# Distributed quantum election scheme

## Abstract

In an electronic voting protocol, a distributed scheme can be used for forbidding the malicious acts of the voting administrator and the counter during the election, but it cannot prevent them from collaborating to trace the ballots and destroy their privacy after the election. We present a distributed anonymous quantum key distribution scheme and further construct a distributed quantum election scheme with a voting administrator made up of more than one part. This quantum election scheme can resist the malicious acts of the voting administrator and the counter after the election and can work in a system with lossy and noisy quantum channels.

###### keywords:

quantum election, distributed scheme, conjugate codingcompress

## 1 Introduction

In a large-scale election, the problem that most concerns the voters is the privacy of the election. That is, an eligible voter does not want anybody to track his/her ballot at any time. Further, eligibility and unreusability are other serious problems. That is, only eligible voters are permitted to vote, and each eligible voter can vote successfully only once. In view of the properties described in earlier papers, an ideal election scheme should have the following properties: completeness, soundness, privacy, eligibility, unreusability, fairness and verifiability. In order to ensure these properties, considerable attention has been paid to election schemes. These schemes can be divided to two parts: electronic election and quantum election. The homomorphic-encryption-based scheme, mix-net-based scheme, and blind signature-based scheme are there main types of electronic voting schemes. These schemes can efficiently solve the drawback of achieving privacy and fairness at the same time. However, the security of these schemes is based on the difficulty of solving certain mathematical problems; it will be threatened by the use of a quantum computer. When a quantum computer is used, mathematical security can no longer prevent the attacker from knowing whom a voter voted for in the election.

Quantum cryptography can be used for solving the problem of unconditional security and privacy that mentioned in the earlier electronic voting schemes, which use the fundamental laws of quantum physics to ensure unconditional security. For example, we can use the quantum non-cloning theorem for unconditionally secure quantum key distribution, and we can use quantum anonymous transmission to conceal the identity of the sender of the messages. Considerable attention has been paid to quantum election protocols. Vaccaro et al. propose a quantum election protocol by adding different local quantum operations to an entangled quantum state that distributed over separated sites in 2007, the physical inaccessibility of any one site is sufficient to guarantee the anonymity of the votes; Hillery et al. presents a similar protocol, in which the initial state of the system is denoted by a quantum state , and the eligible voter expresses his choice through different operations to the initial quantum state(the value of depends on his choice). The counter extracts the outcome of the election through a complicated measurement of the final quantum state and cannot traces the ballot of a specific voter. These protocols are relatively significant progress in the field of quantum elections. On the one hand, these protocols efficiently guarantee the security of the election and ensure the anonymity of the voters; however, on the other hand, as the outcome of the measurement is the number statistics of all the votes, no voter can trace his ballot from the outcome, and thus, he cannot ensure whether he has voted successfully or not. Further, the reading of the outcome statistics is a complicated measurement: there is no reliable way of knowing whether a voter has voted more than once, and the voting for the candidates of the election is restricted to yes or no. The protocol in presents a quantum election scheme without complicated measurements: this scheme uses a Fourier transform for executing voting and can be implemented as soon as the implementation of the discrete Fourier transform becomes possible. proposes a new protocol for quantum anonymous voting, which protects both the voters from a curious tallyman and all the participants from a dishonest voter in an unconditional way. The voting for the candidates of the ballots is still restricted to yes or no. presents a traveling ballot scheme based on quantum mechanics, the main idea of this scheme is that the voters cast their votes in an orderly manner with a traveling quantum state. In this scheme, the voters can vote for many candidates, and they can determine whether to cast their ballots to the traveling state. As there is still no reliable way to avoid the voters from voting more than once, a malicious voter may try to detect the execution of the election. All the protocols mentioned above are based on entangled quantum states.

Unlike these protocols, in paper , Okamoto et al. present a relatively expedient quantum voting scheme based on conjugate coding, in which a ballot is an unknown quantum state that enables a voter to exercise his right to vote. This scheme ensures the unconditional security and anonymity of the election without the use of entangled quantum states, and the quantum blank votes generated in advance avoid a voter from voting more than once. As the quantum ballot is randomized by the voter before sending it to the voting administrator, nobody can trace the voter’s ballot. This efficiently protects the private of the voter, but at the same time makes it impossible for the voter to check whether he has voted successfully or not; that is, verifiability is not guaranteed. On the basis of this protocol, in paper , we present a new quantum election scheme, which depends on the security of the anonymous quantum key distribution to ensure unconditional security. This scheme ensures the completeness, soundness, privacy, eligibility, unreusability, fairness and verifiability of an election while the voting administrator and the counter are semi-honest; it can efficiently avoid a voter from voting more than once and works even when there exist losses and errors in the quantum channels. However, in this scheme, the security of the election depends considerably on the credibility of the voting administrator and the counter, as the administrator may try to forge valid votes by impersonating the voters and there is no reliable way to solve the dispute between the administrator and the voters. Further, the security will be threatened by a collusion of the administrator and the counter.

