Page 66 - Towards Trustworthy Elections New Directions in Electronic Voting by Ed Gerck (auth.), David Chaum, Markus Jakobsson, Ronald L. Rivest, Peter Y. A. Ryan, Josh Benaloh, Miroslaw Kutylowski, Ben Adida ( (z-lib.org (1)
P. 66
A. Juels, D. Catalano, and M. Jakobsson
58
3. Adversarial corruption: The adversary A selects a set V of n A voters to corrupt,
as well as a voter j for coercion and a target vote β. If any of these selections
are invalid, i.e., if V = n A or j ∈V − V or β C
terminated. ∈ φ, then the simulation is
4. Coin flip: Acoin b ∈ U {0, 1} is flipped.
5. Credential release: S gives A the set of credentials {σ i } i∈V as well as a credential
σ for the targeted voter j.If b =1,then S gives σ = σ j ;otherwise σ is a random
string.
6. Honest voter simulation: For each ballot element in W, the simulator posts a bal-
lot consisting of two ciphertexts (α i,1 ,α ,β i,1 ), (α i,2 ,α ,β i,2 ). S also furnishes
i,1 i,2
the associated NIZK proofs of the form specified above. Since the associated chal-
˜
lenges value comes from OW , and may therefore be predetermined by S,the NIZK
proof may be simulated using standard techniques. Let A 0 be the list of these bal-
∗
lots. Let A be the associated set of plaintext ballot choices in W for which the
associated credential is correct, i.e., excluding λ elements.
The simulator creates the ciphertexts above as follows. For each ballot element
r i
in W, S chooses two elements r i ,k i at random in Z q and sets (α i,1 = h ,α =
1 i,1
k i
h
r i
h
k i
h ,β i,1 = h r i x 1 r i x 2 c j ), (α i,2 = h ,α = h ,β i,2 = h k i x 1 k i x 2 σ i ).
2 1 2 1 i,2 2 1 2
7. Adversarial ballot posting: The adversary A posts a set of ballots B 0 and associ-
ated NIZK proofs.
8. Decryption of ballots posted by the adversary: S checks the NIZK proofs in B 0 .
Let B 1 be the list of ballots with correct proofs. For each ballot in B 1 and each
credential in {σ i } i∈V σ j , the simulator decrypts using his own private key (see
above).
9. Tallying simulation: S simulates the behavior of honest tallying authorities. Since
these are a majority, any deviating behavior by tallying authorities in the control of
A may be ignored. This part of the simulation proceeds as follows:
(a) Proof checking: Let E 0 denote the combined list of input ballots A 0 and B 0 .
S simulates the behavior of honest tallying authorities in rejecting all ballots
with invalid associated NIZK proofs. Let E 1 be the resulting ballot list.
(b) Eliminating duplicates: Since no mixing has yet occurred, S may simulate
the elimination of duplicate ballots using its own decryption key. Let E 2 be the
resulting ballot list.
˜
(c) Mixing: S simulates the oracle MN as applied to E 2 by outputting an equal-
length list E 3 of random ciphertext triples. Likewise, S simulates the mixing
of L 0 by outputting an equal-lengthed list L 1 of random ciphertexts.
(d) Checking credentials: S simulates the process of credential checking. In a
˜
true protocol execution, this would involve sequential comparison using PET
between each ballot in E 3 (more precisely, the credential ciphertext therein)
and the ciphertexts in L 1 . Either a match is found, in which case a ballot is
deemed to be based on a valid credential, or else the list L 1 is exhausted, and
the ballot is rejected.
˜
S simulates the output of PET for this phase of the protocol using its own
decryption key as before. Let E 4 be the resulting ballot list.
(e) Decryption: This is done straightforwardly.
