Page 246 - Towards Trustworthy Elections New Directions in Electronic Voting by Ed Gerck (auth.), David Chaum, Markus Jakobsson, Ronald L. Rivest, Peter Y. A. Ryan, Josh Benaloh, Miroslaw Kutylowski, Ben Adida ( (z-lib.org (1)
P. 246
J. van de Graaf
238
− →
1. P ij creates an additional BCX y of thesamevalue,i.e. x = y.
2. The trusted source of randomness supplies 2K challenge bits b i ,as wellas a ran-
dom permutation σ on {1,... , 2K}.
− →
− →
3. P ij proves equality between x and y , applying the permutation σ to shuffle the
pairs, i.e. by showing that either x k0 = y σ(k)0 or x k1 = y σ(k)1 , depending on the
value b k .
If P ij tries to cheat on a subset A, this remains undetected only if the permutation σ
2K
maps A onto itself. If a = #A > 1 this happens with probability /(2K)!.By
a
repeating the protocol this probability can be reduced to any desired level of security.
After this protocol has completed, P i and P j split their double BCX of size 2K in
two BCXs of size K by dividing the pairs evenly between them, for instance P i stays
with the first K pairs 1,... ,K and P j stays with the second K pairs K +1,... , 2K.
3.4 Publication Phase
During the second phase of the protocol each participant decides which message v i he
wants to publish, for instance a signed vote.
This part consists of the following substeps:
1. P i commits to his input M i , which contains v i , and proves that it has the proper
format;
2. P i commits to the contribution C i and proves that it has the proper format.
Commitment and proof of M i
1. Let v i be the message that P i wants to publish. P i now creates M i by selecting a
slot s ∈{1,... ,S} randomly. He sets M i [s]:= v i , whereas for s = s he sets
L
M i [s ]:= 0 , a slot with only zeroes.
2. P i commits to M i [[1..N]], the individual bits of M i .
3. Through a proof, P i must show that M i has the proper format, i.e. that at least S−1
slots are zero. To this end we use a straightforward subprotocol:
i P i chooses a random permutation σ of size S, and uses it to permute the slots
in M i , thus creating M .In other words, M [s]:= M i [σ(s)]. Then he commits
i i
to the individual bits of M .
i
ii A random challenge bit c is generated by the trusted source.
−→
iii If c =0 then P i reveals the permutation σ and proves equality between M and
i
−→
M i under the permutation σ.If c =1 then P i opens the bit commitments of
M for those slots that contain zeroes only.
i
This protocol must be executed K times in parallel, where K is a security parame-
ter. Cheating succeeds only if P i can predict the challenge bits in each round, which
happens with probability 2 −K .
Commitment and proof of C i . P i now adds the random bits R i exchanged between
his neighbors to the input M i in order to compute his contribution C i as follows:
