1. Introduction

E-voting systems are expected to make elections efficient, accurate and economical, but when elections are computerized, voters are faced with serious threats. For example, simple computerization enables election authorities to know correspondences between voters and their votes. Also, entity C that is coercing voter V becomes able to confirm whether V had chosen C’s designating candidate or not. E-voting systems applicable to real elections must satisfy the following requirements.

1. Privacy Correspondences between voters and their votes must be concealed from others including election authorities. It is preferable that voters can conceal also their abstentions from others.

2. Verifiability Anyone including voters and third parties must be able to verify the accuracy of elections, i.e. e-voting schemes must be able to convince anyone that only and all votes from eligible voters had been counted.

3. Fairness Interim election results influence ways voters choose candidates; therefore interim election results must be concealed from anyone including election authorities.

4. Incoercibility To disable entity C that is coercing voter V to confirm that V actually had chosen C’s designating candidate S, e-voting schemes must disable even V itself to identify its vote in election results. Here, C must be disabled to know whether V had chosen S or not even if S is unique to V.

5. Robustness To conduct elections fairly even when relevant entities behave dishonestly, voting schemes must be able to complete elections without reelections or any help of dishonest voters. Here if helps from dishonest voters are required, the schemes cannot complete the election when they disappear.

However, despite that many schemes had been developed, they cannot satisfy all of the above requirements completely ^{[2, 4, 6, 8, 10, 11, 12]}. For example, although many schemes satisfy receipt freeness, if entity C that is coercing voter V asks V to choose candidate S that is unique to V, C can easily know whether V had actually chosen S or not. Here, receipt freeness is the base of incoercibility, i.e. it disables C to force V to show its receipt that includes the candidate V had chosen.

This paper modifies simplified verifiable re-encryption mix-net (SVRM) ^[14] to revised-SVRM, and develops an e-voting scheme that satisfies all the above requirements based on it together with anonymous tag based credentials ^{[13, 15, 16]}. An anonymous credential enables voter V to convince others that it is eligible without revealing its identity, and provided that erasable-state voting booths are available, the verifiable feature of revised-SVRM ensures election authorities’ legitimate handling of votes while concealing correspondences between voters and their votes from entities including voters themselves. In addition, the scheme regards votes for candidates that could not obtain enough supports as inferior votes and does not count them in the tallying phase ^[13]. Then, entity C that is coercing V cannot confirm whether V had chosen C’s designating candidate or not even when the candidate is unique to V. About fairness and robustness, it is easy to satisfy them as same as in other schemes.

In the above, an erasable-state voting booth is a one that disables voters to memorize complete information exchanged between them and election authorities during they are constructing their votes.

2. Security Components

Re-encryption mix-net M consists of multiple mutually independent mix-servers M₁, M₂, ---, M_Q and M_Q, M_Q-1, ---, M₁ that are arrayed in encryption and decryption stages respectively as shown in Figure 1. Then, M enables entities V₁, V₂, ---, V_N that put their attribute values D₁, D₂, ---, D_N in it to conceal correspondences between them and D₁, D₂, ---, D_N from others including mix-servers [2-7]^[2].

Download as

• PPT
  PowerPoint Slide
• PNG
  Larger image(png format)

Veiw figureFigures index

•  NEW
  View larger figure in new window

View next figure

Figure 1. Re-encryption mix-net M

To conceal the above correspondences, firstly each V_j encrypts its attribute value D_j to {g^aj_{mod p}, D_jy_*^aj_{mod p}} while using its secret integer a_j, and M₁, M₂, ---, M_Q in the encryption stage repeatedly encrypt {g^aj_{mod p}, D_jy_*^aj_{mod p}} to {g^kj*(Q)_{mod p}, D_jy_*^kj*(Q)_{mod p}} by using their secret integers k_j(1), k_j(2), ---, k_j(Q) to be decrypted in the decryption stage. Here, provided that g and p are publicly known appropriate integers (p is a prime number), {x(q), y(q) = g^x(q)_{mod p}} is mix-server M_q’s secret decryption and public encryption key pair of an ElGamal encryption function, and <x_* = {x(1)+x(2)+ --- +x(Q)}_{mod p}, y_* = y(1)y(2)---y(Q)_{mod p} = g^x*_{mod p}> is a common secret decryption and public encryption key pair. Also, k_j^*(q) = a_j+k_j(1)+k_j(2)+ --- +k_j(q), and in the remainder, notation _{mod p} is omitted when confusions can be avoided.

In detail, each M_q in the encryption stage calculates {g^kj*(q-1)g^kj(q) = g^kj*(q), D_jy_*^kj*(q-1)y_*^kj(q) = D_jy_*^kj*(q)} from {g^kj*(q-1), D_jy_*^kj*(q-1)} received from M_q-1. After that M_q shuffles its calculation results, and forwards them to M_q+1. In the decryption stage, M_Q, M_Q-1, ---, M₁ decrypt each {g^kj*(Q), D_jy_*^kj*(Q) = D_jg^kj*(Q)∙x*} to {g^kj*(Q), D_j}. Namely, each M_q decrypts {g^kj*(Q), D_jg^{kj*(Q)∙x*(q)}} received from M_q+1 to {g^kj*(Q), D_jg^{kj*(Q)∙x*(q)}/g^{kj*(Q)∙x(q)} = D_jg^{kj*(Q)∙x*(q-1)}}} by using its secret key x(q), and forwards it to M_q-1. Here x^*(q) = x(1)+x(2)+ --- +x(q).

Then, no one except V_j can know V_j’s attribute value D_j unless all mix-servers conspire because any one cannot know all integers k_j(1), k_j(2), ---, k_j(Q) or all decryption keys x(1), x(2), ---, x(Q). Entities other than V_j cannot know integer a_j either.

However, because integers k₁(q), k₂(q), ---, k_N(q) and decryption key x(q) are known only to M_q and M_q in the encryption stage shuffles its encryption results, no one can notice even when mix-servers encrypt or decrypt attribute values dishonestly. SVRM M_* shown in Figure 2 enables any entity E to verify behaviors of mix-servers by preparing the unknown number generation stage ^[14]. In the following it is assumed that all information sent from each entity V_j and mix-server M_q is publicly disclosed.

Download as

• PPT
  PowerPoint Slide
• PNG
  Larger image(png format)

Veiw figureFigures index

•  NEW
  View larger figure in new window
• PREV
  View previous figure

View next figure

Figure 2. Simplified verifiable re-encryption mix-net M_*

Firstly, provided that b_j, c_j are integers secrets of entity V_j and r_j(q) and s_j(q) are integers secrets of each mix server M_q, V_j calculates {g^bj, c_jy_*^bj} and {g^cj, (D_jy_*)^cj}, and forwards them to M₁ in the unknown number generation stage. After that each M_q calculates <{g^sj*(q-1)g^sj(q) = g^sj*(q), R_j(q-1)r_j(q)y_*^sj*(q-1)y_*^sj(q) = R_j(q)y_*^sj*(q)}, {g^{Rj(q-1)∙rj(q)} = g^Rj(q), (D_jy_*)^{Rj(q-1)∙rj(q)} = (D_jy_*)^Rj(q)}> from <{g^sj*(q-1), R_j(q-1)y_*^sj*(q-1)}, {g^Rj(q-1), (D_jy_*)^Rj(q-1)}> calculated by M_q-1. As a result, finally M_Q calculates <{g^sj*(Q), R_jy_*^sj*(Q)}, {g^Rj, (D_jy_*)^Rj}> to forward it to V_j, and V_j constructs triplet E₀(D_j) = <{g^aj, D_jy_*^aj}, {g^sj*(Q), R_jy_*^sj*(Q)}, {g^Rj, D_j^ΛD_j^Rjy_*^Rj = D_j^Rj+Λy_*^Rj}> to put in mix-net M_*. Where, Λ is a publicly known constant integer, s_j^*(q) = b_j+s_j(1)+s_j(2)+ --- +s_j(q), R_j(q) = c_jr_j(1)r_j(2) --- r_j(q) and R_j = R_j(Q).

About mix-servers M₁, M₂, ---, M_Q in the encryption stage, they repeatedly encrypt E₀(D_j) to triplet E_Q(D_j) = <{g^kj*(Q), D_jy_*^kj*(Q)}, {g^uj*(Q), R_jy_*^uj*(Q)}, {g^vj*(Q), D_j^Rj+Λy_*^vj*(Q)}> while shuffling its all encryption results as same as in Figure 1, and M_Q, M_Q-1, ---, M₁ in the decryption stage decrypt it to F₀(D_j) = <{g^kj*(Q), D_j}, {g^uj*(Q), R_j}, {g^vj*(Q), D_j^Rj+Λ}>. Namely, M_q in the encryption stage calculates E_q(D_j) = <{g^kj*(q), D_jy_*^kj*(q)}, {g^uj*(q), R_jy_*^uj*(q)}, {g^vj*(q), D_j^Rj+Λy_*^vj*(q)}> from E_q-1(D_j) = <{g^kj*(q-1), D_jy_*^kj*(q-1)}, {g^uj*(q-1), R_jy_*^uj*(q-1)}, {g^vj*(q-1), D_j^Rj+Λy_*^vj*(q-1)}> calculated by M_q-1, and M_q in the decryption stage calculates F_q-1(D_j) = <{g^kj*(Q), D_jg^{kj*(Q)∙x*(q-1)}}, {g^uj*(Q), R_jg^{uj*(Q)∙x*(q-1)}}, {g^vj*(Q), D_j^Rj+Λg^{vj*(Q)∙x*(q-1)}}> from F_q(D_j) = <{g^kj*(Q), D_jg^{kj*(Q)∙x*(q)}}, {g^uj*(Q), R_jg^{uj*(Q)∙x*(q)}}, {g^vj*(Q), D_j^Rj+Λg^{vj*(Q)∙x*(q)}}> calculated by M_q+1. Where, u_j(q) and v_j(q) are secret integers of M_q and u_j^*(q) = s_j^*(Q) +u_j(1) +u_j(2)+ --- +u_j(q) and v_j^*(q) = R_j+v_j(1)+v_j(2)+ --- +v_j(q).

Then, the final decryption results enable M_* to convince any verifier E of its legitimate encryptions, decryptions and shuffling. Namely, because each attribute value D_j is finally decrypted to F₀(D_j) = <{g^kj*(Q), D_j = α_j}, {g^uj*(Q), R_j = β_j}, {g^vj*(Q), D_j^Rj+Λ = γ_j}>, at least one mix-server is dishonest when relation α_j^βj+Λ = γ_j does not hold for some j.

However, each M_q that knows public encryption keys y(1), y(2), ---, y(Q) can easily forge encryption and decryption forms E_q(D_j) and F_q-1(D_j) so that their final decryption result <{g^kj*(Q), α_j}, {g^uj*(Q), β_j}, {g^vj*(Q), γ_j}> satisfies relation α_j^βj+Λ = γ_j. M_* removes this possibility as below.

Firstly each M_q discloses κ_q = k₁(q)+k₂(q)+ --- +k_N(q), and verifier E convinces itself that the product of E_q(D₁), E_q(D₂), ---, E_q(D_N) calculated by M_q and that of E_q-1(D₁), E_q-1(D₂), ---, E_q-1(D_N) calculated by M_q-1 are consistent. In detail, E examines relations G_k1(q) = g^κqG_k1(q-1) and G_k2(q) = y_*^κqG_k2(q-1), and requests M_q to iterate the encryption stage until the relations hold. Where {G_k1(q), G_k2(q)} is a product pair {G_k1(q) = g^k1*(q)g^k2*(q) -- g^kN*(q) = g^{κ1+κ2+ --- +κq}, G_k2(q) = D₁y_*^k1*(q)D₂y_*^k2*(q) --- D_Ny_*^kN*(q) = D₁D₂ --- D_Ny_*^{κ1+κ2+ --- +κq}}. Therefore G_k1(q) = g^κqG_k1(q-1) and G_k2(q) = y_*^κqG_k2(q-1) necessarily hold if E_q(D₁), E_q(D₂), ---, E_q(D_N) are correct. But if encryption from E_q(D_j) is incorrect, because solving discrete logarithm problems is difficult, M_q that does not know x_* cannot find value κ_q so that G_k1(q) = g^κqG_k1(q-1) and G_k2(q) = y_*^κqG_k2(q-1) hold ^{[3, 4]}. On the other hand, although M_q discloses κ_q, it can maintain each k_j(q) as its secret.

Here, actually M_q can find integer κ_q even if E_q(D_j) is incorrect when E_q(D_j) is calculated in a specific way, but in this case final decryption result <{g^kj*(Q), α_j}, {g^uj*(Q), β_j}, {g^vj*(Q), γ_j}> does not satisfy relation α_j^βj+Λ = γ_j. For example, if M_q encrypts {g^kj*(q-1), D_jy_*^kj*(q-1)} in E_q-1(D_j) and {g^kh*(q-1), D_hy_*^kh*(q-1)} in E_q-1(D_h) to {g^kj*(q), λD_jy_*^kj*(q)} and {g^kh*(q), (1/λ)D_hy_*^kh*(q)} instead of {g^kj*(q), D_jy_*^kj*(q)} and {g^kh*(q), D_hy_*^kh*(q)} (λ is an arbitrarily integer), value κ_q = k₁(q)+k₂(q)+ --- +k_N(q) still satisfies G_k1(q) = g^κqG_k1(q-1) and G_k2(q) = y_*^κqG_k2(q-1). However, M_q that does not know D_j, R_j, D_h or R_h cannot calculate {g^uj*(q), β_jy_*^uj*(q)}, {g^vj*(q), γ_jy_*^vj*(q)} in E_q(D_j) or {g^uh*(q), β_hy_*^uh*(q)}, {g^vh*(q), γ_hy_*^vh*(q)} in E_q(D_h) so that relations γ_i = (λD_j)^βj+Λ and γ_h = (D_h/λ)^βj+Λ hold.

Secondly to ensure legitimate behaviors of mix-servers in the decryption stage, after M₁ having decrypted all attribute values, verifier E calculates products D₁D₂ --- D_N and y_*^{a1+a2+ --- +aN} from {g^k1*(Q), D₁}, ---, {g^kN*(Q), D_N} in final decryption results F₀(D₁), ---, F₀(D_N) and {g^a1, D₁y_*^a1}, ---, {g^aN, D_Ny_*^aN} in initial encryption forms E₀(D₁), ---, E₀(D_N), where E can calculate y_*^{a1+a2+ --- +aN} as y_*^{a1+a2+ --- +aN} = D₁y_*^a1D₂y_*^a2 --- D_Ny_*^aN/(D₁D₂ --- D_N). E calculates also G_d from encryption forms E_Q(D₁), E_Q(D₂), ---, E_Q(D_N) as G_d = (D₁y_*^k1*(Q)D₂y_*^k2*(Q) --- D_Ny_*^kN*(Q))/(D₁D₂ --- D_N).

Under these settings, E determines mix-servers in the decryption stage are dishonest when relation G_d = y_*^{a1+a2+ --- +aN+κ1+κ2+ --- +κQ} does not hold. Namely, apparently G_d must be equal to y_*^{a1+a2+ --- +aN+κ1+κ2+ --- +κQ} if E_Q(D₁), ---, E_Q(D_N) are correctly decrypted. On the other hand, it is computationally infeasible to find different values that satisfy relation G_d = y_*^{a1+a2+ --- +aN+κ1+κ2+ --- +κQ} as the decryption forms. In detail, although M_q can forge F_q-1(D_j) while satisfying G_d = y_*^{a1+a2+ --- +aN+κ1+κ2+ --- +κQ} as M_q in the encryption stage calculates {g^kj*(q), λD_jy_*^kj*(q)}, it cannot make final decryption form <{g^kj*(Q), α_j}, {g^uj*(Q), β_j}, {g^vj*(Q), γ_j}> satisfy relation α_j^βj+Λ = γ_j because each M_q (q > 1) does not know value D_j at a time when it decrypts F_q(D_j). Also, anyone can examine relation G_d = y_*^{a1+a2+ --- +aN+κ1+κ2+ --- +κQ} because y_* and κ₁, κ₂, ---, κ_Q are publicly known.

In the above, mix-server M₁ in the decryption stage which calculates final decryption forms can know D₁, ---, D_N as an exception. But verifier E can detect dishonesties easily if the liable mix-server is M₁. Namely, when mix-servers M_L, M_L-1, ---, M₁ (L < Q) disclose their decryption keys x(L), x(L-1), ---, x(1) after all attribute values were decrypted, verification of M₁’s behavior is trivial. Nevertheless, correspondences between entities and their attribute values can be concealed because x(L+1), x(L+2), ---, x(Q) are still secrets of M_L+1, M_L+2, ---, M_Q.

Then, encryption and decryption forms E_q(D₁), E_q(D₂), ---, E_q(D_N) and F_q-1(D₁), F_q-1(D₂), ---, F_q-1(D_N) calculated by M_q necessarily satisfy G_k1(q) = g^κqG_k1(q-1) and G_k2(q) = y_*^κqG_k2(q-1) for each q and G_d = y_*^{a1+a2+ --- +aN+κ1+κ2+ --- +κQ}, and E becomes able to detect illegitimately calculated F₀(D_j) = <{g^kj*(Q), α_j}, {g^tj*(Q), β_j}, {g^vj*(Q), γ_j}> as the violation of relation α_j^βj+Λ = γ_j.

About entities that are liable for inconsistent decryption results, verifier E identifies them by tracing inconsistent decryption results back to initial encryption forms individually. In detail, provided that F₀(D_j) is inconsistent, firstly E asks M₁ in the decryption stage to show F₁(D_j) from which it had calculated F₀(D_j) and to prove correct calculation of F₀(D_j). In the same way, E asks each M_q to show F_q(D_j) from which it calculated F_q-1(D_j) and to prove correct calculation of F_q-1(D_j), and determines M_q that cannot show consistent pair {F_q(D_j), F_q-1(D_j)} is dishonest. E asks each M_q also in the encryption stage to show E_q-1(D_j) from which it had calculated E_q(D_j) and to prove correct calculation of E_q(D_j). Then it determines M_q is dishonest when M_q cannot show consistent pair {E_q-1(D_j), E_q(D_j)}.

Here, E can verify the consistency of {F_q(D_j), F_q-1(D_j)}, i.e. consistency between {g^kj*(Q), D_jg^{kj*(Q)∙x*(q)}} and {g^kj*(Q), D_jg^{kj*(Q)∙x*(q-1)}} without knowing secret key x(q) by exploiting the scheme of Diffie and Hellman. Firstly, E generates secret integer Ψ, and calculates g^kj*(Q)∙Ψ = G_* and {D_jg^{kj*(Q)∙x*(q)}/D_jg^{kj*(Q)∙x*(q-1)}}^Ψ = {g^{kj*(Q)∙x(q)}}^Ψ. After that it asks M_q to calculate G_*^x(q) by showing G_*, and determines M_q is dishonest when G_*^x(q) is not equal to {D_jg^{kj*(Q)∙x*(q)}/D_jg^{kj*(Q)∙x*(q-1)}}^Ψ.