A distributed scheme can be used for solving a dispute between the voting administrator and the voters. The distributed scheme is a scheme in which several independent parties, e.g., several candidates of the election, collaborate to act as the voting administrator. A combination of a traditional one-time pad and a distributed scheme can efficiently ensure information security and avoid the voting administrator from impersonating a voter. However, the security of the protocol is difficult to achieve in real life because there is no effective way to guarantee that the parties that form the voting administrator will not cooperate to trace the ballots forever. Whenever they cooperate, the privacy of the election is at risk even when there are a sufficient number of key strings. In this paper, we propose a new distributed quantum election scheme, in which we use a combination of a distributed scheme and quantum cryptography to construct an unconditionally secure distributed anonymous quantum key distributed scheme and to remove the threat posed by the voting administrator and the counter. The security of the anonymous quantum key distribution is based on the security of the quantum key distribution. With the help of the voting administrator, the voter can anonymously establish a key string with the counter; this key is invisible to the administrator. In the new distributed scheme, when the election is completed, nobody can trace the ballot to detect the privacy of the election even if the voting administrator and the counter collaborate to do so; this to an extent improves the security level of the scheme.

The rest of this paper is organized as follows: In Section 2, we present our former quantum election scheme based on anonymous quantum key distribution, and then we discuss a traditional election scheme that uses the distributed scheme and analysis its security. In Section 3, we present distributed anonymous quantum key distribution schemes that will be used in the distributed quantum election scheme proposed in the next section. We present the proposed distributed quantum election scheme in Section 4, and in Section 5, we discuss the advantages of the proposed quantum election scheme. Finally, we present our conclusions in Section 6.

## 2 Preliminary

We use the notation to denote the concatenation of strings. denotes an unconditionally secure symmetric encryption algorithm, and denotes an information-secure one-way function:

(1) |

where and are bit strings having the same length.

In view of the properties described in , a secure quantum election scheme should satisfy following: It is complete, if one ballot is valid, it should be countable. It should be sound so that a dishonest voter cannot disturb the election. It is anonymous, the owner of a ballot is invisible to others. It should be non-repeatable, and hence, no voter can vote successfully twice. It should be fair so that the earlier voters cannot affect the later voters. It should be verifiable, a voter should be able to check his ballot at the end of the election. We use to represent the identity of the eligible voter .

As introduced in , a scheme with covert security can guarantee that once an adversary attempts to cheat in order to destroy some security properties of the scheme, the honest parties will notice the cheating attempt with some constant probability. In other words, any irregularity in the scheme should be detected with some constant probability. We believe that a distributed quantum election scheme in a sense should ensure covert security.

### 2.1 Quantum election based on anonymous quantum key distribution

We presented an election scheme based on an anonymous quantum key distribution scheme using a semi-honest model in , this scheme can efficiently satisfy all the properties mentioned above. Four phases are included in the scheme: initial phase, authentication phase, key distribution phase and voting phase. Several voters , j=1,2,,N, the voting administrator Bob, and the counter Charlie are also involved.

Initial phase: In the initial phase, the voting administrator Bob publishes a set . Each element of the set is randomly chosen by Bob to represent an eligible candidate. In the election scheme, an eligible voter chooses an element as his ballot .

The voting administrator Bob establishes a key with every eligible voter , j=1,2,,N, by directly contacting or using an unconditionally secure quantum key distribution protocol. All the four parts of are selected uniquely for .

All these tasks should be completed in advance.

Authentication phase: When the eligible voter wants to vote, he sends a request by sending the group to Bob. Then Bob checks whether has successfully applied for voting before. If not, Bob verifies whether the string is correct: if it is correct, Bob accepts ’s request.

At the end of the authentication phase, Bob announces the number of verified voters(we denote it by n) and publishes a set that contains all the verified , . Now the scheme turns to the key distribution phase.

Key distribution phase: In this phase, Bob helps each verified voter to execute an anonymous quantum key distribution protocol to establish a key between and Charlie. Here . The anonymous quantum key distribution scheme is unconditional secure under semi-honest model, and can verifies whether the anonymous quantum key distribution process is successful.

Voting phase: While ensures that the anonymous quantum key distribution is successful, he has anonymously established a 2s-bit key with Charlie successfully. Then, he chooses an element from set as his ballot and uses to encrypt his ballot. Next, he anonymously sends the encrypted ballot along with to Charlie.

Charlie checks whether is correct and whether he has accepted it before. If it is correct and he has not accepted it before, he extracts the corresponding and uses it to decrypt the encrypted ballot. If the outcome , Charlie counts and accepts .

While all the verified voters vote successfully, Charlie counts the number of each candidate’s ballots. Subsequently, he randomly arranges all the accepted groups and publicly publishes them for the voters to trace their ballots. The scheme is now completed.

The quantum election scheme satisfies all the properties mentioned above efficiently, and any irregularity in the scheme is sensible while the administrator and the counter are semi-honest. When an attacker attempts to impersonate a voter to vote, he will be detected by the voter. However, in an election scheme, the administrator and the counter may also try to adversely affect the election: If Bob is malicious, he can easily impersonate eligible voters and help a candidate to forge ballots; at the same time, a malicious counter may also tamper the ballot of an eligible voter. Although eligible voters can discover these irregularities, there is no reliable way to prove their discovery. In order to solve this problem, we propose a new quantum election scheme, which combines the distributed scheme with quantum cryptography to improve the security level of the quantum election. In the distributed scheme, the voting administrator is made up of several independent parties who will not collaborate to adversely affect the election during the scheme. While the scheme is completed, the security and privacy of the voters will not be threatened by the voting administrator and the counter, even if the two parties collaborate.

### 2.2 Traditional distributed election scheme

Durette et al. use a combination of public key cryptography and multiple administrators to improve the security of the overall voting system by avoiding a single administrator from forging valid votes in ; presented a scheme in which the work for a voter is linear in the number of authorities but can be instantiated to yield information-theoretic privacy. When there are authorities, voters, the security parameter is , the total amount of communication will be bits, and the required effort for any authority and any voter will be and operations, respectively. In this scheme for any threshold , privacy will be assured against coalitions that include at most authorities, and robustness against coalitions that includes at most authorities. An information security traditional distributed election scheme can be described as follows:

As mentioned in the previous paper, there are three parties involved in the scheme: the voters, the voting administrator Bob, and the counter Charlie. In particular, the voting administrator Bob is made up of multiple independent entities. For the sake of simplicity, we assume that it is made up of two independent entities and , who will not cooperate to cheat. Before the voting, the voting administrator publishes a set . Each element of the set is a y-bit string that randomly chosen by Bob to represent an eligible candidate.

The voting administrator establishes a secret number to each eligible voter in advance. The secret number is visible to both and .

#### Initial phase

(1) applies for voting by sending his/her identity along with the secret number to Bob.

(2) After getting ’s request, Bob checks whether has applied for voting before. If he has, Bob rejects his request; otherwise, Bob checks whether is correct. If it is correct, the scheme moves to the next step.

(3) and respectively establish a secret string with by directly contacting or using an unconditionally secure quantum key distribution protocol. We denote these strings by

(2) | |||

(3) |

and uses the function to generate

(4) | |||

(5) |

(4) and respectively establish the secret strings and with Charlie in the same manner as that used in the previous step, and Charlie also uses function to get the strings and .

#### Voting and counting phase

(1) chooses one candidate as his vote and encrypts it by . Then, he sends to Charlie along with .

(2) When he receives , Charlie checks whether he has received before. If not, he uses to get the corresponding recorded in his database and decrypts to get the plaintext . After extracting , Charlie checks whether is correct. If it is correct, Charlie counts this vote.

After all the votes have been counted, Charlie publishes all the groups for the eligible voter to check whether he/she has voted successfully.

The scheme is now completed.

#### Security analysis

In this election scheme, the voting administrator will check the identity of each voter before accepting a voting request and will not respond to one voter twice; Charlie will check whether he has received before counting so that the eligibility and unreusability criteria are satisfied. At the same time, the earlier voters¡¯ votes will have no effect on the later ones, and all the eligible votes will be count correctly. Hence, the fairness and completeness criteria are satisfied. Charlie will check each ballot before counting it, thus guaranteeing the soundness of the process. At the end of the scheme, Charlie will publish all the counted ballots for each voter to check whether he/she has voted successfully; hence, the scheme satisfies the verifiability criterion. The properties mentioned above are easy to prove; hence, now, we mainly discuss the privacy of the scheme.

