Skip to content
GitLab
Projects
Groups
Snippets
/
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in
Toggle navigation
Menu
Open sidebar
belenios
belenios
Commits
db12acab
Commit
db12acab
authored
Jul 07, 2017
by
Stephane Glondu
Browse files
Update the specification with threshold decryption support
parent
f49b4f54
Changes
1
Hide whitespace changes
Inline
Side-by-side
doc/specification.tex
View file @
db12acab
...
...
@@ -7,7 +7,7 @@
\usepackage
{
bbm
}
\usepackage
{
hyperref
}
\newcommand
{
\version
}{
0.2
}
\newcommand
{
\version
}{
1.5
}
\newcommand
{
\F
}{
\mathbbm
{
F
}}
\newcommand
{
\G
}{
\mathbbm
{
G
}}
...
...
@@ -30,6 +30,11 @@
\newcommand
{
\pdecryption
}{
\texttt
{
partial
\_
decryption
}}
\newcommand
{
\result
}{
\texttt
{
result
}}
\newcommand
{
\cert
}{
\texttt
{
cert
}}
\newcommand
{
\poly
}{
\texttt
{
polynomial
}}
\newcommand
{
\vinput
}{
\texttt
{
vinput
}}
\newcommand
{
\voutput
}{
\texttt
{
voutput
}}
\title
{
Belenios specification
}
\date
{
Version~
\version
}
\author
{
Stéphane Glondu
}
...
...
@@ -45,11 +50,6 @@ Belenios v\version. More discussion, theoretical explanations and
bibliographical references can be found in a technical report
available online.
\footnote
{
\url
{
http://eprint.iacr.org/2013/177
}}
The Belenios protocol is very similar to Helios (with a signature
added to ballots and different zero-knowledge proofs) and Helios-C
(with the distributed key generation of trustees of Helios, without
threshold support).
The cryptography involved in Belenios needs a cyclic group
$
\G
$
where
discrete logarithms are hard to compute. We will denote by
$
g
$
a
generator and
$
q
$
its order. We use a multiplicative notation for the
...
...
@@ -86,6 +86,19 @@ section~\ref{default-group}.
\item
$
C
$
forgets the mapping between
$
j
$
and
$
\public
(
c
_
j
)
$
if credential recovery is not needed
\item
$
C
$
sends
$
L
$
to
$
A
$
\item
$
A
$
and
$
T
_
1
,
\dotsc
,T
_
m
$
run a key establishment protocol
(either
\ref
{
no-threshold
}
or
\ref
{
threshold
}
)
\item
$
A
$
creates the
\hyperref
[elections]
{$
\election
$}
$
E
$
\item
$
A
$
loads
$
E
$
and
$
L
$
into
$
S
$
and starts it
\end{enumerate}
\subsubsection
{
Basic decryption support
}
\label
{
no-threshold
}
To perform tally with this scheme, all trustees will need to compute a
partial decryption.
\begin{enumerate}
\item
for
$
z
\in
[
1
\dots
m
]
$
,
\begin{enumerate}
\item
$
T
_
z
$
generates a
\hyperref
[trustee-keys]
{$
\tpk
$}
$
k
_
z
$
and
...
...
@@ -94,8 +107,41 @@ section~\ref{default-group}.
\end{enumerate}
\item
$
A
$
combines all the trustee public keys into the election
public key
$
y
$
\item
$
A
$
creates the
\hyperref
[elections]
{$
\election
$}
$
E
$
\item
$
A
$
loads
$
E
$
and
$
L
$
into
$
S
$
and starts it
\end{enumerate}
\subsubsection
{
Threshold decryption support
}
\label
{
threshold
}
To perform tally with this scheme,
$
t
+
1
$
trustees will need to compute
a partial decryption.
\begin{enumerate}
\item
for
$
z
\in
[
1
\dots
m
]
$
,
\begin{enumerate}
\item
$
T
_
z
$
generates a
\hyperref
[certificates]
{$
\cert
$}
$
\gamma
_
z
$
and sends it to
$
A
$
\item
$
A
$
checks
$
\gamma
_
z
$
\end{enumerate}
\item
$
A
$
assembles
$
\Gamma
=
\gamma
_
1
,
\dotsc
,
\gamma
_
n
$
\item
for
$
z
\in
[
1
\dots
m
]
$
,
\begin{enumerate}
\item
$
A
$
sends
$
\Gamma
$
to
$
T
_
z
$
and
$
T
_
z
$
checks it
\item
$
T
_
z
$
generates a
\hyperref
[polynomials]
{$
\poly
$}
$
P
_
z
$
and
sends it to
$
A
$
\item
$
A
$
checks
$
P
_
z
$
\end{enumerate}
\item
for
$
z
\in
[
1
\dots
m
]
$
,
$
A
$
computes a
\hyperref
[vinputs]
{$
\vinput
$}
$
\textsf
{
vi
}_
z
$
\item
for
$
z
\in
[
1
\dots
m
]
$
,
\begin{enumerate}
\item
$
A
$
sends
$
\Gamma
$
to
$
T
_
z
$
and
$
T
_
z
$
checks it
\item
$
A
$
sends
$
\textsf
{
vi
}_
z
$
to
$
T
_
z
$
and
$
T
_
z
$
checks it
\item
$
A
$
computes a
\hyperref
[voutputs]
{$
\voutput
$}
$
\textsf
{
vo
}_
z
$
and
sends it to
$
A
$
\item
$
A
$
checks
$
\textsf
{
vo
}_
z
$
\end{enumerate}
\item
$
A
$
extracts encrypted decryption keys
$
K
_
1
,
\dots
,K
_
m
$
and
\hyperref
[threshold-params]
{
threshold parameters
}
\end{enumerate}
\subsection
{
Vote
}
...
...
@@ -122,9 +168,10 @@ section~\ref{default-group}.
\begin{enumerate}
\item
$
A
$
stops
$
S
$
and computes the
\hyperref
[tally]
{$
\etally
$}
$
\Pi
$
\item
for
$
z
\in
[
1
\dots
m
]
$
,
\item
for
$
z
\in
[
1
\dots
m
]
$
(or, if in threshold mode, a subset of it
of size at least
$
t
+
1
$
),
\begin{enumerate}
\item
$
A
$
sends
$
\Pi
$
to
$
T
_
z
$
\item
$
A
$
sends
$
\Pi
$
(and
$
K
_
z
$
if in threshold mode)
to
$
T
_
z
$
\item
$
T
_
z
$
generates a
\hyperref
[tally]
{$
\pdecryption
$}
$
\delta
_
z
$
and sends it to
$
A
$
\item
$
A
$
verifies
$
\delta
_
z
$
...
...
@@ -220,6 +267,294 @@ number. The proof is verified as follows:
\item
check that
$
\challenge
=
\Hash
_
\pok
(
\pklabel
,A
)
\mod
q
$
\end{enumerate}
\subsection
{
Messages specific to threshold decryption support
}
\subsubsection
{
Public key infrastructure
}
\label
{
pki
}
Establishing a public key so that threshold decryption is supported
requires private communications between trustees. To achieve this,
Belenios uses a custom public key infrastructure. During the key
establishment protocol, each trustee starts by generating a secret
seed (at random), then derives from it encryption and decryption keys,
as well as signing and verification keys. These four keys are then
used to exchange messages between trustees by using
$
A
$
as a proxy.
The secret seed
$
s
$
is a 22-character string, where characters are
taken from the set:
\[
\texttt
{
123456789
ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz
}\]
\paragraph
{
Deriving keys
}
The (private) signing key
$
\textsf
{
sk
}$
is derived by computing the
SHA256 of
$
s
$
prefixed by the string
\verb
/
sk|
/
. The corresponding
(public) verification key is
$
g
^{
\textsf
{
sk
}}$
. The (private)
decryption key
$
\textsf
{
dk
}$
is derived by computing the SHA256 of
$
s
$
prefixed by the string
\verb
/
dk|
/
. The corresponding (public)
encryption key is
$
g
^{
\textsf
{
dk
}}$
.
