Abstract

Veriable SecretBallot Elections

Josh Daniel Cohen Benaloh

Yale University

Privacy in secretballot elections has traditionally b een attained by using a

ballot b ox or voting b o oth to disasso ciate voters from ballots Although such

a system might achieve privacy there is often little condence in the accuracy

of the announced tally This thesis describ es a practical scheme for conducting

secretballot elections in which the outcome of an election is veriable by all

participants and even by nonparticipating observers All communications are

public yet under a suitable numbertheoretic assumption the privacy of votes

remains intact

The to ols developed here to conduct such elections have additional indep en

dent applications Cryptographic capsules allow a prover to convince veriers

that either statement A or statement B is true without revealing substantial in

formation as to which Secret sharing homomorphisms enable computation on

shared secret data and give a metho d of distributing shares of a secret such

that each shareholder can verify the validity of all shares

Veriable SecretBallot Elections

A Dissertation

Presented to the Faculty of the Graduate School

of

Yale University

in Candidacy for the Degree of

Do ctor of Philosophy

by

Josh Daniel Cohen Benaloh

December

c

Copyright by Josh Daniel Cohen Benaloh

ALL RIGHTS RESERVED

to my wife Laurie

in the spirit of Benaloh

Acknowledgements

I owe a great many debts to p eople who have given me generous help with

much of this work

My advisor Mike Fischer has had the often quite dicult task of teaching

me the discipline required to do work in theoretical computer science He has

used his marvelous intuition to channel my eorts away from the many dead

ends which I would have happily sp ent months if not years exploring Mike has

also taught me the imp ortance of the hard work that although unpleasant is

necessary to make clever ideas into worthwhile results

Sha Goldwasser and Neil Immerman served as my other ocial readers Neil

read my work with tremendous patience and care He has more than once given

his time and talents to help me over trouble sp ots and his great enthusiasm has

often added enjoyment to what would otherwise b e the dullest of tasks Sha

has shown great interest in my work from its earliest forms She has contributed

much to the eld and my work simply would not have b een p ossible without the

fundamental achievements of which she is one of the leading pioneers

There are many others to whom I am indebted Silvio Micali has b een enthu

siastic ab out my ideas in the many conversations we have had and this work is

built up on many of the imp ortant ideas which he has contributed Oded Goldre

ich has b een very supp ortive of my work and he added a key insight which led to

one of the ma jor applications Dana Angluin has a wonderfully vast knowledge of

theoretical computer science which she has always shared generously along with

her keen p ersp ective of the eld and of life in general Lenny Pitt and Gregory

Sullivan served as b eacons to show that there is indeed life after Yale Dave

Greenberg Rub en Michel and David Wittenberg have always b een willing to

listen to my ideas add their own and generally make life as a graduate student

far more pleasant Among the others who have b een of great help to me are

Gilles Brassard Don Copp ersmith Claude Crepeau Paul Feldman Jo e Kilian

Jerry Leichter Moti Yung and many more to whom I now ap ologize for having

omitted

Most of all I want to express my deep est gratitude to my wife Laurie Besides

her constant supp ort and her assumption of many chores which I neglected during

the more intensive p erio ds of this work she to ok the time to carefully read the

rst draft of this thesis She found typographical errors suggested clarications v

and simplied pro ofs Her drudge work enabled my other readers to receive a

far more p olished pro duct and if Id incorp orated more of her recommendations

when they were made I would have had fewer complaints ab out later versions

from my other readers vi

Contents

Introduction and Overview

The Election Encryption Function and its Prop erties

Probabilistic Encryption

Higher Residues

Residue Classes

The Consonance Prop erty

Characterizations of Consonance

Prime Consonance

Perfect Consonance

Deciding Residue Classes

Evaluations and Decomp ositions

The Election Encryption Function E

The Prime Residuosity Assumption

Elementary Elections

Interactive Pro ofs and the use of Cryptographic Capsules

Some Interactive Pro ofs

r

An Interactive Pro of that z Z

n

An Interactive Pro of that w RC c

An Interactive Pro of that w w

An Interactive Pro of that r n y is consonant

Cryptographic Capsules

Capsules and Residues

r

An Interactive Pro of that y Z

n

An Interactive Pro of of Prime Consonance vii

Resultindistinguishable Residuosity

Graph Nonisomorphism

Bo olean Circuit Satisability

Basic Elections

Secret Sharing Homomorphisms

Threshold Schemes

The Homomorphism Prop erty

Comp osite Security

Some Examples

Veriable Secret Sharing

SecretBallot Elections

Overview of SecretBallot Elections

Related Work

Election Denitions

Veriable Elections

Public Voting

Privacy

An Election Paradigm

Votes and Ballots

Votes

Decomp ositions of Votes

Ballots

A Veriable SecretBallot Election Schema

The function check

check

I

check

V

check

T

check

Time and Space Requirements

Time Requirements

Space Requirements

Correctness

Security viii

An Overview of the Reduction

Simulating Elections

The Symmetry Condition

The Formal Reduction

Usage and Optimizations

Parallelization

Asynchrony

Other Streamlining

Extensions and Variations

Multiway Elections

Preferential Voting

Giving the Winner without the Tally

Related Schemas

Conclusions ix x

Chapter

Introduction and Overview

Over the last decade the eld of publickey cryptography has ourished within

theoretical computer science Techniques based up on infeasible computations

now exist which allow one to p erform tasks that seem to defy intuition

This thesis broadens the scop e of some known techniques and develops a

number of new ones Some of the metho ds given here also greatly simplify many

previous cryptographic proto cols

Although there are many applications for the to ols presented here there is

one common thread throughout this work Virtually all of the to ols describ ed are

incorp orated to construct a schema for holding secretballot elections in which

the outcome of an election is veriable by all participants and observers This

schema has a number of desirable prop erties

The schema is practical The necessary proto cols can b e run in reasonable

time with current technology In addition the proto cols contain a large

amount of intrinsic parallelism Exp ected future technologies can make

these proto cols extremely fast

Every participant and even mere observers can verify the tally of an elec

tion They can b e convinced that with extremely high probability the

election tally given represents the true tally of the election

The schema is robust No action can b e taken by any voter or set of voters

which will corrupt or disrupt the election in any way Failure of up to

half of the app ointed tellers or vote counters can b e withsto o d without

corrupting or disrupting the election

CHAPTER INTRODUCTION AND OVERVIEW

The secrecy of legitimate votes remains intact under a cryptographic as

sumption to b e describ ed later even if up to half of the tellers and an ar

bitrary set of voters collude This number can b e increased up to the p oint

where if even one teller remains honest then privacy of votes is maintained

but there is a corresp onding decrease in the number of teller failures which

an election can survive

One of the additional applications developed here arises from the notion of

secret sharing homomorphisms Secret sharing as developed by Blakley and

Shamir allows shares of a secret to b e distributed to many shareholders in such

a way that any subset of shareholders of size b eyond a predetermined threshold

can reconstruct the secret Smaller subsets however can obtain no information

whatso ever ab out the secret

It is shown that in many secret sharing schemes computations on a secret or

set of secrets can b e accomplished by computing directly up on the corresp onding

shares Thus for a wide variety of simple arithmetic functions shares of the

result of applying the function to the secrets can b e obtained by applying

related functions directly to shares of the secrets

When secret sharing homomorphisms are combined with certain encryption

metho ds describ ed in this work some p owerful new to ols can b e created One

of these to ols gives a practical mechanism whereby the holder of a secret can

distribute shares to a number of agents in such a way that each agent can b e

convinced that it holds a legitimate share of the secret This task called veriable

secret sharing has b een studied in existing literature but this is the rst practical

construction of a veriable secret sharing scheme

The notion of cryptographic capsules is another to ol which has applications

b eyond elections Capsules provide a simple mechanism which allows one agent to

convince a second that one of two or more statements is true without revealing

which is the case This to ol is useful in a wide variety of interactive proto cols

some of which will b e describ ed

Structure of this Thesis

Chapter develops the theory of higher residues and an encryption mechanism

based on this theory The chapter concludes with an oversimplied rst pass at

veriable secretballot elections

Chapter gives an overview of interactive proofs and introduces the notion

of cryptographic capsules It is shown how capsules can b e used to enhance the

capabilities and simplify many uses of interactive pro ofs This chapter concludes

with a second pass at elections which shows how to use interactive pro ofs and

cryptographic capsules to plug some of the gaps left by the rst pass

Chapter describ es the concept of secret sharing or threshold schemes and

the rather surprising homomorphism prop erties which allow direct computations

on shares to b e p erformed in many such schemes As an application of secret

sharing homomorphisms this chapter describ es a simple and practical metho d of

veriable secret sharing Those already familiar with interactive pro ofs can read

this chapter indep endently of chapter

Chapter ties together the ideas of the previous three chapters by using

them to construct a general schema for practical robust and most imp ortantly

veriable secretballot elections The prop erties claimed are carefully delineated

and rigorous pro ofs are given that these prop erties are actually attained

Chapter

The Election Encryption

Function and its Prop erties

Since when Die and Hellman rst published their landmark pap er New

Directions in Cryptography DiHe publickey cryptography has blossomed

into a ma jor discipline within theoretical computer science In Rivest

Shamir and Adleman published the rst true publickey cryptosystem RSA

Their system was based up on Eulers theorem and the security of their scheme

relies up on the diculty of factoring large integers From that time on number

theoretic metho ds have b een closely asso ciated with publickey cryptography

In order to pro ceed a small amount of background and notation is necessary

Denition We say that a j b read a divides b if and only if there exist an

integer m such that am b We write a j b to indicate that it is not the case

that a divides b

Denition We say that a b read a is equivalent to b mo dulo n if and

n

only if n j a b

Denition We use a mo d n to denote the unique integer b such that b n

and a b

n

fintegers x x n gcdx n g denote the multi Denition Let Z

n

plicative subgroup of integers mo dulo n

Denition Denote by n the size of the group Z N is often called the

n

Euler totient function It is well known that if the prime decomp osition of n is

CHAPTER THE ELECTION ENCRYPTION FUNCTION

e

e e

1 2 k

given by n p p then p

k

e

e e

k

2 1

p p p p p n p

k

k

Probabilistic Encryption

In Goldwasser and Micali GoMi introduced the notion of probabilistic

encryption A probabilistic encryption metho d allows one to encrypt a xed

value in many dierent ways Thus even when given the encryption of a value

and details of the encryption mechanism it is not necessarily p ossible for an

adversary to determine whether or not the encryption represents the encryption

of a chosen value

Goldwasser and Micali develop a bit encryption function based on the problem

of quadratic residuosity

Denition An integer y is a quadratic residue mo dulo an integer n if and only

denote the set of quadratic if there exists an integer x such that y x Let Z

n

n

residues mo dulo n which are relatively prime to n

Let n b e an integer which is the pro duct of two distinct o dd primes p and q

An integer z which is relatively prime to n is said to b e of Jacobi symbol if

Otherwise z is said to b e of Jacobi and z Z or if z Z and z Z z Z

q p q p

clearly has Jacobi symbol symbol Every quadratic residue in Z

n

There is a simple eective p olynomial time pro cedure originally due to Gauss

Gaus which computes the Jacobi symbol of an integer with resp ect to a given

mo dulus There is however no known p olynomial time pro cedure to without

the factorization of n determine whether or not an integer with Jacobi symbol

is a quadratic residue mo dulo n In addition given a single integer y of Jacobi

symbol which is not in Z it is p ossible to uniformly select quadratic residues

n

or quadratic nonresidues mo dulo n even if the factorization of n is not known

Thus a probabilistic publickey bit encryption function prop osed by Gold

wasser and Micali can b e dened by a user by selecting an n of known factorization

n pq where p and q are distinct o dd primes and releasing this n together with a

y of Jacobi symbol which is not in Z An encrypted bit may b e sent to this

n

user by releasing a quadratic residue to indicate a zero or a quadratic nonresidue

of Jacobi symbol to indicate a one The user which p ossesses the factorization

of n can easily determine which is the case see NiZu for instance Without

HIGHER RESIDUES

the factorization however distinguishing b etween the two cases is an apparently

dicult problem of unknown complexity

Goldwasser and Micali show that any nontrivial information that an adver

sary can eectively derive from even the rep eated use of such a function would

yield an eective pro cedure for distinguishing residues from nonresidues and no

such pro cedure is known

Higher Residues

For the purp oses of this work it is useful to generalize the Goldwasser and Micali

encryption function to a function which can encrypt more than one bit at a time

To accomplish this higher residues are used

th

Denition For a given integer n an integer z is said to b e an r residue mo dulo

r r

n if and only if there exists some integer x such that z x Let Z denote the

n

n

th

r

set of r residues mo dulo n which are relatively prime to n and denote by Z

n

th

which are not r residues mo dulo n the set of z Z

n

r

Lemma Z is a subgroup of Z

n n

Pro of

r r r r

and z x with z x is a closed consider z z Z To see that Z

n n

n n

r th r r

x x is an r residue mo dulo n and is relatively x The pro duct z z x

n n

prime to n since b oth z and z are by denition relatively prime to n

r r r

To see that inverses exist simply note that if z x then x Z is

n

n

the inverse of z

r r

so Z for all r Of course

n

n

Finally asso ciativity is inherited from the group Z which in turn inherits its

n

asso ciativity from integer multiplication

r

Lemma Given a xed r and n every integer z Z has the same number

n

th

of r roots

Pro of

th r r

Let b e the distinct r ro ots of Since Z and

k n

n

r

k Next consider a z Z By denition there exists some x Z

n n

r

such that z x Since Z is a group x are distinct for distinct i Also

n i

n

r r r th

x x z Thus the x form k distinct r ro ots of z If z had some

i n n i i

CHAPTER THE ELECTION ENCRYPTION FUNCTION

th r r r

additional r ro ot x not among the x then x x x x z z

i n n n

th

xx is an r ro ot of and must b e congruent to some But if xx Thus

i n i

r

then x x and this violates the assumption on x Thus every z Z has

n i

n

th

the same number of r ro ots as do es

Lemma If r and n are relatively prime then every integer z Z is an

n

th r th A

r residue modulo n ie Z Z and an r root of z is given by z mo d n

n n

where A satises Ar B n

Pro of

Since r and n are relatively prime the Diophantine equation Ar B n

has integral solutions A and B which can easily b e computed by the extended

Euclidean algorithm when the factorization of n and hence n is known

n

Since z is relatively prime to n z by Eulers theorem Therefore

n

A r B n n B

z z z z z

n n n

A th

Thus z is a r ro ot of z mo dulo n

Lemma serves as the basis for the RSA publickey cryptosystem see

RSA

Residue Classes

c

Denition Let r n and y b e xed integers If w Z is expressible as w y z

n

n

r

then w is said to b e of residue class c with resp ect to r n and for some z Z

n

which are of residue class c again with resp ect y The set of all elements of Z

n

to a xed r n and y is denoted by RC c or simply RC c when r n and

rny

r

y are understo o d In particular it is clear that for all y Z RC Z

rny

n n

Lemma Let r n y be integers with y Z If RC c RC c is not empty

n

then RC c RC c

Pro of

c c r

1 2

Let w RC c RC c By denition w y z y z for z z Z

n n

n

r c c r

1 2

Since Z is a group this implies that y z z Z

n

n n

c r

1

Let w RC c By denition w y z for some z Z Let z

n n

n

c c r c c

1 2 2 1

z y Z Thus z y z Now

n

n

c c c c c

2 1 2 1 1

y z y y z w y z

n n n

RESIDUE CLASSES

r

Since z Z w RC c Thus RC c RC c By symmetry therefore

n

RC c RC c as desired

Lemma implies that for a given r n and y any two residue classes either

coincide or are disjoint

Denition Given a triple of integers r n y the norm of r n y written

m r

jr n y j is the least p ositive integer m such that y Z If no such inte

n

ger exists then jr n y j

r th

When y Z then jr n y j since Z consists of only those r residues

n n

which are relatively prime to n Whenever y Z however jr n y j is b ounded

n

r r

by r since y Z

n

The norm m jr n y j is a Lemma Let r n y be integers with y Z

n

divisor of r

Pro of

m r r r

Let g gcdm r There m r By denition y Z Since y Z

n n

exist integral solutions to the diophantine equation Am B r g Thus

g AmB r m A r B r

y y y y Z

n n

n

Since g is a p ositive integer and g m it must b e the case that g m since m

m r

is the least p ositive integer such that y Z Thus since g j r it is true that

n

m j r as desired

The next lemma describ es the number of distinct residue classes

Lemma Let r n y be integers with y Z and let m jr n y j RC c

n

RC c if and only if c c

m

c c

1 2

Pro of By denition y RC c and y RC c If c c then there

m

exists some integer a such that am c c Since m jr n y j and y Z

n

m r am r

y Z and therefore y Z Thus

n n

c c c c c am

1 2 1 2 2

y y y y y RC c

n n

am r c

1

since y Z Hence y RC c RC c So by lemma RC c RC c

n

c c

1 1

Conversely if RC c RC c then since y RC c y RC c Thus

r c c c c r

1 2 1 2

there exists a z Z such that y y z Therefore y Z Let

n

n n

CHAPTER THE ELECTION ENCRYPTION FUNCTION

g gcdm c c There exist integers A and B such that g Am B c c

Now

g AmB c c m A c c B r

1 2 1 2

y y y y Z

n n

n

r m r c c

1 2

Z by the ab ove argument Thus since since y Z by denition and y

n n

g r

g j m and y Z it must b e the case that g m But it is also the case that g

n

and hence m divides c c Therefore c c as desired

m

Thus given a triple r n y with y Z there are exactly m jr n y j

n

distinct residue classes and they are given by

r

RC RC RC m Z

n

This justies the terminology of a residue class

The following lemma gives a metho d for selecting uniformly from elements of

a given residue class c

If x is chosen uniformly from Lemma Let r n y be integers with y Z

n

c r

then w y x mo d n represents a uniformly chosen member of RC c Z

n

Pro of

c c c

is a group and c is xed y is xed and w y z y z if and Since Z

n n

n

c

only if z z Therefore each w RC c is expressible as w y z for exactly

n n

r

one z Z Recall that by denition there must b e at least one such z By

n

r th

lemma every z Z has exactly has the same number of distinct r ro ots

n

r

in Z Thus if x is chosen uniformly from Z x is a uniformly chosen element

n n

r c r

and y x is a uniformly chosen element of RC c of Z

n

The essence of Lemma is captured in more general terms by Angluin and

Lichtenstein in AnLi as the so called prop erty of random selfreducibility

They p oint out that this prop erty is common to a wide variety of number

theoretic problems and can b e used to show a problem is uniformly hard if

it is hard at all

The following lemmas give some imp ortant prop erties of residue classes

Lemma Let r n y be integers with y Z If w RC c and w

n

RC c then the product w w RC c c

THE CONSONANCE PROPERTY

Pro of

c

i

Each w RC c if and only if it is expressible as w y z for some

i i i n i

r c c c r c

1 2 2 1

z where z z z Z Thus z y z y z Z Thus w w y

n n i n

n n

w w RC c c

Lemma Let r n y be integers with y Z If w RC c then w

n

RC c

Pro of

c r

w RC c if and only if it is expressible as w y z for some z Z

n

n

c r

Since w Z w is welldened and w y z But since Z is a group

n

n n

r

z Z Thus by denition w RC c

n

The following lemma shows how two integers can b e shown to b e of the same

residue class

Two integers w and w are Lemma Let r n y be integers with y Z

n

r

of the same residue class with respect to r n and y if and only if w w Z

n

Pro of

If w and w are b oth in RC c then by lemma w is in RC c and by

r

lemma w w is in RC But this implies that w w as desired Z

n

r r

Conversely assume that w w w Z RC Since w Z so is

n

n n

w and so w RC If w RC c then w w w is also in RC c by

n

lemma Similarly if w RC c then w w w RC c

n

Thus to prove that two integers are of the same residue class it is necessary

th

only to exhibit an r ro ot of their quotient

The Consonance Prop erty

Denition A triple of p ositive integers r n y is said to b e consonant or simply

r n and y are consonant if jr n y j r

The most imp ortant feature of a consonant triple r n y is that the residue

classes RC RC RC r are all distinct

Lemma Let y Z There exist r distinct residue classes if and only if

n

r n y is consonant In addition if r n y is not consonant then the number

of distinct residue classes is at most r

CHAPTER THE ELECTION ENCRYPTION FUNCTION

Pro of

By lemma and the denition of consonant when r n y is consonant

there exist r distinct residue classes

r r

Conversely since y Z y Z and the norm and hence the number of

n n

distinct residue classes is b ounded by r If the norm were exactly r then r n y

would b e consonant If r n y is not consonant then by lemma the norm

must b e a prop er divisor of r This implies that the norm of r n y and hence

the number of distinct residue classes is b ounded by r

Characterizations of Consonance

We now b egin to characterize what it means for a triple to b e consonant

Lemma A triple r n y is consonant if and only if the fol lowing condition

holds for al l integers c

c r

c y Z

r

n

Pro of

If r n y is consonant then by lemma

r

c RC c RC Z

r

n

c r

Thus in particular y Z

n

Also if r n y is consonant then

c c r

y RC c RC RC c RC c y Z

r

n

by lemmas and

Conversely assume that

c r

c y Z

r

n

r r

Since this condition must hold for all c consider the case of c r Here y Z

n

r r

But Z is dened to b e a subset of Z Thus y Z and therefore y Z

n n n n

This implies that the norm m jr n y j is nite Next by lemma it is true

that for all integers c

c r

c RC c RC y Z

m n

THE CONSONANCE PROPERTY

But the premise gives that

c r

y Z c

r

n

Thus

c c

m r

Hence r j m must b e true But by lemma m j r must also b e true Therefore

m r as desired

We now give necessary conditions for a triple r n y to b e consonant

Theorem If r n y is consonant then the fol lowing are true

a y Z

n

q

b If q is a prime such that q j r then y Z

n

c If q is a prime such that q j r then there exists a prime power

q

e e

p j n such that q j p and y Z

e

p

Pro of

jr n y j Thus jr n y j r implies that y Z a When y Z

n n

q

b If q is a prime such that q j r then if y Z were true there would exist

n

q r q q r q r

some x Z such that y x This would imply that y x x

n n n

n

q

r q r

But this would violate lemma Hence y Z and therefore that y Z

n

n

r q

c Fix q to b e a prime p ower such that q j r and consider y If for each

e r q r r

prime p ower p j n it were true that y Z then by the denition of Z

e e

p p

r q th e

y would have an r ro ot mo dulo each p The Chinese Remainder Theorem

r q th

would then imply that y would have an r ro ot mo dulo n and therefore that

r q r

y Z But this contradicts lemma and hence there must b e at least

n

e r q r

one prime p ower p j n such that y Z

e

p

e r q r

and let Now x p to b e a prime p ower divisor of n such that y Z

e

p

e e

g gcdr p Let A and B b e integers such that g Ar B p Then

e

A r r Ar B p g

e e

y Z y y

e

p p

p

e e e

If q j p were true then since q j r g gcdr p gcdr q p and

r q r

Hence hence g would b e a divisor of r q But this would imply that y Z

e

p

e r q r

q j p and y Z

e p

CHAPTER THE ELECTION ENCRYPTION FUNCTION

q

th th r q

were so then since a q ro ot of y is an r ro ot of y Finally if y Z

e

p

q

r q r

would also b e true But this cannot b e the case Hence y Z y Z

e

e

p

p

Two imp ortant corollaries to theorem will b e given The rst follows

easily from theorem c and the second from theorem b However in

b oth cases direct pro ofs seem to b e even simpler

Corollary If r n y is consonant then r j n

Pro of

Let g gcdr n There exist integers A and B such that g Ar B n

g Ar B n A r r

y y y Z

n n

n

Thus since r n y is consonant g This implies that g r and hence that

r

r j n

r

Corollary If r n y is consonant and r then y Z

n

Pro of

r

y Z r

r

n

We now show that conditions ac of theorem together with one added

condition are sucient for a triple r n y to b e consonant

Theorem A triple of positive integers r n y is consonant if al l of the

fol lowing are true

a y Z

n

q

b If q is a prime such that q j r then y Z

n

c If q is a prime such that q j r then there exists a prime power

q

e e

p j n such that q j p and y Z

e

p

d r and n are not both even

THE CONSONANCE PROPERTY

Pro of

By lemma a triple r n y is consonant if and only if for all integers c

c r

c y Z

r

n

Thus to show that r n y is consonant it is sucient to show that

c r

c y Z

r

n

and

c r

y Z c

r

n

c a r r

If c then c ar for some integer a and therefore y y Z

r n

n

We must now show only that conditions ad together with the assumption

c r

that y Z imply that c Supp ose that there exists a triple r n y such

r

n

c r

but that c Since r j c there that conditions ad are true that y Z

r

n

exists some prime q and a p ositive integer such that q j r but q j c By

q

e e

condition c there exists a prime p ower p j n such that q j p and y Z

e

p

e

If n is o dd then since p j n p is o dd If n is even then by condition d r

is o dd and therefore since q j r q is o dd But the fact that q is an o dd prime

e e e

which divides p implies that p is o dd since Thus whether n

is is even or o dd we may assume that p is an o dd prime and therefore that Z

e

p

cyclic Let g b e a generator of this group

a c r

e

Write y as y by assumption and therefore g for some integer a y Z

p

n

q

e c ac c r

e

Thus since q j p q j ac But since y Z Therefore g y Z

e

e

p

p

p

q

a

e

q j c and q is prime q j a Therefore y g Z But we have already

e

p

p

q

shown under the assumption that c that y Z This is a contradiction

e

r

p

and hence c as desired

r

We have not completely characterized the cases when r n y is consonant

When r and n are b oth even we have not seen the precise prop erties necessary

and sucient for r n y to b e consonant Although this case is not of great in

terest the results are stated for completeness The pro ofs are somewhat complex

and are omitted

Claim If r is even but j r then r n y is consonant exactly when the con

ditions ac of theorems and are met

CHAPTER THE ELECTION ENCRYPTION FUNCTION

Similarly if n is even but j n then r n y is consonant exactly when the con

ditions ac of theorems and are met

If j r and j n then let b e the greatest integer such that j r In this case

r n y is consonant exactly when j n the conditions ac of theorem

and are met and y

In particular n y is consonant whenever y Z and y Z This is the

n n

case used in the GoldwasserMicali probabilistic encryption metho d GoMi

describ ed in section

is expressible as Theorem If r n y is consonant then each w Z

n

c r

w y z for at most one integer c such that c r and at most one z Z

n

n

Pro of

c c r

1 2

Supp ose w y z y z for c c r and z z Z Since

n n

n

c c r r

1 2

we can form y z z y z z Z is a and Z and since z z Z

n

n n n

c c r

1 2

group y z z Z Since c c r jc c j r Since r n y is

n

n

consonant r j c c and hence c c Finally since Z is a group c c

n

implies that z z

n

Thus when r n y is consonant the residue classes

RC RC RC r

are all distinct and by lemma represent the entire set of residue classes

Prime Consonance

A particularly useful sp ecial case of consonance o ccurs when the rst comp onent

r of a consonant triple r n y is prime

Denition A triple r n y is said to b e prime consonant if r is prime and if

r n y is consonant

Theorem A triple r n y is prime consonant if and only if r is a prime

r

Z and y n

THE CONSONANCE PROPERTY

Pro of

If r n y is prime consonant then r is prime by denition Also y Z

n

r

r

by theorem a and y Z by theorem b Thus y Z

n n

Conversely if r is prime then either r j n or r and n are relatively prime

r

If r and n were relatively prime then by lemma Z Z would b e true

n n

r

r

Z implies that y Z and y Z Thus r j n But the assumption that y

n n n

If r is o dd the conditions of theorem are easily satised If r then since

r r

y Z and y Z jr n y j and therefore r n y is consonant

n n

Perfect Consonance

th

The next lemma shows how r ro ots mo dulo n can b e computed when r j n

r and nr are relatively prime and the factorization of n is known

r

Lemma If r j n r and nr are relatively prime and z Z then an

n

th A

r root of z modulo n is given by z mo d n where A satises Ar B nr

Pro of

Since r j n and since r and nr are relatively prime the Diophantine

equation Ar B nr has integral solutions A and B and such solutions can

easily b e computed by the extended Euclidean algorithm when the factorization

of n and hence n is known

r r

Therefore z x for some x Z Since z Z

n

n n

A r Ar r B nr r B nr r

z x x x x z

n n n n n

n

since a for all a Z

n

n

A th

Thus z is an r ro ot of z

r

Theorem If r j n r and nr are relatively prime and z Z then

n

th

z has exactly r distinct r roots

Pro of

e

e e

1 2

k

b e the prime factorization of n The multiplicative Let n p p p

k

e

e e

1 2 k

prop erty of the Euler totient function gives n p p Let p

k

e e

i i

there are exactly h r We will rst show that mo dulo each p h gcdp

i i

i i

th

r ro ots of

CHAPTER THE ELECTION ENCRYPTION FUNCTION

is cyclic Let g b e a generator of this group When p is an o dd prime Z

e

p

a e e

are expressible as g as a ranges in a p Thus the p elements of Z

e

p

a th ar

e

which is the case Now an element g is an r ro ot of if and only if g

p

e

if and only if p j ar But this is the case precisely when a is a multiple of

e e e

p gcdp r Thus the number of integers a in the range a p

a th e

for which g is an r ro ot of is exactly gcdp r Hence when p is o dd

i

e

th

i

the number of r ro ots of mo dulo p is exactly h

i

i

e

When p and is the largest p ower of which divides n then there

are two cases If r is even then the fact that r and nr are relatively prime

e e e

implies that nr is o dd Since is multiplicative and j n

e e r

e

for al l distinct and therefore j r Thus by Eulers theorem x

e e th e

Thus there are distinct r ro ots of mo dulo and x Z

e

e e e th

since divides r there are gcd r distinct r ro ots of mo dulo

e

e r r r

e e

and therefore that j x implies that x When r is o dd x

r r r

But x x x x x and the right hand term contains

r summands each of which is o dd since all elements of Z are o dd Thus the

e

e

e

is the right hand term is o dd This implies that j x and hence that x

th e e

only r ro ot of mo dulo Therefore there are once again gcd r

th e

distinct r ro ots of mo dulo Thus for any prime p the number of distinct

i

th

r ro ots of is exactly h

i

e

i

are relatively prime By the Chinese Remainder Theorem since all of the p

i

Q

th

h Now write r q q q the total number of r ro ots of mo dulo n is H

i

i

where the q are not necessarily distinct primes Since each prime q j r since

j j

Q

e e

i i

p then each prime q j p for some i r j n and since n

j

i

i i

Q Q

q are relatively prime each q can b e q and nr n Since r

j j j

j j

Q Q

h H Thus there are exactly q asso ciated with an h such that r

i j i

i j

th

r distinct r ro ots of mo dulo n

th

Finally by lemma there are exactly r distinct r ro ots of z for each

r

z Z

n

r

Corollary If r j n and if r and nr are relatively prime then jZ j

n

nr

DECIDING RESIDUE CLASSES

Pro of

th r

jZ j n and every x Z is an r ro ot of some z Z namely

n n n

r r th

z x Since by theorem every z Z has exactly r distinct r ro ots

n

n

r

jZ j nr as desired

n

Denition The triple r n y is said to b e perfect consonant if r n y is con

sonant and if r and nr are relatively prime

r

The following theorem characterizes the cosets of Z in Z when r n y is

n n

p erfect consonant

w is Theorem Let r n y be a perfect consonant triple and let w Z

n

c

expressible as w y z for a unique integer c in the range c r and a

n

r

unique z Z

n

Pro of

r

j nr A simple counting argument suces here By corollary jZ

n

and since there are r integers c in the range c r there are exactly n

c

pairs c z Since for every pair c z y z RC c by denition and since by

c

theorem no two distinct pairs corresp ond to the same y z Z there are

n

c

there j n Thus for every w Z But jZ at least n distinct y z Z

n n n

r c

exists exactly one pair c z with c r and z Z such that w y z

n

n

Therefore when r n y is p erfect consonant the residue classes

RC RC RC r

form a partition of Z

n

Deciding Residue Classes

Theorem shows that when r n y is p erfect consonant then every w Z

n

is a member of RC c for exactly one integer c in the range c r

Denition Let r n y b e a triple of integers For each w Z dene w

rny

n

or simply w when r n y is understo o d to b e the smallest nonnegative

c r

integer c such that w is expressible as w y z for some z Z When

n

n

there is no such c w

CHAPTER THE ELECTION ENCRYPTION FUNCTION

By theorem when r n y is consonant w is the unique c such

rny

that c r and w RC c when such a c exists and is otherwise By

theorem when r n y is p erfect consonant and w Z then w is

rny

n

always dened

In the case that r n y is p erfect consonant we would like to b e able to

when given a w Z determine w This will b e shown to b e eciently

rny

n

p

computable when r is of mo derate size and when the factorization of n and

therefore the value of n is known

We b egin this task with the following lemma

Lemma If r j n r and nr are relatively prime and w Z then

n

nr r

if and only if w w Z

n

n

Pro of

r nr r

such that w x Thus w then there exists an x Z If w Z

n n

n n

r nr n

x x by Eulers theorem

n n

nr

Conversely if w then since r and nr are relatively prime there

n

exist integers A and B such that Ar B nr Thus

Ar B nr r A nr B r A B r

w w w w w Z

n n n

n

as desired

Therefore given a w Z one can eectively determine the residue class of

n

c c r

w by checking w w y w y until a w y is found such that w y Z This

n

c will b e the w and will b e found after at most r trials since w is b ounded by

r

This metho d is not impractical for mo derately sized r however certain meth

o ds may b e employed to make this pro cess more ecient

Lemma Let r n y be a perfect consonant triple Let w Z and let A

n

B nr

and B be integers such that Ar B nr Then w is the

n

r

unique value such that and w

n rny rny

Pro of

Since r and nr are relatively prime there exist integers A and B such

that Ar B nr

c

By theorem since w Z w can b e written as w y z for some

n

n

r nr

z Z and by lemma z Thus

n n

DECIDING RESIDUE CLASSES

B nr cB nr B nr cAr cA r c c

z w y z y y y y

n n n n n

cA r r

where z y Z Thus w

n

n

Also

r B nr r B n B

w w

n n n n

r

Thus and is of the same residue class as w

n

th

Since by theorem there are exactly r integers which are r ro ots of

i

mo dulo n and since by the ab ove there is a in each of the r distinct residue

i

classes Thus the of any given residue class must b e unique

Denition We call the of lemma the canonical root of class c

If we are to decide the residue class of many distinct integers with resp ect to

a given r n and y lemma allows us to in one prepro cessing phase compute

the canonical ro ot of each residue class Afterwards we may determine the class

of a given w by computing the canonical ro ot of its class and lo oking up the

class of this in the precomputed list

A somewhat more ecient metho d of determining residue classes can b e

achieved by using the so called big step little step metho d Let b e

p

r computations the the canonical ro ot of the same class as a given y In O

p

bi r c

p

can b e constructed where list Thus by taking big

i n

r c b

th

steps markers can b e placed throughout the cyclic group of r ro ots of mo dulo

n Once the list is constructed a given can b e lo oked up by computing the

j

sequence until a is found which is on the previous list Such an

p p

r c Hence it takes O r log r entry will b e found by the time j reaches j b

p

mo dular op erations to compute and sort the initial list and O r log r mo dular

op erations to compute and search the list to nd the residue class of a given

element

The reader may observe the similarity b etween the problem of determining

the residue class of a canonical ro ot and that of evaluating discrete logarithms

mo dulo a prime Techniques for the latter problem can b e applied directly to

the former See PoHe Adle COS for work on the discrete logarithm

problem

Thanks to Jo e Kilian for p ointing out this trick

CHAPTER THE ELECTION ENCRYPTION FUNCTION

One nal p oint to b e made here is that if r rather than b eing prime is a

k

pro duct of small primes in particular r then the class of a given w with

resp ect to a given r n and y can b e computed in time p olynomial in log r This

k

can b e done by assuming r rst deciding which of w w y and w y is a

rd

cub e residue mo dulo n Let i f g b e the unique integer such that

i

i i i

2 1

w y is a cub e Let i f g b e the unique integer such that w y is

th

a residue Continue for k iterations It is not hard to see that each choice

taken gives a digit in the ternary representation of w

Evaluations and Decomp ositions

Denition For a given r let Z fintegers c c r g denote the set of

r

r

dene D nonnegative integers less than r For y Z b e the Z Z

r

n n

ny

pro duct group with the following somewhat unusual op eration

r

if and only if c Z and x Z c x D

r

n ny

c c x x mo d n if c c r

c x c x

c c r x x y mo d n if c c r

The rational for this rather bizarre op eration shall b ecome clear shortly First

r

however we shall see that D is a group

ny

r

Lemma D is a commutative group

ny

Pro of

r

It is easy to see that the element D is an identity

ny

By the denition of the op erator the rst comp onent is in Z and since

r

r

y Z the second comp onent is in Z Hence D is closed

n n

ny

It is not hard to see that the inverse of c x denoted by c x is given by

x mo d n if c

c x

r c x y mo d n if c r

Here if c

x x x x mo d n

and if c r then

c x c x c x r c x y mo d n

EVALUATIONS AND DECOMPOSITIONS

c r c r xx y y mo d n

r

To see that D is asso ciative we need only observe that

ny

c x c x c x

bc c c r c

1 2 3

c c c mo d r x x x y mo d n

c x c x c x

Finally the commutativity of addition and multiplication of integers and the

r

symmetry in the denition of imply that D is commutative

ny

r

We can b egin to understand why D is dened as it is by considering the

ny

following evaluation function

r c r

Denition Dene D by c x y x mo d n Z

n

ny

Lemma is a homomorphism

Pro of

r

Let c x c x D

ny

If c c r then

c x c x

c c x x mo d n

c c r

1 2

y x x mo d n

c r c r

2 1

mo d n mo d n mo d ny x y x

c x c x

If c c r then

c x c x

c c r x x y mo d n

c c r r

1 2

y x x y mo d n

c c r

1 2

y x x mo d n

c r c r

1 2

y x mo d ny x mo d n mo d n

c x c x

Thus is a homomorphism

CHAPTER THE ELECTION ENCRYPTION FUNCTION

r

Denition Given c x D c x is called the evaluation of c x Given

ny

w Z a c x such that c x w is called a decomposition of w

n

Remarks

r

A given w Z may have multiple decomp ositions in a given D It is

n

ny

clear however that when c r then w has a decomp osition of the

form c x if and only if w RC c

For a given r n and y it is easy to evaluate c x even if the fac

torization of n is unknown It may however b e far more dicult to nd

even a single decomp osition of a given w In fact simply computing w or

determining some c such that w RC c may b e hard

It should now b e somewhat clearer why the awkward op eration is used If

the normalization of the rst comp onent were not accompanied by normal

ization of the second comp onent then would not b e a homomorphism

If neither comp onent were normalized then it would not b e p ossible to

restrict the rst comp onent to elements of Z and without this restriction

r

r

it is very dicult to dene D so that is a homomorphism unless

ny

n is used and it may b e desirable to keep n private

By disclosing a decomp osition c x of a given w it is easy to show that

w RC c It will also b e imp ortant to b e able to show how the residue classes

of two given integers relate without giving their individual residue classes

Denition For convenience we dene the binary dierence c x c x of

r

two elements c x c x D by

ny

c x c x c x c x

The relevant feature of this op eration is that given decomp ositions c x

of w and c x of w one can show the residue class of w w by giving

c x c x which is a decomp osition of w w without directly revealing the

individual residue classes of w and w

THE ELECTION ENCRYPTION FUNCTION E

The Election Encryption Function E

At this p oint we may b egin the task of dening the election encryption function

E

Denition For each p ositive integer n dene the size of n by jnj dlog ne

Denition A pair of p ositive integers r n is said to b e exact consonant if r is

prime and if n is the pro duct of two distinct primes n pq with jpj jq j djnje

such that r j p r j p and r j q

Denition A triple of p ositive integers r n y is said to b e exact consonant if

r

the pair r n is exact consonant and if y Z Note that an exact consonant

n

triple is b oth prime consonant and p erfect consonant

We would now like to show that exact consonant pairs and triples are plentiful

easy to nd and can b e generated uniformly

Lemma Given any odd prime r an exact consonant pair r n with jnj

N together with the factors of n can be selected uniformly in expected time poly

nomial in N

Note that there exist no exact consonant triples r n y with r

Pro of

We b egin by noting that there exist practical random tests to determine

whether or not a given integer is prime The probabilistic primality tests of

Solovay and Strassen SoSt and Miller Mill are quite practical and

well suited for these purp oses and run in time p olynomial in the length of the

prosp ective prime The probability that these algorithms will when given a

comp osite assert that the integer is prime is exp onentially small in the number

of p olynomial time iterations p erformed Newer primality tests which never give

a false prime have b een developed by Goldwasser and Kilian GoKi and

Adleman and Huang AdHu These tests run in exp ected p olynomial time

in the length of the prosp ective prime but they are far less practical than the

earlier metho ds

The prime number theorem asserts that for x the number of primes

less than x is at least x log x A generalization of the prime number theorem

e

asserts that in any arithmetic sequence ax b with x a p ositive integer and a and

b relatively prime the density of primes within this sequence is roughly the same

as within the integers More precisely the probability that an element of size jpj

CHAPTER THE ELECTION ENCRYPTION FUNCTION

randomly chosen from within this sequence is prime is greater than p log p see

e

Kran

An integer q with jq j N such that r j q can b e uniformly chosen by

randomly selecting an integer b with b r and selecting q of size N from

the sequence r x b Similarly an integer p with jpj N such that r j p

and r j p can b e uniformly chosen by randomly selecting an integer b with

b r and selecting p of size N from the sequence r x br

An exact consonant pair can therefore b e generated by choosing p and q as

prescrib ed ab ove and checking for primality If p and q are not prime they are

discarded and another pair is chosen The general form of the prime number the

orem ensures that at least a N fraction of such p and of such q are prime Since

the selection and testing is p olynomial time and the number of pairs which must

b e examined is exp ected to b e p olynomial in N this pro cess requires exp ected

p olynomial time in N

Lemma Given any exact consonant pair r n together with the factors of

n an exact consonant triple r n y can be selected uniformly in expected time

polynomial in N jnj

Pro of

When r n is exact consonant by corollary precisely out of r of the

th

will are r residues Therefore uniform selection of y from Z members of Z

n n

th

yield a y which is not an r residue with probability r r Whether or

th

not a given y is an r residue can b e quickly tested given the factors of n by

lemma Thus exact consonant triples can b e uniformly selected in exp ected

p olynomial time in N by uniformly selecting among p ossible values of y until one

r

is found which is not in Z The exp ected number of trials to nd such a y is

n

just r r

Note that lemmas and do not together imply that for xed r

an exact consonant triple r n y can b e selected uniformly from among those

with jnj N This is b ecause the number of exact consonant triples asso ciated

with a given exact consonant pair r n is directly prop ortional to n Thus

even among the exact consonant pairs r n with jnj N larger values of n

will yield more exact consonant triples Thus for xed r uniform selection of n

followed by uniform selection of y do es not give uniform selection of an consonant

THE PRIME RESIDUOSITY ASSUMPTION

triple r n y A weighted selection scheme could yield such a uniform selection

pro cess Fortunately however the pro cess of rst uniformly selecting n such that

r n is exact consonant and then uniformly selecting y such that r n y is exact

consonant will b e suitable for the purp oses given here

We are now ready to dene an election encryption function

Denition Given an exact consonant triple r n y an election encryption func

tion E is dened to take a secret value s and a random value x and pro duce

rny

s r

E s x y x mo d n When there is no ambiguity the r n y will b e

rny

omitted

Note that where E is dened E s x s x

It is clear from lemma that if x is selected uniformly from Z then E s x

n

is a uniformly selected member of RC s Thus E s x serves as an encryption

of the secret value s which can b e decrypted by any agent which p ossesses the

factorization of n see section

This encryption metho d serves as a means of probabilistic encryption which

is very similar to that given in GoMi However since each encrypted value

represents the encryption of a message from a message space of size r instead

of size as in the GoMi scheme the size of a message which is represented

by a single encryption can b e much larger and therefore the ratio of plaintext to

ciphertext is much larger In fact for a given security parameter N the density

in the GoMi scheme is only N while in this scheme it is log r N log r

and thus can b e made arbitrarily close to by increasing r

This approach is describ ed in the app endix of BeYu

The Prime Residuosity Assumption

Section describ es how values may b e encrypted using an election encryption

function E and section shows how such an encryption function can b e de

crypted when the factorization of the asso ciated n is known We want it to b e

the case that it is dicult to decrypt an election encryption function when the

factorization of its n is unknown

Since the problem of distinguishing b etween residue classes together with all

problems which have b een used as the basis for publickey cryptography are in

the class of NP functions no nontrivial lower b ounds on their computational

CHAPTER THE ELECTION ENCRYPTION FUNCTION

complexity are known The b est that we are able to do is to make an assumption

ab out the diculty of some mathematical problem and prove theorems relative to

this assumption The assumption used here is the Prime Residuosity Assumption

Denition Let A b e a p ossibly probabilistic algorithm with input s and binary

output Let S and S b e sets and let p b e the probability that outputA

i

given that s S A is said to distinguish b etween S and S with advantage

i

if

jp p j

A is said to distinguish b etween S and S with condence if A distinguishes

b etween S and S with advantage

The terms advantage and condence are technically interchangeable

They do however have dierent connotations The term advantage will

b e used when is presumed to b e near and indicates a slight advantage at

distinguishing b etween sets The term condence will b e used when is

near and indicates a large advantage at distinguishing b etween sets

th

Denition A p ossibly probabilistic algorithm A is said to decide r residues

in p olynomial time if there exists some p olynomial P and innitely many p os

r

with a P N and Z itive integers N such that A distinguishes b etween Z

n n

advantage for at least P N of the exact consonant pairs r n with N jnj

in time b ounded by P N

The Prime Residuosity Assumption

The prime residuosity assumption asserts that for every prime r there ex

th

ists no probabilistic or deterministic algorithm A which decides r residues in

p olynomial time

Although we cannot prove the prime residuosity assumption we can argue

ab out its plausibility We b egin by showing that the ability to distinguish b etween

some pair of residue classes implies the ability to distinguish b etween every pair

of residue classes

Lemma Let r n y be prime consonant If one can distinguish between

the members of some pair of classes with an advantage in time polynomial in

jnj then one can distinguish between the members of any pair of classes with

condence ie with advantage in time polynomial in jnj r and

THE PRIME RESIDUOSITY ASSUMPTION

In fact the class of any element can be determined with condence in

this time

Pro of

Assume there exists such an algorithm A which distinguishes b etween two

p ossibly unknown classes with advantage in time p olynomial in jnj Let p b e

i

the probability that output A when the input to A is of RC i We b egin by

extensively sampling the output of A when given elements chosen uniformly from

each of the r p ossible residue classes By lemma we can uniformly select the

elements of any given class so this is not a problem

Supp ose that we run A on k uniformly selected elements of a given class

RC i The Chebyshev inequality implies that for a given the probability that

the observed fraction of trials for which outputA diers p by more than

i

Thus if we sample the output of A on k randomly selected is less than

2

k

with a probability of error less elements of RC i we can determine p to within

i

r

2

r

Let Q b e the number of times output A when given an element of than

2 i

k

Q

i

class i and let q That is q is the observed probability that output A

i i

k

with probability greater when given an element of class i Thus jq p j

i i

r

2

r

than

2

k

By rep eating this pro cess for each class we can construct an entire table of

As p erformance on each residue class We say that such a table is correct if for

each q in the table jq p j Since each of the individual entries exceeds

i i i

r

2

r

k trials on each of the r residue classes this b ound with probability less than

2

k

3

r

pro duces a table which is correct with probability greater than

2

k

By assumption there exists at least one pair of classes i and j which is

distinguished by A with advantage That is for at least one pair i j jp p j

i j

Thus given a correct table there exists at least one pair of entries q q such

i j

Fix i and j such that q and q are one such pair that jq q j

i j i j

r

and since the table contains a total of r values there Since jq q j

i j

r

dened by I m m with m b etween must b e some interval I of size

r r r

q and q such that no entry of the table falls in I Mark all of the table entries

i j

which are b elow I less than m with a Mark all of the table entries which are

ab ove I greater than m with a

r

An integer w whose class c is unknown will b e tested as follows Since Z

n

is a group lemma ensures that given an element w RC c an element z

CHAPTER THE ELECTION ENCRYPTION FUNCTION

uniformly selected from RC c can b e generated by selecting a random x Z

n

r

and forming w x mo d n Similarly since w RC c an element of RC c i can

i r

b e selected uniformly by selecting a random x Z and forming w y z mo d n

n

A statistical ngerprint of w will b e pro duced by sampling k elements from

each of RC c RC c RC c RC c r A new set of observed

probabilities q is obtained This ngerprint is said to b e correct if none of these

Note values diers from the asso ciated actual probability p by more than

r

that the values p are simply a reordering actually just a rotation of the

original probabilities p while the q represent a dierent set of observations and

i

therefore may have no relationship to the original q The probability for a given

i

2

r

Thus the probability that the nger print is less than j that jp q

2

r k

3

r

is correct is greater than Each entry of w s ngerprint which is less than

2

k

m is marked with a and each entry which is greater than m is marked with a

When given a correct table and a correct ngerprint neither the table entry

nor the ngerprint entry for a given pair will vary from the actual value by more

Hence they will not vary from each other by more than Thus than

r r

m contains no table entries no entry from since the interval I m

r r

the ngerprint of w will span I and b e marked with a resp when the

corresp onding table entry is marked with a resp

Now if the table and ngerprint are correct there is exactly one rotation of

the ngerprint such that its marks will match those of the table There is at least

one matching b ecause rotating the ngerprint by c p ositions causes the classes

and hence the markings to match If there were some other matching say a

p ositions then the markings would rep eat every g gcdr jc c j rotation of c

p ositions But r is prime thus either c c giving a unique residue class c

r

or g This latter case would imply that the marking sequence is constant

since it rep eats every g p ositions But this is imp ossible since it contains

by construction a in either the i or the j p osition and a in the other Hence

this pro cess determines c accurately when the table and ngerprint are correct

3

r

and this will o ccur with probability at least

2

k

To ensure that the condence is at least we simply choose k such that

3 3

r r

This is true when k Thus since by assumption each of the

2 2

k

k r trials can b e p erformed in time p olynomial in jnj the entire pro cess can b e

completed in time p olynomial in jnj r and as desired

THE PRIME RESIDUOSITY ASSUMPTION

In particular an algorithm which can gain an inverse p olynomial advantage at

distinguishing b etween some pair of residue classes can b e made to gain an inverse

p olynomial advantage at distinguishing b etween every pair of residue classes

Corollary Let r be a xed prime and let P be a polynomial Let A be

an algorithm which for some given prime consonant triples r n y distinguishes

between the members of some pair of classes with respect to r n and y with an

advantage of at least P jnj in time polynomial in jnj On those same prime

consonant triples one can distinguish between the members of any pair of classes

r

with condence in time polynomial in jnj r and In particular Z

n

can be distinguished with a P jnj advantage in this time and Z

n

Pro of

Apply lemma with P N

Adleman and McDonnell in AdMc see also APR Adle show that

th

an oracle which takes an r and a z and determines whether or not z is an r

residue mo dulo n can b e used to generate an ecient although not quite

th

p olynomial time algorithm to factor n The problem of deciding r residuosity

for a xed r is certainly no harder than factoring The result of Adleman

and McDonnell leads us to b elieve that the problems may b e of comparable

complexity

When n is the pro duct of two distinct primes computing n is computa

tionally equivalent to factoring n Miller shows in Mill that for general n the

two problems are p olynomial time equivalent assuming the Extended Riemann

Hyp othesis

th

One further lemma helps to argue that the sp ecial conditions of r residuosity

and exact consonance are closely related to other problems As in the quadratic

case the ability to extract ro ots is equivalent to the ability to split n as shown

by lemma

Lemma If there exists some prime divisor p of n such that r and p

r r

p are relatively prime and if x x for distinct x x Z then

n

n

gcdx x n is a nontrivial factor of n

Pro of

r r r r r r r r

Since x x x x Since x x and p j n x x and

n n n p

therefore by lemma x x x and x are however distinct mo dulo n

p

CHAPTER THE ELECTION ENCRYPTION FUNCTION

Hence p j x x and n j x x Thus gcdx x n is a nontrivial divisor

of n

In particular when r n y is prime consonant the ability to either compute

th

n or to extract r ro ots is computationally equivalent to the ability to factor

n

Elementary Elections

We are now ready to describ e an oversimplied metho d by which veriable secret

ballot elections can b e held The scheme presented here is riddled with cracks

and should not b e read as a claim of a secure metho d of holding veriable secret

ballot elections Instead the aim of this section is to provide an overview of

the metho d of elections that will b e describ ed in greater detail in subsequent

chapters

The scheme describ ed in this section will b e centralized A central government

is assumed to exist The government prepares an election encryption function

E as describ ed in section with r greater than the number of eligible voters

The government releases to the public the triple r n y allowing everyone to

compute E of any chosen values but keeps secret the factors of n

Each voter selects a random x Z and a vote s When s it denotes

i i i

n

a no vote and when s it denotes a yes vote Each voter then publically

i

releases the result w E s x By lemma w will b e a uniformly chosen

i i i i

member of RC for those voters who cast no votes and a uniformly chosen

member of RC for those voters who cast yes votes

Q

w mo d n will b e a member of a RC c By lemma the pro duct W

i

i

where c is equivalent mo dulo r to the sum of the classes of the released votes w

i

Furthermore by theorem this c is unique in the range c r But the

number of voters is less than r and each vote is either of class or of class

Thus the sum of these classes c is precisely equal to the number of yes votes

among the votes cast

The government can compute c W recall that W is public as in sec

tion and prove to the voters that W RC c by releasing a c and x such that

c r th c

W y x where x is an r ro ot of W y computed as in lemma

n

The government thereby convinces all participants and observers that the c

ELEMENTARY ELECTIONS

it releases is in fact the number of yes votes cast and is therefore the tal ly of

the election

There are of course many problems with this scheme These include but

are not limited to the following

There is no reason to b elieve that the government chose its election encryp

tion function as sp ecied in section

In fact if r and n are chosen to b e relatively prime then every W Z

n

c r

can b e expressed as W y x for any c of the governments choosing

n

Thus the government can claim any tally it desires

There is no reason to b elieve that the votes w cast by the voters are

i

chosen only from among elements of RC or RC

If a single voter casts as its vote a w RC for instance then

i

this one vote increments the tally of the election by Of course

the government could detect this digression but it may not wish to reveal

it

The government may even if honest unwittingly reveal information which

may allow some voters to determine the votes of others

For example the schema describ ed ab ove requires the government to reveal

th

an r ro ot of a quantity with which it is presented It may b e p ossible for

one or more voters to force the pro duct W towards a value for which a

c

ro ot of W y is already known and thus a distinct ro ot would allow the

factorization of n to b e determined In this schema it is not dicult for

the last voter of an election to direct things this way

The government knows how every voter voted

This information could b e revealed to others or used in an improp er manner

It is certainly undesirable for any agent to know the private information of

others

The government may halt the election at any time

If the government sees that the tally of an otherwise prop er election is not

to its liking it may refuse to reveal W Thus the tally of the election

remains unknown to its participants

CHAPTER THE ELECTION ENCRYPTION FUNCTION

The rst three problems describ ed here will b e addressed by the metho ds of

chapter The nal two problems will b e managed by the techniques of chapter

Chapter will tie these approaches together and give a complete faulttolerant

schema for holding veriable secretballot elections The schema is proven to

not only allay the concerns expressed ab ove but also to pro duce a tally which

is correct with extremely high probability It is also proven that distinguishing

b etween the votes of prop er voters who follow their proto cols is as dicult a

problem as deciding b etween residue classes It is thusly shown that the existance

of any algorithm which can even with the assistance of colluding participants

gain even an inverse p olynomial advantage at deciding b etween p ossible votes

among prop er voters is sucient to violate the prime residuosity assumption

Chapter

Interactive Pro ofs and the use of

Cryptographic Capsules

This chapter describ es a deceptively almost embarrassingly simple technique

that of cryptographic capsules which allows Alice to convince Bob that either X

or Y is true without giving Bob any information as to which is the case Capsules

are used in and further the capabilities of so called interactive proofs

The notion of interactive proofs was introduced and rst used by Goldwasser

and Micali in GoMi The ideas were further developed by the original authors

together with Fischer and Racko in FMR and GMR The fundamental

idea is an extension of the notion of a formal pro of to what might b e called a

convincing argument

Traditionally if Alice wants to convince Bob that a certain prop erty holds

say that a given y is a quadratic residue mo dulo a given n she could write out

a formal pro of of the fact which would likely include the factorization of n and

send the pro of to Bob This pro cedure is quite eective at giving Bob the desired

information but it might have an unwanted side eect of giving Bob additional

information such as the factorization of n

Instead Alice might b e able to convince Bob of some prop erty through an

interactive conversationperhaps by answering a number of challenges put for

ward by Bob In this way it may b e p ossible for Alice to convince Bob of the

validity of her claim without surrendering additional information

CHAPTER CRYPTOGRAPHIC CAPSULES

Some Interactive Pro ofs

Interactive pro ofs are a kind of electronic shell game Supp ose there is a ball

hidden under one of two shells Alice is allowed to scramble the shells and Bob

is then allowed to lo ok b eneath one of the two shells If this pro cess is rep eated

indenitely and if Bob each time randomly selects the shell to lo ok b eneath

then Bob will in all probability eventually nd the ball In fact it may b e

said that Bob will with extremely high probability nd the ball within a fairly

small number of trials If after many tries Bob has not found a ball he may

reasonably conclude that neither shell has a ball b eneath it This is true even

though Bob may never have lo oked b eneath b oth shells simultaneously

A more substantive example can b e drawn from the domain of chapter

Supp ose that Alice wants to select and reveal to Bob an n such that n pq where

p and q are distinct primes and jpj jq j Alice may pro ceed as in gure

Condence Parameter N

Alice selects N pairs of distinct primes p q such that jp j jq j

i i i i

and reveals the n p q to Bob

i i i

Bob selects a random index j and reveals j to Alice

For i j Alice reveals p and q

i i

Condence N

Figure Interactive pro of that an n pq where p and q are distinct primes

such that jpj jq j

If for all i j Alice has released p and q such that n p q p and q are

i i i i i i i

prime and jp j jq j then it may b e said that Bob is convinced that it is also

i i

the case that n p q where p and q are distinct primes with jp j jq j

j j j j j j j

Alice could only have defeated Bob by successfully predicting which j Bob

would select Since Bob selects j randomly and since there were N p ossible

values of j to choose from this could only b e done with probability N Thus

Bob may b e said to b e convinced that Alice could have only cheated him with

probability N Thus Bob is said to have condence N

Once this interactive pro of has b een completed Alice and Bob share a value

n for which only Alice p ossesses the factors but for which Bob is convinced that

SOME INTERACTIVE PROOFS

certain prop erties hold It may b e claimed that Bob has learned nothing from

the interactive pro of other than the fact that n satises these prop erties In

particular Bob has not b een given the factors of n

The approach used in this interactive pro of is very general and it may b e used

by Alice in many situations to convince Bob that an ob ject has a given prop erty

which is feasibly computable by Alice but not by Bob There are however two

principal shortcomings of this approach

First although Bobs condence may b e high it is dicult to make it very

high as is necessary for many applications The probability that Bob is fo oled

decreases only in inverse linear prop ortion to the number of ob jects prepared by

Alice

Second it is dicult to use this technique to show that a prop erty holds

ab out a sp ecic ob ject For instance it may still b e dicult for Alice to convince

r

Bob that a sp ecied z is in Z for xed n and r unless Alice is willing to reveal

n

th

to Bob the factors of n or an r ro ot of the sp ecied z

We shall show here some relevant interactive pro ofs which remedy these short

comings The rst is intended to b e somewhat introductory

r

An Interactive Pro of that z Z

n

th th

It is shown in chapter that p ossession of two distinct r ro ots of a given r

residue z is often sucient to split n into nontrivial factors In particular when

th

r n is exact consonant lemma shows that p ossession of two distinct r

ro ots is sucient to completely factor n In addition in such an elementary

election scenario of section the last voter could direct the outcome so as to

th th

force the government to pro duce an r ro ot of any desired r residue Thus the

th

nal voter could select a random x and force the government to release an r

r

ro ot x of z x Since x is chosen randomly and not revealed and since there

n

th

are r distinct r ro ots of z the probability that x x is r r Since r is

n

greater than the number of voters this probability is quite high Hence the nal

voter could manipulate the election in such a way as to with high probability

determine the factors of n and thereby determine the votes of other voters

In order to avoid this and related diculties it is desirable that the gov

r

ernment have some means of convincing others that a given z is in Z without

n

th

revealing an r ro ot of z or the factors of n We will limit ourselves here to

CHAPTER CRYPTOGRAPHIC CAPSULES

an intuitive argument as to why this approach do es not reveal undue informa

tion The formal pro of that privacy is not in any way compromised is deferred

to chapter

The essence of the interactive pro of of gure relies on two prop erties

r

rst the group structure of Z and second the fact that random pairs of the

n

th

form x z where x is an r ro ot of z can b e easily generated by anyone with or

without the factors of n

Condence Parameter N

Alice prepares N random pairs of the form x z where each x is

i i i

r

randomly chosen from Z and each z x

i n

n i

Alice reveals the z to Bob but keeps the corresp onding x concealed

i i

Bob selects a random subset S of the indices

For each i S Alice reveals to Bob x

i

th

For each i S Alice reveals to Bob xx where x is a xed r ro ot

i

of the z in question

N

Condence

r

Figure Interactive pro of that z Z

n

It can b e argued here that Bob has received no information since he has seen

only random x z pairs which he could have generated for himself It is also the

i i

r

and therefore case that it has b een proven to Bob that for each i S z Z

i

n

since Alice could not have foreseen which subset of indices Bob would choose

r

Bob can b e said to have b een convinced that z Z for at least one i S If

i

n

r

this were not the case then it would have to b e true that z Z for every i S

i

n

r

and z Z for every i S Thus Alice would have to have either known or

i

n

guessed the precise subset S to b e selected by Bob before revealing the z to Bob

i

N

Alice could guess such a subset of the N indices with probability only

th

In the last step Alice reveals the xx to Bob Each such xx is an r ro ot of

i i

r th

z z but b ecause of the group structure of Z an r ro ot of z z can only exist if

i i

n

r

either b oth z and z are in the group Z or if neither z nor z is in this group

i i

n

Thus having b een previously convinced that at least one of these latter z for

i

r r

i S is in the group Z Bob must conclude that z also is in Z

n n

SOME INTERACTIVE PROOFS

The only place where it app ears that Bob might gain some undue information

from Alice is in this last step This concern is however alleviated by again

r r

app ealing to the group structure of Z Since Z is a group the pairs xx z z

i i

n n

th

are to Bob random elements of Z together with their r p owers Once again

n

Bob could have generated such pairs for himself Thus it can b e argued that

r

b eyond b eing convinced that z Z Bob has learned nothing from the exchange

n

The limited disclosure of information seen in the interactive pro of of gure

is the essence of zeroknowledge as dened by Goldwasser Micali and Racko

in GMR The notion of zeroknowledge stems from the attempt to capture

the intuition that Bob has learned nothing from the interactive pro of b esides that

which is entailed by the claim of the pro of itself

One way in which to capture this intuition is to assert that it must b e p ossible

to simulate Alices actions in such a way that Bobs conversations with Alice

are indistinguishable from simulated conversations If this prop erty is true of all

p ossible agents who might take Bobs place in an interactive pro of with Alice

then in some sense no agent could learn anything from these conversations and

the interaction is deemed zeroknowledge

In the interactive pro of of gure for example Bob is convinced of the

r

as well as of consequences of this claim It is p ossible more claim that z Z

n

over to simulate Alices actions in this proto col since all of Alices actions are

r

indistinguishable from the release of randomly chosen pairs of the form x x

A simulator could therefore b e constructed which rst selects the set S of

indices exactly as Bob would Note that a dishonest agent in Bobs place might

not select S randomly but rather use some other means This do es matter as

long as S is generated exactly as the agent would The simulator then randomly

r

generates pairs x x with each x Z For all i S the simulator releases

i i

i n

r r

z x mo d n and for all i S the simulator releases z z x mo d r The

i i

i i

simulator then releases the set S Finally the simulator releases all x By

i

th th

construction for all i S x is an r ro ot of z and for all i S x is an r

i i i

ro ot of z z as desired

i

Thus no outside observer would b e able to distinguish the simulation from

an actual conversation b etween Alice and Bob This zeroknowledge prop erty

ensures in particular that Alice is not giving information to Bob which could

th

assist Bob in constructing an r ro ot of z

It should once again b e emphasized that although this is an app ealing ar

CHAPTER CRYPTOGRAPHIC CAPSULES

r

guement it is not a formal pro of We neither prove that z Z must b e the

n

case nor that Bob has learned nothing he shouldnt have in the exchange In

this chapter the interactive pro ofs presented will not b e accompanied by formal

pro ofs that they achieve the desired prop erties Instead arguments like the pre

ceding intuitive app eal will b e given The formal pro ofs that are required will b e

given as part of the full veriable secretballot election schema of chapter

An Interactive Pro of that w RC c

Given the interactive pro of metho d of section it is now easy to see how to

show that w RC c

rny

r

By denition w RC c if and only if there exists some z Z such

rny

n

c

that w y z Thus showing that w RC c is equivalent to showing that

n

c r

w y Z Hence w RC c can b e shown by using the interactive pro of

n

c r

metho d of section to show that w y Z

n

In particular theorem tells us that if r n y is consonant there exists at

c

most one integer c with c r such that w is expressible as w y z for some

n

r

z Z This c when dened is w Thus when r n y is consonant this

rny

n

metho d can b e used to show that w c

rny

An Interactive Pro of that w w

It will so on b ecome imp ortant to enable Alice to convince Bob that under the

assumption that r n y is consonant w w without revealing to Bob the

values of w and w This capability will b e used extensively as a comp onent

of subsequent interactive pro ofs

r

Lemma tells us that w w if and only if w w Thus an Z

n

interactive pro of that w w may b e achieved by using the interactive pro of

r

technique of section to show that w w Z

n

A uniform indistinguishability argument can b e used to show that this in

teractive pro of metho d gives an adversary no substantial information ab out the

value of w and w There are however subtleties to this argument since the

phrase gives an adversary no substantial information has not yet b een precisely

dened Once again these details will b e deferred

SOME INTERACTIVE PROOFS

An Interactive Pro of that r n y is consonant

We next give an interactive pro of metho d to show that a triple r n y is conso

nant This interactive pro of has an added b enet since by corollary when

r

r n y is consonant and r then y Z Thus the metho ds of this section

n

r

can b e used in many imp ortant cases to show that y Z Section will give

n

an improved interactive pro of metho d which can always b e used to show that

r

y Z

n

The key element of this interactive pro of is obtained from lemma which

states that when y Z there are r distinct residue classes precisely when

n

r n y is consonant and no more than r distinct residue classes otherwise

Thus Alice can convince Bob that r n y is consonant by demonstrating her

ability to distinguish b etween residue classes In particular when Alice is pre

sented with a w randomly chosen from one of the r residue classes RC RC RC r

she should always b e able to determine to which class w b elongs and give a

resp onse which matches Bobs exp ectation

This suggests the interactive pro of that r n y is consonant given in g

then by theorem a r n y is not consonant ure Note that if y Z

n

This condition is easily tested so we may assume that y Z

n

Condence Parameter N

Bob prepares N pairs c x where c is uniformly chosen from Z

i i i r

and x is uniformly chosen from Z and sends Alice the values w

i i

n

c r

i

c x y x mo d n

i i

i

Alice computes the c from the w and sends the c to Bob

i i i

N

Condence

Figure Interactive pro of that r n y is consonant

Lemma guarantees that each w is a uniformly selected member of RC c

i i

Lemmas and guarantee that if r n y were not consonant then w would

i

also b e a member of RC c for some c c with c r and that therefore

i

i i i

by lemma RC c RC c Since c was chosen by Bob uniformly from Z

i i r

i

Alice could only guess which of c or c or p ossibly other values was chosen

i

i

by Bob She would therefore have a probability of at most of guessing the

CHAPTER CRYPTOGRAPHIC CAPSULES

correct c on each of N trials Thus Alice would not b e able to duplicate the c

i i

N

exp ected by Bob with probability greater than

Despite its simplicity there is a problem here Alice is eectively acting as a

residue class oracle for Bob and may b e giving Bob useful information ab out the

class of one or more w for which Bob did not already know the class Thus there

i

is no hop e that this interactive pro of could satisfy the zeroknowledge criterion

To handle this problem we add an additional phase to the interactive pro of

whereby Bob convinces Alice that he already knows the class of an element

b efore Alice gives it

The interactive pro of of gure can b e used by Bob to convince Alice that

he knows the residue class of a chosen element

Condence Parameter N

c r

Bob prepares a pair c x and sends w c x y x mo d n to

Alice

Bob also prepares N pairs c x where c is uniformly chosen from

i i i

Z and x is uniformly chosen from Z and sends w c x

r i i i i

n

c r

i

y mo d n to Alice x

i

Alice selects a random subset S of the indices

For each i S Bob sends c x to Alice

i i

For each i S Bob sends Alice c x c x

i i

N

Condence

Figure Interactive pro of that a decomp osition of w is known

For any i if one is given b oth c x and c x c x then one can easily

i i i i

compute c x Thus Alice is convinced that Bob can compute c x Because

r

of the group structure of D however all that Alice sees are N completely

ny

r

random elements of D Thus it can b e argued that this interaction is of no

ny

help to Alice in attempting to compute c

A complete interactive pro of that r n y is consonant which is satisfactory

to b oth Alice and Bob can now b e given in gure

Notice the notion of security added here Informally the condence mea

sure indicates the level of faith of the verier Bob that it has not b een deceived

by the prover Alice The security measure indicates the level of faith of the

SOME INTERACTIVE PROOFS

Condence Parameter N

Security Parameter N

r

Bob uniformly selects N elements c x D

i i

ny

Bob sends Alice c x for all such c x

i i i i

For each i Bob uniformly selects N additional elements c x

ij ij

r

D and sends c x to Alice for all i j

ij ij

ny

Alice selects a random subset S of the i j indices

For each i j S Bob sends c x to Alice

ij ij

For each i j S Bob sends Alice c x c x

i i ij ij

Alice sends Bob c for all i

i

N

Condence

0 0

N N N

N Security

Figure Secure interactive pro of of consonance

prover Alice that it has not b een deceived by the verier Bob Note that the

verier is deceived if it is convinced of a claim which is not true while the prover

is deceived if the verier is able to gain information b eyond that which is entailed

by the claim

In the ab ove interactive pro of Bob could only gain additional information

by in one of N instances guessing in advance a subset of N elements selected

0

N

Thus the by the Alice Each subset could b e guessed with probability

0

N N

This gives the probability that none of the N subsets is guessed is

security level of the interactive pro of

Once again it is emphasized that these notions are not meant to b e formal

Formal denitions of condence and security will b e given as needed in chapter

Remark In most cases where Alice generates a triple r n y for use in an

interactive proto col it is sucient that Alice convince Bob that r n y is con

sonant A proto col may sp ecify that Alice select a p erfect consonant or even an

exact consonant triple This is generally to enable Alice to easily decide residue

classes or to make deciding classes dicult on average for Bob by making n

dicult to factor for instance Thus in these cases Alice need not convince

CHAPTER CRYPTOGRAPHIC CAPSULES

Bob of p erfect consonance or exact consonance as it is only to her disadvantage

to violate these conditions It is however necessary for Alice to convince Bob of

consonance since violation of this prop erty may allow Alice to cheat Bob

Cryptographic Capsules

A cryptographic capsule or simply capsule is a randomly ordered collection of

ob jects each of which is of some sp ecied form The order of the elements of

the capsule is randomly p ermuted to hide which element is of which type or

alternately some easily computable ordering function such as can b e applied

to the capsule to obscure the original ordering

A simple example of a capsule is a pair of integers one of which is even and

one of which is o dd eg This capsule however is not very interesting

b ecause it is readily apparent which is the o dd integer and which is the even

integer

A somewhat more useful capsule may b e an unordered pair of integers

fn n g with n p q where p and q are each primes congruent to mo dulo

and n p q where p and q are each primes congruent to mo dulo

If we assume that distinguishing b etween these two cases is hard then this

suggests a simple metho d for ipping a coin over a telephone Alice prepares

such a pair and transmits it to Bob Bob then selects one element from the pair

and transmits his choice to Alice nally Alice reveals the factors of b oth n and

n to Bob We may say that the coin ip is heads if Bob chose the element with

factors congruent to mo dulo and tails otherwise

This is not an ideal example since Alice could have simply transmitted a

single integer of one of the two preceding classes and asked Bob to guess which

class it was from The real p ower of capsules comes from the ability to prove

interactively that a capsule is of the required form without the need to later

reveal secret information ab out its contents

Capsules and Residues

Many of the interesting uses of cryptographic capsules are found when their con

tents consist of members of two or more residue classes as describ ed in chapter

CAPSULES AND RESIDUES

r

An Interactive Pro of that y Z

n

Section gave an interactive pro of metho d to show that a triple r n y is

r

consonant This has the fringe b enet of also showing that y Z since this is

n

always the case when r n y is consonant and r It is however not always

r

the case that y Z implies that r n y is consonant We want therefore

n

to give a somewhat more general interactive pro of metho d which can always b e

r

used to show that y Z whenever it is in fact true

n

There is another reason for which we would like to reexamine the interactive

pro of metho d of section With that metho d Alice must decide the residue

class of many distinct values This may b e a cumbersome task for Alice since she

p

has r distinct classes to choose from and even the b est metho ds use O r log r

op erations

The burden on Alice can b e eased substantially by limiting the p ossibilities

to two Alice is presented either with a member of RC or a member of RC

r

and asked to decide which is the case This is sucient to show that y Z

n

r

RC RC since when y Z

n

As in the interactive pro of of section Bob could simply present Alice

with randomly chosen members of RC and RC and ask her to distinguish

b etween them Once again however by doing this Alice could b e acting as a

residuosity oracle for Bob and might b e giving Bob undue information

To alleviate this problem Bob must convince Alice that he knows the

class of a w b efore presenting it to Alice without giving away the class to Alice

Furthermore Bob must prove to Alice that w f g again without

rny

giving away which is the case If Bob fails to do this and presents Alice with a w

for which w then Alice may b e forced to search for w or to go through

a cumbersome pro cedure to accuse Bob of cheating

To accomplish these tasks cryptographic capsules can b e used as in gure

Unless Bob were able to guess in advance the subset of capsules which Alice

designates to b e op ened Bob would not b e able to p erform the required decom

p ositions without b eing able to determine the class of w by himself Bobs chance

N

of guessing such a subset is only

The imp ortance of Bob b eing able to demonstrate that his value is a legitimate

member of RC or RC without revealing which should not b e lost here as

this is one of the fundamentals which will b e used later to enable secretballot

CHAPTER CRYPTOGRAPHIC CAPSULES

Condence Parameter N

Bob prepares a pair c x such that c f g and x Z and sends

n

c r

w c x y x mo d n to Alice

Bob also selects N additional values and and sends to Al

i i

ice N capsules each consisting of in random order the pair u

i

r r

mo d n and v y mo d n

i i i

i i

Alice designates a random subset of the capsules and demands that

they b e op ened

Bob op ens these capsules by presenting Alice with a decomp osition

of each comp onent of the capsule

For each remaining capsule Bob selects

u if c

i

i

v if c

i

and shows that is of the same residue class as w by presenting

i

Alice with a decomp osition of the quotient w

i

N

Condence

Figure Interactive pro of that w f g

elections to b e made veriable

Once Bob has completed the interactive pro of of gure Alice should b e

convinced that Bob knows w and that w f g Thus Alice should b e

willing to provide w to Bob

If RC RC were true then Alice would only have a chance of

presenting Bob with the class he exp ects Thus by rep eating the entire pro cess

N

N times Bobs condence can b e elevated to Therefore b oth Alice

and Bob should b e satised by the interactive pro of of gure

An imp ortant sp ecial case o ccurs when r Here Alice interactively proves

to Bob that a given y is not a quadratic residue mo dulo n In this case in fact

there is a symmetry b etween multiplication and division so the entire interactive

pro of can b e completed without computing inverses The interactive pro of given

here represents a signicant simplication of the original interactive pro of of

quadratic nonresiduosity given in GMR

CAPSULES AND RESIDUES

Condence Parameter N

Security Parameter N

Bob randomly selects N values c f g and x uniformly from Z

i i

n

c r

i

and sends Alice the N values w c x y mo d n x

i i i

i

With each w Bob randomly selects N additional values and

i ij

and sends to Alice N capsules each consisting of in random

ij

r

mo d n and v order the pair u

ij ij ij ij

ij

r

mo d n y

ij

Alice designates a random subset of the capsules and demands that

they b e op ened

Bob op ens these capsules by presenting Alice with a decomp osition

of each comp onent of the capsule

For each remaining capsule fu v g Bob selects

ij ij

u if c

ij i

ij

v if c

ij i

and shows that is of the same residue class as the asso ciated w

ij i

by presenting Alice with a decomp osition of the quotient w

ij

i

Alice tells Bob to which class each w b elongs

i

N

Condence

0 0

N N N

Security N

r

Figure Interactive pro of that y Z n

CHAPTER CRYPTOGRAPHIC CAPSULES

An Interactive Pro of of Prime Consonance

r

The interactive pro of that y Z given in the previous section can also to used to

n

show that a triple r n y is prime consonant This is true since by theorem

r

when r is prime and y Z then y Z is sucient to imply that r n y is

n n

prime consonant The rst two of these conditions are easily veriable so by

entering into the interactive pro of of section Alice can convince Bob that

a triple r n y is prime consonant

This interactive pro of technique can b e more ecient than the general in

teractive pro of of consonance given in section This is b ecause for each

challenge w presented to Alice by Bob Alice need only decide the class of w from

among two p ossible residue classes RC and RC instead of from among all

r p ossible residue classes

Resultindistinguishable Residuosity

GHY generalizes the result of GMR in such a way that an observer Carol

watching the proto col b etween Alice and Bob gains no information from the

proto col as to whether Alice convinced Bob that a given z was or was not a

quadratic residue The key addition to the proto col of GMR is the inclusion

of a third set of p ossibilities Instead of choosing w from among just the two sets

X RC and Y RC Bob may select from an additional set Z Z consists

of elements of the same class as z and members of Z can b e randomly generated

by multiplying z by randomly chosen members of Z

n

By using threecomp onent capsules the proto col given in GHY can b e

simplied tremendously Bob simply prepares N master capsules C each con

i

sisting of one member of each of X Y and Z For each C Bob also prepares

i

N additional scratch capsules of the same form Alice designates some subset of

the scratch capsules and Bob op ens these Bob then matches the comp onents of

each scratch capsule with C That is on each scratch capsule Bob links element

of X with the element of X in capsule C the element of Y with the element of

Y in capsule C and the element of Z with the element of Z in capsule C Bob

does not tel l Alice which link is which Bob then demonstrates that each link is

valid by decomp osing the quotient of each pair of linked elements to show that

each such quotient is a residue Alice now convinced that C was generated as

required tells Bob which capsule comp onent is of a class dierent from the other

CAPSULES AND RESIDUES

two thus transmitting to Bob the class of z

The chance of Alice b eing fo oled into revealing excessive information to Bob

0

N

is only in The chance of Alice fo oling Bob in one iteration of this proto col

N

is so by iterating the pro cess N times Bob can obtain condence

that he has not b een misled Finally a symmetry argument shows that Carol

receives absolutely no information from watching this proto col that she could not

have obtained on her own

Graph Nonisomorphism

One example in which capsules are useful without the aid of residue classes is

seen in a proto col for graph nonisomorphism given in GMW Their original

proto col closely followed the nonresiduosity proto col of GMR In GMW

a prover designates a graph H given by the verier as either a p ermutation of

graph G or of graph G after b eing convinced that the verier already holds

such a p ermutation

A simpler proto col is obtained by incorp orating capsules in a manner similar

that describ ed in section Residue classes are replaced by the equivalence

classes induced by graph isomorphism and class equivalence is demonstrated by

exhibiting p ermutations Thus capsules each consisting of a p ermutation of

G and a p ermutation of G are used to interactively prove that a given graph

H is a p ermutation of either G or G

Bo olean Circuit Satisability

Recently also in GMW Goldreich Micali and Wigderson gave a simple and

elegant zeroknowledge interactive proto col as dened in GMR to prove for

any k that a graph is k colorable without revealing any information ab out a

sp ecic coloring assuming that the prover p ossesses a k coloring of the graph

Because k colorability is NP complete this implies that any p ositive instance of a

problem in NP for which a prover holds a certicate eg a satisfying assignment

for a Bo olean formula can b e reduced to graph colorability and shown in a zero

knowledge fashion to b e a p ositive instance The only assumption made is the

existence of a probabilistic cryptosystem and this is implied by the existence of

a oneway p ermutation see GoMi andYaob

CHAPTER CRYPTOGRAPHIC CAPSULES

In this section we shall examine an alternate approach which gives the same

result by a very dierent metho d The metho d uses capsules to give a zero

knowledge proto col to interactively prove that a given Bo olean formula or arbi

trary Bo olean circuit with indegree has a satisfying assignment Brassard and

Crep eau in BrCr indep endently of b oth this work and GMW have achieved

the same result and Chaum in Chaua has also indep endently achieved a very

similar result

The ma jor advantage of this metho d over the original is eciency When

a Bo olean formula or circuit is reduced to a colorability graph the number of

vertices and edges in the resulting graph is linear in the size of the Bo olean

formula Each stage of the interactive pro of proto col of Goldreich Micali and

Wigderson however requires a new encryption of the entire graph and for any

xed condence level desired their proto col requires a number of stages which

is linear in the number of edges in the graph Thus the number of probabilistic

encryptions required by this proto col grows quadratically with the size of the

graph or circuit Because of the lo cal nature of the metho d presented b elow re

encryption is not necessary and the number of probabilistic encryptions required

grows only linearly with the size of the circuit or graph

The ma jor disadvantage of this metho d compared to the original metho d is

that the new pro cedure requires a seemingly stronger cryptographic assump

tion Although b oth metho ds require a probabilistic encryption function such as

the residue class based probabilistic encryption of GoMi the metho d given

here requires a probabilistic encryption function for which two encrypted values

can b e proven in a zeroknowledge manner to b e encryptions of the same value

Although this prop erty is easily achieved by the residue class based probabilistic

encryption Lemma it is not at all obvious that every probabilistic en

cryption function has this prop erty However by observing that the problem of

inverting a probabilistic encryption function is itself in NP the original Goldre

ich Micali and Wigderson result can b e applied to show that the cryptographic

assumption required here is in fact no stronger than the assumption of the

existence of an arbitrary probabilistic cryptosystem

The Satisability Scheme

The basic idea of the scheme is again deceptively simple If Alice wants

to prove to Bob that a given formula is satisable and Alice has a satisfying

CAPSULES AND RESIDUES

assignment Alice b egins by choosing an n which is the pro duct of two large

primes and providing Bob with n and a y with Jacobi symbol which is not a

quadratic residue mo dulo n This is merely the establishment of a Goldwasser

Micali probabilistic encryption function The fact that y has Jacobi symbol

with resp ect to n can b e veried by Bob without Alices assistance Alice

can convince Bob that y Z by engaging in the nonresiduosity proto col of

n

section

Alice then draws a circuit to compute the Bo olean function in the obvi

ous way selects a satisfying assignment and sends Bob an encryption of this

assignment For each variable Alice sends Bob a random member of RC if

that variable is FalseO and a random member of RC if that variable is

TrueOn Alice then encrypts the output of each gate of the circuit in the

same manner and sends Bob these encrypted values as well

For each gate in the circuit Alice then interactively proves to Bob that the

gate computes the required function The computation of an AND gate will b e

shown here and other Bo olean functions should b ecome apparent

To prove that a given gate computes an AND on its inputs a full truth table

for AND is used There are of course four p ossibilities either b oth inputs and

the output are the rst input is the second is and the output is the rst

input is the second is and the output is or b oth inputs and the output are

Fourcomponent capsules are prepared such that each of these four inputoutput

cases is represented by one of the four comp onents of each capsule Each case

is represented by an ordered triple containing random members of the residue

classes corresp onding to these values A capsule for AND would b e a fourelement

unordered set consisting of four ordered triples whose elements are members

of residue classes RC RC RC RC RC RC RC RC RC

and RC RC RC

Let G b e an arbitrary gate with inputs marked with and and an output

marked with Each of and is a random member of RC c if and only if the

actual value of the inputoutput is c Let f b e the function computed by gate G

To prove that a gate G computes the claimed function f Alice must

show that f To accomplish this Alice prepares many capsules

of the form describ ed for an AND gate ab ove and Bob selects an arbitrary subset

to b e op ened Alice op ens these capsules by giving Bob a decomp osition of each

element of each triple of each comp onent of each capsule Alice then proves that

CHAPTER CRYPTOGRAPHIC CAPSULES

each unop ened capsule matches G by selecting one of its four comp onents call it

and presenting Bob with a square ro ot of each of the three quotients

and

Finally Alice interactively proves that the output of the circuit is by proving

that this value is a nonresidue as in section

Remark Some gates may b e computed without the need for an interactive

pro of For example an encrypted value may b e complemented simply by multi

plying it by y and the XOR of two or more encrypted values is represented by

their pro duct

If it were also p ossible to compute AND gates or OR gates without interactive

pro ofs then the satisability of any given circuit could b e demonstrated with a

single interactive pro of that the value of the circuit output is Unfortunately

no encryption homomorphism is known which allows the direct computation of

an expressively complete set of b o olean functions

Basic Elections

We are now ready to make our second pass at secretballot elections Most of the

problems raised in the elementary election scenario of section are addressed

here The centralized government do es however remain As an additional con

venience we assume here the existence of a universally trusted source of random

bits a socalled beacon see Rabia Although it will not b e necessary to

use a b eacon it is a simpler mechanism than that which will ultimately b e given

A b eacon may b e pro duced as the outcome of some natural event which dees

prediction such as the low order bit of a geigercounter sampling in a radioactive

environment a measurement of sunsp ot activity or a seismographic reading

In this scheme V is the set of eligible voters and r is a xed prime chosen

such that r jV j

The improvements over the elementary election scenario exhibited here are

mainly due to the incorp oration of interactive pro ofs to give condence that

at various stages agents are p erforming as required In particular votes are

prepared by forming a capsule or ballot consisting of a no vote and a yes vote

BASIC ELECTIONS

In this schema an integer w is said to b e a no vote if w RC and a

yes vote if w RC A capsule can b e interactively proven to consist of a no

vote and a yes vote by an interactive pro of metho d which is nearly identical to

the interactive pro of that w f g from section Recall that in that

interactive pro of metho d an integer w is chosen uniformly from either RC or

RC and interactively proven to b e of that form by relating w to capsules each

of which contains one element from each of RC and RC

We could simply use the same interactive pro of metho d and allow such a w

to then b e used as the vote but we wish to allow the interactive pro of to b e

p erformed b efore the voter is forced to decide which way to vote To do this

easily we allow each voter to prepare a master ballot capsule consisting of a

no vote and a yes vote and many similar scratch ballots to b e used in the inter

active pro of A random subset of these capsules are demanded to b e op ened

decomp osed and each remaining scratch ballot is related to the master ballot

by demonstrating that their comp onents are of the same residue classes either

matched directly or matched in reverse order

After this interactive pro of is complete the voter may select one of the two

votes from the master ballot as the vote to b e cast in the election Other partic

ipants should b e convinced that the vote cast is legitimate either a no vote or a

yes vote without discovering which is the case

The basic election schema is given in gure

The function check used in the schema is dened to b e go o d exactly when

agents actions are sup ercially consistent with their proto cols In particular

check is dened to b e go o d if and only if a voter successfully completes the

V

interactive pro of in phase to show the legitimacy of its master ballot and then

selects a vote from its master ballot as the vote to b e cast in phase We do

not want to include in the tally votes cast by voters who have not demonstrated

their legitimacy

The check function is simple for all agents to compute and can b e precisely

dened Its precise denition is however quite cumbersome and will not b e

given here A complete sp ecication of the more general check function used in

the full veriable secretballot election schema will b e given along with the full

schema in chapter

The advantages achieved by this election schema over the schema outlined

in section are mainly in the area of veriability The interactive pro ofs en

CHAPTER CRYPTOGRAPHIC CAPSULES

Phase executed by government

Release a randomly chosen pair n y such that r n y is exact con

sonant Voters may challenge the consonance of r n y by engaging

the government in the interactive pro of of section up to jnj times

each

Phase steps executed by each voter V V

a Let djnj log jV je For i randomly select Z

i i

n

and release as ballot B the capsule consisting of the two numbers

i

r r

mo d n in random mo d n and v u

i i i i

i i

order

b Use b eacon to generate random bits b f or i

i

c For all i such that b reveal and For all i such that b

i i i i

reveal and mo d n

i i

Phase executed by each voter V V

Select one element of its B as its actual vote w To vote yes select

r r

w y To vote no select w

Phase executed by government

Q

w mo d n Compute G f check go o dg and W

V

G

Reveal t W and use the interactive pro of metho d of section

to show that t RC W

The value of t represents the number of yes votes cast in the election

Figure The schema for elections with a government

BASIC ELECTIONS

sure the legitimacy of the governments encryption function and the votes cast

and ultimately the correctness of the tally Even collusion b etween dishonest

voters and a corrupt government is not sucient to convince honest voters of an

incorrect tally

There is also some measure of privacy since the vote cast by each voter is

indecipherable by other voters Thus if the government can b e trusted to main

tain the privacy of votes then the schema given here is sucient to enable the

conducting of veriable secretballot elections

The main diculty left to b e addressed is the governments ability to see

how each voter voted This alone gives a government extraordinary p ower to

compromise privacy to apply co ercion to voters or to halt elections which would

yield an undesirable tally

The metho ds of chapter will show how to divide an entity such as a gov

ernment into many constituent comp onents such that no set of fewer than a

predetermined number of the comp onents can obtain any useful information

ab out a given pro cess Chapter will show how this metho d can b e applied to

elections in order to prevent deciphering of individual votes

Chapter

Secret Sharing Homomorphisms

In Blakley and Shamir indep endently prop osed schemes by which a secret

can b e divided into many shares which can b e distributed to mutually suspicious

agents If at least some predetermined number of these agents p o ol their shares

they can reconstruct the secret If however fewer than this number of agents

p o ol their shares they obtain no information whatso ever ab out the secret

This chapter describ es a homomorphism prop erty attained by these and sev

eral other secret sharing schemes which allows multiple secrets to b e combined

by direct computation on shares This prop erty reduces the need for trust among

agents and allows secret sharing to b e applied to many new problems One ap

plication describ ed here gives a metho d of veriable secret sharing which is much

simpler and more ecient than previous schemes A second application gives the

nal piece which allows the construction of a faulttolerant metho d of holding

veriable secretballot elections

Threshold Schemes

In Shamir in Sham dened the notion of a threshold scheme often

called a secret sharing scheme

Shamir denes a k n threshold scheme to b e a division of a secret D into n

pieces D D in such a way that

n

knowledge of any k or more D pieces makes D easily computable

i

CHAPTER SECRET SHARING HOMOMORPHISMS

knowledge of any k or fewer D pieces leaves D completely undetermined

i

in the sense that all its p ossible values are equally likely

The pieces of a secret are often called shares

Since several dierent threshold schemes have b een prop osed see Blak

AsBl and Koth for some examples and they have proved to b e useful in

a wide variety of interactive proto cols The threshold scheme originally prop osed

by Shamir in Sham is the b est known and is very simple and elegant It is

based on p olynomial interpolation and evaluation and for completeness it will

b e sketched here

Shamirs Threshold Scheme

It is well known that given any eld F any set of k distinct values

x x x F

k

and k additional values

y y y F

k

there exists a unique p olynomial P of degree at most k with co ecients in

F such that for all i P x y This unique p olynomial P is said to b e the

i i

interpolation of the p oints x y

i i

Shamirs threshold scheme xes F to b e a nite eld and enables the sharing

of a secret s F To accomplish this a p olynomial of degree up to k with

constant term s is randomly selected This can b e done by randomly selecting

k co ecients c F and forming

i

k

P x c x c x s

k

th

The i share of s is then computed as t P i

i

It is not hard to see that as long as the number of shares is less than jFj

the following conditions hold any k shares are sucient to interpolate the

p olynomial P and thereby construct the secret s and k or fewer shares

leave s completely undetermined since for any set of k shares and any p ossible

secret s F there exists exactly one p olynomial P which interpolates the k

known shares together with the p oint s and which has degree at most k

THRESHOLD SCHEMES

Denition For convenience we use the notation jjht t t ijj to denote the

n

secret dened by the shares t t t in Shamirs scheme That is jjht t t ijj

n n

is the value at of the minimum degree p olynomial P passing through the p oints

i t

i

We may now b egin to formally dene a threshold scheme

Denition We say that G A B is a random function if for each a A Ga

is a random variable with a given probability distribution over B

Denition Let a A and b B b e elements of A and B resp ectively We

G

write Proba b read the probability that a yields b under G to denote

ProbGa b

Let S b e the domain of p ossible secrets and let T b e the share domain The

following denition asserts that given some partial set of shares a given secret

yields this set with a probability equal to that with which the secret yields some

set of shares containing the partial set

Denition Given a set I fi i i g f ng together with values

n th

value of an ntuple in T such that the value represents the i

i i i i

j 1 2

j

we dene

X

G G

Proba Proba t t t

i i i n

1 2

n

where the sum is taken over all ntuples in T such that for all i I t

i i

We are now ready to dene a k n threshold scheme

n

Denition A k n threshold scheme consists of a random function G S T

k

and a collection of functions F T S dened for each I f ng with

I

jI j k

These functions satisfy the following three prop erties

The functions G and F for all I are computable in p olynomial time

I

Let t t t b e a value of Gs for some s S Then for all I

n

fi i i g f ng with jI j k

k

F t t t s

I i i i

1 2

k

Let t t t b e a collection of k shares Then for all s s S

i i i

1 2

k 1

G G

Probs t t t Probs t t t

i i i i i i

1 2 1 2

k 1 k 1

CHAPTER SECRET SHARING HOMOMORPHISMS

The rst condition implies that secrets can b e eciently divided into shares

and reconstructed from the shares The second implies that any subset consisting

of k of the n shares determines the same secret as do es any other subset Finally

the third condition implies that no set of fewer than k shares gives any information

whatso ever ab out the secreteven if partial a priori information ab out the secret

exists

The Homomorphism Prop erty

Denition Let and b e arbitrary binary functions on elements of the secret

domain S and of the share domain T resp ectively We say that a k n threshold

scheme has the homomorphism prop erty or is homomorphic if for

all I whenever

s F t t t

I i i i

1 2

k

and

s F t t t

I

i i i

1 2

k

then

t t s s F t t

i I i

i i 1

k

1

k

This prop erty implies that the comp ositions of the shares of the secrets are

shares of the comp osition of the secrets

The following diagram shows how a set of m secrets s s s can b e

m

th th

divided into shares such that t represents the i share of the j secret s

ij j

s s s s

m

t t t t

m

t t t t

m

t t t t

n n n nm

th

Each t is computed as the comp osition under of all of the i shares

i

The value s is computed as the comp osition under of the secrets s and this

j

value is also computable as the secret dened by the comp osite shares t

i

Denition The value s formed as the comp osition under of the secrets

s s s is called the composite secret and the secrets s s s are called

m m

COMPOSITE SECURITY

constituent secrets The shares t of the constituent secrets are called constituent

ij

shares and the values t formed as the comp ositions under of the constituent

i

shares are called composite shares

The homomorphism prop erty can now b e restated as the composite shares

are shares of the composite secret

Lemma Shamirs threshold scheme is homomorphic where the addi

tion is dened over the integers modulo p

Pro of

Let P x and P x b e two p olynomials each of degree at most k for some

p ositive integer k Recall that with Shamirs scheme these p olynomials dene

th

the secrets P and P resp ectively and the i shares of these secrets are

given by P i and P i resp ectively

Now consider the p olynomial P x P x P x Since b oth P x and

P x are of degree at most k their sum P x is also of degree at most

k Also for all i P i P i P i By the interpolation theorem for

any subset of k of the p oints i P i there is a unique p olynomial of degree at

most k which interpolates these p oints Since P x is of the prop er degree

and passes through these p oints every set of k p oints i P i interpolates to the

p olynomial P x This p olynomial determines the secret P which is equal to

P P Thus Shamirs scheme is homomorphic

Comp osite Security

One use for the homomorphism prop erty of section is to allow for the com

putation of a comp osite secret without ever revealing the constituent secrets

This may b e desirable in a number of circumstances in which computation on

secret data is desired RAD Yaoa Feig and GMW discuss prob

lems of this sort and it will b e seen that veriable secret sharing and veriable

secretballot elections can b e mo deled in this way

It seems however that the homomorphism prop erty is not strong enough for

these applications We want it to also b e the case that up to k complete sets

of constituent shares together with al l of the comp osite shares and therefore the

comp osite secret give no more information ab out the constituent secrets than

CHAPTER SECRET SHARING HOMOMORPHISMS

do es the comp osite secret alone Thus if a homomorphic threshold scheme

is used to generate a comp osite secret from the shares of constituent secrets then

no set of up to k dishonest shareholders could gain any information at all

ab out the constituent secrets other than that which is given by the comp osite

secret alone Since it is assumed that the comp osite secret is to b e given and

that it might give some partial information ab out the constituent secrets this

is the b est that could b e hop ed for

Without this prop erty it is conceivable that conspiring shareholders could

gather the information released by honest shareholders ie the comp osite shares

and use this information in order to construct at least partial information ab out

the constituent secrets If conspirators could accomplish this then there is no

p oint to comp osing the shares and releasing only a comp osite share as the only

purp ose of this comp osition is to protect the constituent secrets

Assume without loss of generality that the rst k shareholders wish to

conspire in order to obtain additional information ab out the constituent secrets

s s s The following diagram shows all of the values directly available to

m

the conspiring shareholders

s

t t t t

m

t t t t

m

t t t t

k k k k m

t

k

t

k

t

n

We want it to b e the case that these values do not assist the conspirators in

gaining information ab out the values s s s b eyond that which is given by

m

s alone

Denition We say that a homomorphic threshold scheme is

composite if for every table of the ab ove form and for all values s the probability

j

that the s represent the constituent secrets is the same as this probability when

j

given only the value of the comp osite secret s

COMPOSITE SECURITY

The following theorem is somewhat surprising

Theorem If the secret domain S and the share domain T are nite and of

the same cardinality then every homomorphic k n threshold scheme is

a composite k n threshold scheme

Pro of

Consider the following diagram of values available to the rst k share

holders

s

t t t t

m

t t t t

m

t t t t

k

k k k m

t

k

t

k

t

n

By the denition of a threshold scheme the k sets of constituent shares

t for i k give no information ab out the constituent secrets s even

ij j

though partial a priori information ab out the s exists b ecause the value of the

j

comp osite secret s is given

Now the constituent shares t allow the computation of the comp osite shares

ij

t for i k since each t is given by

i i

t t t t

i i i im

Thus these comp osite secrets give no additional information ab out the con

stituent secrets s

j

Finally we observe that when the secret domain and the share domain are

b oth nite and of the same cardinality then the secret together with any set

of k shares completely determine the remaining shares This is so b ecause

every secret is completely consistent with any set of k shares Thus for

each remaining share there must b e at least one value which would yield each

p ossible secret Therefore there must b e exactly one value of each remaining

share asso ciated with each p ossible secret Hence the secret together with k

shares completely determine the remaining shares This then implies that the

CHAPTER SECRET SHARING HOMOMORPHISMS

remaining comp osite shares t for i k n are also computable by the rst

i

k shareholders when given the comp osite secret s Hence the comp osite

shares also give no additional information ab out the constituent secrets s

j

Remark The condition that the secret domain S and the share domain T are of

the same nite cardinality was not strictly required In fact almost any domain

with a group structure would suce For simplicity of exp osition and to keep

the notation under control this generalization has not b een incorp orated into

the theorem

Some Examples

Lemma shows that Shamirs k n threshold scheme is homomorphic

over the integers mo dulo p and since the secret domain and the share domain

consist of the same nite set the integers mo dulo p theorem implies that

Shamirs scheme is comp osite

Many other known threshold schemes are also homomorphic The

threshold schemes found in Blak AsBl and Koth for example are all

homomorphic

What if the desired comp osite secret is not the sum of the constituent secrets

Shamirs scheme is not comp osite This is b ecause the pro duct of two

nonconstant p olynomials is of higher degree than the factors

By using a homomorphism b etween addition and discrete logarithms for ex

ample it is p ossible to transform Shamirs scheme into a homomorphic

k n threshold scheme Thus if the desired comp osite secret is the pro duct of

the constituent secrets Shamirs scheme can still b e used This metho d can b e

summarized by the following statement The sums of the shares of the discrete

logs of the secrets are shares of the discrete log of the product of the secrets

In general discrete logarithms may b e dicult to compute However if p

is small or of one of a variety of sp ecial forms the problem is tractable see

PoHe Adle COS It should b e emphasized that such sp ecial cases

for p do not in any way weaken the security of our schemes The security is not

cryptographic but rather is information theoretic Therefore there need b e no

assumptions ab out the diculty of solving any sp ecial problems

VERIFIABLE SECRET SHARING

There is however a subtlety here since discrete logarithms are only dened

within multiplicative groups and the multiplicative subgroup Z has order n

n

which is not prime for prime n Polynomial interpolation however is only

welldened over a eld which if nite must b e of prime order

th

To alleviate this diculty we let the secret domain S b e the set of r ro ots

of mo dulo n where r is prime r j n and r and nr are relatively prime

By theorem this is sucient to ensure that S has exactly r members and

since r is prime discrete logarithms over S will yield values in Z which is a eld

r

Veriable Secret Sharing

An imp ortant application of secret sharing homomorphisms provides a simple and

ecient metho d for veriable secret sharing This problem was rst describ ed

by Chor Goldwasser Micali and Awerbuch in CGMA and the application

of secret sharing homomorphisms to this problem was developed as a result of

an observation made by Oded Goldreich

Denition We say that a set of n shares t t t is k consistent if every

n

subset of k of the n shares denes the same secret

The problem of veriable secret sharing is to convince shareholders that their

shares collectively are k consistent This task usually falls up on the holder of

the initial secret s and this agent is usually referred to as the dealer

In Shamirs threshold scheme the shares t t t are k consistent if and

n

only if the interpolation of the p oints t t n t yields a p olynomial

n

of degree at most d k It is useful to observe that if the sum of two

p olynomials is of degree at most d then either b oth are of degree at most d or

b oth are of degree greater than d

This suggests the following outline of an interactive pro of that a p olynomial

P given by its encrypted values at n distinct p oints is of degree at most d

Encryptions of the values of the p oints that describ e P are released by the

prover

Encryptions of many additional random p olynomials again of degree at

most d are also released by the prover

A random subset of the random p olynomials is designated by the veriers

CHAPTER SECRET SHARING HOMOMORPHISMS

The p olynomials in the chosen subset are decrypted by the prover They

must all b e of degree at most d

Each remaining random p olynomial is added to P Note that p ointwise

addition gives the same p olynomial as the co ecientwise addition Each

of these sum p olynomials is decrypted by the prover They must also all

b e of degree at most d

Since the encryptions of shares are made public the security is no longer

information theoretic but rather dep ends up on a cryptographic assumption The

encryption of the values of each p oint must b e probabilistic to prevent guessing

of values and it must satisfy a homomorphism prop erty so that an encryption of

the sum of two values can b e developed directly from the encryptions of the two

values These prop erties are satised by the encryption function E of section

An ecient veriable secret sharing scheme can thus b e given as follows

Let r b e a xed prime and supp ose the secret value s is to b e drawn from Z

r

Supp ose further that each future shareholder has developed a public election

encryption function E by releasing a pair n y such that r n y is prime

i i i i i

consonant and has interactively proven that r n y is prime consonant using

i i

the interactive pro of metho d of section

The dealer divides a secret s into n shares t t t using Shamirs secret

n

sharing scheme That is co ecients c c c are randomly selected from

k

k

Z P x c x c x c x s is formed and the shares t P i are

r k i

th th

computed The i share t is transmitted to the i shareholder by releasing a

i

randomly chosen member of RC t This is done by selecting a random x

i rn y i

i i

t

r

i

Z and releasing E t x y x mo d n Thus for each i the pair i E t x

i i i i i i i

i

n i

i

is made public

To convince a participant that the encrypted p oints i E t x describ e a

i i i

p olynomial with degree no more than d k the dealer can engage in the

interactive pro of of gure

By construction each pair t x is a decomp osition of the corresp onding

i i

public value E t x By releasing all i decomp ositions for each p olynomial

i

i i

P A the dealer allows the p olynomial P dened by the p oints i t to b e

i

interpolated

By lemma and by the denition of the op erator each of the pairs

t x t x is a decomp osition of the publically computable pro duct of encryp

i i

i i

VERIFIABLE SECRET SHARING

Dealer

Select m random p olynomials P each of degree at most d The val

ues of these random p olynomials at the secrets they describ e are

also selected randomly This is accomplished by selecting for each ran

dom p olynomial P k co ecients c c c uniformly from Z and

k r

k

forming P x c x c x c For each of these p olynomials

k

P select random values x Z and set t P i Reveal to the

i n i

i

public the pairs i E t x

i

i i

Veriers

Randomly select a subset A of these random p olynomials

Dealer

Each p olynomial in P A is op ened by revealing for all i the de

comp osition t x For each p olynomial P A the p ointwise sum

i i

P P mo d r is op ened by releasing for all i the pair t x t x

i i

i i

as dened in section

Figure Interactive pro of that P x is of degree at most d

tions given by E t x E t x Recall that the rst comp onent of t x t x

i i i i i i

i i i i

is simply t t mo d r Thus the rst comp onent of this decomp osition of

i

i

E t x E t x gives the sum t t mo d r P i P i mo d r Since Shamirs

i i i i i i

i i

scheme is homomorphic ie since the p ointwise sum of p olynomials

matches the co ecientwise sum the dealer by releasing each of the n p ointwise

sums P i P i mo d r for each p olynomial P A allows the p olynomial

P P mo d r to b e interpolated

Any veriers can then conrm that all p olynomials P A and all p olyno

mials P P mo d r for P A are of degree at most d This should b e sucient

m

to convince the veriers with condence that P to o is of degree at

CHAPTER SECRET SHARING HOMOMORPHISMS

most d as desired

If there is more than one verier in particular if each shareholder is to b e

convinced of the consistency of the shares then each verier can enter into such

an interactive pro of with the dealer or the veriers may all take part in the

interactive pro of by jointly selecting the subset of random p olynomials to b e

op ened by the dealer

It is not hard to see that a set of random p olynomials of degree at most d

together with a set of sums of P with other random p olynomials of degree at

most d gives no useful information ab out P b eyond the degree b ound This is

in fact a sp ecial case of theorem

Thus by combining Shamirs secret sharing scheme with the results of this

chapter and chapter and using the interactive pro of metho ds given in chap

ter a simple and ecient veriable secret sharing scheme can b e pro duced

Chapter

SecretBallot Elections

We are now ready to combine the to ols describ ed in the preceding chapters and

pro duce a schema for veriable secretballot elections In the schema describ ed

in this chapter voters cast their votes in encrypted form and a government

or a set of constituent tellers releases a tally and a pro of of its correctness

which can b e veried by all It is proven that if a set of conspiring voters can

in p olynomial time obtain more than a small advantage at compromising the

privacy of the honest voters then the prime residuosity assumption of chapter

is false

Overview of SecretBallot Elections

The ma jor shortcomings of the basic election schema describ ed in section can

b e summarized by the fact that the central government is to o p owerful The

government can tell how individual voters cast their votes and can if it wishes

halt an election any time it likes To alleviate these problems the basic election

schema can b e embedded within a comp osite J K threshold scheme in

particular in Shamirs scheme as suggested by the outline b elow

Instead of a single government K subgovernments or tel lers each hold a

subelection Each voter chooses either or as a secret value indicating a

no vote indicating a yes vote and distributes one share of the secret vote to

each of the K tellers The tally of the election is given by the sum of the voters

secrets

Since the J K threshold scheme has the homomorphism prop erty

CHAPTER SECRETBALLOT ELECTIONS

the sum of voteshares is itself a share of the sum tally of the votes Thus

once J or more tellers release their tallyshares the overall election tally can b e

determined Furthermore since the secret domain and the share domain consist

of the same nite set the conditions of theorem are satised and fewer than

J conspiring tellers are unable to determine any individual voters secret vote

In order to maintain privacy of the voteshares and hence the votes them

selves while allowing the accuracy of the tallyshares the sums of the vote

shares to b e veried the singlegovernment veriable selection schema of sec

tion is used Each teller selects an election encryption function E and each

i

th

voter transmits the i share of its vote by revealing an encryption of this share

th

under the i tellers encryption function E Each teller then computes the sum

i

of the voteshares it receives and while keeping the actual voteshares secret

interactively proves that the tallyshare it releases represents the sum of these

voteshares by decrypting the pro duct of the encrypted voteshares Thus even

though the voteshares cast by each voter are no longer constrained to b eing

or each teller can pro duce a veriable sum of these by shares as in the

singlegovernment election schema of section

The interactive pro of techniques used in section can b e generalized slightly

to allow verication of the voteshares Here each voter participates in an inter

active pro of to demonstrate to all participants that the voteshares it distributes

are legitimate in the sense that every set of J of its voteshares derives the same

secret vote the set of voteshares is J consistent and that this vote is either a

or a

Thus as long as at least J of the K designated tellers participate through

to conclusion an election can b e conducted such that each participant has very

high condence in the accuracy of the resulting tally and no set of fewer than J

tellers together with any number of conspiring voters can gain as much as an

inverse p olynomial advantage at distinguishing b etween p ossible votes of honest

voters without breaking the underlying cryptosystem and thereby violating the

prime residuosity assumption

A normal threshold which may b e used for an election might set J to b e

ab out of K In this scenario a small fraction of tellers could

fail without causing the election to fail and a large fraction of the

tellers would have to collude to resolve individual votes

RELATED WORK

Related Work

Various cryptographic schemas have b een prop osed for b oardro om voting in

which participants pass encrypted messages from one to another while p erforming

encryption and decryption op erations until a certain p oint is reached at which all

are condent of the outcome of the vote see DLM Merr and Yaoa

These all share the problems that the active participants must b e known in ad

vance and if one participant stops following its proto col during the election the

election cannot continue Thus these b oardro om schemas are not well suited for

largescale elections

Chaum Chau prop oses the use of a trusted mix similar to a gov

ernment to scramble pairs of votes and digital pseudonyms The votes are

publicly revealed but the identity of the corresp onding voters is protected by

the mix This mix schema seems to have prop erties very similar to those of the

singlegovernment election schema presented in section but the approach is

very dierent Instead of hiding voters the schemas presented in this thesis hide

the actual values of the votes Chaum also suggests the use of multiple mixes

cascaded to improve the privacy of individual voters The prop erties obtained

with the cascaded mix schema app ear to b e similar to those proven for the mul

tiple teller schema presented in this chapter when no faulty tel lers are al lowed

If one mix fails however the election collapses whereas the failure of any prede

termined number of tellers can b e tolerated in the secretballot election schema

presented here

Very recently Chaum Chaub has given another metho d of holding veri

able secretballot elections which obviates the need for a mix The work is similar

to b oardro om voting in that failure of a single voter causes an election to fail

however Chaums metho d ensures that such failures can b e traced This allows

an election to b e restarted without the faulty voter This approach however

still do es not seem practical for largescale elections since the election proto cols

might have to b e rep eated once for each faulty or malicious voter in the system

until an election with no improp er voters can b e completed

Also very recently Goldreich Micali and Wigderson GMW found a

metho d to show that al l NP predicates can b e proven in a zeroknowledge

fashion With resp ect to secretballot elections their result can b e used to give

a metho d of veriable secretballot elections but there are limitations Firstly

CHAPTER SECRETBALLOT ELECTIONS

their result can only tolerate failure of half of the participants whereas any

number of dishonest or faulty tellers can b e tolerated by the schema presented

here Secondly the metho ds of Goldreich Micali and Wigderson are although

p olynomially b ounded far b eyond practicality while the given schema is shown

to b e within the b ounds of practicality with current technology

The rst version of this work was given by Cohen Benaloh and Fischer in

CoFi Various improvements and extensions were given by Cohen Benaloh

in Cohe and by Benaloh and Yung in BeYu The veriable secretballot

election schema to b e presented in this chapter incorp orates most of the ideas

presented in these previous versions and adds new metho ds which b oth improve

the results and simplify the presentation

Election Denitions

We now give a formal mo del of the veriable secretballot election problem and

the prop erties that we want a solution to have

Veriable Elections

A J threshold K tel ler Lvoter election system or simply a J K L election

system E is a synchronous system of communicating pro cesses The pro cesses

may b e thought of as probabilistic Turing machines extended with op erations for

communication The program run by such a pro cess is called a protocol K of the

pro cesses T T are designated as tellers and L of the pro cesses V V

K L

are designated as p otential voters We denote the set of teller pro cesses by T

and the set of voter pro cesses by V T and V are xed in advance and each

pro cess knows the designation of every pro cess

Communication is via bul letin boards which can b e thought of as restricted

shared memories Each pro cess controls one bulletin b oard which it is said

to own The corresp ondence b etween bulletin b oards and pro cesses is xed in

advance and known to all pro cesses Each bulletin b oard can b e read by every

pro cess but it can only b e written by its owner and then only by app ending

new messages not by altering old ones In practice implementing such bulletin

b oards may b e a problem unto itself See Fisc for a survey of the literature on this problem as well as BenO and Rabib for some probabilistic approaches

ELECTION DEFINITIONS

In addition there is a publiclyreadable number N called a security parameter

which serves as the only input to each pro cess N controls the likelihoo d that

the election is correct and that privacy is maintained

Denition A J K L election schema S consists of a collection of proto cols

for use by a J K L election system and a function check The function check

returns either go o d or bad and dep ends on N and the messages p osted to the

public bulletin b oards check must b e computable in time p olynomial in N

S prescrib es a proto col for each teller pro cess and two p ossible proto cols

T

for each voter to b e used to cast a yes vote and proto col to b e used

yes no

to cast a no vote

Denition An election under S consists of a run of a J K L election system

E for which check returns go o d Any pro cess of E which follows one of its

proto cols prescrib ed by S is said to b e proper otherwise it is improper We

say that a voter casts a valid yes vote resp ectively no vote if the messages

it p osts are consistent with the proto col resp ectively We say it votes

yes no

properly if it casts a valid yes or no vote otherwise it votes improperly Note

that a prop er voter by denition always votes prop erly but an improp er voter

may or may not vote prop erly and if it votes improp erly that fact may or may

not b e detectable by others

Denition The tal ly of an election is the pair t t where t and t are

yes no yes no

the number of voters who cast valid yes and no votes resp ectively As part of

its proto col each teller T releases a value For some predetermined function

k k

if t t then the tally of the election is said to b e correct

K yes no

Let b e a function of N The schema S is said to b e veriable with condence

if for any election system E check satises the following prop erties for

random runs of E using security parameter N

If at least J tellers are prop er in E then with probability at least N

check returns go o d and the tally of the election is correct

The joint probability that check returns go o d and the election tally is not

correct is at most N

S is said to b e veriable if for every inverse p olynomial function N P N

there exists an integer N such that S is veriable with condence N

whenever N N

CHAPTER SECRETBALLOT ELECTIONS

Public Voting

A simple example of a veriable election schema is one in which each voter

publicly p osts a single yes or no vote Each teller T then counts the yes

k

and no votes and announces the totals as If at least J of the K tellers p ost

k

totals which match the number of yes and no votes p osted then

k K

is dened to b e this value Otherwise is undened

k

check returns go o d if and only if the totals of the valid votes are the same as

those announced by at least J of the tellers Thus by computing the function

check any participant can verify the accuracy of the announced tally

Privacy

The trivial example ab ove shows that a veriable election schema is not very

interesting without the incorp oration of some notion of privacy Preserving pri

vacy in an election do es not always imply the inability of one voter to determine

anothers vote For example in the case of a unanimous mandate every voter

knows every other voters vote More generally any coalition of voters can de

termine the subtally of the votes cast by voters outside of the coalition simply

by subtracting their own votes from the released totals We say that privacy is

maintained if any conspiracy of voters and tellers which do es not include at least

J tellers has at most a small advantage at distinguishing b etween any two vote

assignments that have the same subtally on a set of prop er voters In particular

if there exist two prop er voters of which one casts a yes vote and one casts a no

vote then no conspiracy of fewer than J tellers and any number of remaining

voters can attain more than a small advantage at deciding which of these two

votes is the yes vote

In order to account for the p ossibility of a collection of improp er voters acting

in concert we augment our mo del to p ermit private communication channels

b etween improp er pro cesses However we do not want to assume that private

channels are always available so we do not p ermit their use in the proto cols

prescrib ed by a veriable election schema In other words the adversaries can

communicate secretly among themselves but the prop er pro cesses cannot

To formalize the privacy requirement let C T the conspiring tellers

T

such that jC j J and let C V the conspiring voters Let C C C b e

T V T V

the set of conspiring pro cesses and let c C We dene a c C conspiracy C

AN ELECTION PARADIGM

to consist of an assignment of proto cols to pro cesses in C p ossibly with private

communication among themselves such that c pro duces an output in f g

which we denote outputC We require the running time of each pro cess in C

to b e p olynomial in N

We now dene what it means for a conspiracy C to compromise privacy of

an J K L election schema S Let H V C the honest voters and let h

V

and h b e assignments of votes to voters in H such that the subtally of votes

in h is the same as that in h For each i f g dene an election system E

i

as follows Every pro cess in C runs the proto col assigned to it by C every voter

pro cess V H runs proto col and every teller pro cess T not in C runs its

h k T

i

prop er proto col For a xed security parameter N let p b e the probability

T i

that outputC on a random run of E and let b e a real number We say

i

that C distinguishes h from h with advantage if

jp p j

In other words the conspiracy has an advantage in determining whether the

votes corresp ond to assignment h or to h in a given election with security

parameter N

Denition We say that C compromises the privacy of h h in S if for some

inverse p olynomial function P N C distinguishes h from h with N

advantage on innitely many values of N Finally we say that S is secure if for

every c C conspiracy C and every pair of vote assignments h h to voters in

H that have the same subtally C do es not compromise the privacy of h h in

S

The election problem is to nd for each triple J K L a J K L election

schema that is veriable and secure

An Election Paradigm

The election paradigm up on which the schema presented here is based op erates

in four phases and is shown in Figure The participants are a set of tellers

T fT T T g and a set of voters V fV V V g Implicit in the

K L

paradigm is that each phase must b e completed by all participants b efore the

CHAPTER SECRETBALLOT ELECTIONS

Each T Select and reveal a set of parameter values S to b e used

k

in the election and interactively prove that S conforms to

certain sp ecications

Each V Select and reveal an unmarked ballot B consisting of an

encrypted yes vote and an encrypted no vote in random

order and interactively prove that B is of this form

Each V Select one vote as the actual vote on the ballot B

Each T Release a comp osition of the values received by T

k k k

and interactively pro of that is this comp osition

k

The tally of an election is where is a pre

K

determined function

Figure The election paradigm

next b egins This is achieved by setting deadlines in advance for the completion

of each phase

The four phases of an election corresp ond in a fairly natural way to asp ects of

actual elections The rst phase is an announcement phase in which the election

is announced p erhaps dates are selected and parameters and rules which will

guide the election are set The second phase consists of voter registration in which

eligible voters identify themselves and register for the election The third phase

is the actual voting phase in which voters select their votes The fourth phase

is the tal ly phase in which the election tally is compiled and revealed Notice

that the four phases do not have to take place in rapid succession In particular

registration may b e done well b efore the actual voting and the decision of how

or whether to cast a vote need not b e made until the voting phase

The basic election schema of section is a sp ecial case of this paradigm

In the basic election schema there is only one teller called the government

In this case the tally function can b e simply the identity function Such a

government is of course able to determine how every voter votes in an election

It is however still useful to see how a government can convince voters of the

correctness of a tally without releasing the actual votes

In the more general teller schema to b e presented next each teller functions

VOTES AND BALLOTS

essentially as an autonomous subgovernment However the tallyshares

released by the tellers are not meaningful until they are combined by

Votes and Ballots

Section Elementary Elections presented the notion of using a random mem

b er of residue class to denote a no vote and a random member of residue class

to denote a yes vote This notion was maintained in section Basic Elections

where elections still required only a single government entity Generalizing to the

case of multiple tellers however requires a corresp onding change to the notion

of a vote

Supp ose we are to hold an election with K tellers such that the election can

withstand up to F teller faults We embed the basic election schema of section

within a J K Shamir secret sharing scheme where J K F Let r b e a xed

prime greater than the number of eligible voters and supp ose each teller T has

k

selected election parameters n y such that r n y is consonant

k k k k

Denition Given a prime r we say that a vector

P hn y n y n y i

of parameters is r proper if for every k r n y is a prime consonant triple

k k

r

Z see theorem This condition is satised whenever y

k

n

k

Denition Given a prime r and an r prop er parameter vector

P hn y n y n y i

dene

Z Z Z Z

n n n P

As the direct pro duct of groups Z to b e the direct pro duct of the groups Z

n

P

k

is itself a group

Denition Given a prime r and an r prop er parameter vector

P hn y n y n y i

dene

r r r r

D D D D

n y n y n y P

CHAPTER SECRETBALLOT ELECTIONS

r

to b e the direct pro duct of the decomp osition sets D dened in section

n y

k k

r

Of course since by lemma each D is a group the direct pro duct

n y

k k

r

D is also a group with the straightforward generalization of as its op eration

P

As in section we are able to dene an evaluation function

r

Z D

P P

Denition Let P hn y n y n y i b e an r prop er parameter

r

by Z vector Dene D

P P

hc x c x c x i

r c r c r c

2 1

mo d n i x mo d n y x mo d n y x hy

As a direct pro duct of homomorphisms is a homomorphism

r

Denition Given a D D D is called the evaluation of D Given a

P

r

W Z a D D such that D W is called a decomposition of W

P P

r

As in the scalar case every D D has a unique evaluation but a W Z

P P

may have multiple decomp ositions

Denition Given an r prop er parameter vector

P hn y n y n y i

and a vector W hw w w i Z the disclosure of W with resp ect to r

P

and P denoted by W or simply W when r and P are understo o d is the

rP

comp onent vector C hc c c i where each c w Note that

k k rn y

k k

since each r n y is only required to b e prime consonant and not required to

k k

b e p erfect consonant it is p ossible that w

k rn y

k k

Votes

Denition Given a vector C hc c c i and a threshold J let jjC jj or

J

simply jjC jj when J is understo o d denote the value at of the minimum degree

p olynomial passing through the p oints k c if this p olynomial is of degree less

k

than J That is jjC jj is the secret dened by the shares c c c If any of

the c or if the minimum degree p olynomial passing through the p oints

k

k c is of degree J or greater then jjC jj

k J

VOTES AND BALLOTS

Denition Given J K with J K a prime r and a K comp onent r

prop er parameter vector P we say the type of a W Z is the secret dened

P

by the disclosure of W ie typeW jjW jj If any element of the disclosure

of W is undened or if the disclosure of W do es not dene a unique secret

then type W

Denition Given J K with J K a prime r and a K comp onent

r prop er parameter vector P a vote is dened to b e a K comp onent vector of

integers W hw w w i such that jjW jj is nite A vote of type is

K

called a no vote and a vote of type is called a yes vote A vote which is either

a no vote or a yes vote is said to b e valid Let J K r P or simply when

J K r and P are understo o d denote the set of votes with resp ect to J K r

and P

Denition Given two votes U hu u u i and V hv v v i in

K K

J K r hn y n y n y i we dene their pro duct U V to b e

K K

the vector U V hu v u v u v i where each pro duct u v is taken

K K k k

mo dulo n

k

We b egin by giving generalizations of lemmas and of section

Lemma If U hu u u i and V hv v v i are votes of type u

K K

and v respectively then the product U V is a vote of type u v mo d r

Pro of

By denition U is of type u if and only if the secret dened by the disclosure

of U is u Similary V is of type v if and only if jjV jj v Now

U V hu v u v u v i

rn y rn y K K rn y

1 1 2 2

K K

But by lemma this is equal to

h u v mo d r

rn y rn y

1 1 1 1

u v mo d r

rn y rn y

2 2 2 2

u v mo d r i

K rn y K rn y

K K K K

That is to say the disclosure of U V is the comp onentwise sum of the dis

closures of U and V By lemma Shamirs secret sharing scheme is

CHAPTER SECRETBALLOT ELECTIONS

homomorphic Thus the sum of the shares

h u v mo d r

rn y rn y

1 1 1 1

u v mo d r

rn y rn y

2 2 2 2

u v mo d r i

K rn y K rn y

K K K K

constitute shares of the sum u v of the original secrets The secret domain

however is limited to Z Hence U V is a vote of type u v mo d r

r

Denition Given a vote W hw w w i in

K

J K r hn y n y n y i

K K

we dene their pro duct W to b e the vector W hw w i where w

K

is taken mo dulo n each inverse w

k

k

Lemma If W hw w w i is a vote of type t then W is a vote of

K

type t mo d r

Pro of

Since W is a vote each w is relatively prime to its corresp onding n Thus

k k

W is welldened Let C hc c c i W b e the disclosure of W

K

W C mo d r hc mo d r c mo d r c mo d r i

K

since by lemma if w is of class c then w is of class c Also the

k k k

k

prop erties of p olynomials readily imply that jj C jj jjC jj mo d r Thus W

is a vote of type t mo d r

It is now easy to show that the set is a group

Lemma Given J K with J K a prime r and a K component

r proper parameter vector P the set J K r P is a commutative group under

the operation

VOTES AND BALLOTS

Pro of

h i is clearly an identity for The element

Lemma shows that is closed under multiplication

By lemma W is a welldened vote and clearly W W W W

so W is an inverse of W Finally asso ciativity and commutativity are

inherited from integer multiplication

We are now able to give a generalization of lemma of section

Lemma Two votes U hu u u i and V hv v v i are of the

K K

same type with respect to a given parameter vector if and only if there exists a

vote W hw w w i of type such that U V W

K

Pro of

Assume there exists a vote W of type such that U V W Then by

lemma the type of U is equal to the sum of the types of V and W But the

W is of type Thus the type of U must equal the type of V

Conversely let W U V Since is a commutative group U V W If

U and V are b oth of type t then by lemma V is a vote of type t mo d r

Thus by lemma W U V is a vote of type

Decomp ositions of Votes

r r

Denition Let D b e dened by fD D D g In

P P

r

other words is the set of D hc x c x c x i D such that

K K

P

jjhc c c ijj is nite

K

r

Lemma is a subgroup of D

P

Pro of

r

The identity of D is the element h i which describ es

P

r

the secret value Thus the identity of D is in If D D then

P

D D D D and by denition each D is in Hence

i

D D so D D Finally if D then D D

so D

Thus in particular the binary op eration dened by

D D D D

CHAPTER SECRETBALLOT ELECTIONS

is welldened on and given D and D such that D W and D

W

type D D type D D

type W W

type W type W

Therefore the dierence b etween the types of W and W can b e shown by

revealing D D which is a decomp osition of W W

This prop erty which is a consequence of lemma can in analogy with

lemma b e used as the basis for an interactive pro of almost identical to that

of section to show that two votes are of the same type

Remark It is p ossible to dene votes as a single integer rather than a vector

The Chinese Remainder Theorem denes an isomorphism b etween the group Z

P

Q

n where P hn y n y n y i and the group Z where N

k K K

k

N

All of the op erations on votes can b e redened to conform to this viewp oint

without any loss of functionality Although there are some advantages to dening

a vote to b e a single integer the size of the integer is of course comparable to

the size of the vector of integers used For purp oses of clarity the comp onents

have b een kept separate here

Ballots

Denition A capsule consisting of a pair of votes is called a ballot

Denition A ballot consisting of a no vote and a yes vote in either order is

called a valid ballot

Denition A ballot consisting of two no votes ie two votes of type is called

a zero ballot

Denition The type of a ballot B W W is the ordered pair

type W type W

Two ballots are said to b e of equivalent type if their types are the same or the

reverse of each other

A VERIFIABLE SECRETBALLOT ELECTION SCHEMA

We also dene two quotient op erators on ballots

Denition If B W W and B W W are ballots then the forward

quotient B B is dened to b e the ballot W W W W and the reverse

quotient B nB is dened to b e the ballot W W W W

Note that two ballots B and B are of equivalent type if and only if at least

one of B B and B nB is a zero ballot In particular if B and B are b oth valid

ballots then exactly one of B B and B nB is a zero ballot

A Veriable SecretBallot Election Schema

Here at last are the proto cols for the full faulttolerant veriable secretballot

election schema With the machinery that has b een constructed the schema can

b e describ ed fairly simply

Besides the sets T of tellers and V of voters we introduce two additional sets

of participants These additional sets may b e drawn from T V or they may

consist of indep endent participants

The rst of these additional sets is the set of bit generators denoted by G

Let M jG j The sole resp onsibility of the bit generators is to generate random

bits at various times to facilitate interactive pro ofs If a single trusted random

source known as a beacon Rabia is available then G can b e the singleton

set containing just this b eacon In general G should b e chosen to b e a set of

random sources such that each participant is condent in the integrity and the

unpredictability of at least one member of G

The second additional set is the set of inspectors denoted by I Let I jI j

The mission of the insp ectors will b e to engage the tellers in a set of interac

tive pro ofs to ensure the validity of the election parameters As with the bit

generators the insp ector set I should b e chosen such that each participant is

condent in the integrity of at least one member of I The insp ector set I may

consist of the bit generators G the tellers T themselves challenging each other

or the entire set of voters V The reasons for selecting one of these sets over

another are dictated by the assumed capabilities of the agents and by eciency

considerations This is discussed further in section It should b e emphasized

that the insp ectors are not able to oversee an entire election They even as a

set are not able to read voters private votes nor obtain any sp ecial information

CHAPTER SECRETBALLOT ELECTIONS

ab out the election parameters from the tellers Their role is quite limited and

their introduction is merely a notational convenience which adds exibility to the

election schema

We assume that a prime r which is larger than the number of eligible voters

has b een xed in advance and that a security parameter N has also b een selected

The election schema consists of four basic phases according to the paradigm

describ ed in section Within each of these phases there may b e several sub

phases

In the announcement phase each teller T T randomly selects a pair n y

k k k

such that the triple r n y is prime consonant Each teller uses the interactive

k k

pro of technique of section to convince each member of the insp ector set I

that r n y is in fact prime consonant see gure

k k

In the registration phase each voter V V that wishes to vote prepares a

valid ballot as describ ed in section A slightly generalized version of the

interactive pro of of section is then used to demonstrate the validity of the

ballot see gure

In the voting phase each voter V V that has satisfactorily completed its

interactive pro of may then cast a vote by designating one of the two votes on its

ballot as the vote to b e cast see gure

In the tally phase the pro duct of the votes cast is computed These votes

are completely public although the secrets they represent are not and the

pro duct can b e computed by anyone and everyone The type of this pro duct

is the tally of the election Each teller T T releases the type of its comp onent

k

of this vote pro duct An interactive pro of using the technique of section is

used by each teller to demonstrate the class of its comp onent see gure

Once a sucient number of tellers have pro duced these tallyshares the

overall tally can b e computed as the secret dened by the set of tallyshares

The tally function is dened to b e the secret determined by any J or more

values for which check k go o d

k T

The function check

In order to gain condence that the tally is correct it is necessary to evaluate

the check function The check function do es not require computation of residue

THE FUNCTION CHECK

A Each teller T T uniformly selects an n with jn j N such that the

k k k

N

pair r n is exact consonant with error probability at most K as

k



in lemma Each teller then uniformly selects a y Z such that the triple

n

k

r n y is exact consonant as in lemma Teller T p osts the pair n y

k k k k k

as its election parameters

B Let dlog jI jlog log jT jN e and let dlog jT jN e

Each insp ector I selects for each teller T values c f g and x uniformly

s k i i

c

r 

i

mo d n and p osts the values w c x y x from Z

k i i i

i n

k

With each w insp ector I randomly selects additional values and all

i s ij ij

relatively prime to n and p osts capsules each consisting of in random order

k

r r

the pair u mo d n and v y mo d n

ij ij k ij ij k k

ij ij

C Each teller T for each insp ector I selects random bits b i

k s ij

and j

D For each pair i j such that b I releases the values and

ij s ij ij

For each pair i j such that b I selects and p osts

ij s

u if c

ij i

w

ij

v if c

ij i

Let c x b e a decomp osition of w That is c x is either or

ij ij ij ij ij ij

Insp ector I then releases the decomp osition of w w given by

ij s ij

i

c x c x

ij ij i i

c c x x mo d n if c c

ij i ij k ij i

i

c c r x x y mo d n if c c

ij i ij k ij i

i

k

E Each teller T then releases w for all i

k i

rn y

k k

F Each challenger I releases c x for all i

s i i

Figure Phase The announcement phase

CHAPTER SECRETBALLOT ELECTIONS

A Let dlog jV jN e

Each voter V prepares as unmarked ballots M capsules B each consist

i

ing of a no vote and a yes vote as describ ed in section One of these capsules

is designated as the master ballot B and of these capsules are asso ciated

with each of the M bit generators

B Each bit generator G pro duces for each voter V bits b i

m i

C For all i such that b voter V decomp oses its asso ciated B For all i such

i i

that b voter V decomp oses either B B or B nB whichever of the

i i i

two is a zero ballot

Figure Phase The registration phase

Each voter V designates one of the two votes of its master ballot B as the actual

vote to b e cast in the election

Figure Phase The voting phase

A Let dlog jT jN e

Each teller T computes the set of correct voters V for which check

k V

th

go o d and then computes W which is the pro duct mo dulo n of the k comp o

k k

nent of all votes cast by the correct voters

Each teller T reveals W

k k k

rn y

k k

 r

Each teller T selects M random values s Z and reveals S s

k i i n

n k i

k

From these M values of S of the S are asso ciated with each of the M bit

i i

generators

B Each bit generator G pro duces for each teller T bits b asso ciated with the

m k i

S

i

C For all i such that b teller T reveals its asso ciated s For all i such that

i k i

th

k

b teller T reveals s x where x is an r ro ot of W y

i k i k k k

k

Figure Phase The tally phase

THE FUNCTION CHECK

classes or examination of challenges but it do es require that each vote cast b e

checked for consistency The function check is dened in terms of a function

check The function check is in turn dened in terms of check and check

T T I V

check

I

The value of the function check s k is dened to b e go o d if and only if

I

In phase B insp ector I has p osted up to complete sets each con

s

taining an element w and capsules Each w and the elements of each

i i

capsule must all b e relatively prime to n

k

In phase D for each capsule with which teller T asso ciates a insp ector

k

I p osts a decomp osition showing one comp onent to b e of RC and the

s

other to b e of RC

In phase D for each capsule with which teller T asso ciated a insp ector

k

I chooses a comp onent w and gives a decomp osition of w w Each

s ij ij

i

such decomp osition must show w w to b e in RC

ij

i

In phase F insp ector I p osts a decomp osition of w

s i

check

V

The value of the function check is dened to b e go o d if and only if

V

In phase A voter V p osts a master ballot and M sets consisting of

ballots each Every element of every comp onent of every ballot p osted must

b e relatively prime to its asso ciated mo dulus n Let B denote this master

i

ballot

In phase C for each ballot with which the corresp onding bit generator

has asso ciated a voter V p osts a complete decomp osition of the ballot

These decomp ositions must show these ballots to b e valid ballots

In phase C for each ballot B with which the corresp onding bit gener

ator has asso ciated a voter V p osts a complete decomp osition of either

B B or B nB These decomp ositions must show these quotients to b e zero ballots

CHAPTER SECRETBALLOT ELECTIONS

In phase voter V designates one of the two votes of its master ballot as

the vote to b e cast

check

T

The value of the function check k is dened to b e go o d if and only if

T

In phase A teller T p osts a pair n y such that y is relatively prime

k k k k

to n

k

In phase C teller T asso ciates a bit with each capsule presented to it

k

by an insp ector

In phase E for each w presented by an insp ector I for which the value

i s

of check s k is go o d teller T asso ciates a bit designating to which of

I k

RC and RC w b elongs

i

No insp ector for which check s k go o d p osts a decomp osition in phase

I

F which contradicts a residue class claimed by teller T

k

In phase A teller T p osts a tallyshare

k k

In phase A teller T p osts M values w each relatively prime to n

k k

In phase C for each value w with which the corresp onding bit generator

th

has asso ciated a teller T p osts an r ro ot of w

k

In phase C for each value w with which the corresp onding bit generator

th

k

has asso ciated a teller T p osts an r ro ot of W y w where W is the

k k k

th

pro duct mo dulo k of the k comp onent of all votes cast by voters V for

which check go o d

V

check

The value of check is dened to b e go o d if and only if check k go o d for at

T

least J tellers T

k

We shall show in section that the probability that check go o d while the

tally is incorrect decreases exp onentially as the security parameter N increases

TIME AND SPACE REQUIREMENTS

Time and Space Requirements

It is imp ortant to analyze the resources used in the election schema of section

Recall that K jT j is the number of tellers L jV j is the number of voters

M jG j is the number of bit generators I jI j is the number of insp ectors

and N is the security parameter

Time Requirements

Although the election schema has many complicated asp ects almost all of the

computation times are b ounded by the cost of p erforming gcd op erations When

selecting a random x Z gcdx n is computed to verify that x is in fact

n

relatively prime to n When N jnj such a gcd requires O N N bit multiplica

c r

tiondivision op erations Once such an x has b een chosen computing y x mo d n

for c r requires only O log r N bit multiplicationdivision op erations

Thus since r n the cost of selecting a random member of residue class c is

dominated by the cost of the gcd and is O N times the cost of p erforming an

N bit multiplication or division

Voter Proto cols

In the registration phase of the election schema each voter prepares O M

O log LMN ballots each consisting of K pairs of integers selected from sp ecic

classes Thus each voter requires O log LKMN N bit multiplications and

divisions to complete phase

Phase only requires each voter to designate one bit of information and

phase requires no voter participation Thus the total time required for each

voter proto col is the time needed to p erform

O log LKMN

N bit multiplications andor divisions That is the number of N bit multiplica

tions and divisions required of a voter is prop ortional to the square of the security

parameter N the number of tellers K the number of bit generators M and

the logarithm of the number of voters L

CHAPTER SECRETBALLOT ELECTIONS

Teller Proto cols

The rst step required of each teller is the selection of a pair n y such that

r n y is prime consonant The metho d of lemmas and require the

selection of primes p and q such that r j p r j p and r j q

Such a p can b e randomly chosen by selecting an A of size roughly O n and a

B uniformly selected among integers from to r inclusive and computing

p Ar B r The general form of the prime number theorem used in

lemma see Kran ensures that such integers have roughly the same

density of primes as integers in general Thus approximately out of N of

such integers p are prime Probabilistic primality tests can b e used to test such

p These tests can verify primality with condence using O N N

bit multiplications and divisions Comp osite N can b e discovered with O N

exp ected N bit multiplications and divisions Thus the total exp ected time to

nd such a p is O N N times the time for an N bit multiplicationdivision

and the probability of pro ducing a false prime is b ounded by T where T is

the number of trials and is O N Similarly a prime q of the required form can

b e generated by selecting an A of roughly the size of n and a B uniformly selected

among integers from to r inclusive and computing q Ar B Once

again integers of this form have roughly the same density of primes as integers

in general Thus such a q can b e found in exp ected time O N N times

the time for an N bit multiplicationdivision with a comparable error b ound

N

Thus selecting an exact consonant pair with error probability less than K

is accomplished by setting dlog K N log N e and requires the same time

as is required to p erform O log K N log N N bit multiplicationdivision

op erations

Next given n such that r n is exact consonant lemma asserts that

r

a r r fraction of the y Z are not in Z Thus the exp ected number

n n

of such y which must b e tested is constant Such a test requires a gcd and by

Lemma a mo dular exp onentiation Thus an exp ected O N N bit mul

tiplicationsdivisions are used to generate the required y Hence selection of a

suitable n y pair requires an exp ected O log K N log N N bit multiplica

tions and divisions

The remaining obligations of the tellers consist almost entirely of determining

the residue classes of various integers Each teller must do this once for every

TIME AND SPACE REQUIREMENTS

challenge it receives up to dlog K eN challenges p er insp ector and once

more to tally its voteshares by computing the residue class of their pro duct

Thus up to O I log K N deco dings class determinations are required of each

teller

The teller challenges are constrained to b e elements of either RC or RC

By lemma these two cases can b e distinguished with a single mo dular

exp onentiation requiring at most O N N bit multiplications and divisions

Therefore the total number of N bit multiplications and divisions necessary to

answer the challenges is O I log K N

Each teller must also compute the pro duct of its comp onent of the up to L

votes cast This requires O L N bit multiplications and divisions

The big step little step metho d of section can b e used to compute the

residue class of the single value which gives the tellers share of the tally This

p

r log r N bit multiplications and divisions requires O

Finally the interactive pro of that the tellers share of the tally is correct re

th

quires O M O log K MN N bit multiplications divisions and r p ower

computations Thus the total number of N bit multiplications and divisions

required is O log K MN log r

Hence the total time needed by each teller proto col is the time required to

p erform

p

r log r log K MN log r O log K N log N I log K N L

N bit multiplicationdivision op erations

Insp ector Proto cols

In the announcement phase of the schema each insp ector may challenge each

teller A challenge requires the preparation of O O log I log log K N

random members of known residue classes and each insp ector may challenge each

of the K tellers up to dlog K N e times Thus each insp ector may pre

pare up to O log I K log K log log K N random members of known residue

classes Since each random selection requires O N N bit multiplications and

divisions each insp ector requires

O log I K log K log log K N

N bit multiplicationdivisions

CHAPTER SECRETBALLOT ELECTIONS

Bit Generator Proto cols

The bit generator proto cols consist entirely of providing random bits when re

quired to do so Each bit generator must provide dlog LN e bits to each

of the L voters to form the interactive pro ofs of vote validity Also each bit

generator must provide dlog K N e bits to each of the K tellers to form

the interactive pro ofs of the accuracy of the subtallies Thus each bit generator

must pro duce a total of

dlog LeL dlog K eK N

bits

Computing check

Almost all of the work required to compute check consists of computing greatest

common divisors inverses and mo dular exp onentiations Each of these op era

tions requires at most O N N bit multiplications and divisions For each of the

I insp ectors and each teller check s k requires

I

O O log I log K log log K N

gcd inverse and mo dular exp onentiation computations For each of the up

to L voters check requires O KM O K log LMN gcd inverse and

V

mo dular exp onentiation computations For each of the K tellers check requires

T

O M LO log K MN L gcd and mo dular exp onentiation computations

Thus computing check requires

O I log I K log K log log K N KLlog LMN K log K MN

N bit multiplication and division op erations

In particular note that computing check requires time prop ortional to L log L

rather than just log L This is explained by the fact that in order to verify the

results of an election one must lo ok over the votes cast by al l voters to ensure

their validity

Space Requirements

What is meant by space requirements here is the amount of p ermanent space

which is required to hold the messages which must b e p osted The amount of

CORRECTNESS

internal space required to p erform the secret computations is quite small

Each voter must p ost M ballots each consisting of two vectors which

contain K N bit integers Each voter must then p ost M decomp ositions each

consisting of two vectors which contain K pairs consisting of an N bit integer

and a log r bit integer Finally each voter p osts one additional bit thereby

indicating its vote Thus each of the L voters may p ost up to KN

K M N log r bits of information on its message b oard

Each teller must p ost an n and y of N bits each and for each insp ector

up to bits and up to bits to answer each of the up to I challenges

Later each teller must p ost a log r bit tallyshare and M N bit integers to

prove the validity of its tallyshare Thus each of the K tellers may p ost up to

N log r M bits of information on its message b oard

Each insp ector may p ost up to N bit challenge messages for each of the

K tellers To interactively prove the validity of each of these challenges each

insp ector p osts up to and capsules each containing two N bit messages For

each challenge an insp ector must then p ost decomp ositions of up to values

each consisting of a log r bit message and an N bit message Each insp ector

must then p ost a decomp osition again consisting of a log r bit message and an

N bit message for each challenge Thus each of the I insp ectors may p ost up

to K N K N K N log r K N log r bits of information

on its message b oard

The bit generators must each p ost a total of L K bits

Correctness

In this section we give the pro of that the scheme S presented in section is a

veriable J K L election scheme as dened in section

The main to ol in showing that the announced tally is correct is the use of

interactive pro ofs The basic idea of these interactive pro ofs is to force an agent

who would pro duce fraudulent information to outguess the bit generators As

long as at least one of the generators and one of the insp ectors is honest this

can b e done successfully with only low probability

The interactive pro ofs completed b etween the insp ectors and the tellers give

th

extremely high condence that each y is not an r residue mo dulo n By theo

CHAPTER SECRETBALLOT ELECTIONS

rem this implies that each r n y triple is prime consonant and therefore

c r

that each w Z is expressible as w y z with z Z for at most one integer

n

n n

c such that c r

The remaining interactive pro ofs give extremely high condence that each

vote cast is valid and that the tallyshare released by each teller represents the

actual residue class of the tellers comp onent of the pro duct of the votes cast

Since by lemma the pro duct of valid votes yields a vote whose type is

the sum of the types of the votes this type represents the number of yes votes

cast in the election and once at least J tellers have released and interactively

proven their tallyshares this election tally can b e computed This is used to

derive the following lemma

Lemma If at least one bit generator is honest and at least one inspector is

N

honest then with probability at least L check go o d if and only

V

if voter V votes properly

Pro of

If V votes prop erly then by construction check go o d and by the timing

V

analysis of section V can complete its proto col in p olynomially b ounded

time If V do es not vote prop erly then by denition V p osts some message

which is inconsistent with its following either of its two prescrib ed proto cols

Such a digression will b e caught by the interactive pro of of vote validity and

therefore check bad unless the interactive pro of fails But this o ccurs with

V

N

3

probability at most L

Lemma If at least one bit generator is honest and at least one inspector is

N

honest then with probability at least K check k go o d if and

T

only if tel ler T acts properly

k

Pro of

If T acts prop erly then by construction check k go o d unless teller T

k T k

selects a false prime as a factor of its rst parameter N By construction

k

N

this can only happ en with probability less than K By the timing analysis

of section T can complete its proto col in p olynomially b ounded time

k

Thus the probability that teller T acts prop erly and check k bad is at most

k T

N

K

If T do es not act prop erly then the digression could o ccur in one of several

k

places T could p ost a pair of election parameters n y such that r n y

k k k k k

CORRECTNESS

is not consonant T could fail to answer one or more of the valid insp ector

k

challenges to its pair T could p ost an invalid tallyshare Finally T could fail

k k

to complete the interactive pro of of the validity of its tallyshare If T p osts

k

a pair which do es not meet the consonance criterion then it will not b e able

to correctly answer the challenges of the at least one by assumption honest

insp ector and this will cause check k bad If r n y were not conso

T k k

nant then T could answer these challenges correctly with probability no greater

k

N

2

K If T fails to answer a valid insp ector challenge then than

k

check k bad by construction Similary check k bad if T fails to com

T T k

plete the interactive pro of of the validity of the tallyshare If T completes the

k

interactive pro of of the tallyshare and r n y is consonant then the tally

k k

share could only b e invalid if its interactive pro of failed which can happ en with

N

4

probability no more than K Thus the probability that a teller T

k

N

acts improp erly while check k returns go o d is at most K

T

N

Therefore with probability at least K check k go o d if and

T

only if teller T acts prop erly

k

By lemmas and if at least one bit generator is honest and at least one

insp ector is honest then even if none of the tellers and none of the voters are

N

prop er the joint probability is at most that check returns go o d and the

election tally is not correct

This is sucient to give the following theorem

Theorem The election schema of section is veriable

Pro of

It can only b e the case that check go o d and the election tally is incorrect if

at least one teller T for which check k go o d releases an incorrect tallyshare

k T

or if the vote of a voter which did not vote prop erly was counted towards the

k

tally By lemma and since there are K tellers the probability of the former

N N

case is b ounded by K K and by lemma and since there are at

N N

most L voters the probability of the latter case is b ounded by LL

Thus the probability that the election tally is incorrect and go o d is b ounded

N N

by and therefore the election schema of section is veriable

N

with condence

N

Since the function grows faster than any p olynomial function P N the

election schema of section is veriable

CHAPTER SECRETBALLOT ELECTIONS

Security

It remains to b e shown that compromising the votes of prop er voters is hard Un

fortunately signicant lower b ounds have b een very scarce in theoretical com

puter science The nature of publickey cryptography in particular makes it

dicult to imagine a schema for which a sup erp olynomial lower b ound on secu

rity would not immediately separate P and NP We must therefore b e willing to

settle for an equivalence result a result that proves by a rigorous reduction

that any breach of security would yield an ecient algorithm to solve a natural

problem which is b elieved to b e hard Not surprisingly the problem of compro

mising an election is closely related to the problem of deciding residuosity and

the prime residuosity assumption

It is easy to see that an oracle with the ability to decide residuosity can

determine how individual voters voted in an election It will however require

far more eort to show that any oracle which in p ossible collusion with voters

tellers insp ectors and bit generators can gain even a small advantage b eyond

chance at deciphering votes of honest voters can itself b e used to gain nontrivial

information ab out deciding residues

An Overview of the Reduction

The formal reduction is quite tedious however the basics are reasonably palat

able To b egin with we shall assume that we have a minimal set of honest agents

at our disp osal In order to maintain any privacy of votes we require at least one

honest bit generator at least K J honest tellers and a set of honest vot

ers which contains at least two opp osing voters Without some opp osition among

the honest voters the dishonest voters could subtract their subtally from the

election tally and see that all honest voters cast the same votes The remaining

agents may all conspire or some may just run their usual assigned proto cols

We will see that whenever the conspirators are able to gain b etter than chance

information ab out the votes of honest voters the conspirators may themselves

b e used to give information ab out residues

Assume without loss of generality that the honest tellers are denoted by

T T T and that bit generator G is honest Consider elections in which

each teller T has selected parameters n y We will see that for any such

SECURITY

parameter sets on which the conspirators have an advantage at distinguishing

b etween votes the conspirators may b e used to with a comparable advantage

decide residuosity mo dulo n for at least one Intuitively with

this minimal set of honest election functionaries an election is only as strong as

the weakest of the n chosen It will then b e seen that obtaining even an inverse

p olynomial advantage at distinguishing b etween votes in an inverse p olynomial

fraction of all elections is sucient to violate the prime residuosity assumption

The reduction will show that if we are given a set of such n for which we do

not know the factorizations we can decide residuosity mo dulo at least one of the

n with the same advantage as that with which the conspirators can distinguish

b etween votes

To accomplish this we start by simulating an election with the given n as

parameters It will b e shown that it is p ossible by rep eatedly starting stopping

and restarting an election to simulate an election with the same distribution that

honest elections would have if the factors of the n were known By assumption

therefore the conspirators will demonstrate some advantage at distinguishing

b etween votes in this case

We next rep eat the pro cess except with y changed from a random nonresidue

as sp ecied by the proto col to a random residue mo dulo n We continue

changing the y one at a time from nonresidues to residues until for all such

th

that the y are r residues mo dulo n

It will b e shown that when all y are residues mo dulo their resp ective n a

p erfect symmetry exists and that the conspirators will b e completely unable to

gain an advantage at distinguishing b etween votes since every vote could equally

well represent a yes or a no Since this is so the initial advantage of the

adversaries must have dropp ed by at least on some ip of a y from non

residue to residue For this n we are able to decide residuosity by substituting

unknown quantities for y and measuring the advantage attained

Simulating Elections

The rst task of the reduction is to show how to simulate elections ie to simulate

the duties of honest tellers when in fact the factors of their mo duli are unknown

This puts us as the simulators in the somewhat o dd situation of controling the

honest agents and p erhaps causing them to stray from their prop er proto cols

CHAPTER SECRETBALLOT ELECTIONS

while the dishonest agents are out of our control and may very well run prop er

proto cols

To b egin with each honest teller T p osts its parameters n y and sub

mits itself to challenges from insp ectors which it must answer correctly The

honest insp ectors are not a problem since they may transmit the correct chal

lenge resp onses directly to the teller

To answer the challenges of the dishonest insp ectors we must employ a

technique which is common in pro ofs of interactive proto cols We observe that

even probabilistic machines may b e viewed as deterministic machines with access

to random stimuli usually a Turing machine with a random tap e If the machine

is given the same stimuli it will act in the same way Thus it is p ossible to run

an adversary to a certain p oint multiple times each time leaving the adversary

in the same state By altering later external inputs it is p ossible to observe an

adversarys resp onses to a variety of inputs at this p oint of the proto col

To answer the challenges put forth by dishonest insp ectors a teller need only

nd for each challenge w one value w for which the insp ector will decom

i ij

p ose both w and w w Recall that the interactive pro of asso ciated with

ij ij

i

the challenges requires the insp ector to decomp ose one or the other of w and

ij

w w and that the teller decides which of the two is to b e decomp osed With

ij

i

decomp ositions of b oth w and w w a teller can easily compute a decomp o

ij ij

i

sition of w and thereby successfully answer the challenge Thus by stopping and

i

restarting the adversary each teller can answer the challenges to its parameters

from any and all insp ectors even though it can not factor its own parameters

When the dishonest voters cast their votes each honest teller must de

termine its comp onent of the vote cast Without this information the teller

would not b e able to complete the election by pro ducing its tallyshare in the

nal phase In order to accomplish this a similar trick is used but there is a catch

here The bits which are generated for the voter this time are not pro duced by

the teller in question but rather by the bit generators If this were not so others

would have no condence in the legitimacy of the vote This is where the one

honest bit generator G b ecomes involved Since we the election simulators

control G we can change the value pro duced by G at various times in order to

change some of the bits to which voters must resp ond

By changing the value of G s bit we are able to force each dishonest voter V

to reveal a decomp osition of the vote which it cast With these decomp ositions

SECURITY

in hand each teller T is easily able to complete the election simulation

Note that after each stopping and restarting op eration the election state is

restored and the election is then continued from that p oint Thus if all simula

tions were successful the distribution of simulated elections would b e identical to

that of actual elections Unfortunately it may not always b e p ossible to simulate

an election

Denition Formally we say that an algorithm A is an r N election simulator

with P N success if for every parameter set

hn y n y n y i

such that for each r n y is exact consonant and each jn j N A can

without access to the factorization of one of the n run T T T G and

a set H of honest voters prop erly in the sense that the actions pro duced by

A are identical to those that would b e pro duced by T T T G and H

given that each T selected n y as its parameters Note that this is true

even though A do es not p ossess the factorization of one of the n

In this denition of an election simulator it is assumed that the simulator

is given the factorizations of all but one of the parameters n for the tellers T

which it must simulate Although it is p ossible to simulate elections in which the

factors of n are not known for any it will b e seen that for the reduction it is

sucient to simulate elections in which the factors of all but one n are known

Lemma For every prime r and every polynomial P N there exists an in

teger N such that for al l integers N N there exists a polynomial time r N

election simulator A with P N success

Pro of

Let P N b e an arbitrary p olynomial We give a constructive pro of which

denes an election simulator A which runs tellers T T T bit generator

G and the voters in H prop erly in p olynomial time with probability greater

than P N

Since we are only assuming control of the honest tellers T T T the

honest bit generator G and the honest voters H we may assume that all

other agents are dishonest and part of the conspiracy C

A b egins by instructing each honest teller T to announce n y as its

election parameters All tellers T for which A p ossesses the factors of n can b e

CHAPTER SECRETBALLOT ELECTIONS

simulated by A by executing the teller proto col precisely from this p oint on

Denote the one teller T for which the factorization of n is not available as

T and denote its parameters by n y Simulating the actions of T will require

a signicantly greater eort

First A must have T answer each challenge satisfactorily For each challenge

an insp ector will prepare for teller T a challenge value a w which is in either

RC or RC for which the T is supp osed to b e able to tell which

rn y rn y

   

and a set of capsules each consisting of one element from each of RC

rn y

 

and RC

rn y

 

Once all of the insp ectors have prepared and p osted all of their challenge

capsules teller T is instructed by A to randomly select a subset of each of these

sets of capsules

Insp ectors must then b egin decomp osing their subsets Each subset must b e

decomp osed by the insp ector and one element of each remaining capsule must

b e matched with the corresp onding w The match is accomplished by taking

i

mo d n an element w from each asso ciated capsule and decomp osing w w

ij ij

i

Consider one such subset of capsules to b e op ened If the insp ector do es not give

these decomp ositions then the challenge is invalid and should b e ignored by T

If the insp ector do es present T with appropriate decomp ositions then A backs

up the simulation and continues again from the p oint at which T selected the

subset of these capsules Here A instructs T to select another random subset

of the capsules The simulation is continued until these capsules are dealt with

There are two p ossibilities here The insp ector may once again present T with

appropriate decomp ositions In this case if the subset of capsules is dierent

there must b e at least one capsule which the insp ector b oth decomp osed and

matched with w This is sucient for A to determine w and thereby instruct

i i

T as to the prop er answer to the challenge If the insp ector this time refuses

to present T with appropriate decomp ositions then A once again backs up the

simulation and instructs T to try another subset Let I P N This

pro cess is rep eated up to times or until A is able to get each insp ector to

present a second set of decomp ositions for each challenge and thereby allow A to

compute each w If after attempts A is unable to get an insp ector to present

i

a second set of decomp ositions for a given challenge then the simulation fails If

however the appropriate decomp ositions are obtained then the simulation can continue

SECURITY

Once the challenge phase of the election is completed the ballot preparation

phase can b egin A instructs each honest voter in H to execute its normal

proto col A must then prepare to deal with the dishonest voters

Each dishonest voter prepares a master ballot B and additional scratch

ballots for each bit generator Once all ballots are prepared A instructs bit

generator G to select a random subset of the scratch ballots asso ciated with

it Other bit generators will also select subsets of the scratch ballots asso ciated

with them Voters must then decomp ose their ballots Each voter decomp oses

the designated ballots those in the selected subset and for each remaining ballot

B must decomp ose either B B or B nB If the voter do es not present these

decomp ositions it is acting improp erly and should b e ignored Once the de

comp ositions are obtained A backs up the simulation and instructs G to select

another random subset of the ballots asso ciated with it For each voter if this

second subset is decomp osed appropriately then if the subset is dierent there

must b e some ballot B for which the voter has presented decomp ositions of b oth

B and either B B or B nB This is sucient for A to completely decomp ose

B Let LP N This pro cess is rep eated up to times or until A is able

to get every voter to present a second set of decomp ositions and thereby allow

A to compute a decomp osition of B If A is unable to obtain a second set of

decomp ositions for some voter the simulation fails If however a decomp osition

of B is obtained for all voters then the simulation can continue

In the voting phase A simply instructs the set H of honest voters to vote

according to either assignment h or h dep ending up on the desired simulation

Since the evaluation function is a homomorphism the sum of the

decomp ositions of the votes cast is a decomp osition of the pro duct of the

votes cast Thus if there has b een no failure up to this p oint A has a complete

decomp osition of the vote pro duct and can complete the election directly A

simply instructs each honest teller T to release as its tallyshare the class of

th

comp onent of the vote pro duct as given by the decomp osition Since A

has a complete decomp osition the interactive pro of of these tallyshares can b e

completed normally

It is clear that with the choices of and given this simulation pro cess is

p olynomial in K L M and N

We must now analyze the probability of a successful simulation The simu

lation succeeds unless one of the insp ectors or voters gives a prop er rst set of

CHAPTER SECRETBALLOT ELECTIONS

decomp ositions but fails to give a second set of decomp ositions on any of the

subsequent tries Since these cases are indistinguishable to the conspirators we

may assume that all trials are indep endent

It is the goal of the conspirators to keep A from simulating an election

successfully Therefore we may assume that the conspirators will try to maximize

the probability of causing at least one insp ector or voter to decomp ose the rst

set of capsulesballots and to decomp ose no further sets This probability is

of course maximized by maximizing the probability of each insp ector and each

voter of achieving this goal

Let p b e the probability that an insp ector will decomp ose a given subset of

I

capsules remember that p is indep endent of the iteration since each iteration

I

lo oks like the rst and that p is indep endent of the insp ector since each is

I

trying to maximize the probability that it will cause the simulation to fail The

probability that a given insp ector will on a given challenge decomp ose the rst

subset and none of the subsequent subsets is

1 1

p p

I I

1

The term accounts for the p ossibility that the same subset is chosen since

this will not allow the challenge to b e answered Each of the I insp ectors can

challenge the honest teller T up to times Thus the total number of challenge

resp onses which must b e successfully simulated is b ounded by I

Similarly let p b e the probability that a voter will decomp ose a given subset

V

of ballots The probability that a given voter will decomp ose the rst subset and

none of the subsequent subsets is

3 2

p p

V V

There are L eligible voters so the total number of ballots which must b e success

fully decomp osed is b ounded by L

Now to see where the function f p p p reaches its maximum

value we may dierentiate

f p p p p

Therefore f p when

p or p

SECURITY

Clearly the maximum is achieved at p Thus the maximum

value attained by the function f p is

f

e e

where e is Eulers constant In particular when then f p

Thus with

dlog I log log K N e

and

I P N I dlog K N eP N

1

for suciently large N Also with dlog LN e and LP N

3

for suciently large N

Thus the probability of at least one insp ector challenge causing the simulation

to fail is less than

I

P N

and the probability of at least one voter causing the simulation to fail is less than

L

P N

Therefore the probability of a successful simulation is greater than

P N

for suciently large N

Remark Such a simulation could b e accomplished even if factorizations of none

of the n were available This would simply require increasing by a factor of

log K and by a factor of K to account for the additional challenges which

would have to b e answered by the back up and rep eat pro cess

CHAPTER SECRETBALLOT ELECTIONS

The Symmetry Condition

It is not at all hard to see that in pseudoelections in which the honest tellers

T T T K J select parameters n y where each

th

y is an r residue mo dulo n distinct vote assignments are indistinguishable

in an information theoretic sense This is so b ecause every vote assignment with

the prop er subtally among the honest voters is completely consistent with such

a pseudoelection

r

When y Z then all of the residue classes RC c are identical Thus

n

c r

if x is chosen randomly from Z then for every integer c w y x mo d n

n

r

represents a uniform selection from among the elements of Z Thus each w

n

could equiprobably b e used to indicate any class Hence any vote could just as

easily represent any other and all consistent vote assignments b ecome equally

meaningful Therefore in this case no p ossible adversary could do b etter than

chance at distinguishinging b etween vote assignments

Denition A n y n y n y pseudoelection is a transcript of an

election for which check go o d and for each teller honest teller T has selected

parameters n y

Lemma Let H be a set of honest voters and let h and h be two as

signments of votes to voters in H which have the same subtal ly over H Let

r

n y n y n y be such that each y is in Z Every pseudo

n

election transcript in which the voters in H vote according to h could also be

obtained by the voters in H voting according to h and viceversa

Pro of

A vector C hc c c i such that jjC jj t can b e uniformly selected

K J

by selecting J random values uniformly from Z and by lling the remaining

r

K J values with the unique elements of Z such that jjC jj t is

r J

true Thus in a J threshold K teller Lvoter election a vote of type t can b e

generated uniformly by rst selecting J random values uniformly from Z

r

and additional values to form a vector C with jjC jj t and then uniformly

J

selecting a vote W with disclosure C

Thus b eing given J comp onents of the disclosure of a uniformly generated

r

vote of any type t gives no information as to the type t If each y Z then

n

for each n y the residue classes RC c coincide for all integers c Thus

rn y

if a vote is formed by uniform selection with election parameters which include

SECURITY

these n y then the comp onents corresp onding to these parameters will

th

simply consist of random r residues Since the remaining J comp onents

although they have welldened disclosures are selected completely uniformly

and indep endently of the intended type a uniformly generated pseudovote W

will b e p erfectly consistent with any intended type

Thus all votes in such an election are completely consistent with all types

and pseudoelections in which the honest voters in H vote according to assign

ment h are identical to pseudoelections in which the honest voters in H vote

according to assignment h

The Formal Reduction

Denition A vector hn n n i is said to b e r N legitimate if for

every n jn j N and the pair r n is exact consonant

Denition An election is said to b e r N honest if hn n n i is

r N legitimate and if there exists a set T T T of honest tellers such that

each n is the rst comp onent of the election parameters selected by the teller

T

The ob ject now is to see how to take a sp ecic given n and gain an advantage

at deciding residuosity mo dulo this n For many such n no advantage will

b e attained but if it is p ossible to attain an inverse p olynomial advantage at

compromising elections with security parameter N then when N is suciently

large an inverse p olynomial advantage will b e obtained at deciding residuosity

mo dulo n for a p olynomially sized fraction of the p ossible values of n of size N

Recall from section that a conspiracy C is said to compromise privacy if

there exists some p olynomial P N such that for innitely many values of N

C can gain a P N advantage at distinguishing b etween some pair of vote

assignments in random elections with security parameter N in time P N

Theorem The prime residuosity assumption implies that there exists no

conspiracy C that compromises privacy

Pro of

We prove the theorem by contraposition

Fix r to b e a prime and assume that there exists some conspiracy C that

compromises privacy By assumption C is able to gain a P N advantage at

CHAPTER SECRETBALLOT ELECTIONS

distinguishing b etween some pair vote assignments in r N honest elections

for innitely many N

Consider rst the randomizing function f y which is dened to select

n

an integer c uniformly with c r and an x uniformly from Z and yield

n

c r

f y y x mo d n This randomizing function has the interesting prop erty

n

r

that when r n is exact consonant then if y Z f y is a uniformly selected

n

n

r

r r

then f y is a uniformly selected member of Z Z member of Z and if y

n

n n n

We now dene the family of algorithms B For i let B b e an

i i

algorithm which takes as input the pair n y and acts as follows B uniformly

i

selects for i values n such that each jn j N and each

pair r n is exact consonant as in lemma Then for i B

i

r

r

and for i B uniformly selects y uniformly selects y Z Z

i

n n

Note that B can retain the factorizations of these n so generating these y

i

as prescrib ed is not a problem B also selects a random bit b f g B

i i

then sets n n and y f y and by lemma simulates an election with

i i n

parameters hn y n y n y i and with an assignment h of votes

b

to honest voters in H where h and h are assignments of votes to voters in H

which C is assumed to distinguish b etween with an inverse p olynomial advantage

Unless the simulation fails the output of C is a bit c f g If the simulation

fails we set c The output of B is the exclusiveor b c Thus except

i

in the case where the simulation fails output B precisely when outputC

i

matches the choice of the vote assignment h on which C is run

b

For the most part there is no guarantee that C will do anything at all with

these simulated elections ie the output of C could always b e since a p owerful

th

residues and might therefore C may b e able to detect that some of the y are r

refuse to participate in an election or cause the simulation to always fail There

are however some constraints that can b e placed on C Let p b e the probability

that C outputs given that b Let p b e the probability that C outputs

given that b Let q denote the probability that outputB

i i

First of all as n varies among values such that r n is exact consonant and

r

Z then the simulated elections represent a uniform sampling of actual y

n

elections with N jnj By assumption C gains a P N advantage at distin

guishing b etween h and h for innitely many N By denition this implies

that jp p j P N By lemma we may run the simulator B such that

it succeeds with probability greater than P N Therefore when y is

SECURITY

th

not an r residue jq j P N

Next when B is given an n such that the pair r n is exact consonant

r

and a y Z then lemma applies and hence C can attain no advantage

n

whatso ever at distinguishing b etween h and h Thus in this case q

Finally as n varies among values such that r n is exact consonant B when

i

r

r

Z Thus given a y Z will b e indistinguishable from B when given a y

i

n n

the same advantage at distinguishing b etween h and h will b e obtained in b oth

of these cases

For a xed N let a denote the overall value jq j when the input n y

i i

r

to B is such that r n is exact consonant jnj N and y Z and let b

i i

n

denote the overall value jq j when the input n y to B is such that r n is

i i

r

exact consonant jnj N and y Z The ab ove arguments give the following

n

chain

P N a b a b a b

This implies that for each of the innitely many N for which C gains a P N

advantage at distinguishing b etween h and h there exists some i such that

ja b j P N Let denote a value for which ja b j P N

i i

for innitely many values of N There must exist at least one such

We now have that for innitely many values of N the algorithm B when

r

has a probability of outputting Z given inputs n with jnj N and y with y

n

which diers by at least P N from the probability of outputting when

r

jnj N and y Z This B will b e used to develop an algorithm which decides

n

th

r residues

Let A b e an algorithm which takes as input integers n and y with y Z

n

A runs B on the pair n y For innitely many values of N B distinguishes

r

r

b etween the case y Z and the case y Z with a P N advantage

n n

when jnj N and r n is an exact consonant pair

For convenience we say that a given n is decided if for that n B gains

more than a P N advantage at distinguishing b etween residues and non

residues We will see that at least a P N fraction of the n of size N such

that r n is exact consonant are decided by B

The worst case o ccurs when for as many n as p ossible B gains exactly a

P N advantage The overall advantage however must b e P N

To further the worstcase scenario assume that each n which is decided is decided

CHAPTER SECRETBALLOT ELECTIONS

with certainty ie with advantage If only a P N fraction of the n

were decided it would still not raise the overall advantage to quite P N

Thus at least a P N fraction of the n of size N such that r n is exact

consonant are decided by B

th

Hence for innitely many N A decides r residues with a P N

advantage for at least a P N fraction of the n of size N such that the

pair r n is exact consonant and this advantage is achieved in time p olynomial

in N This violates the prime residuosity assumption and therefore the theorem

is proven

Usage and Optimizations

For a relatively large election p erhaps L voters K

tellers M bit generators I insp ectors and condence

the computations required by the election schema given here are near the edge

of feasibility on p owerful machines There are several approaches to making the

entire pro cess more managable

Parallelization

First the entire schema is massively parallelizable All of the rep eated steps

in every subphase can b e p erformed in parallel and with a large number of

pro cessors each voter proto col can b e p erformed with only O N sequential

N bit multiplications and divisions The time to complete the teller proto cols is

dominated by the time to determine residue classes Besides b eing able to handle

separate insp ector challenges in parallel the compilation of a residue class table

th th

of r ro ots of unity or the search for a recognized r ro ot of unity can easily

b e parallelized Finally the check function can also easily b e run with very few

sequential dep endencies

Asynchrony

Although the denitions of an election system given in section require that

the pro cessors b e synchronous it do es not seem that this is necessary for the

election schema given in section Within each of the four election phases

USAGE AND OPTIMIZATIONS

there are as many as six ma jor steps to b e p erformed The pro cessors need

not run synchronously as long as all pro cessors have completed each step b efore

b eginning the next

Other Streamlining

Even when run sequentially there are several variants which may b e used to make

the election schema more ecient First if an unpredictable random source can

b e found and agreed up on then the set G of bit generators can b e reduced to

size M As mentioned earlier a bit generator of this form is often called a

beacon Rabia

Even when no b eacon is available the bit generators may use the exclusiveor

of their individual bits to form a simulated b eacon In order to accomplish this

the bit generators select parameters and answer challenges from insp ectors just

as do the tellers Each generator then can use its parameters to encrypt each

bit as it is released When all bit generators have released an encrypted bit

the decryptions are revealed and the exclusiveor of the decrypted bits is used

as a simulated b eacon bit This prevents the last generator from deciding the

outcome of the simulated b eacon bit

To take this approach a step further the tellers can be the bit generators

Tellers can use their already chosen and tested parameters to encrypt bits to

simulate a b eacon This combination is quite app ealing since the security of the

election already assumes that at least K J tellers are honest and only one

honest bit generator is needed to ensure correctness

The choice of the insp ector set I can play a large role in the eciency of

an election The insp ector set can consist of the entire electorate all voters

but this can b e very exp ensive Instead of each voter challenging each teller

each bit generator can challenge each teller In the case where the tellers and

the bit generators are the same set each teller tests every other Since it is

necessary to trust at least one bit generator anyway the bit generators can act

as surrogates for the purp ose of testing the tellers This do es not work however if

the bit generators are natural sources or a b eacon rather than generators since a

challenge requires computation and the maintainance of secret information The

tellers themselves can of course act as the insp ectors and challenge each other

This makes go o d sense if the tellers are already acting as the bit generators as

CHAPTER SECRETBALLOT ELECTIONS

mentioned previously

Extensions and Variations

The secretballot election schema describ ed in this chapter is quite exible and

adaptable to a variety of purp oses and changing circumstances Some of these

variations will b e describ ed b elow

Multiway Elections

So far we have considered only elections with two p ossible choicesyes and

no The schema presented extends easily to elections where many choices are

allowed

One metho d to hold a threeway election for example would b e to select an

e

integer r greater than the number of eligible voters and to choose the election

e

prime r to b e greater than r rather than just greater than the number of eligible

voters Votes cast by voters would b e constrained to one of the following three

e

types choice A type r choice B type and choice C type Three

comp onent capsules are used to constrain the votes to b e of one of these three

e e

forms Since r is greater than the number of eligible voters and r r the

pro duct of the votes will b e of a type t which is unique mo dulo r and this t

e e

in turn is uniquely expressible as t ar b for b r The values of a

and b resp ectively denote the number of votes for choices A and B and the

remaining valid votes are for choice C It is easy to see how to extend this

approach to elections with more than three choices

Moti Yung has suggested an alternative metho d for holding multiway elec

tions The approach is somewhat similar to the Bo olean circuit satisability

scheme describ ed in section For a threeway election three comp onent

capsules are again used Each comp onent of the unordered three comp onent

capsules would consist of an ordered triple of votes The ordered triple would con

sist of one yes vote and two no votes The yes would app ear in each of the three

ordered p ositions exactly once in each capsule That is a capsule would lo ok

like fno no yes no yes no yes no nog and the actual vote cast would b e

a triple of one of these three forms Three separate counters are maintained

one corresp onding to each of three choices A B and C A vote triple of the

EXTENSIONS AND VARIATIONS

form no yes no for example would put a no vote into the A counter a yes

vote into the B counter and a no vote into the C counter The pro duct of

the votes in each of the three counters is taken separately and a tally of each of

the three counters is formed as in the general schema Each counter tally then

represents the number of votes cast for the corresp onding choice Once again

it is easy to see how this metho d can b e extended to elections with more than

three choices

Preferential Voting

The previous metho ds enable the pro duction of tallies in elections with more

than two choices but they do not indicate how to make use of these tallies to

decide an issue such as which of three candidates will win an elective oce

One may of course simply declare the candidate with the largest number of

votes to b e the winner This so called plurality rule suers from several serious

problems It is p ossible with plurality voting for instance to elect a candidate

who has only minority supp ort and in fact strong ma jority disapproval

Additional exibility can b e obtained by allowing each voter one of six choices

These choices would corresp ond to the six p ossible preference rankings among

the three candidates The number of voters who select each of the six preference

lists could then b e determined and a preferential voting metho d could b e applied

to these results

Unfortunately the results of Kenneth Arrow Arro indicate that even

with a complete list of voter preferences no voting metho d exists which will

always choose a winner which satises a small number of highly desirable criteria

Even though Arrows work shows that no voting metho d is p erfect there are

alternatives to plurality voting and once the list of voter preferences has b een

compiled any voting rule can b e used to determine a winner

One quite interesting rule is called approval voting see Stra With ap

proval voting each voter can cast one or zero votes in favor of each candidate and

the candidate who receives the most votes is the winner It can b e shown that

with approval voting it is in each voters interest to cast votes for all candidates

ab ove a certain threshold of acceptability Approval voting is particularly useful

when there are several identical electoral p ositions to b e lled such as atlarge

seats on a city council Here the candidates with the most votes ll the seats

CHAPTER SECRETBALLOT ELECTIONS

Approval voting can b e implemented quite easily within the general secret

ballot election schema Each voter prepares a ballot for each candidate exactly

as ballots were prepared b efore Then each voter casts one vote from each ballot

for each candidate In this way each candidates tally can b e computed

Giving the Winner without the Tally

Adi Shamir suggested the problem of holding a secretballot election in which

all participants are condent of the winner but in which the actual tally of

the election is not released Shamir together with Oded Goldreich and Ron

Rivest oered ideas which led to a solution limited to the single teller centralized

government case

The idea is to hold an election as usual except for the release of the tally At

this p oint instead of showing that a sp ecic tally is the case the government

shows that al l p ossible tallies which would cause the losing choice to win are

not the case This can b e accomplished by using the interactive pro of metho d of

section up to r times to show that the vote pro duct is not a member of

any of the up to r p ossible residue classes which would cause the losing choice

to win This solution is describ ed in somewhat greater detail in Cohe

Related Schemas

In addition to the election schema presented in this chapter a number of related

schemas which all conform to the election paradigm of Figure can b e devised

One of these schemas is based up on the diculty of computing the discrete

logarithm mo dulo a known prime Adle PoHe COS Another is

based up on the diculty of determining the order of an element mo dulo the

pro duct of two unknown primes A third prop osed schema encrypts a vote using

the low order bit of a message encrypted by RSA RSA

The ma jor requirement of such a schema seems to b e the existance of a

function that can b e computed on a set of encrypted data which preserves the sum

of the unencrypted comp onents see RAD The variety of number theoretic

problems on which such schemes can b e based and the ease with which they have

b een found gives additional reason to b elieve in the usefulness of the general paradigm

Chapter

Conclusions

It do es not seem likely that the metho ds for holding a veriable secretballot

election presented in this thesis will b e used in actual elections in the near future

The schema is reasonably practical and advances in technology can b e exp ected

to make the schema quite fast however public acceptance and the widescale

availability of the required technology seem to b e some distance away

The pro cess of implementing a schema such as this is p olitical and not tech

nical and in some regions it is not in the interests of those in p ower to have

veriable elections There are many asp ects of elections which are simply b eyond

the scop e of this work The maintainance of eligible voter rolls for instance is

not addressed at all In fact all public asp ects of elections are completely inde

p endent of this work The results given in this thesis merely allow the private

comp onent of secretballot elections to b e managed as though it to o were public

It is also true in our current so ciety that distrust of science and scientists

is widespread It do es not seem to b e satisfactory to implement a veriable

secretballot election schema that will only serve to convince a select few who

understand the mathematics Fortunately the mathematics in this schema is

although somewhat detailed accessible at the undergraduate level or even con

ceivably the high school level If an election schema such as this were to b e

adopted for largescale use it could b e accompanied by an eort to educate p eo

ple ab out the mechanism involved A short undergraduate mathematics course

or even an advanced high school course should b e sucient for this purp ose

One of the motivations for this work has b een the desirability for preferential

elections The current plurality voting rules most frequently used seem all to o

CHAPTER CONCLUSIONS

often to place a candidate with a minority mandate into oce The addition of

runo elections which are used in some areas improve the prosp ects slightly but

they still leave much to b e desired

Although Kenneth Arrow has shown that no voting rule can b e completely sat

isfactory the implementation of an alb eit imp erfect preferential voting system

could improve current systems tremendously It seems however that largescale

preferential voting is b eyond our ability to implement with pap er or mechani

cal voting technology Electronic technologies could however b e used for this

purp ose

In fact it is ever more the case that current elections are b egin conducted with

electronic technologies This is esp ecially true for the pro cess of vote counting

As the electronic comp onent to elections b ecomes more pronounced our con

dence in b oth the privacy of our votes and the accuracy of the tally should wane

It is generally felt that smallscale corruption or errors in manual or mechanical

voting systems would lead to only a small number of erroneous votes or violated

privacies Such is not the case however with electronic systems where small

bugs intential or unintentional can easily lead to huge shifts of votes or the

public disclosure of large numbers of votes It seems evident that if we are to

bring computerization into our electoral pro cesses then we must do it in such a

way as to preserve the integrity of the pro cess and to prevent the concentration

of p ower into the hands of the few who control the pro cess The adoption of a

schema of the sort presented here could do much towards serving these ends

It is p ossible to envision a so ciety in which small voting devices or voting

software are available from a variety of vendors Such devices or software could

p erhaps b e plugged into voting outlets at various centers or even in the home

The advantages that could b e attained by implementing such a system are

numerous They include the p ossibility of preferential voting p erhaps made

simple through an interactive system condence in the outcome condence in

privacy greater ease and exibility in voting and far greater sp eed in computing

results It would even b e p ossible although probably not eective to implement

a mo dern Athenian demo cracy in which ma jor issues are brought b efore the

public for a rapid vote

Many of these ideas may seem overly ambitious and unrealistic but we should

b e aware that the technology exists to make them p ossible If the will of so ciety

were to shift towards these goals the technology required to achieve them could

b e ready

Of more immediate interest are the to ols that have b een built which allow

for the construction of veriable secretballot elections The election encryption

function gives a highdensity metho d of probabilistic encryption which has a

wide variety of applications Cryptographic capsules have applications to current

needs in user authentication and in electronic funds transfer for example Secret

sharing homomorphisms have applications in many instances where computing of

shared encrypted data arises And even if it is somewhat wistful an imp ortant

application of all of these metho ds makes p ossible the holding of largescale

robust and veriable secretballot elections

Bibliography

AdHu Adleman L and Huang M Recognizing Primes In Random

th

Polynomial Time Proc ACM Symp on Theory of Computing

New York NY May

Adle Adleman L Sub exp onential Algorithm for The Discrete Loga

th

rithm Problem Proc IEEE Symp on Foundations of Com

puter Science San Juan PR Oct

Adle Adleman L On Distinguishing Prime Numbers from Comp osite

st

Numbers Proc IEEE Symp on Foundations of Computer

Science Syracuse NY Oct

AdMc Adleman L and McDonnell R An Application of Higher

rd

Recipro city to Computational Number Theory Proc IEEE

Symp on Foundations of Computer Science Chicago IL Nov

AFK Abadi M Feigenbaum J and Kilian J On Hiding In

th

formation from an Oracle Proc ACM Symp on Theory of

Computing New York NY May

Angl Angluin D Lecture Notes on the Complexity of Some Problems

in Number Theory TR Yale University Department of Com

puter Science New Haven CT Aug

AnLi Angluin D and Lichtenstein D Provable Security of Cryp

tosystems a Survey TR Yale University Department of

Computer Science New Haven CT Oct

BIBLIOGRAPHY

APR Adleman L Pomerance C and Rumley R On Distin

guishing Prime Numbers from Comp osite Numbers Annals of

Math

Arro Arrow K Social Choice and Individual Values John Wiley and

Sons New York

AsBl Asmuth C and Blo om J A Mo dular Approach to Key Safe

guarding Texas AM University Department of Mathematics

College Station TX

th

Baba Babai L Trading Group Theory for Randomness Proc

ACM Symp on Theory of Computing Providence RI May

Benaa Benaloh J Cryptographic Capsules A Disjunctive Primitive for

Interactive Proto cols Crypto Santa Barbara CA Aug

Benab Benaloh J Secret Sharing Homomorphisms Keeping Shares of

a Secret Secret Crypto Santa Barbara CA Aug

nd

BenO BenOr M Probabilistic Algorithms in Finite Fields Proc

IEEE Symp on Foundations of Computer Science Nashville TN

Oct

BenO BenOr M Another Advantage of Free Choice Completely

nd

Asynchronous Agreement Proto cols Proc ACM Symp on

Principles of Distributed Computing Montreal PQ Aug

BeYu Benaloh J and Yung M Distributing the Power of a Gov

th

ernment to Enhance the Privacy of Voters Proc ACM Symp

on Principles of Distributed Computing Calgary AB Aug

Blak Blakley G Safeguarding Cryptographic Keys Proc AFIPS

National Computer Conference New York NY June

BIBLIOGRAPHY

BlMe Blakley G and Meadows C A Database Encryption Scheme

Which Allows the Computation of Statistics Using Encrypted

Data Proc IEEE Symposium on Computer Security and Privacy

Oakland CA Apr

BrCr Brassard G and Crep eau C ZeroKnowledge Simulation of

Bo olean Circuits Crypto Santa Barbara CA Aug

CGMA Chor B Goldwasser S Micali S and Awerbuch B Ver

iable Secret Sharing and Achieving Simultaneity in the Presence

th

of Faults Proc IEEE Symp on Foundations of Computer

Science Portland OR Oct

Chau Chaum D Untraceable Electronic Mail Return Addresses and

Digital Pseudonyms Comm ACM Feb

Chaua Chaum D Demonstrating that a Public Predicate can b e Satis

ed Without Revealing Any Information Ab out How Crypto

Santa Barbara CA Aug

Chaub Chaum D Elections with Unconditionally SecretBallots and

Disruption Equivalent to Breaking RSA unpublished manuscript

CoFi Cohen J and Fischer M A Robust and Veriable Crypto

th

graphically Secure Election Scheme Proc IEEE Symp on

Foundations of Computer Science Portland OR Oct

Cohe Cohen J Improving Privacy in Cryptographic Elections TR

Yale University Department of Computer Science New Haven

CT Feb

COS Copp ersmith D Odlyzko A and Schroepp el R Discrete

Logarithms in GF p Algorithmica

DiHe Die W and Hellman M New Directions in Cryptography

IEEE Trans on Information Theory Nov

BIBLIOGRAPHY

DLM DeMillo R Lynch N and Merritt M Cryptographic Pro

th

to cols Proc ACM Symp on Theory of Computing San Fran

cisco CA May

Feig Feigenbaum J Encrypting Problem Instances or Can You Take

Advantage of Someone Without Having to Trust Him Proc Crypto

Santa Barbara CA Aug Published as Ad

vances in Cryptology ed by H Williams in Lecture Notes in Com

puter Science vol ed by G Go os and J Hartmanis Springer

Verlag New York

Fisc Fischer M The Consensus Problem in Unreliable Distributed

Systems Proc International FCTConference Borgholm

Sweeden Aug Published as Foundations of Com

putation Theory ed by M Karpinski in Lecture Notes in Computer

Science vol ed by G Go os and J Hartmanis SpringerVerlag

New York

FMR Fischer M Micali S and Racko C A Secure Proto col for

the Oblivious Transfer Presented at Eurocrypt Paris France

Apr Not in pro ceedings

Fort Fortnow L The Complexity of Perfect ZeroKnowledge Proc

th

ACM Symp on Theory of Computing New York NY May

Gaus Gauss C Disquisitiones Arithmeticae Translated by

Arthur A Clarke and published by Yale University Press New

Haven Reprinted by SpringerVerlag New York

GHY Galil Z Hab er S and Yung M A Private Interactive Test

of a Bo olean Predicate and MinimumKnowledge PublicKey Cryp

th

tosystems Proc IEEE Symp on Foundations of Computer

Science Portland OR Oct

GMR Goldwasser S Micali S and Racko C The Knowledge

th

Complexity of Interactive Pro ofSystems Proc ACM Symp

on Theory of Computing Providence RI May

BIBLIOGRAPHY

GMT Goldwasser S Micali S and Tong P Why and How to Es

rd

tablish a Private Co de On a Public Network Proc IEEE

Symp on Foundations of Computer Science Chicago IL Nov

GMW Goldreich O Micali S and Wigderson A Pro ofs that

Yield Nothing But their Validity and a Metho dology of Crypto

th

graphic Proto col Design Proc IEEE Symp on Foundations

of Computer Science Toronto ON Oct

GMW Goldreich O Micali S and Wigderson A How to Play

Any Mental Game or A Completeness Theorem for Proto cols with

th

Honest Ma jority Proc ACM Symp on Theory of Computing

New York NY May

GoKi Goldwasser S and Kilian J Almost All Primes Can b e

th

Quickly Certied Proc ACM Symp on Theory of Computing

Berkeley CA May

GoMi Goldwasser S and Micali S Probabilistic Encryption How

to Play Mental Poker Keeping Secret All Partial Information

th

Proc ACM Symp on Theory of Computing San Francisco

CA May

GoMi Goldwasser S and Micali S Pro ofs With Untrusted Oracles

Unpublished Manuscript May

GoMi Goldwasser S and Micali S Probabilistic Encryption J

Comp Sys Sci

GoSi Goldwasser S and Sipser M Private Coins versus Public

th

Coins in Interactive Pro of Systems Proc ACM Symp on

Theory of Computing Berkeley CA May

Koth Kothari S Generalized Linear Threshold Scheme Proc Crypto

Santa Barbara CA Aug Published as Ad

vances in Cryptology ed by G Blakely and D Chaum in Lecture

Notes in Computer Science vol ed by G Go os and J Hart

manis SpringerVerlag New York

BIBLIOGRAPHY

Kran Kranakis E Primality and Cryptography John Wiley and Sons

New York

MaAd Manders K and Adleman L NPComplete Decision Problems

for Binary Quadratics J Comp Sys Sci

Merr Merritt M Cryptographic Proto cols PhD Thesis presented

at Georgia Institute of Technology Feb

Mill Miller G Riemanns Hyp othesis and Tests for Primality Re

search Rep ort Cs Department of Computer Science Univer

sity of Waterloo Waterloo ON Oct Abridged version in

th

Proc ACM Symp on Theory of Computing Albuquerque NM

May

Mill Miller G Riemanns Hyp othesis and Tests for Primality J

Comp Sys Sci

NiZu Niven I and Zuckerman H An Introduction to the Theory of

rd

Numbers ed John Wiley and Sons New York

PoHe Pohlig S and Hellman M An Improved Algorithm for Com

puting Logarithms Over GF and Its Cryptographic Signicance

IEEE Trans on Information Theory Jan

Rabi Rabin M Digitalized Signatures and Publickey Functions as

Intractable as Factorization MITLCSTR MIT Technical

Rep ort Jan

Rabi Rabin M Probabilistic Algorithms in Finite Fields SIAM Jour

nal on Computing May

Rabia Rabin M Transaction Protection by Beacons J Comp Sys

Sci Oct

th

Rabib Rabin M Randomized Byzantine Generals Proc IEEE

Symp on Foundations of Computer Science Tucson AZ Nov

BIBLIOGRAPHY

RAD Rivest R Adleman L and Dertouzos M On Data Banks

and Privacy Homomorphisms Foundations of Secure Computa

tion ed by R A DeMillo et al Academic Press New York

RSA Rivest R Shamir A and Adleman L A Metho d for Ob

taining Digitial Signatures and Publickey Cryptosystems Comm

ACM Feb

Sham Shamir A How to Share a Secret Comm ACM Nov

SoSt Solovay R and Strassen V A Fast MonteCarlo Test for Pri

mality SIAM Journal on Computing

Stra Stran P Topics in the Theory of Voting Birkhauser Boston

rd

Yaoa Yao A Proto cols for Secure Computations Proc IEEE

Symp on Foundations of Computer Science Chicago IL Nov

Yaob Yao A Theory and Applications of Trapdo or Functions Proc

rd

IEEE Symp on Foundations of Computer Science Chicago IL

Nov