Josh D. Cohen (Benaloh) and Michael J. Fischer, A Robust and Verifiable Cryptographically Secure Election Scheme, FOCS 1985.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....RSA. 6. Homomorphic property: It has a homomorphic property: E(m 0 ; r 0 )E(m 1 ; r 1 ) mod n = E(m 0 m 1 ; r 3 ) if m 0 m 1 p. Such a property is used for electronic voting and other cryptographic protocols. Note that no other encryption scheme except the higher degree residue encryption [10] has such a homomorphic property, and the higher degree residue encryption is extremely inefficient in decryption. 7. Randomizability of ciphertext: Even someone who does not know the secret key can change a ciphertext, C = E(m; r) into another ciphertext, C = Ch mod n, while preserving ....

Cohen, J. and Fischer.: A Robust and Verifiable Cryptographically Secure Election Scheme, FOCS, pp.372-382 (1985).

....However, this protocol 2 has the ploblem mentioned earlier: all players must be active during the game and not every subset of cards cannot be reshuffled. The probabilistic encryption scheme of [7] is based on the Quadratic residuosity problem and a plaintext m takes a value of 0 or 1. [3] generalized it to m = 0; 1; r Gamma 1 by using the r th residue problem, where r is a prime number. 9] further generalized it to any r. By combining a secret sharing scheme with the probabilistic encryption scheme of [3] 2] showed an efficient verifiable secret sharing scheme and ....

....residuosity problem and a plaintext m takes a value of 0 or 1. 3] generalized it to m = 0; 1; r Gamma 1 by using the r th residue problem, where r is a prime number. 9] further generalized it to any r. By combining a secret sharing scheme with the probabilistic encryption scheme of [3], 2] showed an efficient verifiable secret sharing scheme and a fault tolerant election scheme. We apply this technique to a mental card game protocol. We suppose that there are N players. Numbers from 0 to 51 will be used to describe the cards. 2. Public key of each player We use the 53rd ....

[Article contains additional citation context not shown here]

J. Cohen and M. Fisher, "A robust and verifiable cryptographically secure election scheme", Proc. 26th FOCS, pp.372--382

....This paper shows new anonymous channels which allow less than a half of faulty centers, where faulty centers can stop or deviate from the protocol arbitrarily. Fault tolerant multivalued election schemes are obtained automatically. Cohen and Fischer type election scheme realizes only yes no votes [CF85, Be86]. A very efficient zero knowledge interactive proof system (ZKIP) for MIX is also presented. 2 Fault tolerant anonymous channels This section presents two robust anonymous channels which allow less than a half of faulty centers. One is based on the hardness of factorization and the other is ....

....is based on the difficulty of the discrete log problem. In both schemes, even if less than a half of centers are faulty, 1) randomly shuffled messages are output and (2) anonymity is protected. 2. 1 Proposed scheme based on factoring The r th residue public key cryptosystem is defined as follows [CF85]. Let r be a prime. Secret key: Two large prime numbers p; q such that rjp Gamma 1 and r 6 jq Gamma 1. Public key: N( pq) and y such that y 6= x mod N for 8x. Plaintext: m such that 0 m r. Encryption: E(m;x) y m x mod n, where x is a random number. Decryption: Let c = ....

J.D. Cohen and M.J. Fischer, A Robust and Verifiable Cryptographically Secure Election Scheme, in: Proc. of 26th IEEE Symp. on Foundations of Computer Science, 372--382 (1985).

....secretballot election scheme using PVSS as a basic tool. We show that by using our PVSS scheme we get a simple and efficient election scheme. This is not the case for the PVSS schemes of [Sta96] and [FO98] We follow the model for universally verifiable elections as introduced by Benaloh et al. [CF85,BY86,Ben87b], which assumes the availability of a so called 10 bulletin board, to which all of the players in the scheme will post their messages. The players comprise a set of tallying authorities (talliers) A 1 ; An , a set of voters V 1 ; Vm , and a set of passive observers. These sets ....

J. Cohen and M. Fischer. A robust and verifiable cryptographically secure election scheme. In Proc. 26th IEEE Symposium on Foundations of Computer Science (FOCS '85), pages 372--382. IEEE Computer Society, 1985.

....political party, representatives of organizations such as the Consumentenbond, and so on. In this way we achieve a form of distributed trust. The idea of distributed trust is incorporated in the bulletin board model, a paradigm for verifiable elections set forth by Benaloh et al. e.g. see [7, 6, 4]) Another important aspect of the model is that the bulletin board is assumed to behave as a broadcast channel such that everybody is able to see what is posted in the bulletin board. To discuss the bulletin board model we distinguish four types of roles in the election process. Officers ....

