Page 248 - Towards Trustworthy Elections New Directions in Electronic Voting by Ed Gerck (auth.), David Chaum, Markus Jakobsson, Ronald L. Rivest, Peter Y. A. Ryan, Josh Benaloh, Miroslaw Kutylowski, Ben Adida ( (z-lib.org (1)
P. 248
J. van de Graaf
240
in the order of giga- or terabytes, for P = 500 (the average size of a precinct in Brazil).
However, by fine-tuning of the protocol and a careful analysis of the probabilities, sub-
stantial gains can be had.
For instance, a major cause is the expansion caused by the BCX, as every bit of the
channel needs at least one BCX, which is very inefficient representation. In fact, we
can show that a generalization of the bit commitment scheme used by Bos in his voting
protocol ([7], Chapter 3) has exactly the desired properties but with a constant size,
resulting in substantial gains. This will be detailed in the final version of this paper.
Another possibility for savings is that the current protocol is in some sense too robust,
and that by trading off the probability of catching someone cheating on an individual
vote some efficiency can be gained.
4.3 How to Prevent Ballot Marking
In the case of voting, a problem is that P i can choose the index s, the slot he wishes to
occupy, any way he likes. He could therefore abuse this freedom to mark his vote by
choosing a particular s, instead of choosing it at random.
Thesolutionis totake away P i ´s freedom to choose s. Instead, s must be determined
in some deterministic, pseudo-random way. As a first approach, one could apply a hash
function on v i , but this property can only be verified after all the contributions have
been posted – it would imply that contributions that do not fulfill this property will be
declared invalid.
A more general solution is obtained by calculating the hash on a set of known values,
such as the BCXs on M i andonthe R ij . For instance, the value h(BCX(M i ), BCX(R ij ))
could fix an arbitrary permutation π ∈{1,...,S}, which would be used to mix the slots
of C i ,i.e. C i [π(x)] = M i [x] ⊕ R i [x]. Again, the protocol in §3.2 would proof equality
respecting this permutation π.
5 Conclusions
This paper shows a conceptually simple protocol for voting with unconditional privacy.
The paper does so using a non-interactive version of the Dining-Cryptographers proto-
col, which is not as efficient (in terms of message size) as other voting protocols that
offer unconditional privacy, but is of interest in itself since it may have applications
other than voting.
The resulting protocol is certainly feasible for voting in small groups where the
chance of someone disrupting or not participating is low. Otherwise it might be wiser
to define a small number of authorities, whose main role is to reduce the interactions
necessary to eliminate no-showers. As in the mix networks, these authorities protect
the privacy of the voters, but unlike the mix case, there is no additional computational
assumption.
The author strongly believes that unconditional privacy for voting is a desirable prop-
erty. The fact that at some unknown point in the future voter privacy is completely vi-
olated is not acceptable, and the public may actually reject electronic voting systems
once this point becomes clear. Therefore, the search for practical voting protocols with
