next up previous contents
Next: 2.3.4 Improving Privacy: Benaloh Up: 2.3 Existing Protocols Previous: 2.3.2 The Encryption Scheme

2.3.3 First Try: Cohen and Fischer, 1985

The Cohen and Fischer proposal of 1985 [1] provides robustness, verifiability, and some measure of privacy, and is built out of the tools discussed above. In this scheme, there is one election authority charged with computing and releasing the final tally, and all voters are able to verify for themselves that the final tally is correct. Voters vote by using ballots, or pairs of encrypted values (u, v), such that one value in the pair is an encryption of 0 and the other an encryption of 1. The voter votes by choosing either u or v to send in.

The scheme has four major steps:

1.
The authority generates several sets of encryption parameters, i.e., values for n and y (r is assumed to be already publicly chosen to be much larger than the total number of voters), and interactively proves their validity, keeping one set of parameters for actual use.
2.
Each voter prepares a set of ballots and interactively proves that they are valid, keeping one set of ballots for actual use.
3.
Each voter votes by selecting half of the chosen ballot.
4.
The authority counts the votes and releases the final tally.

In more detail, the protocol is as follows. All communications are assumed to be public.

Protocol 5 (Cohen/Fischer 1985 Election Scheme) In the following, the numbers $k_1$ and $k_2$ are security parameters that can be increased as deemed necessary to boost the probabilistic confidence in the election. Let Y denote the final tally.
1.
 Authority constructs parameters for encryption scheme.
  • Construct and release $k_1$ sets of valid encryption pairs $(n_i, y_i)$.
  • Use the beacon to generate enough bits to randomly pick one of the encryption pairs.
  • For each encryption pair which was not chosen, prove that it is valid by releasing the two prime factors of $n_i$. The voters can then verify for themselves that the encryption pair satisfies all of the conditions listed in Section 2.3.2.

2.
 Voters prepare candidate ballots for use in the election.
  • Construct and release ballots $(u_0,v_0), (u_1,v_1), \ldots, (u_{k_2},v_{k_2})$, such that for each i, either $u_i\in E(0)$ and $v_i\in E(1)$, or $u_i\in E(1)$ and $v_i\in E(0)$. Each voter plans to use $(u_0,v_0)$ as the actual ballot, and now needs to prove its validity without revealing whether it is an encryption of (0,1) or (1,0).
  • Read $k_2$ bits from the beacon, $b_1, \ldots, b_{k_2}$.
  • For each $i=1, \ldots, k_2$, perform one of the following steps:
    • If $b_i = 0$, provide certificates to show that either $u_i\in E(0)$ and $v_i\in E(1)$, or $u_i\in E(1)$ and $v_i\in E(0)$. This proves explicitly that the ith ballot is valid. (In this situation, it is secure to provide the certificates directly without going through Protocol 4 twice, because the x's used during encryption were randomly generated anyway.)
    • If $b_i = 1$, provide certificates to show that either $u_i/u_0,\ v_i/v_0\in E(0)$ or $u_i/v_0,\ v_i/u_0\in E(0)$. This demonstrates that the ith ballot and the actual ballot are encryptions of the same numbers, though not necessarily in the same order.

3.
 Voters perform the actual voting.
  • Select the desired half of $(u_0,v_0)$, and submit it as the actual vote v.

4.
 Authority computes the final tally.
  • Compute the product of the encrypted votes the voters have submitted. The product will be an encryption of the sum of the unencrypted votes. In other words, compute the product over all voters $\prod v$, which will be an element of E(Y), i.e., an encryption of the tally.
  • Decrypt $\prod v$ by exhaustively searching over all possible Y. Reveal Y, and invoke Protocol 4 to interactively prove that $\prod v\in E(Y)$ without producing an explicit certificate.$\Box$

Some of the above points may need further explanation:

In the interactive proof in step 1, the authority can only cheat if it guesses beforehand which set of encryption pairs the beacon bits will leave unchecked, and it can do this with probability $1/k_1$.

In the interactive proof in step 2, where each voter is proving that its ballots are valid, the idea is that for each test ballot $(u_i,v_i)$, the voter will either have to reveal explicitly that it is valid, or reveal that it is of the same type as $(u_0,v_0)$, the ballot to be actually used. If $(u_0,v_0)$ is not a valid ballot, the voter will only escape undetected if it makes some of the test ballots valid and the rest of them of the same type as $(u_0,v_0)$, and the beacon bits work out exactly properly. This requires that the voter guess beforehand each of the beacon bits, so the probability of escape is only $1/2^{k_2}$.

In step 4, since all communications are public, each voter can multiply all of the encrypted votes from step 3 for itself and verify using the authority's interactive proof that the final tally is indeed correct. If everything else has gone right, the authority can only escape with a false tally with probability $2^{-N}$, where N is the security parameter chosen when invoking Protocol 4.
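The following toy simulation of steps 2 through 4 is an added example and is not code from the thesis. It assumes the r-th residue encryption of Section 2.3.2 (not reproduced on this page): $E(m)$ consists of the values $y^m x^r \bmod n$ for random x coprime to n, where $n = pq$, r is a prime larger than the number of voters, y is not an r-th residue, and the certificate that $c \in E(m)$ is the x used. The parameters, function names and the list of beacon bits are constructed for illustration; the primes are deliberately tiny. The step 2 proof is modelled with both the voter's and the verifier's side, so one can see why a voter whose real ballot is (1,1) escapes only when every beacon bit is 0, and the step 4 tally shows the product of ciphertexts decrypting to the sum of the votes.

```python
"""Toy model of the Cohen/Fischer 1985 scheme (added example, not the thesis's code)."""
import math
import secrets

# Constructed toy parameters: r = 7 exceeds the number of voters; p = 29 has r | (p-1)
# with gcd(r, (p-1)/r) = 1; q = 13 has gcd(r, q-1) = 1.  The authority keeps p, q secret.
R, P, Q = 7, 29, 13
N, PHI = P * Q, (P - 1) * (Q - 1)          # n = 377, phi(n) = 336


def choose_y(n, phi, r):
    """Smallest y coprime to n that is not an r-th residue: y^(phi/r) != 1 (mod n)."""
    for cand in range(2, n):
        if math.gcd(cand, n) == 1 and pow(cand, phi // r, n) != 1:
            return cand
    raise ValueError("no non-residue found")


PUB = (N, choose_y(N, PHI, R), R)          # public encryption pair (n, y), plus r


def encrypt(m, pub, x=None):
    """Return (ciphertext, certificate): c = y^m * x^r mod n; the certificate is x."""
    n, y, r = pub
    while x is None or math.gcd(x, n) != 1:
        x = secrets.randbelow(n - 2) + 2
    return (pow(y, m, n) * pow(x, r, n)) % n, x


def check_certificate(c, m, x, pub):
    """Public check that x certifies c in E(m)."""
    n, y, r = pub
    return math.gcd(x, n) == 1 and c == (pow(y, m, n) * pow(x, r, n)) % n


def make_ballot(mu, mv, pub):
    """Ballot (u, v) with u in E(mu), v in E(mv); an honest ballot has {mu, mv} = {0, 1}."""
    u, xu = encrypt(mu, pub)
    v, xv = encrypt(mv, pub)
    return {"u": u, "v": v, "xu": xu, "xv": xv, "mu": mu, "mv": mv}


def prove_ballots(ballots, bits, pub):
    """Step 2, voter side: ballots[0] is the real ballot, the rest are test ballots."""
    n, b0, proof = pub[0], ballots[0], []
    for bi, b in zip(bits, ballots[1:]):
        if bi == 0:                       # open the test ballot completely
            proof.append(("open", b["mu"], b["xu"], b["mv"], b["xv"]))
        elif b["mu"] == b0["mu"]:         # same order: u_i/u_0 and v_i/v_0 are r-th residues
            proof.append(("same", b["xu"] * pow(b0["xu"], -1, n) % n,
                          b["xv"] * pow(b0["xv"], -1, n) % n))
        else:                             # swapped order: u_i/v_0 and v_i/u_0 are r-th residues
            proof.append(("swapped", b["xu"] * pow(b0["xv"], -1, n) % n,
                          b["xv"] * pow(b0["xu"], -1, n) % n))
    return proof


def verify_ballots(public_ballots, bits, proof, pub):
    """Step 2, verifier side: anyone can run this on the published (u_i, v_i) and beacon bits."""
    n, (u0, v0) = pub[0], public_ballots[0]
    for bi, (ui, vi), item in zip(bits, public_ballots[1:], proof):
        if bi == 0:
            tag, mu, xu, mv, xv = item
            if tag != "open" or {mu, mv} != {0, 1}:
                return False
            if not (check_certificate(ui, mu, xu, pub) and check_certificate(vi, mv, xv, pub)):
                return False
        else:
            tag, wu, wv = item
            if tag not in ("same", "swapped"):
                return False
            a, b = (u0, v0) if tag == "same" else (v0, u0)
            if not (check_certificate(ui * pow(a, -1, n) % n, 0, wu, pub)
                    and check_certificate(vi * pow(b, -1, n) % n, 0, wv, pub)):
                return False
    return True


def tally(votes, pub):
    """Step 4, public part: the product of the submitted votes lies in E(Y)."""
    prod = 1
    for c in votes:
        prod = prod * c % pub[0]
    return prod


def decrypt_tally(prod, num_voters, pub, phi):
    """Authority's exhaustive search: Y is the value making prod * y^-Y an r-th residue."""
    n, y, r = pub
    for cand in range(num_voters + 1):
        if pow(prod * pow(y, -cand, n) % n, phi // r, n) == 1:
            return cand
    raise ValueError("tally outside the searched range")


def run_election(choices, k2=4, pub=PUB, phi=PHI):
    """Honest voters with given choices; returns (decrypted tally, every proof verified)."""
    submitted, all_ok = [], True
    for choice in choices:
        order = secrets.randbelow(2)                       # which half encrypts 1
        ballots = [make_ballot(order, 1 - order, pub) for _ in range(k2 + 1)]
        bits = [secrets.randbelow(2) for _ in range(k2)]  # stand-in for the beacon
        public = [(b["u"], b["v"]) for b in ballots]
        all_ok = all_ok and verify_ballots(public, bits, prove_ballots(ballots, bits, pub), pub)
        real = ballots[0]
        submitted.append(real["u"] if real["mu"] == choice else real["v"])
    return decrypt_tally(tally(submitted, pub), len(choices), pub, phi), all_ok


if __name__ == "__main__":
    print(run_election([1, 0, 1, 1, 0]))   # (3, True)
```

The decryption step relies on the authority knowing $\phi(n)$, which is exactly what the released factors of the unchosen $n_i$ let voters check in step 1 for the discarded parameter sets; for the chosen set nobody but the authority can run `decrypt_tally`, which is why step 4 needs Protocol 4 to convince the voters that the announced Y is right.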


Ken Shan (ken@digitas.harvard.edu), 1998-05-15