2.3.2 The Encryption Scheme

To start with, public-key encryption can serve the obvious purpose of turning any public communication channel into a private and/or authenticated one. In addition, most voting protocols below use the following scheme for encryption and decryption, which has an extremely useful homomorphism property that we will describe afterwards.

The encryption algorithm relies on three publicly known values n, y, and r. Of these, n must be the product of two large primes p and q, r should be a prime that divides either p-1 or q-1 but not both, and y should be relatively prime to n. To encrypt any value i mod r, we then pick some x relatively prime to n, and compute

\begin{displaymath}
w \equiv y^i x^r \pmod n.
\end{displaymath} (2.1)

It can be proven that there is only one value of i possible for each given w. In other words, each ciphertext w corresponds to only one plaintext value i. We write this as $w\in E(i)$, where

\begin{displaymath}
E(i) = \{\, w \mid \exists x\mbox{, }w \equiv y^i x^r \pmod n \,\}.
\end{displaymath} (2.2)

A term often used in the literature is that w is of type i. Note that, while each ciphertext only corresponds to one plaintext value, the converse is not true. Indeed, because x can vary, there are a great number of ciphertexts w available for each plaintext i. This probabilistic nature is a critical feature of this encryption scheme; it will ensure that encrypted votes cannot be compared for equality.

Another useful and easily verified property of this encryption scheme is that the product of two ciphertexts is an encryption of the sum of the corresponding plaintexts. In other words, if $w_1\in E(i_1)$ and $w_2\in E(i_2)$, then $w_1w_2\in E(i_1+i_2)$. This property, called the homomorphism property, will allow us to compute the ciphertext of the tally from the ciphertext of individual votes, without having to decrypt each individual vote at any point in the process. We will also use this property heavily in interactive proofs described below.

For arbitrary i, the value x can be used as a certificate, or receipt, to prove that w is indeed a proper encryption of i. Without a certificate, decryption of a ciphertext w can be accomplished by exhaustively searching over all possible values of i mod r, and evaluating the expression

\begin{displaymath}
(wy^{-i})^{\phi(n)/r},
\end{displaymath} (2.3)

which will be 1 if we have found the right value of i. (Here,

\begin{displaymath}\phi(n) = (p-1)(q-1)
\end{displaymath} (2.4)

is the Euler $\phi$ function.) Note that only someone who knows $\phi(n)$ will be able to apply this technique, and that there is no known method to determine $\phi(n)$ without factoring n into p and q. In other words, assuming that p and q stay secret and that integer factorization stays difficult, only the entity that originally created the (n,y) pair will be able to feasibly decrypt w, using its knowledge of p and q.
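The following toy implementation is an added example, not code from the thesis: it puts Equations 2.1 to 2.4 together, with encryption, public receipt checking, the homomorphic tally, and the exhaustive-search decryption that needs $\phi(n)$. The primes, r and the resulting y are constructed values chosen for illustration. Beyond what the text states, the example also requires y to be a non-r-th residue modulo n (checked as $y^{\phi(n)/r} \not\equiv 1$); that is the condition under which the search in decrypt() stops at a unique i, since otherwise every ciphertext would also pass the i = 0 test.

```python
# Added example, not code from the thesis: a toy implementation of the
# r-th residue scheme (Equations 2.1-2.4) with constructed parameters.
# Needs Python 3.8+ for pow(base, -1, n) modular inverses.
from math import gcd
import random


def is_prime(m):
    """Trial division; adequate for the toy-sized primes used here."""
    return m >= 2 and all(m % d for d in range(2, int(m ** 0.5) + 1))


def make_keys(r, p, q):
    """Return the public triple (n, y, r) and the private phi(n) (Equation 2.4).

    Enforces the text's conditions: p, q, r prime and r dividing exactly one of
    p-1 and q-1.  As an extra condition assumed by this example, y is the
    smallest unit mod n that is NOT an r-th residue (y^(phi/r) != 1 mod n);
    without it every ciphertext would also pass the i = 0 test in decrypt().
    """
    assert is_prime(p) and is_prime(q) and is_prime(r)
    assert ((p - 1) % r == 0) != ((q - 1) % r == 0)
    n, phi = p * q, (p - 1) * (q - 1)
    y = next(c for c in range(2, n)
             if gcd(c, n) == 1 and pow(c, phi // r, n) != 1)
    return (n, y, r), phi


def random_unit(n):
    """Random x with gcd(x, n) = 1; rejection sampling is fine for toy n."""
    while True:
        x = random.randrange(2, n)
        if gcd(x, n) == 1:
            return x


def encrypt(pub, i, x=None):
    """Equation 2.1: w = y^i x^r mod n.  Returns (w, x); x is the receipt."""
    n, y, r = pub
    x = random_unit(n) if x is None else x
    assert gcd(x, n) == 1, "x must be relatively prime to n"
    return pow(y, i, n) * pow(x, r, n) % n, x


def verify_receipt(pub, w, i, x):
    """Public check of a receipt: anyone can recompute Equation 2.1."""
    n, y, r = pub
    return pow(y, i, n) * pow(x, r, n) % n == w


def decrypt(pub, phi, w):
    """Equation 2.3: the i mod r with (w y^-i)^(phi/r) = 1 mod n.  Needs phi(n)."""
    n, y, r = pub
    for i in range(r):
        if pow(w * pow(y, -i, n), phi // r, n) == 1:
            return i
    raise ValueError("w is not an encryption of any i")


def tally(pub, ciphertexts):
    """Homomorphism: the product of ciphertexts encrypts the sum of plaintexts.
    The sum is only recovered mod r, so r must exceed the number of voters."""
    n = pub[0]
    acc = 1
    for w in ciphertexts:
        acc = acc * w % n
    return acc


if __name__ == "__main__":
    pub, phi = make_keys(r=5, p=11, q=13)      # n = 143, y = 2 (constructed)
    w, x = encrypt(pub, 3)
    print("decrypt:", decrypt(pub, phi, w), "receipt ok:", verify_receipt(pub, w, 3, x))
    votes = [1, 0, 1, 1, 0]                     # yes/no votes as 1/0
    encrypted = [encrypt(pub, v)[0] for v in votes]
    print("tally of", votes, "=", decrypt(pub, phi, tally(pub, encrypted)))
```

Note that decrypt() never learns the receipt x: it only tests membership in E(i), which is exactly why the text needs a separate way to convince the public of a decryption without publishing a certificate.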

One complicating factor remains. As noted above, to prove that w is an encryption of i, one can simply produce a certificate x such that Equation 2.3 holds. Because x is randomly generated by the entity which encrypted i to w in the first place, it is information-theoretically secure for this entity to release x mod n as a public certificate that $w\in E(i)$. However, consider the situation where w is a publicly known ciphertext, decrypted to i using the exhaustive search procedure described in the previous paragraph by an entity that knows the factorization n=pq. Suppose that the entity wants to prove to the public that $w\in E(i)$; one common case is that the entity is an election authority that wants to prove its decryption of the tally is correct. Although the exhaustive search procedure also produces a certificate x, this x is not yet publicly known; therefore, releasing x may give an adversary additional information for factoring n. Hence, the entity needs to prove that $w\in E(i)$ without releasing x. To do this, the following sub-protocol may be used; it is a classical interactive proof protocol with exponentially decreasing probability of non-detection.

Protocol 4 (Interactive Proof of Decryption)    Given n, r, y, w, i public as above, to prove with probability $1-1/2^N$ that Equation 2.3 holds for some x known privately by the prover:

1. The prover randomly and privately chooses N integers, $c_1, c_2, \ldots, c_N$. For each $j=1, 2, \ldots, N$, the prover computes and releases $C_j$ such that

\begin{displaymath}
C_j \equiv c_j^r y^{-i} \pmod n.
\end{displaymath} (2.5)

2. For each $C_j$, a random beacon bit $b_j$ is obtained and one of the following steps is performed:
  • If $b_j = 0$, the prover releases $c_j$, and the verifier checks that Equation 2.5 holds for this particular j. This proves that Equation 2.5 is true for all $j=1, 2, \ldots, N$ with high probability.
  • If $b_j = 1$, the prover releases $c_j x$, and the verifier checks that

\begin{displaymath}
C_j w \equiv (c_j x)^r \pmod n.
\end{displaymath} (2.6)

    This proves the above equation for all $j=1, 2, \ldots, N$ with high probability. $\Box$

Note that, even though the verifier in this protocol can be convinced of the decryption to any probability arbitrarily close to 1, the verifier cannot, from executing the protocol, construct a certificate of the decryption. Nor can the verifier derive any information that would allow it to conduct a similar proof of decryption to anybody else.

A special case of the above protocol is particularly useful, namely when i=0 and $w = w_1/w_2$ for some $w_1, w_2$. In this special case, the prover has proven that $w_1/w_2\in E(0)$. By the homomorphism property mentioned above, the prover has proven that $w_1$ and $w_2$ correspond to the same plaintext, without revealing the plaintext itself. Of course, this can also be proven by directly revealing x such that $x^r\equiv w_1/w_2$, but as we explained above, this may be information-theoretically insecure.
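The added example below (mine, not the thesis's code) plays both sides of Protocol 4 and then applies its i = 0 special case to show that two ciphertexts share a plaintext. The public values n = 143, y = 2, r = 5 are constructed toy parameters (n = 11 * 13, with r dividing 11 - 1 only and y not a 5th residue). The random beacon is modelled as a list of bits handed to the verifier, and the honest Prover releases only $c_j$ or $c_j x$, never x itself. CheatingProver is not part of the thesis: it is a constructed prover that holds no receipt and prepares each $C_j$ for one guessed beacon bit, which is the standard way to see why a run of N rounds leaves a cheater a 1/2^N chance of escaping detection.

```python
# Added example, not code from the thesis: Protocol 4 (prover and verifier)
# and the same-plaintext special case, over constructed toy parameters.
# Needs Python 3.8+ for pow(base, -1, n) modular inverses.
import random
from math import gcd

# Constructed toy public values: n = 11*13, r = 5 divides 11-1 but not 13-1,
# and y = 2 is not a 5th residue mod n.
N_MOD, Y, R = 143, 2, 5


def random_unit():
    """Random value relatively prime to n; rejection sampling is fine for toy n."""
    while True:
        x = random.randrange(2, N_MOD)
        if gcd(x, N_MOD) == 1:
            return x


def encrypt(i, x):
    """Equation 2.1: w = y^i x^r mod n, with receipt x."""
    return pow(Y, i, N_MOD) * pow(x, R, N_MOD) % N_MOD


class Prover:
    """Holds the private receipt x for the claim w in E(i)."""

    def __init__(self, w, i, x):
        self.w, self.i, self.x = w, i, x
        self.c = []

    def commit(self, num_rounds):
        # Step 1: C_j = c_j^r y^{-i} mod n for fresh private c_j (Equation 2.5).
        self.c = [random_unit() for _ in range(num_rounds)]
        return [pow(c, R, N_MOD) * pow(Y, -self.i, N_MOD) % N_MOD for c in self.c]

    def respond(self, j, bit):
        # Step 2: reveal c_j on bit 0, or c_j x on bit 1; x itself never leaves.
        return self.c[j] if bit == 0 else self.c[j] * self.x % N_MOD


class CheatingProver(Prover):
    """Constructed for this example: knows no receipt, guesses each beacon bit
    in advance and builds C_j so that only the guessed check can pass."""

    def __init__(self, w, i, guesses):
        super().__init__(w, i, x=None)
        self.guesses = guesses

    def commit(self, num_rounds):
        self.c, commitments = [], []
        for g in self.guesses[:num_rounds]:
            c = random_unit()
            self.c.append(c)
            if g == 0:   # C_j = c^r y^{-i}: satisfies Equation 2.5 only
                commitments.append(pow(c, R, N_MOD) * pow(Y, -self.i, N_MOD) % N_MOD)
            else:        # C_j = c^r / w, so C_j w = c^r: satisfies Equation 2.6 only
                commitments.append(pow(c, R, N_MOD) * pow(self.w, -1, N_MOD) % N_MOD)
        return commitments

    def respond(self, j, bit):
        return self.c[j]   # the only value it has; passes iff bit == guess


def run_proof(w, i, prover, beacon_bits):
    """Verifier side of Protocol 4; beacon_bits stands in for the random beacon."""
    C = prover.commit(len(beacon_bits))
    for j, b in enumerate(beacon_bits):
        resp = prover.respond(j, b)
        if b == 0:   # Equation 2.5: C_j == c_j^r y^{-i}
            ok = C[j] == pow(resp, R, N_MOD) * pow(Y, -i, N_MOD) % N_MOD
        else:        # Equation 2.6: C_j w == (c_j x)^r
            ok = C[j] * w % N_MOD == pow(resp, R, N_MOD)
        if not ok:
            return False
    return True


def prove_same_plaintext(w1, w2, x1, x2, beacon_bits):
    """Special case: w1/w2 in E(0), with receipt x1/x2, shows w1 and w2 share a plaintext."""
    w = w1 * pow(w2, -1, N_MOD) % N_MOD
    x = x1 * pow(x2, -1, N_MOD) % N_MOD
    return run_proof(w, 0, Prover(w, 0, x), beacon_bits)


if __name__ == "__main__":
    random.seed(1)
    x, w = 7, encrypt(3, 7)                     # w = 36 is in E(3)
    bits = [random.getrandbits(1) for _ in range(16)]
    print("honest prover accepted:", run_proof(w, 3, Prover(w, 3, x), bits))
    cheat = CheatingProver(w, 2, [random.getrandbits(1) for _ in range(16)])
    print("cheating prover accepted:", run_proof(w, 2, cheat, bits))
    print("same plaintext:", prove_same_plaintext(w, encrypt(3, 9), x, 9, bits))
```

Two things are worth noticing when running it: an honest prover that has the wrong receipt for its claim passes every bit-0 round but is caught on the first bit-1 round, and the verifier's transcript contains only $C_j$, $c_j$ and $c_j x$ values, none of which lets it reconstruct x or replay the proof to a third party.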


Ken Shan (ken@digitas.harvard.edu), 1998-05-15