J. Cohen and M. Fischer. A robust and verifiable cryptographically secure election scheme. In Proc. 26th IEEE Symposium on Foundations of Computer Science (FOCS '85), pages 372--382. IEEE Computer Society, 1985.

....Internet. Secure electronic voting requires the exchange of untraceable yet authentic messages. Over the past few years quite an amount of work has been done in this area. Broadly two different approaches have been proposed: 1. approaches that rely on complex encryption schemes to cast a ballot [1, 7, 8, 9, 11, 14] (Note: all security protocols use some form of encryption technology; these protocols make use of complex technology that are not widely prevelant. 2. approaches that rely on the existence of an anonymous channel [2, 6, 10, 12, 15, 17, 18, 19] that is used to cast the ballot as an untraceable ....

....vote casting. To our knowledge no other voting protocol can make such a claim. 2 Related Work A number of electronic voting protocols have been proposed over the last few years. These can be broadly divided into two types: 1. approaches that rely on complex encryption schemes to cast a ballot [1, 7, 8, 9, 11, 14]. Note all security protocols use some form of encryption technology; these particular protocols use complex technologies that are not widely prevelant for example zero knowledge protocols and threshold cryptosystems. 2. approaches that rely on the existence of an anonymous channel [2, 6, 10, ....

[Article contains additional citation context not shown here]

J. D. Cohen and M. J. Fischer. A Robust and Verifiable Cryptographically Secure Election Scheme. In Proc. of the 26th IEEE Symposium on Foundations of Computer Science, pages 372--382. IEEE Computer Society, October 1985.

.... Feigenbaum and Merritt noted that a cryptosystem which is a ring homomorphism on Z 2Z could be used to implement completely non interactive secure circuit evaluation and called such cryptosystems algebraic [14] Benaloh gave a secure election scheme based on a homomorphic encryption scheme [12]. Cramer and Damgard use homomorphic bit commitments to drastically simplify zero knowledge proofs [13] Many other examples exist in which homomorphic properties are used to construct cryptographic protocols. The initial promise of privacy homomorphisms was tempered by a string of negative ....

J. Cohen and M. Fischer. A robust and verifiable cryptographically secure election scheme. In 26th Symposium on the Foundations of Computer Science, 1985.

....privacy is sometimes required [8] while we only require computational privacy. Receipt freeness [2] and preventing vote duplication can be achieved by other means (see, for example, 17] and are not considered here. Many voting schemes meeting the above requirements have been proposed [6, 3, 4, 8, 9, 23, 10]. However, all previously known schemes achieving universal verifiability rely on fully homomorphic encryption schemes, where the homomorphism is over additive group Z n and n is larger than the number of voters (our use of the term fully homomorphic is explained above) One typical paradigm is ....

....scheme. Depending on the level of trust in the authorities, they may also provide a (publicly verifiable) proof that decryption was done correctly. In this way, everyone is assured that all votes were correctly counted. Many examples of fully homomorphic encryption schemes are known (for example: [12, 6, 21]) The voting schemes of [6, 3, 4] are based on the r th residuosity assumption, those of [8, 9, 23] are based on the discrete logarithm assumption in prime groups, and the scheme of [10] is based on hardness of deciding residue classes in Z N 2 . Even so, it is interesting to determine the ....

[Article contains additional citation context not shown here]

J. Cohen and M. Fischer. A Robust and Verifiable Cryptographically Secure Election Scheme. FOCS 1985.

....only decrypt this one value W to determine the tally of the election; and by providing a certificate u of this decryption, the government can prove to all observers that the claimed tally is accurate. There are, of course, many problems with this scheme. But this is the fundamental idea used in [CoFi85], BeYu86] Cohe86] Bena87] and [BeTu94] to enable a variety of practical verifiable election schemes. 4 Conclusions This paper has described a method of dense probabilistic encryption which has many similarities to, but many advantages over, the original method of probabilistic encryption ....

Cohen, J. and Fischer, M. "A Robust and Verifiable Cryptographically Secure Election Scheme." Proc. 26 th IEEE Symp. on Foundations of Computer Science, Portland, OR (Oct. 1985), 372--382.

....a not gate, but the and gate formed the bottleneck. Around that time protocols existed for some specific problems, like the millionaires problem [38] two millionaires want to find out who is richest without revealing their wealth) how to play poker [36] 14] and how to hold secure elections [12]. These protocols take advantage of special algebraic properties of the encryption schemes used. Also, Zero Knowledge had just been defined [28] and people were coming up with protocols in which Alice can convince Bob that she knows a satisfying assignment for any Boolean circuit [7, 8, 10, 23] ....

J. D. Cohen & M. J. Fischer (1985). A robust and verifiable cryptographically secure election scheme. In Proc. 26th IEEE Symp. on Foundations of Comp. Science, pages 372--382, Portland. IEEE.

....Although Chaum s protocol can detect such disruptions, it cannot recover from them without restarting the entire election [11] In 1985 Cohen (a.k.a. Benaloh) and Fischer published a description of a secure election scheme in which it is very difficult for dishonest voters to disrupt the election [7]. However, the scheme does not protect the privacy of individuals from the election authority. Cohen later presented extensions to this scheme which distribute the power of government and offer more privacy protection [6] Benaloh claims this scheme is reasonably practical and cites political ....

Cohen, J. D., and Fischer, M. J. A robust and verifiable cryptographically secure election scheme (extended abstract) . Tech. Rep. YALEU/DCS/TR-454, Yale University, July 1985. Also appeared in 1985 Foundations of Computer Science conference proceedings.

....More recent proposals of these type are those of Abe [Abe98] Jakobsson [Jak98, Jak99] and Jakobsson and Juels [JJ99] For actual implementations of MIX networks see [SGR97] and the references therein. In contrast to the schemes mentioned in the previous paragraph, the ones introduced in [CF85, BY86, Ben87] do not rely on the use of anonymous channels. In these schemes ballots are distributed over a number of tallying authorities through a special type of broadcast channel. Rather than hiding the correspondence between the voter and his ballot, the value of the vote is hidden. Among 2 these latter ....

....of O(k) bit sized numbers will be our unit with respect to which we measure computational costs. 3 Our MTS proposal combines features of two parallel lines of research concerning electronic voting schemes, those based on MIX networks (a la [Cha81] and in homomorphic encryption schemes (a la [CF85, BY86, Ben87]) We use homomorphic (ElGamal) encryption in order to hide the vote tallies. We rely on special properties of the ElGamal cryptosystem in order to perform an equality test between the tally and members of S. We use MIX networks (ElGamal based) in order to hide the value of the member of S ....

[Article contains additional citation context not shown here]

Josh D. Cohen and Michael J. Fischer. A robust and verifiable cryptographically secure election scheme. In 26th Annual Symposium on Foundations of Computer Science, 372--382, 1985. IEEE.

....not gate, but the and gate formed the bottleneck. Around that time protocols existed for some specific problems, like the millionaires problem [38] two millionaires want to find out who his richest without revealing their wealth) how to play poker [36] 14] and how to hold secure elections [12]. These protocols take advantage of special algebraic properties of the encryption schemes used. Also, Zero Knowledge had just been defined [28] and people were coming up with protocols in which Alice can convince Bob that she knows a satisfying assignment for any Boolean circuit [7, 8, 10, 23] ....

J. D. Cohen and M. J. Fischer. A robust and verifiable cryptographically secure election scheme. In Proc. 26th IEEE Symp. on Foundations of Comp. Science, pages 372--382, Portland, 1985. IEEE.

....a threshold version where the decryption algorithm is shared between several servers. In order to decrypt a ciphertext, each server first computes a decryption share and then a public combining algorithm outputs the plaintext. Most homomorphic cryptosystems as Goldwasser Micali s [11] Benaloh s [1, 4], Naccache Stern s [12] Okamoto Uchiyama s [13] or Paillier s [14] cryptosystems need to distribute a secret value related to the factorization of an RSA modulus. We use the recent threshold techniques developed by Shoup in [21] which allows to distribute RSA signature and we extend them to the ....

....b = H = h s = g as . Consequently G and H have the same discrete logarithm in the respective basis g and h. 3. 3 The Paillier cryptosystem Various cryptosystems based on randomized encryption schemes E(M) which encrypt a message M by raising a basis g to the power M have been proposed so far [11, 1, 4, 22, 12 14]. Their security is based on the intractability of computing discrete logarithm in the basis g without a secret data, the secret key, and easy using this trapdoor. We call those cryptosystems trapdoor discrete logarithm schemes. As an important consequence of this encryption technique, those ....

[Article contains additional citation context not shown here]

J. Cohen and M. Fisher. A robust and verifiable cryptographically secure election scheme. In Symposium on Foundations of Computer Science. IEEE, 1985.

....that only a subset (of a size larger than a certain threshold) of the authorities is required to participate throughout the execution of the scheme in order to compute the final tally. 1. 2 Related Work The type of voting schemes considered in this paper was first introduced and implemented in [CF85, BY86, Ben87b]. In these schemes, privacy and robustness are achieved by distributing the ballots over a number of tallying authorities, while still achieving universal verifiability. This contrasts with other approaches in which the ballots are submitted anonymously to guarantee privacy for the individual ....

....of blind signatures as in privacy protecting payment systems (see, e.g. Che94] to achieve privacy. For these approaches it seems difficult however to attain all desired properties, 2. Cryptographic Primitives 4 and still achieve high performance and provable security. The voting schemes of [CF85, BY86, Ben87b] rely on an r th residuosity assumption. In [SK94] it is shown that such schemes can also be based on a discrete logarithm assumption (without fully addressing robustness, though) and how this leads to considerable efficiency improvements. In the present paper we will also address various ....

[Article contains additional citation context not shown here]

J. Cohen and M. Fischer. A robust and verifiable cryptographically secure election scheme. In Proc. 26th IEEE Symposium on Foundations of Computer Science (FOCS '85), pages 372--382. IEEE Computer Society, 1985. References 12

....all un corrupted servers receive all messages that are broadcast, and may retrieve the information from messages encrypted with a public key, if they know the corresponding private key. Our communication model is similar to [34] All participants communicate via an authenticated bulletin board [8] in a synchronized manner. The adversary: Our threshold schemes assume stationary adversary which stays at the corrupt processor (extensions to mobile adversary as defined in [15] are assumed by the proactive protocol) It is t restricted; namely it can, during the life time of the system, ....

J. D. Cohen and M. J. Fischer. A robust and verifiable cryptographically secure election scheme (extended abstract). In 26th Annual Symposium on Foundations of Computer Science, pages 372--382, Portland, Oregon, 21--23 Oct. 1985. IEEE.

....the parties constructing the RSA modulus N can also find the prime factors of N . Knowledge of this trapdoor of the accumulator translates directly into the ability to forge coins. Thus the factors P and Q should be chosen in an isolated process and be destroyed after system setup as in [10]. Alternatively and more securely, a distributed generation of the RSA modulus is possible (see [4, 13] Unlike in blind signature based payment systems where the sensitive secret signature key of the bank is needed in each withdrawal session, no secret information is needed during the operation ....

Josh D. Cohen and Michael J. Fischer. A robust and verifiable cryptographically secure election scheme (extended abstract). In 26th Annual Symposium on Foundations of Computer Science, pages 372--382, Portland, Oregon, 21--23 October 1985. IEEE.

....A formal definition of this notion is provided later on in the thesis. Influential examples of cryptographic protocols were the ones for secret key exchange [DH76] oblivious transfer [Rab81] and its applications [Blu81,EGL83] coin flipping by telephone [Blu81] mental poker [SRA81,GM82] voting [CF85], and untraceable communications [Cha88] Recently, results of a more general nature were obtained. Yao [Yao87] presented a protocol for the general problem of two party pri3 vate function evaluation, and Goldreich, Micali and Wigderson in [GMW87] presented a way to obtain a secure multi party ....

J. D. Cohen and M. J. Fischer. A robust and verifiable cryptographically secure election scheme. In Proceedings of the 26th IEEE Symposium on Foundations of Computer Science, pages 372--382, Portland, 1985. IEEE.

....Although Chaum s protocol can detect such disruptions, it cannot recover from them without restarting the entire election [11] In 1985 Cohen (a.k.a. Benaloh) and Fischer published a description of a secure election scheme in which it is very difficult for dishonest voters to disrupt the election [7]. However, the scheme 10 Lorrie Faith Cranor does not protect the privacy of individuals from the election authority. Cohen later presented extensions to this scheme which distribute the power of government and offer more privacy protection [6] Benaloh claims this scheme is reasonably ....

Cohen, J. D., and Fischer, M. J. A robust and verifiable cryptographically secure election scheme (extended abstract). Tech. Rep. YALEU/DCS/TR-454, Yale University, July 1985. Also appeared in 1985 Foundations of Computer Science conference proceedings.

....This paper shows new anonymous channels which allow less than a half of faulty centers, where faulty centers can stop or deviate from the protocol arbitrarily. Fault tolerant multivalued election schemes are obtained automatically. Cohen and Fischer type election scheme realizes only yes no votes [CF85, Be86]. A very efficient zero knowledge interactive proof system (ZKIP) for MIX is also presented. 2 Fault tolerant anonymous channels This section presents two robust anonymous channels which allow less than a half of faulty centers. One is based on the hardness of factorization and the other is ....

....based on the difficulty of the discrete log problem. In both schemes, even if less than a half of centers are faulty, 1) randomly shuffled messages are output and (2) anonymity is protected. 2. 1 Proposed scheme based on factoring The r th residue public key cryptosystem is defined as follows [CF85]. Let r be a prime. Secret key: Two large prime numbers p; q such that rjp Gamma 1 and r 6 jq Gamma 1. Public key: N( 4 = pq) and y such that y 6= x r mod N for 8x. Plaintext: m such that 0 m r. Encryption: E(m;x) 4 = y m x r mod n, where x is a random number. Decryption: Let c ....

J.D. Cohen and M.J. Fischer, A Robust and Verifiable Cryptographically Secure Election Scheme, in: Proc. of 26th IEEE Symp. on Foundations of Computer Science, 372--382 (1985).

....VOL. E00 A, NO. 1 JANUARY 1997 has the ploblem mentioned earlier: all players must be active during the game and not every subset of cards cannot be reshuffled. The probabilistic encryption scheme of [7] is based on the Quadratic residuosity problem and a plaintext m takes a value of 0 or 1. [3] generalized it to m = 0; 1; r Gamma 1 by using the r th residue problem, where r is a prime number. 9] further generalized it to any r. By combining a secret sharing scheme with the probabilistic encryption scheme of [3] 2] showed an efficient verifiable secret sharing scheme and ....

....problem and a plaintext m takes a value of 0 or 1. 3] generalized it to m = 0; 1; r Gamma 1 by using the r th residue problem, where r is a prime number. 9] further generalized it to any r. By combining a secret sharing scheme with the probabilistic encryption scheme of [3], 2] showed an efficient verifiable secret sharing scheme and a fault tolerant election scheme. We apply this technique to a mental card game protocol. We suppose that there are N players. Numbers from 0 to 51 will be used to describe the cards. 2. Public key of each player We use the 53rd ....

[Article contains additional citation context not shown here]

J. Cohen and M. Fisher, "A robust and verifiable cryptographically secure election scheme", Proc. 26th FOCS, pp.372--382

....the system (albeit, no more than k 0 simultaneously in any period) Next, we discuss informally some of the issues and assumptions in our model. The communication model: The communication model presented here is similar to [HJKY95] The l servers communicate via an authenticated bulletin board [CF85] in a synchronized manner. The board is accessible by a Gateway (an efficient combining function which produces the correct final result) that can be assumed to be insecure. We assume that the adversary cannot jam communication. The board assumption models an underlying basic communication ....

J. Cohen and M. Fischer, A robust and verifiable cryptographically secure election scheme, FOCS 85.

....encountered in [30] They also propose a new election scheme which, unlike the scheme in [30] satisfies the fairness criterion. The voting protocol developed by Benaloh [9] allows only yes no votes and is an extension using a composite (k; n) threshold scheme of the voting protocol in [34]. The identity of the voter is hidden as long as there are fewer than k conspiring voting agencies. Iversen [98] used the technique proposed to realize electronic money and developed a decentralized voting scheme. The main disadvantage of this approach is that if all centers conspire, the privacy ....

Cohen, J., Fischer, M., A Robust and Verifiable Cryptographically Secure Election Scheme, Proc. 26th IEEE Symp. on Foundations of Computer Science, 372--382, Portland (OR), 1985

....for, where the receipt of a vote, which proves that a voter has voted for a candidate, could be used by another party to coerce the voter. Benaloh and Tuinsra [BT94] introduced the concept of the receipt free voting based on the framework of the voting scheme using higher degree residue encryption [BY86, CF85]. They used a physical assumption, the existence of a voting booth. Their scheme allows voters only yes no voting and is very impractical for large scale elections, since a lot of communication and computation overhead is needed to prevent the dishonesty of voters by using zero knowledge (like) ....

....of voters by using zero knowledge (like) protocols. Sako and Kilian [SK94] and Cramer, Franklin, Schoenmaker and Yung [CFSY96] improved the efficiency of the underlying zero knowledge protocols by using discrete logarithm encryption in place of the higher degree residue encryption used in [BY86, CF85, BT94]. However, their schemes do not satisfy receipt freeness. Moreover, their scheme allows voters only yes no voting, and if it is extended to multiple bit voting, their schemes are still inefficient in practice. Sako and Kilian [SK95] proposed a receipt free voting scheme based on the Mixnet ....

J. Cohen and M. Fisher, "A Robust and Verifiable Cryptographically Secure Election Scheme", Proc. of FOCS, pp.372--382 (1985).

....Although Chaum s protocol can detect such disruptions, it cannot recover from them without restarting the entire election [57] In 1985, Cohen (a.k.a. Benaloh) and Fischer published a description of a secure election scheme in which it is very difficult for dishonest voters to disrupt the election [32]. However, the scheme does not protect the privacy of individuals from the election authority. Cohen later presented extensions to this scheme which distribute the power of government and offer more privacy protection [31] Benaloh claims this scheme is reasonably practical and cites political ....

Josh D. Cohen and Michael J. Fischer. A robust and verifiable cryptographically secure election scheme (extended abstract). Technical Report YALEU/DCS/TR-454, Yale University, July 1985. Also appeared in 1985 Foundations of Computer Science conference proceedings.

....that only a subset (of a size larger than a certain threshold) of the authorities is required to participate throughout the execution of the scheme in order to compute the final tally. 1. 2 Related Work The type of voting schemes considered in this paper was first introduced and implemented in [CF85, BY86, Ben87b]. In these schemes, privacy and robustness are achieved by distributing the ballots over a number of tallying authorities, while still achieving universal verifiability. This contrasts with other approaches in which the ballots are submitted anonymously to guarantee privacy for the individual ....

....[Cha81] or even some form of blind signatures as in privacy protecting payment systems (see, e.g. Che94] to achieve privacy. For these approaches it seems difficult however to attain all desired properties, and still achieve high performance and provable security. The voting schemes of [CF85, BY86, Ben87b] rely on an r th residuosity assumption. In [SK94] it is shown that such schemes can also be based on a discrete logarithm assumption (without fully addressing robustness, though) and how this leads to considerable efficiency improvements. In the present paper we will also address various ....

[Article contains additional citation context not shown here]

J. Cohen and M. Fischer. A robust and verifiable cryptographically secure election scheme. In Proc. 26th IEEE Symposium on Foundations of Computer Science (FOCS '85), pages 372--382. IEEE Computer Society, 1985.

....Notice that this protocol is interesting only for small t because it is exponential in t . In the sequel, we will use it exclusively with t 2. This Boolean computation protocol was discovered independently by Josh Benaloh [Be86] as an application of the general tool of cryptographic capsules [CoFi85]. 6. ZKIP FOR SAT The zero knowledge interactive proof for satisfiability should now be obvious. Let f : 0,1 k 0,1 be the function computed by some satisfiable Boolean formula for which Alice knows an assignment b 1 , b 2 , b k 0,1 such that f (b 1 , b 2 , b k ) ....

....mod n , hence that z i is a quadratic residue; ii) for each i X , disclose x i x mod n so that Bob can check that (x i x ) 2 z i z (mod n ) hence that z i has the same quadratic character as z . This protocol is independently given in [Be86] its essence was already in [CoFi85]. Although it is simpler than those of [GwMiRac85, GaHaYu85] it is worth mentioning that quadratic non residuosity cannot be proved with our protocol unless the standard y QNR n [ 1] has been proved once and for all. Thus, the protocol of [GwMiRac85] must be used the very first time in order to ....

Cohen, J. D. and M. J. Fisher, "A robust and verifiable cryptographically secure election scheme", Proceedings of the 26th Annual IEEE Symposium on the Foundations of Computer Science, 1985, pp. 372-382.

....protocols can be divided into two main categories: two party protocols and multi party protocols. These are the lines along which the bulk of this paper is organized. Three areas of cryptography are closely related to the problem of secure distributed computation. Secret ballot election schemes [36] [17] are essentially a special case of secure computation in which the function is a simple sum of ones and zeros. Instance hiding schemes [1] 11] involve a weak computational agent exploiting one or more strong but untrusted computational agents to compute a function for secret inputs. When one ....

J. (Benaloh) Cohen and M. Fisher, "A robust and verifiable cryptographically secure election scheme," IEEE FOCS 1985, 372-382.

....is authorized to enter into the transaction, or is able to pay. 35, 33] 10.1.3 Voting Cryptographic technology can be used to manage an election so that every voter s vote remains private, but yet every voter can be sure that the vote counting was not manipulated. See Cohen and Fischer [41]. 10.2 Multiparty Ping Pong Protocols One way of demonstrating that a cryptographic protocol is secure is to show that the primitive operations that each party performs can not be composed to reveal any secret information. Consider a simple example due to Dolev and Yao [57] involving the use of ....

J. D. Cohen and M. J. Fischer. A robust and verifiable cryptographically secure election scheme. In Proceedings of the 26th IEEE Symposium on Foundations of Computer Science, pages 372--382, IEEE, Portland, 1985.

....that transfers a message in each direction with certainty; it is discussed in more detail in Section 2.4.4. Electronic money [38] 39] is a collection of protocols (e.g, withdrawal, purchase, deposit) that implement payment schemes without any physical requirements. Secretballot election schemes [50] [19] 91] are essentially a special case of secure computation in which the function is a simple sum of ones and zeros. Early work in the formalization of cryptographic protocols is also of interest. One approach is algebraic [62] 111] proving security by relating actual protocols ....

J. (Benaloh) Cohen and M. Fisher, "A robust and verifiable cryptographically secure election scheme," IEEE FOCS 1985, 372--382.

....system (albeit, no more than k 0 simultaneously at a round) In what follows we discuss informally some of the issues and assumptions in our model. The communication model: The communication model is very much like that of [HJKY95] The l servers communicate via an authenticated bulletin board [CF85] in a synchronized manner. The board is accessible by a Gateway (combining function) that can be assumed to be an insecure gateway that produces the final function result. We assume that the adversary cannot jam communication. The board assumption models an underlying basic communication protocol ....

J. (Benaloh) Cohen and M. Fischer, A robust and verifiable cryptographically secure election scheme, Proc. 26th Annual Symposium on the Foundations of Computer Science, 1985, pp 372--382.

....the result of the voting. Fairness : Nothing must affect the voting. 4.2 Reviews of Some Secure Voting Schemes. Chaum [7] was the first who proposed an election protocol. Several other voting schemes have been proposed by other researchers emphasizing theoretical and practical aspects of voting [18, 1, 9, 14, 7, 2, 13]. In some proposals, the whole voting procedure is controlled by voters themselves. However many interactions among voters are necessary to prove that the voting procedure has been done correctly. As in real voting systems there is no interaction among voters, these protocols are interesting ....

....and authenticity, we can use the two following methods of transmission of untraceable yet authentic ballots: 1. the ballot is sent in an encrypted form; 2. the ballot is sent through an anonymous communication channel. The first approach is proposed by Benaloh and Yung [1] Cohen and Fischer [9], and Iversen [14] Their schemes utilize encryption techniques. The second approach has been proposed by Chaum [7] Boyd [2] and Fujioka, Okamoto and Ohta [13] Their schemes used an anonymous communication channel, and one administrator. They provide unconditional security against tracing the ....

[Article contains additional citation context not shown here]

J. D. Cohen and M. J. Fischer. A robust and verifiable cryptographically secure election scheme. 26th Annual Symposium on Foundations of Computer Science, IEEE, pages 372--382, October 1985.

....that transfers a message in each direction with certainty; it is discussed in more detail in Section 2.4.4. Electronic money [32] 33] is a collection of protocols (e.g, withdrawal, purchase, deposit) that implement payment schemes without any physical requirements. Secretballot election schemes [42] [18] 65] are essentially a special case of secure computation in which the function is a simple sum of ones and zeros. Early work in the formalization of cryptographic protocols is also of interest. One approach is algebraic [49] 77] proving security by relating actual protocols ....

J. (Benaloh) Cohen and M. Fisher, "A robust and verifiable cryptographically secure election scheme," IEEE FOCS 1985, 372-382.

....tally is verifiable to any observer of the election, while due to the use of a matching fault tolerant threshold decryption technique, the individual votes will remain private and the (benign or malign) failure of authorities can be tolerated. We work in the model set forth by Benaloh et al. CF85, BY86, Ben87] where the active parties are divided into l voters V 1 ; V l and n tallying authorities (talliers) A 1 ; An . To achieve universal verifiability all parties have access to a so called bulletin board. A bulletin board is like a broadcast channel with memory to the ....

....privacy By far, the majority of election protocols that support some level of verifiability (either universal or limited to voters, who can check their own vote) merely provide computational protection of the voter s privacy. For example, the schemes presented by Benaloh et al. CF85, BY86, Ben87, BT94] all rely on the so called r th residuosity assumption. Once this assumption is broken (e.g. when the public modulus is factorized) the content of each individual ballot can be decrypted. Similarly, schemes using anonymous channels or mixes [Cha81] usually rely on ....

J. Cohen and M. Fischer. A robust and verifiable cryptographically secure election scheme. In Proc. 26th IEEE Symposium on Foundations of Computer Science (FOCS '85), pages 372--382. IEEE Computer Society, 1985.

....expansion encountered in [7] They also propose a new election scheme which, unlike the scheme in [7] satisfies the fairness criterion. The voting protocol developed by Benaloh [1] allows only yes no votes and is an extension using a composite (k; n) threshold scheme of the voting protocol in [9]. The identity of the voter is hidden as long as there are fewer than k conspiring subgovernments. In [2] Boyd proposes a voting protocol applying multiple key ciphers, with the trusted voting authority. The improved version of this protocol is given by Boyd in [3] requiring no trusted authority. ....

Cohen, J., Fischer, M., A Robust and Verifiable Cryptographically Secure Election Scheme, Proc. 26th IEEE Symp. on Foundations of Computer Science, 372--382, Portland (OR), 1985

....conspire in an attempt to breach privacy. The second extension allows a government to reveal (and convince voters of) the winner in an election without releasing the actual tally. Combining these two extensions in a uniform manner remains an open problem. 1 Introduction and Background In [CoFi85], a protocol was presented which gives a method of holding a mutually verifiable secret ballot election. The participants are the voters, a government, a trusted beacon which generates publically readable random bits, and a trusted global clock. The protocol has four basic phases. In phase 1, ....

....the accuracy of the tally. With the aid of a final interactive proof, very high confidence is given that the tally released correctly represents the total number of no votes and the total number of yes votes cast. For completeness, the protocol is given in figure 1.1. Proofs are given in [CoFi85] that this protocol satisfies a correctness theorem and a privacy theorem. The correctness theorem states roughly that if the election passes a simple check function, then with high probability the tally claimed by the government is the desired tally of votes. The privacy theorem state roughly ....

[Article contains additional citation context not shown here]

Cohen, J. and Fischer, M. "A Robust and Verifiable Cryptographically Secure Election Scheme." Proc. 26 th IEEE Symp. on Foundations of Computer Science, Portland, OR (Oct. 1985), 372--382.

No context found.

Josh D. Cohen (Benaloh) and Michael J. Fischer, A Robust and Verifiable Cryptographically Secure Election Scheme, FOCS 1985.

No context found.

J. D. Cohen and M. Fischer. A Robust and Verifiable Cryptographically Secure Election Scheme. In the 26th FOCS. IEEE, 1985.

No context found.

J. D. Cohen (Benaloh) and M. J. Fischer. A robust and verifiable cryptographically secure election scheme. pages 372--382, Portland, 1985.

No context found.

J. D. Cohen and M. J. Fischer, (1985), A robust and verifiable cryptographically secure election scheme, Proc. of 26th Symp. on Foundation of Computer Science, 1985, 372--382.

No context found.

J. D. Cohen and M. J. Fischer, (1985), A robust and verifiable cryptographically secure election scheme, Proc. of 26th Symp. on Foundation of Computer Science, 1985, 372--382.

No context found.

J. Cohen and M. Fischer. A robust and verifiable cryptographically secure election scheme. In Proceedings of 26th IEEE Symposium on Foundations of Computer Science, pages 372--382, 1985.

No context found.

Josh D. Cohen and Michael J. Fischer. A robust and verifiable cryptographically secure election scheme. In proceedings of FOCS '85, pages 372--382, 1985.

No context found.

J. D. Cohen and M. J. Fischer. A robust and verifiable cryptographically secure election scheme. In Proceedings of the 26th IEEE Symposium on Foundations of Computer Science, pages 372--382, Portland, 1985. IEEE.

No context found.

J. D. Cohen and M. J. Fischer, (1985), A robust and verifiable cryptographically secure election scheme, Proc. of 26th Symp. on Foundation of Computer Science, 1985, 372--382.

No context found.

J. D. Cohen and M. J. Fischer, (1985), A robust and verifiable cryptographically secure election scheme, Proc. of 26th Symp. on Foundation of Computer Science, 1985, 372--382.

No context found.

Josh D. Cohen (Benaloh) and Michael J. Fischer, A Robust and Verifiable Cryptographically Secure Election Scheme, FOCS 1985.

No context found.

J. D. Cohen and M. J. Fischer, (1985), A robust and verifiable cryptographically secure election scheme, Proc. of 26th Symp. on Foundation of Computer Science, 1985, 372--382.

No context found.

Cohen, J. and Fischer.: A Robust and Verifiable Cryptographically Secure Election Scheme, FOCS, pp.372-382 (1985).

No context found.

J. C. Benaloh (Cohen) and M.J. Fischer. A robust and verifiable cryptographically secure election scheme. Symp. on Foundations of Computer Science (FOCS), 1985.

First 50 documents  Next 50

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC