
2.3.4 Improving Privacy: Benaloh and Yung, 1986

One obvious deficiency in the above protocol is that there is only one authority, which has the ability to decrypt any individual voter's vote. This hardly fits most definitions of a secret ballot, and thus Benaloh (the same person as Cohen above) and Yung proposed an improved scheme in 1986 [2]. In their new scheme, voters use sum secret sharing to distribute shares of their votes to each of $T$ authorities, who then compute the sum from these shares. In this protocol, a vote now consists of a vector of encryptions of $T$ integers; the plaintexts should add to 0 or 1. More formally, a single voter's vote is now written as $(z_1,z_2,\ldots,z_T)$, where $z_j$ is the $j$th authority's share of the vote. Since each voter only gets one vote, we require that $z_j\in E_j(m_j)$, where $\sum_j m_j = 0$ or 1. A valid ballot still consists of two votes, one of which sums up to 0 and the other of which sums up to 1. The key here is that each component of a vote is encrypted using a different authority's encryption parameters; because each authority $t_j$ has its own encryption parameters $(n_j,y_j)$, not revealed even to other authorities, all authorities must cooperate in order to decrypt any vote or tally. Note, however, that although $n_j$ and $y_j$ are different from authority to authority, $r$ is still unique and global throughout the election.

The immediate problem that this adds is that it is now more difficult for the voters to prove that the ballots they use are valid, since the ballots now consist of many separate pieces. The protocol for verifying the honesty of the authorities is also more complicated this time.

The complete protocol is as follows; we explain parts of it in more detail afterwards.

Protocol 6 (Benaloh/Yung 1986 Election Scheme)    Suppose there are $T$ authorities, $t_1, \ldots, t_T$. We use $E_j$ to denote the encryption function using the parameters $(n_j,y_j)$ posted by authority $t_j$, and the global $r$ value.

A. Verifying the honesty of the authorities.
1. Each authority $t_j$ privately generates and provides encryption parameters $(n_j,y_j)$, which it claims satisfy the necessary number-theoretic properties.

2. Voters prepare $k_1$ test ballots and interactively prove each of them is valid. This uses a very similar protocol to that used in the interactive proof in step 2 of Protocol 5. For each test ballot $(u_0,v_0)$ (where $u_0$ and $v_0$ are both vectors with $T$ encrypted components), the voter carries out the following steps to prove the validity of the test ballot:
  • Prepare a certain number of auxiliary ballots (analogous to the $(u_1,v_1), \ldots, (u_{k_2},v_{k_2})$ of Protocol 5).
  • For each auxiliary ballot $(u_j,v_j)$, read a random bit from the beacon, and based on the beacon bit, perform one of the following (note that while this is the same as the above protocol in description, the mechanics are different given that each vote is now a vector and not an integer):
    • If the beacon bit is 0, prove that $(u_j,v_j)$ is valid by decrypting $u_j$ and $v_j$. Each vote is decrypted by releasing certificates for each component of the vector, proving that the $T$ plaintext components add up to 0 for one of the two votes and 1 for the other.
    • If the beacon bit is 1, then prove that $(u_j,v_j)$ is of the same type as $(u_0,v_0)$, i.e., that either $u_j$ is of the same type as $u_0$ and $v_j$ as $v_0$, or $u_j$ is of the same type as $v_0$ and $v_j$ as $u_0$. (See description of this below.)

3. Each voter votes (randomly) one of the two halves of each of its test ballots; in effect, there are $k_1$ parallel elections being held.

4. The authorities decrypt all of the pieces of votes they receive and reveal the decryptions.

5. The voters release the plaintext of all of the pieces they voted, along with certificates, and a check is performed to make sure that all pieces in step 4 match those in step 5. If this is successful, then we can be sure with high probability that all of the authorities have distributed valid encryption parameters and are able to distinguish votes.

B. Conducting the actual election.

1. Each voter creates a new ballot for actual use, and uses the protocol in step 2 to verify that it is valid.

2. Each voter selects half of the new ballot and submits it as its actual vote. Voter $j$ sends to authority $i$ the share $z_{ij}$, which is an encryption of $m_{ij}$.

3. Each authority now multiplies the shares it has received together to obtain $\prod_j z_{ij} \in E_i(\sum_j m_{ij})$. The authority now releases $\sum_j m_{ij}$ and invokes Protocol 4 to prove that it is the decryption of $\prod_j z_{ij}$.

4. The final tally for the election is simply the sum of the released by the authorities (mod $r$). $\Box$

This protocol is structurally the same as Protocol 5. The only complicating factor is in step 2, where we need to prove that two votes are of the same type. This can be accomplished using a method similar to the dividing of encrypted votes in Protocol 5, where the quotient of the encrypted votes was shown to be an encryption of 0. Here, with votes being vectors instead of integers, we need to construct a vector of quotients and show that the quotients are encryptions of integers which add up to 0. More formally, let one vote be $(a_1,\ldots,a_T)\in\{u_j,v_j\}$ and the other be $(a'_1,\ldots,a'_T)\in\{u_0,v_0\}$, where $a_j\in E_j(m_j)$, $a'_j\in E_j(m'_j)$. If the two votes are indeed of the same type, $m_j$ and $m'_j$ would satisfy

\begin{displaymath}\sum_{j=1}^T (m_j-m'_j) \equiv 0 \pmod r.
\end{displaymath} (2.7)

For each $j$, let $x_j$ and $x'_j$ be certificates for $a_j\in E_j(m_j)$ and $a'_j\in E_j(m'_j)$, respectively; in other words, let $x_j$ and $x'_j$ be the random numbers used when the voter prepared the votes in the first place, such that

\begin{displaymath}a_j \equiv y_j^{m_j} x_j^r \pmod {n_j},
\end{displaymath} (2.8)

\begin{displaymath}a'_j \equiv y_j^{m'_j} x_j^{\prime r} \pmod {n_j}.
\end{displaymath} (2.9)

Then, we have

\begin{displaymath}a_j/a'_j \equiv y_j^{m_j-m'_j} \left(\frac{x_j}{x'_j}\right)^r \pmod {n_j},
\end{displaymath} (2.10)

\begin{displaymath}a_j/a'_j \equiv y_j^{m_j-m'_j} y_j^r \left(\frac{x_j}{x'_jy_j}\right)^r \pmod {n_j}.
\end{displaymath} (2.11)

If $m_j-m'_j \ge 0$, the voter releases $m_j-m'_j$ and certifies it with $x_j/x'_j$. If $m_j-m'_j<0$, on the other hand, the voter releases $m_j-m'_j+r$ and certifies it with $x_j/(x'_j y_j)$. This normalization ensures that the decryption released for $a_j/a'_j$ always falls within the range $[0,r-1]$, so that nothing useful is revealed to the adversary about the relative order of $m_j$ and $m'_j$.

This completes our description of Protocol 6. By tuning the security parameters, including $k_1$ and $k_2$, any level of confidence in the results of the election can be achieved. It should be noted that, consistent with the principles of sum secret sharing, all of the authorities are required to collaborate in order to determine any individual's vote. The downside of this, however, is that a single authority's crash failure can halt the election.
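
The sharing, per-authority tally and same-type proof of Protocol 6, carried through in Python as an added example that is not code from the original page. The moduli, the $y_j$ values, $r = 5$ and all function names are constructed toy assumptions, and `decrypt` relies on each authority's secret $\phi(n_j)$, a detail this section does not spell out.

```python
import secrets
from math import gcd, prod

R = 5  # global r (constructed toy value)
# Constructed toy (n_j, y_j, phi(n_j)) for T = 3 authorities; phi(n_j) is secret.
AUTH = [(77, 2, 60), (93, 2, 60), (123, 2, 80)]

def unit(n):  # random x coprime to n, used as the certificate
    return next(x for x in iter(lambda: secrets.randbelow(n), None) if gcd(x, n) == 1)

def E(j, m, x):
    """E_j(m) with randomness x: y_j^m * x^r mod n_j."""
    n, y, _ = AUTH[j]
    return pow(y, m, n) * pow(x, R, n) % n

def cast(vote):
    """Sum-share a vote mod r and encrypt share j under authority j."""
    ms = [secrets.randbelow(R) for _ in AUTH[1:]]
    ms.append((vote - sum(ms)) % R)
    xs = [unit(n) for n, _, _ in AUTH]
    return [E(j, m, x) for j, (m, x) in enumerate(zip(ms, xs))], ms, xs

def decrypt(j, a):
    """Authority j only: the m with a^(phi/r) == (y^(phi/r))^m mod n_j."""
    n, y, phi = AUTH[j]
    t, g = pow(a, phi // R, n), pow(y, phi // R, n)
    return next(m for m in range(R) if pow(g, m, n) == t)

def tally(ballots):
    """Each authority decrypts the product of its shares; sum the results mod r."""
    return sum(decrypt(j, prod(b[j] for b in ballots) % n)
               for j, (n, _, _) in enumerate(AUTH)) % R

def same_type_proof(ms, xs, ms2, xs2):
    """Voter: per component, release m_j - m'_j in [0, r-1] with a certificate."""
    proof = []
    for j, (n, y, _) in enumerate(AUTH):
        d, c = ms[j] - ms2[j], xs[j] * pow(xs2[j], -1, n) % n
        if d < 0:  # release d + r, certified with x_j / (x'_j y_j), eq. (2.11)
            d, c = d + R, c * pow(y, -1, n) % n
        proof.append((d, c))
    return proof

def verify_same_type(a, a2, proof):
    """Verifier: each a_j / a'_j opens to d_j, and the d_j sum to 0 mod r."""
    q = [a[j] * pow(a2[j], -1, n) % n for j, (n, _, _) in enumerate(AUTH)]
    return (all(0 <= d < R and E(j, d, c) == q[j] for j, (d, c) in enumerate(proof))
            and sum(d for d, _ in proof) % R == 0)
```

Calling `cast(1)` twice and `cast(0)` once, `tally` over the three ciphertext vectors returns 2, and `verify_same_type` accepts a proof between the two 1-votes but rejects one between a 1-vote and the 0-vote.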


Ken Shan (ken@digitas.harvard.edu), 1998-05-15