3.2 Private district tallies

A more interesting requirement for a hierarchical election scheme is that the district tallies remain secret. To satisfy this requirement, we first modify Protocol 7 to produce encrypted masked shares of the district tally, rather than unencrypted masked shares. This can be achieved by encrypting the votes sent from the voter to the authorities.

In this scheme, to submit a secret vote $s\in\{0,1\}$ for which the voter has chosen the shares $\ensuremath{\mathrm{share}} _j(s)$ with Shamir secret sharing, the voter no longer sends $\ensuremath{\mathrm{share}} _j(s) + x_j$ publicly to authority t_j (where x_j is the private masking value transmitted by authority t_j to the voter), as in Protocol 7. Instead, the voter sends an encryption $a_j(s) \in E_j(\ensuremath{\mathrm{share}} _j(s) + x_j)$, which can be decrypted only by t_j. As we will see below, this ensures that district tallies remain secret. Note that the encryption parameters used by voters to encrypt the votes are different from the parameters used by authorities to publicly commit to the masking values; if the same set of parameters were used, uncoercibility would be lost. We detail the modifications below.

Protocol 8 (District Election Scheme)    The notation is same as that in Protocol 7, except we use E_j in addition to E^*_j to denote the encryption function using the parameters (n_j,y_j) posted by authority t_j. The global r value is common between the two sets of parameters (and across all authorities, as usual).

1.

Authorities each construct and prove the validity of encryption parameters (n_j,y_j) and (n^*_j,y^*_j), using one of the previously described protocols.

2.

For each voter, each authority t_j randomly selects a masking value x_j and other values c₁, ..., c_k1. The plaintext values x_j, c₁, ..., c_k1 are transmitted privately to the voter in the voting booth, while the encrypted values $z^*_j\in E^*_j(x_j)$, $s_1\in E^*_j(c_1)$, ..., $s_{k_1}\in E^*_j(c_{k_1})$ are publicly broadcast. Just as in step 3 of Protocol 7, the authority interactively proves that the plaintext values actually correspond to the encrypted values.

3.

Each voter now creates k₂+1 ballots, B₀, B₁, ..., B_k2, each comprised of a 0-vote and a 1-vote. Again, note that each vote now consists of T shares which are encrypted (using E_j) and masked. Each voter publicly distributes to each authority its encrypted masked share of both halves of the ballot, each component masked using different masking values. There are T(k₂+1) masking values involved in total for each voter; denote the masking value for ballot B_i and authority t_j as x_ij, an encryption $z^*_{ij} \in E^*_j(x_{ij})$ of which is publicly released ( $0\le i\le k_2$, $1\le j\le T$). With the use of k₂ beacon bits, the following interactive proof is then executed for each ballot B₁, ..., B_k2, which will show with high probability that B₀ is a valid ballot:

• If the ith beacon bit is 0, each authority t_j decrypts its masking value x_ij, and the voter decrypts the encrypted masked share that it previously sent to each authority. The authorities certify their decryption of the masking values using a certificate with respect to E^*_j; the voter certify its decryption of the ballot shares using a certificate with respect to E_j. Everyone can then subtract x_ij from the decrypted masked shares to obtain unmasked shares, and reconstruct the secret vote pair to verify that one vote is 0 and the other is 1.
• If the ith beacon bit is 1, the voter shows that the two halves of B₀ correspond to the two halves of B_i by instructing the authorities as to which half of one corresponds to which half of the other. For each pair of votes
  
  $$\begin{eqnarray*}\bigl(a_1(s), a_2(s), \ldots, a_T(s)) &\mbox{in}& B_0, \\ \bigl(a_1(s'), a_2(s'), \ldots, a_T(s')) &\mbox{in}& B_i \end{eqnarray*}$$
  
  (where
  
  $$\begin{eqnarray*}&a_j(s) \in E_j\bigl(\ensuremath{\mathrm{share}} _j(s)+x_{0j}\b... ...)\in E_j\bigl(\ensuremath{\mathrm{share}} _j(s')+x_{ij}\bigr),& \end{eqnarray*}$$
  
  for each j) which the voter claims to be of the same type (i.e., s=s'), each authority t_j reveals x_0j-x_ij and certifies that $z^*_{0j}/z^*_{ij} \in E^*_j(x_{0j}-x_{ij})$, without revealing x_0j or x_ij. The voter, on the other hand, reveals
  

  $$\bigl( \ensuremath{\mathrm{share}} _j(s) + x_{0j} \bigr) - \bigl( \ensuremath{\mathrm{share}} _j(s') + x_{ij} \bigr)$$ (3.1)

  
  
  and certifies that
  

  $$\frac{ a_j(s) }{ a_j(s') } \in E_j\bigl( \bigl( \ensuremath... ...l( \ensuremath{\mathrm{share}} _j(s') + x_{ij} \bigr) \bigr),$$ (3.2)

  
  
  without revealing $\ensuremath{\mathrm{share}} _j(s) + x_{0j}$ or $\ensuremath{\mathrm{share}} _j(s') + x_{ij}$. Everybody can then compute
  

  $${ \bigl( \ensuremath{\mathrm{share}} _j(s) + x_{0j} \bigr) - \big... ...remath{\mathrm{share}} _j(s') + x_{ij} \bigr) - \bigl( x_{0j} - x_{ij} \bigr) }$$

  $$= \ensuremath{\mathrm{share}} _j(s) - \ensuremath{\mathrm{share}} _j(s') = \ensuremath{\mathrm{share}} _j(s-s')$$ (3.3)

  
  
  for each j, thereby reconstructing s-s', which should be zero (mod r).

4.

Each voter selects half of B₀ and submits it as its actual vote. To vote $s\in\{0,1\}$, the voter selects the half

$$\left( a_1(s), a_2(s), \ldots, a_T(s) \right)$$ (3.4)

from B₀.

5.

Everybody can now calculate the products over all voters

$$\left(\prod a_1(s), \prod a_2(s), \ldots, \prod a_T(s) \right).$$ (3.5)

Everybody can also calculate the products over all voters

$$\left(\prod z^*_{01}, \prod z^*_{02}, \ldots, \prod z^*_{0T} \right)$$ (3.6)

in which

$$\prod z^*_{0j} \in E^*_j\left(\sum x_{0j}\right)$$ (3.7)

for each j. Each authority t_j now decrypts $\prod z^*_{0j}$, revealing $\sum x_{0j}$ and certifying that $\prod z^*_{0j} \in E^*_j (\sum x_{0j})$. Each authority (or somebody other random entity) then encrypts and certifies $\sum x_{0j}$ into $z_{0j} \in E_j(\sum x_{0j})$ (note the transition between encryption parameters, from E^*_j to E_j, at this stage). Because for all voters

$$a_j(s) \in E_j\bigl(\ensuremath{\mathrm{share}} _j(s)+x_{0j}\bigr)$$ (3.8)

and the homomorphism properties of E_j and $\ensuremath{\mathrm{share}}$, we have

$$\prod a_j(s) \in E_j\left( \ensuremath{\mathrm{share}} _j(Y) + \sum x_{0j} \right)$$ (3.9)

for each j, where Y is the correct tally. Hence, again by the homomorphism property of E_j, everybody can calculate

$$Z_j = \frac{\prod a_j(s)}{\prod z_{0j}} \in E_j\left( \ensuremath{\mathrm{share}} _j(Y) \right).$$ (3.10)

6.

  The general public now knows with high probability the encrypted but unmasked shares

$$\bigl( Z_1, Z_2, \ldots, Z_T \bigr)$$ (3.11)

of Y. If we wish to know the actual tally Y, we can simply ask each authority t_j to decrypt (by exhaustive search) $\ensuremath{\mathrm{share}} _j(Y)$ and execute Protocol 4 to prove the correctness of the decryption. Everybody then knows the unencrypted, unmasked shares

$$\bigl( \ensuremath{\mathrm{share}} _1(Y), \ensuremath{\mathrm... ...re}} _2(Y), \ldots, \ensuremath{\mathrm{share}} _T(Y) \bigr),$$ (3.12)

from which everybody can reconstruct the tally Y. However, for use as a sub-protocol in the hierarchical election protocol below, this step must not be executed. The privacy of the district tally is preserved in the same way in which the privacy of each individual voter's vote is preserved, namely Shamir secret sharing (or any other secret sharing scheme that is plugged in).$\Box$

Based on Protocol 8 for running each district election, we can then run a hierarchical election using the following protocol.

Protocol 9 (Hierarchical Election Scheme)    Denote the intermediate authorities in the election by t₁, ..., and the global authorities by t'₁, ..., t'_U. Denote by Y₁, ..., Y_D the district tallies, and $Y=\sum_{d=1}^D Y_d$the global tally. We use E_i to denote the encryption function using the parameters (n_j,y_j) posted by intermediate authority t_i, and the global r value. We use E'_i to denote the encryption function using the parameters (n'_j,y'_j) posted by global authority t'_i, and the global r value. Note that, unlike with public district tallies, r here must be chosen to be larger than the total number of voters in the global election.

1.

For each district, run a district sub-election using Protocol 8. However, stop before step 6. At this point, each authority t_j has a secret share $\ensuremath{\mathrm{share}} _j(Y_d)$ of the district tally Y_d, and encryptions

$$Z_j \in E_j\bigl(\ensuremath{\mathrm{share}} _j(Y_d)\bigr)$$ (3.13)

are publicly known. (Here d denotes the district to which t_j belongs.)

2.

  Global authorities each construct and prove the validity of encryption parameters (n'_j,y'_j), using one of the previously described protocols.

3.

Each intermediate authority t_j privately creates shares $\ensuremath{\mathrm{share}} '_i(\ensuremath{\mathrm{share}} _j(Y_d))$ for i=1, ..., U using a secret sharing scheme, and (publicly) sends

$$A_{ij} \in E'_i\bigl(\ensuremath{\mathrm{share}} '_i(\ensuremath{\mathrm{share}} _j(Y_d))\bigr)$$ (3.14)

to the global authority t'_i.

4.

Each t_j also privately picks K random numbers c₁, c₂, ..., c_k3 and releases encryptions $C_k \in E_j(c_k)$ for k=1, 2, ..., K. For each k, t_j privately creates shares $\ensuremath{\mathrm{share}} '_i(c_k)$ for i=1, ..., U using a secret sharing scheme, and (publicly) sends

$$B_{ijk} \in E'_i\bigl(\ensuremath{\mathrm{share}} '_i(c_k)\bigr)$$ (3.15)

to the global authority t'_i. In order for t_j to prove that the encrypted shares A_ij are distributed properly (as opposed to just being random numbers), the beacon now generates K random bits. For each k=1, 2, ..., K, one of the following is performed:

• If the kth beacon bit is 0, t_j reveals c_k and certifies that
  

  $$C_k \in E_j(c_k).$$ (3.16)

  
  
  It also reveals
  

  $$\ensuremath{\mathrm{share}} '_i(c_k)$$ (3.17)

  
  
  for all i, certifying that
  

  $$B_{ijk} \in E'_i\bigl(\ensuremath{\mathrm{share}} '_i(c_k)\bigr).$$ (3.18)

  
  
  Everybody can then verify that $\ensuremath{\mathrm{share}} '_i(c_k)$ are indeed properly constructed shares for c_k.
• If the kth beacon bit is 1, t_j reveals $c_k - \ensuremath{\mathrm{share}} _j(Y_d)$ and certifies that
  

  $$C_k/Z_j \in E_j(c_k - \ensuremath{\mathrm{share}} _j(Y_d).$$ (3.19)

  
  
  It also reveals
  

  $$\ensuremath{\mathrm{share}} '_i(c_k) - \ensuremath{\mathrm{sh... ...mathrm{share}} '_i(c_k - \ensuremath{\mathrm{share}} _j(Y_d))$$ (3.20)

  
  
  for all i, certifying that
  

  $$\frac{B_{ijk}}{A_{ij}} \in E'_i\bigl( \ensuremath{\mathrm{sh... ...ath{\mathrm{share}} '_i(\ensuremath{\mathrm{share}} _j(Y_d)).$$ (3.21)

  
  
  Everybody can then verify that $\ensuremath{\mathrm{share}} '_i(c_k - \ensuremath{\mathrm{share}} _j(Y_d))$ are indeed properly constructed shares for $c_k - \ensuremath{\mathrm{share}} _j(Y_d)$.

