119901 120575119894mod119901) is correct If so Rcomputes 119904 = 119904119887 + V + 119887mod 119902 and 119890 = 119890119887 The final signatureis 120590(119898119887) = (119890 119904)

(5) Voting Phase

Step 1 R calculates119867(119867(pw) 119890119861) and uses it as a symmetrickey to encrypt (119898119887 120590(119898119887)) produces a cipher 119862119877 and sends(Cert(119877) 119862119877) to the voting center

Step 2 V first examines whether 119904119890119861119861 = 119867(pn 119890119861)mod119873119861holds If soV publishes (Cert(119877) 119862119877) to the bulletin

Step 3 Every voter can check whether his or her ballot isreceived by the voting center via the bulletin If it is not thevoter resends (Cert(119877) 119862119877)

(6) Counting Phase

Step 1 B forwards key119877 = 119867(119867119877 119890119861) to the voting center

Step 2 V decrypts 119862119877 using the symmetric key key119877publishes (Cert(119877) 119862119877 119898119887 key119877) to the bulletin and cal-culates 119910119901 = 1199101015840119901119910119861mod119901 and verifies whether 119890 =

119867(119898119887 pn 119892119904119910119890119901mod119901) is correct If so the signature is valid

and the ballot is counted

Step 3 V publishes the voting result Everyone can verify andcount the ballots via the bulletin

6 Security Analysis

In this section we analyze our protocol according to thesecurity requirements defined in Section 3

61 Signature Scheme

(1) The Proposed Scheme Is Complete Because the com-pleteness of the signature 120590 = (119890 119904) depends on the

Schnorr signature [28] we only show the completeness ofthe oblivious signature generated in the signing phase Forany (119890119894 119904119894) 119894 = 1 2 119899 we have 119867(119898119894 119892

119904119894119910119890119894119901 120575119894mod119901) =119867(119898119894 119892

119896119894minus119904119901119890119894119892119904119901119890119894120575119894mod119901) = 119867(119898119894 119892119896119894120575119894mod119901) =

119867(119898119894 119870119894120575119894mod119901) = 119890119894 Therefore the completeness of theproxy signature 120590 = (119890 119904) is proved

(2) Proxy Oblivious Signatures Are Unforgeable Unforgeabil-ity can be proved via Definitions 3 and 5 andTheorems 4 and6

Definition 3 (DLP) Let 1199011 be a large prime 1198921 be a primitiveroot modulo 119901 and 119910 = 1198921

119909mod1199011 where 119909 119910 isin 119885lowast1199011 If 119909can be evaluated fromgiven1199101199011 and1198921 thenwe say discretelogarithm problem (DLP) can be solved (the probability ofsolving this problem is denoted as Pr(119909 | 119910 1199011 1198921) = 1205761)

Theorem 4 (unforgeability) In our protocol if a recipient canforge the signerrsquos signature then DLP can be solved

Proof In our scheme assume an adversary tries to evaluate 119904119860by eavesdropping1199101015840119901 Let RO1 be a randomoracle input1199101015840119901119901and 119892 to output 119904119860 (ie RO1(119910

1015840119901 119901 119892) rArr 119904119860) In Definition 3

let 1199101015840119901 larr 119909 119901 larr 1199011 and 119892 larr 1198921 be input parameters ofRO1 and obtain output 119904119860 Let 119910 larr 119904119860 then 119910 is evaluatedTherefore Pr(119904119860 | 119910

1015840119901 119901 119892) le Pr(119910 | 119909 1199011 1198921) = 1205761 which

means the discrete logarithm problem can be solved if RO1exists

Definition 5 (DLP under known plaintext attack) Let 1199011 bea large prime 1198921 be a primitive root modulo 1199011 and 119910119894 =119892119909119894 mod1199011 where 119909119894 119910119894 isin 119885lowast1199011 If 119909119899+1 can be evaluatedfrom given 1199011 1198921 (119909119894 119910119894) and 119910119899+1 119894 = 1 2 119899 then wesay DLP under known plaintext attack can be solved (theprobability of solving this problem is denoted as Pr(119909119899+1 |(119909119894 119910119894) 119910119899+1 1199011 1198921) = 1205762)

Theorem 6 (unforgeability under replay attack) In our pro-tocol if a recipient can forge the signerrsquos signature from given119899 pairs (1199101015840(119894)119875 119904(119894)119860 ) 119894 = 1 2 119899 then DLP under knownplaintext attack can be solved

Proof In our scheme assume an adversary tries to eval-uate 119904(119894+1)119860 from eavesdropped (1199101015840(119894)119875 119904(119894)119860 ) and 1199101015840(119899+1)119875 119894 =

1 2 119899 Let RO2 be a random oracle input (1199101015840(119894)119875

119904(119894)119860 ) 1199101015840(119899+1)119875 119901 119892 to output 119904(119894+1)119860 (ie RO2((1199101015840(119894)119875 119904(119894)119860 )

1199101015840(119899+1)119875 119901 119892) rArr 119904(119894+1)119860 ) In Definition 5 let (1199101015840(119894)119875 119904(119894)119860 ) larr

(119909119894 119910119894) 1199101015840(119899+1)119875 larr 119910119899+1 119901 larr 1199011 and 119892 larr 1198921 be input

parameters of RO2 and obtain output 119904(119894+1)119860 Let 119909119899+1 larr

119904(119894+1)119860 then 119909119899+1 is evaluated Therefore Pr(119904(119894+1)119860 | (1199101015840(119894)119875

119904(119894)119860 ) 1199101015840(119899+1)119875 119901 119892) le Pr(119909119899+1 | (119909119894 119910119894) 119910119899+1 1199011 1198921) = 1205762

which means the DLP under known plaintext attack can besolved if RO2 exists

(3) Proxy Oblivious Signatures Are Unlinkable In the signingphase because B receives the disguised selection 119888 of the


Table 1 Computation cost comparison

Scheme Original signer (Proxy) signer Receiver VerifierYang and Liang [19] 119879ex 4119879ex 2119879ex 3119879exChen [10] - 3119899119879ex (2119899 + 10)119879ex 8119879exTso et al [11] - 2119899119879ex (2119899 + 2)119879ex 2119879exProposed 2119879ex (119899 + 2)119879ex

lowast (2119899 + 2)119879ex 2119879ex

message 119898119887 he or she cannot find out the selection of RMoreover because the blinding factor V is required duringthe conversion of the oblivious signature 119904119887 where V is knownonly by R B cannot make a linkage between the signatureandRrsquos selectionThus we can conclude thatB can discoverneither the message nor the proxy signature associated withthe protocol after the signature is verified

(4) Proxy Oblivious Signatures Are Undeniable Owing to theunforgeability of the proxy oblivious signature B cannotrepudiate any proxy signature produced by him or her

(5) Proxy Oblivious Signatures Are Verifiable In the ver-ification phase V checks whether the equation 119890 =

119867(119898119887 119892119904119910119890119901mod119901) holds because 119892119904119910119890119901 = 119892119904119887+V+119887119910119890119887119901 =

119892119896119887minus119904119901119890119887+V+119887119892119904119901119890119887 = 119892119896119887+V+119887 = 119892119896119887119892Vℎminus119887119892119887ℎ119887 = 119892119896119887119888(119892ℎ)119887 =119870119887120575119887mod119901 and thus 119867(119898119887 119892

119904119910119890119901mod119901) = 119867(119898119887

119870119887120575119887mod119901) = 119890119887 = 119890 Therefore the signature can beverified by all verifiers

(6) Generated Signatures Are Distinguishable Evidently byusing different congruences to check the validity of theoriginal signatures and the proxy signatures everyonecan easily distinguish the proxy signature from a normalsignature

(7) The Proposed Scheme Provides Ambiguity of the MessageSelected by R That Is It Provides Perfect Security for R Ifan attacker A1 takes the place of B A1 needs to obtainb where 119888 = 119892Vℎminus119887mod119901 V isin119877119885

lowast119902 because we know that

for every 119887 of any 119888 there exists V119894 such that 119888 = 119892Vℎminus119887 =

119892V119894ℎminus119894mod119901 for 119894 = 1 2 119899 Finally we conclude that theprobability ofA1 getting the correct 119887 is 1119899 which achievestheoretical security

62 Voting System

(1) Delegation from Creator Is Complete In the proxy phaseB signs the proxy public key 1199101015840119901 using his or her private key119909119861 and passes the signature 119904119860119861 to A Therefore B cannotdeny the fact that he or she has accepted the delegation fromA

(2) Eligibility In the register phaseB checks whetherR is alegal voter by his or her idTherefore only legal voters can getthe certificate CERT(R) fromB and participate in the votingevent

(3) Nonduplication In the circling phase B checks whetherflag(pn) = 0 If it holds it means that pn has not voted

Table 2 Communication cost comparison

Scheme 119860 rarr 119861 119861 rarr 119877 119877 rarr 119861 119877 rarr 119881

Yang and Liang [19] 119897119902 + 119897119867 119897119901 + 119897119902 + 119897119867 119897119902 119897119902 + 2119897119867Chen [10] - 3119899119897119901 + 119899119897119902 119897119902 7119897119901 + 119897119902 + 119897119867Tso et al [11] - 119899(119897119902 + 119897119867) 119897119901 119897119902 + 119897119867Proposed 119897119901 + 119897119902 119899(119897119902 + 119897119867) 119897119901 119897119902 + 119897119867

yet otherwise the process will be terminated Consequentlyevery legal voter can cast at most one ballot

(4) Fairness In the voting phaseR encrypts his or her ballotusing the symmetric key 119867(119867(pw) 119890119861) and sends it to thevoting center Therefore no one can learn the current votingsituation before the voting period is over

(5) Accuracy The validity of all ballots can be verified usingthe examining equation 119890 = 119867(119898119887 pn 119892

119904119910119890119901mod119901)

(6) Verifiability In the voting phase every voter can checkhis or her own ballot via the bulletin and the ballot cannotbe modified by anyone Furthermore in the counting phaseevery voter can verify and count all other votersrsquo ballots onthe bulletin

(7) Privacy In the circling phase owing to the ambiguityof the proxy oblivious signature no one can learn a voterrsquosselection from 119888 = 119892Vℎminus119887mod119901 In the voting phase Rencrypts his or her ballot using the key119867(119867(pw) 119890119861) beforecasting it to V and therefore no one can obtain his orher plain ballot Finally in the counting phase becauseevery selected candidate on the bulletin corresponds to apseudoname pn no one can discover which person has madethe selection

7 Comparison

This section presents a comparison of our scheme againstother related schemes including blind signature [8] proxysignature [13] oblivious signature [10 11] and proxy blindsignature [19] Tables 1 2 and 3 present the computation costcommunication cost and ability comparison respectivelyBecause modular exponentiation is the most significantcomputational operation we denote its time cost as ldquo119879exrdquo andignore the other operations in the schemes

Compared with other related schemes our scheme pro-vides the most abilities with a low increment in computationcost Furthermore the communication cost is no higher thanthat of other oblivious signature schemes


Table 3 Ability comparison

Scheme Blindness Ambiguity Proxy abilityNayak et al [8]

Mambo et al [13]

Yang and Liang [19]

Chen [10]

Tso et al [11]

Proposed

Table 4 Computation time (milliseconds)

Phase PP RP CiP VP CoPRole A B R B R B R V VTime 424 315 2285 1955 312 31 198 1035 2025

In the proxy phaseB processes 2119879ex to examine whether119892119904119860 = 119903119910119903119860mod119901 holds (see asterisk in Table 1) In the signingphase B processes 119899119879ex to calculate 119870119894 = 119892119896119894 mod119901 for119894 = 1 2 119899 For 120575119894 = 119888(119892ℎ)119894mod119901 B may compute 120575119894by letting 1205750 = 119888 and generate 120575119894 = 120575119894minus1(119892ℎ)mod119901 for 119894 =1 2 119899 Consequently the computation cost is 119899 modularmultiplication rather than 119899119879ex

8 Implementation

This section demonstrates an application of an anonymousmobile electronic voting with proxy signer implemented onsmartphones Figure 13 shows a flowchart of this system Inthis system it is assumed that any signer who is asked forhis or her public key responds with his or her real public keyimmediately and that the requester would receive this publickey at once Tables 4 5 and 6 present the average computationtimes of each role in each phase the average communicationtimes of each communication direction in each phase andthe average computation and communication times in eachphase respectively where PP RP CiP VP and CoP stand forproxy phase register phase circling phase voting phase andcounting phase The steps in this system are as follows

Step 1 On the main page (Figure 14(a)) users are allowedto select a role and enter a pseudoname (Figure 14(b)) Anoriginal signer first runs the procedure and waits for proxysigners (Figure 14(c))

Step 2 A proxy signer runs Step 1 and selects a detectedoriginal signer to request delegation (Figure 14(d))

Step 3 The original signer selects the proxy signer on therequest list to process the delegation (Figure 14(e))

Step 4 After verifying the correctness of the delegation theproxy signer sets the voting issue (Figure 14(f)) and startswaiting for verifiers (Figure 14(g))

Step 5 A verifier runs Step 1 and waits for a proxy signer tosend him a voting event (Figure 14(h))

Step 6 The proxy signer selects a verifier to send the votingevent (Figure 14(i)) and starts holding the event (Figure 14(j))

Step 7 A receiver selects ldquoVoterrdquo on the main page andchooses a detected voting event (Figure 14(k))

Step 8 The receiver votes for a candidate and presses theldquoVoterdquo button (Figure 14(l)) to send his or her vote to theproxy signer Then he or she receives a proxy oblivioussignature and sends the extracted signature to the verifier bypressing the ldquoSendrdquo button (Figure 14(m))

Step 9 The verifier keeps collecting votes (Figure 14(n)) untilthe proxy signer ends the voting event by pressing the ldquoEndEventrdquo button shown in Figure 14(j)

Step 10 After the end of the voting event the verifier startsverifying the collected votes and displays the voting result(Figure 14(o))

9 Conclusion

We first construct 1-out-of-119899 proxy oblivious signatureschemes of proxy-unprotected and proxy-protected typesand discuss their security requirements The proposedschemes combine the advantages of a proxy signature andan oblivious signature and satisfy the security propertiesof both signatures including completeness unforgeabilityunlinkability undeniability verifiability distinguishabilityand ambiguity Compared with related schemes our schemesprovide extra proxy ability and perform well in terms ofboth complexity and usability Finally an anonymous proxyelectronic voting application is implemented on smartphonesbased on the proposed scheme

Nomenclature

Notation

A The original signerB The proxy signerR The recipientV The verifier119901 119902 Two large prime numbers such that

119902 | 119901 minus 1119892 ℎ Two elements of 119885119901

lowast of the same order 119902119885lowast119899 A set of the integers in 1 2 119899 minus 1 that

are coprime to 119899Ord119909119910 The order of 119910modulo 119909119909 isin119877119885

lowast119902 A chosen random number 119909 in 119885lowast119902

119909119860 119860rsquos private key119910119860 119860rsquos public key119904119901 The signing key119899 The number of messages119898119894 The 119894th message119887 The value of the subscript of the selected

message119898119887120590 The signature on119898119887119867(sdot) A public one-way hash function


Start Is PKI available

GeneratePKI Store PKI Select role Your role

Yes

No

Show list_B

End

Wait for delegation request

Receive a request from B

Add B to list_B

Broadcast mycredential

Wait for publickey request

Main thread

Show list_A

Start thread b1 Listen to Arsquoscredential

Receive Arsquoscredential

Add A to list_A

Request delegation

Start thread b2

Wait for Arsquosdelegation

Stop thread b2

Set issue

Listen to Vrsquoscredential

Receive Vrsquoscredential

Add V to list_V

Thread b3

Show list_V

Send event to V

End vote

EndWait for c from R

Start thread b7

Broadcast event

Thread b5


Receive a request

Thread b6

Generate signature

Return signature to R

Thread b7

Main thread

A B

Start thread r1

Listen to event

Receive an eventE from B

Add E to list_E

Thread r1

Show list_E

Select E

Stop thread r1

Vote

Send c to B

Start thread r3

Wait for Brsquossignature

Receive Brsquossignature

Verify delegation

Receive Arsquosdelegation

Delegationlegal

End

Yes

No

Stop thread b1

Verify signature

Calculate

Send to V

End

Main thread

R

Start thread v1 v2Broadcast my

credential

Thread v1

Listen to event

Receive an eventfrom B

Thread v2

Stop thread v1 v2

Listen to end signalfrom B

Receive an endsignal from B

Thread v3

Start thread v3 v4

Wait for

Receive

Thread v4

Add to list_

Stop thread v3 v4

Verify signatureson list_

End

Main thread

V



Start thread r2

End

Stop thread r2

End delegation

Yes

No

Publish the voting resultexcluding invalid rsquos

Start threada1sima3

Request yA

Add yp to list_y

Stop threada1sima3

Start threadb4simb6

Stop threadb4simb6

Return public key yA or yp from list_y

Receive a requestfor yA or yp Return public key yB

Request yp and yB

Request yp and yB

Thread r2

Thread r3

Thread b4

Receive c from R

end signalSend A R V

Select V

Start thread b3Thread b2

Thread b1

Select A

Thread a3

Thread a2

Thread a1

Delegate B

Select B

Figure 13 Flowchart of voting application


Table 5 Communication time (milliseconds)

Phase PP RP CiP VP CoPDirection 119860 rarr 119861 119861 rarr 119860 119877 rarr 119861 119861 rarr 119877 119861 rarr 119877 119877 rarr 119861 119861 rarr 119877 119877 rarr 119881 119861 rarr 119881

Time 6105 8165 321 428 4445 3875 472 447 396

(a) Main page (b) Enter a pseudoname (c) Wait for proxy signers (d) Request delegation (e) Delegation

(f) Set voting issue (g) Wait for verifiers (h) Wait for voting event (i) Send the voting event (j) Hold the voting event

(k) Choose a voting event (l) Vote for a candidate (m) Send the signature (n) Collect votes (o) Display result

Figure 14 Data transfer

Symbols Used in Performance Analysis

A The original signerB The proxy signerR The recipientV The verifier

119901 119902 Two large prime numbers such that119902 | 119901 minus 1

119892 ℎ Two elements of 119885119901lowast of the same order 119902

119909119860 119860rsquos private key119910119860 119860rsquos public key119904119901 The signing key


Table 6 Implementation time (milliseconds)

Phase PP RP CiP VP CoP TotalComputation time 739 424 622 3015 2025 2289Communication time 1427 749 1304 447 396 4323

119899 The number of messages119898119894 The 119894th message119887 The value of the subscript of the selected

message119898119887119899 Number of candidate messages in

oblivious signature scheme (eg 10)119879ex Time cost of a modular exponentiation

operation119897119902 Length of the parameter 119902 (eg 128 bits)119897119901 Length of the parameter 119901 (eg 1024 bits)119897119867 Length of the output of hash function

(eg 128 bits)120590 The signature on119898119887119867(sdot) A public one-way hash function

Disclosure

This article does not contain any studies with human partici-pants or animals performed by any of the authors

Conflicts of Interest

The authors declare that they have no conflicts of interest

Acknowledgments

This work is partially supported and funded by the Ministryof Science and Technology under Grant MOST 104-2221-E-182-012 and by the CGMH project under Grant BMRPB46

References

[1] J Modic R Trapero A Taha J Luna M Stopar and NSuri ldquoNovel efficient techniques for real-time cloud securityassessmentrdquo Computers amp Security vol 62 pp 1ndash18 2016

[2] A V Uzunov ldquoA survey of security solutions for distributedpublishsubscribe systemsrdquo Computers amp Security vol 61 pp94ndash129 2016

[3] A V Uzunov E B Fernandez and K Falkner ldquoSecuritysolution frames and security patterns for authorization indistributed collaborative systemsrdquo Computers amp Security vol55 pp 193ndash234 2015

[4] A Castiglione F Palmieri U Fiore A Castiglione and A DeSantis ldquoModeling energy-efficient secure communications inmulti-mode wireless mobile devicesrdquo Journal of Computer andSystem Sciences vol 81 no 8 pp 1464ndash1478 2015

[5] T Li Z Liu J Li C Jia and K-C Li ldquoCDPS a cryptographicdata publishing systemrdquo Journal of Computer and System Sci-ences vol 89 pp 80ndash91 2016

[6] Q Shi N Zhang and M Merabti ldquoFair signature exchange viadelegation on ubiquitous networksrdquo Journal of Computer andSystem Sciences vol 81 no 4 pp 615ndash631 2015

[7] D Chaum ldquoBlind signatures for untraceable paymentsrdquoCryptovol 82 1983

[8] S K Nayak B Majhi and S Mohanty ldquoAn ECDLP baseduntraceable blind signature schemerdquo in Proceedings of theCircuits Power and Computing Technologies (ICCPCT) Interna-tional Conference on IEEE pp 829ndash834 India March 2013

[9] M O Rabin ldquoHow to exchange secrets by oblivious transferrdquoIACR Cryptology ePrint Archive vol 2005 p 187 2005

[10] L Chen ldquoOblivious signaturesrdquo in Computer SecurityndashESORICS 94 Lecture Notes in Computer Science 875 vol 875 ofLecture Notes in Computer Science pp 161ndash172 Springer BerlinHeidelberg Berlin Heidelberg 1994

[11] R Tso T Okamoto and E Okamoto ldquo1-out-of-n oblivioussignaturesrdquo Information Security Practice and Experience vol4991 pp 45ndash55 2008 Springer Berlin Heidelberg

[12] J-S Chou ldquoA novel k-out-of-n oblivious transfer protocol frombilinear pairingrdquo Advances in Multimedia vol 2012 Article ID630610 2012

[13] M Mambo K Usuda and E Okamoto ldquoProxy signaturesdelegation of the power to sign messagesrdquo IEICE Transactionson Fundamentals of Electronics Communications and ComputerSciences vol E79-A no 9 pp 1338ndash1353 1996

[14] B T Lau ldquoProxy signature schemesrdquo in Proceedings of the 20061st IEEE Conference on Industrial Electronics and ApplicationsICIEA 2006 Singapore May 2006

[15] H Wang and R Yan ldquoA code-based multiple grade proxysignature schemerdquo in Proceedings of the 2013 8th InternationalConference on P2P Parallel Grid Cloud and Internet Comput-ing 3PGCIC 2013 pp 559ndash562 France October 2013

[16] W D Lin and J K Jan ldquoA security personal learning toolsusing a proxy blind signature schemerdquo in Proceedings of the IntlConference on Chinese Language Computing pp 273ndash277 2000

[17] A Z Tan Z Liu and C Tang ldquoDigital proxy blind signatureschemes based on DLP and ECDLPrdquo MM Research Preprintsvol 21 no 7 pp 212ndash217 2002

[18] S Lal and A K Awasthi ldquoProxy Blind Signature SchemerdquoJournal of Information Science and Engineering vol 72 2003

[19] F-Y Yang and L-R Liang ldquoA proxy partially blind signaturescheme with proxy revocationrdquo Journal of Ambient Intelligenceand Humanized Computing vol 4 no 2 pp 255ndash263 2013

[20] I Ray and N Narasimhamurthi ldquoAn anonymous electronicvoting protocol for voting over the internetrdquo Advanced Issuesof E-Commerce and Web-Based Information Systems ThirdInternational Workshop on IEEE pp 188ndash190 2001

[21] H Pan EHou andNAnsari ldquoRE-NOTEAnE-voting schemebased on ring signature and clash attack protectionrdquo in Pro-ceedings of the 2013 IEEE Global Communications ConferenceGLOBECOM 2013 pp 867ndash871 USA December 2013

[22] B Zwattendorfer C Hillebold and P Teufl ldquoSecure andprivacy-preserving proxy voting systemrdquo in Proceedings of the2013 IEEE 10th International Conference on e-Business Engineer-ing ICEBE 2013 pp 472ndash477 UK September 2013

[23] S Kardas M S Kiraz M A Bingol and F Birinci ldquoNorwe-gian internet voting protocol revisited ballot box and receiptgenerator are allowed to colluderdquo Security and CommunicationNetworks vol 9 no 18 pp 5051ndash5063 2016

[24] O Kulyk S Neumann K Marky J Budurushi and M Volka-mer ldquoCoercion-resistant proxy votingrdquo inProceedings of the 31stInternational Conference on ICT Systems Security and PrivacyProtection vol 471 pp 3ndash16 IFIP SEC 2016


[25] O Kulyk K Marky S Neumann and M Volkamer ldquoIntro-ducing proxy voting to Heliosrdquo in Proceedings of the 11thInternational Conference on Availability Reliability and Security(ARES) pp 98ndash106 Austria September 2016

[26] B Adida ldquoHelios Web-based open-audit votingrdquo USENIXSecurity Symposium vol 17 pp 335ndash348 2008

[27] G Cohensius S Mannor R Meir E Meirom and A OrdaldquoVoting for better outcomesrdquo in Proceedings of the 16th Confer-ence on Autonomous Agents and MultiAgent Systems pp 858ndash866 Sao Paulo Brazil 2017

[28] C P Schnorr ldquoEfficient signature generation by smart cardsrdquoJournal of Cryptology vol 4 no 3 pp 161ndash174 1991

[29] M Bellare and P Rogaway ldquoRandom oracles are practical aparadigm for designing efficient protocolsrdquo in Proceedings of the1st ACMConference onComputer andCommunications Securitypp 62ndash73 November 1993

[30] C Shin-Yan W Tsung-Ju and C Jiun-Ming ldquo1-out-of-n ProxyOblivious Signature Schemes and its e-voting applicationrdquoin Proceedings of the International Conference on ElectronicsSystems and Information Technology (ICESIT-15) pp 10ndash142015

[31] E Aljarrah H Elrehail and B Aababneh ldquoE-voting in JordanAssessing readiness and developing a systemrdquo Computers inHuman Behavior vol 63 pp 860ndash867 2016

[32] DA LopezGarcıa ldquoAflexible e-voting scheme for debate toolsrdquoComputers amp Security vol 56 pp 50ndash62 2016

[33] K Vassil M Solvak P Vinkel A H Trechsel and R MAlvarez ldquoThe diffusion of internet voting Usage patterns ofinternet voting in Estonia between 2005 and 2015rdquoGovernmentInformation Quarterly vol 33 no 3 pp 453ndash459 2016

[34] J Dossogne and L Frederic ldquoBlinded additively homomorphicencryption schemes for self-tallying votingrdquo Journal of Informa-tion Security and Applications vol 22 pp 40ndash53 2015

[35] N Andras A Marta and S Peter ldquoCould on-line voting boostdesire to vote ndash Technology acceptance perceptions of youngHungarian citizensrdquoGovernment InformationQuarterly vol 33no 4 pp 705ndash714 2016

[36] T ElGamal ldquoA public key cryptosystem and a signature schemebased on discrete logarithmsrdquo in Advances in Cryptology vol196 of Lecture Notes in Computer Science pp 10ndash18 SpringerBerlin Germany 1985

[37] S-Y Chiou Z Ying and J Liu ldquoImprovement of a privacyauthentication scheme based on cloud for medical environ-mentrdquo Journal of Medical Systems vol 40 no 4 article no 101pp 1ndash15 2016

[38] S-Y Chiou ldquoCommon friends discovery for multiple partieswith friendship ownership and replay-attack resistance inmobile social networksrdquoWireless Networks pp 1ndash15 2016

[39] R Anane R Freeland and G Theodoropoulos ldquoE-votingrequirements and implementationrdquo in Proceedings of the 9thIEEE International Conference on E-Commerce Technology The4th IEEE International Conference on Enterprise Computing E-Commerce and E-Services CECEEE 2007 pp 382ndash389 JapanJuly 2007

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014


Active and Passive Electronic Components

Control Scienceand Engineering

Journal of


International Journal of

RotatingMachinery


Hindawi Publishing Corporation httpwwwhindawicom

Journal of

Volume 201

Submit your manuscripts athttpswwwhindawicom

VLSI Design



Shock and Vibration


Civil EngineeringAdvances in

Acoustics and VibrationAdvances in



Electrical and Computer Engineering

Journal of

Advances inOptoElectronics


Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

SensorsJournal of


Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014


Chemical EngineeringInternational Journal of Antennas and

Propagation




Navigation and Observation



DistributedSensor Networks



voting protocol that allows a voter to cast his or her ballotanonymously by exchanging untraceable authentic messagesIn 2013 Pan et al [21] proposed an electronic voting schemethat is based on the ring signature and is resistant to a clashattack Several schemes with delegated voting functionalityhave been proposed In 2013 Zwattendorfer et al [22] pro-posed a proxy voting scheme that allows a voter to delegate hisor her voting power to a proxy who actually casts the ballotsfor all represented voters Norway has used an Internet-basedvoting protocol for some years and the vote privacy andcorrectness of this scheme have been demonstrated [23] In2016 Kulyk et al [24] proposed a new coercion-resistantproxy voting scheme by extending the coercion-resistantJCJCivitas theme aiming to prevent direct voter coerciondelegation coercion and proxy coercionThey also proposeda new proxy voting scheme [25] to extend the Helios votingsystem [26] with delegated voting functionality In 2017Cohensius et al [27] considered a social choice problem anddemonstrated that the mechanism using proxy voting betterapproximates the optimal outcome

11 Motivation Compared with a blind signature schemea oblivious signature scheme used in e-voting provides onemore property ambiguity in selected messages A signercannot find out which message a voter has selected whilesigning the messages but the signer can be certain thatthe message the voter chooses is one of the predeterminedmessages otherwise the signature would not be accepted bya verifierTherefore in oblivious signature systemswhich dif-fer from blind signature schemes the limited signed contentscan prevent potential malicious users from obtaining validsignatures of some candidates for unauthorized purposes

In addition because each unit of a group (such as eachstate of a country each county of a state each campus of aschool or each approved bank of a group) may use differentmethods to authorize their members (using different keys)polling booths with proxy ability are required Additionalbenefits include reducing the load at voting centers andavoiding network jams Moreover the mobility of the votingfunctionality allows people to vote from anywhere using theirmobile devices thereby making the electronic voting systemmore convenient

The goal in this research is a design of novel schemeswhich combine oblivious andproxy signatures and extend thedesigned schemes to an electronic voting system which pro-vides the following properties mobility instant voting proxysigner completeness unforgeability unlinkability undenia-bility accuracy distinguishability ambiguity nonduplicationeligibility verifiability fairness and privacy where fairnessmeans that no one can know the current total number ofvotes received by every candidate before the end of the votingperiod

12 Our Contribution In this paper based on the Schnorrsignature [28] we propose two novel 1-out-of-119899 blind(oblivious) and proxy signature schemes that combine theadvantages of oblivious signatures and proxy signaturesand satisfy the security properties of these two signatureschemes One of the proposed proxy oblivious schemes is of

the proxy-unprotected type and the other is of the proxy-protected type Based on our schemes we also propose ananonymous electronic voting system with proxy signer Byusing the concept proposed in [29] we conduct security anal-yses and performance comparisons The results showed thatour scheme has good performance and is efficient Finallywe implement the voting system on Android mobile phonesto prove that our scheme is workable This paper extendsthe research [30] which presents the concept of 1-out-of-119899oblivious and proxy signature schemes of proxy-unprotectedtype without the voting system application security analysesand formal proofs and mobile phone implementation

2 Related Works

In this section we present two representative protocols thatare relevant to our scheme oblivious signature and proxysignature

21 Oblivious Signature In 1983 Chaum [7] introduced ablind signature scheme Compared with a normal signaturea blind signature offers an additional property blindness thatprovides it with the ability to protect the signeersquos privacy In ablind signature scheme a signee could get a messagersquos digitalsignature signed by a signer without revealing any informa-tion about themessageThis is vital in some applications suchas electronic payment systems and secure voting systems [31ndash35] because the requesterrsquos messages may be sensitive Nayaket al [8] also proposed a blind signature scheme based on anelliptic curve discrete logarithm problem

In 2005 Rabin [9] introduced the concept of oblivioustransfer In this protocol a sender sends some subsets of somemessages but does not know what the receiver has receivedThus the receiver can get the particular message he or shewants without revealing any information about the messageto the sender In 2012 Chou [12] proposed a more efficientand secure 119896-out-of-119899 oblivious transfer scheme

In 1994 Chen [10] proposed the concept of oblivioussignatures He considered two types of oblivious signatureschemes The first one comprises 119899 keys and one messagethe receiver can get a message signed with one of 119899 keysthat are chosen by him or her while the signers cannot knowwhich key has been used for the signature by the receiverThesecond one comprises 119899 messages and one key a signee canchoose one predetermined message to get signed while notrevealing any information about the selected message to thesigner In contrast to blind signatures oblivious signaturescan guarantee that the signed message is actually one of thepredetermined messages therefore if the receiver were tosubmit some additional messages the signature would not beaccepted by the scheme

In 2008 Tso et al [11] noted that Chenrsquos proposal doesnot crisply formalize the notion and security properties ofthe scheme Consequently they provided formal definitionsand security requirements for an oblivious signature schemeincluding completeness unforgeability and ambiguity andproposed a 1-out-of-119899 oblivious signature agreement basedon Schnorrrsquos blind signature [28] They also improvedthe schemersquos performance The preceding properties render



for i = 1 2 n

Ki = gk ＧＩ＞ p



c m1 m2 mn

if correct

for i = 1 2 n


(ml isin m1 m2 mn)


ei = H(mi g

s ye i ＧＩ＞ p)

e = el


= (e s)ml


ki isinR Zlowastq

r isinR Zlowastq

(ei si) 1 le i le n























= 119867(119898119894






= 119867(119898119897 119892

119904119910119890mod119901)























(2) Proxy Phase


lowast119901minus1



m

(secure manner)


K = gk ＧＩ＞ p


g = yKKＧＩ＞ p

R = gr ＧＩ＞ p




message m




(secure manner)

ℬ

r = gk ＧＩ＞ p


yp = gs

publish yp

(r sp)


k isinR Zlowastq




delegation



Step 2 Compute 119877 = 119892119903mod119901




= 119892119877(119909+119896119870)+(119898minus119877120590) = 119892119877(119909+119896119870)+119898minus119877(119909+119896119870) = 119892119898mod119901












































119910119860 = 119892119909119860 mod119901



for i = 1 2 n

Ki = gk ＧＩ＞ p




m1 m2 mn c

if correct

for i = 1 2 n




(mb isin m1 m2 mn)

ei = H(mi gs y

ep i ＧＩ＞ p)

e = eb


= (e s)

ℬ ℛ

ki isinR Zlowastq

isinR Zlowastq

(ei si) 1 le i le n


(mb )e = H(mb g

syep ＧＩ＞ p)

ℛ


(2) Proxy Phase



and 119910119901 = 119892119904119901 mod119901



(3) Signing Phase








119867(119898119894 119892119904119894119910119890119894119901 120575119894mod119901)

(secure manner)

ℬ

r = gk ＧＩ＞ p


yp = gs ＧＩ＞ p

publish yp yB

(r sA)



k isinR Zlowastq




119904119910119890119901mod119901)


(1) Proxy Phase



and 1199101015840119901 = 119892119904119860 mod119901














(Step

3c) C

onfir

m regis

ter





A

B

BB

RV

(Step

5c) C

onfir

m ballo

t


If correct

rA = gk ＧＩ＞ p



yp = gs ＧＩ＞ p


p)

publish yp yB in BB

dlgAB

sAB

if correct




ℬ

kisinR Zlowastq



reg

Cert(R)

seB ＧＩ＞NB =

ℬ ℛ

(Ｃ＞ＪＨHR)

ＪＨHR)





HR = H(ＪＱ)


H(ＪＨ eB)
















ℬ ℛ

HR = H(HR r)

Ki = gk ＧＩ＞ p



r

(mb isin m1 m2 mn)


foralli = 1 2 n


e = eb


(mb) = (e s)

r isinR Zlowastq

flag(pn) = 0




(ＪＨHR c)

HR = H(H(ＪＱ) r)




ep i ＧＩ＞ p)


seB ＧＩ＞NB =

ℛ




ℬ










119910119861 = 119892119909119861 mod119901






(2) Proxy Phase


119892119896mod119901 119904119860 = 119909119860119903119860 + 119896mod 119902 and 1199101015840119901 = 119892119904119860 mod119901








(3) Register Phase







(4) Circling Phase











(5) Voting Phase




(6) Counting Phase






6 Security Analysis


61 Signature Scheme



119904119894119910119890119894119901 120575119894mod119901) =119867(119898119894 119892

119896119894minus119904119901119890119894119892119904119901119890119894120575119894mod119901) = 119867(119898119894 119892119896119894120575119894mod119901) =









1015840119901 119901 119892) le Pr(119910 | 119909 1199011 1198921) = 1205761 which






119904(119894)119860 ) 1199101015840(119899+1)119875 119901 119892 to output 119904(119894+1)119860 (ie RO2((1199101015840(119894)119875 119904(119894)119860 )





119904(119894)119860 ) 1199101015840(119899+1)119875 119901 119892) le Pr(119909119899+1 | (119909119894 119910119894) 119910119899+1 1199011 1198921) = 1205762






lowast (2119899 + 2)119879ex 2119879ex






119904119910119890119901mod119901) = 119867(119898119887







62 Voting System










119904119910119890119901mod119901)



7 Comparison






Mambo et al [13]

Yang and Liang [19]

Chen [10]

Tso et al [11]

Proposed




8 Implementation












9 Conclusion


Nomenclature

Notation











Yes

No

Show list_B

End



Add B to list_B



Main thread

Show list_A



Add A to list_A

Request delegation

Start thread b2


Stop thread b2

Set issue



Add V to list_V

Thread b3

Show list_V

Send event to V

End vote


Start thread b7

Broadcast event

Thread b5


Receive a request

Thread b6

Generate signature


Thread b7

Main thread

A B

Start thread r1

Listen to event


Add E to list_E

Thread r1

Show list_E

Select E

Stop thread r1

Vote

Send c to B

Start thread r3



Verify delegation


Delegationlegal

End

Yes

No

Stop thread b1

Verify signature

Calculate

Send to V

End

Main thread

R


credential

Thread v1

Listen to event


Thread v2

Stop thread v1 v2



Thread v3

Start thread v3 v4

Wait for

Receive

Thread v4

Add to list_

Stop thread v3 v4


End

Main thread

V



Start thread r2

End

Stop thread r2

End delegation

Yes

No


Start threada1sima3

Request yA

Add yp to list_y

Stop threada1sima3

Start threadb4simb6

Stop threadb4simb6



Request yp and yB

Request yp and yB

Thread r2

Thread r3

Thread b4

Receive c from R


Select V


Thread b1

Select A

Thread a3

Thread a2

Thread a1

Delegate B

Select B





Time 6105 8165 321 428 4445 3875 472 447 396


















Disclosure




Acknowledgments


References









































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation











for i = 1 2 n

Ki = gk ＧＩ＞ p



c m1 m2 mn

if correct

for i = 1 2 n


(ml isin m1 m2 mn)


ei = H(mi g

s ye i ＧＩ＞ p)

e = el


= (e s)ml


ki isinR Zlowastq

r isinR Zlowastq

(ei si) 1 le i le n























= 119867(119898119894






= 119867(119898119897 119892

119904119910119890mod119901)























(2) Proxy Phase


lowast119901minus1



m

(secure manner)


K = gk ＧＩ＞ p


g = yKKＧＩ＞ p

R = gr ＧＩ＞ p




message m




(secure manner)

ℬ

r = gk ＧＩ＞ p


yp = gs

publish yp

(r sp)


k isinR Zlowastq




delegation



Step 2 Compute 119877 = 119892119903mod119901




= 119892119877(119909+119896119870)+(119898minus119877120590) = 119892119877(119909+119896119870)+119898minus119877(119909+119896119870) = 119892119898mod119901












































119910119860 = 119892119909119860 mod119901



for i = 1 2 n

Ki = gk ＧＩ＞ p




m1 m2 mn c

if correct

for i = 1 2 n




(mb isin m1 m2 mn)

ei = H(mi gs y

ep i ＧＩ＞ p)

e = eb


= (e s)

ℬ ℛ

ki isinR Zlowastq

isinR Zlowastq

(ei si) 1 le i le n


(mb )e = H(mb g

syep ＧＩ＞ p)

ℛ


(2) Proxy Phase



and 119910119901 = 119892119904119901 mod119901



(3) Signing Phase








119867(119898119894 119892119904119894119910119890119894119901 120575119894mod119901)

(secure manner)

ℬ

r = gk ＧＩ＞ p


yp = gs ＧＩ＞ p

publish yp yB

(r sA)



k isinR Zlowastq




119904119910119890119901mod119901)


(1) Proxy Phase



and 1199101015840119901 = 119892119904119860 mod119901














(Step

3c) C

onfir

m regis

ter





A

B

BB

RV

(Step

5c) C

onfir

m ballo

t


If correct

rA = gk ＧＩ＞ p



yp = gs ＧＩ＞ p


p)

publish yp yB in BB

dlgAB

sAB

if correct




ℬ

kisinR Zlowastq



reg

Cert(R)

seB ＧＩ＞NB =

ℬ ℛ

(Ｃ＞ＪＨHR)

ＪＨHR)





HR = H(ＪＱ)


H(ＪＨ eB)
















ℬ ℛ

HR = H(HR r)

Ki = gk ＧＩ＞ p



r

(mb isin m1 m2 mn)


foralli = 1 2 n


e = eb


(mb) = (e s)

r isinR Zlowastq

flag(pn) = 0




(ＪＨHR c)

HR = H(H(ＪＱ) r)




ep i ＧＩ＞ p)


seB ＧＩ＞NB =

ℛ




ℬ










119910119861 = 119892119909119861 mod119901






(2) Proxy Phase


119892119896mod119901 119904119860 = 119909119860119903119860 + 119896mod 119902 and 1199101015840119901 = 119892119904119860 mod119901








(3) Register Phase







(4) Circling Phase











(5) Voting Phase




(6) Counting Phase






6 Security Analysis


61 Signature Scheme



119904119894119910119890119894119901 120575119894mod119901) =119867(119898119894 119892

119896119894minus119904119901119890119894119892119904119901119890119894120575119894mod119901) = 119867(119898119894 119892119896119894120575119894mod119901) =









1015840119901 119901 119892) le Pr(119910 | 119909 1199011 1198921) = 1205761 which






119904(119894)119860 ) 1199101015840(119899+1)119875 119901 119892 to output 119904(119894+1)119860 (ie RO2((1199101015840(119894)119875 119904(119894)119860 )





119904(119894)119860 ) 1199101015840(119899+1)119875 119901 119892) le Pr(119909119899+1 | (119909119894 119910119894) 119910119899+1 1199011 1198921) = 1205762






lowast (2119899 + 2)119879ex 2119879ex






119904119910119890119901mod119901) = 119867(119898119887







62 Voting System










119904119910119890119901mod119901)



7 Comparison






Mambo et al [13]

Yang and Liang [19]

Chen [10]

Tso et al [11]

Proposed




8 Implementation












9 Conclusion


Nomenclature

Notation











Yes

No

Show list_B

End



Add B to list_B



Main thread

Show list_A



Add A to list_A

Request delegation

Start thread b2


Stop thread b2

Set issue



Add V to list_V

Thread b3

Show list_V

Send event to V

End vote


Start thread b7

Broadcast event

Thread b5


Receive a request

Thread b6

Generate signature


Thread b7

Main thread

A B

Start thread r1

Listen to event


Add E to list_E

Thread r1

Show list_E

Select E

Stop thread r1

Vote

Send c to B

Start thread r3



Verify delegation


Delegationlegal

End

Yes

No

Stop thread b1

Verify signature

Calculate

Send to V

End

Main thread

R


credential

Thread v1

Listen to event


Thread v2

Stop thread v1 v2



Thread v3

Start thread v3 v4

Wait for

Receive

Thread v4

Add to list_

Stop thread v3 v4


End

Main thread

V



Start thread r2

End

Stop thread r2

End delegation

Yes

No


Start threada1sima3

Request yA

Add yp to list_y

Stop threada1sima3

Start threadb4simb6

Stop threadb4simb6



Request yp and yB

Request yp and yB

Thread r2

Thread r3

Thread b4

Receive c from R


Select V


Thread b1

Select A

Thread a3

Thread a2

Thread a1

Delegate B

Select B





Time 6105 8165 321 428 4445 3875 472 447 396


















Disclosure




Acknowledgments


References









































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation































(2) Proxy Phase


lowast119901minus1



m

(secure manner)


K = gk ＧＩ＞ p


g = yKKＧＩ＞ p

R = gr ＧＩ＞ p




message m




(secure manner)

ℬ

r = gk ＧＩ＞ p


yp = gs

publish yp

(r sp)


k isinR Zlowastq




delegation



Step 2 Compute 119877 = 119892119903mod119901




= 119892119877(119909+119896119870)+(119898minus119877120590) = 119892119877(119909+119896119870)+119898minus119877(119909+119896119870) = 119892119898mod119901












































119910119860 = 119892119909119860 mod119901



for i = 1 2 n

Ki = gk ＧＩ＞ p




m1 m2 mn c

if correct

for i = 1 2 n




(mb isin m1 m2 mn)

ei = H(mi gs y

ep i ＧＩ＞ p)

e = eb


= (e s)

ℬ ℛ

ki isinR Zlowastq

isinR Zlowastq

(ei si) 1 le i le n


(mb )e = H(mb g

syep ＧＩ＞ p)

ℛ


(2) Proxy Phase



and 119910119901 = 119892119904119901 mod119901



(3) Signing Phase








119867(119898119894 119892119904119894119910119890119894119901 120575119894mod119901)

(secure manner)

ℬ

r = gk ＧＩ＞ p


yp = gs ＧＩ＞ p

publish yp yB

(r sA)



k isinR Zlowastq




119904119910119890119901mod119901)


(1) Proxy Phase



and 1199101015840119901 = 119892119904119860 mod119901














(Step

3c) C

onfir

m regis

ter





A

B

BB

RV

(Step

5c) C

onfir

m ballo

t


If correct

rA = gk ＧＩ＞ p



yp = gs ＧＩ＞ p


p)

publish yp yB in BB

dlgAB

sAB

if correct




ℬ

kisinR Zlowastq



reg

Cert(R)

seB ＧＩ＞NB =

ℬ ℛ

(Ｃ＞ＪＨHR)

ＪＨHR)





HR = H(ＪＱ)


H(ＪＨ eB)
















ℬ ℛ

HR = H(HR r)

Ki = gk ＧＩ＞ p



r

(mb isin m1 m2 mn)


foralli = 1 2 n


e = eb


(mb) = (e s)

r isinR Zlowastq

flag(pn) = 0




(ＪＨHR c)

HR = H(H(ＪＱ) r)




ep i ＧＩ＞ p)


seB ＧＩ＞NB =

ℛ




ℬ










119910119861 = 119892119909119861 mod119901






(2) Proxy Phase


119892119896mod119901 119904119860 = 119909119860119903119860 + 119896mod 119902 and 1199101015840119901 = 119892119904119860 mod119901








(3) Register Phase







(4) Circling Phase











(5) Voting Phase




(6) Counting Phase






6 Security Analysis


61 Signature Scheme



119904119894119910119890119894119901 120575119894mod119901) =119867(119898119894 119892

119896119894minus119904119901119890119894119892119904119901119890119894120575119894mod119901) = 119867(119898119894 119892119896119894120575119894mod119901) =









1015840119901 119901 119892) le Pr(119910 | 119909 1199011 1198921) = 1205761 which






119904(119894)119860 ) 1199101015840(119899+1)119875 119901 119892 to output 119904(119894+1)119860 (ie RO2((1199101015840(119894)119875 119904(119894)119860 )





119904(119894)119860 ) 1199101015840(119899+1)119875 119901 119892) le Pr(119909119899+1 | (119909119894 119910119894) 119910119899+1 1199011 1198921) = 1205762






lowast (2119899 + 2)119879ex 2119879ex






119904119910119890119901mod119901) = 119867(119898119887







62 Voting System










119904119910119890119901mod119901)



7 Comparison






Mambo et al [13]

Yang and Liang [19]

Chen [10]

Tso et al [11]

Proposed




8 Implementation












9 Conclusion


Nomenclature

Notation











Yes

No

Show list_B

End



Add B to list_B



Main thread

Show list_A



Add A to list_A

Request delegation

Start thread b2


Stop thread b2

Set issue



Add V to list_V

Thread b3

Show list_V

Send event to V

End vote


Start thread b7

Broadcast event

Thread b5


Receive a request

Thread b6

Generate signature


Thread b7

Main thread

A B

Start thread r1

Listen to event


Add E to list_E

Thread r1

Show list_E

Select E

Stop thread r1

Vote

Send c to B

Start thread r3



Verify delegation


Delegationlegal

End

Yes

No

Stop thread b1

Verify signature

Calculate

Send to V

End

Main thread

R


credential

Thread v1

Listen to event


Thread v2

Stop thread v1 v2



Thread v3

Start thread v3 v4

Wait for

Receive

Thread v4

Add to list_

Stop thread v3 v4


End

Main thread

V



Start thread r2

End

Stop thread r2

End delegation

Yes

No


Start threada1sima3

Request yA

Add yp to list_y

Stop threada1sima3

Start threadb4simb6

Stop threadb4simb6



Request yp and yB

Request yp and yB

Thread r2

Thread r3

Thread b4

Receive c from R


Select V


Thread b1

Select A

Thread a3

Thread a2

Thread a1

Delegate B

Select B





Time 6105 8165 321 428 4445 3875 472 447 396


















Disclosure




Acknowledgments


References









































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation










m

(secure manner)


K = gk ＧＩ＞ p


g = yKKＧＩ＞ p

R = gr ＧＩ＞ p




message m




(secure manner)

ℬ

r = gk ＧＩ＞ p


yp = gs

publish yp

(r sp)


k isinR Zlowastq




delegation



Step 2 Compute 119877 = 119892119903mod119901




= 119892119877(119909+119896119870)+(119898minus119877120590) = 119892119877(119909+119896119870)+119898minus119877(119909+119896119870) = 119892119898mod119901












































119910119860 = 119892119909119860 mod119901



for i = 1 2 n

Ki = gk ＧＩ＞ p




m1 m2 mn c

if correct

for i = 1 2 n




(mb isin m1 m2 mn)

ei = H(mi gs y

ep i ＧＩ＞ p)

e = eb


= (e s)

ℬ ℛ

ki isinR Zlowastq

isinR Zlowastq

(ei si) 1 le i le n


(mb )e = H(mb g

syep ＧＩ＞ p)

ℛ


(2) Proxy Phase



and 119910119901 = 119892119904119901 mod119901



(3) Signing Phase








119867(119898119894 119892119904119894119910119890119894119901 120575119894mod119901)

(secure manner)

ℬ

r = gk ＧＩ＞ p


yp = gs ＧＩ＞ p

publish yp yB

(r sA)



k isinR Zlowastq




119904119910119890119901mod119901)


(1) Proxy Phase



and 1199101015840119901 = 119892119904119860 mod119901














(Step

3c) C

onfir

m regis

ter





A

B

BB

RV

(Step

5c) C

onfir

m ballo

t


If correct

rA = gk ＧＩ＞ p



yp = gs ＧＩ＞ p


p)

publish yp yB in BB

dlgAB

sAB

if correct




ℬ

kisinR Zlowastq



reg

Cert(R)

seB ＧＩ＞NB =

ℬ ℛ

(Ｃ＞ＪＨHR)

ＪＨHR)





HR = H(ＪＱ)


H(ＪＨ eB)
















ℬ ℛ

HR = H(HR r)

Ki = gk ＧＩ＞ p



r

(mb isin m1 m2 mn)


foralli = 1 2 n


e = eb


(mb) = (e s)

r isinR Zlowastq

flag(pn) = 0




(ＪＨHR c)

HR = H(H(ＪＱ) r)




ep i ＧＩ＞ p)


seB ＧＩ＞NB =

ℛ




ℬ










119910119861 = 119892119909119861 mod119901






(2) Proxy Phase


119892119896mod119901 119904119860 = 119909119860119903119860 + 119896mod 119902 and 1199101015840119901 = 119892119904119860 mod119901








(3) Register Phase







(4) Circling Phase











(5) Voting Phase




(6) Counting Phase






6 Security Analysis


61 Signature Scheme



119904119894119910119890119894119901 120575119894mod119901) =119867(119898119894 119892

119896119894minus119904119901119890119894119892119904119901119890119894120575119894mod119901) = 119867(119898119894 119892119896119894120575119894mod119901) =









1015840119901 119901 119892) le Pr(119910 | 119909 1199011 1198921) = 1205761 which






119904(119894)119860 ) 1199101015840(119899+1)119875 119901 119892 to output 119904(119894+1)119860 (ie RO2((1199101015840(119894)119875 119904(119894)119860 )





119904(119894)119860 ) 1199101015840(119899+1)119875 119901 119892) le Pr(119909119899+1 | (119909119894 119910119894) 119910119899+1 1199011 1198921) = 1205762






lowast (2119899 + 2)119879ex 2119879ex






119904119910119890119901mod119901) = 119867(119898119887







62 Voting System










119904119910119890119901mod119901)



7 Comparison






Mambo et al [13]

Yang and Liang [19]

Chen [10]

Tso et al [11]

Proposed




8 Implementation












9 Conclusion


Nomenclature

Notation











Yes

No

Show list_B

End



Add B to list_B



Main thread

Show list_A



Add A to list_A

Request delegation

Start thread b2


Stop thread b2

Set issue



Add V to list_V

Thread b3

Show list_V

Send event to V

End vote


Start thread b7

Broadcast event

Thread b5


Receive a request

Thread b6

Generate signature


Thread b7

Main thread

A B

Start thread r1

Listen to event


Add E to list_E

Thread r1

Show list_E

Select E

Stop thread r1

Vote

Send c to B

Start thread r3



Verify delegation


Delegationlegal

End

Yes

No

Stop thread b1

Verify signature

Calculate

Send to V

End

Main thread

R


credential

Thread v1

Listen to event


Thread v2

Stop thread v1 v2



Thread v3

Start thread v3 v4

Wait for

Receive

Thread v4

Add to list_

Stop thread v3 v4


End

Main thread

V



Start thread r2

End

Stop thread r2

End delegation

Yes

No


Start threada1sima3

Request yA

Add yp to list_y

Stop threada1sima3

Start threadb4simb6

Stop threadb4simb6



Request yp and yB

Request yp and yB

Thread r2

Thread r3

Thread b4

Receive c from R


Select V


Thread b1

Select A

Thread a3

Thread a2

Thread a1

Delegate B

Select B





Time 6105 8165 321 428 4445 3875 472 447 396


















Disclosure




Acknowledgments


References









































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation








































119910119860 = 119892119909119860 mod119901



for i = 1 2 n

Ki = gk ＧＩ＞ p




m1 m2 mn c

if correct

for i = 1 2 n




(mb isin m1 m2 mn)

ei = H(mi gs y

ep i ＧＩ＞ p)

e = eb


= (e s)

ℬ ℛ

ki isinR Zlowastq

isinR Zlowastq

(ei si) 1 le i le n


(mb )e = H(mb g

syep ＧＩ＞ p)

ℛ


(2) Proxy Phase



and 119910119901 = 119892119904119901 mod119901



(3) Signing Phase








119867(119898119894 119892119904119894119910119890119894119901 120575119894mod119901)

(secure manner)

ℬ

r = gk ＧＩ＞ p


yp = gs ＧＩ＞ p

publish yp yB

(r sA)



k isinR Zlowastq




119904119910119890119901mod119901)


(1) Proxy Phase



and 1199101015840119901 = 119892119904119860 mod119901














(Step

3c) C

onfir

m regis

ter





A

B

BB

RV

(Step

5c) C

onfir

m ballo

t


If correct

rA = gk ＧＩ＞ p



yp = gs ＧＩ＞ p


p)

publish yp yB in BB

dlgAB

sAB

if correct




ℬ

kisinR Zlowastq



reg

Cert(R)

seB ＧＩ＞NB =

ℬ ℛ

(Ｃ＞ＪＨHR)

ＪＨHR)





HR = H(ＪＱ)


H(ＪＨ eB)
















ℬ ℛ

HR = H(HR r)

Ki = gk ＧＩ＞ p



r

(mb isin m1 m2 mn)


foralli = 1 2 n


e = eb


(mb) = (e s)

r isinR Zlowastq

flag(pn) = 0




(ＪＨHR c)

HR = H(H(ＪＱ) r)




ep i ＧＩ＞ p)


seB ＧＩ＞NB =

ℛ




ℬ










119910119861 = 119892119909119861 mod119901






(2) Proxy Phase


119892119896mod119901 119904119860 = 119909119860119903119860 + 119896mod 119902 and 1199101015840119901 = 119892119904119860 mod119901








(3) Register Phase







(4) Circling Phase











(5) Voting Phase




(6) Counting Phase






6 Security Analysis


61 Signature Scheme



119904119894119910119890119894119901 120575119894mod119901) =119867(119898119894 119892

119896119894minus119904119901119890119894119892119904119901119890119894120575119894mod119901) = 119867(119898119894 119892119896119894120575119894mod119901) =









1015840119901 119901 119892) le Pr(119910 | 119909 1199011 1198921) = 1205761 which






119904(119894)119860 ) 1199101015840(119899+1)119875 119901 119892 to output 119904(119894+1)119860 (ie RO2((1199101015840(119894)119875 119904(119894)119860 )





119904(119894)119860 ) 1199101015840(119899+1)119875 119901 119892) le Pr(119909119899+1 | (119909119894 119910119894) 119910119899+1 1199011 1198921) = 1205762






lowast (2119899 + 2)119879ex 2119879ex






119904119910119890119901mod119901) = 119867(119898119887







62 Voting System










119904119910119890119901mod119901)



7 Comparison






Mambo et al [13]

Yang and Liang [19]

Chen [10]

Tso et al [11]

Proposed




8 Implementation












9 Conclusion


Nomenclature

Notation











Yes

No

Show list_B

End



Add B to list_B



Main thread

Show list_A



Add A to list_A

Request delegation

Start thread b2


Stop thread b2

Set issue



Add V to list_V

Thread b3

Show list_V

Send event to V

End vote


Start thread b7

Broadcast event

Thread b5


Receive a request

Thread b6

Generate signature


Thread b7

Main thread

A B

Start thread r1

Listen to event


Add E to list_E

Thread r1

Show list_E

Select E

Stop thread r1

Vote

Send c to B

Start thread r3



Verify delegation


Delegationlegal

End

Yes

No

Stop thread b1

Verify signature

Calculate

Send to V

End

Main thread

R


credential

Thread v1

Listen to event


Thread v2

Stop thread v1 v2



Thread v3

Start thread v3 v4

Wait for

Receive

Thread v4

Add to list_

Stop thread v3 v4


End

Main thread

V



Start thread r2

End

Stop thread r2

End delegation

Yes

No


Start threada1sima3

Request yA

Add yp to list_y

Stop threada1sima3

Start threadb4simb6

Stop threadb4simb6



Request yp and yB

Request yp and yB

Thread r2

Thread r3

Thread b4

Receive c from R


Select V


Thread b1

Select A

Thread a3

Thread a2

Thread a1

Delegate B

Select B





Time 6105 8165 321 428 4445 3875 472 447 396


















Disclosure




Acknowledgments


References









































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation










for i = 1 2 n

Ki = gk ＧＩ＞ p




m1 m2 mn c

if correct

for i = 1 2 n




(mb isin m1 m2 mn)

ei = H(mi gs y

ep i ＧＩ＞ p)

e = eb


= (e s)

ℬ ℛ

ki isinR Zlowastq

isinR Zlowastq

(ei si) 1 le i le n


(mb )e = H(mb g

syep ＧＩ＞ p)

ℛ


(2) Proxy Phase



and 119910119901 = 119892119904119901 mod119901



(3) Signing Phase








119867(119898119894 119892119904119894119910119890119894119901 120575119894mod119901)

(secure manner)

ℬ

r = gk ＧＩ＞ p


yp = gs ＧＩ＞ p

publish yp yB

(r sA)



k isinR Zlowastq




119904119910119890119901mod119901)


(1) Proxy Phase



and 1199101015840119901 = 119892119904119860 mod119901














(Step

3c) C

onfir

m regis

ter





A

B

BB

RV

(Step

5c) C

onfir

m ballo

t


If correct

rA = gk ＧＩ＞ p



yp = gs ＧＩ＞ p


p)

publish yp yB in BB

dlgAB

sAB

if correct




ℬ

kisinR Zlowastq



reg

Cert(R)

seB ＧＩ＞NB =

ℬ ℛ

(Ｃ＞ＪＨHR)

ＪＨHR)





HR = H(ＪＱ)


H(ＪＨ eB)
















ℬ ℛ

HR = H(HR r)

Ki = gk ＧＩ＞ p



r

(mb isin m1 m2 mn)


foralli = 1 2 n


e = eb


(mb) = (e s)

r isinR Zlowastq

flag(pn) = 0




(ＪＨHR c)

HR = H(H(ＪＱ) r)




ep i ＧＩ＞ p)


seB ＧＩ＞NB =

ℛ




ℬ










119910119861 = 119892119909119861 mod119901






(2) Proxy Phase


119892119896mod119901 119904119860 = 119909119860119903119860 + 119896mod 119902 and 1199101015840119901 = 119892119904119860 mod119901








(3) Register Phase







(4) Circling Phase











(5) Voting Phase




(6) Counting Phase






6 Security Analysis


61 Signature Scheme



119904119894119910119890119894119901 120575119894mod119901) =119867(119898119894 119892

119896119894minus119904119901119890119894119892119904119901119890119894120575119894mod119901) = 119867(119898119894 119892119896119894120575119894mod119901) =









1015840119901 119901 119892) le Pr(119910 | 119909 1199011 1198921) = 1205761 which






119904(119894)119860 ) 1199101015840(119899+1)119875 119901 119892 to output 119904(119894+1)119860 (ie RO2((1199101015840(119894)119875 119904(119894)119860 )





119904(119894)119860 ) 1199101015840(119899+1)119875 119901 119892) le Pr(119909119899+1 | (119909119894 119910119894) 119910119899+1 1199011 1198921) = 1205762






lowast (2119899 + 2)119879ex 2119879ex






119904119910119890119901mod119901) = 119867(119898119887







62 Voting System










119904119910119890119901mod119901)



7 Comparison






Mambo et al [13]

Yang and Liang [19]

Chen [10]

Tso et al [11]

Proposed




8 Implementation












9 Conclusion


Nomenclature

Notation











Yes

No

Show list_B

End



Add B to list_B



Main thread

Show list_A



Add A to list_A

Request delegation

Start thread b2


Stop thread b2

Set issue



Add V to list_V

Thread b3

Show list_V

Send event to V

End vote


Start thread b7

Broadcast event

Thread b5


Receive a request

Thread b6

Generate signature


Thread b7

Main thread

A B

Start thread r1

Listen to event


Add E to list_E

Thread r1

Show list_E

Select E

Stop thread r1

Vote

Send c to B

Start thread r3



Verify delegation


Delegationlegal

End

Yes

No

Stop thread b1

Verify signature

Calculate

Send to V

End

Main thread

R


credential

Thread v1

Listen to event


Thread v2

Stop thread v1 v2



Thread v3

Start thread v3 v4

Wait for

Receive

Thread v4

Add to list_

Stop thread v3 v4


End

Main thread

V



Start thread r2

End

Stop thread r2

End delegation

Yes

No


Start threada1sima3

Request yA

Add yp to list_y

Stop threada1sima3

Start threadb4simb6

Stop threadb4simb6



Request yp and yB

Request yp and yB

Thread r2

Thread r3

Thread b4

Receive c from R


Select V


Thread b1

Select A

Thread a3

Thread a2

Thread a1

Delegate B

Select B





Time 6105 8165 321 428 4445 3875 472 447 396


















Disclosure




Acknowledgments


References









































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation















(Step

3c) C

onfir

m regis

ter





A

B

BB

RV

(Step

5c) C

onfir

m ballo

t


If correct

rA = gk ＧＩ＞ p



yp = gs ＧＩ＞ p


p)

publish yp yB in BB

dlgAB

sAB

if correct




ℬ

kisinR Zlowastq



reg

Cert(R)

seB ＧＩ＞NB =

ℬ ℛ

(Ｃ＞ＪＨHR)

ＪＨHR)





HR = H(ＪＱ)


H(ＪＨ eB)
















ℬ ℛ

HR = H(HR r)

Ki = gk ＧＩ＞ p



r

(mb isin m1 m2 mn)


foralli = 1 2 n


e = eb


(mb) = (e s)

r isinR Zlowastq

flag(pn) = 0




(ＪＨHR c)

HR = H(H(ＪＱ) r)




ep i ＧＩ＞ p)


seB ＧＩ＞NB =

ℛ




ℬ










119910119861 = 119892119909119861 mod119901






(2) Proxy Phase


119892119896mod119901 119904119860 = 119909119860119903119860 + 119896mod 119902 and 1199101015840119901 = 119892119904119860 mod119901








(3) Register Phase







(4) Circling Phase











(5) Voting Phase




(6) Counting Phase






6 Security Analysis


61 Signature Scheme



119904119894119910119890119894119901 120575119894mod119901) =119867(119898119894 119892

119896119894minus119904119901119890119894119892119904119901119890119894120575119894mod119901) = 119867(119898119894 119892119896119894120575119894mod119901) =









1015840119901 119901 119892) le Pr(119910 | 119909 1199011 1198921) = 1205761 which






119904(119894)119860 ) 1199101015840(119899+1)119875 119901 119892 to output 119904(119894+1)119860 (ie RO2((1199101015840(119894)119875 119904(119894)119860 )





119904(119894)119860 ) 1199101015840(119899+1)119875 119901 119892) le Pr(119909119899+1 | (119909119894 119910119894) 119910119899+1 1199011 1198921) = 1205762






lowast (2119899 + 2)119879ex 2119879ex






119904119910119890119901mod119901) = 119867(119898119887







62 Voting System










119904119910119890119901mod119901)



7 Comparison






Mambo et al [13]

Yang and Liang [19]

Chen [10]

Tso et al [11]

Proposed




8 Implementation












9 Conclusion


Nomenclature

Notation











Yes

No

Show list_B

End



Add B to list_B



Main thread

Show list_A



Add A to list_A

Request delegation

Start thread b2


Stop thread b2

Set issue



Add V to list_V

Thread b3

Show list_V

Send event to V

End vote


Start thread b7

Broadcast event

Thread b5


Receive a request

Thread b6

Generate signature


Thread b7

Main thread

A B

Start thread r1

Listen to event


Add E to list_E

Thread r1

Show list_E

Select E

Stop thread r1

Vote

Send c to B

Start thread r3



Verify delegation


Delegationlegal

End

Yes

No

Stop thread b1

Verify signature

Calculate

Send to V

End

Main thread

R


credential

Thread v1

Listen to event


Thread v2

Stop thread v1 v2



Thread v3

Start thread v3 v4

Wait for

Receive

Thread v4

Add to list_

Stop thread v3 v4


End

Main thread

V



Start thread r2

End

Stop thread r2

End delegation

Yes

No


Start threada1sima3

Request yA

Add yp to list_y

Stop threada1sima3

Start threadb4simb6

Stop threadb4simb6



Request yp and yB

Request yp and yB

Thread r2

Thread r3

Thread b4

Receive c from R


Select V


Thread b1

Select A

Thread a3

Thread a2

Thread a1

Delegate B

Select B





Time 6105 8165 321 428 4445 3875 472 447 396


















Disclosure




Acknowledgments


References









































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation










ℬ ℛ

HR = H(HR r)

Ki = gk ＧＩ＞ p



r

(mb isin m1 m2 mn)


foralli = 1 2 n


e = eb


(mb) = (e s)

r isinR Zlowastq

flag(pn) = 0




(ＪＨHR c)

HR = H(H(ＪＱ) r)




ep i ＧＩ＞ p)


seB ＧＩ＞NB =

ℛ




ℬ










119910119861 = 119892119909119861 mod119901






(2) Proxy Phase


119892119896mod119901 119904119860 = 119909119860119903119860 + 119896mod 119902 and 1199101015840119901 = 119892119904119860 mod119901








(3) Register Phase







(4) Circling Phase











(5) Voting Phase




(6) Counting Phase






6 Security Analysis


61 Signature Scheme



119904119894119910119890119894119901 120575119894mod119901) =119867(119898119894 119892

119896119894minus119904119901119890119894119892119904119901119890119894120575119894mod119901) = 119867(119898119894 119892119896119894120575119894mod119901) =









1015840119901 119901 119892) le Pr(119910 | 119909 1199011 1198921) = 1205761 which






119904(119894)119860 ) 1199101015840(119899+1)119875 119901 119892 to output 119904(119894+1)119860 (ie RO2((1199101015840(119894)119875 119904(119894)119860 )





119904(119894)119860 ) 1199101015840(119899+1)119875 119901 119892) le Pr(119909119899+1 | (119909119894 119910119894) 119910119899+1 1199011 1198921) = 1205762






lowast (2119899 + 2)119879ex 2119879ex






119904119910119890119901mod119901) = 119867(119898119887







62 Voting System










119904119910119890119901mod119901)



7 Comparison






Mambo et al [13]

Yang and Liang [19]

Chen [10]

Tso et al [11]

Proposed




8 Implementation












9 Conclusion


Nomenclature

Notation











Yes

No

Show list_B

End



Add B to list_B



Main thread

Show list_A



Add A to list_A

Request delegation

Start thread b2


Stop thread b2

Set issue



Add V to list_V

Thread b3

Show list_V

Send event to V

End vote


Start thread b7

Broadcast event

Thread b5


Receive a request

Thread b6

Generate signature


Thread b7

Main thread

A B

Start thread r1

Listen to event


Add E to list_E

Thread r1

Show list_E

Select E

Stop thread r1

Vote

Send c to B

Start thread r3



Verify delegation


Delegationlegal

End

Yes

No

Stop thread b1

Verify signature

Calculate

Send to V

End

Main thread

R


credential

Thread v1

Listen to event


Thread v2

Stop thread v1 v2



Thread v3

Start thread v3 v4

Wait for

Receive

Thread v4

Add to list_

Stop thread v3 v4


End

Main thread

V



Start thread r2

End

Stop thread r2

End delegation

Yes

No


Start threada1sima3

Request yA

Add yp to list_y

Stop threada1sima3

Start threadb4simb6

Stop threadb4simb6



Request yp and yB

Request yp and yB

Thread r2

Thread r3

Thread b4

Receive c from R


Select V


Thread b1

Select A

Thread a3

Thread a2

Thread a1

Delegate B

Select B





Time 6105 8165 321 428 4445 3875 472 447 396


















Disclosure




Acknowledgments


References









































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation










(4) Circling Phase











(5) Voting Phase




(6) Counting Phase






6 Security Analysis


61 Signature Scheme



119904119894119910119890119894119901 120575119894mod119901) =119867(119898119894 119892

119896119894minus119904119901119890119894119892119904119901119890119894120575119894mod119901) = 119867(119898119894 119892119896119894120575119894mod119901) =









1015840119901 119901 119892) le Pr(119910 | 119909 1199011 1198921) = 1205761 which






119904(119894)119860 ) 1199101015840(119899+1)119875 119901 119892 to output 119904(119894+1)119860 (ie RO2((1199101015840(119894)119875 119904(119894)119860 )





119904(119894)119860 ) 1199101015840(119899+1)119875 119901 119892) le Pr(119909119899+1 | (119909119894 119910119894) 119910119899+1 1199011 1198921) = 1205762






lowast (2119899 + 2)119879ex 2119879ex






119904119910119890119901mod119901) = 119867(119898119887







62 Voting System










119904119910119890119901mod119901)



7 Comparison






Mambo et al [13]

Yang and Liang [19]

Chen [10]

Tso et al [11]

Proposed




8 Implementation












9 Conclusion


Nomenclature

Notation











Yes

No

Show list_B

End



Add B to list_B



Main thread

Show list_A



Add A to list_A

Request delegation

Start thread b2


Stop thread b2

Set issue



Add V to list_V

Thread b3

Show list_V

Send event to V

End vote


Start thread b7

Broadcast event

Thread b5


Receive a request

Thread b6

Generate signature


Thread b7

Main thread

A B

Start thread r1

Listen to event


Add E to list_E

Thread r1

Show list_E

Select E

Stop thread r1

Vote

Send c to B

Start thread r3



Verify delegation


Delegationlegal

End

Yes

No

Stop thread b1

Verify signature

Calculate

Send to V

End

Main thread

R


credential

Thread v1

Listen to event


Thread v2

Stop thread v1 v2



Thread v3

Start thread v3 v4

Wait for

Receive

Thread v4

Add to list_

Stop thread v3 v4


End

Main thread

V



Start thread r2

End

Stop thread r2

End delegation

Yes

No


Start threada1sima3

Request yA

Add yp to list_y

Stop threada1sima3

Start threadb4simb6

Stop threadb4simb6



Request yp and yB

Request yp and yB

Thread r2

Thread r3

Thread b4

Receive c from R


Select V


Thread b1

Select A

Thread a3

Thread a2

Thread a1

Delegate B

Select B





Time 6105 8165 321 428 4445 3875 472 447 396


















Disclosure




Acknowledgments


References









































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation












lowast (2119899 + 2)119879ex 2119879ex






119904119910119890119901mod119901) = 119867(119898119887







62 Voting System










119904119910119890119901mod119901)



7 Comparison






Mambo et al [13]

Yang and Liang [19]

Chen [10]

Tso et al [11]

Proposed




8 Implementation












9 Conclusion


Nomenclature

Notation











Yes

No

Show list_B

End



Add B to list_B



Main thread

Show list_A



Add A to list_A

Request delegation

Start thread b2


Stop thread b2

Set issue



Add V to list_V

Thread b3

Show list_V

Send event to V

End vote


Start thread b7

Broadcast event

Thread b5


Receive a request

Thread b6

Generate signature


Thread b7

Main thread

A B

Start thread r1

Listen to event


Add E to list_E

Thread r1

Show list_E

Select E

Stop thread r1

Vote

Send c to B

Start thread r3



Verify delegation


Delegationlegal

End

Yes

No

Stop thread b1

Verify signature

Calculate

Send to V

End

Main thread

R


credential

Thread v1

Listen to event


Thread v2

Stop thread v1 v2



Thread v3

Start thread v3 v4

Wait for

Receive

Thread v4

Add to list_

Stop thread v3 v4


End

Main thread

V



Start thread r2

End

Stop thread r2

End delegation

Yes

No


Start threada1sima3

Request yA

Add yp to list_y

Stop threada1sima3

Start threadb4simb6

Stop threadb4simb6



Request yp and yB

Request yp and yB

Thread r2

Thread r3

Thread b4

Receive c from R


Select V


Thread b1

Select A

Thread a3

Thread a2

Thread a1

Delegate B

Select B





Time 6105 8165 321 428 4445 3875 472 447 396


















Disclosure




Acknowledgments


References









































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation












Mambo et al [13]

Yang and Liang [19]

Chen [10]

Tso et al [11]

Proposed




8 Implementation












9 Conclusion


Nomenclature

Notation











Yes

No

Show list_B

End



Add B to list_B



Main thread

Show list_A



Add A to list_A

Request delegation

Start thread b2


Stop thread b2

Set issue



Add V to list_V

Thread b3

Show list_V

Send event to V

End vote


Start thread b7

Broadcast event

Thread b5


Receive a request

Thread b6

Generate signature


Thread b7

Main thread

A B

Start thread r1

Listen to event


Add E to list_E

Thread r1

Show list_E

Select E

Stop thread r1

Vote

Send c to B

Start thread r3



Verify delegation


Delegationlegal

End

Yes

No

Stop thread b1

Verify signature

Calculate

Send to V

End

Main thread

R


credential

Thread v1

Listen to event


Thread v2

Stop thread v1 v2



Thread v3

Start thread v3 v4

Wait for

Receive

Thread v4

Add to list_

Stop thread v3 v4


End

Main thread

V



Start thread r2

End

Stop thread r2

End delegation

Yes

No


Start threada1sima3

Request yA

Add yp to list_y

Stop threada1sima3

Start threadb4simb6

Stop threadb4simb6



Request yp and yB

Request yp and yB

Thread r2

Thread r3

Thread b4

Receive c from R


Select V


Thread b1

Select A

Thread a3

Thread a2

Thread a1

Delegate B

Select B





Time 6105 8165 321 428 4445 3875 472 447 396


















Disclosure




Acknowledgments


References









































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation












Yes

No

Show list_B

End



Add B to list_B



Main thread

Show list_A



Add A to list_A

Request delegation

Start thread b2


Stop thread b2

Set issue



Add V to list_V

Thread b3

Show list_V

Send event to V

End vote


Start thread b7

Broadcast event

Thread b5


Receive a request

Thread b6

Generate signature


Thread b7

Main thread

A B

Start thread r1

Listen to event


Add E to list_E

Thread r1

Show list_E

Select E

Stop thread r1

Vote

Send c to B

Start thread r3



Verify delegation


Delegationlegal

End

Yes

No

Stop thread b1

Verify signature

Calculate

Send to V

End

Main thread

R


credential

Thread v1

Listen to event


Thread v2

Stop thread v1 v2



Thread v3

Start thread v3 v4

Wait for

Receive

Thread v4

Add to list_

Stop thread v3 v4


End

Main thread

V



Start thread r2

End

Stop thread r2

End delegation

Yes

No


Start threada1sima3

Request yA

Add yp to list_y

Stop threada1sima3

Start threadb4simb6

Stop threadb4simb6



Request yp and yB

Request yp and yB

Thread r2

Thread r3

Thread b4

Receive c from R


Select V


Thread b1

Select A

Thread a3

Thread a2

Thread a1

Delegate B

Select B





Time 6105 8165 321 428 4445 3875 472 447 396


















Disclosure




Acknowledgments


References









































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation












Time 6105 8165 321 428 4445 3875 472 447 396


















Disclosure




Acknowledgments


References









































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation

















Disclosure




Acknowledgments


References









































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation

























RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation









Design and Implementation of a Mobile Voting System Using ...

Documents

Transcript of Design and Implementation of a Mobile Voting System Using ...