\paragraph
{
Signing
}
Signing takes a signing key
$
\textsf
{
sk
}$
and a
\textsf
{
message
}
$
M
$
(as a
$
\jstring
$
), computes a
\textsf
{
signature
}
and produces a
$
\texttt
{
signed
\_
msg
}$
. For the signature, we use a (Schnorr-like)
non-interactive zero-knowledge proof.
\begin{gather*}
\texttt
{
signed
\_
msg
}
=
\left\{
\begin{array}
{
rcl
}
\textsf
{
message
}&
:
&
\jstring\\
\textsf
{
signature
}&
:
&
\texttt
{
proof
}
\end{array}
\right\}
\end{gather*}
To compute the
\textsf
{
signature
}
,
\begin{enumerate}
\item
pick a random
$
w
\in\Z
_
q
$
\item
compute the commitment
$
A
=
g
^
w
$
\item
compute the
\textsf
{
challenge
}
as
$
\textsf
{
SHA
256
}
(
\texttt
{
sigmsg|
}
M
\texttt
{
|
}
A
)
$
, where
$
A
$
is written
in base 10 and the result is interpreted as a 256-bit big-endian
number
\item
compute the
\textsf
{
response
}
as
$
w
-
\textsf
{
sk
}
\times\textsf
{
challenge
}
\mod
q
$
\end{enumerate}
To verify a
\textsf
{
signature
}
using a verification key
\textsf
{
vk
}
,
\begin{enumerate}
\item
compute the commitment
$
A
=
g
^{
\textsf
{
response
}}
\times\textsf
{
vk
}^{
\textsf
{
challenge
}}$
\item
check that
$
\textsf
{
challenge
}
=
\textsf
{
SHA
256
}
(
\texttt
{
sigmsg|
}
M
\texttt
{
|
}
A
)
$
\end{enumerate}
\paragraph
{
Encrypting
}
Encrypting takes an encryption key
$
\textsf
{
ek
}$
and a message
$
M
$
(as
a
$
\jstring
$
), computes an
\texttt
{
encrypted
\_
msg
}
and serializes it
as a
$
\jstring
$
. We use an El Gamal-like system.
\begin{gather*}
\texttt
{
encrypted
\_
msg
}
=
\left\{
\begin{array}
{
rcl
}
\textsf
{
alpha
}&
:
&
\G\\
\textsf
{
beta
}&
:
&
\G\\
\textsf
{
data
}&
:
&
\jstring
\end{array}
\right\}
\end{gather*}
To compute the
\texttt
{
encrypted
\_
msg
}
:
\begin{enumerate}
\item
pick random
$
r,s
\in\Z
_
q
$
\item
compute
$
\textsf
{
alpha
}
=
g
^
r
$
\item
compute
$
\textsf
{
beta
}
=
\textsf
{
ek
}^
r
\times
g
^
s
$
\item
compute
$
\textsf
{
data
}$
as the hexadecimal encoding of the (symmetric)
encryption of
$
M
$
using AES in CCM mode with
$
\textsf
{
SHA
256
}
(
g
^
s
)
$
as the key and
$
\textsf
{
SHA
256
}
(
g
^
r
)
$
as the
initialization vector (where numbers are written in base 10)
\end{enumerate}
To decrypt an
\texttt
{
encrypted
\_
msg
}
using a decryption key
\textsf
{
dk
}
:
\begin{enumerate}
\item
compute the symmetric key as
$
\textsf
{
SHA
256
}
(
\textsf
{
beta
}
/(
\textsf
{
alpha
}^{
\textsf
{
dk
}}
))
$
\item
compute the initialization vector as
$
\textsf
{
SHA
256
}
(
\textsf
{
alpha
}
)
$
\item
decrypt
$
\textsf
{
data
}$
\end{enumerate}
\subsubsection
{
Certificates
}
\label
{
certificates
}
A certificate is a
\texttt
{
signed
\_
msg
}
encapsulating a serialized
\texttt
{
cert
\_
keys
}
structure, itself filled with the public keys
generated as described in section~
\ref
{
pki
}
.
\begin{gather*}
\texttt
{
cert
}
=
\texttt
{
signed
\_
msg
}
\qquad
\texttt
{
cert
\_
keys
}
=
\left\{
\begin{array}
{
rcl
}
\textsf
{
verification
}&
:
&
\G\\
\textsf
{
encryption
}&
:
&
\G
\end{array}
\right\}
\end{gather*}
The message is signed with the signing key associated to
\textsf
{
verification
}
.
\subsubsection
{
Channels
}
\label
{
channels
}
A
\textsf
{
message
}
is sent securely from
\textsf
{
sk
}
(a signing key)
to
\textsf
{
recipient
}
(an encryption key) by encapsulating it in a
\texttt
{
channel
\_
msg
}
, serializing it as a
$
\jstring
$
, signing it with
\textsf
{
sk
}
and serializing the resulting
\texttt
{
signed
\_
msg
}
as a
$
\jstring
$
, and finally encrypting it with
\textsf
{
recipient
}
. The
resulting
$
\jstring
$
will be denoted by
$
\textsf
{
send
}
(
\textsf
{
sk
}
,
\textsf
{
recipient
}
,
\textsf
{
message
}
)
$
, and
can be transmitted using a third-party (such as the election
administrator).
\begin{gather*}
\texttt
{
channel
\_
msg
}
=
\left\{
\begin{array}
{
rcl
}
\textsf
{
recipient
}&
:
&
\G\\
\textsf
{
message
}&
:
&
\G
\end{array}
\right\}
\end{gather*}
\subsubsection
{
Polynomials
}
\label
{
polynomials
}
Let
$
\Gamma
=
\gamma
_
1
,
\dotsc
,
\gamma
_
m
$
be the certificates of all
trustees. We will denote by
$
\textsf
{
vk
}_
z
$
(resp.
$
\textsf
{
ek
}_
z
$
)
the
\textsf
{
verification
}
key (resp. the
\textsf
{
encryption
}
key) of
$
\gamma
_
z
$
. Each trustee must compute a
\texttt
{
polynomial
}
structure
in step 3 of the key establishment protocol.
\begin{gather*}
\texttt
{
polynomial
}
=
\left\{
\begin{array}
{
rcl
}
\textsf
{
polynomial
}&
:
&
\jstring\\
\textsf
{
secrets
}&
:
&
\jstring
^
\ast\\
\textsf
{
coefexps
}&
:
&
\texttt
{
coefexps
}
\end{array}
\right\}
\end{gather*}
Suppose
$
T
_
i
$
is the trustee who is computing. Therefore,
$
T
_
i
$
knows
the signing key
$
\textsf
{
sk
}$
corresponding to
$
\textsf
{
vk
}_
i
$
and the
decryption key
$
\textsf
{
dk
}$
corresponding to
$
\textsf
{
ek
}_
i
$
.
$
T
_
i
$
first checks that keys indeed match. Then
$
T
_
i
$
picks a random
polynomial
\[
f
_
i
(
x
)=
a
_{
i
0
}
+
a
_{
i
1
}
x
+
\dotsb
+
a
_{
it
}
x
^
t
\in\Z
_
q
[
x
]
\]
and computes
$
A
_{
ik
}
=
g
^{
a
_{
ik
}}$
for
$
k
=
0
,
\dotsc
,t
$
and
$
s
_{
ij
}
=
f
_
i
(
j
)
\mod
q
$
for
$
j
=
1
,
\dotsc
,m
$
.
