## Practical Multi-Candidate Election System (2001)

Venue: In PODC

Citations: 79 - 7 self

### BibTeX

@INPROCEEDINGS{Baudron01practicalmulti-candidate,
  author = {O. Baudron and P.-A. Fouque and D. Pointcheval and G. Poupard and J. Stern},
  title = {Practical Multi-Candidate Election System},
  booktitle = {In PODC},
  year = {2001},
  pages = {274--283},
  publisher = {ACM Press}
}

### Abstract

The aim of electronic voting schemes is to provide a set of protocols that allow voters to cast ballots while a group of authorities collect the votes and output the final tally. In this paper we describe a practical multi-candidate election scheme that guarantees privacy of voters, public verifiability, and robustness against a coalition of malicious authorities. Furthermore, we address the problem of receipt-freeness and incoercibility of voters. Our new scheme is based on the Paillier cryptosystem and on some related zero-knowledge proof techniques. The voting schemes are very practical and can be efficiently implemented in a real system.

Keywords: Homomorphic cryptosystems, High-Residuosity Assumption, Practical Voting scheme, threshold cryptography

### Citations

1750 | How to Share a Secret - Shamir - 1979 |

1194 | Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms - Chaum - 1981 |

Citation Context: ... analysis can be performed, over many voting processes. As a consequence, it may be essential to protect anonymity of (non)-voters, while being able to avoid double-voting. As usual, blind signatures [6] are a convenient tool for providing such an anonymity, while preventing double-usage of a certificate. Let us consider a blind signature scheme that prevents "one-more forgeries" [29]. One can eithe...

1173 | Probabilistic encryption - Goldwasser, Micali - 1984 |

Citation Context: ...tosystem Various cryptosystems based on randomized encryption schemes E(M) which encrypt a message M by raising a basis g to the power M and suitably randomizing this result have been proposed so far [17, 1, 22, 26, 27]. Their security is based on the intractability of various "residuosity" problems. As an important consequence of this encryption technique, those schemes have homomorphic properties. Homomorphic Pr...

829 | How to prove yourself: practical solutions to identification and signature problems - Fiat, Shamir - 1986 |

579 | Efficient signature generation by smart cards - Schnorr - 1991 |

Citation Context: ... providing such an anonymity, while preventing double-usage of a certificate. Let us consider a blind signature scheme that prevents "one-more forgeries" [29]. One can either use the Okamoto-Schnorr [25, 32] version which is based on the difficulty of computing discrete logarithms, or the Okamoto-Guillou-Quisquater [25, 18] version which is based on the difficulty of computing e-th roots modulo a composit...

220 | A Secure and Optimally Efficient Multi-Authority Election Scheme - Cramer, Gennaro, et al. - 1997 |

Citation Context: ... problem if we want to deploy this system. Moreover the scenario is adapted to numerous practical situations where local results represent also valuable information. 1.2 Related Work Election schemes [1, 2, 31, 9, 10, 33] were first described by Benaloh [1]. All these voting schemes primarily discuss only "yes/no" vote. Two election models have been proposed so far. In Benaloh schemes, a voter shares his...

211 | Receipt-free secret-ballot elections - Benaloh, Tuinstra - 1994 |

Citation Context: ... problem if we want to deploy this system. Moreover the scenario is adapted to numerous practical situations where local results represent also valuable information. 1.2 Related Work Election schemes [1, 2, 31, 9, 10, 33] were first described by Benaloh [1]. All these voting schemes primarily discuss only "yes/no" vote. Two election models have been proposed so far. In Benaloh schemes, a voter shares his...

209 | Security proofs for signature schemes - Pointcheval, Stern - 1996 |

202 | Practical threshold signatures - Shoup - 2000 |

198 | A practical zero-knowledge protocol fitted to security microprocessor minimizing both transmission and memory - Guillou, Quisquater - 1988 |

Citation Context: ...one actually knows the encrypted message. Let N be a k-bit RSA modulus. Given $c = g^m r^N \bmod N^2$, the prover P convinces the verifier V that he knows m similar to Okamoto [25] and Guillou-Quisquater [18]. We note $a \div b$ the quotient in the division of a by b. 1. P chooses at random $x \in \mathbb{Z}_N$ and $s \in \mathbb{Z}_N$. He computes $u = g^x s^N \bmod N^2$ and commits to u. 2. V chooses a challenge $e \in [0, A[$ and sends e...

159 | A New Public-Key Cryptosystem as Secure as Factoring - Okamoto, Uchiyama |

Citation Context: ...tosystem Various cryptosystems based on randomized encryption schemes E(M) which encrypt a message M by raising a basis g to the power M and suitably randomizing this result have been proposed so far [17, 1, 22, 26, 27]. Their security is based on the intractability of various "residuosity" problems. As an important consequence of this encryption technique, those schemes have homomorphic properties. Homomorphic Pr...

149 | A generalisation, a simplification and some applications of Paillier’s probabilistic public-key system - Damgård, Jurik - 1992 |

147 | Provably secure and practical identification schemes and corresponding signature schemes - Okamoto - 1993 |

Citation Context: ... is possible to prove that one actually knows the encrypted message. Let N be a k-bit RSA modulus. Given $c = g^m r^N \bmod N^2$, the prover P convinces the verifier V that he knows m similar to Okamoto [25] and Guillou-Quisquater [18]. We note $a \div b$ the quotient in the division of a by b. 1. P chooses at random $x \in \mathbb{Z}_N$ and $s \in \mathbb{Z}_N$. He computes $u = g^x s^N \bmod N^2$ and commits to u. 2. V chooses a chall...

134 | Designated verifier proofs and their applications - Jakobsson, Sako, et al. - 1996 |

Citation Context: ...se an interactive zero-knowledge proof, which is non-transferable, as any zero-knowledge proof, thanks to the simulatability of the transcript. Or they use a non-interactive designated-verifier proof [21]. -- he needs a proof that the new encrypted vote is valid. However, without the additional random value introduced by the randomizer, he can no longer provide such a proof by himself. Therefore, he h...

113 | Efficient receipt-free voting based on homomorphic encryption - Hirt, Sako - 2000 |

Citation Context: ...rnatively assume a secret communication channel between any user and a randomizer. Previous Work The assumption of secret communication channel has also been used in the recent paper of Hirt and Sako [19]. But the communication load of their mix-net to provide receipt-freeness is very high. Indeed, in their technique, they assume, as we do, that the encryption scheme E is homomorphic but also allows r...

93 | Multiauthority secret-ballot elections with linear work - Cramer, Franklin, et al. - 1996 |

Citation Context: ... problem if we want to deploy this system. Moreover the scenario is adapted to numerous practical situations where local results represent also valuable information. 1.2 Related Work Election schemes [1, 2, 31, 9, 10, 33] were first described by Benaloh [1]. All these voting schemes primarily discuss only "yes/no" vote. Two election models have been proposed so far. In Benaloh schemes, a voter shares his...

78 | A simple publicly verifiable secret sharing scheme and its application to electronic voting - Schoenmakers - 1999 |

73 | Sharing decryption in the context of voting or lotteries - Fouque, Poupard, et al. - 2000 |

Citation Context: ...trapdoor to compute the discrete logarithm. Both of these arguments are the main components to design multi-candidate election schemes and finally a threshold version of this cryptosystem appeared in [15] and was rediscovered independently but later in [11]. In this last paper, the authors have a new and original point of view on Paillier scheme and provide another threshold version. They apply this s...

68 | Provably secure blind signature schemes - Pointcheval, Stern - 1996 |

Citation Context: ...lind signatures [6] are a convenient tool for providing such an anonymity, while preventing double-usage of a certificate. Let us consider a blind signature scheme that prevents "one-more forgeries" [29]. One can either use the Okamoto-Schnorr [25, 32] version which is based on the difficulty of computing discrete logarithms, or the Okamoto-Guillou-Quisquater [25, 18] version which is based on the dif...

52 | Practical Threshold RSA Signatures Without a Trusted Dealer - Damgård, Koprowski - 2000 |

Citation Context: ...rio : -- In an initialization phase, the servers use a distributed key generation algorithm to create the public key PK and secret shares $SK_i$ of the private key SK. To remove the trusted dealer, see [12, 14]. Next the servers publish verification keys VK, $VK_i$. -- To encrypt a message, any user can run the encryption algorithm using the public key PK. -- To decrypt a ciphertext c, the combiner forwards c...

50 | Deniable encryption - Canetti, Dwork, et al. - 1997 |

Citation Context: ... mix-net channel has been proposed by Sako and Kilian [31] where only a one-way secret communication from the authorities to the voters is assumed. Another class of solutions uses deniable encryption [4, 5] such that the voters can lie later how the ciphertext is encrypted and this technique ensures incoercible voters. We first define both notions of receipt-freeness and incoercibility. Then, we describ...

40 | On concrete security treatment of signatures derived from identification - Ohta, Okamoto - 1998 |

39 | A generalisation, a simplification and some applications of Paillier’s probabilistic public-key system - Damgård, Jurik - 2001 |

Citation Context: ...hese arguments are the main components to design multi-candidate election schemes and finally a threshold version of this cryptosystem appeared in [15] and was rediscovered independently but later in [11]. In this last paper, the authors have a new and original point of view on Paillier scheme and provide another threshold version. They apply this sharing scheme to a multi-candidate voting scheme as w...

34 | Incoercible multiparty computation - Canetti, Gennaro - 1996 |

Citation Context: ... mix-net channel has been proposed by Sako and Kilian [31] where only a one-way secret communication from the authorities to the voters is assumed. Another class of solutions uses deniable encryption [4, 5] such that the voters can lie later how the ciphertext is encrypted and this technique ensures incoercible voters. We first define both notions of receipt-freeness and incoercibility. Then, we describ...

32 | Public-Key Cryptosystems Based on Discrete Logarithms Residues - Paillier - 1999 |

Citation Context: ... the computation of the tally grows exponentially with the number of candidates: $\Omega((\sqrt{\ell})^{p-1})$ where $\ell$ is the number of voters and $p$ the number of candidates. The cryptosystem of Paillier [27] provides an efficient decryption algorithm as well as the largest bandwidth among all cryptosystems using a trapdoor to compute the discrete logarithm. Both of these arguments are the main components...

25 | New Cryptosystem based on Higher Residues - Naccache, Stern |

Citation Context: ...tosystem Various cryptosystems based on randomized encryption schemes E(M) which encrypt a message M by raising a basis g to the power M and suitably randomizing this result have been proposed so far [17, 1, 22, 26, 27]. Their security is based on the intractability of various "residuosity" problems. As an important consequence of this encryption technique, those schemes have homomorphic properties. Homomorphic Pr...

22 | Fully Distributed Threshold RSA under Standard Assumptions, Cryptology ePrint Archive, Report 2001/008 - Fouque, Stern - 2001 |

Citation Context: ...rio : -- In an initialization phase, the servers use a distributed key generation algorithm to create the public key PK and secret shares $SK_i$ of the private key SK. To remove the trusted dealer, see [12, 14]. Next the servers publish verification keys VK, $VK_i$. -- To encrypt a message, any user can run the encryption algorithm using the public key PK. -- To decrypt a ciphertext c, the combiner forwards c...

22 | On the Length of Cryptographic Hash-Values used in Identification Schemes - Girault, Stern - 1994 |

Citation Context: ...ree ciphertexts $C_n$, $C_r$ and $C_\ell$ and of some proofs of correctness. Some well known optimizations can be applied. For example, the commitments can be replaced by their hash values as described in [16]. Let us note $|H|$ the size of the hashed commitments, $|A|$ the size of the challenges and $|N|$ the size of the modulus used in the Paillier cryptosystem. The size of a vote is exactly $4|H| + 4|A|$ + (11...

19 | Divertible Zero Knowledge Interactive Proofs and Commutative Random Self-Reducibility - Okamoto, Ohta - 1990 |

Citation Context: ... he has to interact with the randomizer to get it. However, we want that any part of the transcript of this interaction cannot be used as a receipt by a user. Thus we will use the divertible property [23, 3, 20, 7, 8] of the previous interactive proof that an encrypted message lies in a given set. With such a divertible proof, the transcript seen by the user is independent of the resulting proof: the resulting pro...

16 | Self-scrambling anonymizers - Pointcheval - 2000 |

Citation Context: ... that each message has been re-encrypted in the new list, which makes a very huge amount of data to store. Independent Randomizers Our proposal is in the same vein as the "self-scrambling anonymizers" [28]. Users ask an external entity to randomize their votes, without modifying the contents. But the voter requires more than just a new encryption of his vote: -- he wants a proof that this new ciphertex...

6 | All Language in NP Have Divertible Zero-Knowledge Proofs and Arguments under Cryptographic Assumptions - Burmester, Desmedt - 1991 |

Citation Context: ... he has to interact with the randomizer to get it. However, we want that any part of the transcript of this interaction cannot be used as a receipt by a user. Thus we will use the divertible property [23, 3, 20, 7, 8] of the previous interactive proof that an encrypted message lies in a given set. With such a divertible proof, the transcript seen by the user is independent of the resulting proof: the resulting pro...

5 | Witness Hiding Proofs and Applications - Chen - 1994 |

Citation Context: ... he has to interact with the randomizer to get it. However, we want that any part of the transcript of this interaction cannot be used as a receipt by a user. Thus we will use the divertible property [23, 3, 20, 7, 8] of the previous interactive proof that an encrypted message lies in a given set. With such a divertible proof, the transcript seen by the user is independent of the resulting proof: the resulting pro...

3 | Parallel Divertibility of Proofs of Knowledge - Chen, Damgård, et al. - 1995 |

3 | Any Language in IP Has a Divertible ZKIP - Itoh, Sakurai, et al. - 1993 |

2 | Receipt-free mix-type voting scheme - A practical solution to the implementation of a voting booth - Sako, Kilian |