An electronic voting scheme based on homomorphic encryption and decentralization

The basics

In this subsection, we will give the definitions of semi-honest attacker model, malicious attacker model, Paillier homomorphic encryption mechanism, and ElGamal public key encryption mechanism used in this article.

Key notations

For presentation convenience, we list the key notations used in our work in Table 1.

HED-voting model

The goal of the model is to use the Paillier homomorphic encryption enabling specific computational operations even when the data is encrypted. This enables data to be processed and computed without exposing the plaintext, effectively preserving data privacy, method to ensure that the ballot results are not compromised until the election is over. By signing the ballot and encrypting it in two layers, the security of the ballot during transmission and the establishment of the decentralized scheme is guaranteed. The decentralized scheme is established by distributing decision-making and control among different independent entities through the allocation of dual-layer encrypted keys to different candidates.

Suppose in a real-life election campaign, the candidates have a competitive relationship with each other, and two candidates with opposing relationships are randomly selected and given different privileges, one of them is responsible for the management of the key, and the other is responsible for the management of the cloud-based CC, with no interference between them. After the ballots are encrypted and signed, they are sent directly to the tally center for verification and homomorphic operation, and when the voting is over, the results are sent to the public center, and then the results are decrypted and publicized using the homomorphic private key. Since both the organization in charge of managing the KC and the organization in charge of the cloud-based CC lack the conditions for decryption, neither of them can obtain the voting results before the election ends. A schematic diagram of the HED-Voting is shown in Fig. 1.

Definition 5 HED-Voting system. The HED-Voting system consists of Voter, Counting Center, Certificate Authority, Key Center, Publicity Center, and algorithm 10-tuple

$E_{\text{HED-Voting}}=\{Setup\_HE,Setup\_CC,User\_KeyGen,Enc\_HE,Rsa\_Sig,Enc\_CC,$ $Dec\_CC,Rsa\_Ver,Count\_CC,Dec\_HE\text{}}$, where

$Setup\mathrm{\_}HE$ $\to$ $(H{E}_{pub},H{E}_{priv})$. Generate the public-private key pair for the KC. Enter the security parameters to generate the public-private key pair for homomorphic encryption at $(H{E}_{pub},H{E}_{priv})$.

$Setup\mathrm{\_}CC$ $\to$ $C{C}_{pub}$. Initialize and generate the CC public-private key pair $(C{C}_{pub},C{C}_{priv})$ and output the CC public key $C{C}_{pub}$.

$User\mathrm{\_}KeyGen$ $\to$ $(u_{pub},u_{priv})$. Generate the user’s public-private key pair $(u_{pub},u_{priv})$.

$Enc\mathrm{\_}HE$ $\to$ $c_i^{\mathrm{\prime }}$. The ballot is homomorphically encrypted for each voter. The ballot $m_i$ is encrypted using $H{E}_{pub}$ to obtain $c_i^{\mathrm{\prime }}$.

$Rsa\mathrm{\_}Sig$ $\to$ $(c_i^{\mathrm{\prime }},s)$. Use $u_{priv}$ to sign $c_i^{\mathrm{\prime }}$ to obtain $(c_i^{\mathrm{\prime }},s)$.

$Enc\mathrm{\_}CC$ $\to$ C. Use $C{C}_{pub}$ to encrypt to obtain C.

$Dec\mathrm{\_}CC$ $\to$ $(c_i^{\mathrm{\prime }},s)$. Decrypt C using to obtain $(c_i^{\mathrm{\prime }},s)$.

$Rsa\mathrm{\_}Ver$ $\to$ $c_i^{\mathrm{\prime }}$. Use $u_{pub}$ to verify and get $c_i^{\mathrm{\prime }}$ when it passes.

$Count\mathrm{\_}CC$ $\to$ $c^{\mathrm{\prime }}$. Update $c^{\mathrm{\prime }}$ by homomorphic the ciphertext $c_i^{\mathrm{\prime }}$ with the previously counted votes $c^{\mathrm{\prime }}$.

$Dec\mathrm{\_}HE$ $\to$ $m$. Use $H{E}_{priv}$ to decrypt the plaintext $m$ corresponding to the ciphertext $c^{\mathrm{\prime }}$.

The behavior of the HED-Voting system includes the following four stages. And the encryption, decryption, and counting of ballots during the voting process is shown in Fig. 2.

• (1)

  Initialization (corresponding algorithms $Setup\mathrm{\_}HE$ and $Setup\mathrm{\_}CC$): First, initialize the KC and CC to generate homomorphic encryption public-private key pairs and CC public-private key pairs. The generated homomorphic encryption private key and CC private key are sent to two candidates with direct competition. Due to the direct conflict of interest, the two candidates will not conspire to exchange the private keys held by both parties. Due to the double-layer encryption used by the scheme, the private key held by one candidate alone is not enough to decrypt the voting information in advance.

• (2)

  Authentication (corresponding algorithm $User\mathrm{\_}KeyGen$): After initialization, users are registered. Users are required to register locally in the corresponding software and bring their personal information to the CA to obtain a public-private key pair and a trusted certificate after identity verification. Before the voting process, the CA sends the user’s certificate to the CC.

• (3)

  Voting phase (corresponding algorithm $Enc\mathrm{\_}HE$, $Rsa\mathrm{\_}Sig$, and $Enc\mathrm{\_}CC$, $Dec\mathrm{\_}CC$, and $Rsa\mathrm{\_}Ver$ and $Count\mathrm{\_}CC$): In the voting stage, the voter signs and encrypts the ballot using $H{E}_{pub}$, $u_{priv}$ and $C{C}_{pub}$ in turn, and then sends the ballot ciphertext and $u_{pub}$ to the CC. After the ballot reaches the CC, $u_{pub}$ is tokenized and the encrypted ballot is stored in the $C{C}^{\mathrm{\prime }}s$ database. After receiving the ballot, the CC decrypts the ballot with $C{C}_{priv}$ and then verifies the signature with the corresponding voter’s public key, after which the ciphertext is homomorphic with the previous voting result and the voting result is updated.

• (4)

  Result Announcement (corresponding algorithm $Dec\mathrm{\_}HE$): After the voting is finished, the final voting results are sent to the PC. The organization in charge of managing KC decrypts the ciphertext.

HED-voting solution

The concrete construction scheme of HED-Voting includes the following 10 algorithms.

$Setup\mathrm{\_}HE$. For the KC, randomly select two large prime numbers $p$ and $q$ that satisfy $gcd(pq,(p-1)(q-1))=1$. For $p$ and $q$, perform the following operations.

① Calculate $n_1=pq$ and $\lambda =lcm(p-1,q-1)$.

② Choose a random large integer $g\in Z_{n_1^2}^{\ast }$ and calculate $\mu =[L(g^{\lambda }\mathrm{m}\mathrm{o}\mathrm{d}{n}_1^2){]}^{-1}\mathrm{m}\mathrm{o}\mathrm{d}{n}_1$. Where $L(x)=\frac{x-1}{n_1}$.

Obtain the public key $H{E}_{pub}=(n_1,g)$ and private key $H{E}_{priv}=(\lambda ,\mu )$ of the homomorphic encryption.

$Setup\mathrm{\_}CC$. For the CC, perform the following operations.

① A randomly selected generating element $g_1$ is used to generate a $q_1$ order cyclic group G using $g_1$.

② Randomly select $x$, and $x$ from G, satisfy $1<x<q_1-1$.

③ Calculate $h=g_1^x\mathrm{m}\mathrm{o}\mathrm{d}{q}_1$.

Obtain the public key $C{C}_{pub}=(q_1,g_1,h)$ and private key $C{C}_{priv}=x$ of the CC.

$User\mathrm{\_}KeyGen$. Obtain the user public key $u_{pub}=(n_2,e)$ and the user private key $u_{priv}=d$, and perform the following operations.

① Select two large prime numbers $p_2$ and $q_2$, and calculate the product $n_2=p_2{q}_2$.

② Compute $\phi (n_2)=(p_2-1)\cdot (q_2-1)$, the security of this step is based on Little Fermat’s theorem.

③ Randomly select $e$: $0<e<\phi (n_2)$, and $gcd(e,\phi (n_2))=1$.

④ $d=e^{-1}\mathrm{m}\mathrm{o}\mathrm{d}\phi (n_2)$. This gives the public-private key pair $u_{pub}=(n_2,e)$, $u_{priv}=(p_2,q_2,d)$.

$Enc\mathrm{\_}HE$. For each voter’s ballot $m_i$, encrypted with the homomorphic encryption public key $H{E}_{pub}$, perform the following operations.

① Mapping $m_i$ to $0\le x<n_1$ where $n_1=pq$.

② Select $r\in Z_{n_1}^{\ast }$ while satisfying $(r,n_1)=1$, i.e., $gcd(r,n_1)=1$.

③ Calculate the ciphertext at $c_i^{\mathrm{\prime }}=g^m{r}_1^n\mathrm{m}\mathrm{o}\mathrm{d}{n}_1^2$.

$Rsa\mathrm{\_}Sig$: This step uses the voter’s private key $u_{priv}$ to generate a digital signature $s=si{g}_{u_{priv}}(c_i^{\mathrm{\prime }})\equiv (c{}_i^{\mathrm{\prime }}{)}^d\mathrm{m}\mathrm{o}\mathrm{d}{n}_2$. This gets $c_{t\mathrm{\_}i}=(c_i^{\mathrm{\prime }},s)$.

$Enc\mathrm{\_}CC$. Here the ciphertext with the signature $c_{t\mathrm{\_}i}=(c_i^{\mathrm{\prime }},s)$ is encrypted again with the public key $C{C}_{pub}$. Perform the following operations.

① Randomly select $y$, and $y$ satisfy $1<y<q_1-1$.

② Calculate $a=g_1^y\mathrm{m}\mathrm{o}\mathrm{d}{q}_1,s_1=h^y\mathrm{m}\mathrm{o}\mathrm{d}{q}_1$.

③ Maps $c_{t\mathrm{\_}i}$ to an element $c_{t\mathrm{\_}i}^{\mathrm{\prime }}$ on G.

④ Calculate $b=c_{t\mathrm{\_}i}^{\mathrm{\prime }}{s}_1$.

Get the ciphertext $C=<a,b>$ and send C to the CC.

$Dec\mathrm{\_}CC$. The CC decrypts the ciphertext C with the private key $C{C}_{priv}$, perform the following operations.

① Calculate $b(a^{-1}{)}^x=c_{t\mathrm{\_}i}^{\mathrm{\prime }}{h}^y{g}_1^{xy}(g_1^{xy}{)}^{-1}=c_{t\mathrm{\_}i}^{\mathrm{\prime }}$.

② Remap $c_{t\mathrm{\_}i}^{\mathrm{\prime }}$ to $c_{t\mathrm{\_}i}=(c_i^{\mathrm{\prime }},s)$.

$Rsa\mathrm{\_}Ver$. Use the voter’s public key $u_{pub}$, $ve{r}_{u_{pub}}(c_i^{\mathrm{\prime }},s),c_i^{\mathrm{\prime }\mathrm{\prime }}\equiv s^e\mathrm{m}\mathrm{o}\mathrm{d}{n}_2$. If

$c_i^{\mathrm{\prime }\mathrm{\prime }}\equiv c_i^{\mathrm{\prime }}\mathrm{m}\mathrm{o}\mathrm{d}{n}_2$, then the signature is valid;

$c_i^{\mathrm{\prime }\mathrm{\prime }}\ne c_i^{\mathrm{\prime }}\mathrm{m}\mathrm{o}\mathrm{d}{n}_2$, then the signature is invalid.

$Count\mathrm{\_}CC$. Update $c^{\mathrm{\prime }}$ by homomorphing the ciphertext $c_i^{\mathrm{\prime }}$ with the previously counted votes $c^{\mathrm{\prime }}$. For the ciphertexts $c_i^{\mathrm{\prime }},c^{\mathrm{\prime }}\in Z_{n_1^2}^{\ast }$, whose corresponding plaintexts are $m_i,m\in Z_n$ and $r_i,r\in Z_n^{\ast }$, we have $c_i^{\mathrm{\prime }}=E(m_i,r_i),c^{\mathrm{\prime }}=E(m,r)$, yielding

$c_i^{\mathrm{\prime }}\cdot c^{\mathrm{\prime }}=E(m_i,r_i)\cdot E(m,r)=g^{m_i+m}\cdot (r_i\cdot r{)}^{n_1}\mathrm{m}\mathrm{o}\mathrm{d}{n}_1^2=E((m_i+m),(r_i\cdot r))$.

After update, $c^{\mathrm{\prime }}=g^{m_i+m}\cdot (r_i\cdot r{)}^{n_1}\mathrm{m}\mathrm{o}\mathrm{d}{n}_1^2=E((m_i+m),(r_i\cdot r))$.

$Dec\mathrm{\_}HE$. Use $H{E}_{priv}$ to decrypt the ciphertext $c^{\mathrm{\prime }}$. For the ciphertext $c^{\mathrm{\prime }}\in Z_{n_1^2}^{\ast }$, compute the ciphertext $m$: The ciphertext will be decrypted.

$m=D(c^{\mathrm{\prime }})=\frac{L({(c^{\mathrm{\prime }})}^{\lambda }\mathrm{m}\mathrm{o}\mathrm{d}{n}_1^2)}{L(g^{\lambda }\mathrm{m}\mathrm{o}\mathrm{d}{n}_1^2)}\mathrm{m}\mathrm{o}\mathrm{d}{n}_1=L((c^{\mathrm{\prime }}{)}^{\lambda }\mathrm{m}\mathrm{o}\mathrm{d}{n}_1^2)\mu \mathrm{m}\mathrm{o}\mathrm{d}{n}_1$.

Potential threat security analysis

Theorem 1. Only certified voters are allowed to vote.

Proof. In the registration stage, voters must present their personal identification information to the trusted registration center and successfully authenticate before they can obtain their personal public-private key pair. Not only that, only after the certification center successfully verifies the authenticity of personal information will they obtain their personal certification, otherwise, the public-private key pair applied for in the registration stage is invalid. After successful authentication, the certification center synchronizes the voter’s public key to the CC. In the voting stage, voters need to select their target candidates in addition to entering their public keys. If the voter’s identity is illegal, his or her public key is invalid and he or she cannot participate in the voting. The theorem is proved.

Theorem 2. In this scheme, the results of election voting are fair and the probability of early leakage of results is extremely small, ensuring the completeness of the e-voting scheme.

Proof. In this scheme, $C{C}_{priv}$ and $H{E}_{priv}$ are held by different entities. Since there is an adversarial relationship between different candidates and there is no collusion between them, for the candidate holding the private key, cannot obtain the ballot without obtaining $C{C}_{priv}$ and thus cannot know the voting result; for the CC, since it does not obtain the homomorphic encryption private key and the probability of breaking the $H{E}_{priv}$ is negligible, he cannot know the voting. The result of the voting is not known to the candidate who holds the homomorphic encryption private key. The theorem is proved.

Theorem 3. After the polls close, each voter can check whether his or her ballot has been tampered with, ensuring the verifiability of the voting scheme.

Proof. After the polls close, the PC will publish all the encrypted ballots and the $C{C}_{priv}$ at the same time as the PC publishes the voting results. Each voter can find his or her ballot $C=<a,b>$ according to his or her public key, and the voter can check whether his or her ballot has been tampered with before it reaches the CC by decrypting the ciphertext according to the $C{C}_{priv}$ to get $c_{t\mathrm{\_}i}=(c_i^{\mathrm{\prime }},s)$. The theorem is proved.

Theorem 4. The e-voting scheme implemented in this scheme does not reveal the privacy of the voters and guarantees the anonymity of the e-scheme.

Proof. In the registration stage, this solution uses local software registration, and users do not need to go to the registration center to register. In the voting stage, the user does not need to present the identity verification information involving personal privacy, but only the public key obtained in the registration stage, so no personal information will be disclosed. The theorem is proved.

Theorem 5. In the election process, each voter can only vote once, which guarantees the uniqueness of the voting scheme.

Proof. We construct a database in the CC in which the fields consist of the voter’s encrypted ballot $c^{\mathrm{\prime }}$, the voter’s public key $u_{pub}$, and a flag bit. In the voting phase, voters select their target candidates and enter their public keys. When the voter’s ballot and the public key are sent to the CC if the public key is used for the first time, the voter’s ballot is stored in the database and then the flag is set to 1. If the public key is not used for the first time, the data is not stored in the database and does not participate in the homomorphic operation. The theorem is proved.

Theorem 6. The voter behind the ballot cannot repudiate his or her vote, and each voter is one-to-one and bound to the ballot he or she casts, which is difficult to tamper with by others.

Proof. Voters need to use their own signature key to sign the ballot they cast in the voting stage, and the ballot is allowed to enter the encryption and calculation process only after it is signed by the voter behind it. This guarantees that the voter’s ballot is difficult to be tampered with by others and that the voter cannot deny his or her vote, i.e., it guarantees the immutability and non-repudiation of the ballot.

Table 2 compares the characteristics of our HED-voting scheme and the HSE-voting scheme of Fan et al. (2020). Compared with the HSE scheme, in our scheme, the voter behind the ballot cannot deny the ballot he or she casts, each voter is one-to-one and bound to the ballot he or she casts, and the ballot is difficult to be tampered with by others, which guarantees the immutability and the non-repudiation of the scheme.

Semantic security analysis

We formalize here the analysis of the semantic security of cryptographic regimes by defining security games. In the security game, we statute the security of the regime to the security of Paillier encryption and Elgamal encryption. We define the security game $G_0$ simulate the regime in a real scenario, where the adversary $\mathcal{A}$ simulates an eavesdropper whose aim is to decipher the ciphertext, the challenger $\mathcal{C}$ simulates a user who honestly executes the protocol. We treat the hash function in the security game as a random prediction machine, and the challenger $\mathcal{C}$ needs to interrogate the random prophecy machine when computing the hash value. For each query, the prophecy machine will return a uniformly random output. For recurring queries, the prophecy machine will return the same result. The security game $G_0$ is described in detail as follows:

Initialization phase: Challenger $\mathcal{C}$ generates homomorphic encrypted public-private key pairs $\left(H{E}_{pub},H{E}_{priv}\right)$, random number $r_P\in Z_{p^{\ast }}$, $r_E\in Z_n^{\ast }$, CC public-private key pair $\left(C{C}_{pub},C{C}_{priv}\right)$, RSA signature public-private key pair $\left(u_{pub},u_{priv}\right)$.

Challenge phase: $\mathcal{A}$ outputs two equal-length challenge plaintexts $(M_0,M_1)$. $\mathcal{C}$ randomly chooses $b{\epsilon }_R\{0,1\}$, calculates $c_i^{\mathrm{\prime }}=g^{M_b}{r_P}^n(mod{n}^2)$, and $C=({g^{r_E}}_1,c_i^{\mathrm{\prime }}{s}_1)$. Finally, $\mathcal{C}$ returns $c_i^{\mathrm{\prime }}$ and C to $\mathcal{A}$.

Speculation phase: Adversary $\mathcal{A}$ outputs $b^{\mathrm{\prime }}$ If $b=b^{\mathrm{\prime }}$, then $\mathcal{A}$ wins $G_0$. The probability advantage of having in is defined as $Ad\nu \left(\mathcal{A}\right)=\left|Pr\left[b=b^{\mathrm{\prime }}\right]-\frac{1}{2}\right|$.

Definition 6. If for any PPT adversary $\mathcal{A}$, there exists a negligible value $\epsilon$ that satisfies $Ad\nu \left(A\right)\le \epsilon$, then the eavesdropper in this scheme is considered to be unable to break the semantic security of the homomorphic encryption regime.

Theorem 7. If the Paillier encryption, Elgamal encryption used in the scheme is semantically secure, the eavesdropper in this scheme cannot break the semantic security of the encryption regime under the random prediction machine model.

Proof. Theorem 1 is proved here by defining multiple indistinguishable security games.

$G_0^I$: The game is the same as $G_0$.

$G_1^I$: The game is similar to $G_0^I$, except that the challenger $\mathcal{C}$ replaces $c_i^{\mathrm{\prime }}$ replaced by a random number of equal length $R_0$. Since Paillier encryption is semantically secure, the private key in $H{E}_{priv}$ to the adversary $\mathcal{A}$ in the case of secrecy $G_1^I$ with $G_0^I$ has indistinguishability.

$G_2^I$: The game is similar to $G_1^I$, except that the challenger $\mathcal{C}$ replaces C with a random binary of the same format $R_1$. Since Elgamal encryption is semantically secure, the private key in $C{C}_{priv}$ to the adversary $\mathcal{A}$ in the case of secrecy $G_2^I$ with $G_1^I$ has indistinguishability.

In $G_2^I$, adversary $\mathcal{A}$ receives the messages of $(R_0,R_1)$, all of which are uniformly random values, independent of the challenge plaintexts $(M_0,M_1)$. Therefore, $\mathcal{A}$ in the speculation phase only random output $b^{\mathrm{\prime }}$, its probability advantage is negligible, i.e., $Ad\nu \left(\mathcal{A}\right)=\left|Pr\left[b=b^{\mathrm{\prime }}\right]-\frac{1}{2}\right|\le \epsilon$. Since $G_2^I$ and $G_0$ are indistinguishable, while $G_0$, $\mathcal{A}$ and $(M_0,M_1)$ simulate the present system, the eavesdropper and the plaintext, respectively, it can be assumed that the eavesdropper cannot break the semantic security of the present encryption regime. The theorem is proved.

In summary, this scheme can guarantee the completeness, verifiability, anonymity, and uniqueness of the e-voting scheme, and only authenticated voters can vote, preventing illegitimate voters from leaking election information and interfering with the election results. Meanwhile, eavesdroppers cannot break the semantic security of this encryption scheme.

Attack model analysis

The scheme proposed in this article can effectively resist the following attacks.

Performance analysis of the voter client

In the voting stage, each voter needs to sign the ballot once and encrypt it twice: first, the ballot is encrypted with the $H{E}_{pub}$, and the homomorphic encryption algorithm chosen in this scheme is the Paillier encryption algorithm, which requires one multiplication decentralized operation during encryption; then, the voter signs the ballot with his or her own private key, and we choose the RSA signature algorithm to sign the ballot. Finally, the ballot is encrypted with the $C{C}_{pub}$, and the Elgamal algorithm is used to encrypt the ballot, which requires two decentralized multiplication operations. Therefore, for each voter client, the time cost of the voting phase.

$$COS{T}_{voter}=4\times Cos{t}_e\times N_c.$$

Performance analysis of the CC

In the election process, the CC needs to decrypt the encrypted ballot and verify the signature. In addition, the CC also needs to perform homomorphic addition on the ciphertext, but since homomorphic addition is essentially a multiplication of large integers, the time consumed is negligible compared to the decentralized multiplication operation. After analysis, we know that the CC performs one multiplication decentralized operation for both decryption and signature verification of ballots, so the time cost for processing a ballot in the CC is

$$COS{T}_{CC}=2\times Cos{t}_e\times N_c$$

We assume that each voter only needs to cast one vote for his or her target candidate during the voting process and does not need to perform any operation on the other candidates, and when the votes are counted, the number of votes for the selected candidate increases by one and the number of votes for the other candidates who are not selected remains the same. Based on this assumption, we compared the time cost required for the proposed HED-Voting scheme and the HSE-Voting scheme (Fan et al., 2020), as shown in Table 3.

We ran five scenario simulations based on different numbers of voters ( $N_v=$ 1,000, 2,000, 4,000, 7,000, 10,000) and counted the time spent by the CC to process all ballots. In the simulations, we assume that the number of candidates is five, That is, $N_c=5$ and that each voter also needs to vote for only one candidate. The results are shown in Fig. 3.

As can be seen from Fig. 3, the actual time costs required for both scenarios are consistent with the theoretical estimates of the time costs in Table 3. In all five scenario simulations, the computational cost of the HED-Voting scheme is lower than that of the HSE-Voting scheme, and the computational efficiency of the HED-Voting scheme is improved by about 66.7% compared with that of the HSE-Voting scheme. The scheme has the capability to handle a large number of voters and counting within an acceptable time frame.

HED-voting scheme computational complexity

For computational complexity analysis, we chose 512 bits for large primes and 1,024 bits for n. Modulo power and modulo inverse operations are performed using Python’s gmpy2 module, and Paillier key generation is performed using Python’s phe module. The program is executed on an Intel(R) Core (TM) i5-10210U CPU @ 1.60 GHz 2.11 GHz processor, 64-bit host, 16 GB RAM, and Python version 3.9.8. After executing the program, for a modulo multiplication operation Mul on the program, the operation time is about 0.0035 ms. To make the computational results independent of computer performance, the computational cost of the relevant basic operations in the program is calculated using the time consumption of Mul1 as the basic weight, as shown in Table 4.

Based on the relative elapsed time of the relevant base operations in Table 4, the computational complexity of the following algorithms is calculated (some of them are no longer given because their elapsed time is negligible due to their short elapsed time), as in Table 5, For $Setup\mathrm{\_}HE$, it needs a Paillier key generation operation, so its base operation is Key. For $Setup\mathrm{\_}CC$, it needs a modulo power operation, so the base operation is $Mu{l}_2$. For $User\mathrm{\_}KeyGen$, a simulation operation is required, so the base operation is $Inv$. For $Enc\mathrm{\_}HE$, there is a modulo multiplication operation and a modulo power operation. Therefore, the basic operation is $Pow+Mu{l}_1$. For $Enc\mathrm{\_}CC$, there are two modulo power operations, so the base operation is $2Pow$. For $Dec\mathrm{\_}CC$, there a For $Rsa\mathrm{\_}Sig$, there is one modulo power operation, so the base operation is $Pow$.re 3 modulo multiplications, three modulo powers, and one simulation operation, so the base operation is $3Mu{l}_2+3Pow+Inv$. For $Rsa\mathrm{\_}Ver$, there is one modulo power operation, so the base operation is $Pow$. For $Count\mathrm{\_}CC$, there are two modulo operations and two modulo operations, so the base operation is $2Pow+2Mu{l}_1$. For $Dec\mathrm{\_}HE$, there is one modulo operation and one modulo operation, so the base operation is $Pow+Mu{l}_2$.