1 Introduction

Many voting protocols based on classical cryptography have been developed and successfully applied since Chaum et al. [9]. However, the security of protocols based on classical cryptography is based on the unproven complexity of some computational algorithms, such as the factoring of large numbers. The research in quantum computation shows that quantum computers are able to factor large numbers in a short time, which means that classical protocols based on such algorithms are already insecure. To react to the risk posed by forthcoming quantum computers, a number of quantum voting protocols have been developed in the last decade [3, 15, 16, 18, 24, 25, 38, 40, 41, 43].

To be reliable and useful in practice, voting protocols should satisfy some essential requirements, such as:

  1. 1.

    Anonymity. Only the voter knows how he or she voted.

  2. 2.

    Binding. Nobody can change the ballot after its submission.

  3. 3.

    Non-reusability. Every voter can vote only once.

  4. 4.

    Verifiability. Every voter can verify whether his or her ballot has been counted properly.

  5. 5.

    Eligibility. Only eligible voters can vote.

  6. 6.

    Fairness. Nobody can obtain a partial tally of ballots before the tallying phase.

  7. 7.

    Self-tallying. Everyone who is interested in the voting result can tally ballots by himself or herself.

To the best of our knowledge, among all existing quantum voting protocols, only the protocol proposed by Wang et al. [43] satisfies all of the above requirements. However, their protocol is difficult to implement using available technology. Our aim, presented in this paper, was to develop a voting protocol that satisfies all of the above requirements, and in addition, can be implemented by presently available technology.

The key feature of our protocol is its utilization of the Quantum Blockchain developed and described in [21, 34]. It turns out that Blockchain can significantly simplify the design of the protocol for electronic voting. A quantum bit commitment protocol is also needed to ensure some essential properties of voting. There are quantum bit commitment protocols in existence, which are both highly secure and implementable by the current technology. See, for example [14, 33, 42]. Either of these solutions can be used in our voting protocol.

We first review some background knowledge on the Quantum Blockchain and the quantum bit commitment (Section 2). Then, in Section 3, we present our voting protocol based on Quantum Blockchain. We finish this paper in Section 4, with conclusions and remarks on the future work.

2 Background

2.1 Quantum Blockchain

Blockchain is a distributed, transparent and append-only database technology which incorporates the mechanisms for achieving consensus over data in a large decentralised network of agents who do not trust each other. It is distributed in the sense that each of its nodes and every miner (an agent in charge of updating the database) have an identical copy of the database. One of the most prominent applications of Blockchain technology is to enable the creation and existence of cryptocurrencies, such as Bitcoin [30]. Another important application is the implementation of self-executable “smart contracts” [2, 35] - computational protocols for execution of trustworthy transactions without involvement of any third party.

The concept of the Quantum Blockchain presented in [21, 34], which we are going to explore for our voting protocol, assumes that each pair of nodes (agents) is connected by an authenticated quantum channel and by a classical channel which does not need to be fully authenticated. Every pair of nodes can establish a sequence of secret keys by using Quantum Key Distribution [5] mechanisms. Those keys will later be used for message authentication.

Updates (new transactions or new messages) on Blockchain are initiated by those nodes who wish to append some new data to the chain. The classical data of an update is sent via classical channels to all miners, while the quantum data of the update is sent via quantum channels. Each miner checks the consistency of the update with respect to their local copy of the database and works out a judgement regarding the update’s admissibility.

Then all the miners apply a (quantum) Byzantine agreement protocol [4, 10, 11, 17, 22, 31, 37] to the update, arriving at a consensus regarding the correct version of the update and whether the update is admissible. Finally, if at least half of the miners agree that the update is admissible, the update is added to the copies of the database of every node.

2.2 Quantum Bit Commitment

Bit commitment, used in a wide range of cryptographic protocols (e.g. zero-knowledge proof, multiparty secure computation, and oblivious transfer), typically consists of two phases, namely: commitment and opening. In the commitment phase, Alice the sender, chooses a bit a (a = 0 or 1) which she wishes to commit to Bob, the receiver. Then Alice presents Bob some evidence about the bit. The committed bit cannot be known by Bob prior to the opening phase. Later, in the opening phase, Alice discloses some information needed for the reconstruction of a. Then, Bob reconstructs a bit a using Alice’s evidence and the disclosure. A correct bit commitment protocol will ensure that a = a. A bit commitment protocol is concealing if Bob cannot know the bit Alice committed before the opening phase, and is binding if Alice cannot change the bit she committed after the commitment phase.