Verification of {E_q-1(D_j), E_q(D_j)} is trivial, i.e. M_q can disclose integer k_j(q), because its value is changed at every encryption different from secret key x(q). Also, although E must verify behaviors of mix-servers in the unknown number generation stage if mix-servers in the encryption and decryption stages are honest, these verifications are trivial. As same as in the encryption stage each M_q can disclose its secret integers s_j(q) and r_j(q).

Provided that a dishonest mix-server is not M₁ in the encryption stage or a mix-server in the unknown number generation stage, it is also straightforward to recalculate consistent final decryption result F₀(D_j) without knowing corresponding entity V_j. But, when M₁ in the encryption stage or a mix-server in the unknown number generation stage is dishonest, entities other than V_j may know the correspondence between V_j and D_j, i.e. E_Q(D_j) was decrypted already and the above procedure for identifying dishonest mix-servers reaches E₀(D_j) that was put by V_j. By the same reason, V_j cannot maintain D_j as its secret when it put D_j illegitimately. M_* removes these threats by making V_j anonymous. In addition about the latter threat, V_j itself is responsible for the disclosure of its secrets.

Finally, it must be noted that because y_*, g^{a1+ --- +aN} and κ₁, κ₂, ---, κ_Q are publicly known, any entity can confirm correct behaviors of SVRM without communicating with mix-servers. Therefore, although Diffie and Hellman scheme that requires interactions between a verifier and mix-servers is necessary to identify dishonest mix-servers, actual efficiency of SVRM is not degraded. Usually mix-servers are honest, i.e. they cannot continue their businesses once their dishonesties are detected.

Provided that A is an authority that issues credentials and Z is a secret integer of entity V, anonymous tag based credential T(A, V, Z) enables V to show its eligibility to any entity E without revealing its identity. In addition, E can force V to calculate used seal U^Z_{mod B} from given integer U by using integer Z in T(A, V, Z) honestly without knowing Z itself (B is a publicly known appropriate integer associated with T(A, V, Z), and notation _{mod B} is omitted in the following). Then, E can use U^Z as an evidence that V had shown T(A, V, Z) to it. Here, actually V shows T(A, V, Z) to E in form T(A, V, Z)^W while generating secret integer W. Also, to maintain uniqueness of used seal U^Z, V calculates a set of values U₁^Z, U₂^Z, ---, U_T^Z from multiple integers U₁, U₂, ---, U_T.

In conclusion, together with used seal U^Z anonymous credential T(A, V, Z) satisfies unforgeability, soundness, anonymity, unlinkability, revocability and verifiability as below ^{[13, 15, 16]}.

Unforgeability： no one other than A can generate valid credentials,

Soundness： entities that do not know Z in T(A, V, Z) cannot prove the ownership of T(A, V, Z) to other entity E. In addition, when E illegitimately accepts T(A, V, Z) shown by other entity V_* possibly while conspiring with it, A can detect that and identify liable entities,

Anonymity： anyone except V cannot identify V from T(A, V, Z)^W shown by V,

Unlinkability： even if V shows T(A, V, Z) n-times in forms T(A, V, Z)^W1, T(A, V, Z)^W2, ---, T(A, V, Z)^Wn while generating different secret integers W₁, W₂, ---, W_n, no one except V can know links between them,

Revocability： A can invalidate T(A, V, Z) without knowing secrets of honest entities, when its holder V behaved dishonestly while showing T(A, V, Z)^W or when A reissued new credential to V as a replacement of T(A, V, Z), and

Verifiability： anyone can verify the validity of T(A, V, Z), in other words, entities can verify the validity without knowing any secret of A.

3. Revised-SVRM

To adapt SVRM to e-voting systems this section modifies it to revised-SVRM. Provided that V_j and D_j in Figure 2 are a voter and its vote respectively, SVRM cannot protect V_j from coercer C, who is forcing V_j to choose C’s designating candidate S. Namely, V_j must disclose integers b_j, c_j and pair <{g^bj, c_jy_*^bj}, {g^cj, (D_jy_*)^cj}> that it had put in the unknown number generation stage in Figure 2 when C requests. Then, C can know whether V_j actually had chosen S or not by examining the consistency between <{g^bj, c_jy_*^bj}, {g^cj, (D_jy_*)^cj}> and S. In the same way, C can confirm V_j’s choice also from {g^aj, D_jy_*^aj} in E₀(D_j).

To disable entities to force V_j to reveal attribute value D_j, revised-SVRM modifies the unknown number generation stage as shown in Figure 3. Here, as same as in Figure 2, although there is an exception information sent from mix-servers and each entity V_j is publicly disclosed also in revised-SVRM. The modified unknown number generation stage proceeds as follow.

Download as

• PPT
  PowerPoint Slide
• PNG
  Larger image(png format)

Veiw figureFigures index

•  NEW
  View larger figure in new window
• PREV
  View previous figure

Figure 3. Modified unknown random number generation stage

1. Each mix-server M_q in the unknown number generation stage generates its secret integers s_j(q), u_j(q) and r_j(q).

2. Each entity V_j generates its secret integers δ_j1, δ_j2, δ_j3, calculates {g^δj1, y_*^δj2, (gy_*)^δj3}, and sends them to M₁. At the same time V_j decomposes its attribute value D_j into a set of values {D_j(1), D_j(2), ---, D_j(Q)} so that product D_j(1)D_j(2) --- D_j(Q) becomes equal to D_j, and sends each D_j(q) to M_q. Here as an exception V_j discloses D_j(q) only to M_q. About δ_j1, δ_j2, δ_j3, no one except V_j can know them from g^δj1, y_*^δj2, (gy_*)^δj3.

3. M₁ calculates pairs {g^sj(1), D_j(1)y_*^sj(1)} and {g^uj(1), r_j(1)y_*^uj(1)} and triplet {g^δj1∙sj(1), y_*^δj2∙sj(1), (gy_*)^δj3∙sj(1)}, and sends them to M₂.

