Towards Trustworthy Elections New Directions in Electronic Voting by Ed Gerck (auth.), David Chaum, Markus Jakobsson, Ronald L. Rivest, Peter Y. A. Ryan, Josh Benaloh, Miroslaw Kutylowski, Ben Adida

Receipt-Free K-out-of-L Voting Based on ElGamal Encryption
simulator. More precisely, a diverted proof for e is generated as follows: First, the randomizer uses the simulator to generate a random validity proof for e with challenge 0 (here we use that the Σ-proof is special zero-knowledge). Then, the voter and the randomizer engage in an interactive validity proof for e. The diverted proof is then the sum of these two proofs.
More precisely, the randomizer selects random “displacements” $c_{i,0} \in_R Z_u$, $c_{i,1} = -c_{i,0}$, and $\beta_{i,0}, \beta_{i,1} \in_R R$ for $i = 1, \ldots, L$. The displacements are chosen such that $c_{i,1} + c_{i,0} = 0$ for all $i$, i.e., the sum of the new sub-challenges will not change. Upon reception of the first message $(e_{i,0}, e_{i,1})$ of the interactive Σ-proof, the randomizer computes the first “message” of the non-interactive diverted proof as

$$e_{i,0} = e_{i,0} \oplus E(0, \beta_{i,0}) \quad c_{i,0}\, e_{i,0}, \qquad e_{i,1} = e_{i,1} \oplus E(0, \beta_{i,1}) \quad c_{i,1}\, e_{i,1}$$

and asks as challenge $c = H(e_{i,0}, e_{i,1})$. When receiving the third message $(c_{i,0}, c_{i,1}, \beta_{i,0}, \beta_{i,1})$, the randomizer computes the third “message” $(c_{i,0}, c_{i,1}, \beta_{i,0}, \beta_{i,1})$ of the non-interactive diverted proof as

$$c_{i,0} = c_{i,0} \quad c_{i,0}, \qquad c_{i,1} = c_{i,1} \quad c_{i,1}, \qquad \beta_{i,0} = \beta_{i,0} \quad \beta_{i,0}, \qquad \beta_{i,1} = \beta_{i,1} \quad \beta_{i,1}.$$


One can easily verify that the diverted conversation $(e_{i,0}, e_{i,1}), c, (c_{i,0}, c_{i,1}, \beta_{i,0}, \beta_{i,1})$ is accepting for $e_i$ (due to the linearity of the validity proof). Note that in the interactive validity proof, L such proofs are run in parallel with the same challenge (AND-combination). The above diversion is then applied on each parallel instance independently. Furthermore, as the original interactive proof is honest-verifier zero-knowledge only, one must ensure that the challenge of the randomizer is chosen at random. This is achieved by having the randomizer not only send c to the voter, but instead all $e_{i,j}$, such that the voter can apply the hash function himself. Obviously, then the voter knows that the challenge is selected at random under the random oracle assumption.
Adjusting the diverted validity proof to $e^*$. With the above protocol, the randomizer can construct a diverted non-interactive validity proof for e. It remains to convert this proof into a validity proof for $e^*$. So consider the following diverted validity proof for e: $[c, c_{1,0}, \ldots, c_{L,0}, \beta_{1,0}, \ldots, \beta_{L,0}, \beta_{1,1}, \ldots, \beta_{L,1}, \beta_\Sigma]$. Then one can easily verify that the following vector is a validity proof for the re-encrypted ballot $e^* = e \oplus E(0, \xi)$:

$$[c, c_{1,0}, \ldots, c_{L,0}, \ \beta_\Sigma \quad (\xi_1 \quad \ldots \quad \xi_L), \ \beta_{1,0} \quad c_{1,0}\,\xi_1, \ldots, \beta_{L,0} \quad c_{L,0}\,\xi_L, \ \beta_{1,1} \quad c_{1,1}\,\xi_1, \ldots, \beta_{L,1} \quad c_{L,1}\,\xi_L].$$
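The diversion and the adjustment to the re-encrypted ballot can be checked end to end for a single ballot component (one 0/1 OR-proof). This is an added Python example, not code from the chapter. Its assumptions are the toy group, all function and variable names, the verification convention that the first message equals $E(0,\beta_j)$ minus $c_j$ times the branch ciphertext (branches $e_i$ and $e_i$ minus $E(1,0)$), adjusting each response by adding $c_j\,\xi$, and leaving out the proof for the sum of the votes.

```python
import hashlib, secrets

# Toy parameters, constructed for illustration and far too small for real use.
P, Q, G = 2039, 1019, 4        # p = 2q + 1; g = 4 generates the order-q subgroup
H_PUB = pow(G, 777, P)         # public key h = g^z for a constructed secret z

def E(v, a):                   # ElGamal encryption of v with randomness a
    return (pow(G, a, P), pow(G, v, P) * pow(H_PUB, a, P) % P)

def add(x, y):                 # homomorphic addition of two ciphertexts
    return (x[0] * y[0] % P, x[1] * y[1] % P)

def mul(c, x):                 # scalar multiple c * x; a negative c subtracts
    return (pow(x[0], c % Q, P), pow(x[1], c % Q, P))

def branches(e):               # e encrypts 0 or 1 iff e or e - E(1,0) encrypts 0
    return [e, add(e, mul(-1, E(1, 0)))]

def challenge(first):          # hash of the first message, used as random oracle
    return int.from_bytes(hashlib.sha256(repr(first).encode()).digest(), "big") % Q

def verify(e, proof):          # proof = [c, c_0, c_1, beta_0, beta_1]
    c, cs, bs = proof[0], proof[1:3], proof[3:5]
    first = [add(E(0, b), mul(-cj, ej)) for cj, b, ej in zip(cs, bs, branches(e))]
    return sum(cs) % Q == c and challenge(first) == c

def cast(vote):
    rnd = lambda: secrets.randbelow(Q)
    alpha = rnd(); e = E(vote, alpha); ej = branches(e)
    # Voter: real first message on branch `vote`, simulated on the other branch.
    w, c_sim, b_sim = rnd(), rnd(), rnd()
    first = [None, None]
    first[vote] = E(0, w)
    first[1 - vote] = add(E(0, b_sim), mul(-c_sim, ej[1 - vote]))
    # Randomizer: displacements with d[0] + d[1] = 0, then the diverted first message.
    d0 = rnd(); d, bd = [d0, -d0], [rnd(), rnd()]
    diverted = [add(add(first[j], E(0, bd[j])), mul(-d[j], ej[j])) for j in (0, 1)]
    c = challenge(diverted)    # the voter receives `diverted` and hashes it himself
    # Voter: third message of the interactive proof.
    cs, bs = [c_sim, c_sim], [b_sim, b_sim]
    cs[vote] = (c - c_sim) % Q
    bs[vote] = (cs[vote] * alpha + w) % Q
    # Randomizer: add the displacements, then re-encrypt with xi and adjust.
    xi = rnd()
    cs = [(cs[j] + d[j]) % Q for j in (0, 1)]
    div = [c, *cs, *[(bs[j] + bd[j]) % Q for j in (0, 1)]]
    adj = div[:3] + [(div[3 + j] + cs[j] * xi) % Q for j in (0, 1)]
    return e, div, add(e, E(0, xi)), adj
```

`cast(vote)` returns the original ballot with its diverted proof and the re-encrypted ballot with the adjusted proof; `verify` accepts both, and the challenge and sub-challenges are identical in the two proofs.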
6.3 Security Analysis (of the Vote-Casting Protocol)

The vote-casting protocol must satisfy two requirements: First, the randomizer must not learn the vote. Second, the voter must not be able to prove any correspondence between the original ballot e and the re-encrypted ballot $e^*$.