#### Abstract

There is no quantum election protocol that can fulfil the eight requirements of an electronic election protocol, i.e., completeness, robustness, privacy, legality, unreusability, fairness, verifiability, and receipt-freeness. To address this issue, we employ the general construction of quantum digital signature and quantum public key encryption, in conjunction with classic public key encryption, to develop and instantiate a general construction of quantum election protocol. The proposed protocol exhibits the following advantages: (i) no pre-shared key between any two participants is required, and no trusted third party or anonymous channels are required. The protocol is suitable for large-scale elections with numerous candidates and voters and accommodates the situation in which multiple voters vote simultaneously. (ii) It is the first protocol that dismantles the contradiction between verifiability and receipt-freeness in a quantum election protocol. It satisfies all eight requirements stated earlier under the physical assumptions that there exists a one-way untappable channel from the administrator to the voter and that there is no collusion between any of the three parties in the protocol. Compared with current election protocols with verifiability and receipt-freeness, this protocol relies upon fewer physical assumptions. (iii) This construction is flexible and can be instantiated into an election scheme having post-quantum security by applying cryptographic algorithms conveying post-quantum security. Moreover, utilizing quantum digital signature and public key encryption yields a good result: the transmitted ballots are in quantum states, so owing to the no-cloning theorem, ballot privacy is less likely to be compromised, even if private keys of the signature and public key encryption are leaked after the election. However, in existing election protocols employing classic digital signatures and public key encryption, ballot privacy can be easily violated if attackers obtain private keys. Thus, our construction enhances privacy.

#### 1. Introduction

We employ elections for various work- and life-related scenarios. There are several forms and numerous applications of elections, such as the elections of student cadres in universities, chairmen in companies, and presidents in countries. The aforementioned applications require strict and secure election protocols. Fair and reasonable election systems can accommodate the interests of all aspects of a society and reduce or prevent social conflicts and are conducive to the long-term stability of a society. Furthermore, security problems in elections may affect the stability of a group or even an entire society. Therefore, it is of great significance to study election protocols. With the rapid development of the information age, electronic elections are widely replacing traditional paper voting methods, as they are more in line with our everyday lives and work. Designing a secure and effective electronic election protocol is, at present, a prevalent research topic.

Electronic elections generally consist of three parties: the voters, administrator, and counter. The role of the voter is to forward his/her ballot anonymously to the counter, who counts the ballots and publishes the election results on a bulletin board; the administrator is responsible for helping the election run smoothly. Ever since the concept of elections was first proposed, cryptographers have been committed to constructing a secure and practical election scheme. The first electronic election protocol was proposed by Chaum [1] in 1981, which was followed by numerous other classic electronic election protocols. These classic election protocols can be mainly divided into three categories: electronic election protocols based on hybrid networks [1–4], electronic election protocols based on homomorphic encryption [5–7], and electronic election protocols based on blind signatures [3, 8–10].

Furthermore, for the security of election protocols, Fujioka et al. [9] proposed that a voting scheme should satisfy all of the following seven requirements. : all valid votes are counted correctly by the system when all parties in the protocol are honest; : inappropriate behaviour of dishonest participants or nonparticipants cannot undermine the conduct of the election, and the system is fault-tolerant; : the vote message of the ballot is secret, and only the corresponding voter and the counter can know it. In addition, no one, except the voters themselves, can associate it with the corresponding voter identity; : only legitimate voters can vote; : no voter can vote twice; : during the voting process, the statistics of the votes cast shall not be announced, because the intermediate results of the voting would affect the voting tendency of voters who have not yet voted; : voters can finally verify whether their votes have been counted correctly. Subsequently, in response to the possibility of vote-buying and coercive vote fraud in the election protocol, Benaloh et al. [11] proposed the requirement of , that is, the voters cannot prove to a third party the content of their vote. This requirement prevents voters from being bribed or forced to vote. Owing to the contradiction between being receipt-free and verifiable, it is difficult to construct an electronic election with the receipt-freeness property. Presently known receipt-free election schemes are based on the physical assumption that the attackers cannot monitor when voters are voting, because if attackers can monitor, then receipt-free voting cannot be realized. We believe that this assumption is necessary for the receipt-freeness of an election. Most receipt-free classic elections are based on the physical assumption that there is a one-way or two-way untappable channel. In addition, some protocols [4] require large amounts of zero-knowledge proof, which reduces the efficiency of the protocol, while some protocols require an anonymous channel [10] or randomizer [7], which increases the complexity of the protocol.

Most classic electronic election protocols are based on the difficulty assumptions of large integer decomposition or discrete logarithms. The development of quantum computers poses a considerable threat to the security of these protocols. Therefore, constructing quantum election protocols with the property of resisting quantum computer attacks has become a prevalent research topic. Current quantum election protocols are mainly classified into two types: entangled states-based protocols [12–20] and nonentangled states-based protocols [21–23]. Some entangled state-based protocols can only perform a binary vote for “yes” or “no” [13, 14, 16, 17], which is not suitable for scenarios with numerous candidates. Some nonentangled state-based protocols [22, 23] require numerous keys to be pre-shared among the participants. Furthermore, the current quantum election protocols cannot fulfil all eight electoral requirements mentioned above. A quantum election protocol that can resolve the contradiction between receipt-freeness and verifiability has not been developed yet.

To solve the abovementioned problems, considering the advantages of the physical properties of quantum states in the context of an election protocol, we propose the general construction of a quantum election protocol. Our construction is flexible and can thus be instantiated into an election scheme having post-quantum security by applying cryptographic algorithms, which possess post-quantum security properties. The proposed protocol is suitable for scenarios with numerous candidates and can simultaneously achieve all eight election protocol requirements, i.e., completeness, robustness, privacy, legality, unreusability, fairness, receipt-freeness, and verifiability. Our protocol requires fewer assumptions as compared with the classic election protocol.

##### 1.1. Our Contributions

In this study, we utilise the proposed general construction of quantum digital signature [24] and quantum public key encryption [25], in conjunction with classic public key encryption, to develop a general construction of a quantum election protocol.

In our construction, we utilise public key cryptographic algorithms, so no pre-shared key is required for any two participants. The protocol can resist an attack from participants, so there is no need for a trusted third party. Anonymous channels are not required because ballots are delivered with the help of an administrator. The protocol is suitable for large-scale elections with numerous candidates and voters and can accommodate scenarios in which multiple voters vote simultaneously.

The protocol is the first to resolve the conflict between verifiability and receipt-freeness in a quantum election protocol, simultaneously achieving completeness, robustness, privacy, legality, unreusability, fairness, verifiability, and receipt-freeness under only two physical assumptions. The first assumption is that there exists a one-way untappable channel from the administrator to the voter. The second assumption is that there is no collusion between any of the three parties in the protocol. In the actual elections, the administrator and the counter are generally composed of multiple people representing different interested parties; thus, their mutual supervision makes the second assumption easy to implement.

We utilise quantum public key encryption [25] with information theory security, quantum digital signature [24] with post-quantum security, and classic public key encryption with post-quantum security to instantiate the proposed construction into election schemes with post-quantum security. In the existing election protocols with classic digital signature and public key encryption, the transmitted ballots are classic ciphertexts, and the attacker may intercept and copy the ciphertexts. Once the corresponding private keys are known in the future, the attacker could then decrypt the ciphertexts, thus violating the privacy of the ballots. However, in our construction, the use of quantum digital signature and public key encryption yields a good result: the transmitted votes are delivered in the form of quantum states, which are unknown to the attacker. Therefore, according to the no-cloning theorem, the privacy of the ballots is not compromised even if the corresponding private keys are leaked after the election is completed. As an added benefit, private keys do not need to be kept secret after the election is complete. Furthermore, the keys of the quantum digital signature are classic; thus, classic public key infrastructure (PKI) can be used for key management and distribution.

##### 1.2. Outline of the Paper

The remainder of this paper is organised as follows: Section 2 describes the basic knowledge and definitions of the cryptographic primitives used in the protocol, including public key encryptions and digital signatures, and presents two existing models for quantum public key encryption and quantum digital signatures. Section 3 describes the generic construction of the proposed quantum election. Section 4 analyses the security of the generic construction described in Section 3, including completeness, robustness, privacy, legality, unreusability, fairness, verifiability, and receipt-freeness. Section 5 instantiates the general construction of the election protocol into election schemes with post-quantum security by applying cryptographic algorithms with post-quantum security, analyses the efficiency of the instantiation, and compares the efficiency and security with current protocols. Section 6 summarises our work and presents directions for future work.

#### 2. Preliminaries

For the remainder of this paper, we assume the reader is familiar with the basic notions and notation of quantum computing. These can be found in textbooks such as [26].

Given and as input, quantum transformation computing a function is defined aswhere denotes bitwise addition. In addition, when given and as input, we can use unitary transformation again and get

Unitary transformation implemented via quantum circuits of is shown in Figure 1.

