Verifiable secret shuffles and their application to electronic voting
First Claim
1. A computer system for receiving a sequence of elements, comprising:
- a computer coupled to a computer network and configured to;
receive a sequence of electronic data elements representing individual data files,apply a cryptographic transformation using at least a first secret value to anonymously permute the sequence of electronic data elements and produce a first shuffled sequence of electronic data elements, wherein the server computer knows a correspondence between the first shuffled sequence of electronic data elements and the sequence of electronic data elements, andgenerate a first proof of correctness for the first shuffled sequence of electronic data elements based on an iterated logarithmic multiplication proof employing a binary operator, wherein each of the data elements in the sequence of data elements is associated with a common base value, and wherein verifying the proof of correctness employs a three-move, public coin proof of knowledge wherein in response to a verifying request, the computer computes a series of exponents by solving an associated series of linear equations.
3 Assignments
0 Petitions
Accused Products
Abstract
We present a mathematical construct which provides a cryptographic protocol to (verifiably shuffle) a sequence of (k) modular integers, and discuss its application to secure, universally verifiable, multi-authority election schemes. The output of the shuffle operation is another sequence of (k) modular integers, each of which is the same secret power of a corresponding input element, but the order of elements in the output is kept secret. Though it is a trivial matter for the “shuffler” (who chooses the permutation of the elements to be applied) to compute the output from the input, the construction is important because it provides a linear size proof of correctness for the output sequence (i.e. a proof that it is of the form claimed) that can be checked by one or more arbitrary verifiers. The protocol is shown to be honest-verifier zeroknowledge in a special case, and is computational zeroknowledge in general. On the way to the final result, we also construct a generalization of the well known Chaum-Pedersen protocol for knowledge of discrete logarithm equality ([3], [2]). In fact, the generalization specializes (exactly) to the Chaum-Pedersen protocol in the case (k)=2. This result may be of interest on its own. An application to electronic voting is given that matches the features of the best current protocols with significant efficiency improvements. An alternative application to electronic voting is also given that introduces an entirely new paradigm for achieving (Universally Verifiable) elections.
142 Citations
26 Claims
-
1. A computer system for receiving a sequence of elements, comprising:
-
a computer coupled to a computer network and configured to; receive a sequence of electronic data elements representing individual data files, apply a cryptographic transformation using at least a first secret value to anonymously permute the sequence of electronic data elements and produce a first shuffled sequence of electronic data elements, wherein the server computer knows a correspondence between the first shuffled sequence of electronic data elements and the sequence of electronic data elements, and generate a first proof of correctness for the first shuffled sequence of electronic data elements based on an iterated logarithmic multiplication proof employing a binary operator, wherein each of the data elements in the sequence of data elements is associated with a common base value, and wherein verifying the proof of correctness employs a three-move, public coin proof of knowledge wherein in response to a verifying request, the computer computes a series of exponents by solving an associated series of linear equations. - View Dependent Claims (2, 3, 4)
-
-
5. A computer-implemented cryptographic method between a prover computer and a verifier computer, the method comprising:
-
secretly shuffling a first series of electronic data elements with respect to a second series of electronic data elements to produce a shuffled set; generating a proof of correctness for the shuffled set based on proving that a first set of roots for a first polynomial equation is equal to a fixed constant multiple of a second set of roots for a second polynomial equation; and wherein the proof of correctness that the first set of roots is equal to a fixed multiple of the second sets of roots is obtained by;
specifying a second fixed constant, evaluating the first polynomial equation at a first random point to obtain a first value, evaluating the second polynomial equation at the first random point to obtain a second value, and determining that the second value is equal to a product of the first value and the second fixed constant. - View Dependent Claims (6, 7, 8, 9)
-
-
10. A computer system for receiving a sequence of elements, comprising:
-
a server computer coupled to a computer network and configured to; receive a sequence of electronic data elements representing individual data files, apply a cryptographic transformation using at least a secret key to anonymously permute the sequence of electronic data elements and produce a shuffled sequence of electronic data elements, wherein the server computer knows a correspondence between the shuffled sequence of electronic data elements and the sequence of electronic data elements, wherein the server computer is further configured to; generate a proof of correctness for the permutation based on a proof that the product of unencrypted values of elements of a first sequence of encrypted data elements is equal to the product of unencrypted values of elements of a second sequence of encrypted data elements. - View Dependent Claims (11, 12, 13, 14, 15, 16)
-
-
17. A computer-readable medium whose contents store a sequence of electronic data elements and associated data, wherein the sequence of electronic data elements are processed by a computer-implemented method for a shuffling of the sequence of electronic data elements, the method comprising:
-
receiving the sequence of electronic data elements; applying a secret, one-way cryptographic transformation using at least a first secret key to anonymously permute the sequence of electronic data elements and producing a first shuffled sequence of electronic data elements; and generating a proof of correctness for the permutation based on a proof that the product of unencrypted values of elements of a first sequence of encrypted data elements is equal to the product of unencrypted values of elements of a second sequence of encrypted data elements. - View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26)
-
Specification