## A Verifiable Multi-authority Secret Election Allowing Abstention From Voting (2002)

### Cached

### Download Links

- [comjnl.oxfordjournals.org]
- [crypto.ee.ntu.edu.tw]
- DBLP

### Other Repositories/Bibliography

Venue: | International Computer Symposium |

Citations: | 5 - 0 self |

### BibTeX

@ARTICLE{Juang02averifiable,

author = {Wen-shenq Juang and Chin-laung Lei and Horng-twu Liaw},

title = {A Verifiable Multi-authority Secret Election Allowing Abstention From Voting},

journal = {International Computer Symposium},

year = {2002},

volume = {45},

pages = {672--682}

}

### OpenURL

### Abstract

### Citations

2928 | A method for obtaining digital signatures and public-key cryptosystems
- Rivest, Shamir, et al.
- 1978
(Show Context)
Citation Context ...reshold signature scheme [23, 24] and a secure one-way permutation function [4, 33]; (d) the RSA (Rivert, Shamir VERIFIABLE MULTI-AUTHORITY SECRET ELECTION 675 and Adleman) signature scheme is secure =-=[34]-=- and the ElGamal cryptosystem is secure [35]. All secure untraceable e-mail systems proposed in [28, 29, 30] can be applied to our scheme, but we recommend those systems in [28, 30] since we only need... |

2477 | Handbook of Applied Cryptography
- Menezes, Oorschot, et al.
- 1996
(Show Context)
Citation Context ...posed in [10] which we will briefly describe here. Let m be the blind message to be signed, let p and q be two large strong prime numbers such that q divides (p − 1) and let ρ be a generator of Z ∗ p =-=[25]-=-. Let g ≡p ρ (p−1)/q , z ∈ Zq, be the signer’s secret key and y ≡p g z be the corresponding public key. The scheme is proposed as follows. 1. The signer randomly chooses a number k ∈ computes �r ≡p g ... |

1204 | Untraceable electronic mail, return addresses, and digital pseudonyms
- Chaum
- 1981
(Show Context)
Citation Context ...r, s) on m without proper redundancy, one must send m along with (r, s) to the verifier. 3.3. Untraceable e-mail systems THE COMPUTER JOURNAL, Vol. 45, No. 6, 2002 Several anonymous channel protocols =-=[28, 29, 30, 31]-=- have been proposed for protecting senders’ anonymity. The mix-net approach is used in [28, 31] to realize a sender untraceable e-mail system. In the mix-net approach, the encrypted messages are sent ... |

1121 |
Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms
- ElGamal, “A
- 1985
(Show Context)
Citation Context ...re one-way permutation function [4, 33]; (d) the RSA (Rivert, Shamir VERIFIABLE MULTI-AUTHORITY SECRET ELECTION 675 and Adleman) signature scheme is secure [34] and the ElGamal cryptosystem is secure =-=[35]-=-. All secure untraceable e-mail systems proposed in [28, 29, 30] can be applied to our scheme, but we recommend those systems in [28, 30] since we only need an e-mail system periodically. The concepts... |

440 | The dining cryptographers problem: Unconditional sender and recipient untraceability
- Chaum
- 1988
(Show Context)
Citation Context ...r, s) on m without proper redundancy, one must send m along with (r, s) to the verifier. 3.3. Untraceable e-mail systems THE COMPUTER JOURNAL, Vol. 45, No. 6, 2002 Several anonymous channel protocols =-=[28, 29, 30, 31]-=- have been proposed for protecting senders’ anonymity. The mix-net approach is used in [28, 31] to realize a sender untraceable e-mail system. In the mix-net approach, the encrypted messages are sent ... |

377 | Non-interactive and information-theoretic secure verifiable secret sharing - Pedersen - 1991 |

306 | An improved algorithm for computing logarithms over GF(p) and its cryptographic significance
- Pohlig, Hellman
- 1978
(Show Context)
Citation Context ...ors and the counter; (b) there exists a secure and untraceable e-mail system [28, 29, 30]; (c) there exist a secure blind threshold signature scheme [23, 24] and a secure one-way permutation function =-=[4, 33]-=-; (d) the RSA (Rivert, Shamir VERIFIABLE MULTI-AUTHORITY SECRET ELECTION 675 and Adleman) signature scheme is secure [34] and the ElGamal cryptosystem is secure [35]. All secure untraceable e-mail sys... |

236 |
A practical secret voting scheme for large scale elections
- Fujioka, Okamoto, et al.
- 1993
(Show Context)
Citation Context ...mply issuing a unique identification number to each voter in the election scheme would disclose the privacy of the voters. To overcome this difficulty, many cryptographic protocols have been proposed =-=[1, 2, 3, 4, 5, 6, 7, 8, 9]-=-. Another required feature in electronic voting schemes is that each voter can verify the voting result. When a voter finds that his/her vote has not been properly counted by the counter, he/she can m... |

231 |
A Practical Scheme for Non-interactive Verifiable Secret Sharing
- Feldman
- 1987
(Show Context)
Citation Context ... trusted party was proposed by Pedersen in [19]. The basic idea in Pedersen’s distributed key generation protocol [19] is to have n parallel executions of Feldman’s verifiable secret sharing protocol =-=[20]-=- in which each participant Pi acts as a dealer of a random secret zi that he/she chooses. The group secret key z is taken to be the sum of all honest dealers’ zi’s. Since Feldman’s verifiable secret s... |

223 | A secure and optimally efficient multiauthority election scheme
- Cramer, Gennaro, et al.
(Show Context)
Citation Context ...n all single authority voting schemes [2, 4, 5, 6, 8], voters cannot abstain from voting after the registration phase. If they do it, the authority can add extra votes as he/she wishes. Cramer et al. =-=[15]-=- proposed a voting scheme, based on homomorphic encryption and proofs of knowledge, which is suitable for large-scale elections since the computation and communication overheads are small even if the ... |

191 |
A Threshold Cryptosystem without a Trusted Party
- Pedersen
- 1991
(Show Context)
Citation Context ...uildings674 W.-S. JUANG, C.-L.LEI AND H.-T. LIAW block of threshold cryptosystems. The first distributed key generation for threshold cryptosystems without a trusted party was proposed by Pedersen in =-=[19]-=-. The basic idea in Pedersen’s distributed key generation protocol [19] is to have n parallel executions of Feldman’s verifiable secret sharing protocol [20] in which each participant Pi acts as a dea... |

175 |
One way hash functions and DES
- Merkle
- 1990
(Show Context)
Citation Context ... (r, s). To verify the signature (r, s), one simply computes m ≡p g −s y r r and checks if m has some proper redundancy information. If m has no proper redundancy, a secure one-way hashing function H =-=[26, 27]-=- can be applied to m. However, this approach cannot provide the message recovery capability. To verify the blind signature (r, s) on m without proper redundancy, one must send m along with (r, s) to t... |

132 | Secure Distributed Key Generation for Discrete-Log Based Cryptosystems
- Gennaro, Jarecki, et al.
(Show Context)
Citation Context ...taken to be the sum of all honest dealers’ zi’s. Since Feldman’s verifiable secret sharing has the property of revealing yi = gzi , the group public key is the product of all honest dealers’ yi’s. In =-=[21]-=-, Gennaro et al. show that Pedersen’s distributed key generation protocol [19] cannot guarantee that the distribution of the distributed generated group public key is equal to a uniform distribution. ... |

102 |
signature system
- Blind
- 1984
(Show Context)
Citation Context ...ther voters. The drawback of this scheme is that if all candidates conspire, the privacy of the voters is violated. For the ability of protecting the privacy of the voters, blind signature techniques =-=[10, 11, 12, 13]-=- are widely adopted to secure voting schemes [2, 4, 5, 8]. A distinguishing property required by a typical blind signature scheme [10, 11, 12, 13] is so-called the ‘unlinkability’, which ensures that ... |

85 |
Efficient anonymous channel and all/nothing election scheme
- Park, Itoh, et al.
- 1994
(Show Context)
Citation Context ...r, s) on m without proper redundancy, one must send m along with (r, s) to the verifier. 3.3. Untraceable e-mail systems THE COMPUTER JOURNAL, Vol. 45, No. 6, 2002 Several anonymous channel protocols =-=[28, 29, 30, 31]-=- have been proposed for protecting senders’ anonymity. The mix-net approach is used in [28, 31] to realize a sender untraceable e-mail system. In the mix-net approach, the encrypted messages are sent ... |

61 |
Security in Computing
- Pfleeger
- 1997
(Show Context)
Citation Context ...mply issuing a unique identification number to each voter in the election scheme would disclose the privacy of the voters. To overcome this difficulty, many cryptographic protocols have been proposed =-=[1, 2, 3, 4, 5, 6, 7, 8, 9]-=-. Another required feature in electronic voting schemes is that each voter can verify the voting result. When a voter finds that his/her vote has not been properly counted by the counter, he/she can m... |

40 |
Reciept-free Mix-Type Voting Scheme
- Sako, Killian
- 1995
(Show Context)
Citation Context ...permutations and multiparty computation. In their scheme, each voter needs to compute about 10 3 modular exponentiations when the number of candidates is 10 in the registration phase. Sako and Kilian =-=[18]-=- proposed a Mixtype voting scheme which is receipt-free and universally verifiable. One basic assumption of their scheme is that there exists a physical secure private channel from the tally centre to... |

40 | Breaking an efficient anonymous channel
- Pfitzmann
- 1994
(Show Context)
Citation Context ...s and send them to the next agent. Finally, the last agent will send the encrypted messages to their destinations. The basic assumption of the mix-net approach is at least one mix agent is honest. In =-=[32]-=-, Pfitzmann shows several attacks on the anonymous channels proposed in [31]. In the mix-net approach, it is harder to decide whether a sender has not sent his/her message to the receiver through an a... |

37 |
Network and InterNetwork Security
- Stallings
- 1995
(Show Context)
Citation Context ...st. Letsbe the threshold value of the threshold cryptosystem, so that, at least (& \Gamma +1) scrutineers are honest. Letsbe a public one-way permutation function, h be a public one-way hash function =-=[17, 28]-=- and tag be a voting tag indicating the current voting. Let U i denote the identification of administrator i and S i denote the identification of scrutineer i: Let d v i be the secret key chosen by vo... |

32 | Blind signatures based on the discrete logarithm problem
- Camenisch, Piveteau, et al.
- 1994
(Show Context)
Citation Context ...ther voters. The drawback of this scheme is that if all candidates conspire, the privacy of the voters is violated. For the ability of protecting the privacy of the voters, blind signature techniques =-=[10, 11, 12, 13]-=- are widely adopted to secure voting schemes [2, 4, 5, 8]. A distinguishing property required by a typical blind signature scheme [10, 11, 12, 13] is so-called the ‘unlinkability’, which ensures that ... |

32 | Meta-Message Recovery and Meta-Blind Signature Schemes Based on the Discrete Logarithm Problem their Applications
- Horster, Michels, et al.
- 1994
(Show Context)
Citation Context ...ther voters. The drawback of this scheme is that if all candidates conspire, the privacy of the voters is violated. For the ability of protecting the privacy of the voters, blind signature techniques =-=[10, 11, 12, 13]-=- are widely adopted to secure voting schemes [2, 4, 5, 8]. A distinguishing property required by a typical blind signature scheme [10, 11, 12, 13] is so-called the ‘unlinkability’, which ensures that ... |

31 |
A digital multisignature scheme using bijective public-key cryptosystems
- Okamoto
- 1988
(Show Context)
Citation Context ...d with its signature Cert S (h(m)); where h is a secure one-way hash function and S is the identification of the signer: The verification of the RSA signature can be achieved by the comparison method =-=[20]-=-. Using ElGamal cryptosystem, each voter will encrypt his ballot by the group public key generated in the global key generation phase for achieving the fairness of the candidates' campaigns and the fu... |

29 | Secret ballot elections in computer networks
- Nurmi, Salomaa, et al.
- 1991
(Show Context)
Citation Context ...mply issuing a unique identification number to each voter in the election scheme would disclose the privacy of the voters. To overcome this difficulty, many cryptographic protocols have been proposed =-=[1, 2, 3, 4, 5, 6, 7, 8, 9]-=-. Another required feature in electronic voting schemes is that each voter can verify the voting result. When a voter finds that his/her vote has not been properly counted by the counter, he/she can m... |

27 |
Electronic voting schemes allowing open objection to the tally
- Sako
- 1994
(Show Context)
Citation Context |

24 |
Elections with Unconditionally Secret Ballots and Disruptions Equivalent to Breaking RSA
- Chaum
- 1988
(Show Context)
Citation Context |

22 | Some remarks on a receipt-free and universally verifiable mixtype voting scheme
- Michels, Horster
- 1996
(Show Context)
Citation Context ...Sako et al. [27] proposed a Mix-type voting scheme which is receipt-free and universally verifiable. One basic assumption of their scheme is that the coercer must not collude with any other mix agent =-=[18]-=-. 3 The multi-authorities voting scheme In this section, we propose a robust and verifiable multi-authorities secret voting scheme for large scale general elections. In our scheme, blind threshold sig... |

19 | A secure and practical electronic voting scheme for real world environment
- Juang, Lei
- 1997
(Show Context)
Citation Context ...e. 3.2. Blind threshold signature schemes The concept of blind signature was introduced by Chaum [11]. It allows the realization of some applications in privacy protection, e.g. secure voting systems =-=[2, 4, 5, 8]-=-, preserving voters’ privacy, and secure electronic payment systems [11], protecting customers’ anonymity. For distributing the power of a single signer, Juang and Lei [23, 24] proposed blind threshol... |

18 | A cryptographic scheme for computerized general elections - Iversen - 1992 |

8 | Partyially blind threshold signatures based on discrete logarithm
- Juang, Lei
- 1999
(Show Context)
Citation Context ...cure voting systems [2, 4, 5, 8], preserving voters’ privacy, and secure electronic payment systems [11], protecting customers’ anonymity. For distributing the power of a single signer, Juang and Lei =-=[23, 24]-=- proposed blind threshold signature schemes using the concept of Pedersen’s distributed key generation protocol [19] and the blind signature schemes proposed in [10]. The basic idea in Juang and Lei’s... |

8 | Anonymous channel and authentication in wireless communications
- Juang, Lei, et al.
- 1999
(Show Context)
Citation Context |

7 |
A collision free secret ballot protocol for computerized general elections
- Juang, Lei
- 1996
(Show Context)
Citation Context |

6 | Protocols for secure communications - Yao - 1982 |

5 |
Receipt free secret ballot elections
- Benaloh, Tuinstra
- 1994
(Show Context)
Citation Context ...n protocol since the intentions of voters are only either ‘Yes’ or ‘No’. Where there are several options, the computing of the individual ballot and the final tally is in general more complicated. In =-=[16]-=-, Benaloh and Tuinstra proposed a receipt free secret ballot protocol and voting booths in which no more than a single voter can stay at the same time. In their protocol with multi-authorities, no one... |

4 |
Low-computation blind signature schemes based on quadratic residues
- Fan, Lei
- 1996
(Show Context)
Citation Context |

4 |
A Practical Electronic Voting Protocol Using Threshold Schemes
- Baraani, Pieprzyk, et al.
- 1994
(Show Context)
Citation Context ...provide a VERIFIABLE MULTI-AUTHORITY SECRET ELECTION 673 mechanism for ensuring that any voter can make an open objection to the tally if his/her vote has not been published. Baraani-Dastjerdi et al. =-=[14]-=- proposed a multi-authorities voting scheme using threshold schemes for achieving the fairness property. In [14], there is a need for a trusted authority to distribute secret shadows to each candidate... |

2 |
A.Renvall: Efficient voting with no selling of votes, Theoretical Computer Science 226
- Niemi
- 1999
(Show Context)
Citation Context ...can coerce the voters into changing their intentions. Again, however, this protocol is not a general election protocol since the intention of any voter is only either ‘Yes’ or ‘No’. Niemi and Renvall =-=[17]-=- proposed a receipt-free secret ballot protocol based on zeroway permutations and multiparty computation. In their scheme, each voter needs to compute about 10 3 modular exponentiations when the numbe... |

2 |
Cryptography and Network Security (2nd edn
- Stallings
- 1999
(Show Context)
Citation Context ... (r, s). To verify the signature (r, s), one simply computes m ≡p g −s y r r and checks if m has some proper redundancy information. If m has no proper redundancy, a secure one-way hashing function H =-=[26, 27]-=- can be applied to m. However, this approach cannot provide the message recovery capability. To verify the blind signature (r, s) on m without proper redundancy, one must send m along with (r, s) to t... |