Page 126 - Towards Trustworthy Elections New Directions in Electronic Voting by Ed Gerck (auth.), David Chaum, Markus Jakobsson, Ronald L. Rivest, Peter Y. A. Ryan, Josh Benaloh, Miroslaw Kutylowski, Ben Adida ( (z-lib.org (1)
P. 126
A. Otsuka and H. Imai
118
Initial Information: Private Keys
Voter i
S i1 ,S i2 ∈ GF(q)[x, y]of degree T and t
VSS-key
OPE-key R ij ∈ GF(q)[x]of degree 2T (0 ≤ j ≤ N)
Authority
j
{ OPE-key R ij ∈ GF(q)[x]of degree 2T (1 ≤ i ≤ M)
Verifier k
VSS v-key v k ∈ GF(q)
⎧
⎪
⎪
⎪ S i1 (v k ,y),S i2 (v k ,y) ∈ GF(q)[y]
⎨
of degree t (1 ≤ i ≤ M)
⎪ OPE h-key v k ,R ij (v k ) ∈ GF(q)
⎪
⎪
⎩
(1 ≤ i ≤ M, 0 ≤ j ≤ N)
All private kyes are chosen randomly and uniformly.
Every tallying authority in our scheme is given a private key as Verifier:
{Verifier} = {Voter}∪ {Authority}∪ {Public Verifier}.
Also note that OPE-key R ij is shared between Voter i and Authority j except
for R i0 .
Voting Phase
Each participating Voter i (i =1,...,m) prepares his vote as follows:
1. Voter i decides his vote s ∈{0, 1} and compute a commitment α i satisfying:
s = S i1 (0, 0) + α i S i2 (0, 0).
2. He computes all encrypted shares E ij (x)for each j =1,... ,N as E ij (x)=
S i1 (x, j)+ α i S i2 (x, j)+ R ij (x).
3. Then, Voter i computes a proof
P i (x)= f(x)(f(x) − 1) + xR i0 (x)
where f(x)= S i1 (x, 0) + α i S i2 (x, 0).
(Note that this random polynomial R i0 (x) is only known to the Voter i ,and
also note that f(0) = s on the second equation.)
4. Finally, Voter i writes i, α i ,E i1 (x),...,E iN (x),P i (x) on the Bulletin Board.
Verification Phase
Let V k (i, j, α)= S i1 (v k ,j)+ αS i2 (v k ,j) be a verification function for Verifier k .
Everyone (say Verifier k ) accept (or reject) the Voter i ’s vote if the following
conditions satisfied:
⎧
⎨ E ij (v k )= V k (i, j, α i )+ R ij (v k ) for all j =1,... ,N
P i (0) = 0
P i (v k )= V k (i, 0,α i )(V k (i, 0,α i ) − 1) + R i0 (v k )
⎩