In this scheme, two independent parties collaborate to act as the voting administrator, the function is information security, and the final key string and between and Charlie is invisible to others(the independent parties and are included). As long as one of the two parties does not cooperate with the other, the communication key strings are secure. However, the security of the protocol is difficult to achieve in real life because there is no effective way to guarantee that the two parties and will not cooperate to trace the ballots forever. Whenever the two parties cooperate, the privacy of the election is compromised.

## 3 Distributed anonymous quantum key distribution

Considering the problem that mentioned in the case of the traditional distributed election scheme, it is impossible to ensure that the two distributed parties and will not cooperate forever. However, according to common sense, in a real election, we can think that there exists an overseeing body to monitor the elections; this institution will supervise both sides for a certain period of time so as to ensure that they do not cooperate with one another within this time period. On the basis of this viewpoint, we assume that the administrator is made up of two parties and , who cannot collaborate to cheat during the scheme. When the scheme is complete, the private of the voter will not be compromised even if and cooperate.

Anonymous quantum key distribution(AQKD) can be used for ensuring the private of the voter in the case of a semi-honest model. If one voter can share a key string with Charlie anonymously, he/she can easily encrypts his/her ballot anonymously. Once others cannot match the key string with the voter, they also cannot trace the ballot. In view of the problems in the earlier paper, we present an improved distributed AQKD protocol that will be used in the new distributed quantum election scheme.

### 3.1 Qubit-based distributed AQKD protocol

Suppose a voter wants to anonymously establish a key string with the counter Charlie with the help of the voting administrator Bob(made up of two independent parties and ). The voter wants to ensure that nobody except himself/herself and Charlie can get the key string, which is difficult to achieve through traditional key distribution, because there is no reliable way to avoid others from copying the information. The quantum non-cloning theorem guarantees that it is impossible to measure or copy an unknown qubit without being detected. Based on this, we present a qubit-based AQKD protocol:

Prerequisite: has established a secret string with and Charlie, and has established a secret string with and Charlie. Both and Charlie compute , .

Step 1. randomly chooses a string , and generates his qubits by the method of conjugate coding:

(6) |

where and denote the -th bit of ,, and , , .

Then, anonymously transmits the quantum state with the secret string to Charlie.

Step 2. Charlie checks whether he has received before. If not, he uses to get the corresponding string , and measures the quantum state depending on the value of : if , he measures the qubit with the rectilinear basis ; otherwise he measures it with the diagonal basis . After obtaining the outcome, Charlie publishes a subset of the outcome with and all the location information of the bits of the subset; we denote the subset by .

Step 3. checks whether the subset is equal to the corresponding subset of . If it is, knows that the quantum key distribution is successful. Then, he/she deletes the checking bits and extracts the remaining bits of as the final encrypted key string

(7) |

now has anonymously established a key string with Charlie.

Security analysis

In this protocol, we assume that and will not cooperate until the protocol is complete, and the function is information security; thus, neither nor can get the strings or during the AQKD protocol. The quantum state is an unknown quantum state to others( included); hence, it is impossible to make a copy of the strings. A malicious entity has to measure the initial qubits if he wants to get some useful information about the final encryption key string. However, without the encoding basis of the qubits, he will choose the wrong measuring basis with a probability for each qubit and then introduce no less than error rate in Charlie’s measuring outcome. This implies that without it is impossible to make a correct measurement on the quantum state , and an incorrect measurement will affect Charlie’s measuring outcome and be detected by in the last step of the anonymous key distribution phase; will then stop the scheme. As a result, nobody except and Charlie can get the final encryption key string . The probability that others except and Charlie guess the correct x-bit key string is not more than . When x is sufficiently large, the probability is negligible. In other words, when the anonymous key distribution phase is complete, there is no effective way for and to get the final encryption key string even if they cooperate to do so.

Practicability analysis

Considering the problem mentioned in the case of the traditional distributed election scheme, we just assume that the two independent entities and will not cooperate for a limited period of time(just limited to the end of the election). This is reasonable and easy to achieve in practice.

This AQKD protocol can also work even if there exist losses and errors in the quantum channels. In order to establish an error-free key, Charlie can publish all the qubits that he has received and then publish the check string and its serial numbers in Step 2 of the anonymous key distribution phase. If the error rate of the check string is acceptable, can ensure that the key distribution is successful. After verifying that the key distribution is successful, extracts the string from and subsequently uses and a key redistribution protocol for establishing the final error-free key and then uses the error-free key to encrypt his/her ballot.

### 3.2 Qubit-string-based distributed AQKD protocol

The former qubit-based distributed AQKD protocol can efficiently avoid Bob from impersonating the voters to vote or tracing the ballots after the election. The combination of anonymous quantum key distribution and the distributed scheme guarantees the private of the voter. When the protocol is completed, neither nor can get the final encrypted key string even if they collaborate to do so. However, there is a further problem: in this scheme Bob and Charlie should be two independent parties that will never cooperate. Once the two parties cooperate the privacy of the voter is not guaranteed. An ideal AQKD protocol should ensure that once the protocol is completed nobody can compromise the private of the voter even if the voting administrator and the counter cooperate to do so.

A qubit-string-based scheme can be used for solving this problem. The improved AQKD protocol is as follows:

Prerequisite: and respectively establish specific key strings with , we denote the key strings by and ; at the same time, and respectively establish a specific key string with Charlie, we denote the two strings by and . Here,

(8) |

where

(9) | |||

(10) | |||

(11) |

The strings are the same for every voter.

Step 1. and respectively use the random number generator to prepare a random string

(12) | |||

(13) |

where

(14) | |||

(15) |

and collaborate to generate a quantum state by using conjugate coding:

(16) |

Here denotes an -dimensional zero vector, and , ,, .

Then Bob sends the quantum state to via a secure quantum channel. In order to avoid the attacker from intercepting the qubits to extract information, we can assume that both and use a secret key to flip the qubits and the voter uses the keys to get the initial qubits.

Step 2. After receiving , randomly chooses a strings and computes

(17) |

then, he randomly chooses a string , where

(18) |

and

(19) |

Step 3. generates

(20) |

Then sends to Charlie anonymously via a secure quantum channel.

Step 4. Charlie computes , , and in advance. When he receives , Charlie measures it depending on the value of the string : if , he measures the qubit with the rectilinear basis , where j throughout; otherwise he measures it with the diagonal basis . After getting the outcome , where

(21) |

Charlie computes with

(22) |

and uses the string M to extract

(23) |

then, he can obtain the strings by decrypting with the key . Then he checks whether is correct. If it is correct, Charlie ensures that he gets the correct key string .

After verifying all the key strings, Charlie will publicly publish a subset of the string for the voter to verify whether the anonymous quantum key distribution is successful; every voter publishes whether the quantum key distribution is successful, and the voting administrator helps the failed ones to restart a new anonymous quantum key distribution.

Security and practicability analysis

In this protocol we use m-qubits to transmit one key bit. Further, the quantum state has been randomized by , and hence, the voting administrator and the counter cannot match the key string with the voter even if they collaborate to do so.

When there exist losses and errors in the quantum channels, we can improve the protocol as follows:

In the voting phase, uses the random number generator to generate a random number

(24) |

then he uses a classic error correction coding(ECC) to encode it and get the corresponding code .

When he receives the qubits from Bob, adds an operation as follows:

(25) |

adds to only if he receives this qubit. After doing so, generates the key string , where

(26) |

then he sends to Charlie along with the serial numbers of the qubits that he receives from Bob. Charlie measures the qubits and extracts the code . He uses to recover the string and then generates the key string . A dishonest voter or an attacker may also try to forge a ballot. As he/she is not aware of the string and , he/she will introduce no less than 75% error rate in the string . While the error correction ability of the ECC is not available to correct such a large error rate, it is impossible to recover the string .

## 4 Quantum distributed election schemes

A complete voting process in our quantum election scheme includes four phases: initial phase, anonymous quantum key distribution phase, voting phase and counting phase. Several voters , j=1,2,,N, the voting administrator Bob(made up of two independent parties and ), and the counter Charlie are also involved.

If Bob and Charlie are two independent parties that will not collaborate forever, we can use both the qubit-based distributed AQKD protocol and the qubit-string-based AQKD protocol that presented in Section 2; in order to ensure that the private of the voter will not be threatened by the collaboration of the voting administrator Bob and the counter Charlie forever, we use the qubit-string-based AQKD protocol in our distributed quantum election scheme.

### 4.1 Initial phase

and respectively establish a specific key string with every eligible voter, we denote the key strings by ,. At the same time, and respectively establish a specific key string with Charlie, we denote these two strings by ,. Here

(27) |

where .

### 4.2 Anonymous key distribution phase

In this phase each eligible voter anonymously establishes an encrypted key string with the counter Charlie by using the qubit-string-based AQKD protocol. The key string is used for encrypting the ballot and it is invisible to the others( and included) except for and Charlie.

After all the voters anonymously establish key strings with Charlie, the scheme moves to the voting phase.

### 4.3 Voting and counting phase

(1) chooses a candidate as his vote and encrypts it with . Then, he sends to Charlie along with .

(2) After receiving , Charlie checks whether he has received before. If the check succeeds, Charlie uses to extract the corresponding . Then, he decrypts to get the ballot . If the outcome is eligible, Charlie counts this vote.

After all the votes has been count, Charlie publishes all the groups for the eligible voter to check whether he/she has voted successfully.

The scheme is now completed.

### 4.4 Security and practicability analysis

Privacy: The quantum state is randomized by before it is sent to Charlie. The initial quantum state is generated by both and . After ’s operation, the qubits can be denoted as

(28) |

then the qubits are transmitted to . As the strings are not aware to , the density matrix of the qubits can be expanded as

(29) |

where denotes the density matrix of . flips the quantum state depending on the value of , as are randomly distributed, after ’s operation, the density matrix of the qubits that transmitted to can be written as

(30) |

here . We can verify that the set of unitary matrices forms an orthonormal basis. In view of the quantum one-time pad in , in this basis the density matrix can be expanded as

(31) |

where . Now the density matrix can be expanded as

(32) |

After receiving the quantum state, adds quantum operation to it depending on the value of the strings . We use to denote the density matrix of the randomized quantum state. As is randomly distributed, after ’s operation, for the attacker who cannot obtain the generation basis and values, the density matrix of the qubits can be expanded as

(33) |

where . This implies the information that determines the unitary transformation after ’s operation. For and , the density matrix of the qubits can be respectively expanded as

(34) | |||

(35) |

where , and . The two density matrices are in a completely mixed state. Hence, and cannot obtain any useful information about identity from the state. For the counter Charlie, the density matrix can be expanded as

(36) |

where = and satisfies the condition that

(37) |

We can see that the density matrix of the final quantum state that sends to Charlie is a totally mixed state. Hence, the attacker(Charlie and included) cannot extract any useful information about ’s identity even if he intercepts the entire state. At the same time, his attack will change the initial qubits and then be discovered by the honest parties. Although this discovery is not verifiable and the honest parties cannot point out the specific attacker, the attacker cannot compromise the private of a voter. Further, Charlie’s measurement outcome is randomized and will not reveal any information of the voter’s identity, Charlie cannot match the ballot with the voter even if he collaborates with and , hence, the voters’ private is guaranteed.

Unreusability and soundness: In the case of any two voters and , Bob respectively sends a quantum state and to them. The density matrix of these two quantum states can be expressed as

(38) | |||

(39) |

both the states are totally mixed state. Hence, the voters cannot distinguish between and . Thus the voters cannot obtain any information about the preparation basis and values ,, and of the quantum states that generated by Bob.

According to the quantum no-cloning theorem it is impossible to copy an unknown quantum state without the preparation basis of the state. If an attacker wants to forge a valid ballot, he has to prepare a quantum state and send it to Charlie. As the quantum state is randomly prepared, Charlie will get the correct value of each bit of with the probability . Thus, the probability that a forged quantum state passes Charlie’s identity check is not more than , while is large enough, the probability is close to 0. Hence, an attacker has to obtain the information of the state preparation basis, that is, he has to obtain the value of the string .

Suppose several voters collaborate to guess the string . For example, we consider the first bits of . Suppose voters collaborate to guess these bits. A subset(e.g., the number is ) of the voter guess a random -bit string and use it to measure the first m-qubit of their quantum state that received from Bob. After obtaining the outcome every voter computes the XOR of all the m bits of his/her outcome. If all the m voters obtain the same value, they believe that the string that they choose is correct; otherwise, they think that the string is wrong. The probability that the voters obtain the same XOR value is

(40) |

hence, they can exclude a wrong string with the probability

(41) |

When is sufficiently large, the probability is close to 1. After excluding an invalid string, another set of voters can exclude another wrong string with probability in the same manner. In order to find the correct , the voters have to exclude all the wrong strings. This requires at least voters to collaborate. When the number of the voters is considerably less than this number, it is impossible to obtain the correct generation basis even if all the voters collaborate up to find it. Without the basis the voters cannot forge quantum states to execute malicious anonymous quantum key distribution for cheating. Therefore, it is impossible for the voters to disturb an election by forging valid ballot to vote more than twice; their forged ballots will be discovered and discarded by Charlie. Hence, Soundness and unreusability are guaranteed.

Eligibility: Charlie will check the identity of the voter before counting his ballot; therefore, only eligible voters will be permitted to vote. At the same time, without the quantum state generated by the voting administrator, it is impossible for an attacker to forge a valid ballot; his invalid ballot will be discovered and discarded by Charlie, and hence, eligibility is guaranteed.

Verifiability and fairness: In this scheme, Charlie will publish the result of the election, so that every voter can check his/her ballot at the end of the scheme; the earlier voters have no effect on the later voters, and the scheme is fair to all the voters. Hence, verifiability and fairness are guaranteed.

Completeness: As the voting administrator and the counter are monitored during the election, and any dishonest attempt by the two will be detected. Further, if Charlie attempts to tamper with the statistics of the ballots, he will be detected by the voters. Hence completeness is guaranteed.

As the qubit-string-based AQKD protocol can resist the losses and errors of the quantum channels, the distributed quantum election scheme works well even when the quantum channels have losses and errors. The only request in this scheme is the existence of the overseeing body that monitors the participants of the election during the protocol; under such a body, neither the voting administrator nor the counter can cheat during the election, thereby ensuring the security of the scheme.

## 5 Discussion

Considering the problem mentioned in the previous papers, we present a new type of unconditionally secure distributed election scheme, in which the voting administrator is made up of independent entities that cannot cooperate to cheat during an election. The security of the distributed election scheme is based on the security of the distributed anonymous quantum key distribution protocol, which depends on the quantum key distribution to ensure unconditional security. Once a voter anonymously establishes a key string with the counter, nobody can match him/her with his/her ballot as the ballot is encrypted by the key string and it is impossible to trace the key string in the anonymous quantum key distribution scheme. This distribution scheme is used for removing the threat posed by the collaboration of the voting administrator and the counter.

Compared with the traditional distributed election scheme mentioned in Section 2, the proposed scheme can not only efficiently solve a dispute between a voter and the administrator but also solve the difficulty of monitoring the independent parties forever. In the new scheme, we just assume that there exists an overseeing body to monitor the two entities during the election, thereby guaranteeing the security and the privacy of the election. When the scheme is completed, nobody can match the key string and the corresponding voter even if the administrator and the voter collaborate to do so; hence, it is impossible to track the ballot. In the qubit-sting-based anonymous quantum key distribution scheme, we use an optical encryption method to randomize the initial quantum state and conceal the voter’s identity information. After ’s operation nobody(Bob and Charlie included) can obtain any information of . Although this anonymous quantum key distribution consumes a considerable number of key bits pre-shared between the parties, it can efficiently solve the problem that is not solved in the traditional distributed election scheme, and avoid the voting administrator and the counter from matching a voter with his ballot after the election even if they collaborate.

In view of the problems mentioned in the existing quantum election schemes, the proposed distributed quantum election scheme uses qubit-string-based anonymous quantum key distribution to ensure unconditional security and privacy. It ensures the completeness, soundness, privacy, eligibility, unreusability, fairness, and verifiability of the election, and removes the threat posed by the collaboration up of the administrator and the counter. Nobody can trace the ballot to destroy the privacy of the voters, and the voters can at the same time check whether they have voted successfully or not. Further, the proposed distributed quantum election scheme is relatively easy to implement because we have not used a quantum entanglement state and the scheme does not require any complicated quantum measurement.

Considering the definition of covert security discussed in , we can state that a protocol with covert security can guarantee that an honest party will notice the cheating attempt of the adversary with constant probability. In the proposed distributed quantum election scheme, the security of the voting depends on the security of the quantum key distribution; as the voting administrator is made up of some entities that will not cooperate to cheat during the voting, a cheating attempt to forge ballots by any member of the voting administrator will be discovered by the counter in the counting phase. At the same time, a dishonest attempt of the counter to tamper with the statistics will be discovered or detected in the final counting phase. Therefore, neither the voting administrator nor the counter can cheat successfully without being discovered. Further, an attacker¡¯s attempt to forge a valid ballot will be discovered by Charlie with the probability ; if is sufficiently large, the probability is close to 1. Therefore, the scheme in a sense satisfies the requirement of the security and the privacy of the information.

A more secure scheme which ensures covert security with public verification requires that the honest parties can not only discover the existence of cheat but also determine the dishonest parties or attackers. Anonymous quantum communication designed for the anonymous transmission of a quantum state against an active adversary with information-theoretical security may probably be helpful to achieve this propose. Though our scheme is constructed without the use of entangle states to guarantee the practicality of the quantum election, we would like to try employing the anonymous quantum communication to construct new quantum election schemes with public verification security.

## 6 Conclusion

In this paper, we use a combination of a distributed scheme and quantum cryptography to construct an unconditionally secure distributed anonymous quantum key distributed scheme, based on which we developed a new type of unconditionally secure election scheme. In the anonymous quantum key distribution, we used the optimal encryption of quantum bits to help a voter to anonymously establish a key string with the counter and efficiently removed the threat posed by the voting administrator and the counter. In the proposed distributed quantum election scheme, after the election, nobody could trace the ballot to compromise the privacy of the voter even if the voting administrator and the counter collaborated to do so. The new distributed quantum election scheme satisfies the completeness, soundness, privacy, eligibility, unreusability, fairness, and verifiability requirements of an election. As long as the two parties that made up the administrator did not cooperate to cheat during the election, the privacy of the election was not compromised by the administrator and the counter after the election even if they collaborated to do so. The distributed quantum election scheme also worked when the quantum channels contained losses and errors.

## Acknowledgement

This work was supported by the National Natural Science Foundation of China under Grant No.61173157.

### References

- Chaum D 1988 Advances in Cryptology-Eurocrypt 1988 (Berlin: Springer-Verlag) p177
- Fujioka A, Okamoto T and Ohta K 1993 Lecture Notes in Computer Science 718 244
- Cranor L F and Cytron R K 1996 Washington University Computer Science Technical Report 1996
- Chaum D 1988 Journal of cryptology 1 65
- Sako K and Killian J 1995 Advances in Cryptology-Crypto 1994 (Berlin: Springer-Verlag) p411
- Jafari S, Karimpour J, and Bagheri N 2011 International Journal on Computer Science and Engineering 3 2191
- Cohen J D and Fischer M J 1985 26th Annual Symposium on Foundations of Computer Science p372
- Chaum D 1981 Communications of the ACM 24 84
- Marius I and Ionut P 2011 Computer Science Master Research 1 67
- Ibrahim S, Kamat M, Salleh M, and Aziz S R A 2003 National Conference on Telecommunication Technology Proceedings p193
- Ambainis A, Mosca M, Tapp A and Wolf R 2000 Proceedings of the 41st Annual Symposium on Foundations of Computer Science p547, IEEE Computer Society Press 2000
- Boykin P and Roychowdhury V 2003 Phys. Rev. A 67 042317
- Chen K and Lo H K 2005 arXiv:quant-ph/0404133
- Deng F G, Li X H, Zhou H Y, and Zhang Z J 2005 Phys. Rev. A 72 044302
- Wang T Y and Wen Q Y 2010 Chin. Phys. B 19 060307
- Bennett C H and Brassard G 1984 Advances in Proceedings of the IEEE International Conference on Computers, Systems and Signal Processing, India:Bangalore, December 10–12, 1984 p175
- Ekert A K 1991 Phys. Rev. Lett. 67 661
- Bennett C H 1992 Phys. Rev. Lett. 68 3121
- Gisin N, Ribordy G, Tittel W, and Zbinden H 2002 Rev. Mod. Phys. 74 145
- Christandl M and Wehner S 2005 Advances in Cryptology-Asiacrypt 2005 3788 217
- Vaccaro J A, Spring J, and Chefles A 2007 Phys. Rev. A 75 012333
- Hillery M, Ziman M, Buzek v, and Bielikov M 2006 Phys. Lett. A 349 75
- Dolev S, Pitowsky I, and Tamir B 2006 arXiv:quant-ph/0602087
- Horoshko D and Kilin S 2011 Phys. Lett. A 375 1172
- Li Y and Zeng G 2009 Chinese Optics Letters 7 152
- Okamoto T, Suzuki K, and Tokunaga Y 2008 NTT Thchnical Review 6
- Zhou R R and Yang L 2012 Chin. Phys. B 21 8
- Asharov G and Orlandi C 2012 Advances in Cryptology-Asiacrypt 2012 p681
- Durette B W 1999 Bachelor thesis, Massachusetts Institute of Technology
- Cramer R, Franklin M, Schoenmakers B and Yung M 1996 Advances in EUROCRYPT’96 Proceedings (Berlin: Springer-Verlag) p72
- Wiesner S 1983 ACM Sigact News 15 78
- Yang L, Wu L A and Liu S H 2002 Acta Phys. Sin. 51 961(in Chinese)
- Brassard G, Broadbent A, Fitzsimons J, Gambs S and Tapp A 2007 Advances in Cryptology-Asiacrypt 2012 p460
- Bouda J and Sprojcar J 2007 In Proceedings of the First International Conference on Quantum, Nano, and Micro Technologies 2007