4. M_q (q > 1) that receives {g^sj*(q-1), D_j*(q-1)y_*^sj*(q-1)}, {g^uj*(q-1), r_j*(q-1)y_*^uj*(q-1)} and {g^{δj1∙sj*(q-1)}, y_*^{δj2∙sj*(q-1)}, (gy_*)^{δj3∙sj*(q-1)}} from M_q-1 calculates pairs {g^sj*(q), D_j*(q)y_*^sj*(q)}, {g^uj*(q), r_j*(q)y_*^uj*(q)} and triplet {g^{δj1∙sj*(q)}, y_*^{δj2∙sj*(q)}, (gy_*)^{δj3∙sj*(q)}}, and forwards them to M_q+1. Where, s_j*(q) = s_j(1)+ --- +s_j(q), u_j*(q) = u_j(1)+ --- +u_j(q), D_j*(q) = D_j(1)D_j(2) --- D_j(q), r_j*(q) = r_j(1)r_j(2) --- r_j(q) and D_j*(Q) = D_j, r_j*(Q) = R_j.

5. M_Q that calculates pairs {g^sj*(Q), D_jy_*^sj*(Q)}, {g^uj*(Q), R_jy_*^uj*(Q)} and triplet {g^{δj1∙sj*(Q)} = μ_j1, y_*^{δj2∙sj*(Q)} = μ_j2, (gy_*)^{δj3∙sj*(Q)} = μ_j3} in the previous step forwards the pairs to V_j and M₁. M_Q sends also {μ_j1, μ_j2, μ_j3} to V_j.

6. V_j which receives {g^sj*(Q), D_jy_*^sj*(Q)}, {g^uj*(Q), R_jy_*^uj*(Q)} and {μ_j1, μ_j2, μ_j3} confirms that {g^sj*(Q), D_jy_*^sj*(Q)} is a correct encryption form of D_j, i.e. g^sj*(Q) and y_*^sj*(Q) (= D_jy_*^sj*(Q)/D_j) in it are calculated as g and y_* to the power of same unknown integer s_j*(Q).

7. If encryption form {g^sj*(Q), D_jy_*^sj*(Q)} is successfully verified, provided that Λ is a publicly known integer and D_j(q) = D_j(q)², D_j*(q) = (D_j(1)D_j(2) --- D_j(q))² and D_j = D_j², each M_q calculates {g^{uj*(Q)∙Dj*(q)}, (R_jy_*^uj*(Q))^Dj*(q)} and {g^{uj*(Q)∙Λ∙Dj*(q)}, (R_jy_*^uj*(Q))^Λ∙Dj*(q)} from {g^{uj*(Q)∙Dj*(q-1)}, (R_jy_*^uj*(Q))^Dj*(q-1)} and {g^{uj*(Q)∙Λ∙Dj*(q-1)}, (R_jy_*^uj*(Q))^{Λ∙Dj*(q-1)}} calculated by M_q-1 to forward them to M_q+1.

8. V_j calculates {g^{uj*(Q)∙Dj∙(Dj+Λ)}}, (R_jy_*^uj*(Q))^Dj∙(Dj+Λ)} from {g^{uj*(Q)∙Dj*(Q)}, (R_jy_*^uj*(Q))^Dj*(Q)} and {g^{uj*(Q)∙Λ∙Dj*(Q)}, (R_jy_*^uj*(Q))^Λ∙Dj*(Q)} sent by M_Q.

9. V_j verifies legitimate calculation of {g^{uj*(Q)∙Dj∙(Dj+Λ)}, (R_jy_*^uj*(Q))^Dj∙(Dj+Λ)} and constructs initial encryption form E₀^*(D_j) = <{g^sj*(Q), D_jy_*^sj*(Q)}, {g^uj*(Q), R_jy_*^uj*(Q)}, {g^{uj*(Q)∙Dj∙(Dj+Λ)}, (R_jy_*^uj*(Q))^Dj∙(Dj+Λ)}> to put in the encryption stage.

Then, no one can know integer u_j*(Q) or R_j unless all mix-servers conspire. Therefore, entities cannot calculate D_j from pair {g^uj*(Q), g^{uj*(Q)∙Dj∙(Dj+Λ)}} or {R_jy_*^uj*(Q), (R_jy_*^uj*(Q))^Dj∙(Dj+Λ)} even if they examine every possible value of D_j. In addition, each D_j(q) sent to M_q is a secret of V_j and M_q, and as a result, V_j can conceal D_j even from entity C that is coercing it if erasable-state voting booths are available. Namely, at a time when C asks V_j to disclose D_j, V_j can convince C that any value S is consistent with E₀^*(D_j). Here, an erasable-state voting booth is a one of which memory states are initialized after an entity in it exits. It also disables entities to record the information that they had received and generated in it. This means V_j does not need to reply with the correct value when it is asked about D_j by others.

Nevertheless both V_j and mix-servers can confirm that E₀^*(D_j) finally generated by V_j is legitimate, i.e. V_j verifies them as below and components of E₀^*(D_j) put by V_j were calculated by mix-servers themselves. Although V_j and M_q can construct inconsistent E₀^*(D_j) if they conspire, this dishonesty can be disabled by making V_j anonymous, i.e. among attribute values of other anonymous entities M_q cannot identify V_j’s one.

About the verification of {g^sj*(Q), D_jy_*^sj*(Q)} at step 6, V_j can verify it by confirming relations g^{sj*(Q)∙δj1} = μ_j1, y_*^{sj*(Q)∙δj2} = μ_j2 and (g^sj*(Q)y_*^sj*(Q))^δj3 = μ_j3 through the scheme of Diffie and Hellman. Namely, because discrete logarithm problems are difficult to solve mix-servers that do not know δ_j1, δ_j2 or δ_j3 must calculate g^sj*(Q) and y_*^sj*(Q) by using same s_j*(Q) to satisfy the above relations. Verification of {g^{uj*(Q)∙Dj∙(Dj+Λ)}, (R_jy_*^uj*(Q))^Dj∙(Dj+Λ)} at step 9 is easy; for V_j that knows D_j and Λ it is trivial to confirm that g^{uj*(Q)∙Dj∙(Dj+Λ)} and (R_jy_*^uj*(Q))^Dj∙(Dj+Λ) in it are calculated as g^uj*(Q) and R_jy_*^uj*(Q) to the power of D_j(D_j+Λ), i.e. {g^{uj*(Q)∙Dj∙(Dj+Λ)}, (R_jy_*^uj*(Q))^Dj∙(Dj+Λ)} is a consistent encryption form of R_j^Dj∙(Dj+Λ).