5.

The global authorities now need to secretly compute $Y=\sum_{d=1}^D Y_d$. Before doing so, it must secretly reconstruct Y_d for each district d. Denote the ``reconstruction function'' for reconstructing shared secrets as R[list of intermediate authorities]. More precisely, let $R[j_1,j_2,\ldots,j_l]$ denote the unique function such that for any shared secret x among the intermediate authorities t_j1, t_j2, ..., t_jl, the secret can be reconstructed with the identity

$$R[j_1,j_2,\ldots,j_l] \bigl( \ensuremath{\mathrm{share}} _{j... ...), \ldots, \ensuremath{\mathrm{share}} _{j_l}(x) \bigr) = x.$$ (3.22)

Here l is the exact minimum number of intermediate authorities that are required to collaborate in order to reveal the shared secret (i.e., the number k chosen in Protocol 1). The key here is that, for any given set of authorities $j_1,j_2,\ldots,j_l$, the function $R[j_1,j_2,\ldots,j_l]$ is linear with respect to the l-vector of shares

$$\bigl( \ensuremath{\mathrm{share}} _{j_1}(x), \ensuremath{\m... ...2}(x), \ldots, \ensuremath{\mathrm{share}} _{j_l}(x) \bigr).$$ (3.23)

Since each share of Y_d is available as a shared secret among the global authorities (the shares are simply A_ij for each global authority t'_i and each intermediate authority t_j in district d), Y_d itself can be computed as a shared secret among the global authorities. Moreover, because addition and public-scalar multiplication of shared secrets correspond homomorphically to multiplication and raising to public power of the encryptions of shared secrets, respectively, the computation of Y_d can be done by manipulating the publicly known encrypted shares A_ij. In this way, everybody (not just the global authorities) is able to calculate, for each global authority t'_i and each district d, the encrypted share

$$Z'_{id} \in E'_i\bigl(\ensuremath{\mathrm{share}} '_i(Y_d)\bigr).$$ (3.24)

This accomplishes the goal of passing the shared secrets Y_d from the district authorities to the global authorities. If the secret sharing parameters are chosen so that more than one reconstruction of Y_d for the same district d are available (i.e., if k < n in Protocol 1 at the district level), the multiple reconstructions can be checked against each other for robustness by computing the differences between pairs of reconstructions (i.e., quotients of the encrypted shares), again as shared secrets, then decrypting and comparing with zero.

6.

Everybody is now able to calculate

$$Z'_i = \prod_d Z'_{id} \in E'_i\bigl(\ensuremath{\mathrm{share}} '_i(Y)\bigr).$$ (3.25)

7.

  Each global authority t'_i now decrypts Z'_i into $\ensuremath{\mathrm{share}} '_i(Y)$ and executes Protocol 4 to prove the decryption. Everybody can then reconstruct Y from the global shares.$\Box$

While Protocol 9 describes a hierarchical election with only one level of indirection, i.e., only one intermediate layer, it easily generalizes to multi-level hierarchical elections, i.e., elections in which there are more than one level of intermediate authorities. More specifically, such an election would start at the level of actual voters, and steps 2 through 7 of Protocol 9 would be used to verifiably and securely propagate each sub-tally up a level to higher authorities. The difference is that, in all but the highest level of the hierarchy, step 7 is not executed. This keeps all sub-tallies in intermediate layers secret. Only at the final, global level are the shares decrypted and used to reconstruct the global tally.