##### 2.1. Public Key Encryption

Public key encryption algorithms enable participants to transfer information securely without sharing secret key. A classic public key encryption consists of three algorithms, a finite message space , and a ciphertext space . The key generation algorithm takes a security parameter as input and outputs a key pair . The encryption algorithm takes public key and a message as input and outputs a ciphertext . The deterministic decryption algorithm takes and a ciphertext as input and outputs either a message or a special symbol to indicate that is not a valid ciphertext. For correctness, we require that , where denotes a negligible function. We say that is deterministic if Enc is deterministic, while is probabilistic if is probabilistic.

###### 2.1.1. Quantum Public Key Encryption

The difference between quantum and classic public key encryption is that several of the six elements, including public and private keys generated by the key generation algorithm, encryption algorithm, decryption algorithm, plaintext, and ciphertext, may be represented in quantum states.

In 2000, Okamoto [27] proposed the concept of quantum public key encryption. Today, the existing quantum public key encryption schemes can be roughly classified into several categories according to different problems that schemes are based on coding [25, 28–32], quantum algorithms [27, 33], indistinguishable quantum states [34–37], induced trapdoor one-way transformations [24], quantum bit rotation [38–41], and interaction between bell state particles [42–46]. In 2015, Wu et al. [47] classified quantum public key encryption into 64 types, according to whether the six elements of public key encryption belong to quantum space or not.

Liang et al. [36] gave a generic quantum public key encryption construction for encrypting classic messages, where a private key corresponds to an exponent of different public keys. Then, Yang et al. [25] slightly improved the abovementioned scheme by using two Boolean functions instead of using one Boolean function. Every public key in [25] is an unknown quantum state for anyone except its generator, so the ciphertext quantum state obtained by encrypting a plaintext is also unknown to its encrypting party. Moreover, every public key is in different quantum state. These may be useful to achieve the receipt-freeness of election protocol. We briefly recall their generic quantum public key encryption construction . Let denote the number of messages to be encrypted, and denote the -th message for .(i). (1) Randomly select two functions from a set of polynomial computable functions . (2) For , randomly select and compute and . Then, the quantum state can be efficiently prepared according to and . (3) Upload all to the public key register. Function is the private key. (4) In a word, , where .(ii). (1) In order to encrypt the -th message , download the -th part of the classic and quantum public-key pair from the public key register. (2) Encrypt the classic plaintext by computing , where is a quantum encryption transformation, then output the ciphertext . (3) In a word, .(iii). (1) Given a ciphertext , use private key to compute . (2) According to the value of , use to decrypt and obtain the message , where is a quantum decryption transformation. (3) In a word, .

##### 2.2. Digital Signature

A classic digital signature, , consists of three algorithms and a finite message space . The key generation algorithm takes a security parameter as input and outputs a key pair . The signature algorithm takes the secret key and a message as input and outputs a signature . The verification algorithm inputs and a pair and outputs a bit message comprising either zero or one (this means that is a legal signature of message ). For correctness, we require that, pr where denotes a negligible function.

###### 2.2.1. Quantum Digital Signature

The difference between quantum and classic digital signature is that several of the six elements may be represented in quantum states. These elements include the signature key and the verification key generated by the key generation algorithm, the signature algorithm, the verification algorithm, the plaintext, and the signature results of the quantum digital signature. Because of the special properties of quantum states, it is difficult to achieve a true quantum digital signature, and most existing quantum digital signature schemes require the participation of arbitrators. Quantum digital signatures, such as classic digital signatures, achieve both the identity authentication of signer and the integrity verification of message.

With the development of quantum computer and quantum communication, it is necessary to study quantum digital signature. In 2001, Gottesman and Chuang [48] firstly proposed a quantum digital signature scheme for signing classic message. Subsequently, some arbitrated quantum digital signature protocols requiring the participation of trusted third parties [49–54] were proposed in succession. In 2010, Yang et al. [24] proposed an interactive quantum digital signature protocol for signing quantum message based on induced trapdoor one-way transformations. This protocol exploits the nature of quantum entangled states, realising the identity authentication of signer and protecting the integrity of messages without the participation of arbitrators. Subsequently, several quantum digital signature protocols without quantum memory were proposed [55, 56], thus improving the practicability of quantum signatures.

A general construction of quantum digital signature for signing quantum message is proposed by Yang et al. [24]. The signature scheme consists of three algorithms which are described as follows:(i). Randomly select a trapdoor one-way function which has a trapdoor . Then, is the verification key and is the signature secret key. In a word, .(ii). The signer signs a bits quantum message to the verifier as follows: (1) the verifier randomly generates a number and sends it to the signer. (2) The signer randomly generates a number and computes , where and . (3) Then, with , the signer performs the quantum transformation on the quantum message and obtains and sends quantum state to the verifier. (4) In a word, , where(iii). (1) The verifier tells the signer that they have received the quantum state. (2) The signer announces and . (3) The verifier computes and checks whether the first bits of equal . They then perform the transformation, and measure the second quantum register. They accept the signature if and only if the second register is in state . In a word, if and only if the second register is in state .