The first quantum bit commitment (QBC) protocol was proposed in 1984 by Bennett and Brassard [5]. A QBC protocol is unconditionally secure if any cheating can be detected with a probability arbitrarily close to 1. Here, Alice is cheating if she changes the committed bit after the commitment phase, while Bob is cheating when he learns about the committed bit before the opening phase. A number of QBC protocols have been designed to achieve unconditional security, such as those of [6, 7]. However, according to the Mayers-Lo-Chau (MLC) no-go theorem [26, 29], unconditionally secure QBC in principle can never be achieved.

Although unconditionally secure QBC seems to be impossible, several QBC protocols satisfy some other notions of security, such as cheat-sensitivity. For example, cheat-sensitive quantum bit commitment (CSQBC) protocols [8, 12, 23, 32, 45] and relativistic QBC protocols [1, 19, 20, 27, 28, 42] have been developed. In CSQBC protocols, the probability of detecting cheating is merely required to be non-zero. According to this less stringent security requirement, many QBC protocols which are not unconditional secure are regarded as secure within the notion of cheat-sensitivity. With well-designed mechanisms of punishment, the CSQBC protocols can be useful in practice and resilient to an attack of quantum computers.

In Sun and Wang [33] a CSQBC protocol is proposed which is more secure and efficient than all other existing CSQBC protocols. According to Tatar et al. [36], this protocol is also practically resilient to the entanglement attack, which damages the unconditional security of many QBC protocols [26, 29]. Moreover, this protocol is implementable by the current technology.

Relativistic QBC protocols achieve unconditional security by making use of the power of relativity theory. In [42], the authors implemented a relativistic QBC protocol in which the bit is concealed for 24 hours.

He [13, 14] proposed a QBC protocol based on the use of Mach-Zehnder interferometer. His protocol is immune to the cheating strategy in the light of MLC no-go theorem, because the density matrices of the committed states in his protocol do not satisfy an important condition required by the MLC no-go theorem. He’s protocol is also implementable by the current technology.

To sum up, practically useful QBC protocols are already available and are ready for applications to other computational tasks.

3 Voting on Quantum Blockchain

In the simplest setting for voting, n voters vote on an issue. Every voter Vi has a private binary value vi ∈{0,1}, where vi = 0 means disagreement, and vi = 1 means agreement, with the issue. Our protocol for simple voting, of which the structure is similar to (and simpler than) the voting protocol on the Bitcoin blockchain [39, 44], consists of two phases: the ballot commitment phase and the ballot tallying phase. Figure 1 presents simplified visualization of our protocol.

  1. 1.

    Ballot commitment.

    1. (a)

      For every i ∈{1,…,n}, voter Vi generates the i-th row of an n × n matrix of integers ri,1,…ri,n, of which the sum \({\sum }_{j} r_{i,j}\) and 0 are congruent modulo n + 1. That is, \({\sum }_{j} r_{i,j} \equiv 0 \text { } (mod \text { } n + 1)\).

    2. (b)

      For every i and j, voter Vi sends ri,j to Vj via quantum secure communication [5, 46].

    3. (c)

      Now for every i, voter Vi knows the i-th column r1,i,…,rn,i. Then he computes his masked ballot \(\widehat {v_{i}} \equiv v_{i} + {\sum }_{j} r_{j,i} \text { } (mod \text { } n + 1) \). Vi commits \(\widehat {v_{i}}\) to every miner of the blockchain by a QBC protocol.

  2. 2.

    Ballot tallying by decommitment.

    1. (a)

      For each i, Vi reveal \(\widehat {v_{i}}\) to every miner of the blockchain by opening his commitment.

    2. (b)

      All the miners run the quantum honest-success Byzantine agreement protocol [34] to achieve a consensus of on the masked ballot \(\widehat {v_{1}}, {\ldots } , \widehat {v_{n}}\).

    3. (c)

      The result of voting is obtained by calculating \( {\sum }_{i} \widehat {v_{i}}\), which equals to \( {\sum }_{i} v_{i} \) because \( {\sum }_{i} \widehat {v_{i}} \equiv {\sum }_{i} (v_{i} + {\sum }_{j} r_{j,i} ) \equiv {\sum }_{i} v_{i} + {\sum }_{i,j} r_{j,i} \equiv {\sum }_{i} (v_{i} + {\sum }_{j} r_{i,j} ) \equiv {\sum }_{i} v_{i} \text { } (mod \text { } n + 1)\).

Fig. 1
figure 1

A network of voters and miners: Voters use quantum secure communication (QSC) to distribute matrix. Voters commit their masked ballots to miners. Miners use quantum Byzantine agreement (QBA) to achieve consensus about voters’ masked ballot

Full size image

Example 1

Assume there are 3 voters {V1,V2,V3} with v1 = v2 = 1,v3 = 0 and the matrix generated by those voters is

$$\left( \begin{array}{ccc} 2\text{ } & 0\text{ } & 2 \\ 1\text{ } & 1\text{ } & 2 \\ 3\text{ } & 0\text{ } & 1 \end{array} \right).$$

Then \(\widehat {v_{1}} = 1 + (2 + 1+ 3) = 7 \equiv 3 \text { } (mod \text { } 4) \), \(\widehat {v_{2}} = 1 + (0 + 1+ 0) = 2 \equiv 2 \text { } (mod \text { } 4) \), \(\widehat {v_{3}} = 0 + (2 + 2+ 1) = 5 \equiv 1 \text { } (mod \text { } 4) \) . Then we have \(\widehat {v_{1}}+\widehat {v_{2}}+\widehat {v_{3}}= 3 + 2+ 1 \equiv 2 \text { } (mod \text { } 4)\), which equals to v1 + v2 + v3 = 2.

3.1 Security Analysis

Our voting protocol satisfies the following security requirements:

  1. 1.

    Anonymity.

    The anonymity is guaranteed because the quantum secure communication prohibits other voters to know the entire matrix. Therefore, other voters can only know the masked ballot, while the original ballot stays unknown.

  2. 2.

    Binding.

    Other voters cannot change a voter’s ballot because of the authentication procedure of the quantum blockchain, while the success of authentication on the quantum blockchain is guaranteed by Quantum Key Distribution. The voter himself cannot change his submitted ballot because of the binding property of Quantum Bit Commitment.

  3. 3.

    Non-reusability.

    Non-reusability would be violated if a voter could successfully append two different ballots to the blockchain. This is exactly the same as the double-spending attack on Blockchain, which will not be achieved on Quantum Blockchain [34].

  4. 4.

    Verifiability.

    Every voter can easily check if his masked ballot is successfully uploaded to the blockchain because by design it is a transparent database.

  5. 5.

    Eligibility.

    This can be ensured by the authentication procedure of the blockchain: only authenticated voters can successfully communicate to the miners.

  6. 6.

    Fairness.

    Fairness will be destroyed if somebody can partially tally the ballots before the ballot tallying phase. To achieve this, he or she have to know some masked ballots before the ballot tallying phase. Note that according to the concealing property of quantum bit commitment, even the miners cannot know a single masked ballot before the tally phase. Therefore fairness is ensured.

  7. 7.

    Self-tallying.

    This requirement is satisfied because of the transparency of the blockchain. All data on the blockchain is accessible to every interested user. Users can tally ballots simply by calculating the sum of masked ballots.

4 Conclusion and Future Work

This paper proposes a simple voting protocol based on Quantum Blockchain. Besides of being simple, our protocol offers anonymous, binding, non-reusable, verifiable, eligible, fair and self-tallying voting. Besides Quantum Blockchain, other quantum techniques used in our protocol include quantum secure communication and quantum bit commitment. All these techniques are realizable by the current technology.

We have demonstrated that Quantum Blockchain can significantly simplify the task of electronic voting. In the future, we are interested in applying Quantum Blockchain to other fields such as quantum auction and quantum lottery. We believe that Quantum Blockchain will also simplify these interesting tasks.