Page 61 - Towards Trustworthy Elections New Directions in Electronic Voting by Ed Gerck (auth.), David Chaum, Markus Jakobsson, Ronald L. Rivest, Peter Y. A. Ryan, Josh Benaloh, Miroslaw Kutylowski, Ben Adida ( (z-lib.org (1)
P. 61
is output that is checkable by any party and demonstrates, relative to E and the public
key of the ciphertexts that E is correctly constructed. It is convenient to conceptualize
˜
MN as an ideal primitive in terms of an oracle MN for MN with the property of
public verifiability. Coercion-Resistant Electronic Elections 53
There are many good choices of mix networks for our scheme; some examples of
such schemes are those of Furukawa and Sako [23] and Neff [38].
Proofs of knowledge: As sketched in the above descriptions, we make use of NIZK
(non-interactive zero-knowledge) proofs of knowledge [6] in a number of places. We
do not describe these tools in detail, as they are standard tools in the cryptographic
literature. Instead, we refer the reader to, e.g. [17], for discussion of construction and
logical composition of such protocols, and [11] for a notational overview and discussion
of efficient realization. As is the usual case, our use of NIZK proofs enforces a reliance
on the random oracle model in the security proofs for our scheme [4].
4.1 Our Proposed Protocol
Setup: The key pairs (SK R,PK R ) and (SK T ,PK T ) are generated (in an appro-
priately trustworthy manner, as described above), and PK T and PK R are published
along with all system parameters.
Registration: Upon sufficient proof of eligibility from V i , the registrar R generates and
transmits to V i a random string σ i ∈ U G that serves as the credential of the voter. Such
credentials can be generated in a distributed threshold manner (as in [25]), with each
[σ i ] to
active server of R sending the voter V i its credential. R then adds S i = E PK T
6
the voter roll L. The voter roll L is maintained on the bulletin board BB and digitally
signed as appropriate by R.
We assume that the majority of players in R are honest, and can thus ensure that
the R provides V i with a correct credential. Nonetheless, it is possible for R to furnish
V i with a proof that S i is a ciphertext on σ i . To enforce coercion-resistance in the case
where erasure of secrets by voters is not automatic, a designated verifier proof [29] must
be employed for this proof. We note that credentials may be used for multiple elections.
Candidate-slate publication: R or some other appropriate authority publishes a can-
didate slate C containing the names and unique identifiers in G for n C candidates, with
appropriate integrity protection. This authority also publishes a unique, random election
identifier .
Voting: Voter V i casts a ballot for candidate c j comprising M-El Gamal ciphertexts
(i) (i)
(E 1 ,E 2 ) respectively on choice c j and credential σ i . In particular, for a 1 ,a 2 ∈ U Z q :
(i) a 1 a 1 (i) a 2 a 2
a 2
a 1
E =(α 1 ,α ,β 1 )= (g ,g ,c j h ),E =(α 2 ,α ,β 2 )= (g ,g ,σ i h ).
1 1 1 2 2 2 1 2
6
In our definitions above, we use the common terminology of private and public keys—with
corresponding notation sk i and pk i—to describe the credentials associated with voters. Shift-
ing from a general exposition to our specific protocol, we now use σ i instead of sk i to denote
a voter credential, and S i instead of pk i to denote a public representation thereof. This change
of notation aims to reflect the fact that voters do not employ a conventional form of public-key
authentication in our scheme.
