Page 178 - Towards Trustworthy Elections New Directions in Electronic Voting by Ed Gerck (auth.), David Chaum, Markus Jakobsson, Ronald L. Rivest, Peter Y. A. Ryan, Josh Benaloh, Miroslaw Kutylowski, Ben Adida ( (z-lib.org (1)
P. 178
A. Kiayias and M. Yung
170
such cases we introduce an alternative generic vector ballot design for our e-
voting approach that is capable of dealing with such settings very efficiently. In
the variant of our approach of this section, the ballot of each voter consists of
c + 2 ciphertexts (instead of 3) and the only allowed ballot encodings are the
following (i) encrypt a single “1” in the first c ciphertexts and “0” everywhere
else, or (ii) enter a write-in ballot in the last ciphertext, encrypt a “0” in the first
c ciphertexts and encrypt a “1” in the (c+1)-th ciphertext (which plays the role
of the “flag-ciphertext”). The encoding can be thought of as “punch-hole/write-
in” voting because the voter either “punches” a hole in the first c locations (by
voting “1”) or enters his write-in choice in the last location. In the remaining we
briefly explain the approach, mentioning only the cases where there is significant
difference from our paradigm of section 3.
First we note that the capacity assumption will be relaxed as follows:
Assumption 2. Relaxed Capacity Assumption. The capacity a of the encryp-
tion function satisfies a>n (the number of voters).
Forming the Vector-Ballot. Each voter V i publishes a vector ballot C 1 [i],C 2 [i],
...,C c+1 [i],C c+2 [i] . If the voter wishes to select one of the predetermined
[i]:= E pk (1), where i ∈{1,...,c}
choices {1,... ,c} of the election she selects C i
is her choice, and then sets C [i]:= E pk (0) for all ∈{1,... ,c +2}− { i }.On
the other hand, if the voter wishes to enter a write-in she selects C c+2 [i]:=
E pk (string )where string is her write-in choice, and sets C c+1 [i]:= E pk (1) as well
i i
as C [i]:= E pk (0) for =1,... ,c. Together with her vector ballot the voter
publishes a proof of a consistent vector ballot encoding to ensure that her ballot
is formed properly. More specifically this is done as follows:
(Consistency Argument #1). V i shows that the first c + 1 locations of her vector
ballot contain only a single 1 among c 0’s; this is accomplished as follows: for
0,C [i] 1,C [i]
),
each =1,... ,c +1, V i produces a proof for the predicate (Q ∨ Q
cipher cipher
i.e., showing that the C [i] ciphertext either encrypts a 0 or a 1. Then she
calculates the ciphertext C agg [i]= C 1 [i] ... C c+1 [i] and produces a proof
1,C agg [i]
, i.e., she shows that it is an encryption of 1.
for the predicate Q
cipher
(Consistency Argument #2). The voter shows that either the two last ciphertexts
in the vector ballot encrypt 0, or that the (c+1)-th ciphertext encrypts a 1, i.e.,
0,C c+1[i] 0,C c+2[i] 1,C c+1 [i]
).
V i produces a proof for the predicate (Q ∧ Q ) ∨ (Q
cipher cipher cipher
Alltogether the voter will have to show the following predicate for ballot
consistency:
c+1 0,C [i] 1,C [i] 1,C agg [i] 0,C c+1 [i] 0,C c+2[i] 1,C c+1[i]
∧ )
=1 (Q cipher ∨ Q cipher ) ∧ Q cipher ∧ (Q cipher ∧ Q cipher ) ∨ (Q cipher
It is easy to verify that the above consistency arguments enforce the intended
ballot-encodings as stated in the following fact:
Fact 2. The only feasible ballot encodings allowed by the consistency arguments
above are:
