In this paper, we present a verifiable shuffle and threshold decryption scheme in which, for security parameter k, L voters, M mix servers, and N decryption servers, the proof that the end tally corresponds to the original encrypted ballots is only O(k(L + M + N)) bits long. Previous verifiable shuffle constructions had proofs of size O(kLM + kLN), which, for elections with thousands of voters, mix servers, and decryption servers, meant that verifying an election on an ordinary computer in a reasonable amount of time was out of the question.
The linchpin of each construction is a controlled-malleable proof (cm-NIZK), which allows each server, in turn, to take a current set of ciphertexts and a proof that the computation done by other servers has proceeded correctly so far. After shuffling or partially decrypting these ciphertexts, the server can also update the proof of correctness, obtaining as a result a cumulative proof that the computation is correct so far. In order to verify the end result, it is therefore sufficient to verify just the proof produced by the last server.
Category / Keywords: applications / election schemes, threshold cryptography, zero knowledge Publication Info: To appear in PKC 2013 Date: received 11 Dec 2012, last revised 14 Dec 2012 Contact author: smeiklej at cs ucsd edu Available format(s): PDF | BibTeX Citation Version: 20121214:201237 (All versions of this report) Short URL: ia.cr/2012/697 Discussion forum: Show discussion | Start new discussion