#### 3. Generic Construction of Quantum Election

In this section, we present a generic construction of quantum election protocol. Section 3.1 gives an overview of the construction and Section 3.2 gives a more detailed description.

##### 3.1. Overview of Our Construction

The proposed election protocol runs as follows. (1) A voter holds his/her vote message and performs quantum public key encryption on it by using the counter’s public key, obtaining the quantum ciphertext which is the ballot of the voter. (2) The ballot is signed by the voter and sent to the administrator. Then, the voter’s signature is verified by the administrator. (3) The ballot is signed by the administrator and sent to the counter. Then, the administrator’s signature is verified by the counter. (4) The ballot is decrypted by using the counter’s private key and verification information is generated by the counter. (5) The information is sent to the voter with the help of the administrator. Finally, the voter can verify whether his/her vote is counted correctly or not.

##### 3.2. Our Concrete Construction

In this section, we give a detailed description of quantum election protocol which consists of four cryptography primitives: classic probabilistic public key encryption , classic deterministic public key encryption , quantum digital signature , and quantum public key encryption , where quantum public key encryption and quantum digital signature are two generic constructions proposed by Yang et al. [25] and Yang et al. [24], respectively. Please refer to Sections 2.1 and 2.2 for more details.

###### 3.2.1. Initialization

Let denote the number of voters, and denote the -th voter for . Let denote the number of legitimate candidates, and represent the identity of the -th legitimate candidate for each . Moreover, let represent the administrator and represent the counter. In the protocol, each voter has a unique identity string denoted by , while Admin has an identity . Identity strings are publicly known. The participants carry on the following steps:(i). (1) runs the algorithm of and gets a pair of public and private keys . (2) runs the algorithm of and gets a pair of public and private keys . (3) runs the algorithm of and gets a pair of public and private keys .(ii). (1) In order to encrypt messages, runs the algorithm of and gets a pair of public and private keys , where and .(iii). runs the algorithm of and gets a pair of public and private keys .

###### 3.2.2. Election

(1)Preprocessing: Each voter randomly selects a public key from the quantum public key register. Taking the public key chosen by voter as an example and assuming that wants to vote for candidate , carries on the following steps:(i) downloads one classic and quantum public-key pair of from the public key register.(ii) generates a random string and selects a candidate to make up a vote message , where represents a simple concatenation of and .(iii)By performing quantum encryption transformation on the vote message , obtains ciphertext . is the quantum ballot and it is clear that it is an -bit quantum superposition state which can be denoted as .(2)Ballot-casting from voter to administrator: This process is briefly illustrated in Figure 2. For the purpose of authenticating the identity of and the integrity of ballot, the administrator needs to mutually communicate with so that can verify the correctness of the received signature sent by .(i)If wants to vote, they will send their to .(ii)Let denote the number of received by at the same time. After receiving , searches the local data set ; if or , the request for voting is rejected. Otherwise, randomly generates and sends it to .(iii) randomly generates a number and computes , where and .(iv)With , performs the quantum transformation on and obtains , where In a word, , and it is easy to see that .(v)By running the encryption algorithm , obtains classic ciphertext . Then, sends to .(vi)After receiving from , decrypts with their private key and obtains the plaintext . As a result, can get the signature of . If the output of is equal to 1, stores ’s information into their database. Note that in the computing process of , there exists the following operation to obtain quantum state: When all voters have completed this stage with , the protocol proceeds to the next stage.(3)Ballot-casting from administrator to counter: This process is briefly illustrated in Figure 3. For the purpose of authenticating the identity of and the integrity of ballot, the needs to mutually communicate with so that can verify the correctness of the received signature sent by .(i)If wants to send ’s ballot to , they firstly send to .(ii)After receiving , randomly generates and sends it to .(iii)randomly generates and computes , where and .(iv)With , performs the quantum transformation on and obtains , where In a word, , and it is easy to see that .(v) sends to .(vi)If the output of equals 1, can make sure the identity of . Note that in the process of the above computing , there exists the following operation to obtain quantum state ,(vii)With the quantum state , can obtain voter ’s ballot and can get the ciphertext . After receives and verifies all voters’ ballots from , the election enters the next stage.(4)Ballot-counting and result-publishing: Given the quantum ciphertexts , decrypts it and publishes the election result.(i) decrypts the ciphertext by using , i.e., .(ii)If the pre- bits of the decryption result do not represent a qualified candidate, rejects the ballot. Otherwise, accepts the decryption result and corresponding .(iii)After accepting all the decryption results from voters, computes the voting result of every voter in the form of , where is generated randomly by . Then, collects all the voting results and publishes them on the bulletin board.(5)Confirming vote and terminating the election: sends message to with the help of so that can verify whether their vote is counted correctly. Under the physical assumption that there is a one-way noneavesdropping channel from the administrator to the voter, the election satisfies the requirement of .(i)By running the encryption algorithm , obtains and sends to .(ii) utilises as a label to find the corresponding and sends to by the one-way untappable channel from to .(iii)When all voters receive the corresponding ciphertext, announces their private key . Then, obtains . Finally, gets with the knowledge of . With and , can compute and obtain . Then, can verify whether they have successfully voted. If does not succeed in the verification, they can request a reelection. If all voters can make sure that their votes have been successfully voted, the election is complete and terminated.

#### 4. Security Analysis

We assume that there exists no collusion between any two of the three parties in the protocol. In actual elections, the administrator and the counter are generally composed of multiple people representing different interest groups, so their mutual supervision makes this assumption easy to hold. Both participants and nonparticipants can potentially attack the protocol. We define an attack from participants as an internal attack and an attack from nonparticipants as an external attack. In this section, we prove that our proposed election protocol satisfies the eight requirements, namely, completeness, robustness, privacy, legality, unreusability, fairness, verifiability, and receipt-freeness.

##### 4.1. Completeness

Theorem 1. *(completeness). In the protocol, all valid votes are counted correctly when all participants are honest .*

*Proof. *(sketch). According to the definition of completeness, all valid votes are counted correctly when all parties in the protocol are honest. A qualified voter for encrypts the vote message which is a simple concatenation of binary string , representing a legal candidate and binary string generated randomly by , with a classic and quantum public-key pair which is selected randomly by from ’s public key pool. After the ballot is signed and verified twice, finally obtains the ciphertext . Then, can obtain the vote message of ’s ballot by decrypting the ciphertext with their private key . Hence, it is clear that the proposed protocol satisfies completeness.

##### 4.2. Robustness

Theorem 2. *(robustness). The inappropriate behaviour of dishonest participants or nonparticipants cannot disrupt the election; i.e., the protocol is fault-tolerant.*

*Proof. *We analyse the robustness of the protocol by considering the inappropriate behaviour of participants including voters, administrator and counter, and nonparticipants.(i)When a dishonest voter seeks to disrupt the election, they may have three strategies. In the first case, does not vote, that is, in the ballot-casting from voter to administrator stage, does not send or to . However, it is clear that will be aware of this missing vote. In the second case, sends an invalid message group to in the ballot-casting from voter to administrator stage. While the running result of achieved by will not equal 1, this wrong action will be detected by. In the third case, generates a random binary string , which does not represent a qualified candidate and encrypts with ’s public key . However, will find out the illegal in the ballot-counting and result-publishing stage and reject the ballot. In a word, the voter cannot succeed in disrupting the election.(ii)If the internal attacker wants to disrupt the election, they may have two strategies. In the first case, tampers with the quantum state from a legitimate voter in the ballot-casting from administrator to counter stage. However, because does not know the candidate that is going to vote for, their random tampering will result in a random decrypting of the result obtained by in the ballot-counting and result-publishing stage. Then, will reject the ballot with a high probability. Because the probability that successfully guesses the candidate that is voted for by is , the probability that they correctly tamper with the quantum state is also . Then, the probability that the decrypted result obtained by represents a legitimate candidate is also , so the probability that the ballot is rejected in the ballot-counting and result-publishing stage by is . In addition, even if the tampered ballot is accepted by , can be aware that their vote is not counted correctly in the confirming vote and terminating the election stage. Then, can request a reelection. In the second case, may substitute the quantum state . In this manner, will accept the decrypted result, but will find that their vote has not been counted correctly during the confirming vote and terminating the election stage, and they can request a reelection.(iii)If wants to destroy the election, they may modify the vote message of the accepted ballot and then publish the modified result in the ballot-counting and result-publishing stage. Suppose that tampers with the vote message of eligible voter to . To be unnoticed by , Counter must send a so that can verify their vote successfully. To achieve that, can find another vote message, such as , which is chosen by another legal voter and make satisfy . However, because does not have ’s private key , it is difficult for to provide a that can make verify their vote message on the bulletin board successfully. Therefore, the misbehaviour of cannot be successful if the classic deterministic public key encryption is secure.(iv)If external attackers want to tamper with the ballot from a legitimate voter , they can only attack during the transmission of in the ballot-casting from voter to administrator stage or during the transmission of in the ballot-casting from administrator to counter stage. However, the security of the quantum signature algorithm enables this attack to be detected by or .Hence, the protocol is robust.

##### 4.3. Privacy

Theorem 3. *(privacy). In the protocol, the vote message of the ballot is secret, and only the corresponding voter and the counter can know it. In addition, no one except the voters themselves can associate it with the corresponding voter identity .*

*Proof. *Nonparticipants of the protocol, the administrator, and the counter are all likely to attack the privacy of ballots, so we analyse the three cases in turn. Meanwhile, to prove our election can achieve privacy, we use the no-cloning theorem [57], which states that an exact copy of an unknown quantum state is impossible to achieve in quantum mechanics.(i)Resistance to attacks from nonparticipants: if a nonparticipant of the protocol wants to attack the privacy of ’s ballot, the only possible opportunity occurs during the transmission of information in the ballot-casting from voter to administrator stage and ballot-casting from administrator to counter stage. Assuming that the attacker intercepts in the ballot-casting from voter to administrator stage, the security of ensures that the attackers cannot decrypt to obtain and cannot obtain the signature of . Then, the attacker cannot untangle quantum state to obtain and the ciphertext , let alone obtain the vote message of the ballot, because they do not know ’s private key . Moreover, if the transmitted ballot is classic, the attacker may copy it during its transmission. Once the corresponding private keys are known in the future, the attacker could then violate the privacy of the ballot. However, in our construction, the ballot is transmitted in the form of a quantum state, and is unknown to the attacker. Owing to the no-cloning theorem, after the election is completed, even if the private keys and *sk _{ad}* are leaked, the privacy of the ballots is not compromised. If the attacker intercepts in the ballot-casting from administrator to counter stage, they can untangle with to obtain and the ciphertext . However, they cannot decrypt the ciphertext to obtain ’s vote message, because the attacker does not know ’s private key . In this case, is unknown to the attacker. Thus, the attacker cannot copy this state and obtain the vote message of the ballot even if the private key is leaked after the election.(ii)Resistance to an attack from : can obtain the ciphertext in the stage of ballot-casting from voter to administrator, but the security of ensures that they cannot obtain the vote message of the ballot, because ’s private key is unknown. Similar to the earlier analysis, is unknown to , so they cannot copy the ciphertext . Going further, they cannot obtain the vote message of the ballot even if the private key is leaked after the election.(iii)Resistance to an attack from : if wants to attack the privacy of ’s ballot, they may attack in the stages of ballot-casting from voter to administrator and ballot-casting from administrator to counter. In the stage of ballot-casting from voter to administrator, Counter may intercept during the transformation and attempt to obtain ’s vote message via the intercepted information. However, similar to this type of attack from nonparticipants, the security of ensures that cannot obtain and obtain the signature of . Thus, cannot untangle quantum state to obtain and the ciphertext . Therefore, it is impossible for to use the private key to decrypt the ciphertext to obtain ’s vote message. In this stage, is unknown to ; thus, they cannot copy it and associate ballot content with ’s identity even if ’s private key is leaked after the election. Moreover, it is worth noting that cannot utilise , which is obtained in the stage of ballot-casting from administrator to counter, as a label of identity to associate vote message with ’s identity because is encrypted by in the stage of ballot-casting from voter to administrator. In the stage of ballot-casting from administrator to counter, even though can finally obtain ’s vote message, they do not know which voter the decrypted ballot comes from because replaces the voter identity with at this stage.As a result, the protocol can satisfy the privacy requirement during an election, and the privacy will not be threatened even if corresponding private keys are leaked after the election.

##### 4.4. Legality

Theorem 4. *(legality). In the protocol, only legitimate voters can vote.*

*Proof. *(sketch). The security of ensures that only the vote cast by a legitimate voter for can be accepted. In the stage of ballot-casting from voter to administrator, performs the quantum algorithm to sign their ballot with their private key , i.e., . Then, verifies the signature with ’s public key , i.e., . The accepts the information from only if the output of equals 1, which ensures that only accepts the ballot from legitimate voter . Similarly, only accepts the ballot from . Therefore, only legitimate voters can vote successfully.

##### 4.5. Unreusability

Theorem 5. *(unreusability). In the protocol, no voter can vote twice.*

*Proof. *(sketch). In the stage of ballot-casting from voter to administrator, if the legal voter wants to vote, they send Admin to first. The condition that and ensures that accepts only once, so can vote only once. Furthermore, in the case where voter pretends to be another legitimate voter and sends to , the illegal ballot from will not be accepted by because has no private key and the security of ensures that the output of quantum verification algorithm is not 1. Thus, one legal voter can vote only once.

##### 4.6. Fairness

Theorem 6. *(fairness). In the protocol, the intermediate results of the voting do not affect the preference of those who have not yet voted.*

*Proof. *(sketch). After accepting all the vote messages from voters, collects the voting result of every voter and then publishes all results on the bulletin board in the stage of ballot-counting and result-publishing. Therefore, no one can obtain the intermediate results of the election, and the protocol is fair.

##### 4.7. Verifiability

Theorem 7. *(verifiability). In the protocol, voters can finally verify whether their votes have been counted correctly.*

*Proof. *(sketch). announces the voting result of every voter in the form of . Subsequently, running the encryption algorithm , obtains ; they then send to with the help of . After receives it, publishes their private key . Running the decryption algorithm , obtains . obtains with the knowledge of . With , , and , can compute . By searching for on the bulletin board and verifying whether the candidate information corresponding to is , can verify whether their vote has been counted correctly.

##### 4.8. Receipt-Freeness

Theorem 8. *(receipt-freeness). In the protocol, the voter cannot prove to a third party the content of their vote.*

*Proof. *The protocol can achieve receipt-freeness under the physical assumption that there is a one-way untappable channel from the authority (i.e., the administrator) to the voter [4, 58]. By a standard exclusive-OR trick, this assumption can be implemented by having a number of one-way channels, assuming that the adversary cannot simultaneously tap every one of them [4].

Suppose that voter wants to vote for candidate , while there is a briber who requires to vote for candidate . In this protocol, under the premise that the number of ballots for candidate displayed on the bulletin board does not affect the judgment of the briber (for example, the number of votes for candidate is zero, and this case can be ignored in a large-scale election), and can vote for candidate according to their preferences, but lie to the briber successfully by providing the briber with false evidence to prove that they voted for candidate .

In the pre-voting stage, the briber may have asked voter to provide as evidence for future verification. In this stage, performs quantum encryption transformation on , obtaining the ciphertext . In ’s view, the density operator of the quantum public key isThat is, in ’s view, the quantum public key is in the maximum mixed state. Then, the quantum ciphertext is also in the maximum mixed state for . So, even if sells all known information to the briber, the briber cannot obtain any information about the vote message of by eavesdropping on the channel from to in the ballot-casting from voter to administrator stage. Therefore, the step of computing the ciphertext, i.e., , avoids the requirement that the channel from the to is untappable.

In the stage of confirming vote and terminating the election, receives by the one-way untappable channel from and obtains by performing . Finally, obtains f_{i} with the knowledge of . Now, we show that cannot prove their vote to the briber according to . first searches for a vote for candidate on the bulletin board. Assuming the voter has voted for the candidate , then their corresponding message, which is published by on the bulletin board, is , where and are binary strings of lengths randomly generated by and , respectively. As is known, can obtain which satisfies . Then, can obtain by running the algorithm, i.e., . Then, tells to the briber, such that the briber can find on the bulletin board. Therefore, with , cannot prove to the briber how they voted. In conclusion, the protocol is receipt-free.

#### 5. Instantiation of Our Generic Construction

In this section, we instantiate the general construction of the election protocol.

##### 5.1. Instantiation

###### 5.1.1. Quantum Public Key Encryption

To achieve post-quantum security for the protocol, we instantiate the construction of quantum public key cryptography with quantum public key encryption scheme [25] based on conjugate encoding which is information-theoretic secure.

Let and be two of the Pauli matrices and be the Hadamard transformation, where

For , we define , where is the Hadamard transformation mentioned as above, , and is the tensor product. Similarly, we also define , where is one of the Pauli matrices defined as above. Let denote the number of messages to be encrypted, and denote the -th message for .(i). (1) Randomly select two functions as private key from a set of polynomial computable functions . (2) Randomly select and compute and . (3) Apply to and obtain . Take as one public key. (4) In a word, , where .(ii). (1) In order to encrypt the classic message , download the classic and quantum public-key pair from the public key register. (2) Encrypt by applying to , then get the ciphertext . It is clear that . (3) In a word, .(iii). (1) Given the ciphertext , use private key to compute . (2) According to , apply to and measure on the basis to obtain . Then, with , perform an exclusive OR on to get . (3) It is clear that the algorithm is the whole process of step (2) described as above. (4) In a word, .

###### 5.1.2. Quantum Digital Signature The function of quantum signature in the election protocol is to make the verifier get the information that the signer wants to send authenticatively

To achieve post-quantum security for the protocol, we instantiate the construction of quantum digital signature with quantum digital signature [24] which is constructed based on the McEliece cryptosystem with post-quantum security [59]. The McEliece secret key consists of a nonsingular matrix ; a generator matrix size of for a Goppa code; and a permutation matrix . The McEliece public key is the matrix . In the following, and .(i). (1) Generate the McEliece public and secret key . (2) Let the secret key be and the verification key be .(ii). The signer signs a bits quantum message to the verifier as follows: (1) the verifier randomly generates a number and sends it to the signer. (2) The signer randomly generates a number . (3) With the knowledge of , the signer can get which satisfy that , where . (4) Note that is the whole process of step (3) described as above and . (5) Then, with , the signer performs the quantum transformation on the quantum message and obtains and sends quantum state to the verifier. (4) In a word, , where(iii). (1) The verifier tells the signer that they have received the quantum state. (2) The signer announces and . (3) The verifier computes and checks whether the first bits of equal . They then perform the transformationand measure the second quantum register. They accept the signature if and only if the second register is in state . In a word, if and only if the second register is in state .

###### 5.1.3. Classic Public Key Encryption and

The classic probabilistic public key encryption in the instantiation can be any classic public key encryption schemes with post-quantum security such as public key encryption based on coding [59], lattices [60], and multivariates [61].

Bellare et al. [62] proposed a generic deterministic public key encryption construction from probabilistic public key encryption, i.e., if there exists a probabilistic public key encryption , then there is a classic deterministic public key encryption scheme which is illustrated in Figure 4. In the deterministic construction, denotes a hash function, such as SHA2 and SHA3.

##### 5.2. Efficiency Analysis

According to Ref. [18], quantum bit efficiency of quantum election protocol is defined aswhere the total number of transmitted classic bits (message bits) is and the total number of quantum bits generated is .

We can split this protocol into two parts. In the first part, the voter passes the vote message to with the help of . In the second part, passes the verification information to the corresponding voter with the help of . In the first part, the valid classic information transmitted is , and its number of bits is . To transmit , the bits quantum public key , bits quantum ciphertext , and , are generated, where , are both bits quantum states generated during the signature process. Hence, in this part, total of quantum bits are generated. In the second part, the valid classic information transmitted is , whose length is , where there is no quantum bit generated. Thus, the number of valid classic bits transmitted in the protocol is , and the number of quantum bits generated in the protocol is . Subsequently, the efficiency of the protocol is

When is equal to , the efficiency is greater than 1/4.

###### 5.2.1. Performance Comparison

There exist many quantum election protocols based on entangled states [12–14, 16–20]. However, some [13, 14, 16, 17] of these protocols can only perform a binary vote for “yes” or “no.” As a result, we make a performance comparison between our protocol and the quantum election protocols [12, 15, 18–20] which are applicable for scenarios with numerous candidates. Please read Table 1 for more details.

##### 5.3. Security Comparison

This protocol is an instantiation of our general construction. We have proved that our general construction satisfies the eight requirements of election, so the instantiation also satisfies the eight requirements. For the same reason which is described in Section 5.2, we make a security comparison between our protocol and the quantum election protocols [12, 15, 18–20] which are applicable for scenarios with numerous candidates. Please read Table 2 for more details. It is clear that our election protocol is much more secure than other schemes.

#### 6. Conclusion

In this paper, we utilise the general construction of quantum digital signature [24] and quantum public key encryption [25], in conjunction with classic public key encryption, to develop a general construction of a quantum election protocol. The protocol is suitable for large-scale elections with numerous candidates and voters and accommodates scenarios in which multiple voters vote simultaneously. The protocol does not require any two participants to pre-share a secret key, nor does it require anonymous channels or a trusted third party. This construction is the first to achieve the properties of completeness, robustness, privacy, legality, unreusability, fairness, verifiability, and receipt-freeness under attacks from both external and internal agents in the current quantum election protocols. We instantiate the general construction into an election scheme with post-quantum security by applying cryptographic algorithms having post-quantum security. Furthermore, our election protocol has higher security than that of existing protocols. All the keys of the quantum digital signature are classic so that the classic PKI can be used for key management and distribution.

This construction is a theoretical achievement, and any practical application remains a distant goal. The quantum public key cryptosystem has significant room for development in comparison with the relatively well-established conventional public key cryptosystem. Numerous problems remain to be solved, such as developing the quantum PKI.

#### Data Availability

The data used are available within the article.

#### Conflicts of Interest

The authors declare that they have no conflicts of interest.

#### Acknowledgments

This work was supported by the National Natural Science Foundation of China (Grant No. 61672517), National Natural Science Foundation of China (Key Program, Grant No. 61732021), National Cryptography Development Fund (Grant No. MMJJ20170108), and Beijing Municipal Science & Technology Commission (Grant no. Z191100007119006).