Page 168 - Towards Trustworthy Elections New Directions in Electronic Voting by Ed Gerck (auth.), David Chaum, Markus Jakobsson, Ronald L. Rivest, Peter Y. A. Ryan, Josh Benaloh, Miroslaw Kutylowski, Ben Adida ( (z-lib.org (1)

P. 168

A. Kiayias and M. Yung
160
abstracted as the “bulletin board” by Benaloh [3]. In principle one can employ
Byzantine agreement, c.f. [16,17,23,22], to ensure the integrity of such a record.
Moreover, in a practical implementation one can employ a publicly accessible
database server for storing the bulletin board data [32] and potentially rely on
database replication for maintaining the availability of the record.
Robustness. Ensures that the system can tolerate a certain number of faulty
participants while it maintains its secrecy and veriﬁability properties. Faults may
be non-malicious (e.g., processes crashing) or malicious (e.g., executing arbitrary
code).
Fairness. It should be ensured that no partial results become known prior to
the end of the election procedure to any subset of participants.
Another property, which we do not deal with here explicitly, is Receipt-
Freeness [5,41,34,27,30]. Standard techniques that use re-randomizers (see e.g.
[2]) can be readily employed in our schemes to allow certain forms of this property
assuming the independence of ciphertext randomizing entity from coercers or
malicious users.

Homomorphic Encryption Schemes. An encryption scheme is a triple K, E,
D . The key-generation K is a probabilistic TM which on input a parameter
1 w (which speciﬁes the key-length) outputs a key-pair pk, sk (public-key and
secret-key respectively). The encryption function is a probabilistic TM E pk :
R × P → C,where R is the randomness space, P is the plaintext space, and C

the ciphertext space. When P, for a given security parameter, equals Z a where a
is an integer that is a function of the parameter, we will say that the encryption
function has “additive capacity” (or just capacity) a. The correctness property
of the encryption scheme is that D sk (E sk (·,x)) = x for all x independently of the
coin tosses of the encryption function E. If we want to specify the coin tosses
of E we will write E pk (r, x) to denote the ciphertext that corresponds to the
plaintext x when the encryption function E pk makes the coin tosses r.Otherwise
we will consider E pk (x) to be a random variable. For homomorphic encryption,

deﬁned over the respective spaces
we assume additionally the operations +, ⊕,

are (families of) groups written additively
P, R, C,so that P, + , R, ⊕ , C,
(the ﬁrst two) and multiplicatively respectively.
Deﬁnition 1. An encryption function E is homomorphic if, for all r 1 ,r 2 ∈ R

and all x 1 ,x 2 ∈ P, it holds that E pk (r 1 ,x 1 ) E pk (r 2 ,x 2 )= E pk (r 1 ⊕ r 2 ,x 1 + x 2 ).
We will consider two examples of Homomorphic Encryption schemes: “additive”
ElGamal and Paillier Encryption. Both have been employed in the design of
e-voting schemes in the past, see [11] and [14,2] respectively (which are also part
of the current state-of-the-art schemes in the homomorphic encryption based
approach). We deﬁne them below:

Additive ElGamal Encryption. It is deﬁned by a triple K, E, D : the key-generation
K outputs the description of a ﬁnite multiplicative group G of prime order q,with
three generators g, h, f which are set to be the public-key of the system pk;the

163 164 165 166 167 168 169 170 171 172 173