Introduction

Due to rapid growth of network technology, e-voting systems have been expected to make our modern social life more convenient, efficient and inexpensive. We even see that electronic polling is now a viable alternative for many non-governmental elections and surveys, and it is likely to become viable soon for governmental elections as well. Like in traditional election systems, democracy and privacy are very important issues to be considered carefully in the design of an e-voting system. The security characteristics of a secure voting system are summarized as follows :

1. Eligibility: only authorized voters can vote.

2. Unreusability: no one can vote more than once (no double voting).

3. Untraceability: no one can determine for whom anyone else voted.

4. Unduplicatability: no one can duplicate anyone else's vote.

5. Unchangeability: no one can change anyone else's vote without being discovered.

6. Verifiability: every voter can make sure that his vote has been taken into account in the final tabulation.

From the viewpoint of underlying cryptographic mechanisms, most existing e-voting schemes in recent years can be roughly classified into three categories:

1. all-or-nothing based schemes
2. blind signature based schemes , and
3. the schemes based on probabilistic encryption and homomorphic functions .

The first category of the schemes is inefficient because of the complexity of the all-or-nothing protocol. In order to keep different voters from being assigned the same tag, a method to avoid conflict is addressed in , the method is not quite acceptable because increasing number of identification tags can not efficiently reduce the probability of conflict, but tremendously increase the computational complexity. Actually, the computational complexity of these schemes goes far beyond what a practical system could handle. This is determined by the complexity of the all-or-nothing protocol itself, on which all the schemes are based.
Abstractly, the blind signature based schemes are similar to those based on all-or-nothing. The difference is that blind signature, instead of all-or-nothing protocol, is used to dissociate ballots from voters in signature based schemes. The schemes of the first two categories satisfy all of the properties mentioned above, but the blind signature based schemes are much more efficient because of their low complexity of computation and simplicity of protocols. This is why they are more practical.
The schemes based on probabilistic encryption and homomorphic functions are designed to be receipt-free. In such schemes, it is difficult for a voter to prove to someone else that how he voted, therefore buying and selling votes could be avoided. However, these schemes not only are very sophisticated with very high computational complexity (because of probabilistic encryption), but also have two physical assumptions: "secure booth" and "secure channel" (between the authority and booth) - even if the the assumption could come true , these kind of schemes make the election go back to the traditional fashion - the voters must go to the booth to cast their ballots, and it is thought inconvenient and practically unacceptable in most current applications of e-voting . Because of the computational complexity and physical assumptions, these schemes may only be theoretically interesting.
In fact, most current implementations of e-voting systems are based on blind signature due to the consideration of computational complexity .
In this paper, we propose a new practical e-voting scheme, which is also blind signature based. We achieve all the desired properties of eligibility, unreusability, untraceability, unduplicatability, unchangeability and verifiability at the cost of receipt-freeness. Unlike previous blind signature based schemes, in which the ballots of voters are signed by an authority, the authority in our scheme signed its blind signature on voters' public keys, called tallying keys. The voters keep and use their corresponding private keys, called voting keys to sign their ballots in elections hereafter. With the the blind signature of the authority on the tallying keys, the tallier (as well as other interested person) can verify the authenticity of tallying keys of authorized voters. And with the authenticated tallying keys, the validity of ballots can be verified. The blind signature is used in the scheme to dissociate tallying key from the identity of the voter to achieve untracebility. Having the authority sign blind signature on tallying keys instead of ballots, the voters are able to change their minds in voting period, and also, only one registration is needed for multiple selections - this simplifies the administration of elections. Moreover, it is more difficult for anyone (including the authority) to cast votes for abstaining voters in our scheme than the in previous ones , because after the registration, all of the validated tallying keys will be published and only the authorized voters who hold the corresponding voting keys can sign valid ballots. In our scheme, a voter also can correct his miscounted vote (if any) without revealing his ballots. Because of the simplicity of the protocols, low complexity of computation, as well as efficiency of administration, we believe it is a practical e-voting scheme, especially suitable for the elections of some community, such as campus election, no matter how large the election scale is.