Page 345 - Towards Trustworthy Elections New Directions in Electronic Voting by Ed Gerck (auth.), David Chaum, Markus Jakobsson, Ronald L. Rivest, Peter Y. A. Ryan, Josh Benaloh, Miroslaw Kutylowski, Ben Adida ( (z-lib.org (1)

P. 345

A Practical and Secure Coercion-Resistant Scheme for Internet Voting
Registration phase. After verifying that a voter is eligible, R issues to the
voter a secret credential σ =(r, a, b, c) via an untappable channel, where a is
y
a random element in G (with a =1), r is a random element in Z p , b = a ,
x+rxy 337
and c = a . In addition, R may furnish the voter with a designated verifier
proof [16] of well-formedness for σ.Notethat if (r, a, b, c) is valid, then for all r
l
l
l
the credential (r, a ,b ,c )for l ∈ R Z p is a valid one too. This property is used
by the voter to change the values a, b, c each time she votes.
r
Voting phase. The voter casts her ballot by sending the tuple (E T [C],a,E T [a ],
ry x+rxy r
E T [a ],E T [a ],o ,P) through an anonymous channel to BB,where C is
r ry x+rxy
the candidate chosen, (r, a, a ,a ,a ) correspond to voter’s credential, o is
the public generator of G published in the setup phase, and P is a list of non-
interactive zero-knowledge proofs which ensure that the vote is well-formed. In
particular, P contains a proof that the vote is for a valid candidate, proofs of
r
r
knowledge of the plaintexts, and a proof that E T [a ]and o contain the same r.
y x+rxy
Recall from the previous paragraph that the values a, b = a ,and c = a
have been changed by the voter and are therefore different from the ones she
received from R.
r
The value o is used to detect duplicates and guarantees that only one vote
per voter will be counted. Otherwise, a dishonest voter could vote several times
without being detected.
Tallying phase. In order to compute the voting results, the talliers T perform
the following steps:
1. Verifying proofs. T verifies the proofs P on each tuple and remove tuples
with invalid proofs. That is, T verifies that a is in G and a =1, that E T [C]
is a vote for a valid candidate, the proofs of knowledge of the plaintexts, and
r
r
the proof that E T [a ]and o contain the same r;
2. Removing duplicates. In order to exclude duplicates, T first identifies
r
them by comparing all o , for instance, using a hashtable. After this, T
keeps the last posted tuples based on the order of posting on the bulletin
board;
3. Encrypting the plaintext element. The tuples that passed the previous
r
steps have their values o and P deleted, and their second component (i.e.
a) replaced by the Modified El Gamal ciphertext E T [a]. This way, only the
r ry x+rxy
values E T [C],E T [a],E T [a ],E T [a ],E T [a ] are processed in the next
step;
r
4. Mixing tuples. T sends the tuples composed of E T [C],E T [a],E T [a ],
ry x+rxy
E T [a ],E T [a ] to a verifiable mix net and publish the output on BB.
r ry
Let the tuples formed by (t, u, v, w, z)= (E T [C] ,E T [a] ,E T [a ] ,E T [a ] ,
x+rxy
] ) be the mix net output, where E T [X] means a re-encryption of
E T [a
E T [X];
5. Identifying valid votes. For each tuple, R first employs its secret key y
y
y
to cooperatively compute v . Then, R checks whether v and w have the
same plaintext using a plaintext equivalence test. If the verification result is
positive, R generates a fresh shared key α ∈ R Z p and cooperatively computes

340 341 342 343 344 345 346 347 348 349 350