Page 154 - Towards Trustworthy Elections New Directions in Electronic Voting by Ed Gerck (auth.), David Chaum, Markus Jakobsson, Ronald L. Rivest, Peter Y. A. Ryan, Josh Benaloh, Miroslaw Kutylowski, Ben Adida ( (z-lib.org (1)
P. 154
J. Furukawa, K. Mori, and K. Sako
146
i
i
3. SC j will decrypt each of (G
(j)
(j)
(j)
(j)
i
i
i
i
i
= G
− [x j ]G
G
(j) M (j) = M (j) ,M (j) ) using his secret key x j as follows:
(j)
The list (G i ,M i ) i will be returned to the shuffling management center.
Proving Correctness
Details of procedure for mixers to prove they have correctly shuffled and de-
crypted the input is described in the next section.
3 Details of Correctness Proof
For simplicity, we concentrate on one shuffling center and denote his secret key
as x. We represent by ¯ the product of the public keys of subsequent centers.
y
What we need to prove is the correctness of the following shuffle-and-decrypt
procedure.
Given n ciphertexts (G i ,M i ) i ,where all {G i } and {M i } are in E, the shuffling
center randomly chooses a permutation π and a random element s i ∈ U Z/qZ to
obtain shuffle-and-decrypt result as follows:
i
i
(G ,M )= [s i ]g + G π(i) , [s i ]¯y + M π(i) − [x]G i
for i =1,... ,n.
3.1 Generation of the Proof
We now provide the scheme to generate a proof that the shuffling center (which
will be denoted as the prover in the sequel) indeed shuffled and decrypted honestly.
We describe the scheme in a non-interactive way, where a challenge from a
verifier is given as an output of some universal one-way hash functions. We as-
sume here that all elements of input ciphertexts (G i ,M i ) and output ciphertexts
(G ,M )are in E.
i i
To prove (G ,M ) are generated correctly from (G i ,M i ), the prover computes
i i
the following equations for randomly chosen z, z i ,ρ,σ,τ, λ and λ i ,z ∈ U Z/qZ
˜
(i =1,... ,n): We use H and H to denote universal one-way hash functions
which output an element of Z/qZ and E, respectively.
˜
˜ ˜ g i = H(p, q, g, Y, i)
˜ g = H(p, q, g, Y, 0),
v =[ρ]g, w =[σ]g, t =[τ]g, u =[λ]g, u i =[λ i ]g
n
˜ g =[z]˜ +
i
g
˜ g =[s i ]˜g +˜g π(i) , g [z j ]˜ j
j=1
n n
g =[z]g + [z j ]G j , m =[z]¯ + [z j ]M j
y
j=1 j=1