$
T
_
i
$
then fills the
\texttt
{
polynomial
}
structure as follows:
\begin{itemize}
\item
the
\textsf
{
polynomial
}
field is
$
\textsf
{
send
}
(
\textsf
{
sk
}
,
\textsf
{
ek
}_
i,M
)
$
where
$
M
$
is a
serialized
\texttt
{
raw
\_
polynomial
}
structure
\begin{gather*}
\texttt
{
raw
\_
polynomial
}
=
\left\{
\begin{array}
{
rcl
}
\textsf
{
polynomial
}&
:
&
\Z
_
q
^
\ast
\end{array}
\right\}
\end{gather*}
filled with
$
a
_{
i
0
}
,
\dotsc
,a
_{
it
}$
\item
the
\textsf
{
secrets
}
field is
$
\textsf
{
send
}
(
\textsf
{
sk
}
,
\textsf
{
ek
}_
1
,M
_{
i
1
}
)
,
\dotsc
,
\textsf
{
send
}
(
\textsf
{
sk
}
,
\textsf
{
ek
}_
m,M
_{
im
}
)
$
where
$
M
_{
ij
}$
is a serialized
\texttt
{
secret
}
structure
\begin{gather*}
\texttt
{
secret
}
=
\left\{
\begin{array}
{
rcl
}
\textsf
{
secret
}&
:
&
\Z
_
q
\end{array}
\right\}
\end{gather*}
filled with
$
s
_{
ij
}$
\item
the
\textsf
{
coefexps
}
field is a signed message containing a
serialized
\texttt
{
raw
\_
coefexps
}
structure
\begin{gather*}
\texttt
{
coefexps
}
=
\texttt
{
signed
\_
msg
}
\qquad
\texttt
{
raw
\_
coefexps
}
=
\left\{
\begin{array}
{
rcl
}
\textsf
{
coefexps
}&
:
&
\G
^
\ast
\end{array}
\right\}
\end{gather*}
filled with
$
A
_{
i
0
}
,
\dotsc
,A
_{
it
}$
\end{itemize}
\subsubsection
{
Vinputs
}
\label
{
vinputs
}
Once we receive all the
\texttt
{
polynomial
}
structures
$
P
_
1
,
\dotsc
,P
_
m
$
, we compute (during step 4) input data (called
\texttt
{
vinput
}
) for a verification step performed later by the
trustees. Step 4 can be seen as a routing step.
\begin{gather*}
\texttt
{
vinput
}
=
\left\{
\begin{array}
{
rcl
}
\textsf
{
polynomial
}&
:
&
\jstring\\
\textsf
{
secrets
}&
:
&
\jstring
^
\ast\\
\textsf
{
coefexps
}&
:
&
\texttt
{
coefexps
}^
\ast
\end{array}
\right\}
\end{gather*}
Suppose we are computing the
\texttt
{
vinput
}
structure
$
\textsf
{
vi
}_
j
$
for trustee
$
T
_
j
$
. We fill it as follows:
\begin{itemize}
\item
the
\textsf
{
polynomial
}
field is the same as the one of
$
P
_
j
$
\item
the
\textsf
{
secret
}
field is
$
\textsf
{
secret
}
(
P
_
1
)
_
j,
\dotsc
,
\textsf
{
secret
}
(
P
_
m
)
_
j
$
\item
the
\textsf
{
coefexps
}
field is
$
\textsf
{
coefexps
}
(
P
_
1
)
,
\dotsc
,
\textsf
{
coefexps
}
(
P
_
m
)
$
\end{itemize}
Note that the
\textsf
{
coefexps
}
field is the same for all trustees.
In step~5,
$
T
_
j
$
checks consistency of
$
\textsf
{
vi
}_
j
$
by unpacking it
and checking that, for
$
i
=
1
,
\dotsc
,m
$
,
\[
g
^{
s
_{
ij
}}
=
\prod
_{
k
=
0
}^
t
(
A
_{
ik
}
)
^{
j
^
k
}
\]
\subsubsection
{
Voutputs
}
\label
{
voutputs
}
In step 5 of the key establishment protocol, a trustee
$
T
_
j
$
receives
$
\Gamma
$
and
$
\textsf
{
vi
}_
j
$
, and produces a
\texttt
{
voutput
}
$
\textsf
{
vo
}_
j
$
.
