group F
∗
p
km
. We can now define a bilinear pairing on
(G
1
, G
2
) as the mapping ˆe : G
1
× G
1
−→ G
2
satisfy-
ing the following properties:
1. Bilinearity: ∀ R, S, T ∈ G
1
ˆe(S+ R, T) = ˆe(S, T) · ˆe(R, T)
ˆe(S, R+ T) = ˆe(S, R) · ˆe(S, T)
2. Non-degeneracy: ˆe(P, P) 6= 1
3. Computability: ˆe can be efficiently computed.
2.1 Blind Signatures
Blind signatures are digital signatures with the prop-
erty that the message to be signed is hidden from
the Signer authority by means of a blind factor.
This property can be exploited to offer anonymity
in the electoral process to all the participants. The
RSA blind signature scheme introduced by Chaum in
(Chaum, 1983), allows to obtain a signed document
but at the same time it guarantees that the signer en-
tity will not be able to know the document that has
just signed. Across the years, several blind signature
schemes have been proposed. Some examples include
a DSA-based blind signature scheme proposedin (Ca-
menisch et al., 1994), an Elliptic Curve Cryptography
(ECC) based blind signature presented in (Jena et al.,
2007), among others.
In 2003, Boldyreva (Boldyreva, 2003) proposed a
blind signature scheme based on pairings. That sig-
nature is computed into three steps, two of them must
be performed by the requester and one by the signer
entity. The required operations are summarized in Al-
gorithm 1. The algorithm starts when the requester
hash the message m to be signed to a nonzero group
element M ∈ G
1
. Then, the requester blinds M, by
computing a scalar multiplication as,
ˆ
M = bM, where
b is a random blind factor generated by her. Then,
the requester sends
ˆ
M to the signer entity. The signer
entity signs the message by performing a scalar mul-
tiplication on
ˆ
M using its private key d. Thereafter,
it sends the blind signed document to the requester.
After receiving the blind signature, the requester re-
moves the blind factor, using, b
−1
ˆ
γ = b
−1
· b · γ = γ.
Taking advantage of the pairing bilinear properties,
that signature can be verified by checking whether,
ˆe(Q, H
1
(m)) = ˆe(dP, M) = ˆe(P, M)
d
= ˆe(P, γ),
holds.
3 PROTOCOL DATAFLOW
Our scheme requires three entities: one of them re-
sponsible for authenticating, another responsible of
receiving and validating the votes and the last one
specifically responsible of performing the vote tally.
In the rest of this paper, these three authorities will be
called Authentication Server (AS), Voting Server (VS)
and Counting Server (CS), respectively.
Algorithm 1: BlindSignature (Boldyreva, 2003)
Blind factor: b ∈ Z
n
M = H
1
(m) where H
1
: {0, 1}
∗
−→ G
1
\ O .
Blindness:
ˆ
M = bM
Signing:
ˆ
γ = d
ˆ
M
Unblindness: γ = b
−1
ˆ
γ
Verification: ˆe(Q, H
1
(m)) = ˆe(P, γ)
In Figure 1, the interaction among the voter and the
three servers is depicted. The most important ex-
changed object, is the electoral ballot that contains the
vote. In the initial authentication phase, the voter re-
quests a blank electoral ballot B from the AS. This
request will be granted only in the case that the AS
authenticates the voter. If everything works fine, the
voter will receive a blank ballot blind signed by the
AS. Once that this action is accomplished the voter
fills out the ballot and then sends it to the VS. This
is done in a second phase called Voting phase. It is
worth remarking that the ballot must be signed by
the voter but using a public/privatekey pair especially
generated for signing the ballot. Finally, in the third
phase called the Counting phase, all the receivedvotes
are counted by the CS so that the election result can
be obtained.
4 THE PROPOSED PROTOCOL
Notation
o {d
AS
, Q
AS
} AS’ public/private key pair.
o {d
V
, Q
V
}, Cert
V
V’ public/private key pair and
digital certificate.
o {d, Q} public/private key of the vote.
o k
1
, k
2
∈ Z
n
, where k
1
is a unique identifier cho-
sen by V, whereas k
2
denotes a unique identifier
chosen by the AS.
o t a time stamp.
Figure 1: Structure and functionality of the proposed
scheme.
AN E-VOTING PROTOCOL BASED ON PAIRING BLIND SIGNATURES
215