Towards Trustworthy Elections: New Directions in Electronic Voting, by Ed Gerck (auth.), David Chaum, Markus Jakobsson, Ronald L. Rivest, Peter Y. A. Ryan, Josh Benaloh, Miroslaw Kutylowski, Ben Adida

J. Furukawa, K. Mori, and K. Sako
                                                                    n
                                                                         2

                                                                    j=1
                                                                               n
                                                                    n
                                                n

                                                     3   [λ ]g = u +    [c j ]u j
                                                          3
                                                                        2

                                   [λ ]t +[r]v +[  (r j − c j )]g =˙v +  [c j ] ˙ t j +  [c j ]˙v j
                                                j=1                j=1        j=1
                                                                     n
                                                          2
                                                     2
                                       [r]w +[sumj(r j − c j )]g =˙w +    [c j ]˙w j
                                                                    j=1

                                               [r ]g =[c ]y + y , [r ]ζ =[c ]η + η .
3.3 Complete Permutation Hiding

We discuss here the notion of complete permutation hiding (CPH) as a core requirement of unlinkability in verifiable shuffle-decryption. If a verifiable shuffle-decryption is CPH, honest verifiers will learn nothing new about its permutation from an interaction with a prover in an overwhelming number of cases of random tape that a prover has chosen uniformly and randomly, whereas, if the protocol is zero-knowledge, verifiers will learn nothing new in every case of the random tape. In other words, we define CPH so that verifiers learn nothing about the permutation in an overwhelming number of cases of common input $X_n$ and witness $W_n$ that the generator $G_R$ (defined below) outputs.

Let $I_n$ consist of the domain parameters $1^n$, $q$, $E$, where $q$ is a prime whose length is polynomial in $n$ and $E$ is an elliptic curve of order $q$, together with a private key $\bar{x}$, plain texts $\{M_i \in E\}_{i=1,\dots,k}$, and a random tape $Z_n$. Let $\mathrm{enc}(U)$ be an encoding of a probabilistic polynomial time (PPT) Turing machine $U$ which generates the cipher-texts $(g_i, m_i)_{i=1,\dots,k}$ that are input to the shuffle-decryption procedure. We assume the existence of a knowledge extractor that can concurrently extract $\{\bar{r}_i\}_{i=1,\dots,k}$ such that $[\bar{r}_i]g_0 = g_i$ from $U$. This assumption is satisfied if all generators of cipher-texts are required to run a concurrent proof of knowledge of $\bar{r}_i$, and such a requirement prevents an adaptively chosen cipher-text attack.

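Definition 1. Given $I_n$ $(= \{1^n, q, E, \bar{x} \in \mathbb{Z}/q\mathbb{Z}, \{M_i \in E\}_{i=1,\dots,n}, Z_n\})$ and $\mathrm{enc}(U)$, the instance generator $G_R$ chooses $g_0 \in_R E$, $x \in_R \mathbb{Z}/q\mathbb{Z}$, $\{s_i \in_U \mathbb{Z}/q\mathbb{Z}\}_{i=1,\dots,k}$, and a permutation $\pi$ uniformly and randomly, and computes:

$$m_0 = [x + \bar{x}]\,g_0, \qquad y = [x]\,g_0$$

$$(g_i, m_i) = U(I_n, g_0, y) \in E \times E$$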

                                      i
                                          i
                                     (g ,m )= ([s i ]g 0 + g π −1 (i) , [−x ]g i +[s i ]m 0 + m π −1 (i) ).
$G_R$ then outputs common input $X_n$ and witness $W_n$:

                                                                         i
                                                                             i
                                 X n = {q, E,y, ¯x, g 0 ,m 0 , {(g i ,m i )} (i=1,...,n) , {(g ,m )} (i=1,...,n) },

$$W_n = \{\pi, \{s_i\}_{i=1,\dots,n}, x\}.$$
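
A toy run of the instance generator in Definition 1, added here as an illustration and not taken from the paper. It assumes the order-$q$ subgroup of $\mathbb{Z}_p^*$ in place of the curve $E$, an honest ElGamal encryptor in place of $U$, and the names `g_out`, `m_out` for the shuffled outputs; `open_outputs` strips the remaining key $\bar{x}$ to show that the outputs are the plaintexts in permuted order.

```python
import secrets

# Assumption: E is replaced by the order-Q subgroup of Z_p^* (P_MOD = 2Q + 1), so the
# page's [k]A is pow(A, k, P_MOD) and A + B is A * B mod P_MOD. Constructed toy sizes.
P_MOD, Q, BASE = 2039, 1019, 4            # 4 = 2^2 generates the order-Q subgroup

def mul(k, a):                             # [k]a in the page's notation
    return pow(a, k % Q, P_MOD)

def add(*pts):                             # a + b + ... in the page's notation
    out = 1
    for a in pts:
        out = out * a % P_MOD
    return out

def rand_scalar():
    return secrets.randbelow(Q - 1) + 1    # uniform in 1..Q-1

def instance_generator(x_bar, plaintexts):
    g0 = mul(rand_scalar(), BASE)
    x = rand_scalar()                      # the shuffler's secret, part of W_n
    m0 = mul(x + x_bar, g0)                # m_0 = [x + x_bar]g_0
    y = mul(x, g0)                         # y = [x]g_0
    # Assumed stand-in for U: honest ElGamal under m_0, so g_i = [r_i]g_0.
    rs = [rand_scalar() for _ in plaintexts]
    ins = [(mul(r, g0), add(M, mul(r, m0))) for r, M in zip(rs, plaintexts)]
    n = len(ins)
    s = [rand_scalar() for _ in range(n)]
    pi_inv = list(range(n))                # pi_inv[i] holds pi^{-1}(i)
    secrets.SystemRandom().shuffle(pi_inv)
    outs = []                              # g_out, m_out: names chosen for this example
    for i in range(n):
        g_j, m_j = ins[pi_inv[i]]
        g_out = add(mul(s[i], g0), g_j)                   # [s_i]g_0 + g_{pi^-1(i)}
        m_out = add(mul(-x, g_out), mul(s[i], m0), m_j)   # [-x]g_out + [s_i]m_0 + m_{pi^-1(i)}
        outs.append((g_out, m_out))
    X = {"y": y, "x_bar": x_bar, "g0": g0, "m0": m0, "in": ins, "out": outs}
    W = {"pi_inv": pi_inv, "s": s, "x": x}
    return X, W

def open_outputs(X):
    # Stripping the remaining key x_bar must give the plaintexts in permuted order.
    return [add(m, mul(-X["x_bar"], g)) for g, m in X["out"]]

if __name__ == "__main__":
    msgs = [mul(k, BASE) for k in (5, 17, 101)]   # constructed plaintexts in the group
    X, W = instance_generator(x_bar=123, plaintexts=msgs)
    assert open_outputs(X) == [msgs[j] for j in W["pi_inv"]]
    print("outputs open to the permuted plaintexts")
```
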

In the above definition, $U$ is a PPT Turing machine that plays the role of (malicious and colluding) players who generate cipher-texts $\{(g_i, m_i)\}$. Although $U$ is