Towards Trustworthy Elections: New Directions in Electronic Voting, by Ed Gerck (auth.), David Chaum, Markus Jakobsson, Ronald L. Rivest, Peter Y. A. Ryan, Josh Benaloh, Miroslaw Kutylowski, Ben Adida

Unconditionally Secure Electronic Voting
Recover: Let $A \in \mathcal{A}$ be the set of players trying to recover a secret. They hold the set of encrypted shares $\{s_j(x) \mid j \in A\}$. To recover the secret, simply interpolate it from the decrypted shares $\{s_j(0) - R_j(0) \mid j \in A\}$.

PubVerify: Verifier $k$ will accept (or reject) the encrypted share $s_j(x)$ with the commitment $\alpha$ if the following condition is satisfied:

$$s_j(x)\big|_{x=v_k} = F_1(v_k, y)\big|_{y=j} + \alpha F_2(v_k, y)\big|_{y=j} + R_j(v_k)$$

Theorem 3. The above protocol is a US-PVSS satisfying perfect-completeness, -soundness and perfect-secrecy. Moreover, if the above protocol is constructed over $GF(q)$ and the number of public verifiers is upper-bounded by $L$, then the success probability for any adversary to break the soundness property is at most $L/q$.

Proof. Completeness is obvious, since if the dealer is honest, every honest Verifier $k$ accepts all encrypted shares in PubVerify with probability 1.

To prove soundness, let $A, B \in \mathcal{A}$ be sets of players that output different values: $\mathrm{Recover}(\{D_i(S_i) \mid i \in A\}) \neq \mathrm{Recover}(\{D_i(S_i) \mid i \in B\})$. Then there exists at least one share $S_i$ with $i \in A \cup B$ such that $S_i$ is invalid, thus $S_i \neq F_1(x, i) + \alpha F_2(x, i) + R_i(x)$, and there exists at least one honest verifier $k \in \{1, \ldots, L\}$ who accepts the invalid encrypted share $S_i$. From integrity (Lemma 1) and unanimity (Corollary 1), the probability that this situation happens is less than $L/q$. This probability is exponentially small in the security parameter $|q|$.

Secrecy is also trivial from the secrecy property of the underlying Shamir's polynomial-based secret sharing scheme and the secrecy property of US-OPE.

                          4   Unconditionally Secure Electronic Voting

                          4.1  Model
We follow the bulletin board model for electronic voting as introduced by Benaloh et al. [8,2]. The model assumes a public bulletin board to which every player can post messages. The players comprise a set of tallying authorities, a set of voters Voter, and a set of passive public verifiers. An election proceeds in two phases. The first phase is the voting phase. In this phase, each voter posts his ballot to the bulletin board. Each ballot consists of encrypted shares of his vote, its commitment to prove the consistency of the shares, and a proof that the ballot contains 0 or 1 in the two-value vote. Since the voters need not be anonymous in this scheme, it is trivial to prevent double voting. Only valid ballots will be accepted. The second phase is the tallying phase, in which the tallying authorities are involved. They check each ballot posted on the bulletin board. Then they decrypt and sum up the shares, as in multiparty computation, and post each sum of the shares.
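
The tallying phase above works because Shamir shares are additive: each authority sums the shares it holds, and interpolating those posted sums (the Recover step) yields the sum of the votes without opening any single ballot. The following is an added example, not code from the paper. It assumes the prime field q = 2^61 - 1 and hypothetical function names, and it omits the share encryption (the R_j masks), the commitment check and the 0/1 ballot proof.

```python
import secrets

Q = 2**61 - 1  # assumed prime q for GF(q); the page does not fix a value


def share_vote(vote, n, t):
    """Shamir-share a 0/1 vote among n authorities; any t+1 shares recover it."""
    if vote not in (0, 1):
        raise ValueError("ballot must encode 0 or 1")
    coeffs = [vote] + [secrets.randbelow(Q) for _ in range(t)]
    # Authority j receives f(j), where f has degree t and f(0) = vote.
    return {j: sum(c * pow(j, e, Q) for e, c in enumerate(coeffs)) % Q
            for j in range(1, n + 1)}


def sum_shares(ballots):
    """Each authority adds the shares it holds, one per accepted ballot."""
    totals = {}
    for ballot in ballots:
        for j, s in ballot.items():
            totals[j] = (totals.get(j, 0) + s) % Q
    return totals


def recover(points, t):
    """Lagrange-interpolate at x = 0 from at least t+1 posted points."""
    if len(points) < t + 1:
        raise ValueError("not enough shares to recover")
    xs = list(points)[: t + 1]
    secret = 0
    for j in xs:
        num, den = 1, 1
        for m in xs:
            if m != j:
                num = num * (-m) % Q
                den = den * (j - m) % Q
        secret = (secret + points[j] * num * pow(den, -1, Q)) % Q
    return secret


def tally(votes, n=5, t=2):
    """Run both phases on constructed votes and return the recovered total."""
    ballots = [share_vote(v, n, t) for v in votes]
    return recover(sum_shares(ballots), t)
```

The result is the true count only while the number of voters stays below q, since the sums are reduced modulo q.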
The properties required of voting schemes are informally stated as follows.
                           – Eligibility
                             Ensures every eligible voter posts at most one ballot.
                           – Privacy
                             Ensures the secrecy of the contents of ballots.