evoting (requirements & protocols). 1) Aggelos Kiayias, Moti Yung : Selftallying Elections and Perfect Ballot Secrecy 2) Jens Groth : Efficient Maximal Privacy in Boardroom Voting an d A nonymous Broadcas t. Types of Adversary. 1)Passive
Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.
evoting(requirements & protocols)
1) Aggelos Kiayias, Moti Yung:
Selftallying Elections and Perfect BallotSecrecy
2) Jens Groth:
Efficient Maximal Privacy in Boardroom Voting and
Anonymous Broadcast
1)Passive
Static
2)Active
Adaptive(or Dynamic)
3)FailStop
Corrective Fault Tolerance
(More relaxed form of robustness)
hi:=h (voter’s public key).
k
a
i
(select n1 values and set s i,n:= s i,j ).
R i,j:=g and R’i,j:=hj
along with a proof of knowledge that log R i,j=logR’i,j.
R’j = R’i,j, and publishes it on the board.
s
s
i,j
i,j
g
h
j
Interactive Proof of Knowledge
Theorem: After the completion of the prevoting phase
i)Any thirdparty can verify that log R i,j=logR’i,j.
ii)Any thirdparty can verify that s i,j=0.
iii)If at least one voter chose the s i,j values randomly, then the values t j= s i.,j are random in q, with the
property that tj=0.
g
h
j
1
t
j
t
v
j
j
v
j
n+1
n1
Two cases:
S:=set of voters who didn’t participate
S:=set of remaining voters
Each voter Vk, k S, publishes R’’:=h , together with a noninteractive proof of knowledge for
Then the bulletin board authority modifies the values
_
_
s
k,j
k
k
The values R’k are changed to satisfy the properties
of Theorem, especially (iii), with tk:=log R’k . It is
easy to see that tk=0 and that the values tk are
random in q, if at least one voter chose the si,j
randomly.
h
k
S’:=set of voters who didn’t cast a vote
S’:=set of remaining voters
Each Voter Vk, k S’ publishes ek:= sk,j and
Φk:=( R’j,k) .
The value of ek can be publicly verified by checking
g := Rk,j
Φk must be accompanied by a PK as before.
_
_
a
1
k
e
k
The tally computation can be performed by any third party:
T:= B h (Φ )
It is easy to see that T {f ,…,f }, so the number of the positive votes can be found with a brute force attack as before.
e
1
k
k
k

tj
0
n1
c1
Theorem: The described protocol satisfies privacy, fairness(assuming the existence of an honest authority that casts the lest 0vote), universalverifiability, correctivefault tolerance, disputefreeness, selftallying and perfect ballot secrecy.
Simple protocol in the honestbutcurious case (Passive),and a yesorno voting.
Initialization:
x
j
Casting votes:
(g ,( hi) g ).
(g , ( hi) g ).
…
(g ,g ).
r1
v1
r1
r1+r2
r1+r2
v1+v2
ri
vi
Tallying:
g . vin, so we can compute the 1votes.
vi
i
Initialization:
x
i
Voting Phase:
u:=ug
v:=vu ( hj) g ,
where T: the set of remaining voters.
ri
ri
vi
xi
Tallying:
The state of the election is (u,v) with v=g .
If there are not too many voters and candidates, the
discrete logarithm can be computed.
Faultcorrection:
The remaining voters have to repeat the voting phase,
with the reduced set of voters. They can gain a factor
logc by proving that they cast the same vote…
vi
KiayiasYung
1. O(n) exponentiations in thekey regi
stration phase
2. O(nk) size of the key
3. O(n ) exponentiations for the verifi
cation of the keys
4. O(logc) exponentiations in the
voting phase
Groth
1. O(1) exponentiations in the key regi
stration phase
2. O(k) size of the key
3. O(n) exponentiations for the verifi
cation of the keys
4. O(logc) exponentiations in the
voting phase
2
Requirements:
xi
j S\{i}
Message submission:
ri
ri
j S
j S
xi
j S
Theorem: The described protocol is selfdisclosing, disputefree, anonymous broadcast protocol with perfect message secrecy.Assuming the existence of an honest authority that doesn’t submit a message himself, the protocol is fair.