Extending Helios Towards Private Eligibility Verifiability

Abstract

We show how to extend the Helios voting system to provide eligibility verifiability without revealing who voted which we call private eligibility verifiability. The main idea is that real votes are hidden in a crowd of null votes that are cast by others but are indistinguishable from those of the eligible voter. This extended Helios scheme also improves Helios towards receipt-freeness.

A Cryptographic Building Blocks

1.1 A.1 Proof of an Encryption of 1

In order to prove that a given ciphertext (a, b) encrypts 1, one has to present a zero-knowledge proof:

$$ ZKP\{\exists r: a = g^r\,\text {mod}\,p \wedge b = h^r\,\text {mod}\,p\}$$

The proof, presented in [9], is as follows:

1. 1.

   Prover chooses a random \(w \in _R\mathbb {Z}_q\), computes \(\alpha = g^w\,\text {mod}\,p\), \(\beta = h^w\,\text {mod}\,p\) and sends \(\alpha \), \(\beta \) to the Verifier.

2. 2.

   Verifier sends the challenge \(c \in _R\mathbb {Z}_q\) to the prover

3. 3.

   Prover computes \(u = w + cr\,\text {mod}\,q\) and sends u to Verifier

4. 4.

   Verifier checks, that \(g^u \equiv \alpha a^c\,\text {mod}\,p\) and \(h^u \equiv \beta b^c\,\text {mod}\,p\) hold.

The proof has the soundness error of 1 / q.

1.2 A.2 Proof of Knowledge of Discrete Log

The following proof can be used to prove knowledge of a DSA or ElGamal signing key, or knowledge of an ElGamal ciphertext.

$$ \mathtt{Proof~of~knowledge } \{s: h = g^s \} $$

Public Parameters: ElGamal/DSA parameters (g, h, p, q)

Prover knows: \(s : h = g^s\,\text {mod}\,p\).

1. 1.

   Prover selects a random value \(w \in _R\mathbb {Z}_q\) and publishes \(a = g^w\).

2. 2.

   Verifier sends the challenge \(c \in _R\mathbb {Z}_q\)

3. 3.

   Prover calculates and publishes \(u = w + cs\)

4. 4.

   Verifier checks \(g^u = ah^c\)

The soundness error of the proof is 1 / q.

1.3 A.3 Proof of Knowledge of RSA Signature

$$ \mathtt{Proof~of~knowledge } \{s: s^e \equiv h(m)\,\text {mod}\,N\} $$

Public Parameters: Message m, encoding function h(m), RSA public key (N, e) with e prime

Prover knows: \(s: s^e \equiv h(m)\,\text {mod}\,N\), \(d: d = e^{-1}\,\text {mod}\,\phi (N)\).

1. 1.

   Prover selects a random value \(r \in _R\mathbb {Z}^*_N\) and calculates \(x = r^e\,\text {mod}\,N\)

2. 2.

   Verifier sends the challenge \(c \in _R\mathbb {Z}_e\)

3. 3.

   Prover calculates \(z = rs^c\,\text {mod}\,N\) and sends z to Verifier

4. 4.

   Verifier checks \(z^e \equiv x\cdot h(m)^c\,\text {mod}\,N\).

The soundness error of the proof is 1 / e. Note, that often the small prime values of e are used as public key in RSA system: commonly, \(e = 3\) or \(e = 2^{16} + 1\). This leads to the proof being insufficiently sound. For this cases, a modification has been proposed in [12], where in order to prove the knowledge of e-th root s of h(m), one proves the knowledge of \(e^t\)-th root \(s'\) of \(h(m)\,\text {mod}\,N\), which can be calculated as \(s' = h(m)^{d^t}\,\text {mod}\,N\). The modified proof has the soundness error of \(1/e^t\).