A privacy-preserving, decentralized and functional Bitcoin e-voting protocol Acknowledgement. The authors thank the editors and the anonymous reviewers for their valuable comments. This study is supported by the National Science foundation of China (No. 61472074,U1708262) and the Fundamental Research Funds for the Central Universities (No.N172304023).

A privacy-preserving, decentralized and functional Bitcoin e-voting protocol 1


Bitcoin, as a decentralized digital currency, has caused extensive research interest. There are many studies based on related protocols on Bitcoin, Bitcoin-based voting protocols also received attention in related literature.

In this paper, we propose a Bitcoin-based decentralized privacy-preserving voting mechanism. It is assumed that there are n voters and m candidates. The candidate who obtains t ballots can get x Bitcoins from each voter, namely nx Bitcoins in total. We use a shuffling mechanism to protect voter’s voting privacy, at the same time, decentralized threshold signatures were used to guarantee security and assign voting rights. The protocol can achieve correctness, decentralization and privacy-preservings. By contrast with other schemes, our protocol has a smaller number of transactions and can achieve a more functional voting method.

Bitcoin; Anonymous voting; shuffling mechanism

I introduction

Voting plays an important role in modern life. Electronic voting has aroused the attention of many scholars for a long time. However, how to design a voting protocol which is decentered and privacy-preserving is an open issue. Bitcoin[1], as a new type of decentralized digital currency, has a wide range of applications in the fields of voting[2, 3, 4], secure multiparty computations[5], public randomness source[6] and designing fair protocols[7].

In the field of voting, Zhao and Chan[3] first proposed how to vote privately using Bitcoin. There are n voters that each has 1 Bitcoin and votes for 2 candidates. The winner can obtain all the n Bitcoins. The scheme only supports election mode. Tian et al.[2] propose a simple Bitcoin voting protocol which can produce a ballot by a voter selecting at least at most winners from L candidates. Silvia et al.[4] proposed the circle shuffle mechanism for Bitcoin voting to provide privacy protection, but it requires a centralized dealer. Meanwhile, there are many papers focusing on solving the Bitcoin anonymity problem[9], coinjoin[8] was first to achieve security against stealing mixes by using group transactions. However, it requires a centralized service to confuse output addresses. CoinShuffle[8] improves over Coinjoin by using decryption mixnets for address shuffling which achieves anonymity against insiders. It has a flaw that the last one of the shuffling may put his own output address in the specified location.

The main goals of bitcoin-based e-voting protocols should include:

  • Correctness: The most basic and important nature of an e-voting agreement is to ensure the correctness of voting which prevents voters from being falsified, discard or repeat votes.

  • Decentralization: In the entire voting process, in addition to voters and candidates, no other third-party institutions or trusted agencies are required to assist in the whole process.

  • Privacy protection: Voting information of voters cannot be known by anyone else. In reality, privacy protection is one of the most important attributes of voting protocol.

  • Functionality: More forms of voting should be supported, such as office voting, large-scale election voting, candidate voting, multiple candidate voting, etc.

Fig. 1: Entire voting protocol flow diagram.

Ii preliminaries

Ii-a Bitcoin transactions

In this article, we do not consider attacks on Bitcoin such as 51% attacks, routing attacks[9], as well as transaction fee. We assume that all voters and candidates have access to the Bitcoin network and the blockchain does not will be forked.

In a simplified bitcoin model, Bitcoin transaction contains inputs, outputs and value prices. Output can be seen as a validation of transaction and input script is the papameters(e.g. signature of the previous input)for the program script in the output. Among them, optional item [5] can ensure that the transaction will become efftive only after a period of time t. After(t)[10] means that a single output script can be made unspendable until t time.

This article also uses a special form of Bitcoin script, P2SH[11] (Pay-to-Script-Hash), which was introduced in 2012 as a new, powerful transaction type that greatly simplifies complex scripts. We use a specific script, the output script is:

The input script is x. As to get the corresponding Bitcoins, user needs to expose the value of x.

Ii-B Decentralized threshold signature

Threshold secret sharing[12, 13] is a way to split a secret value into several shares that can be given to different participants. However, there is an important issue is how to generate and distribute these shares. The simplest way is to introduce a trusted dealer who begins with the constructed key, generates the shares and distributes them to each party. Of course, this has a weakness in that the trusted dealer is a single point of failure. Another way is to generate shares of a key in a distributed manner without ever constructing the key in the process. Scheme[13] is the ECDSA scheme that works for arbitrary n and any which is also compatible with Bitcoin.

While most Bitcoin transactions are spent with a single signature, Bitcoin in fact specifies a script written in a stack-based programming language which defines the conditions under which a transaction may be redeemed. This scripting languag require at least t-of-n specified ECDSA public keys to provide a signature on the redeeming transaction. A relatively recent feature of Bitcoin, pay-to-scripthash, enables payment to an address that is the hash of a script. When this is used, senders specify a script hash, and the exact script is provided by the recipient when funds are redeemed. A quirk of pay-to-script hash is that the restriction is removed from t-outof-n multisignature transactions. However, due to a hardcoded limit on the overall size of a hashed script, the recipients are still limited to .

All of our constructions that use threshold signatures can be instantiated with the threshold signature scheme in [13]. We argue that threshold signatures offer fundamental advantages stemming from the fact that in the multisignature approach:

  • Flexibility. Threshold signatures are more flexible than multisignatures in the access policies that they permit as well as in the ability to modify the access policies. Threshold signatures also allow more flexibility for making changes to the access control policy.

  • Anonymity. While Bitcoin allows users to be pseudonymous, it does not provide any anonymity guarantees. Indeed, it has been shown that it is not difficult to link various addresses belonging to a single user. Moreover, because the entire transaction log is public, once an address has been associated with a real world identity, one can immediately view every other transaction associated with that address.

Iii our voting protocol

The entire process of our scheme is shown in Fig.1. The specific process includes registration on the bulletin board[14], generation of the threshold signature address, anonymous voting, and Bitcoin transaction stage. We assume that our Bitcoin voting protocol is used in a small-scale, limited-power scenario. Suppose there are n voters, each one has his own Bitcoin address and sufficient balance, and there are m candidates, if one of them gets t votes or more, then he can get x Bitcoins from each voter.

Iii-a Registration

For a voter , each voter needs to have an address i (abbreviated as ) which contains at least x + z Bitcoins that x represents the Bitcoins used to vote and z is used to guarantee the security of the decryption of vote commitment, the voter needs to generate and publish his own key pair for the shuffling operation in Section III-B. All voters negotiate the last time of revealing the vote commitment and the latest time for returning the deposit. If there is no candidate to win finally. Each candidate needs to prepare an address to obtain Bitcoin after winning and reveal the key pair (x indicates the id of the candidate, ). All the above information is published on the bulletin board. Related information is also shown in Fig.1.

Iii-B Generation of the threshold signature address

We use the decentralized threshold signature scheme mentioned in SectionII-B and each voter interacts to generate the t-of-n threshold signature address T. For each voter’s which is the share of T is considered as a valid vote. Each voter can vote his share to the candidate whom he supports and the candidate who reaches t shares can receive the nx Bitcoin rewards at last.

Iii-C Anonymous voting

Based on the relevant design of the shuffle[15], we propose a new anonymous voting mechanism. Also, we solved the defect for the last one of shuffling to place his own vote in a specific position and provided additional verification. This phase is illustrated in Fig.2.

  1. Voter has already known the remaining voters’ public key through the bulletin board and generates his own vote according to his selection. , x indicates the candidate chosen by the voter. The is encrypted by using to generate , where is a random permutation offered by . Constructing set and sending it to .

  2. gets after decryption using his own private key . Meanwhile, selects his and generates and then sends to after construction.

  3. The rest can be done in the same manner, until gets the final , the lexicographic order is then sent to all voters.

  4. Each voter hashes the content to get and broadcasts to each other to determine if all are equal. If equals, each one generates the last round of random permutation with pseudo-random number generator[16] and . The purpose of this round is mainly to prevent from being able to place his vote in specific positions.

Fig. 2: Anonymous voting based on shuffling.

Iii-D Bitcoin transaction stage

After completing the shuffle operation, any voter can construct vote commitment transaction and refund transaction (see Fig.3) and then send them to all voters for signature. When the signature is completed, one voter just publishes the vote commitment transaction to Bitcoin network and the refund transaction is kept locally until time which is the last time for returning ballot funds. The input of vote commitment transaction includes the address i which owns z+x Bitcoins, .

The output includes two aspects:

  • There are 2 ways to take away z Bitcoins.

    Firstly, it means voter can reveal to obtain his own deposit z Bitcoins.

    Secondly, it means that the deposit can be taken away by the voters jointly construct the transaction or by the winner candidate who obtians the private key of T. The purpose of setting a deposit is to prevent voter from refusing to vote. Therefore, the handle of z Bitcoin deposit can actually be based on specific actual demands and designs.

  • T is the address which owns nx Bitcoins. For any candidate, when the received number of is greater than t, he can construct a win transaction to obtain the voting reward.

Claim transaction. Each voter reveals his before time . They revealed to recover the deposit simultaneously, at the same time, the candidate corresponding to x decrypt with his private key on the Bitcoin network.

Win transaction. Once a candidate has collected t different , he can initiate a win transaction and transfer nx Bitcions to his own to win the vote.

Fig. 3: Bitcoin transactions stage.

Refund transaction. If after time , the voting result fails to be generated which means no candidate has obtianed enough t shares, the refund transaction will be triggered, then each voter’s x Bitcoins will be returned to the original address .

Iv discussion

First of all, our solution is correct, vote commitment transaction can ensure that each voter has only one vote. They cannot tamper, discard or repeat the vote after being sent to Bitcoin network, discard and repeat the voting. The protocol is decentralized, because of the use of a non-central threshold signature algorithm, the decentralized shuffling mechanism and Bitcoin is also decentralized. Privacy protection is mainly in the shuffling mechanism in Section III-C. It uses the decryption mixnets to achieve the purpose of protecting vote privacy. The specific security analysis can be seen in [15]. Considering the number of transactions, our protocol needs a vote commitment transaction, n claim transactions, and win/refund transaction in the Bitcoin network, so the complete process requires transactions. For functionality, we can complete the t-of-n voting form. For example, we hope to hold a election that winner should have more than votes. We can set n as the number of voters and t as half the number of voters. Similarly , etc. It makes voting forms actually more flexible.

Zhao et al[3]
Tian et al[2]
Silvia et al[4]
Correctness \Checkmark \Checkmark \Checkmark \Checkmark
Decentralization \Checkmark \Checkmark \XSolid \Checkmark
Privacy protection \Checkmark \Checkmark \Checkmark \Checkmark
Transaction numbers n+1
Functionality winners from L candidates t-of-n t-of-n
TABLE I: comparsion between our protocol with others.

Zhao and Chan’s solution[3] used an complex cryptography tool such as zero-knowledge proof, it needs to run the zkSNARK 3 times, secure unicast and 2 times public broadcast, and the number of transactions is , the scheme can only achieve 1-of-2 election form. Tian et al.[2] proposed improvements based on the Chan’s protocol that can reduce the number of transactions to . Unfortunately, it also needs proofs of zkSNARK which L is the number of candidates, . Silvia et al.[4] put forward the circle shuffle technique for Bitcoin voting, which also requires only transactions, but it requires a centralized honest and trustable dealer. Once the dealer is malicious, the entire vote protocol will be destroyed. Table I summarizes the main differences of our protocol with others.

Future work. Our voting protocol is set in a small-scale (number of voters restrictions), permission voting scene. For large-scale voting, we recommend the use of centralized shamir’s secret sharing program[12], but in fact, Bitcoin is not a dedicated voting system, its performance will be limited. Designing a blockchain system that fully serves voting will probably solve this problem better.

V conclusion

We proposed a privacy-preserving, decentralized and functional Bitcoin e-voting protocol that uses a shuffling mechanism to complete privacy protection, decentralized threshold signatures to assign voting rights, use of Bitcoin transaction to make all voting transparency and immutability, and the P2SH scripts can prevent the phenomenon of discarding vote. The protocol reaches the correctness, decentralization, privacy protection and has more flexible voting forms. Meanwhile, the number of transactions maintaines small.


  1. thanks: Acknowledgement. The authors thank the editors and the anonymous reviewers for their valuable comments. This study is supported by the National Science foundation of China (No. 61472074,U1708262) and the Fundamental Research Funds for the Central Universities (No.N172304023).


  1. S. Nakamoto, “Bitcoin: A peer-to-peer electronic cash system,” 2008.
  2. H. Tian, L. Fu, and J. He, “A simpler bitcoin voting protocol,” in International Conference on Information Security and Cryptology.   Springer, 2017, pp. 81–98.
  3. Z. Zhao and T.-H. H. Chan, “How to vote privately using bitcoin,” in International Conference on Information and Communications Security.   Springer, 2015, pp. 82–96.
  4. S. Bartolucci, P. Bernat, and D. Joseph, “Sharvot: secret share-based voting on the blockchain,” arXiv preprint arXiv:1803.04861, 2018.
  5. M. Andrychowicz, S. Dziembowski, D. Malinowski, and L. Mazurek, “Secure multiparty computations on bitcoin,” in Security and Privacy (SP), 2014 IEEE Symposium on.   IEEE, 2014, pp. 443–458.
  6. J. Bonneau, J. Clark, and S. Goldfeder, “On bitcoin as a public randomness source.” IACR Cryptology ePrint Archive, vol. 2015, p. 1015, 2015.
  7. I. Bentov and R. Kumaresan, “How to use bitcoin to design fair protocols,” in International Cryptology Conference.   Springer, 2014, pp. 421–439.
  8. G. Maxwell, “Coinjoin: Bitcoin privacy for the real world,” in Post on Bitcoin forum, 2013.
  9. M. Conti, C. Lal, S. Ruj et al., “A survey on security and privacy issues of bitcoin,” arXiv preprint arXiv:1706.00916, 2017.
  10. P. Todd, “Bip 65: Op_checklocktimeverify (2014),” URl: https://github. com/bitcoin/bips/blob/master/bip-0065. mediawiki (visited on 2015-10-08), 2014.
  11. A. M. Antonopoulos, Mastering Bitcoin: unlocking digital cryptocurrencies.   ” O’Reilly Media, Inc.”, 2014.
  12. A. Shamir, “How to share a secret,” Communications of the ACM, vol. 22, no. 11, pp. 612–613, 1979.
  13. S. Goldfeder, R. Gennaro, H. Kalodner, J. Bonneau, J. A. Kroll, E. W. Felten, and A. Narayanan, “Securing bitcoin wallets via a new dsa/ecdsa threshold signature scheme,” 2015.
  14. S. Rafaeli, “The electronic bulletin board: A computer-driven mass medium,” Social Science Micro Review, vol. 2, no. 3, pp. 123–136, 1984.
  15. T. Ruffing, P. Moreno-Sanchez, and A. Kate, “Coinshuffle: Practical decentralized coin mixing for bitcoin,” in European Symposium on Research in Computer Security.   Springer, 2014, pp. 345–364.
  16. C. L. Phillips, J. A. Anderson, and S. C. Glotzer, “Pseudo-random number generation for brownian dynamics and dissipative particle dynamics simulations on gpu devices,” Journal of Computational Physics, vol. 230, no. 19, pp. 7191–7201, 2011.
Comments 0
Request Comment
You are adding the first comment!
How to quickly get a good reply:
  • Give credit where it’s due by listing out the positive aspects of a paper before getting into which changes should be made.
  • Be specific in your critique, and provide supporting evidence with appropriate references to substantiate general statements.
  • Your comment should inspire ideas to flow and help the author improves the paper.

The better we are at sharing our knowledge with each other, the faster we move forward.
The feedback must be of minimum 40 characters and the title a minimum of 5 characters
Add comment
Loading ...
This is a comment super asjknd jkasnjk adsnkj
The feedback must be of minumum 40 characters
The feedback must be of minumum 40 characters

You are asking your first question!
How to quickly get a good answer:
  • Keep your question short and to the point
  • Check for grammar or spelling errors.
  • Phrase it like a question
Test description