Page 245 - Towards Trustworthy Elections: New Directions in Electronic Voting, by Ed Gerck (auth.), David Chaum, Markus Jakobsson, Ronald L. Rivest, Peter Y. A. Ryan, Josh Benaloh, Miroslaw Kutylowski, Ben Adida

Anonymous One-Time Broadcast Using Non-interactive Dining Cryptographer Nets
on one half of the bit commitment, without revealing its value. We describe the scheme here informally, using a simple example. A more formal description is given in [11], which also shows that the scheme generalizes to proving linear relations between many bit commitments.

Using this approach, a bit commitment to $x = 1$ could for instance be represented by: $\vec{x} = (0,1),(1,0),(0,1),(0,1),(1,0)$, where $K = 5$, an artificially low value. The two components (columns) are labeled 0 and 1, also named left and right; the rows are labeled from 1 to $K$. Suppose A is committed to $x = 1$ and also to $y = 0$ as follows: $\vec{y} = (1,1),(1,1),(0,0),(1,1),(0,0)$, and that she needs to prove that the two bit commitments are different, i.e. that $x \oplus y = 1$.
 1. A tells for each pair of $\vec{x}$ and $\vec{y}$ whether the left component is equal or different. Or, equivalently, she opens the values $z_k = x_{k0} \oplus y_{k0}$ for $k = 1, \ldots, K$.
 2. A receives $K$ challenge bits $b_1, \ldots, b_K$ from the trusted random source.
 3. For each $b_k = 0$, A is required to open the left component, $x_{k0}$ and $y_{k0}$, of the $k$th pair of $\vec{x}$ and $\vec{y}$, and B must check that they are equal; if $b_k = 1$ then A opens $x_{k1}$ and $y_{k1}$ and B must check that they are different (their mod 2 sum adds to 1). This must be executed for each challenge bit $b_1, \ldots, b_K$.

It is easy to see that A does not reveal the actual values of the bit commitments through this protocol since only either the left or the right component of each pair is revealed, while the value is defined as the xor of both. As far as the binding property is concerned: obviously, for each row in which she tries to cheat, A gets caught with a probability 1/2.
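
The three steps and the per-row detection bound above, as an added Python example (not code from the book), run on the page's $K = 5$ vectors. It assumes each half is a plain bit whose opening is truthful (the underlying commitment to the halves is not modelled) and that B checks every opened pair against the announced $z_k$; all function names are hypothetical.

```python
import itertools
import secrets

# Constructed from the page's K = 5 example: x commits to 1, y commits to 0.
X = [(0, 1), (1, 0), (0, 1), (0, 1), (1, 0)]
Y = [(1, 1), (1, 1), (0, 0), (1, 1), (0, 0)]

def make_bcx(bit, K):
    """Fresh BCX: K pairs (left, right) with left XOR right == bit."""
    lefts = [secrets.randbits(1) for _ in range(K)]
    return [(l, l ^ bit) for l in lefts]

def announce_z(x, y):
    """Step 1: z_k = x_k0 XOR y_k0 for every row k."""
    return [xr[0] ^ yr[0] for xr, yr in zip(x, y)]

def open_halves(x, y, b):
    """Step 3, prover A: open component b_k of row k in both BCXs."""
    return [(xr[bk], yr[bk]) for xr, yr, bk in zip(x, y, b)]

def verify_inequality(z, b, opened):
    """Step 3, verifier B (assumed check): the opened halves must XOR to z_k
    when b_k = 0 and to z_k XOR 1 when b_k = 1."""
    return all((xo ^ yo) == (zk ^ bk) for zk, bk, (xo, yo) in zip(z, b, opened))

def accepted_challenges(x, y, z):
    """Number of the 2^K challenge vectors for which B accepts."""
    return sum(verify_inequality(z, b, open_halves(x, y, b))
               for b in itertools.product((0, 1), repeat=len(x)))

def best_cheat_count(x, y):
    """Best acceptance count A can reach over every possible announcement z."""
    return max(accepted_challenges(x, y, z)
               for z in itertools.product((0, 1), repeat=len(x)))

if __name__ == "__main__":
    z = announce_z(X, Y)
    b = [secrets.randbits(1) for _ in range(len(X))]  # step 2: trusted random source
    print("z =", z, "b =", b, "accepted:", verify_inequality(z, b, open_halves(X, Y, b)))
    same = make_bcx(1, len(X))  # also commits to 1, so x XOR y = 0
    print("honest prover accepted on", accepted_challenges(X, Y, z), "of", 2 ** len(X))
    print("cheating prover, best z:", best_cheat_count(X, same), "of", 2 ** len(X))
```

When both BCXs commit to the same bit, every announcement $z$ survives exactly one of the $2^K$ challenge vectors, which is the 1/2-per-row bound compounded over $K$ rows.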

It is important to observe that in the protocol of (in)equality between two BCXs, the unopened halves are not lost (useless), implying that the BCX can (and must) be preserved for future use. For instance, after a proof that $\vec{x} = \vec{y}$, the remaining halves can constitute a new BCX $\vec{t}$ with the property that $t = x = y$. Note that the view of the protocol showing inequality has the effect of flipping the semantics of the corresponding bit commitment for the $k$th pair: $t = x_{k\bar{b}_k} \oplus y_{k\bar{b}_k} \oplus z_k$, where $\bar{b}_k = 1 \oplus b_k$, the complement of $b_k$.

3.3 Preliminary Phase

As in the original DC protocol, during the preliminary phase each pair of neighbors creates their random bit string $R_{ij}$ of size $N$. But unlike the original protocol, we require that both $P_i$ and $P_j$ commit individually to each bit of $R_{ij}$ using the BCX bit commitment scheme explained above. To avoid any type of collusion between them, it is essential that they show to the world (the other participants, and any other observer) that they are committed to the same value.

We do this as follows: we first consider $P_i$ and $P_j$ as one party, written $P_{ij}$, who will jointly create a set of $N$ BCXs, but of size $2K$ instead of $K$. (If they cannot agree on how to do this jointly, we assume that at least one party aborts and that this particular pair of parties will not contribute to the overall protocol.) They prove the well-formedness to the other participants by showing that all pairs of the same BCX $\vec{x}$ encode the same values, i.e. that $x_{k0} \oplus x_{k1} = x$ for $k \in \{1, \ldots, 2K\}$. This is done as follows: