CN102521910B - Vote-hiding type electronic voting method - Google Patents

Abstract

The invention discloses a vote-hiding type electronic voting method, which comprises the steps of: firstly setting a public system parameter, and a relative public key and a private key; and then, responding to the votes of voters to select the input so as to generate an electronic voting customization machine of electronically encrypted votes; performing a relative secure multi-party computation according to the formed electronically encrypted votes, and finally obtaining a voting result hiding votes of all candidates. The invention provides the electronic voting method capable of hiding the votes of all candidates by utilizing the secure multi-party computation and the vote guarantee technology for solving the problem of publishing the votes of the candidates in the voting in the prior art, and guaranteeing the final votes of all candidates in the electronic voting to be confidential so as to guarantee the privacy of the voters in electronic voting, especially small scale voting.

Description

A kind of electronic voting method of hiding number of votes obtained

Technical field

The present invention relates to electronic voting field, particularly the electronic voting of the higher applicable small-scale application of security requirement.

Background technology

If the people such as Endo pointed out the disclosed words of final number of votes obtained of each candidate in small-scale vote by ballot in 2008, can reveal group internal and neutral voter's ballot wish.Consider such a case: if Alice is a directors, and the board of directors determines to hold the chairman that single ballot elects to select next.Incumbent chairman and vice-president announce all qualified ballot name lists of the candidates, and they strive for ballot paper in their group and other voters' ballot paper teeth and nail.Alice is a neutral voter, does not belong to any one group.Alice wishes to keep the ballot purpose of oneself by other people, not known, and clashes avoiding with any one group.If but neutral voter's quantity is fewer, from each candidate's final gained vote situation, even if the ballot paper of Alice encrypted form is not decrypted, his ballot wish is also easy to be inferred out, and this has run counter to voter's privacy, thereby destroyed the freedom of electing.

To a certain extent, voting scheme depends on that to the degree of protection of voter's privacy opponent understands the uncertainty of honest voter's ballot paper.Give an example: if having two candidate Alice and Bob, and each voter wishes to throw to Alice, and now opponent forces a voter to vote to Bob.When final vote result is made known, if the number of votes obtained of final Bob is 0, opponent can determine that voter does not go to the polls by his wish, and this situation has also been run counter to voter's privacy.

Owing to participating in, the number of voting is on a small scale fewer; the ballot paper number that opponent can control proportion in small-scale vote by ballot is larger; and honest voter's proportion is less; honest voter's ballot wish is easy to be inferred out by other people ballot paper, therefore the protection of privacy is considered should specific efficiency more important in ballot on a small scale.Endo etc. point out that the poll that discloses all ballot candidates can reduce honest neutral voter's uncertainty, and the total number of persons of participation ballot is fewer, and the uncertainty of reduction is larger.

The threat of buying and selling ballot paper and compulsory voting in small-scale electronic voting is larger, so hide all candidates' final poll, seem particularly important, in security, electronic voting requirement is higher than extensive electronic voting on a small scale, votes on a small scale for one and keep all candidates' number of votes obtained to maintain secrecy.

Regrettably, nearly all electronic voting has all directly provided every candidate's ballot paper poll, but the electronic voting scheme that seldom has hiding ballot paper poll to require is suggested.

Saisho etc. utilize ElGamal cipher system to propose the electronic voting scheme that can hide voter's quantity, but this scheme be not for small-scale electronic voting design and also need special count of votes method.Endo etc. utilize ceiling price auction protocol to propose the voting scheme that can hide ballot candidate poll, but scheme can not be hidden the ballot paper of triumph side, and process can not be disclosed checking completely.The people such as calendar year 2001 Cramer and Schoenmakers in 2006 and Tuyls have provided the related protocol that Secure calculates, Adida in 2006 and Neff have provided a ballot assurance technology, and these are all that the electronic voting scheme of hiding candidate's number of votes obtained of the present invention provides the foundation.

Summary of the invention

Technical matters to be solved by this invention is for the security of small-scale electronic voting, confidentiality, proposes a kind of electronic voting method of hiding number of votes obtained.

The present invention is for solving the problems of the technologies described above by the following technical solutions:

An electronic voting method for hiding number of votes obtained, comprises the steps:

Step (1), arranges disclosed systematic parameter, comprising: the sum l of count of votes mechanism; The challenge number of bits L of ballot paper customization machine; Ballot candidate gathers C ₁..., C _cn, legal voter gathers V ₁..., V _d, wherein cn represents candidate's sum, d vote by proxy people sum;

Step (2), arranges relevant PKI and private key, and concrete steps are as follows:

Step (201), selects Integer n by trust authority KMC (KMC), and wherein n is strong prime p, and the product of q, meets p=2p '+1, q=2q '+1,

Step (202), makes m=p ' q ', by trust authority KMC (KMC), is selected at random make g=(1+n) ^ab ⁿmod n ²;

Step (203), calculates private key SK=β m by trust authority KMC (KMC), and adopts (t, n) thresholding pattern of Shamir to share, specific as follows: to make a ₀=β m, selects t a at random by trust authority KMC (KMC) _i∈ 0 ..., mn-1}, order calculate the P of count of votes mechanism _isecret share s _i=f (i) mod mn also issues the P of count of votes mechanism by safe lane _i, i ∈ 1 ..., t}, t ∈ 1 ..., n};

Step (204), open PKI PK=(g, n, θ=am β mod n), authentication secret VK, sub-authentication secret VK _i, wherein VK=v be by in an element of the cyclic subgroup that forms of square number, wherein Δ=l! ;

Step (3), gathers the ballot of the legal voter's input in V and selects in response to legal voter, ballot is selected to convert to the electronics ballot paper of encryption, produce the ballot paper customization machine of electronics ballot paper, and open relevant information is checked for voter; Wherein the mutual step of ballot paper customization machine and legal voter comprises:

Step (301): by the random 01 Bit String p that selects a L position of ballot paper customization machine ^*, and p ^*tell voter; Then voter selects candidate; Bit String p ^*after being finished, destroyed;

Step (302): according to voter V _ij is selected in the ballot of input, and wherein j represents voter V _iballot is to candidate C _j, i ∈ 1 ..., d}, j ∈ 1 ..., and cn}, ballot paper customization machine prints 2Lcn Paillier to be encrypted: PE _i(1) ..., PE _i(cn); Each PE wherein _i() is all that 2L Paillier encrypts, each PE _i() is divided into left and right two parts: PE _i() _land PE _i() _r, PE _i() _land PE _i() _rcorresponding L Paillier encrypts respectively, and the plaintext that wherein each Paillier encrypts is 0 or 1; PE wherein _i(t) _lcorresponding plaintext and PE _i(t) _rcorresponding plaintext is identical, PE _i(j) _lcorresponding plaintext is p ^*, PE _i(j) _rcorresponding plaintext and p ^*on the contrary;

Step (303): voter V _ilong challenge Bit String c in L position of random selection tells ballot paper customization machine, wherein challenges Bit String c and is comprised of L position and R position, and L position and R position represent with 0 and 1 respectively;

Step (304): according to challenge Bit String c, calculate cn corresponding value p by ballot paper customization machine _1i, p _2i..., p _cni: p _ji=p ^*, wherein, u ∈ 1 ..., cn}, u ≠ j; And by p _1i, p _2i..., p _cnitell voter V _i; Voter V _ichecking p _jiwhether equal p ^*if unequal voter raises an objection;

Step (305): according to challenge Bit String c, by the open PE of ballot paper customization machine _i(1) ..., PE _i(cn) whether the random value of using when corresponding plaintext is with encryption correctly forms for encryption corresponding to check, checking p _1i, p _2i..., p _cniwhether complete contrary with the locational bit of the corresponding R of disclosed encryption;

Step (306): t ∈ of the random selection of ballot paper customization machine 1,2 ..., L}, will and reservation is as ballot paper;

Step (4), carries out associated safety and in many ways calculates; Concrete steps are as follows:

Step (401): calculate:

$E_{V_{i1}}=P{E}_i{\left(1\right)}_{L_t}\⊕P{E}_i{\left(1\right)}_{R_t},$ $E_{V_{i2}}=P{E}_i{\left(2\right)}_{L_t}\⊕P{E}_i{\left(2\right)}_{R_t},$ ...， $E_{V_{\mathrm{icn}}}=P{E}_i{\left(\mathrm{cn}\right)}_{L_t}\⊕P{E}_i{\left(\mathrm{cn}\right)}_{R_t},$ Wherein i ∈ 1 ..., v}, the principle of wherein using is: $\mathrm{PE}{\left(\right)}_{L_t}\⊕{\mathrm{PE}\left(\right)}_{R_t}={\mathrm{PE}\left(\right)}_{L_t}+\mathrm{PE}{\left(\right)}_{R_t}-2\mathrm{PE}{\left(\right)}_{L_t}\mathrm{PE}{\left(\right)}_{R_t},$ The isomorphism that utilizes Paillier to encrypt, candidate C ₁the encrypted form of final number of votes obtained is similarly, to other candidate C ₂..., C _cnalso can obtain the number of votes obtained of respective encrypted

Step (402): right in any two carry out plaintext same test, by number of votes obtained identical be classified as a class;

Step (403): establish after step (402) is processed and become m≤cn wherein; To each C ' _j, l the P of mechanism ₁..., P _lutilize goalkeeper BITREP become corresponding binary bit and encrypt expression j ∈ 1 ..., M};

Step (404): to a pair of with i wherein, j ∈ 1 ..., M}, i ≠ j, l the P of mechanism ₁..., P _lutilize [x > y] comparison ring to obtain if set up, candidate C ' is described _ifinal number of votes obtained be greater than candidate C ' _jpoll, by C ' _icontinue to carry out analog with other remaining candidates;

Step (5), after Secure calculates, obtains candidate's collection that poll is maximum, announces the net result of ballot.

Further, the electronic voting method of a kind of hiding number of votes obtained of the present invention, Secure noted earlier calculates and relates to lower module:

1. multiplication gate: definition [[x]]=g ^xr ⁿbe that Paillier encrypts, g wherein, n is PKI, and r is random value, and x is message value; Given [[x]] and [[y]], l the P of mechanism ₁..., P _lby cooperation, calculate safely [[xy]], wherein l>=2;

2. same test expressly: given [[x]] and [[y]], l the P of mechanism ₁..., P _lby cooperation, carry out safely correlation computations, to judge that whether corresponding plaintext x and y equate, l>=2 wherein;

3. addition ring or subtraction ring: for given, about x, the binary bit of y is encrypted and represented [[x ₀]] ..., [[x _{m '-1}]] and [[y ₀]] ..., [[y _{m '-1}]], addition ring or subtraction ring calculate about the binary bit of x+y or x-y and encrypt and represent [[x ₀]] ..., [[z _{m '-1}]]; The principle of utilizing is as follows:

C _-1=0, c _i=x _iy _i+ x _ic _i-1+ y _ic _i-1-2x _iy _ic _i-1, z _i=x _i+ y _i+ c _i-1-2c _i; 0≤i≤m '-1 wherein;

4. [x > y] comparison ring: about x, the binary bit of y is encrypted and represented [[x for given ₀]] ..., [[x _{m '-1}]] and [[y ₀]] ..., [[y _{m '-1}]], calculate [x > y], if wherein x > y to set up the value of [x > y] be 1, otherwise [x > y] is 0; Derivation is as follows: t ₀=0, t _i+1=(1-(x _i-y _i) ²) t _i+ x _i-x _iy _i; 0≤i≤m '-1 wherein, the value of [x > y] is t _{m '};

5. random bit door: for i=1 ..., l, the P of mechanism _ia bit b of random generation _i{ 0,1}, to b for ∈ _iencrypt and form [[b _i]], and broadcast [[b _i]] and relevant non-interactive zero-knowledge proof, prove b _i{ 0,1} is a bit to ∈ really; To all [[b _i]], calculate [[b]], wherein the principle of utilizing is as follows: for i, j ∈ 1 ..., l},

6. BITREP door: a given Paillier encrypts [[x]], the P of mechanism ₁..., P _lbinary bit corresponding to x that cooperative computation goes out in [[x]] encrypted expression [[x ₀]] ..., [[x _{m '-1}]], l>=2 wherein.

Further, the electronic voting method of a kind of hiding number of votes obtained of the present invention, the correlation step that multiplication gate noted earlier calculates comprises:

Steps A 1: suppose that l mechanism produces the secret about x:

A1-a: each P of mechanism _iselect a random value d _i, to d _iencrypt and form [[d _i] and broadcast [[d _i] and relevant non-interactive zero-knowledge proof, prove P _ireally know d _i, make d represent

A1-b: calculate [[x]] [[d ₁]] ... [[d _l]]=[[x+d]], t institution cooperation thresholding deciphering obtains x+d;

A1-c: by P ₁obtain x ₁=(x+d)-d ₁, the P of other mechanisms _iobtain x _i=-d _i,

Steps A 2: each P of mechanism _ibroadcast [[x _i]], and relevant non-interactive zero-knowledge proof, to prove [[x _iy]] really corresponding to [[x _i]] in x _iy in [[y]];

Steps A 3: suppose that H gathers for the mechanism by above step, the mechanism that C be other gathers; Calculate * _{i ∈ C}[[x _i]], and thresholding deciphering obtains x _c=∑ _{i ∈ C}x _i, by x _c[[y]] calculates [[x _cy]]; Therefore, by { [[x _iy]] | i ∈ H} and [[x _cy]], all mechanism's calculating (* _{i ∈ H}[[x _iy]]) * [[x _cy]], obtain [[xy]] about xy.

Further, the electronic voting method of a kind of hiding number of votes obtained of the present invention, the correlation step that plaintext same test noted earlier calculates comprises:

Step B1: calculate [[y]] ^-1=[[y]];

Step B2: calculate [[x]] [[y]] ^-1=[[x-y]];

Step B3: each P of mechanism _iselect a random value d _i, broadcast [[d _i]] and relevant non-interactive zero-knowledge proof, make d represent

Step B4: calculate ${\left[\right[x-y\left]\right]}^{d_1}{\left[\right[x-y\left]\right]}^{d_2}...{\left[\right[x-y\left]\right]}^{d_n}={\left[\right[x-y\left]\right]}^d,$ N institution cooperation thresholding deciphering [[x-y]] ^dif corresponding plaintext is 0, x and y equate, otherwise corresponding plaintext is not that 0, x and y are unequal.

Further, the electronic voting method of a kind of hiding number of votes obtained of the present invention, random bit door noted earlier adopts relevant non-interactive zero-knowledge proof step to be: to [[b _i]] calculating [[b _i]] ²=[[b _i]] [[b _i]], l the P of mechanism ₁..., P _lto [[b _i]] and [[b _i]] ²carry out plaintext same test, if both expressly identical establishments of end product prove b _iequal 0 or 1; Otherwise be false.

Further, the electronic voting method of a kind of hiding number of votes obtained of the present invention, the correlation step that BITREP door noted earlier calculates comprises:

Step F 1: establishing N is the modulus PKI during Paillier encrypts, and produces a random value r ∈ _r[0, N), carry out following steps:

F1-a: the P of mechanism ₁..., P _lutilize random bit door to produce the individual random bit bit encryption of m ' value [[r ₀]] ..., [[r _{m '-1}]];

F1-b: the binary bits of supposing N is expressed as N ₀..., N _{m '-1}, to [[r ₀]] ..., [[r _{m '-1}]] and N ₀..., N _{m '-1}, utilize [x > y] comparison ring to calculate [[[N > r]]], wherein

F1-c: thresholding deciphering [[[N > r]]] obtains [N > r], if set up [N > r]=1, continues; Otherwise jump to step F 1-a;

Step F 2: calculate l the P of mechanism ₁..., P _lthresholding deciphering [[y]] obtains y=x+r mod N, 0≤y < N;

Step F 3: to y ₀..., y _m-1[[r ₀]] ..., [[r _m-1]], utilize subtraction ring to obtain corresponding bit and encrypt expression [[z ₀]] ..., [[z _m]], wherein z=x or z=x-N, wherein z _mrepresent sign bit;

Step F 4: according to sign bit z _mdetermine z=x or z=x-N; If z=x-N, to [[z ₀]] ..., [[z _m-1]] and N ₀..., N _m-1utilize addition ring to obtain the [[x that x is corresponding ₀]] ..., [[x _m-1]].

Further, the electronic voting method of a kind of hiding number of votes obtained of the present invention, non-interactive zero-knowledge proof method relevant described in steps A 1-a noted earlier is: to given [[α]]=g ^αs ⁿbmod n ², reference P proves the value that it knows α really, comprises the following steps:

A1, chooses x ∈ Z at random by reference P _n, calculate B=g ^xu ⁿmod n ²;

A2, utilizes safe collisionless hash function H:{0,1} by reference P ^*→ Z _ncalculating challenging value e=H (n, g, [[α]], B);

A3, makes w=x+e α mod n, by reference P, calculates z=us ^eg ^tmod n ², wherein t meets x+e α=w+tn, then by reference P, announces (B, e, w, z);

During checking, calculate $e\stackrel{?}{=}H(n,g,[\left[\mathrm{\&alpha;}\right]],B),$ $g^w{z}^n\stackrel{?}{=}B{\left[\right[\mathrm{\&alpha;}\left]\right]}^e\mathrm{mod}{n}^2.$

Further, the electronic voting method of a kind of hiding number of votes obtained of the present invention, relevant non-interactive zero-knowledge proof method is described in steps A 2 noted earlier: to given [[a]]=g ^ar ⁿmod n ², [[α]]=g ^αs ⁿmod n ²and D=[[a]] ^αγ ⁿmod n ², by reference P proof D=[[a α]] set up, comprise the following steps:

B1, chooses x ∈ Z at random by reference P _n, calculate A=[[a]] ^xv ⁿmod n ², B=g ^xu ⁿmod n ²;

B2, utilizes safe collisionless hash function H:{0,1} by reference P ^*→ Z _ncalculate challenging value e=H (n, g, [[a]], [[α]], D, A, B);

B3, makes w=x+e α mod n, by reference P, calculates z=us ^eg ^tmod n ², y=v[[a]] ^tγ ^emod n ², wherein t meets x+e α=w+tn, and P announces (A, B, e, w, z, y);

Checking is calculated $e\stackrel{?}{=}H(n,g,[\left[a\right]],[\left[\mathrm{\&alpha;}\right]],D,A,B),$ $g^w{z}^n\stackrel{?}{=}B{\left[\right[\mathrm{\&alpha;}\left]\right]}^e\mathrm{mod}{n}^2,$ ${\left[\right[a\left]\right]}^w{y}^n\stackrel{?}{=}{\mathrm{AD}}^e\mathrm{mod}{n}^2.$

Further, the electronic voting method of a kind of hiding number of votes obtained of the present invention, relevant non-interactive zero-knowledge proof method is described in step B3 noted earlier: to given [[a]]=g ^ar ⁿmod n ², [[α]]=g ^αs ⁿmod n ²and D=[[a]] ^αγ ⁿmod n ², by reference P proof D=[[a α]] set up, comprise the following steps:

B1, chooses x ∈ Z at random by reference P _n, calculate A=[[a]] ^xv ⁿmod n ², B=g ^xu ⁿmod n ²;

B2, utilizes safe collisionless hash function H:{0,1} by reference P ^*→ Z _ncalculate challenging value e=H (n, g, [[a]], [[α]], D, A, B);

B3, makes w=x+e α mod n, by reference P, calculates z=us ^eg ^tmod n ², y=v[[a]] ^tγ ^emod n ², wherein t meets x+e α=w+tn, and P announces (A, B, e, w, z, y);

Checking is calculated $e\stackrel{?}{=}H(n,g,[\left[a\right]],[\left[\mathrm{\&alpha;}\right]],D,A,B),$ $g^w{z}^n\stackrel{?}{=}B{\left[\right[\mathrm{\&alpha;}\left]\right]}^e\mathrm{mod}{n}^2,$ ${\left[\right[a\left]\right]}^w{y}^n\stackrel{?}{=}{\mathrm{AD}}^e\mathrm{mod}{n}^2.$

Further, the electronic voting method of a kind of hiding number of votes obtained of the present invention, the correlation step that thresholding deciphering noted earlier is calculated comprises:

Step 001: the P of count of votes mechanism _icalculate wherein i ∈ 1,2 ..., l}, and announce relevant non-interactive zero-knowledge proof: wherein Δ=l! , concrete method of proof is: for by reference P proof log _gh _i=log _xw _i, specifically comprise the steps:

First, by reference P, choose at random w ∈ Z _mn, calculate (x ^w, g ^w)=(a, b); Secondly, by reference P, utilize safe collisionless hash function H:{0,1} ^*→ Z _mncalculate challenging value e=H (a, b, u, v); Then, by reference P, calculate r=w+s _ie, announces (a, b, e, r); Finally, calculate during checking $e\stackrel{?}{=}H(a,b,u,v),$ $x^r\stackrel{?}{=}{\mathrm{au}}^e,$ $g^r\stackrel{?}{=}{\mathrm{bv}}^e;$

Step 002: if be less than t correctly by the non-interactive zero-knowledge proof of last step, stop; Otherwise making S is by above-mentioned steps t+1 secret shared set, calculates: $M=L\left(\underset{j\&Element;S}{\mathrm{\&Pi;}}{c_j}^{2{\mathrm{\&mu;}}_{0,j}^S}\mathrm{mod}{n}^2\right)\frac{1}{4{\mathrm{\&Delta;}}^2\mathrm{\&theta;}}\mathrm{mod}n,$ Wherein ${\mathrm{\&mu;}}_{0,j}^S=\mathrm{\&Delta;}{\mathrm{\&Pi;}}_{j^{\&prime;}\&Element;S\backslash \left\{j\right\}}\frac{j^{\&prime;}}{j^{\&prime;}-j}\&Element;Z,$ $L\left(u\right)=\frac{u-1}{n}.$

The present invention adopts above technical scheme compared with prior art, has following technique effect:

The present invention is based on Secure calculating and ballot assurance technology, proposed the method for the electronic voting scheme of a new applicable small-scale application and hiding candidate's number of votes obtained, can really make all candidates' final number of votes obtained all hide.

Accompanying drawing explanation

Fig. 1 is method flow diagram of the present invention.

Embodiment

Below in conjunction with accompanying drawing, technical scheme of the present invention is described in further detail:

Shown in Fig. 1, the concrete enforcement of this programme is described below with a simple case.

Disclosed systematic parameter is set: suppose count of votes mechanism sum l=4, totally 4 count of votes mechanism: P ₁, P ₂, P ₃, P ₄; Ballot candidate people is C ₁, C ₂, C ₃, C ₄, cn=4; Legal voter's list V ₁, V ₂, V ₃, V ₄, V ₅, d=5; L=3.

Relevant PKI and private key are set: suppose p=11, q=17, n=pq=187, m=5 * 8=40, β=6, a=7, b=8,

g＝(1+187) ⁷8 ¹⁸⁷mod187 ²＝16645，t＝2，SK＝a ₀＝240，a ₁＝11，a ₂＝10，

f(x)＝240+11x+10x ²，s ₁＝f(1)＝261，s ₂＝f(2)＝302，s ₃＝f(3)＝363，s ₄＝f(4)＝444，

PK＝(16645，187，184)，VK＝v＝4，Δ＝24，VK ₁＝v ₁＝1378，VK ₂＝v ₂＝33185，

VK ₃＝v ₃＝511，VK ₄＝v ₄＝1038。

Voter V ₁as follows with the reciprocal process of ballot paper customization machine:

Steps A: the random 01 Bit String p that selects 3 of ballot paper customization machine ^*(being assumed to be 101), and p ^*=101 tell voter V ₁.Then V ₁select candidate (to suppose V ₁select candidate c ₃).P ^*will later destroyed.

Step B: ballot paper customization machine prints totally 24 Paillier to be encrypted: PE ₁(1), PE ₁(2), PE ₁(3), PE ₁(4), each PE wherein ₁() is all that 6 Paillier encrypt, and is divided into left and right two parts: PE ₁() _land PE ₁() _r, PE ₁() _land PE ₁() _rcorresponding 3 Paillier encrypt respectively, and the plaintext that each Paillier encrypts is 0 or 1.PE ₁(t), (t ∈ 1 ..., and 4}, t ≠ 3) corresponding plaintext is 6 random 01 Bit Strings, wherein PE ₁(t) _lcorresponding plaintext and PE ₁(t) _rcorresponding plaintext is identical: for example getting and encrypting random value is 2,3,4,5,6,7, PE ₁(1) _land PE ₁(1) _rbe that 3 Paillier encrypt, corresponding plaintext is: 001, and corresponding ciphertext is respectively ${\mathrm{PE}}_1{\left(1\right)}_{L_1}:g^0{2}^{187}\mathrm{mod}34969=14560,$ ${\mathrm{PE}}_1{\left(1\right)}_{L_2}:g^0{3}^{187}\mathrm{mod}34969=28686,$

${\mathrm{PE}}_1{\left(1\right)}_{L_3}:g^1{4}^{187}\mathrm{mod}34969=13694,$ ${\mathrm{PE}}_1{\left(1\right)}_{R_1}:g^0{5}^{187}\mathrm{mod}34969=21057,$

${\mathrm{PE}}_1{\left(1\right)}_{R_2}:g^0{6}^{187}\mathrm{mod}34969=33393,$ ${\mathrm{PE}}_1{\left(1\right)}_{R_3}:g^1{7}^{187}\mathrm{mod}34969=20428;$

Similarly, PE ₁(2) _land PE ₁(2) _rbe that 3 Paillier encrypt, corresponding plaintext is: 110; PE ₁(4) _land PE ₁(4) _rbe that 3 Paillier encrypt, corresponding plaintext is: 100.And PE ₁(3) _lcorresponding plaintext is p ^*=101, PE ₁(3) _rcorresponding plaintext and p ^*be 010 on the contrary.

Step C: voter V ₁random one 3 the long challenge Bit String c (c is comprised of L (left side) and R (right side), represents respectively with 0 and 1, makes c=011 at this) that select tell ballot paper customization machine.

Step D: according to challenging value c, ballot paper customization machine calculates corresponding value p ₁₁, p ₂₁, p ₃₁, p ₄₁: p ₃₁=p ^*=101,

$p_{11}={\mathrm{PE}}_1{\left(1\right)}_L\&CirclePlus;c=001\&CirclePlus;011=010,$ $p_{21}={\mathrm{PE}}_1{\left(2\right)}_L\&CirclePlus;c=110\&CirclePlus;011=101,$

$p_{41}={\mathrm{PE}}_1{\left(4\right)}_L\&CirclePlus;c=100\&CirclePlus;011=111$ And by p ₁₁, p ₂₁, p ₃₁, p ₄₁tell voter V ₁.Voter V ₁checking p ₃₁whether equal p ^*if unequal voter can raise an objection.

Step e: according to challenging value c, the open PE of ballot paper customization machine ₁(1), PE ₁(2), PE ₁(3), PE ₁(4) whether the random value of using when corresponding plaintext is with encryption correctly forms for encryption corresponding to check.Checking p ₁₁, p ₂₁, p ₃₁, p ₄₁whether complete contrary with the locational bit of the corresponding R of disclosed encryption.C=011 for example, left and right is right, therefore ballot paper customization machine provides whether corresponding plaintext 001 and the random value 2,6,7 of using correctly form for encryption corresponding to check.On the position of all 1 correspondences in check c, p ₁₁whether (corresponding to 10) be complete contrary with disclosed plaintext (corresponding to 01).In like manner right and

Step F: a t=2 of the random selection of ballot paper customization machine, will

reservation is as ballot paper.

In like manner, voter V ₂, V ₃, V ₄, V ₅similar with reciprocal process and the steps A-F of ballot paper customization machine.

The ballot paper forming is carried out to associated safety to be calculated in many ways:

Steps A 1: the P of mechanism ₁, P ₂, P ₃, P ₄cooperative computation obtains $E_{V_{i1}}={\mathrm{PE}}_i{\left(1\right)}_{L_t}\&CirclePlus;{\mathrm{PE}}_i{\left(1\right)}_{R_t},$ $E_{V_{i2}}={\mathrm{PE}}_i{\left(2\right)}_{L_t}$ $\&CirclePlus;{\mathrm{PE}}_i{\left(2\right)}_{R_t},$ $E_{V_{i3}}={\mathrm{PE}}_i{\left(3\right)}_{L_t}\&CirclePlus;{\mathrm{PE}}_i{\left(3\right)}_{R_t},$ $E_{V_{i4}}={\mathrm{PE}}_i{\left(4\right)}_{L_t}\&CirclePlus;{\mathrm{PE}}_i{\left(4\right)}_{R_t}$ (i ∈ 1 ..., d}), the principle of wherein using is: $\mathrm{PE}{\left(\right)}_{L_t}\&CirclePlus;{\mathrm{PE}\left(\right)}_{R_t}={\mathrm{PE}\left(\right)}_{L_t}+\mathrm{PE}{\left(\right)}_{R_t}-2\mathrm{PE}{\left(\right)}_{L_t}\mathrm{PE}{\left(\right)}_{R_t}.$ The isomorphism that utilizes Paillier to encrypt, candidate C ₁the encrypted form of final number of votes obtained can be expressed as $E_{C_1}={\mathrm{\&Pi;}}_{i=1}^v{E}_{V_{i1}}.$ For example, $E_{V_{11}}={\mathrm{PE}}_1{\left(1\right)}_{L_2}\&CirclePlus;{\mathrm{PE}}_1{\left(1\right)}_{R_2}=\left[\right[0\&CirclePlus;0\left]\right]=\left[\right[0\left]\right],$ $E_{V_{12}}=\left[\right[1\&CirclePlus;1\left]\right]=\left[\right[0\left]\right],$ $E_{V_{13}}=\left[\right[0\&CirclePlus;1\left]\right]=\left[\right[1\left]\right],$ $E_{V_{14}}=\left[\right[0\&CirclePlus;0\left]\right]=\left[\right[0\left]\right].$ In like manner can obtain with suppose voter V ₂select candidate C ₂, V ₃select candidate C ₃, V ₄select candidate C ₁, V ₅select candidate C ₄, candidate C now ₁the encrypted form of final number of votes obtained be $E_{C_1}=E_{V_{11}}\&times;E_{V_{21}}\&times;E_{V_{31}}\&times;E_{V_{41}}\&times;E_{V_{51}}=\left[\right[0+0+0+1+0\left]\right]=\left[\right[1\left]\right],$ C ₂the encrypted form of final number of votes obtained be $E_{C_2}=E_{V_{12}}\&times;E_{V_{22}}\&times;E_{V_{32}}\&times;E_{V_{42}}\&times;E_{V_{52}}=\left[\right[0+1+0+0+0\left]\right]=\left[\right[1\left]\right],$ Ballot candidate C ₃the encrypted form of final number of votes obtained can be expressed as $E_{C_3}=E_{V_{13}}\&times;E_{V_{23}}\&times;E_{V_{33}}\&times;E_{V_{43}}\&times;E_{V_{53}}=\left[\right[1+0+1+0+0\left]\right]=\left[\right[2\left]\right],$ C ₄the encrypted form of final number of votes obtained be $E_{C_4}=E_{V_{14}}\&times;E_{V_{24}}\&times;E_{V_{34}}\&times;E_{V_{44}}\&times;E_{V_{54}}=\left[\right[0+0+0+0+1\left]\right]=\left[\right[1\left]\right].$

Step B1: right in any two carry out plaintext same test, by number of votes obtained identical be classified as a class.So time it is a class it is a class m=2.

Step C1: become after step B1 to each C ' _j, j ∈ { 1,2}, the P of mechanism ₁, P ₂, P ₃, P ₄utilize goalkeeper BITREP become corresponding binary bit and encrypt expression

Step D1: right with the P of mechanism ₁, P ₂, P ₃, P ₄utilize [x > y] comparison ring to obtain deciphering obtain plaintext 0, candidate C ' is described ₁={ C ₁, C ₂, C ₄number of votes obtained be less than candidate C ' ₂={ C ₃poll, therefore ballot candidate C ₃poll maximum, C ₃for final ballot victor.

Steps A 1 is asked step be: ${\mathrm{PE}}_1{\left(1\right)}_{L_2}+{\mathrm{PE}}_1{\left(1\right)}_{R_2}=28686\&times;33393\mathrm{mod}34969=5781,$ With reference to claim 2, utilize multiplication gate to obtain recycling $\mathrm{PE}{\left(\right)}_{L_t}\&CirclePlus;{\mathrm{PE}\left(\right)}_{R_t}={\mathrm{PE}\left(\right)}_{L_t}+\mathrm{PE}{\left(\right)}_{R_t}-2\mathrm{PE}{\left(\right)}_{L_t}\mathrm{PE}{\left(\right)}_{R_t}$ Can obtain.With reference to claim 2, wherein ask step as follows:

Steps A 2: the P of mechanism ₁, P ₂, P ₃, P ₄generation about secret:

A2a: the P of mechanism ₁select a random value d ₁=2, to d ₁encrypt and form [[d ₁]]=16645 ²8 ¹⁸⁷mod34969=14407, P ₂select a random value d ₂=3, to d ₂encrypt and form [[d ₂]]=16645 ³5 ¹⁸⁷mod34969=6514, P ₃select a random value d ₃=4, to d ₃encrypt and form [[d ₃]]=16645 ⁴6 ¹⁸⁷mod34969=30884, P ₄select a random value d ₄=5, to d ₄encrypt and form [[d ₄]]=16645 ⁵7 ¹⁸⁷mod34969=24282, broadcast [[d _i] and relevant non-interactive zero-knowledge proof, prove P _ireally know d _i.Make d represent

A2b: calculate ${\mathrm{PE}}_1{\left(1\right)}_{L_2}\left[\right[d_1\left]\right]...\left[\right[d_4\left]\right]=28686\&times;14407\&times;6514\&times;30884\&times;24282\mathrm{mod}$

34969=33618=[[0+2+3+4+5]]=[[14]], the P of mechanism ₁, P ₂, P ₃, P ₄thresholding deciphering obtains 14.

A2c:P ₁obtain x ₁=14-d ₁=12, P ₂obtain x ₂=-d ₂=-3, P ₃obtain x ₃=-d ₃=-4, P ₄obtain x ₄=-d ₄=-5, order

Step B2: calculate [[x ₁]], [[x ₂]], [[x ₃]], [[x ₄]], each P of mechanism _ibroadcast [[x _i]], and relevant non-interactive zero-knowledge proof, to prove [[x _iy]] really corresponding to [[x _i]] in x _iy in [[y]].

Step C2: suppose that H gathers for the mechanism by above step, the mechanism that C be other gathers.Calculate * _{i ∈ C}[[x _i]], and thresholding deciphering obtains x _c=∑ _{i ∈ C}x _i, by x _c[[y]] calculates [[x _cy]].Therefore by { [[x _iy]] | i ∈ H} and [[x _cy]], all mechanism's calculating (* _{i ∈ H}[[x _iy]]) * [[x _cy]], obtain [[xy]] about xy.

The non-interactive zero-knowledge proof of steps A 2a with reference to 15 in claim instructions (with [[d ₁]]=14407 be example):

(1) reference P chooses 2 ∈ Z at random _n, calculate B=16645 ²3 ¹⁸⁷modn34969=2170.

(2) P utilizes safe collisionless hash function H:{0,1} ^*→ Z _ncalculate challenging value e=H (187,16645,14407,2170).Suppose e=4.

(3) make w=2+4 * 2=10, P calculates z=3 * 8 ⁴16645 ⁰mod34969=12288, wherein 0 meets 2+4 * 2=10+187t, and P announces (2170,4,10,12288).

During checking, calculate $4\stackrel{?}{=}H\left(\mathrm{187,16645,14407,2170}\right),$ ${16645}^{10}{12288}^{187}\mathrm{mod}34969\stackrel{?}{=}$ $2170\&times;{14407}^4\mathrm{mod}34969.$

Wherein the thresholding decryption portion of steps A 2b is with reference to 17 in claim instructions (decrypt c=33618):

Steps A 5: the P of count of votes mechanism ₁calculate c ₁=33618 ^{2 * 24 * 261}mod34969=18956, P ₂calculate c ₂=33618 ^{2 * 24 * 302}mod34969=19347, P ₃calculate c ₃=33618 ^{2 * 24 * 363}mod34969=14910, P ₄calculate c ₄=33618 ^{2 * 24 * 444}mod34969=7957, and relevant non-interactive zero-knowledge proof is disclosed.

Step B5: if be less than 2 correct non-interactive zero-knowledge proofs of steps A 5 that pass through, stop.Otherwise making S is by the shared set P of 3 secrets of above-mentioned steps ₁, P ₂, P ₃, calculate: $M=L\left(\underset{j\&Element;S}{\mathrm{\&Pi;}}{c_j}^{2{\mathrm{\&mu;}}_{0,j}^S}\mathrm{mod}{n}^2\right)\frac{1}{4{\mathrm{\&Delta;}}^2\mathrm{\&theta;}}\mathrm{mod}n$ $=L\left({c_1}^{{\mathrm{\&mu;}}_{\mathrm{0,1}}^S}{c_2}^{{\mathrm{\&mu;}}_{\mathrm{0,2}}^S}{c_3}^{{\mathrm{\&mu;}}_{\mathrm{0,3}}^S}\mathrm{mod}34969\right)\&times;\frac{1}{4\&times;24\&times;24\&times;184}\mathrm{mod}187=14,$ Wherein ${\mathrm{\&mu;}}_{\mathrm{0,1}}^S=24\&times;\frac{2}{2-1}$ $\&times;\frac{3}{3-1}=72,$ ${\mathrm{\&mu;}}_{\mathrm{0,2}}^S=24\&times;\frac{1}{1-2}\&times;\frac{3}{3-2}=-72,$ ${\mathrm{\&mu;}}_{\mathrm{0,3}}^S=24\&times;\frac{1}{1-3}\&times;\frac{2}{2-3}=24,$ $L\left(u\right)=\frac{u-1}{n}.$

Wherein the zero-knowledge proof partial reference claim 10 of steps A 5 is (with c ₁=18956, c=33618 is example, wherein (c ₁ ²=18956 ²mod34969=23461, v ₁=1378)=(u, v)):

(1): reference P chooses 2 ∈ Z at random _mn, calculate:

(33618 ^2×4×24mod34969，4 ^2×24mod34969)＝(34698，6818)＝(a，b)。

(2): P utilizes safe collisionless hash function H:{0,1} ^*→ Z _mncalculate challenging value:

E=H (34698,6818,23461,1378), supposes e=3.

(3): P calculates r=2+261 * 3=785, announce (34698,6818,3,785).

During checking, calculate:

$3\stackrel{?}{=}H\left(\mathrm{34698,6818,23461,1378}\right),$ ${33618}^{4\&times;24\&times;785}\mathrm{mod}34969$ $\stackrel{?}{=}34698\&times;{23461}^3\mathrm{mod}34969,$ $4^{24\&times;785}\mathrm{mod}34969\stackrel{?}{=}6818\&times;{1378}^3\mathrm{mod}34969.$

Wherein the zero-knowledge proof partial reference claim 9:(of step B2 supposes [[x ₁]]=16645 ¹⁴* 14407 ^-1mod34969=23179=16645 ¹²(8 ^-1mod34969) ¹⁸⁷mod34969=16645 ¹²* 30598 ¹⁸⁷mod34969, [[y]]=33393, [[x ₁y]]=33393 ¹²5 ¹⁸⁷mod34969=28825)

(1) reference P chooses 2 ∈ Z at random _n, calculate A=33393 ²4 ¹⁸⁷mod34969=31945, B=16645 ²3 ¹⁸⁷modn34969=2170.

(2) P utilizes safe collisionless hash function H:{0,1} ^*→ Z _ncalculate challenging value e=H (187,16645,33393,23179,28825,31945,2170).Suppose e=4.

(3) make w=2+4 * 12=50, P calculates z=3 * 30598 ⁴16645 ⁰mod34969=28455, y=4 * 33393 ⁰* 5 ⁴mod34969=2500 wherein 0 meets 2+4 * 12=50+187 * 0, and P announces (31945,2170,4,50,28455,2500).

Checking: $4\stackrel{?}{=}H\left(\mathrm{187,16645,33393,23179,28825,31945,2170}\right),$ ${16645}^{50}\&times;{28455}^{187}\stackrel{?}{=}$ $2170\&times;{23179}^4\mathrm{mod}34969,$ ${33393}^{50}\&times;{2500}^{187}\stackrel{?}{=}31945\&times;{28825}^4\mathrm{mod}34969.$

Step C2 wherein: suppose H={P ₁, C={P ₂, P ₃, P ₄, calculate [[x ₂]] [[x ₃]] [[x ₄]]=6514 ^-130884 ^-124282 ^-1mod34969, mechanism's thresholding deciphering obtains x _c=x ₂+ x ₃+ x ₄=175, calculate $\left[\right[x_{C}y\left]\right]={\left[\right[y\left]\right]}^{x_C}={33393}^{175}\mathrm{mod}34969=10768,$ Finally

[[xy]]＝[[x ₁y]][[x _Cy]]＝28825×10768mod?34969＝2756。

Therefore $-2{\mathrm{PE}}_1{\left(1\right)}_{L_2}{\mathrm{PE}}_1{\left(1\right)}_{R_2}={2756}^{-2}\mathrm{mod}34969=10366,$ $E_{V_{11}}={\mathrm{PE}}_1{\left(1\right)}_{L_2}\&CirclePlus;{\mathrm{PE}}_1{\left(1\right)}_{R_2}=$ $\mathrm{PE}{\left(\right)}_{L_t}+{\mathrm{PE}\left(\right)}_{R_t}-2\mathrm{PE}{\left(\right)}_{L_t}{\mathrm{PE}\left(\right)}_{R_t}=5781\&times;10366\mathrm{mod}34969=23949.$ In like manner calculate with

Step B1 couple in any two carry out plaintext same test, with reference to 9 in claim instructions (with for example, suppose $E_{C_1}=\left[\right[1\left]\right]=16645\&times;7^{187}\mathrm{mod}34969=20428,$ $E_{C_2}=\left[\right[1\left]\right]=16645\&times;4^{187}\mathrm{mod}34969=13694$ )：

Steps A 3: calculate ${E_{C_2}}^{-1}={13694}^{-1}\mathrm{mod}34969=33373.$

Step B3: calculate $E_{C_1}{E_{C_2}}^{-1}=20428\&times;33373\mathrm{mod}34969=22989.$

Step C3: the P of mechanism ₁select a random value d ₁=2, to d ₁encrypt and form [[d ₁]]=16645 ²8 ¹⁸⁷mod34969=14407, calculates 22989 ²mod34969=7624, broadcast 7624 and 14407 and relevant non-interactive zero-knowledge proof; P ₂select a random value d ₂=3, to d ₂encrypt and form [[d ₂]]=16645 ³5 ¹⁸⁷mod34969=6514, calculates 22989 ³mod34969=3508, broadcast 3508 and 6514 and relevant non-interactive zero-knowledge proof; P ₃select a random value d ₃=4, to d ₃encrypt and form [[d ₃]]=16645 ⁴6 ¹⁸⁷mod34969=30884, calculates 22989 ⁴mod34969=6898, broadcast 6898 and 30884 and relevant non-interactive zero-knowledge proof; P ₄select a random value d ₄=5, to d ₄encrypt and form [[d ₄]]=16645 ⁵7 ¹⁸⁷mod34969=24282, calculates 22989 ⁵mod 34969=28676, broadcast 28676 and 24282 and relevant non-interactive zero-knowledge proof.Zero-knowledge proof partial reference claim 9 (above for example) wherein.

Step D3: calculate 7624 * 3508 * 6898 * 28676mod 34969=27589, institution cooperation thresholding deciphering 27589, obtaining corresponding plaintext is 0, therefore corresponding plaintext is equal, i.e. candidate C ₁and C ₂draw in votes.Wherein thresholding decryption portion is with reference to 17 in claim instructions (having been appeared example above).

Step C1 conversion binary bit represent 14 in partial reference claim instructions (with for example, suppose $E_{C_3}=\left[\right[2\left]\right]={16645}^2\&times;3^{187}\mathrm{mod}34969=2170$ )：

Steps A 4: produce a random value r ∈ _r[0,187), suppose r=5=00000101:

A4a: the P of mechanism ₁, P ₂, P ₃, P ₄utilize random bit door to produce 8 random bit bit encryption value [[r ₀]] ..., [[r ₇]].

The binary bits of A4b:187 is expressed as 10111011, to [[r ₀]] ..., [[r ₇]] and 10111011, utilize [x > y] comparison ring to calculate [[[187 > r]]], wherein

A4c: thresholding deciphering [[[187 > r]]] obtains [187 > r], if set up [187 > r]=1, continues; Otherwise jump to steps A 5a.Wherein thresholding decryption portion is with reference to claim 10.

Step B4: calculate $\left[\right[y\left]\right]=E_{C_3}{\mathrm{\&Pi;}}_{j=0}^7{\left[\right[r_j\left]\right]}^{2^j}=\left[\right[2+5\left]\right]=\left[\right[7\left]\right],$ Mechanism's thresholding deciphering [[y]] obtains y=7=00000111.Wherein thresholding decryption portion is with reference to 17 in claim instructions.

Step C4: to 00000111 and [[r ₀]] ..., [[r ₇]], utilize subtraction ring to obtain corresponding bit and encrypt and represent [[z ₀]] ..., [[z ₇]], respectively corresponding [[0]], [[0]], [[0]], [[0]], [[0]], [[0]], [[1]], [[0]].

Wherein the random bit door of steps A 4a is with reference to the random bit door in claim 5, for i=1 ..., 4, the P of mechanism _ia bit b of random generation _i{ 0,1}, to b for ∈ _iencrypt and form [[b _i], and broadcast [[b _i] and relevant non-interactive zero-knowledge proof, prove b _i{ 0,1} is a bit to ∈ really.To all [[b _i], calculate [[b]], wherein the principle of utilizing is for i, j ∈ 1 ..., l}, (with ask above process similar).Non-interactive zero-knowledge proof partial reference claim 5: to [[b _i]] calculating [[b _i]] ²=[[b _i]] [[b _i]], the P of mechanism ₁..., P ₄to [[b _i]] and [[b _i]] ²carry out plaintext same test, if both expressly identical establishments of result prove b _iequal 0 or 1; Otherwise be false.

[x > y] comparison ring of steps A 4b (is supposed [[r with reference to claim 2 ₀]]=16645 ⁰2 ¹⁸⁷mod34969=14560, [[r ₁]]=16645 ⁰3 ¹⁸⁷mod34969=28686, [[r ₂]]=16645 ⁰4 ¹⁸⁷mod 34969=11522, [[r ₃]]=16645 ⁰5 ¹⁸⁷mod34969=21057, [[r ₄]]=16645 ⁰6 ¹⁸⁷mod34969=33393, [[r ₅]]=16645 ¹7 ¹⁸⁷mod34969=20428, [[r ₆]]=16645 ⁰8 ¹⁸⁷mod34969=14027, [[r ₇]]=16645 ¹9 ¹⁸⁷mod34969=32007):

According to t ₀=0, t _i+1=(1-(x _i-y _i) ²) t _i+ x _i-x _iy _ican release successively $t_1=1-r_0\&DoubleRightArrow;\left[\right[t_1\left]\right]=16645\&times;{14560}^{-1}\mathrm{mod}34969=16645\&times;13428=22181;$ T ₂=(1-(r ₁) ²) t ₁, [[(r ₁) ²]]=11522 ^-2mod34969=11020 ²mod34969=28032, [[(1-(r ₁) ²)]]=16645 * 28032 ^-1mod34969=16645 * 14160mod34969=2140, therefore by [[t ₁]]=22181 and [[(1-(r ₁) ²)]]=2140 utilize multiplication gate can obtain [[t ₂]]=[[((1-(t ₁) ²) t ₁)]].Can obtain [[t similarly ₃]], [[t ₄]] ..., [[t ₇]], the value of [[[187 > r]]] is [[t ₇]].

The subtraction ring of step C4 (is supposed [[r with reference to claim 2 ₀]]=[[0]]=14560, [[r ₁]]=[[0]]=28686, [[r ₂]]=[[0]]=11522, [[r ₃]]=[[0]]=21057, [[r ₄]]=[[0]]=33393, [[r ₅]]=[[1]]=20428, [[r ₆]]=[[0]]=14027, [[r ₇]]=[[1]]=32007):

According to c _-1=0, c _i=x _iy _i+ x _ic _i-1+ y _ic _i-1-2x _iy _ic _i-1, z _i=x _i+ y _i+ c _i-1-2c _ican release c ₀=0, z ₀=y ₀therefore, [[z ₀]]=14560 ^-1mod34969=13428, can release [[z similarly ₁]] ..., [[z ₇]].

Claims (10)

1. an electronic voting method for hiding number of votes obtained, is characterized in that, comprises the steps:

Step (1), arranges disclosed systematic parameter, comprising: the sum l of count of votes mechanism; The challenge number of bits L of ballot paper customization machine; Ballot candidate gathers C ₁..., C _cn, legal voter gathers V ₁..., V _d, wherein cn represents candidate's sum, d vote by proxy people sum;

Step (2), arranges relevant PKI and private key, and concrete steps are as follows:

Step (201), selects Integer n by trust authority KMC (KMC), and wherein n is strong prime p, and the product of q meets wherein p ' and q ' are large prime numbers;

Step (202), makes m=p ' q ', by trust authority KMC (KMC), selects at random β ∈ Z _n ^*, (a, b) ∈ Z _n ^** Z _n ^*, make g=(1+n) ^ab ⁿmodn ²;

Step (203), calculates private key SK=β m by trust authority KMC (KMC), and adopts (t, n) thresholding pattern of Shamir to share, specific as follows: to make a ₀=β m, selects t a at random by trust authority KMC (KMC) _i∈ 0 ..., mn-1}, order calculate the P of count of votes mechanism _isecret share s _i=f (i) modmn also issues the P of count of votes mechanism by safe lane _i, i ∈ 1 ..., t}, t ∈ 1 ..., n};

Step (204), open PKI PK=(g, n, θ=am β modn), authentication secret VK, sub-authentication secret VK _i, wherein VK=v be by in an element of the cyclic subgroup that forms of square number, wherein Δ=l! ;

Step (3), gathers the ballot of the legal voter's input in V and selects in response to legal voter, ballot is selected to convert to the electronics ballot paper of encryption, produce the ballot paper customization machine of electronics ballot paper, and open relevant information is checked for voter; Wherein the mutual step of ballot paper customization machine and legal voter comprises:

Step (301): by the random 01 Bit String p that selects a L position of ballot paper customization machine ^*, and p ^*tell voter; Then voter selects candidate; Bit String p ^*after being finished, destroyed;

Step (302): according to voter V _ij is selected in the ballot of input, and wherein j represents voter V _iballot is to candidate C _j, i ∈ 1 ..., d}, j ∈ 1 ..., and cn}, ballot paper customization machine prints 2Lcn Paillier to be encrypted: PE _i(1) ..., PE _i(cn); Each PE wherein _i() is all that 2L Paillier encrypts, each PE _i() is divided into left and right two parts: PE _i() _land PE _i() _r, PE _i() _land PE _i() _rcorresponding L Paillier encrypts respectively, and the plaintext that wherein each Paillier encrypts is 0 or 1; PE wherein _i(t) _lcorresponding plaintext and PE _i(t) _rcorresponding plaintext is identical, PE _i(j) _lcorresponding plaintext is p ^*, PE _i(j) _rcorresponding plaintext and p ^*on the contrary;

Step (303): voter V _ilong challenge Bit String c in L position of random selection tells ballot paper customization machine, wherein challenges Bit String c and is comprised of L position and R position, and L position and R position represent with 0 and 1 respectively;

Step (304): according to challenge Bit String c, calculate cn corresponding value p by ballot paper customization machine _1i, p _2i..., p _cni: p _ji=p ^*, wherein, u ∈ 1 ..., cn}, u ≠ j; And by p _1i, p _2i..., p _cnitell voter V _i; Voter V _ichecking p _jiwhether equal p ^*if unequal voter raises an objection;

Step (305): according to challenge Bit String c, by the open PE of ballot paper customization machine _i(1) ..., PE _i(cn) whether the random value of using when corresponding plaintext is with encryption correctly forms for encryption corresponding to check, checking p _1i, p _2i..., p _cniwhether complete contrary with the locational bit of the corresponding R of disclosed encryption;

Step (306): t ∈ of the random selection of ballot paper customization machine 1,2 ..., L}, will and reservation is as ballot paper;

Step (4), carries out associated safety and in many ways calculates; Concrete steps are as follows:

Step (401): calculate:

$E_{V_{i1}}={\mathrm{PE}}_i{\left(1\right)}_{L_t}\&CirclePlus;{\mathrm{PE}}_i{\left(1\right)}_{R_t},E_{V_{i2}}={\mathrm{PE}}_i{\left(2\right)}_{L_t}\&CirclePlus;{\mathrm{PE}}_i{\left(2\right)}_{R_t},...,E_{V_{\mathrm{icn}}}={\mathrm{PE}}_i{\left(\mathrm{cn}\right)}_{L_t}\&CirclePlus;{\mathrm{PE}}_i{\left(\mathrm{cn}\right)}_{R_t},$ Wherein i ∈ 1 ..., v}, the principle of wherein using is: $\mathrm{PE}{\left(\mathrm{}\right)}_{L_t}\&CirclePlus;\mathrm{PE}{\left(\mathrm{}\right)}_{R_t}=\mathrm{PE}{\left(\mathrm{}\right)}_{L_t}+\mathrm{PE}{\left(\mathrm{}\right)}_{R_t}-2\mathrm{PE}{\left(\mathrm{}\right)}_{L_t}\mathrm{PE}{\left(\mathrm{}\right)}_{R_t},$ The isomorphism that utilizes Paillier to encrypt, candidate C ₁the encrypted form of final number of votes obtained is similarly, to other candidate C ₂..., C _cnalso can obtain the number of votes obtained of respective encrypted

Step (402): right in any two carry out plaintext same test, by number of votes obtained identical be classified as a class;

Step (403): establish after step (402) is processed and become m≤cn wherein; To each C _j', l the P of mechanism ₁..., P _lutilize goalkeeper BITREP become corresponding binary bit and encrypt expression j ∈ 1 ..., M};

Step (404): to a pair of with i wherein, j ∈ 1 ..., M}, i ≠ j, l the P of mechanism ₁..., P _lutilize [x>y] comparison ring to obtain if set up, candidate C is described _i' final number of votes obtained be greater than candidate C _j' poll, by C _i' continue to carry out analog with other remaining candidates;

Step (5), after Secure calculates, obtains candidate's collection that poll is maximum, announces the net result of ballot.

2. the electronic voting method of a kind of hiding number of votes obtained as claimed in claim 1, is characterized in that, described Secure calculates and relates to lower module:

1. multiplication gate: definition [[x]]=g ^xr ⁿbe that Paillier encrypts, g wherein, n is PKI, and r is random value, and x is message value; Given [[x]] and [[y]], l the P of mechanism ₁..., P _lby cooperation, calculate safely [[xy]], wherein l>=2;

2. same test expressly: given [[x]] and [[y]], l the P of mechanism ₁..., P _lby cooperation, carry out safely correlation computations, to judge that whether corresponding plaintext x and y equate, l>=2 wherein;

3. addition ring or subtraction ring: for given, about x, the binary bit of y is encrypted and represented [[x ₀]] ..., [[x _{m '-1}]] and [[y ₀]] ..., [[y _{m '-1}]], addition ring or subtraction ring calculate about the binary bit of x+y or x-y and encrypt and represent [[z ₀]] ..., [[z _{m '-1}]]; The principle of utilizing is as follows:

C _-1=0, c _i=x _iy _i+ x _ic _i-1+ y _ic _i-1-2x _iy _ic _i-1, z _i=x _i+ y _i+ c _i-1-2c _i; 0≤i≤m '-1 wherein;

4. [x>y] comparison ring: about x, the binary bit of y is encrypted and represented [[x for given ₀]] ..., [[x _{m '-1}]] and [[y ₀]] ..., [[y _{m '-1}]], calculate [x>y], if wherein x>y to set up the value of [x>y] be 1, otherwise [x>y] is 0; Derivation is as follows: t ₀=0, t _i+1=(1-(x _i-y _i) ²) t _i+ x _i-x _iy _i; 0≤i≤m '-1 wherein, the value of [x>y] is t _{m '};

5. random bit door: for i=1 ..., l, the P of mechanism _ia bit b of random generation _i{ 0,1}, to b for ∈ _iencrypt and form [[b _i]], and broadcast [[b _i]] and relevant non-interactive zero-knowledge proof, prove b _i{ 0,1} is a bit to ∈ really; To all [[b _i]], calculate [[b]], wherein the principle of utilizing is as follows: for i, j ∈ 1 ..., l},

6. BITREP door: a given Paillier encrypts [[x]], the P of mechanism ₁..., P _lbinary bit corresponding to x that cooperative computation goes out in [[x]] encrypted expression [[x ₀]] ..., [[x _{m '-1}]], l>=2 wherein.

3. the electronic voting method of a kind of hiding number of votes obtained according to claim 2, is characterized in that, the correlation step that described multiplication gate calculates comprises:

Steps A 1: suppose that l mechanism produces the secret about x:

A1-a: each P of mechanism _iselect a random value d _i, to d _iencrypt and form [[d _i]] and broadcast [[d _i]] and relevant non-interactive zero-knowledge proof, prove P _ireally know d _i, make d represent

A1-b: calculate [[x]] [[d ₁]] ... [[d _l]]=[[x+d]], t institution cooperation thresholding deciphering obtains x+d;

A1-c: by P ₁obtain x ₁=(x+d)-d ₁, the P of other mechanisms _iobtain x _i=-d _i,

Steps A 2: each P of mechanism _ibroadcast [[x _i]], and relevant non-interactive zero-knowledge proof, to prove [[x _iy]] really corresponding to [[x _i]] in x _iy in [[y]];

Steps A 3: suppose that H gathers for the mechanism by above step, the mechanism that C be other gathers; Calculate * _{i ∈ C}[[x _i]], and thresholding deciphering obtains by x _c[[y]] calculates [[x _cy]]; Therefore, by { [[x _iy]] | i ∈ H} and [[x _cy]], all mechanism's calculating (* _{i ∈ H}[[x _iy]]) * [[x _cy]], obtain [[xy]] about xy.

4. the electronic voting method of a kind of hiding number of votes obtained according to claim 2, is characterized in that, the correlation step that described plaintext same test calculates comprises:

Step B1: calculate [[y]] ^-1=[[y]];

Step B2: calculate [[x]] [[y]] ^-1=[[x-y]];

Step B3: each P of mechanism _iselect a random value d _i, broadcast [[d _i]] and relevant non-interactive zero-knowledge proof, make d represent

Step B4: calculate ${\left[\right[x-y\left]\right]}^{d_1}{\left[\right[x-y\left]\right]}^{d_2}...{\left[\right[x-y\left]\right]}^{d_n}={\left[\right[x-y\left]\right]}^d,$ N institution cooperation thresholding deciphering [[x-y]] ^dif corresponding plaintext is 0, x and y equate, otherwise corresponding plaintext is not that 0, x and y are unequal.

5. the electronic voting method of a kind of hiding number of votes obtained according to claim 2, is characterized in that, described random bit door adopts relevant non-interactive zero-knowledge proof step to be: to [[b _i]] calculating [[b _i]] ²=[[b _i]] [[b _i]], l the P of mechanism ₁..., P _lto [[b _i]] and [[b _i]] ²carry out plaintext same test, if both expressly identical establishments of end product prove b _iequal 0 or 1; Otherwise be false.

6. the electronic voting method of a kind of hiding number of votes obtained according to claim 2, is characterized in that, the correlation step that described BITREP door calculates comprises:

Step F 1: establishing N is the modulus PKI during Paillier encrypts, and produces a random value r ∈ _r[0, N), carry out following steps:

F1-a: the P of mechanism ₁..., P _lutilize random bit door to produce the individual random bit bit encryption of m ' value [[r ₀]] ..., [[r _{m '-1}]];

F1-b: the binary bits of supposing N is expressed as N ₀..., N _{m '-1}, to [[r ₀]] ..., [[r _{m '-1}]] and N ₀..., N _{m '-1}, utilize [x>y] comparison ring to calculate [[[N>r]]], wherein

F1-c: thresholding deciphering [[[N>r]]] obtains [N>r], if set up [N>r]=1, continues; Otherwise jump to step F 1-a;

Step F 2: calculate l the P of mechanism ₁..., P _lthresholding deciphering [[y]] obtains y=x+rmodN, 0≤y<N;

Step F 3: to y ₀..., y _m-1[[r ₀]] ..., [[r _m-1]], utilize subtraction ring to obtain corresponding bit and encrypt expression [[z ₀]] ..., [[z _m]], wherein z=x or z=x-N, wherein z _mrepresent sign bit;

Step F 4: according to sign bit z _mdetermine z=x or z=x-N; If z=x-N, to [[z ₀]] ..., [[z _m-1]] and N ₀..., N _m-1utilize addition ring to obtain the [[x that x is corresponding ₀]] ..., [[x _m-1]].

7. the electronic voting method of a kind of hiding number of votes obtained according to claim 3, is characterized in that, non-interactive zero-knowledge proof method relevant described in steps A 1-a is: to given [[α]]=g ^αs ⁿmodn ², reference P proves the value that it knows α really, comprises the following steps:

A1, is chosen at random by reference P calculate B=g ^xu ⁿmodn ²;

A2, utilizes safe collisionless hash function H:{0,1} by reference P ^*→ Z _ncalculating challenging value e=H (n, g, [[α]], B);

A3, makes w=x+e α modn, by reference P, calculates z=us ^eg ^tmodn ², wherein t meets x+e α=w+tn, then by reference P, announces (B, e, w, z);

During checking, calculate $e\stackrel{?}{=}H(n,g,[\left[\mathrm{\&alpha;}\right]],B),g^w{z}^n\stackrel{?}{=}B{\left[\right[\mathrm{\&alpha;}\left]\right]}^e\mathrm{mod}{n}^2.$

8. the electronic voting method of a kind of hiding number of votes obtained according to claim 3, is characterized in that, relevant non-interactive zero-knowledge proof method is described in steps A 2: to given [[a]]=g ^ar ⁿmodn ², [[α]]=g ^αs ⁿmodn ²and D=[[a]] ^αγ ⁿmodn ², by reference P proof D=[[a α]] set up, comprise the following steps:

B1, is chosen at random by reference P calculate A=[[a]] ^xv ⁿmodn ², B=g ^xu ⁿmodn ²;

B2, utilizes safe collisionless hash function H:{0,1} by reference P ^*→ Z _ncalculate challenging value e=H (n, g, [[a]], [[α]], D, A, B);

B3, makes w=x+e α modn, by reference P, calculates z=us ^eg ^tmodn ², y=v[[a]] ^tγ ^emodn ², wherein t meets x+e α=w+tn, and P announces (A, B, e, w, z, y);

Checking is calculated $e\stackrel{?}{=}H(n,g,[\left[\mathrm{\&alpha;}\right]],[\left[\mathrm{\&alpha;}\right]],D,A,B),g^w{z}^n\stackrel{?}{=}B{\left[\right[\mathrm{\&alpha;}\left]\right]}^e\mathrm{mod}{n}^2,{\left[\right[a\left]\right]}^w{y}^n\stackrel{?}{=}{\mathrm{AD}}^e\mathrm{mod}{n}^2.$

9. the electronic voting method of a kind of hiding number of votes obtained according to claim 4, is characterized in that, relevant non-interactive zero-knowledge proof method is described in step B3: to given [[a]]=g ^ar ⁿmodn ², [[α]]=g ^αs ⁿmodn ²and D=[[a]] ^αγ ⁿmodn ², by reference P proof D=[[a α]] set up, comprise the following steps:

B1, is chosen at random by reference P calculate A=[[a]] ^xv ⁿmodn ², B=g ^xu ⁿmodn ²;

B2, utilizes safe collisionless hash function H:{0,1} by reference P ^*→ Z _ncalculate challenging value e=H (n, g, [[a]], [[α]], D, A, B);

B3, makes w=x+e α modn, by reference P, calculates z=us ^eg ^tmodn ², y=v[[a]] ^tγ ^emodn ², wherein t meets x+e α=w+tn, and P announces (A, B, e, w, z, y);

Checking is calculated $e\stackrel{?}{=}H(n,g,[\left[\mathrm{\&alpha;}\right]],[\left[\mathrm{\&alpha;}\right]],D,A,B),g^w{z}^n\stackrel{?}{=}B{\left[\right[\mathrm{\&alpha;}\left]\right]}^e\mathrm{mod}{n}^2,{\left[\right[a\left]\right]}^w{y}^n\stackrel{?}{=}{\mathrm{AD}}^e\mathrm{mod}{n}^2.$

10. according to the electronic voting method of a kind of hiding number of votes obtained described in claim 3 or 4 or 6, it is characterized in that the correlation step that described thresholding deciphering is calculated comprises:

Step 001: the P of count of votes mechanism _icalculate wherein i ∈ 1,2 ..., l}, and announce relevant non-interactive zero-knowledge proof: wherein Δ=l! , concrete method of proof is: for by reference P proof log _gh _i=log _xw _i, specifically comprise the steps:

First, by reference P, choose at random w ∈ Z _mn, calculate (x ^w, g ^w)=(a, b); Secondly, by reference P, utilize safe collisionless hash function H:{0,1} ^*→ Z _mncalculate challenging value e=H (a, b, u, v); Then, by reference P, calculate r=w+s _ie, announces (a, b, e, r); Finally, calculate during checking $e\stackrel{?}{=}H(a,b,u,v),x^r\stackrel{?}{=}{\mathrm{au}}^e,g^r\stackrel{?}{=}{\mathrm{bv}}^e;$

Step 002: if be less than t correctly by the non-interactive zero-knowledge proof of last step, stop; Otherwise making S is by above-mentioned steps t+1 secret shared set, calculates: $M=L\left(\underset{j\&Element;S}{\mathrm{\&Pi;}}{c_j}^{2{\mathrm{\&mu;}}_{0,j}^S}\mathrm{mod}{n}^2\right)\frac{1}{4{\mathrm{\&Delta;}}^2\mathrm{\&theta;}}\mathrm{mod}n,$ Wherein ${\mathrm{\&mu;}}_{0,j}^S=\mathrm{\&Delta;}{\mathrm{\&Pi;}}_{j^{\&prime;}\&Element;S\backslash \left\{j\right\}}\frac{j^{\&prime;}}{j^{\&prime;}-j}\&Element;Z,L\left(u\right)=\frac{u-1}{n}.$