Page 152 - Towards Trustworthy Elections New Directions in Electronic Voting by Ed Gerck (auth.), David Chaum, Markus Jakobsson, Ronald L. Rivest, Peter Y. A. Ryan, Josh Benaloh, Miroslaw Kutylowski, Ben Adida ( (z-lib.org (1)
P. 152
J. Furukawa, K. Mori, and K. Sako
144
to the shuffling management center. The report is accompanied by the proof
y ,r j which ensures that SC j indeed knows the secret x j corresponding to
j
y j . The proof will be generated by SC j as follows.
j
y =[β j ]g
c j = H(p, q, g, y j ,y )
j
r j = c j x j + β j mod q
with a randomly generated β j ∈ Z/qZ.
2. The shuffling management center will verify the proof y ,r j for each public
j
key y j (j =1, ··· ,m) as follows.
c j = H(p, q, g, y j ,y )
j
[r j ]g − [c j ]y j = y j
y j ∈ E ,y j = O
The verified public keys are combined to compose the common public key
Y .
m
Y = y j
j=1
The proof for each public key is necessary to ensure that the common public
key Y corresponds to each of the secret keys that the mixers are aware of,
not those generated under a control of an adversary.
3. The election policy committee will certify the public keys y j and Y properly
generated as above.
Encryption of Votes
The Voter i will use the parameters Y and (q, E,g) certified by the election policy
committee and encrypt his vote m i as follows. (We assume here that m i is in
E.)
(G i ,M i)= ([¯r i ]g, m i +[¯r i ]Y )
where ¯ i is an element randomly chosen by the Voter i ,and ID i is information
r
that identifies the voter. He may then prove the knowledge of m i by generating
the proof α i ,t i by
α i =[γ i ]g
c i = H(p, q, g, Y, G i ,α i ,ID i )
t i = c i ¯r i + γ i mod q
with a randomly generated γ i . This proof ensures that the plaintext awareness
property: that is, a voter who knows the content of his vote has generated the
encrypted vote. A vote duplication attack by copying someone else’s encrypted
vote will be thwarted here.
