Towards Trustworthy Elections: New Directions in Electronic Voting, by Ed Gerck (auth.), David Chaum, Markus Jakobsson, Ronald L. Rivest, Peter Y. A. Ryan, Josh Benaloh, Miroslaw Kutylowski, Ben Adida. Page 341.

A Practical and Secure Coercion-Resistant Scheme for Internet Voting

The mechanism of Smith performs a global blind comparison of ciphertexts instead of pairwise comparing ciphertexts via a plaintext equivalence test. In order to accomplish this, the method makes deterministic fingerprints from probabilistic encrypted credentials and then compares the resulting fingerprints through hash tables. The method depends on the El Gamal cryptosystem and is described as follows:

Let $s$ be an El Gamal private key shared among the talliers and corresponding to a public key $h = g^s$, where $g$ is a group generator, $k$ another private key shared, $ks$ the product of $k$ and $s$ also shared, and $(g^r, \sigma h^r)$ the El Gamal ciphertext of a credential $\sigma$, where $r$ is a random number. In order to make a fingerprint from $(g^r, \sigma h^r)$, the talliers cooperatively compute $(g^r)^{ks} = h^{rk}$ and $(\sigma h^r)^k = \sigma^k h^{rk}$. Then, they divide $(\sigma^k h^{rk})$ by $(h^{rk})$ to obtain $\sigma^k$. The talliers now use half of the bits of $\sigma^k$ as the fingerprint. This process is applied to all credential ciphertexts using the same $k$ and $ks$ before comparing the resulting fingerprints.

Observe that the talliers need to publish $\sigma^k$ before making the fingerprint. Thus, anyone can verify the fingerprint is correct.

Weakness. Smith's comparison method is efficient. However, it is insecure. In particular, an adversary can determine whether a coerced voter gave him a valid or a fake credential¹. In order to show this, we consider the following scenario:

Suppose an adversary forces the voter to reveal her credential $\sigma$. Now, the adversary makes two tuples, one with the encryption of $\sigma$ and the other with the encryption of $\sigma^2$, and publishes them on the bulletin board. In the tallying phase, after applying Smith's method, the talliers publish $\sigma^k$ and $\sigma^{2k}$ on the board. Now, by squaring a copy of each element on the board, the adversary is able to test if a squared element matches an element on the board. Thus, if the two votes corresponding to $\sigma$ and its square were removed by the talliers, the coercer learns that $\sigma$ is an invalid credential.
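
Added example (not from the original chapter): a toy Python model of Smith's fingerprinting step and of the squaring relation described under Weakness, showing that the relation between two submitted credentials survives blinding. The group parameters, function names and sample credentials are assumptions made for illustration, and the keys $s$ and $k$ are held by a single party here instead of being shared among talliers.

```python
import secrets

# Toy group, constructed for illustration only: p = 2q + 1 with p, q prime,
# and g = 4 generating the subgroup of prime order q. Far too small for real use.
P, Q, G = 2039, 1019, 4

def keygen():
    """Return (s, k, h): private keys s and k (one party here) and h = g^s."""
    s = secrets.randbelow(Q - 1) + 1
    k = secrets.randbelow(Q - 1) + 1
    return s, k, pow(G, s, P)

def encrypt(h, sigma):
    """Probabilistic El Gamal encryption (g^r, sigma * h^r) of a credential."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), sigma * pow(h, r, P) % P

def blind(ct, s, k):
    """Smith's step: (g^r)^(ks) = h^(rk) and (sigma h^r)^k = sigma^k h^(rk);
    dividing the second by the first leaves the deterministic value sigma^k."""
    a, b = ct
    h_rk = pow(a, k * s % Q, P)
    return pow(b, k, P) * pow(h_rk, -1, P) % P

def publish_board(credentials, s, k, h):
    """Encrypt each posted credential and publish its blinded value sigma^k."""
    return [blind(encrypt(h, c), s, k) for c in credentials]

def squaring_matches(board):
    """Pairs (x, x^2 mod p) where both values appear among the published sigma^k."""
    published = set(board)
    return [(x, x * x % P) for x in board if x != 1 and x * x % P in published]

if __name__ == "__main__":
    s, k, h = keygen()
    sigma = pow(G, 123, P)                          # revealed credential (constructed)
    others = [pow(G, e, P) for e in (5, 77, 300)]   # unrelated credentials (constructed)
    board = publish_board(others + [sigma, sigma * sigma % P], s, k, h)
    # sigma^(2k) = (sigma^k)^2, so the pair is recognisable on the public board
    # by anyone, without knowledge of s or k.
    print(squaring_matches(board))
```

Raising to the secret power $k$ hides each credential but preserves multiplicative relations between them, which is the property a deterministic fingerprint of this form cannot avoid.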

3   Our Coercion-Resistant Voting Scheme

As we presented before, the scheme of JCJ is inefficient for large-scale elections. Also, we showed that the comparison mechanism of Smith is insecure. We now introduce a new coercion-resistant voting scheme that employs some of the JCJ ideas and that computes voting results in linear time.

Our solution does not rely on blind comparisons to identify valid credentials. Instead, we employ a particular mathematical structure to make the credentials and use a function to identify them. The structure makes it hard for a coercer or a dishonest voter to forge new valid credentials, even after having seen several valid ones.

The new scheme has the following advantages: its security can be proved, it is a practical linear scheme (in the number of votes posted by the voters), one cannot link the votes of a given voter in different elections, and the generation of the credentials as well as the verification of their validity can be distributed

¹ This problem was also observed independently by Clarkson et al. [8].