Page 58 - Towards Trustworthy Elections New Directions in Electronic Voting by Ed Gerck (auth.), David Chaum, Markus Jakobsson, Ronald L. Rivest, Peter Y. A. Ryan, Josh Benaloh, Miroslaw Kutylowski, Ben Adida ( (z-lib.org (1)
P. 58
A. Juels, D. Catalano, and M. Jakobsson
50
Finally, ideal-tally does the following based on the value of the secret bit b.If b =0,
then ideal-tally does not count any ballot cast (by the adversary) using private key sk.
If b =1,then ideal-tally does include in the final tally a ballot cast using sk (excluding
double votes). ˜ ˜
Our definition of ideal-tally here assumes that every ballot has a unique correspond-
ing private key. This is true of most natural ballot structures (and true of our pro-
posed scheme). This definition, of course, also assumes ideal functionality in ideal-tally,
namely the ability to extract private keys and plaintext votes from ballots. We do not
specify in our definition how this “oracle” power is achieves. In our proofs, we construct
a simulator capable of performing this functionality required from ideal-tally.
Note that although A learns the secret keys of voters, in our ideal experiment these
secret keys in fact provide A with no information useful in voting—the ideal func-
tion ideal-tally ensures against misuse of keys—and no information useful in learning
votes—because A never sees BB.
We are now ready to present the experiment c-resist-ideal that characterizes the
success of A .
Experiment Exp c-resist-ideal (k 1,k 2,k 3,n V ,n A,n C )
ES,A,H
V ←A (voter names, “control voters”); % A corrupts voters
n V
{(sk i,pk i) ← register(SK R,i,k 2)} ; % voters are registered
i=1
(j, β) ←A (“set target voter and vote”); % A sets coercive target
if |V | = n A or j ∈{1, 2, ...,n V }− V or
β ∈{1, 2, ...,n C }∪ φ then % outputs of A checked for validity
output ‘0’;
b ∈ U {0, 1}; % coin is flipped
if b =0 then % voter evades coercion
BB ⇐ vote(sk j,PK T ,n C ,β,k 2);
˜
sk ⇐ sk j;
,k 2); % ballots posted for honest voters
BB ⇐ vote({sk i} i =j,i ∈V ,PK T ,n C ,D n U ,n C
˜
BB ⇐ A (sk, {sk i} i∈V , “cast ballots”); % A specifies vote choices
n V
(X,P) ← ideal-tally(SK T , BB,n C , {pk i} i=1 ,k 3); % election results are tallied
b ←A(X, “guess b”); % A guesses coin flip
if b = b then % experimental output determined
output ‘1’;
else
output ‘0’;
4 A Coercion-Resistant Election Protocol
We are now ready to introduce our protocol proposal. We begin by describing the cryp-
tographic building blocks we employ. Where appropriate, we model these as ideal prim-
itives, as explained.
El Gamal: El Gamal [24] represents a natural choice of cryptosystem for our purposes,
and is our focus in this paper. For reasons that we explain below, we will adopt a mod-
ified version of the basic El-Gamal scheme which can be seen as a simplified version
