2.3.5 Improving Uncoercibility: Benaloh and Tuinstra, 1994

Benaloh continued his crusade for better election protocols with his 1994 joint effort with Tuinstra [3], in which they propose a solution to another flaw in Protocols 5 and 6.

In the protocols above, all of the voters' communications are public, and thus the voters are subject to coercion to reveal their votes. An armed villain could conceivably collect all of the shares a voter sent during the election and demand under extreme duress that the voter reconstruct his or her actual vote. What is missing is some private information that the voter can use to lie about his or her vote. In [3], Benaloh and Tuinstra fix this and thus make their new protocol uncoercible under certain circumstances.

The model used in this protocol is very similar to that of the two previous protocols, with multiple voters and multiple authorities. To allow for the communication of private information, Benaloh and Tuinstra assume the existence of a private channel between each authority and voter. The new proposal also changes the fault tolerance requirement from Protocol 6, by allowing for some authorities to fail. This is accomplished by using Shamir secret sharing rather than sum secret sharing.

The key point in this protocol is that each authority transmits a private, random masking value to each voter ``inside the voting booth.'' The voter then knows to adjust the component in its vote corresponding to that authority by the masking value. After exiting the voting booth, the voter is able to lie about the masking value, thus frustrating the attempts of various armed henchpersons. At the end of the protocol, the total of the masking values for each voter is removed from the decrypted tally, resulting in the final, correct tally. While the masking values themselves are transmitted privately, encryptions of the masking values are released to the public, thus ensuring that the authority cannot falsify the result of the election by lying about the masking values.

Each vote is now shared among authorities based on points on a polynomial, with polynomials having constant term 0 representing a 0-vote and 1 representing a 1-vote. Each voter will send to each authority its share of the polynomial translated by the private masking value, along with the encrypted masking value. Thus, given a secret vote $s\in\{0,1\}$ for which the voter has chosen the shares $\ensuremath{\mathrm{share}} _1(s)$ , $\ensuremath{\mathrm{share}} _2(s)$ , ..., $\ensuremath{\mathrm{share}} _T(s)$ with Shamir secret sharing, the masked share of s sent to authority j is $\ensuremath{\mathrm{share}} _j(s) + x_j$ rather than $\ensuremath{\mathrm{share}} _j(s)$ , where x_j is the private masking value transmitted by authority t_j to the voter.

Protocol 7 (Benaloh/Tuinstra 1994 Election Scheme) Again, suppose there are T authorities, t₁, ..., t_T. We use E^*_i to denote the encryption function using the parameters (n^*_j,y^*_j) posted by authority t_j, and the global r value. (We use the asterisks to emphasize the fact that encryption is only used for the authorities to publicly commit to their masking values. No encryption is needed for the actual votes, because they are already masked anyway.) Let Y denote the final tally.

1.

Authorities each construct and prove the validity of encryption parameters (n^*_j,y^*_j), using one of the previously described protocols.

2.

For each voter, each authority t_j randomly selects a masking value x_j and other values c₁, ..., c_k₁. The plaintext values x_j, c₁, ..., c_k₁ are transmitted privately to the voter in the voting booth, while the encrypted values $z^*_j\in E^*_j(x_j)$ , $s_1\in E^*_j(c_1)$ , ..., $s_{k_1}\in E^*_j(c_{k_1})$ are publicly broadcast.

3.

In order for the authority to interactively prove that the plaintext values correspond to the encrypted values, the beacon then generates k₁ random bits. For i=1, ..., k₁, one of the following is done:

If the ith beacon bit is 0, the authority decrypts s_i and shows that it is an encryption of c_i by presenting a certificate.
If the ith beacon bit is 1, the authority decrypts s_iz^*_j and shows that it is an encryption of c_i + x_j by presenting a certificate.

4.

Each voter now creates k₂+1 ballots, B₀, B₁, ..., B_k₂, each comprised of a 0-vote and a 1-vote, and publicly distributes to each authority its masked share of both halves of the ballot, each component masked using different masking values. There are T(k₂+1) masking values involved in total for each voter; denote the masking value for ballot B_i and authority t_j as x_ij, an encryption $z^*_{ij} \in E^*_j(x_{ij})$ of which is publicly released ( $0\le i\le k_2$ , $1\le j\le T$ ). With the use of k₂ beacon bits, the following familiar interactive proof is then executed for each ballot B₁, ..., B_k₂, which will show with high probability that B₀ is a valid ballot:

If the ith beacon bit is 0, each authority t_j decrypts its masking value x_ij. Everyone can then subtract x_ij from the masked shares to obtain unmasked shares, and reconstruct the secret vote pair to verify that one vote is 0 and the other is 1.
If the ith beacon bit is 1, the voter shows that the two halves of B₀ correspond to the two halves of B_i by instructing the authorities as to which half of one corresponds to which half of the other. For each pair of votes

$\begin{eqnarray*}\bigl(\ensuremath{\mathrm{share}} _1(s)+x_{01}, \ensuremath{\ma... ...\ensuremath{\mathrm{share}} _T(s')+x_{iT}\bigr) &\mbox{in}& B_i \end{eqnarray*}$

which the voter claims to be of the same type (i.e., s=s'), each authority t_j reveals x_0j-x_ij and certifies that $z^*_{0j}/z^*_{ij} \in E^*_j(x_{0j}-x_{ij})$ without revealing x_0j or x_ij. Everybody can then compute

$\displaystyle { \bigl( \ensuremath{\mathrm{share}} _j(s) + x_{0j} \bigr) - \big... ...remath{\mathrm{share}} _j(s') + x_{ij} \bigr) - \bigl( x_{0j} - x_{ij} \bigr) }$

$\displaystyle = \ensuremath{\mathrm{share}} _j(s) - \ensuremath{\mathrm{share}} _j(s') = \ensuremath{\mathrm{share}} _j(s-s')$ (2.12)

for each j, thereby reconstructing s-s', which should be zero (mod r).

5.

Each voter selects half of B₀ and submits it as its actual vote. To vote $s\in\{0,1\}$ , the voter selects the half

$\begin{displaymath}\left(\ensuremath{\mathrm{share}} _1(s)+x_{01}, \ensuremath{... ...02}, \ldots, \ensuremath{\mathrm{share}} _T(s)+x_{0T} \right) \end{displaymath}$

(2.13)

from B₀.

6.

Everybody can now calculate the sums over all voters

$\displaystyle { \left(\sum (\ensuremath{\mathrm{share}} _1(s)+x_{01}), \sum (\e... ...2(s)+x_{02}), \ldots, \sum (\ensuremath{\mathrm{share}} _T(s)+x_{0T}) \right) }$
		$\displaystyle = \left(\ensuremath{\mathrm{share}} _1(Y) + \sum x_{01}, \ensurem... ...}} _2(Y) + \sum x_{02}, \ensuremath{\mathrm{share}} _T(Y) + \sum x_{0T} \right)$	(2.14)

where Y is the correct tally. Everybody can also calculate the products over all voters

$\begin{displaymath}\left(\prod z^*_{01}, \prod z^*_{02}, \ldots, \prod z^*_{0T} \right) \end{displaymath}$

(2.15)

in which $\prod z^*_{01} \in E^*_1(\sum x_{01})$ , $\prod z^*_{02} \in E^*_2(\sum x_{02})$ , ..., $\prod z^*_{0T} \in E^*_T(\sum x_{0T})$ . Each authority t_j now decrypts $\prod z^*_{0j}$ , revealing $\sum x_{0j}$ and certifying that $\prod z^*_{0j} \in E^*_j (\sum x_{0j})$ . Everybody can now calculate

$\displaystyle { \left(\ensuremath{\mathrm{share}} _1(Y) + \sum x_{01}, \ensurem... ... _2(Y) + \sum x_{02}, \ensuremath{\mathrm{share}} _T(Y) + \sum x_{0T} \right) }$
		$\displaystyle - \left(\sum x_{01}, \sum x_{02}, \sum x_{0T} \right) = \left(\en... ..., \ensuremath{\mathrm{share}} _2(Y), \ensuremath{\mathrm{share}} _T(Y) \right).$	(2.16)

From these unmasked shares of Y, everybody can then reconstruct the tally Y. $\Box$

The key part of this protocol is that the correctness of the masking values is proven without resorting to certificates; thus, a voter has no way of proving what its masking values were, and can thus lie about them. If several of the authorities are corrupt and reveal their masking values, a voter can still lie by being honest about the shares sent to corrupt authorities and deceptive about the shares sent to honest authorities. As long as at least one authority is trustworthy, the voter can lie about that authority. Of course, this means that a voter has to know beforehand which authorities are trustworthy, and which is problematic. Still, given that assumption, this protocol achieves uncoercibility.

In later work done in 1996 [4], Wu created a new protocol with slightly different assumptions, in which it is not necessary to know beforehand which voters are corrupt. Wu's protocol relies heavily on verifiable secret sharing, but is clean and elegant. In summary, Wu introduces the idea of a polling device, which is able to transmit bits to a voter anonymously. Each authority uses VSS to share a bit among the other authorities. The set of bits generated this way is communicated to the voter privately and anonymously, and the voter uses the XOR of these bits to mask the shares it sends out. The authorities then remove the mask and reconstruct the vote. All the voter needs to do to lie about its vote is lie about one of the bits it receives.

$\displaystyle { \bigl( \ensuremath{\mathrm{share}} _j(s) + x_{0j} \bigr) - \big... ...remath{\mathrm{share}} _j(s') + x_{ij} \bigr) - \bigl( x_{0j} - x_{ij} \bigr) }$
		$\displaystyle = \ensuremath{\mathrm{share}} _j(s) - \ensuremath{\mathrm{share}} _j(s') = \ensuremath{\mathrm{share}} _j(s-s')$	(2.12)