\begin{gather*}
\texttt
{
voutput
}
=
\left\{
\begin{array}
{
rcl
}
\textsf
{
private
\_
key
}&
:
&
\jstring\\
\textsf
{
public
\_
key
}&
:
&
\texttt
{
trustee
\_
public
\_
key
}
\end{array}
\right\}
\end{gather*}
Trustee
$
T
_
j
$
fills
$
\textsf
{
vo
}_
j
$
as follows:
\begin{itemize}
\item
\textsf
{
private
\_
key
}
is set to
$
\textsf
{
send
}
(
\textsf
{
sk
}
,
\textsf
{
ek
}_
j,S
)
$
, where
$
S
_
j
$
is
$
T
_
j
$
's
(private) decryption key:
\[
S
_
j
=
\sum
_{
i
=
1
}^
m s
_{
ij
}
\mod
q
\]
\item
\textsf
{
public
\_
key
}
is set to a
\hyperref
[trustee-keys]
{
\texttt
{
trustee
\_
public
\_
key
}}
structure
built using
$
S
_
j
$
as private key.
\end{itemize}
The administrator checks
$
\textsf
{
vo
}_
j
$
as follows:
\begin{itemize}
\item
check that:
\[
\textsf
{
public
\_
key
}
(
\textsf
{
public
\_
key
}
(
\textsf
{
vo
}_
j
))=
\prod
_{
i
=
1
}^
m
\prod
_{
k
=
0
}^
t
(
A
_{
ik
}
)
^{
j
^
k
}
\]
\item
check
$
\textsf
{
pok
}
(
\textsf
{
public
\_
key
}
(
\textsf
{
vo
}_
j
))
$
\end{itemize}
\subsubsection
{
Threshold parameters
}
\label
{
threshold-params
}
The
\texttt
{
threshold
\_
parameters
}
structure embeds data that is
published during the election.
\begin{gather*}
\texttt
{
threshold
\_
parameters
}
=
\left\{
\begin{array}
{
rcl
}
\textsf
{
threshold
}&
:
&
\I\\
\textsf
{
certs
}&
:
&
\texttt
{
cert
}^
\ast\\
\textsf
{
coefexps
}&
:
&
\texttt
{
coefexps
}^
\ast\\
\textsf
{
verification
\_
keys
}&
:
&
\texttt
{
trustee
\_
public
\_
key
}^
\ast
\end{array}
\right\}
\end{gather*}
The administrator fills it as follows:
\begin{itemize}
\item
\textsf
{
threshold
}
is set to
$
t
+
1
$
\item
\textsf
{
certs
}
is set to
$
\Gamma
=
\gamma
_
1
,
\dotsc
,
\gamma
_
m
$
\item
\textsf
{
coefexps
}
is set to the same value as the
\textsf
{
coefexps
}
field of
\texttt
{
vinput
}
s
\item
\textsf
{
verification
\_
keys
}
is set to
$
\textsf
{
public
\_
key
}
(
\textsf
{
vo
}_
1
)
,
\dotsc
,
\textsf
{
public
\_
key
}
(
\textsf
{
vo
}_
m
)
$
\end{itemize}
\subsection
{
Credentials
}
\label
{
credentials
}
...
...
@@ -264,9 +599,8 @@ secret exponent, a public key $\public(c)=g^s$ is computed.
\right\}
\end{gather*}
The election public key, which is denoted by
$
y
$
thoughout this
document, is computed by multiplying all the public keys of the
trustees, and bundled with the group parameters in a
\texttt
{
wrapped
\_
pk
}
structure.
document, is computed during the setup phase, and bundled with the
group parameters in a
\texttt
{
wrapped
\_
pk
}
structure.
\newcommand
{
\blank
}{
\textsf
{
blank
}}
\newcommand
{
\minlabel
}{
\textsf
{
min
}}
...
...
@@ -312,7 +646,8 @@ During an election, the following data needs to be public in order to
verify the setup phase and to validate ballots:
\begin{itemize}
\item
the
$
\election
$
structure described above;
\item
all the
$
\tpk
$
s that were generated during the
\item
all the
$
\tpk
$
s, or the
$
\texttt
{
threshold
\_
parameters
}$
, that were generated during the
\hyperref
[election-setup]
{
setup phase
}
;
\item
the set
$
L
$
of public credentials.
\end{itemize}
...
...
@@ -340,8 +675,8 @@ vote is blank or not. Each weight comes with a proof (in \iproofs,
same length as
\choices
) that it is
$
0
$
or
$
1
$
. The whole answer also
comes with additional proofs that weights respect constraints.
More concretely, each weight
$
m
\in
[
0
\dots
1
]
$
is encrypted in
to
a
$
\ciphertext
$
as follows:
More concretely, each weight
$
m
\in
[
0
\dots
1
]
$
is encrypted
(
in a
n El
Gamal-like fashion) into a
$
\ciphertext
$
as follows:
\begin{enumerate}
\item
pick a random
$
r
\in\Z
_
q
$
\item
$
\alphalabel
=
g
^
r
$
...
...
@@ -575,7 +910,7 @@ $(\pi_0,\pi_1,\dotsc,\pi_k)$ such that the following procedure passes:
\newcommand
{
\siglabel
}{
\textsf
{
signature
}}
Each ballot contains a digital signature to avoid ballot stuffing. The
Each ballot contains a
(Schnorr-like)
digital signature to avoid ballot stuffing. The
signature needs a
\hyperref
[credentials]
{
credential
}
$
c
$
and uses all
the
\ciphertext
{}
s
$
\gamma
_
1
,
\dots
,
\gamma
_
l
$
that appear in the ballot
(
$
l
$
is the sum of the lengths of
$
\choices
$
). It is computed as
...
...
@@ -710,12 +1045,24 @@ B=\frac{\alphalabel(\etally_{i,j})^\response}{\dfactors_{i,j}^\challenge}
\right\}
\end{gather*}
The decryption factors are combined for each ciphertext to build
synthetic ones:
synthetic ones
$
F
_{
i,j
}$
. With basic decryption support
:
\[
F
_{
i,j
}
=
\prod
_{
z
\in
[
1
\dots
m
]
}
\pdlabel
_{
z,i,j
}
\]
where
$
m
$
is the number of trustees. The
$
\resultlabel
$
field of the
$
\result
$
structure is then computed as follows:
where
$
m
$
is the number of trustees. With threshold decryption
support:
\[
F
_{
i,j
}
=
\prod
_{
z
\in\mathcal
{
I
}}
(
\pdlabel
_{
z,i,j
}
)
^{
\lambda
_
z
^{
\mathcal
{
I
}}}
\]
where
$
\mathcal
{
I
}
=
\{
z
_
1
,
\dotsc
,z
_{
t
+
1
}
\}
$
is the set of indexes of
supplied partial decryptions, and
$
\lambda
_
z
^{
\mathcal
{
I
}}$
are the
Lagrange coefficients:
\[
\lambda
_
z
^{
\mathcal
{
I
}}
=
\prod
_{
k
\in\mathcal
{
I
}
\backslash\{
z
\}
}
\frac
{
k
}{
k
-
z
}
\mod
q
\]
The
$
\resultlabel
$
field of the
$
\result
$
structure is then computed
as follows:
\[
\resultlabel
_{
i,j
}
=
\log
_
g
\left
(
\frac
{
\betalabel
(
\etallylabel
_{
i,j
}
)
}{
F
_{
i,j
}}
\right
)
\]
...
...
@@ -726,8 +1073,8 @@ After the election, the following data needs to be public in order to
verify the tally:
\begin{itemize}
\item
the
$
\election
$
structure;
\item
all the
$
\tpk
$
s
that were generated during
th
e
\hyperref
[election-setup]
{
setup phase
}
;
\item
all the
$
\tpk
$
s
, or the
$
\texttt
{
threshold
\_
parameters
}$
,
th
at
were generated during the
\hyperref
[election-setup]
{
setup phase
}
;
\item
the set of public credentials;
\item
the set of ballots;
\item
the
$
\result
$
structure described above.
...
...
Write
Preview
Supports
Markdown
0%
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment