Page 247 - Towards Trustworthy Elections New Directions in Electronic Voting by Ed Gerck (auth.), David Chaum, Markus Jakobsson, Ronald L. Rivest, Peter Y. A. Ryan, Josh Benaloh, Miroslaw Kutylowski, Ben Adida ( (z-lib.org (1)
P. 247
Anonymous One-Time Broadcast Using Non-interactive Dining Cryptographer Nets
239
[[n]],where j 1 ,... ,j u
C i [[n]] := M i [[n]] ⊕ R i[[n]] := M i [[n]] ⊕ R ij 1
[[n]] ⊕ ···⊕ R ij u
are the indexes of P i ’s neighbors, and where n ranges from 1 to N.Then P i publishes
C i and signs.
Observe that during the preliminary phase P i committed himself to R ij , and in the
first step of the publication phase he committed to M i , in both cases using the special
BCX commitment scheme presented in section 3.2. So using the protocol presented
in that section, P i can show (in the ”committed world”) that the assignment of C i is
−−−−→ −−−−−→ −−−−−→
[[n]] for each n.
correct, i.e. that indeed C i [[n]] = M i [[n]] ⊕ R ij 1 [[n]] ⊕ ··· ⊕ R ij u
4 Technical Considerations
4.1 Calculating the Collision Probability
Considered separately from the context of voting, the Non-Interactive Dining Cryp-
tographers channel deserves a performance analysis. Since participants choose slots
randomly, there always exists a chance that a collision occurs, i.e. two participants oc-
cupy the same slot, and consequently the corresponding slot contents (the vs) are lost.
If S = 365 and P =23, we are back to the birthday paradox: with probability approxi-
mately 1/2 we have a collision, so the message of two participants is lost. To reduce this
probability we can increase S. A well-known formula that approximates the collision
probability for this case is 1 − e −P (P −1)/2S .
Another solution is to run Q DC nets in parallel. The probability that in all of them
Q
a collision occurs is (1/2) , and that the same participant is involved in all of them
2 Q
equals ( ) (where we assume that the collisions in the DC nets are independent, and
P
where we ignore collisions which involve more than two participants (which have a
very low probability)).
But we can do even better. Instead of using Q =10 (say) parallel nets, it is certainly
more effective to use the same total number of slots, i.e. S = 3650 but let the partic-
ipant choose 10 slots randomly, instead of only one. Since the first version (Q parallel
nets) is a special case of the second (S = QS), the collision probability of the sec-
ond is bounded by the first. Preliminary computers simulations suggest it is orders of
magnitudes lower.
Approximating this probability accurately is not a simple exercise and a more careful
analysis is appropriate. For instance, it would be interesting to be see how the parame-
ters interrelate and be able to answer questions such as: Given a total of S slots and P
participants, how many message T should each participant send in order to maximize
successful completion of the protocol? Or reversely, given P participants, how should
we choose S and T if we want the failure probability to be really low, say 10 −20 ?These
questions are still subject of ongoing research.
4.2 Optimizing the BCX
The current version of the protocol is rather crude, the main point of this paper being
to show that unconditional privacy in voting is possible in a conceptually simple way.
Very rough estimates indicate that the current version of this protocol will result in files
