
Efficient Homomorphic E-Voting Based On Batch Proof Techniques — An Improvement to Secure MPC Application
2022 19th Annual International Conference on Privacy, Security & Trust (PST) | 978-1-6654-7398-9/22/$31.00 ©2022 IEEE | DOI: 10.1109/PST55820.2022.9851967

Kun Peng

Huawei Technology Ltd


China
Kun Peng CPU@hotmail.com

Abstract—E-voting is an important application of secure MPC (multi-party computation), and its security through verifiable MPC can be based on homomorphic encryption or shuffling. Homomorphic-encryption-based e-voting is often less costly than shuffling-based e-voting, but depends on the validity of the encrypted ballots. Proof and verification of the validity of all the encrypted ballots is the efficiency bottleneck to overcome. So homomorphic e-voting schemes still need efficiency improvements to support users with low-capability devices. In this paper, a novel e-voting scheme is proposed on the basis of an efficiency-improving technology, batch ZK proof of 1-out-of-2 knowledge. It achieves much higher efficiency in ballot validity proof and can improve the efficiency of homomorphic e-voting to achieve an obvious advantage over the existing solutions. It is a good example to illustrate how the efficiency of secure MPC can be improved by batch cryptology.

I. INTRODUCTION

In the wide range of secure MPC applications, e-voting has more real-world implementations than the others, running in many elections in multiple countries every day. It is also a typical example to show how MPC can be publicly verified against attacks by active adversaries. There are two main approaches to secure electronic voting: one based on homomorphic encryption and one based on mix-nets. Both of them must satisfy three security requirements: correctness, soundness and privacy. Correctness requires that when all the participants (voters and talliers) are trusted and strictly follow the e-voting protocol, all the votes are counted without being tampered with. Soundness requires that, without any trust assumption on them, if all the public verifications are passed then all the votes are guaranteed to be counted without being tampered with. Privacy requires that no voter’s selection is revealed.

Homomorphic e-voting [1], [19], [27], [14], [4], [15], [11], [16], [17], [18], [24], [12], [23], [3], [25], [26], [2], [7], [28], [29] is in general more efficient than mix-net-based e-voting, especially in the tallying phase. Homomorphic tallying does not decrypt the encrypted votes separately but exploits the homomorphism of the employed encryption algorithm to collectively open the encrypted votes using a small number of decryptions. The homomorphic e-voting schemes employ a homomorphic encryption algorithm with decryption function $D()$ to seal the votes such that $D(c_1) + D(c_2) = D(c_1 c_2)$ holds for any ciphertexts $c_1$ and $c_2$. Every voter encrypts a selection for each candidate and then the homomorphism of the encryption algorithm is exploited to calculate the sum of the votes for every candidate. The homomorphism property requires that each ballot adopt a certain format, so that the number of selections for each candidate can be correctly counted. More precisely, in homomorphic e-voting every ballot contains one or more sections (each representing a section for the candidates or a possible combination of them) and every section must be one of two pre-defined integers (e.g. 0 and 1), each representing support or rejection of a candidate or choice. So each ballot must be publicly proved to be valid (in the special format). In terms of MPC security, the active malicious model must be adopted to deal with participants who may deviate from the MPC protocol when launching an attack, so their operations must be verified to be valid. The ballot validity proof is a heavy burden (especially when the election rule is complex, e.g. when the number of candidates is large) on the voters, who may be using low-capability mobile devices to cast their ballots.

Ballot validity proof is the bottleneck of homomorphic e-voting. When it is naively carried out, it depends on multiple instances of ZK proof of partial knowledge [9], each for a selection, obviously an inefficient implementation. When studying how to improve the efficiency of ballot validity proof we notice that Chida and Yamamoto propose a batch proof technology [8] to batch prove multiple instances of zero knowledge proof of partial knowledge. There are four batch proof protocols in [8], which can be employed to batch prove partial knowledge of the messages in multiple commitments in various circumstances. We find that the batch proof technology in [8] can be modified and extended to optimise ballot validity proof in homomorphic e-voting. Although it is imperfect in theory and may let deliberately malleated incorrect proofs pass its verification, in practice it can still be used to process normal inputs in some real-world applications like e-voting. So, we upgrade it to support our new homomorphic e-voting scheme.

In this paper, besides adjusting and extending the batch proof technology in [8], we also develop the idea of homomorphic tallying in a novel e-voting scheme to suit the batch proof techniques to guarantee ballot validity, having noticed that the batch proof technology in [8] cannot be directly applied to general ballot validity proof in homomorphic e-voting. More precisely, we propose two new homomorphic e-voting schemes in Section III and Section IV respectively. In the first scheme, the batch proof technology in [8] is directly adjusted to build a secure and efficient homomorphic e-voting system. In the second scheme, we optimise the ballot validity proof into a membership proof of an encryption in a set $S$ and modify/upgrade the original batch proof technology in [8] to support the membership proof. In this way, we can batch not only the validity of one ballot but also all the votes to further improve efficiency. We show that an invalid vote cannot pass our new ballot validity proof protocols except with a negligible probability. Our new e-voting schemes overcome the efficiency bottleneck and achieve better performance than the existing homomorphic e-voting schemes.

II. BACKGROUND

In this section, homomorphic e-voting and batch ZK proof of knowledge of partial knowledge are recalled to give the readers more background knowledge.

A. Homomorphic E-voting

Homomorphic e-voting usually works as follows.

1) Suppose $w$ voters and $n$ candidates take part in the election such that each voter has to make his selection from the candidates in his ballot.
2) Each voter $V_i$ prepares his ballot $(s_{i,1}, s_{i,2}, \ldots, s_{i,n})$ where $s_{i,j} = 0$ or $s_{i,j} = 1$ for $j = 1, 2, \ldots, n$. A principle is adopted: $s_{i,j} = 1$ iff the $j$th candidate is $V_i$’s selection.
3) Each $V_i$ encrypts $(s_{i,1}, s_{i,2}, \ldots, s_{i,n})$ into $(e_{i,1}, e_{i,2}, \ldots, e_{i,n})$ where the message space of the employed encryption algorithm is $Z_q$ such that $q > w$.
4) For $i = 1, 2, \ldots, w$, each $V_i$ has to prove that

   $$e_{i,j} = E(0) \text{ or } e_{i,j} = E(1) \text{ for } j = 1, 2, \ldots, n \qquad (1)$$

   where $E()$ denotes the vote-sealing encryption algorithm. The proof must be successfully verified, otherwise the following homomorphic tallying cannot be completed.

   a) The talliers verify the voters’ proof of validity of all the ballots. The votes failing to pass the verification are deleted.
   b) For simplicity of description, the tallying procedure is presented for the case when all the votes pass the vote validity check. Since $w < q$ and all the votes are successfully verified, any $T$ honest talliers among $A_1, A_2, \ldots, A_M$ can cooperate to decrypt $\prod_{i=1}^{w} e_{i,l}$ to obtain the number of votes for the $l$th candidate for $l = 1, 2, \ldots, n$. While doing the decryption, each $A_j$ has to publicly prove that his partial decryption operation is correct.
   c) The candidate(s) obtaining the most votes wins the election according to the concrete rule.

Proof of (1) can be naively implemented by the zero knowledge proof protocol of partial knowledge by Cramer et al. [9], which addresses the question in its simplest form, proof of knowledge of one of multiple secrets. It proves that the secret in question may be each of the possible choices one by one and then links the multiple proofs with OR logic. It has a drawback: the number of computations it needs is linear in the number of all the possible choices. In homomorphic e-voting, it means that the cost of vote validity check is $O(nw)$, which makes it the efficiency bottleneck.

B. Zero Knowledge Proof Technologies — Can Vote Validity Proof Be Improved?

Since the proposal of ZK proof of partial knowledge [9], there have not been many attempts to upgrade the existing vote validity proof to overcome the efficiency bottleneck of homomorphic e-voting. For example, the pairing-based batch cryptology in [10] aims at other applications and is not an ideal solution for homomorphic e-voting. Peng and Bao in [22] and [21] design alternative ZK proof solutions of OR logic, which significantly improve the efficiency of ZK proof of partial knowledge [9] and address e-voting applications. Unfortunately, they are only secure under a very strict condition and cannot be employed in most practical applications including e-voting, as found in [13]. The proof technology to fix the problem in [13] reduces the computational cost of proof of partial knowledge from in [9] to $O(\lambda \log n)$ (where $\lambda$ is a system parameter), but the new ZK proof of partial knowledge in [13] is not always more efficient and its relative advantage in efficiency is not great. The other related technologies [6], [20], [5], [30] try to improve security and/or performance of partial ZK proof (e.g. pursuing stronger security at the cost of lower efficiency) but none of them achieves a satisfactory balance. The proof protocol in [5] has unlimited generality and strong security but costs $O(n \log_2 n)$. The exclusion proof in [20] reduces the cost to $O(\sqrt{n})$ while maintaining generality and security, but is still not efficient enough. The proof protocol in [6] proposes an upper-level protocol which achieves formal security, but its lower-level operations are not fully implemented to guarantee high efficiency in practice although it claims to be independent of the size of the set $S$. The proof protocol in [30] depends on an alternative cryptographic basis to achieve strong security but ignores efficiency. A comprehensive summary of their properties can be found in Table I where

• $K$ is a system parameter linear in the bit length of an exponent in [5] and depending on the underlying implementation of the calculations;
• in [20], $n = kt$.

To the best of our knowledge, the only appropriate ZK proof technology to be modified and extended to support efficient vote validity proof is the batch zero knowledge proof technology in [8], which is the only commercialised

Authorized licensed use limited to: Australian National University. Downloaded on November 15,2023 at 23:20:07 UTC from IEEE Xplore. Restrictions apply.
TABLE I
COMPARISON OF PARTIAL ZK PROOF

| scheme | inputs | assumption | set choice | statistical or standard ZK | communication | computation of proof |
|---|---|---|---|---|---|---|
| [5] | any format | underlying computational assumption | no limit | standard ZK | $7 \log_2 n$ | $15 \log_2 n + 2n(\log_2 n + 1)/K$ |
| [20] | any format | no additional assumption | no limit | standard ZK | $3k + 7t$ | $7k + 13t - 3$ |
| [13] | any format | no additional assumption | no limit | statistical ZK | $O(\lambda \log n)$ | $O(\lambda \log n)$ |
| [6] | any format | no additional assumption | no limit | intuitively argued to be statistical | $9n + 31$ | claimed $O(1)$ but not fully instantiated |
| [30]^a | any format | underlying computational assumption | no limit | intuitively depending on implementation | seemingly $O(n)$ | seemingly $O(n \log_2 n)$ |

^a The proof protocol in [30] only focuses on the security properties and does not consider cost or performance. Its communicational and computational cost can only be approximately estimated as its implementation description and analysis have not reached the most atomic level.

(by NTT) batch proof technique to address ZK proof of OR logic. Chida and Yamamoto design a batch zero knowledge proof technology [8] to enhance the performance of proofs of knowledge of partial knowledge when they are carried out simultaneously in multiple instances. Zero knowledge proof is a common secure protocol in applied cryptology, where a prover claims he knows some secret in a certain language and then proves his claim without revealing any secret. Usually, the proof must face a random challenge, to which it has to give a correct response to pass a verification. The particular zero knowledge proof protocol Chida and Yamamoto are interested in proves that some of multiple knowledge statements are true. This proof technique enables a prover to prove that he possesses a subset of multiple secret ID tokens, signs some messages using a subset of multiple private keys or has committed to a subset of multiple secret inputs etc., while the zero knowledge property of the proof protocol prevents the verifiers from obtaining any information about which of the multiple secrets the prover knows.

Chida and Yamamoto’s proposal applies batch proof, a technique traditionally used to improve the efficiency of multiple proofs linked with AND logic, to batch multiple proofs linked with both AND and OR logic. Although in theory it cannot achieve the perfect security claimed in [8] and may let deliberately malleated incorrect proofs pass its verification, it can be flexibly adjusted to suit special applications with practical inputs.

Chida and Yamamoto propose altogether four batch proof protocols (Protocols 3, 4, 6 and 9 in [8]) to improve the speed of proof of partial knowledge in different settings, all involving $n$ knowledge statements of OR logic. They recommend application of their batch proof technique to NTT’s IT products which need to process multiple crypto-based objects like digital signatures. More precisely, in [8], a prover wants to simultaneously run $n$ instances of ZK proof of partial knowledge. For example, Protocol 3 in [8] deals with a typical question: $n$ instances of the partial knowledge proof protocol by [9] as recalled in Figure 1 must be proved simultaneously when $m = 2$.

$P$ claims that he knows at least one of $\log_g y_1, \log_g y_2, \ldots, \log_g y_m$ where $y_1, y_2, \ldots, y_m$ are in $G$.

1) $P \to V$: $a_1, a_2, \ldots, a_m \in G$
   where the concrete algorithm to generate them is not involved in this paper and can be found in [9], so is not described here for simplicity.

2) $V \to P$: $c \in_R Z_q$

3) $P \to V$: $c_1, c_2, \ldots, c_m, w_1, w_2, \ldots, w_m$
   where the concrete algorithm to generate them is not involved in this paper and can be found in [9], so is not described here for simplicity.

Verification:

$$g^{w_i} = a_i y_i^{c_i} \bmod p \text{ for } i = 1, 2, \ldots, m$$

$$c = \sum_{i=1}^{m} c_i \bmod q$$

Fig. 1. ZK proof of knowledge of one of multiple discrete logarithms

The principle of the proof protocol in Figure 1 is that if, after publishing $y_1, y_2, \ldots, y_m$ and $a_1, a_2, \ldots, a_m$ and then given a random challenge $c$, the prover can provide $\log_g a_i y_i^{c_i}$ for $i = 1, 2, \ldots, m$ such that $c = \sum_{i=1}^{m} c_i \bmod q$, then he knows at least one of $\log_g y_1, \log_g y_2, \ldots, \log_g y_m$. If the prover gives the $n$ instances of proof one by one separately, the total computational cost may reach a high level, especially when $n$ is a large number. So Chida and Yamamoto invent a batch proof technology to prove $n$ instances of partial knowledge as a whole, such that too high a cost can be avoided. They design four batch proof protocols (Protocols 3, 4, 6 and 9 in [8]) to batch prove various knowledge statements. The first of them, Protocol 3, is a batch proof of $n$ instances of the proof protocol in Figure 1 when $m = 2$, as described in Figure 2, where for consistency with [9] simpler notation than the original is used.
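The three moves and the verification of Fig. 1, as an added Python example that is not part of the paper. The commitment and response generation, which the paper leaves to [9], follow the standard construction in which every branch except the known one is simulated; the group parameters and all function names are assumptions of this example.

```python
import secrets

# Demo group (an assumption of this example, far too small for a real election):
# p = 2^89 - 1 is a Mersenne prime and q = 2931542417 is a prime factor of p - 1.
P = 2**89 - 1
Q = 2931542417
# First element of order q obtained by raising small bases to (p - 1) / q.
G = next(cand for b in range(2, 50) if (cand := pow(b, (P - 1) // Q, P)) != 1)


def simulate_all(ys):
    """Pick c_i and w_i first, then solve g^{w_i} = a_i * y_i^{c_i} for a_i.

    Needs no discrete logarithm, but fixes sum(c_i) before any challenge is seen.
    """
    cs = [secrets.randbelow(Q) for _ in ys]
    ws = [secrets.randbelow(Q) for _ in ys]
    a = [pow(G, w, P) * pow(pow(y, c, P), -1, P) % P
         for y, c, w in zip(ys, cs, ws)]
    return a, cs, ws


def prover_commit(ys, k):
    """Move 1: the prover knows log_g ys[k] only and simulates the other branches."""
    a, cs, ws = simulate_all(ys)
    t = secrets.randbelow(Q)
    a[k] = pow(G, t, P)              # real branch: ordinary commitment g^t
    return a, (k, t, cs, ws)


def prover_respond(state, c, x_k):
    """Move 3: choose c_k so that all c_i sum to c, then answer the real branch."""
    k, t, cs, ws = state
    cs, ws = list(cs), list(ws)
    cs[k] = (c - sum(cs) + cs[k]) % Q
    ws[k] = (t + cs[k] * x_k) % Q
    return cs, ws


def verify(ys, a, c, cs, ws):
    """Fig. 1 check: g^{w_i} = a_i y_i^{c_i} mod p for every i and sum(c_i) = c mod q."""
    if sum(cs) % Q != c % Q:
        return False
    return all(pow(G, w, P) == ai * pow(y, ci, P) % P
               for y, ai, ci, w in zip(ys, a, cs, ws))


def run(m=4, k=2):
    """One honest execution with m statements; the prover knows the k-th logarithm."""
    xs = [secrets.randbelow(Q - 1) + 1 for _ in range(m)]
    ys = [pow(G, x, P) for x in xs]
    a, state = prover_commit(ys, k)
    c = secrets.randbelow(Q)         # move 2: the verifier's random challenge
    cs, ws = prover_respond(state, c, xs[k])
    return ys, a, c, cs, ws
```

A fully simulated transcript verifies only for the one challenge equal to the sum of its own $c_i$, which is why the verifier's challenge must be chosen after the $a_i$ are published.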

Fig. 2. ZK batch proof of multiple instances of knowledge of one out of two discrete logarithms by Chida and Yamamoto

Chida and Yamamoto have formally proved that their batch proof protocols are sound; soundness requires that if the proof passes its verification with an overwhelmingly large probability, its claim is guaranteed to be correct. In the case of Chida and Yamamoto’s batch proof protocol in Fig 2, its soundness requires that the probability that it passes its verification is negligible if the prover knows neither logarithm in a pair $\log_g y_{i,0}, \log_g y_{i,1}$ for any $i = 1$ or $2$ ... or $n$.

As the computational cost of the proof protocol in [8] is $O(1)$ and it has no obvious drawback when supporting vote validity proof, it is an ideal technology to be upgraded for secure and efficient homomorphic e-voting. In this paper, the batch proof technology in [8] is adjusted, modified and extended to support our new homomorphic e-voting schemes.

III. BATCHED BALLOT VALIDITY PROOF

Let us try to improve the efficiency of the proof of (1). When ElGamal encryption is employed to seal the votes such that

$$e_{i,j} = (a_{i,j}, b_{i,j}) = (g^{r_{i,j}}, g^{s_{i,j}} h^{r_{i,j}})$$

where $g$ is a generator of a large cyclic group $G$ with order $q$, $h$ is the ElGamal public key in $G$ and $r_{i,j}$ are randomly chosen from $Z_q$, the proof in (1) becomes each $V_i$’s proof of knowledge of $r_{i,j}$ such that

$$(a_{i,j} = g^{r_{i,j}} \text{ and } b_{i,j} = h^{r_{i,j}}) \text{ or } (a_{i,j} = g^{r_{i,j}} \text{ and } b_{i,j}/g = h^{r_{i,j}})$$

for $j = 1, 2, \ldots, n$.

This proof seems to match the batch proof protocols in [8], which can be adapted to optimise the proof of (2) as demonstrated in Fig 3.

• $V_i$ claims that $\log_g a_{i,j} = \log_h b_{i,j}$ or $\log_g a_{i,j} = \log_h (b_{i,j}/g)$ for $j = 1, 2, \ldots, n$.
• Common input: $q$, $g$, $h$ and $e_{i,j}$ for $j = 1, 2, \ldots, n$.
• Secret input: $r_{i,j}$ and $b_j$ for $j = 1, 2, \ldots, n$ such that $b_j = 0$ if $\log_g a_{i,j} = \log_h b_{i,j}$ and $b_j = 1$ if $\log_g a_{i,j} = \log_h (b_{i,j}/g)$.

1) The voter randomly chooses $r, v, c_{i,1-b_i} \in_R Z_q$ and calculates

   $$R_0 = g^{r} \prod_{\{j \mid b_j = 1\}} a_{i,j}^{c_{j,0}}$$
   $$R_0' = h^{r} \prod_{\{j \mid b_j = 1\}} b_{i,j}^{c_{j,0}}$$
   $$R_1 = g^{v} \prod_{\{j \mid b_j = 0\}} a_{i,j}^{c_{j,1}}$$
   $$R_1' = h^{v} \prod_{\{j \mid b_j = 0\}} b_{i,j}^{c_{j,1}}$$
   $$c_j = H(CI \| c_{j-1} \| c_{j-1,0})$$
   $$c_{j,b_j} = c_j - c_{j,1-b_j} \bmod q$$
   $$z_0 = r - \sum_{\{j \mid b_j = 0\}} c_{j,0}\, r_{i,j} \bmod q$$
   $$z_1 = v - \sum_{\{j \mid b_j = 1\}} c_{j,1}\, r_{i,j} \bmod q$$

   where $CI$ is the same as defined in Protocol 3 in [8], $c_0 = R_0 + R_0'$, $c_{0,0} = R_1 + R_1'$. He submits $(z_0, z_1, c_1, c_{1,0}, \ldots, c_{n,0})$ to the talliers for verification.

2) Anyone wanting to do a verification calculates

   $$c_{j,1} = c_j - c_{j,0} \bmod q \text{ for } j = 1, 2, \ldots, n$$
   $$c_{j+1} = H(CI \| c_j \| c_{j,0}) \text{ for } j = 1, 2, \ldots, n-1$$

   and verifies

   $$c_1 = H\Big(CI \,\Big\|\, g^{z_0} \prod_{j=1}^{n} a_{i,j}^{c_{j,0}} + h^{z_0} \prod_{j=1}^{n} b_{i,j}^{c_{j,0}} \,\Big\|\, g^{z_1} \prod_{j=1}^{n} a_{i,j}^{c_{j,1}} + h^{z_1} \prod_{j=1}^{n} b_{i,j}^{c_{j,1}}\Big)$$

Fig. 3. Batched ZK proof of ballot validity

This batch proof reduces the number of needed exponentiations from $6n$ to $2n + 4$ and the number of full-length integers (at least $q$-bit long) in the communication from $4n$ to $n + 3$ for every voter’s vote validity proof. Consequently, the performance of homomorphic e-voting is greatly upgraded, as vote validity proof is its dominating overhead. Security of the batched proof of vote validity depends on Lemma 1 and

Lemma 2 in [8]. The former illustrates zero knowledge of the batch proof, while the latter gives a detailed proof that in Protocol 3 in [8] the prover can pass the batch proof and verification with only a negligible probability unless he knows one discrete logarithm in all the $n$ pairs of discrete logarithms. The batch proof in Fig 3 is a slight extension of Protocol 3 in [8], so does not need any additional lemma or theorem to prove its security. However, the basic logic and analysis approach in Lemma 2 in [8] are not very clear, and readers not very familiar with complex zero knowledge proof technologies may not understand exactly how the lemma works. Let us explain its roadmap, explore its logic and fill the missing gaps. Firstly, it needs the additional Protocol 10 in Fig 4, to be used only in the proof of the lemma. Then a 9-step $P^*$-oracle machine, whose steps are specified on the basis of Protocol 10, is employed. Finally, the proof approach follows a special rewinding-and-aborting strategy to exploit the $P^*$-oracle machine, rewinding a step whenever needed and aborting a step whenever getting lost, to conclude that

1) the probability that the $P^*$-oracle machine aborts at Step 5 is negligible;
2) the probability that the $P^*$-oracle machine aborts at Step 7 is negligible in both of two possible situations;
3) ending at Step 9, the $P^*$-oracle machine’s output contradicts an R-incompatibility.

Fig. 4. Protocol 10 and the $P^*$-oracle machine in [8]

The main trick in the proof of Lemma 2 in [8] lies in extensive usage of rewinding. The rewinding happens at Step 3 in its Lemma 2 using the $P^*$-oracle machine as detailed in Fig 4. Firstly, when $c_1, c_2, \ldots, c_{l-1}$ are kept unchanged but $c_l, c_{l+1}, \ldots, c_n$ are randomly chosen, it is unknown how many rewinds are needed to find different $c_l, c_{l+1}, \ldots, c_n$ to pass the verification, although it is still guaranteed that a different set of such $c_l, c_{l+1}, \ldots, c_n$ exists for the set of $c_1, c_2, \ldots, c_{l-1}$ met in Step 1 of the $P^*$-oracle machine, and there exist a set of $c_1, c_2, \ldots, c_{l-1}$ and two different instances of $c_l, c_{l+1}, \ldots, c_n$ to pass the verification with a large probability when the proof is passed except for a negligible probability. For example, in the initial state when $l = n$, for the set $c_1, c_2, \ldots, c_{l-1}$ met in Step 1 of the $P^*$-oracle machine, it is guaranteed that there exists a second $c_n$ to pass the verification after a certain number of rewinds. By assuming that every time satisfactory $c_l, c_{l+1}, \ldots, c_n$ can be found after a limited number of rewinds, there is a guarantee that in all the $n$ rounds of repetition only a polynomial number of rewinds are needed. More importantly, if for the same set of $c_1, c_2, \ldots, c_{l-1}$ two instances of $c_l, c_{l+1}, \ldots, c_n$ are found to pass the verification after some rewinds, it is guaranteed that the prover returns the same $c_{1,0}, c_{2,0}, \ldots, c_{l-1,0}$ to the two different sets of challenges. While the search for a second set of $c_l, c_{l+1}, \ldots, c_n$ can be expected to finish after a polynomial number of rewinds by assuming that the proof is passed with at least a probability and using probability theory, expecting to meet the same response $c_{1,0}, c_{2,0}, \ldots, c_{l-1,0}$ to the two sets of challenges by rewinding is reasonable. So Equations (4) and (5) in Lemma 2 in [8] are sufficient to guarantee soundness as they assume that the same $c_{1,0}, c_{2,0}, \ldots, c_{l-1,0}$, denoted as $c'_{1,0}, c'_{2,0}, \ldots, c'_{l-1,0}$, are met in the rewinds.

IV. MORE ADVANCED BATCH PROOF OF BALLOT VALIDITY

To further increase the effect of batch proof in homomorphic electronic voting, the batch proof technology in [8] can be further extended to upgrade batch proof of ballot validity. Firstly, ballot validity checking is modified as follows.

1) The talliers $A_1, A_2, \ldots, A_M$ collectively choose a set of public integers $S = \{s_1, s_2, \ldots, s_n\}$, where every $s_l$ is randomly chosen from $Z_K$ and $K$ is a large integer acting as security parameter, which is smaller than $q$ but makes $n/K$ negligible. For example, $S$ can be generated as follows.
   a) Every $A_j$ outputs a random integer $S_{l,j}$ from $Z_K$ and commits to $H_{l,j} = H_j(S_{l,j})$ for $l = 1, 2, \ldots, n$

      where $H_j()$ is a hash function with the one-way and collision-resistant properties.
   b) After all the commitments $H_{l,j}$ are published, every $A_j$ reveals $S_{l,j}$ for $l = 1, 2, \ldots, n$ and any observer can check their validity against the hash functions $H_{l,j}$ for $l = 1, 2, \ldots, n$.
   c) $s_l = \sum_{j=1}^{M} S_{l,j} \bmod K$ for $l = 1, 2, \ldots, n$.
2) Given the challenge $S$, to prove validity of his encrypted voting vector in $(e_{i,1}, e_{i,2}, \ldots, e_{i,n})$, each $V_i$ has to prove that the plaintext encrypted in $C_i = \prod_{l=1}^{n} e_{i,l}^{s_l}$ is in $S$. As guaranteed in Theorem 1, this proof is reliable evidence that the ballot encrypted in $(e_{i,1}, e_{i,2}, \ldots, e_{i,n})$ is in the correct format with an overwhelmingly large probability. When ElGamal encryption is employed for ballot sealing and $e_{i,l} = (a_{i,l}, b_{i,l})$, the proof is implemented by $V_i$ using the following proof

   $$\log_g \prod_{l=1}^{n} a_{i,l}^{s_l} = \log_h \Big(\prod_{l=1}^{n} b_{i,l}^{s_l} / g^{s_1}\Big)$$
   $$\vee\ \log_g \prod_{l=1}^{n} a_{i,l}^{s_l} = \log_h \Big(\prod_{l=1}^{n} b_{i,l}^{s_l} / g^{s_2}\Big) \qquad (2)$$
   $$\vee\ \log_g \prod_{l=1}^{n} a_{i,l}^{s_l} = \log_h \Big(\prod_{l=1}^{n} b_{i,l}^{s_l} / g^{s_n}\Big),$$

   which is a proof of knowledge of equality of discrete logarithm pairs in one of the $n$ instances.

Theorem 1: If the ballot string encrypted in $(e_{i,1}, e_{i,2}, \ldots, e_{i,n})$ is not in the correct format, the probability that the plaintext sealed in $C_i$ falls in $S$ is negligible.

Proof: As $(e_{i,1}, e_{i,2}, \ldots, e_{i,n})$ is invalid, there must be the following two possibilities where $(s_{i,1}, s_{i,2}, \ldots, s_{i,n})$ is the ballot string sealed into $(e_{i,1}, e_{i,2}, \ldots, e_{i,n})$.

• Only one integer in $s_{i,1}, s_{i,2}, \ldots, s_{i,n}$ is not zero.
• More than one integer in $s_{i,1}, s_{i,2}, \ldots, s_{i,n}$ is not zero.

In the first case, without losing generality we suppose $s_{i,l'} \neq 0$. As $(e_{i,1}, e_{i,2}, \ldots, e_{i,n})$ is invalid, $s_{i,l'} \neq 1$. So

$$D(C_i) = D\Big(\prod_{l=1}^{n} e_{i,l}^{s_l}\Big) = \sum_{l=1}^{n} s_{i,l} s_l = s_{i,l'} s_{l'} \neq s_{l'}$$

and the probability that

$$D(C_i) = D\Big(\prod_{l=1}^{n} e_{i,l}^{s_l}\Big) = \sum_{l=1}^{n} s_{i,l} s_l = s_{i,l'} s_{l'} = s_{l''} \text{ and } l'' \neq l' \text{ and } 1 \le l'' \le n$$

is $(n-1)/K$ as $s_1, s_2, \ldots, s_n$ are randomly chosen in $Z_K$. Therefore, the probability that

$$D(C_i) = s_{l''} \text{ and } 1 \le l'' \le n$$

is negligible.

In the second case, without losing generality we suppose only $s_{i,T_1}, s_{i,T_2}, \ldots, s_{i,T_\pi}$ are not zero in $s_{i,1}, s_{i,2}, \ldots, s_{i,n}$ where $1 \le T_1, T_2, \ldots, T_\pi \le n$ and $\pi > 1$. Then

$$D(C_i) = D\Big(\prod_{l=1}^{n} e_{i,l}^{s_l}\Big) = \sum_{l=1}^{n} s_{i,l} s_l = \sum_{l=1}^{\pi} s_{i,T_l} s_{T_l}.$$

So, as $s_1, s_2, \ldots, s_n$ are randomly chosen in $Z_K$ the probability that

$$D(C_i) = s_{l''} \bmod N \text{ and } 1 \le l'' \le n$$

is $n/K$ and thus negligible.

Therefore, in any case the probability that the plaintext sealed in $C_i$ falls in $S$ is negligible. □

The ballot validity proof in (2) for all the $w$ voters can be batched in Fig 5, which further extends the batch proof in Fig 3 into batched proof of $w$ instances of ZK proof of equality of 1-out-of-$n$ pairs of DL.

This new batch proof straightforwardly extends batching of multiple cases of ZK proof of equality of 1-out-of-2 pairs of DL into batching of $w$ cases of ZK proof of equality of 1-out-of-$n$ pairs of DL, using the same batching principle and simply enlarging the batching scale. So, we do not worry about its security, which has the same guarantee as the batch proof in [8] and our first batch proof in Fig 3.

We note that this extended batch proof actually proves validity of all the voters’ ballots. So it should be run at the very beginning of the vote validity check. If it is passed, all the votes are guaranteed to be valid with an overwhelmingly large probability and homomorphic tallying can be performed. If it fails, there must be some dishonest voters who submit invalid ballots. In that case, the batched vote validity proof in Section III as detailed in Fig 3 is run by the voters respectively to prove validity of their ballots one by one to detect the invalid vote(s). Anyway, invalid votes can be deleted finally such that the valid votes can be efficiently counted.

Alternatively, when the extended batch proof of all the votes fails, some kind of binary search through batch validity proof of subsets of the votes can be performed to speed up identifying the cheating voter. At the same time, a penalty can be introduced to deter misconduct by dishonest voters. Due to space limit, more details are left for future work.

V. COMPARISON AND CONCLUSION

Our new solution is compared in Table II with the existing homomorphic e-voting technology recalled in Section I. In the assessment of computational cost, it is counted in terms of modular exponentiations which have full-length exponents. In the assessment of communicational cost, the number of full-length integers transmitted between the participants is estimated. Full-length integers (including exponents) here refer to the large integers used in the cryptographic operations in the form of the integers generating large cyclic groups, the vote-sealing ciphertexts or the exponents on the basis of the ciphertexts, which are thousands of bits long in the current standard and thus cause the main overhead in computational cost and communicational cost. For fairness of the comparison, we assume that there may be some invalid votes and the basic batch proof of ballot validity of Section III is employed.

TABLE II
COMPARISON AGAINST THE EXISTING E-VOTING SCHEMES

| E-Voting | Computation (voter) | Computation (talliers) | Communication |
|---|---|---|---|
| unbatched | $\ge 6n$ | $\ge 4nw + 3Mn$ | $\ge 8nw$ |
| batched | $2n + 4$ | $2nw + 3Mn$ | $(2n + 3)w$ |
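The weight generation of Section IV, the membership condition of Theorem 1 and the homomorphic tally of Section II-A, as an added Python example that is not code from the paper. The group parameters, the value of `K`, the nonce inside the commitment and all function names are assumptions; a single decryption key stands in for the threshold talliers and for the voter's zero-knowledge proof so that the condition $D(C_i) \in S$ can be observed directly.

```python
import hashlib
import secrets

# Demo group (an assumption of this example, far too small for a real election):
# p = 2^89 - 1 is a Mersenne prime and q = 2931542417 is a prime factor of p - 1.
P = 2**89 - 1
Q = 2931542417
G = next(cand for b in range(2, 50) if (cand := pow(b, (P - 1) // Q, P)) != 1)
K = 2**30          # the weights s_l live in Z_K; K < q and n/K is tiny


def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def encrypt(h, m):
    """Exponential ElGamal as in Section III: E(m) = (g^r, g^m * h^r)."""
    r = secrets.randbelow(Q)
    return pow(G, r, P), pow(G, m, P) * pow(h, r, P) % P


def cast(h, selections):
    """Encrypt one ballot string (s_{i,1}, ..., s_{i,n}) entry by entry."""
    return [encrypt(h, s) for s in selections]


def g_to_plaintext(x, ct):
    """Return g^{D(ct)} = b / a^x; one key holder replaces the T talliers here."""
    a, b = ct
    return b * pow(pow(a, x, P), -1, P) % P


def commit(value, nonce):
    # The paper commits with H_j(S_{l,j}). The nonce is added in this example
    # because a bare hash of a value from a small range can be brute-forced.
    return hashlib.sha256(nonce + value.to_bytes(8, "big")).hexdigest()


def make_weights(n, talliers):
    """Step 1 of Section IV: a) commit, b) reveal and check, c) sum mod K."""
    shares = [[(secrets.randbelow(K), secrets.token_bytes(16)) for _ in range(n)]
              for _ in range(talliers)]
    published = [[commit(v, r) for v, r in row] for row in shares]
    for row, hashes in zip(shares, published):
        if any(commit(v, r) != hsh for (v, r), hsh in zip(row, hashes)):
            raise ValueError("revealed share does not match its commitment")
    return [sum(row[l][0] for row in shares) % K for l in range(n)]


def aggregate(ballot, s):
    """C_i = prod_l e_{i,l}^{s_l}, computed component-wise on (a, b)."""
    A = B = 1
    for (a, b), s_l in zip(ballot, s):
        A = A * pow(a, s_l, P) % P
        B = B * pow(b, s_l, P) % P
    return A, B


def plaintext_in_S(x, C, s):
    """True iff D(C_i) equals some s_l; the comparison is done on g^{D(C_i)}."""
    target = g_to_plaintext(x, C)
    return any(target == pow(G, s_l, P) for s_l in s)


def tally(x, ballots):
    """Decrypt prod_i e_{i,l} for each candidate l and search the count in 0..w."""
    w, n = len(ballots), len(ballots[0])
    counts = []
    for l in range(n):
        A = B = 1
        for ballot in ballots:
            A, B = A * ballot[l][0] % P, B * ballot[l][1] % P
        target = g_to_plaintext(x, (A, B))
        counts.append(next(t for t in range(w + 1) if pow(G, t, P) == target))
    return counts
```

A ballot with exactly one entry equal to 1 always lands in $S$; the strings `(0, 2, 0, 0)`, `(1, 1, 0, 0)` and `(0, 0, 0, 0)` land outside it except with probability on the order of $n/K$.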

• Each $V_i$ claims satisfaction of (2) for $i = 1, 2, \ldots, w$.
• Common input: $q$, $g$, $h$ and $e_{i,l}$ for $i = 1, 2, \ldots, w$ and $l = 1, 2, \ldots, n$.
• Secret input: $r_{i,l}$ for $i = 1, 2, \ldots, w$ and $l = 1, 2, \ldots, n$, and $b_i$ for $i = 1, 2, \ldots, w$ such that $b_i = L$ if $\log_g \prod_{l=1}^{n} a_{i,l}^{s_l} = \log_h \big(\prod_{l=1}^{n} b_{i,l}^{s_l} / g^{s_L}\big)$.

1) Each $V_i$ selects $c_{i,l} \in_R Z_q$ for $1 \le l \le n$ and $l \neq b_i$, and $c_{i,b_i} = 0$. They cooperate (just like choosing each $s_l$ by combining their pre-committed inputs, which are released later and then used after being verified against the commitments) to choose a random integer $r_l \in Z_q$ for $l = 1, 2, \ldots, n$ and compute

   $$R_1 = g^{r_1} \prod_{1 \le i \le w} A_i^{c_{i,1}}$$
   $$R_1' = h^{r_1} \prod_{1 \le i \le w} (B_i / g^{s_1})^{c_{i,1}}$$
   $$R_2 = g^{r_2} \prod_{1 \le i \le w} A_i^{c_{i,2}}$$
   $$R_2' = h^{r_2} \prod_{1 \le i \le w} (B_i / g^{s_2})^{c_{i,2}}$$
   $$\ldots\ldots$$
   $$R_n = g^{r_n} \prod_{1 \le i \le w} A_i^{c_{i,n}}$$
   $$R_n' = h^{r_n} \prod_{1 \le i \le w} (B_i / g^{s_n})^{c_{i,n}}$$
   $$c_i = H(CI \| c_{i-1} \| c_{i-1,1} \| c_{i-1,2} \| \ldots \| c_{i-1,n-1}) \text{ for } i = 1, 2, \ldots, w$$
   $$c_{i,b_i} = c_i - \sum_{j \neq b_i} c_{i,j} \bmod q \text{ for } i = 1, 2, \ldots, w$$
   $$z_1 = r_1 - \sum_{\{i \mid b_i = 1\}} c_{i,1} v_{i,1} \bmod q$$
   $$z_2 = r_2 - \sum_{\{i \mid b_i = 2\}} c_{i,2} v_{i,2} \bmod q$$
   $$\ldots\ldots$$
   $$z_n = r_n - \sum_{\{i \mid b_i = n\}} c_{i,n} v_{i,n} \bmod q$$

   where $CI$ is the same as defined in Protocol 3 in [8] and

   $$A_i = \prod_{l=1}^{n} a_{i,l}^{s_l}, \quad B_i = \prod_{l=1}^{n} b_{i,l}^{s_l},$$
   $$c_0 = R_1 + R_1', \quad c_{0,1} = R_2 + R_2', \quad c_{0,2} = R_3 + R_3', \ \ldots, \ c_{0,k-1} = R_n + R_n'.$$

   They then send $(z_1, z_2, \ldots, z_n, c_1, c_{1,1}, c_{1,2}, \ldots, c_{1,n-1}, c_{2,1}, c_{2,2}, \ldots, c_{2,n-1}, \ldots, c_{w,1}, c_{w,2}, \ldots, c_{w,n-1})$ to the verifier.

2) The verifier computes

   $$c_{i,n} = c_i - \sum_{j=1}^{k-1} c_{i,j} \bmod 2^L \text{ for } i = 1, 2, \ldots, w$$
   $$c_i = H(CI \| c_{i-1} \| c_{i-1,1} \| c_{i-1,2} \| \ldots \| c_{i-1,n-1}) \text{ for } i = 1, 2, \ldots, w$$

The comparison table convincingly demonstrates that on the basis of the existing homomorphic e-voting schemes our new e-voting proposal achieves higher efficiency and stricter privacy. Although the batch proof technology in [8] is theoretically imperfect and not so strong in security as claimed, it can benefit MPC applications with a verifiability requirement and shows a clue to improve the efficiency of secure MPC.

REFERENCES

[1] James M. Adler, Wei Dai, Richard L. Green, and C. Andrew Neff. Computational details of the votehere homomorphic election system. Technical report, VoteHere Inc, 2000. Available from http://www.votehere.net/technicaldocs/hom.pdf, last accessed 22 June 2002.
[2] Ayman Alharbi, Haneen Zamzami, and Eman Samkri. Survey on homomorphic encryption and address of new trend. Int. J. Adv. Comput. Sci. Appl, 11(7):618–626, 2020.
[3] Kannan Balasubramanian, M Jayanthi, et al. A homomorphic crypto system for electronic election schemes. Circuits and Systems, 7(10):3193, 2016.
[4] Olivier Baudron, Pierre-Alain Fouque, David Pointcheval, Jacques Stern, and Guillaume Poupard. Practical multi-candidate election system. In Twentieth Annual ACM Symposium on Principles of Distributed Computing, pages 274–283, 2001.
[5] Stephanie Bayer and Jens Groth. Zero-knowledge argument for polynomial evaluation with application to blacklists. In EuroCrypt ’13, pages 646–663. Springer, 2013.
[6] Olivier Blazy, Céline Chevalier, and Damien Vergnaud. Non-interactive zero-knowledge proofs of non-membership. In Cryptographers’ Track at the RSA Conference, pages 145–164. Springer, 2015.
[7] Ratnakumari Challa. Homomorphic encryption: Review and applications. Advances in Data Science and Management, pages 273–281, 2020.
[8] K Chida and G Yamamoto. Batch processing for proofs of partial knowledge and its applications. In IEICE TRANS. FUNDAMENTALS, VOL.E91-CA, NO.1 JANUARY 2008, pages 150–159, 2008.
[9] Ronald Cramer, Ivan Damgård, and Berry Schoenmakers. Proofs of partial knowledge and simplified design of witness hiding protocols. In CRYPTO ’94, volume 839 of Lecture Notes in Computer Science, pages 174–187, Berlin, 1994. Springer-Verlag.
[10] E. Goh D. Boneh and K. Nissim. Evaluating 2-dnf formulas on ciphertexts. In TCC ’05, volume 3378 of Lecture Notes in Computer Science, pages 325–341, 2005.
[11] Ivan Damgård and Mats Jurik. A generalisation, a simplification and some applications of paillier’s probabilistic public-key system. In Public Key Cryptography—PKC 01, pages 119–136, 2001.
[12] J Groth. Non-interactive zero-knowledge arguments for voting. In ACNS ’05, volume 3531, pages 467–482, Berlin, 2005. Springer-Verlag. Lecture Notes in Computer Science.
[13] Ryan Henry and Ian Goldberg. Batch proofs of partial knowledge. In International Conference on Applied Cryptography and Network Security, pages 502–517. Springer, 2013.
[14] Martin Hirt and Kazue Sako. Efficient receipt-free voting based on homomorphic encryption. In Advances in Cryptology—EUROCRYPT 00, pages 539–556, 2000.
[15] Jonathan Katz, Steven Myers, and Rafail Ostrovsky. Cryptographic counters and applications to electronic voting. In Advances in
Cryptology—EUROCRYPT 01, pages 78–92, 2001.
[16] Aggelos Kiayias and Moti Yung. Self-tallying elections and perfect bal-
and verifies lot secrecy. In Public Key Cryptography, 5th International Workshop—
c1 = PKC 02, pages 141–158, 2002.
z1
Qw ci,1 Qw
H(CI||g i=1 Ai + hz1 i=1 (Bi /g s1 )ci,1 [17] Byoungcheon Lee and Kwangjo Kim. Receipt-free electronic voting
Qw c Qw through collaboration of voter and honest verifier. In JW-ISC 2000,
||g z2 i=1 Ai i,2 + hz2 i=1 (Bi /g s2 )ci,2 pages 101–108, 2000.
Qw c Qw [18] Byoungcheon Lee and Kwangjo Kim. Receipt-free electronic voting
|| . . . ||g zn i=1 Ai i,n + hzn i=1 (Bi /g sn )ci,n ) scheme with a tamper-resistant randomizer. In Information Security and
Cryptology, ICISC 2002, volume 2587 of Lecture Notes in Computer
Fig. 5. Extended Batch ZK proof of ballot validity
Science, pages 389–406. Springer-Verlag, 2002.
[19] Andrew Neff. Conducting a universally verifiable electronic election
using homomorphic encryption. White paper, VoteHere Inc, 2000.

[20] Kun Peng. A general, flexible and efficient proof of inclusion and
exclusion. In Cryptographers’ Track at the RSA Conference, pages 33–
48. Springer, 2011.
[21] Kun Peng and Feng Bao. A shuffling scheme with strict and strong
security. In SecureWare 2010, pages 201–206.
[22] Kun Peng and Feng Bao. Batch zk proof and verification of or logic.
In INSCRYPT ’08, volume 5487 of Lecture Notes in Computer Science,
pages 141–156, Berlin, 2008. Springer-Verlag.
[23] Kun Peng and Feng Bao. Efficient vote validity check in homomorphic
electronic voting. In ICISC 2008, volume 5461 of Lecture Notes in
Computer Science, pages 202–217, 2008.
[24] Kun Peng, Colin Boyd, Ed Dawson, and Byoungcheon Lee.
Multiplicative homomorphic e-voting. In INDOCRYPT 2004, volume 3348
of Lecture Notes in Computer Science, pages 61–72, Berlin, 2004.
Springer-Verlag.
[25] Manish Ranjan, Ayub Hussain Mondal, and Monjul Saikia. A cloud
based secure voting system using homomorphic encryption for android
platform. International Journal of Electrical and Computer Engineering,
6(6):2994, 2016.
[26] Wang Rong-Bing, Li Ya-Nan, Xu Hong-Yan, Feng Yong, and Zhang
Yong-Gang. Electronic scoring scheme based on real paillier encryption
algorithms. IEEE Access, 7:128043–128053, 2019.
[27] Berry Schoenmakers. Fully auditable electronic secret-ballot elections.
XOOTIC Magazine, July 2000.
[28] AC Santha Sheela and Ramya G Franklin. E-voting system using
homomorphic encryption technique. In Journal of Physics: Conference
Series, volume 1770, page 012011. IOP Publishing, 2021.
[29] Segundo Moisés Toapanta Toapanta, Luis José Chávez Chalén, Javier
Gonzalo Ortiz Rojas, and Luis Enrique Mafla Gallegos. A homomorphic
encryption approach in a voting system in a distributed architecture. In
2020 IEEE International Conference on Power, Intelligent Computing
and Systems (ICPICS), pages 206–210. IEEE, 2020.
[30] Zuoxia Yu, Man Ho Au, Rupeng Yang, Junzuo Lai, and Qiuliang Xu.
Lattice-based universal accumulator with nonmembership arguments. In
Australasian Conference on Information Security and Privacy, pages
502–519. Springer, 2018.
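
The batch proof of Fig. 5 can be exercised end to end in a toy group. The following is an added example, not code from the paper: it assumes ballots of the form (a, b) = (g^t, g^m h^t), takes the prover's witness for voter i to be v_i = Σ_l s_l t_{i,l} mod q, and reduces every challenge mod q on both the prover and verifier side. The group (p = 2039, q = 1019), the CI value, the locally drawn s_l and r_l, and all function names are constructed for illustration.

```python
import hashlib, secrets
from math import prod

P, Q, G, HH = 2039, 1019, 4, 9   # constructed toy group: P = 2Q + 1; G, HH have order Q
CI = b"constructed-CI"           # placeholder for the common input CI of Protocol 3 in [8]
rnd = lambda: secrets.randbelow(Q - 1) + 1      # random nonzero element of Z_Q

def H(*vals):                    # hash CI || v1 || v2 || ... to a challenge in Z_Q
    data = CI + b"".join(b"|" + str(v).encode() for v in vals)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def encrypt(msgs):               # assumed ballot form: (a_l, b_l) = (g^t_l, g^m_l * h^t_l)
    ts = [rnd() for _ in msgs]
    return [(pow(G, t, P), pow(G, m, P) * pow(HH, t, P) % P) for m, t in zip(msgs, ts)], ts

def combine(ballot, s):          # (A_i, B_i) = (prod_l a_{i,l}^{s_l}, prod_l b_{i,l}^{s_l})
    return tuple(prod(pow(x[k], sl, P) for x, sl in zip(ballot, s)) % P for k in (0, 1))

def commits(x, AB, s, c):        # g^{x_l} prod A_i^{c_il} + h^{x_l} prod (B_i/g^{s_l})^{c_il}
    out = []
    for l, sl in enumerate(s):
        R, R2, ginv = pow(G, x[l], P), pow(HH, x[l], P), pow(G, -sl, P)
        for (A, B), ci in zip(AB, c):
            R, R2 = R * pow(A, ci[l], P) % P, R2 * pow(B * ginv % P, ci[l], P) % P
        out.append(R + R2)
    return out

def prove(AB, s, choice, v):     # choice[i] = b_i (0-based); v[i] = sum_l s_l * t_{i,l} mod Q
    c = [[0 if l == b else rnd() for l in range(len(s))] for b in choice]
    r = [rnd() for _ in s]
    prev, chain = commits(r, AB, s, c), []       # c_0, c_{0,1}, ... = R_l + R_l'
    for i, b in enumerate(choice):
        chain.append(H(*prev))                   # c_i from the previous link
        c[i][b] = (chain[i] - sum(c[i])) % Q     # fix the challenge of the true branch
        prev = [chain[i]] + c[i][:-1]
    z = [(rl - sum(ci[l] * vi for ci, vi, b in zip(c, v, choice) if b == l)) % Q for l, rl in enumerate(r)]
    return z, chain[0], [row[:-1] for row in c]

def verify(AB, s, proof):
    (z, ci, parts), c = proof, []
    for part in parts:                           # rebuild c_{i,n} and the chain c_2 .. c_w
        c.append(part + [(ci - sum(part)) % Q])
        ci = H(ci, *part)
    return proof[1] == H(*commits(z, AB, s, c))  # the check on c_1

def run(votes, choice):          # votes[i]: plaintext per candidate; choice[i]: claimed b_i
    s, enc = [rnd() for _ in votes[0]], [encrypt(m) for m in votes]
    AB = [combine(b, s) for b, _ in enc]
    v = [sum(sl * t for sl, t in zip(s, ts)) % Q for _, ts in enc]
    return verify(AB, s, prove(AB, s, choice, v))
```

`run(votes, choice)` returns True when every ballot is a unit vector matching its claimed choice. A ballot such as `[2, 0, 0]` or `[1, 1, 0]` is rejected except with probability on the order of 1/q, which is only negligible once q has cryptographic size.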