Mix-servers in the encryption and decryption stages behave in the same way as in Figure 1. Namely, each M_q in the encryption stage encrypts E_q-1^*(D_j) = <{g^kj*(q-1), D_jy_*^kj*(q-1)}, {g^vj*(q-1), R_jy_*^vj*(q-1)}, {g^wj*(q-1), R_j^Dj∙(Dj+Λ)y_*^wj*(q-1)}> received from M_q-1 to E_q^*(D_j) = <{g^kj*(q), D_jy_*^kj*(q)}, {g^vj*(q), R_jy_*^vj*(q)}, {g^wj*(q), R_j^Dj∙(Dj+Λ)y_*^wj*(q)}>. And M_q in the decryption stage receives F_q^*(D_j) = <{g^kj*(Q), D_jg^{kj*(Q)∙x*(q)}}, {g^vj*(Q), R_jg^{vj*(Q)∙x*(q)}}, {g^wj*(Q), R_j^Dj∙(Dj+Λ)g_*^{wj*(q)∙x*(q)}}> from M_q+1, and while using decryption key x(q) decrypts it to F_q-1^*(D_j) = <{g^kj*(Q), D_jg^{kj*(Q)∙x*(q-1)}}, {g^vj*(Q), R_jg^{vj*(Q)∙x*(q-1)}}, {g^wj*(Q), R_j^Dj∙(Dj+Λ)g_*^{wj*(q)∙x*(q-1)}}>. Then, M₁ finally decrypts F₁^*(D_j) to F₀^*(D_j) = <{g^kj*(Q), D_j}, {g^vj*(Q), R_j}, {g^wj*(Q), R_j^Dj∙(Dj+Λ)}>, and convinces others that F₀^*(D_j) is legitimate by pair {R_j, R_j^Dj∙(Dj+Λ)}. Here, k_j(q), v_j(q) and w_j(q) are secret integers of M_q, k_j*(q) = s_j*(Q)+k_j(1)+k_j(2)+ --- +k_j(q), v_j*(q) = u_j*(Q)+v_j(1)+v_j(2)+ --- +v_j(q), w_j*(q) = u_j*(Q)D_j(D_j+Λ)+w_j(1)+w_j(2)+ --- +w_j(q) and x_*(q) = x(1)+x(2)+ ---+x(q).

About illegitimate behaviors in the revised-SVRM, R_j^Dj∙(Dj+Λ) in the 3rd term in E_q^*(D_j) means that final decryption result F₀^*(D_j) = <{g^k*(Q), α}, {g^v*(Q), β}, {g^w*(Q), γ}> must satisfy relation γ = β^α∙(α+Λ). By using this relation, although each encryption form E_q^*(D_j) differs from E_q(D_j), illegitimate behaviors of revised-SVRM can be detected and liable entities can be identified as same as in the original SVRM. But to verify behaviors in the decryption stage, M_q must disclose also σ_q = s₁(q)+s₂(q)+ --- +s_N(q) in addition to κ_q = k₁(q)+k₂(q)+ --- +k_N(q) because G_d in Sec. 3 is calculated as y_*^{k1*(Q)+ --- +KN*(Q)}.

When compared with the original SVRM, identification of dishonest entities becomes simpler. Namely, because V_j and mix-servers in the unknown number generation stage had mutually confirmed their legitimate behaviors already, examination of behaviors in the unknown number generation stage is not necessary.

4. Revised-SVRM Based Voting Scheme

This section develops a voting scheme while exploiting revised-SVRM, anonymous tag based credentials and erasable-state voting booths. The scheme consists of voters V₁, V₂, ---, V_N, election authority A and mix-servers M₁, M₂, ---, M_Q in the encryption, decryption and unknown number generation stages. Elections proceed through the voter registration, voting, pre-tallying and tallying phases as below.

Firstly, each voter V_j shows its identity to election authority A at an entrance of an election site. After that, A gives credential T(A, V_j, Z_j) to V_j if it is eligible, and in exchange for the credential V_j issues a receipt to A.

Then, because A knows who is V_j, V_j cannot obtain multiple credentials. On the other hand, the receipt ensures that V_j certainly can obtain its credential, i.e. A must show the receipt issued by V_j to reject V_j’s request.

Each voter V_j shows its credential T(A, V_j, Z_j) to authority A and calculates used seal U₀^Zj of the credential from publicly known integer U₀ defined by A, and if T(A, V_j, Z_j) is legitimate and U₀^Zj was not calculated before, V_j is allowed to enter its choosing voting booth. Then features of credentials and used seals allow only eligible voters to enter voting booths only once.

In the voting booth, V_j constructs pair E₀^*(D_j) = <{g^sj*(Q), D_jy_*^sj*(Q)}, {g^uj*(Q), R_jy_*^uj*(Q)}, {g^{uj*(Q)∙Dj∙(Dj+Λ)}, (R_jy_*^uj*(Q))^Dj∙(Dj+Λ)}> and E₀^*(D_j, Ω) = <{g^sj*(Q), Γ_jy_*^sj*(Q)}, {g^uj*(Q), R_jy_*^uj*(Q)}, {g^{uj*(Q)∙Γj∙(Γj+Λ)}, (R_jy_*^uj*(Q))^{Γj∙(Γj+Λ)}}> as an initial encryption form of its vote, and forwards it to mix-server M₁ in the encryption stage. Where, Λ is a publicly known constant integer, R_j is an integer no one knows and D_j represents a candidate V_j chooses. Also, provided that each s_j(q), u_j(q), s_j(q) and Ω(q) are M_q’s secret integers, s_j*(Q) = s_j(1)+ --- +s_j(Q), u_j*(Q) = u_j(1)+ --- +u_j(Q), s_j*(Q) = s_j(1)+ --- +s_j(Q), Ω = Ω(1)Ω(2) --- Ω(Q) and Γ_j = D_j^Ω.

In detail, V_j decomposes D_j into {D_j(1), D_j(2), ---, D_j(Q)} so that D_j = D_j(1)D_j(2) --- D_j(Q) holds, and informs each mix-server M_q in the unknown number generation stage of D_j(q). After that, jointly with the mix-servers V_j calculates E₀^*(D_j) as in Sec. 3. About E₀^*(D_j, Ω), firstly each M_q generates its secret integer Ω(q) and calculates D_j(q)^Ω(q) to forward it to M_q+1. Then, M_q* that receives D_j(q)^{Ω(q)∙Ω(q+1) ---Ω(q*-1)} from M_q*-1 calculates D_j(q)^{Ω(q)∙Ω(q+1) ---Ω(q*-1)∙Ω(q*)}, and sends it to M_q*+1 (M₁ is regarded as M_Q+1). As a result, M_q receives D_j(q)^Ω = Γ_j(q) from M_q-1, and V_j and mix-servers can calculate E₀^*(D_j, Ω) from values Γ_j(1), Γ_j(2), ---, Γ_j(Q) as they calculated E₀^*(D_j).

In the above, it must be noted that no one knows the value of Ω because only M_q knows Ω(q). Also, V_j can verify legitimate calculation of each Γ_j(q) through the scheme of Diffie and Hellman by asking mix-servers to calculate D_j(q)^Φ∙Ω from D_j(q)^Φ (Φ is V_j’s secret integer).

Before exiting the voting booth, V_j approves that pair {E₀^*(D_j), E₀^*(D_j, Ω)} put in the encryption stage is legitimate. Namely, after confirming that the pair disclosed by M₁ is correct, V_j calculates another used seal U₁^Zj of T(A, V_j, Z_j) from publicly known integer U₁ defined by A, and A discloses it publicly with U₀^Zj. Here, used seal U₁^Zj is V_j’s approval of pair {E₀^*(D_j), E₀^*(D_j, Ω)}, i.e. V_j can replace it with new ones until it discloses U₁^Zj. On the other hand, because only V_j can calculate U₁^Zj, A can reject V_j’s requests about replacements of the pair after U₁^Zj is disclosed.

Once, {E₀^*(D_j), E₀^*(D_j, Ω)} is approved, mix-servers in the encryption stage encrypt it to E_Q^*(D_j) = <{g^kj*(Q), D_jy_*^kj*(Q)}, {g^vj*(Q), R_jy_*^vj*(Q)}, {g^wj*(Q), R_j ^Dj∙(Dj+Λ)y_*^wj*(Q)}> and E_Q^*(D_j, Ω) = <{g^kj*(Q), Γ_jy_*^kj*(Q)}, {g^vj*(Q), R_jy_*^vj*(Q)}, {g^wj*(Q), R_j^{Γj∙(Γj+Λ)}y_*^wj*(Q)}> while shuffling their encryption results. Where, provided that k_j(q), v_j(q), w_j(q), k_j(q), v_j(q) and w_j(q) are M_q’s secret integers, k_j*(q) = s_j*(Q)+k_j(1)+ --- +k_j(q), v_j*(q) = u_j*(Q)+v_j(1)+ --- +v_j(q), w_j*(q) = u_j*(Q)D_j(D_j+Λ)+w_j(1)+ --- +w_j(q), k_j*(q) = s_j*(Q)+k_j(1)+ --- +k_j(q), v_j*(q) = u_j*(Q)+v_j(1)+ --- +v_j(q) and w_j*(q) = u_j*(Q)Γ_j(Γ_j+Λ)+w_j(1)+ --- +w_j(q).

Votes encrypted in the voting phase are decrypted by mix-servers M_Q, M_Q-1, ---, M₁ in the decryption stage, but they decrypt only selected ones. The pre-tallying phase determines these votes. Namely, mix-servers in this phase decrypt only E_Q^*(D_j, Ω) in each pair {E_Q^*(D_j), E_Q^*(D_j, Ω)}, and as a result only decryption form F₀^*(D_j, Ω) = <{g^kj*(Q), Γ_j = D_j^Ω}, {g^vj*(Q), R_j}, {g^wj*(Q), R_j^{Γj∙(Γj+Λ)}}> is disclosed.

Then, election authority A compares disclosed D₁^Ω, D₂^Ω, ---, D_N^Ω, and determines E_Q^*(D_h) that corresponds to E_Q^*(D_h, Ω_*(Q)) is an inferior vote that will not be decrypted when value D_h^Ω appears less than the predefined number of times in set {D₁^Ω, D₂^Ω, ---, D_N^Ω}. Here, because no one knows integer Ω anyone cannot know D_j from D_j^∙Ω. Decryption of E_Q^*(D_j, Ω) itself is carried out totally in the same way as in Sec. 3.

Because authority A can determine election winners without decrypting inferior votes, mix-servers in the tallying phase decrypt encryption form E_Q^*(D_j) only when it corresponds to a non-inferior vote. As a result, voters can conceal correspondences between them and their votes from others even when they are forced to choose candidates unique to them.

As same as E_Q^*(D_j, Ω), decryption of E_Q^*(D_j) is carried out as in Sec. 3. But mix-servers do not need to decrypt all non-inferior votes because E_Q^*(D_j) and E_Q^*(D_h) are decrypted to same value D_j if E_Q^*(D_j, Ω) and E_Q^*(D_h, Ω) were decrypted to D_j^Ω. Therefore, mix-servers decrypt only 1 encryption form E_Q^*(D_j) from a set of encryption forms that are accompanied by same value D_j^Ω.

Revised-SVRM used in the developed e-voting scheme enables any entity to detect illegitimately handled votes efficiently as discussed in Sec. 3. It also enables election authority A to identify entities liable for dishonesties without revealing votes of honest voters.

In addition, in cases when mix-servers are determined dishonest, A can force them to correctly reprocess illegitimately handled votes. Namely, because voters and mix-servers in the unknown number generation stage had verified their behaviors mutually, initial encryption forms put in the encryption stage are ensured to be legitimate. Then, once all voters had approved initial encryption forms of their votes, A and mix-servers can reprocess illegitimately handled votes until their decryption results become consistent without reelections.

In the above, even if voter V_j and mix-server M_q in the unknown number generation stage conspire, they cannot put an inconsistent initial encryption form. The reason is that V_j is anonymous and M_q cannot identify V_j’s vote. To handle V_j’s vote illegitimately M_q must take a risk that its dishonesty is revealed, i.e. V_h claims M_q is dishonest if M_q generates an initial encryption form of V_h’s vote inconsistently instead of V_j’s one. In the same way, V_j can protect itself from threats where conspiring mix-server M₁ and entity C that coerces V_j know V_j’s vote. In detail, when M₁ in the encryption stage encrypts initial encryption form {E₀^*(D_j), E₀^*(D_j, Ω)} of V_j inconsistently, the dishonest entity identification procedure reveals the correspondence between final decryption form {F₀^*(D_j), F₀^*(D_j, Ω)} and {E₀^*(D_j), E₀^*(D_j, Ω)}. But M₁ cannot identify {E₀^*(D_j), E₀^*(D_j, Ω)} because V_j is anonymous.

5. Features of the Developed Scheme

The e-voting scheme developed based on revised-SVRM satisfies all essential requirements of elections as follow.

Privacy: As discussed in Sec. 3 and 5, no one except voter V_j itself can know candidate D_j that V_j had chosen. But V_j that did not register itself cannot conceal its abstention because voters register themselves by showing their identities. To conceal its abstention from others V_j must register itself and put an invalid vote or leave the election site without entering a voting booth.

Verifiability: Anonymous credential ensures that only eligible entities can put votes, and used seals of credentials disable voters to put votes multiple times. About tallying, all votes put by voters and vote forms handled by mix-servers are publicly disclosed and revised-SVRM is verifiable. Then, anyone including third parties can verify the accuracy of elections.

Fairness: No one can know the interim election results because the scheme does not disclose votes in their plain forms until the end of the pre-tallying phase.

Incoercibility: Voter V_j can conceal candidate D_j in {E₀^*(D_j), E₀^*(D_j, Ω)} from C that is coercing it, i.e. because D_j is encrypted by using unknown integers, V_j can declare that {E₀^*(D_j), E₀^*(D_j, Ω)} is an encryption form of any candidate S. Also, erasable-state voting booths disable C to obtain enough information from V_j to reconstruct D_j even if C is conspiring with several mix-servers. Because inferior votes are not decrypted, C cannot confirm whether V_j had chosen C’s designating candidate S or not even when S is unique to V_j.

Here because V_j is anonymous, as discussed at the end of Sec. 4.5, C cannot know the correspondence between initial encryption form {E₀^*(D_j), E₀^*(D_j, Ω)} and final decryption result {F₀^*(D_j), F₀^*(D_j, Ω)} even if it conspires with 1st mix-server M₁ in the encryption stage or mix-servers in the unknown number generation stage. In detail, A in the voter registration phase gives credential T(A, V_j, Z_j) to V_j just before V_j enters a voting booth, therefore V_j cannot inform C or mix-servers of integer Z_j in T(A, V_j, Z_j) so that they can identify V_j’s vote.

But it must be noted that C which is forcing V_j to abstain from the election can confirm whether V_j actually had abstained or not by asking V_j to recalculate the used seal V_j had calculated in the voter registration phase. This threat exists also in usual paper based elections, and currently an only way to remove this thereat is to introduce regulations that force all voters to visit election sites regardless that they choose valid candidates or not. Even if election authority A gives 2 anonymous credentials T_α and T_β to V_j, C can know whether V_j actually had abstain or not. Namely, although V_j can visit an election site without revealing its identity by showing T_β (where V_j obtains T_β by showing T_α that it had obtained in advance while showing its identity), C can know V_j even from T_β if it asks V_j to disclose secrets in T_β.

Robustness: Because initial encryption form {E₀^*(D_j), E₀^*(D_j, Ω)} of a vote put by voter V_j is verified by mix-servers and V_j itself, V_j cannot claim that mix-servers had constructed it illegitimately. Therefore, once encrypted votes are successfully disclosed, revised-SVRM enables reprocessing of votes until final decryption forms are disclosed correctly without reelections.

6. Conclusion

Based on revised-SVRM an e-voting scheme that satisfies all essential requirements of elections was developed, i.e. it satisfies requirements about privacy, verifiability, fairness, incoercibility and robustness. But the scheme assumes state-erasable voting booths. Therefore as one of future works, efficient schemes for implementing state-erasable voting booths must be developed.

References

[1]	Diffie and M. E. Hellman, “New directions in cryptography,” IEEE Trans. On Information Theory, IT-22(6), 644-654, 1976.
	In article
[2]	D. Boneh and P. Golle, “Almost entirely correct mixing with applications to voting,” ACM Conference on Computer and Communication Security, 68-77, 2002.
	In article		View Article
[3]	P. Golle, S. Zhong, D. Boneh, M. Jakobsson and A. Juels, “Optimistic mixing for exit-polls,” Asiacrypt 2002, 451-465, 2002.
	In article		View Article
[4]	M. Jakobson, A. Juels and R. Rivest, “Making mix nets robust for electronic voting by randomized partial checking,” USENIX Security ’02, 339-353, 2002.
	In article
[5]	L. Nguen, R. Dafavi-Naini and K. Kurosawa, “Verifiable shuffles: A formal model and a Paillier-based efficient construction with provable security,” PKC 2004, 61-75, 2004.
	In article		View Article
[6]	B. Lee, C. Boyd, E. Dawson, K. Kim, J. Yang and S. Yoo, “Providing receipt-freeness in mixnet-based voting protocols,” Proceedings of the ICISC ’03, 261-74, 2003.
	In article
[7]	J. Furukawa, “Efficient, Verifiable shuffle decryption and its requirement of unlinkability,” PKC 2004, 319-332, 2004.
	In article		View Article
[8]	K. Sampigethaya and R. Poovendran, “A framework and taxonomy for comparison of electronic voting schemes,” Elsevier Computers and Security, 25, 137-153, 2006.
	In article		View Article
[9]	S. Weber, “A coercion-resistant cryptographic voting protocol -evaluation and prototype implementation,” Diploma thesis, Darmstadt University of Technology; 2006
	In article
[10]	P. Y. A. Ryan, D. Bismark, J. Heather, S,Schneider and Z. Xia, “A voter verifiable voting system,” IEEE Trans. On Information Forensics and Security, 4(4), 662-673, 2009.
	In article		View Article
[11]	K. A. Md Rokibul, S. Tamura, S. Taniguchi and T. Yanase, “An anonymous voting scheme based on confirmation numbers,” IEEJ Trans. EIS. 130(11), 2065-2073, 2010.
	In article		View Article
[12]	C. C. Lee, T. Y. Chen, S. C. Lin and M. S. Hwang, “A new proxy electronic voting scheme based on proxy signatures,” Lecture Notes in Electrical Engineering, 164, Part 1 3-12, 2012.
	In article		View Article
[13]	S. Tamura, “Anonymous security systems and applications: requirements and solutions,” Information Science Reference, 2012.
	In article		View Article
[14]	S. Tamura and S. Taniguchi, “Simplified verifiable re-encryption mix-nets,” Information Security and Computer Fraud, 1(1), 1-7, 2013.
	In article
[15]	S. Tamura and S. Taniguchi, “Enhancement of anonymous tag based credentials,” Information Security and Computer Fraud, 2(1), 10-20, 2014.
	In article
[16]	S. Tamura, “Elements of schemes for preserving privacies in e-society systems,” Lambert Academic Publishing, 2015.
	In article