RU2272322C2 - Method for detecting falsified voting papers - Google Patents

Abstract

FIELD: technology for automation of elections and cryptographic technologies used for this purpose.

SUBSTANCE: methods include encrypting selection in voting paper by means of first secret known only to operator, for generation of first component of encrypted voting paper, then selection is encrypted in voting paper by means of second secret, known only to operator, while second secret is selected independently on first secret, for generation of second component of encrypted voting paper. Then proof is generated, demonstrating that first and second components of encrypted voting paper are encrypted for one and the same selection in voting paper. First and second components of encrypted voting paper and proof are transmitted to computerized vote gathering system.

EFFECT: improved protection of voting platform from malicious software.

17 cl, 3 dwg

Description

This invention claims the priority of US provisional application No. 60/270182, filed February 20, 2001, US provisional application No. (registry number of the patent office 32462-8006US02), filed February 11, 2002, and is a partial continuation of application for US patent No. 09/534836, filed March 24, 2000; US patent application No. 09/535927, filed March 24, 2000; and US patent application No. 09/816869, filed March 24, 2001. The full contents of these five applications are included in this description.

FIELD OF THE INVENTION

This invention relates to the field of election automation and the cryptographic technologies used for this.

State of the art

The problems of inaccuracy and inefficiency have long been accompanied by the usual “manual” choices. Although it is believed that computers can be used to conduct elections more accurately and efficiently, computers bring their own problems. Since electronic data can be so easily changed, many electronic election systems are prone to numerous errors, the occurrence of which is much less likely in conventional election systems.

One class of such errors is based on the vague integrity of the voting voter computer or other computing devices. Under the current conditions of using computers on networks, it is extremely difficult to keep any machine protected from malicious software. Such software is often able to remain hidden in the computer for extended periods of time before it actually performs a harmful action. At the same time, it can be replicated to other computers on the network or to computers that have minimal interaction with the network. It can even be transferred to computers that are not included in the network due to the constant use of storage media by users.

In the context of electronic secret elections with ballots, this type of malicious software is especially dangerous, because even when its harmful effect is launched, it can go unnoticed and therefore can disrupt the elections in the future. Guided logic and accuracy tests (LT tests) monitor the processing of test ballots to determine if the voting system is working correctly and can be used as an attempt to detect malicious software present on the voter's computer. However, RT tests are extremely difficult to perform correctly, since it is possible that malicious software can distinguish between valid and test ballots and may not affect all test ballots. Since the requirement of election secrecy precludes the possibility of checking valid ballots for fraud, even thorough LT tests may be useless. The problem of combating this threat is known as the problem of trust in the executor.

Most of the existing ways to solve this problem of confidence in the performer focused on ways to protect the voting platform and thereby create the certainty that the voter's computer is “clean” or “not infected”. Unfortunately, the costs of examining and performing routine operations, which are necessary to ensure an acceptable level of such certainty, require the installation of electronic electoral systems in the controlled conditions of the vote counting unit, where the executive systems of computers can be maintained and controlled with the help of experts on computers and networks. These systems of vote counting nodes can provide some advantages due to simplification of configuration, ease of use, efficiency of tabulation of results and cost. However, this approach does not provide for the use of the large potential of distributed communication, which is used in the global electronic commerce.

In accordance with this, the solution to the problem of trust in the performer, which does not require the protection of the election platform from malicious software and which ensures the use of almost any computer system anywhere as an election platform, can be of great importance.

Brief Description of the Drawings

The drawings show:

figure 1 is an enlarged block diagram of typical conditions in which the tool operates;

figure 2 is a block diagram of some components typically contained in at least some computer systems and other devices that are affected by the tool;

figure 3 is a graphical diagram of the stages usually performed by means for detecting a falsified ballot.

Description of the best embodiments of the invention

A tool for detecting ballot papers falsified by malicious programs (a "tool for detecting") has been created. The approach used by the detection tool usually does not include attempts to exclude or prevent the occurrence of malicious software in the voting computer. Instead, it offers a cryptographically secure way for the voter to verify the ballot as it was received at the vote center, without disclosing information about the content (selection of candidates) for the vote center itself. That is, the center for collecting votes can accurately confirm to the voter which choice of candidates has been accepted, not knowing what the choice is. Thus, the voter can detect any difference between the choice of the voter and the actual choice accepted at the center of the vote collection (as presented in the transmitted digital data of the ballot). In addition, for each election, you can choose from a flexible set of decision strategies that allow the voter to re-drop the ballot when the accepted choice is different from the intended choice.

The following is a description of the detection tool in the context of fairly standard election conditions. For ease of presentation, the initial description of the detection tool assumes that the ballot paper contains only one question and that there is a set of K allowed answers a ₁ , ..., a _k (one of which may be “abstained”). For specialists in this field of technology it is clear that it is advisable to summarize the answer possible in this situation, for processing the vast majority of valid configurations of ballots in the world.

Some typical cryptographic features of selective settings are as follows:

1. The composition of the ballot: a set of cryptographic parameters of the election is agreed upon in advance by the election administration and is widely publicized by publication or other such means. Important parameters are the encryption group, the generator, the public election key, and the decision coding scheme. Namely, these are:

(a) The encryption group, G may be Z _p , where p is a large primary group or an elliptic curve group.

(b) Generator, g∈G. In the case G = Z _p , g must generate a subgroup <g> from G *, which has a large primary order q. In the case of an elliptic curve, it is assumed that <g> = G and q = p.

(c) Public election key, h∈ (g).

рассматриваются как недействительные. Обычно каждое S_k при 1≤k≤K состоит из одного элемента μ_k, хотя это в принципе не является обязательным. Однако для защиты схемы в целом необходимо, чтобы μ_k генерировались независимо или случайно с использованием некоторого открытого случайного источника или с помощью приемлемой схемы совместного пользования.(d) Decoding coding scheme: dividing <g> into “name representatives”. That is, <g> = S ₀ ∪ S ₁ ∪ ... S _K , where S _k are pairwise unconnected subsets of <g>. For each 1≤k≤K, any message m∈S _k represents a vote for a _k . Other posts

are considered invalid. Usually each S _k at 1≤k≤K consists of one element μ _k , although this is in principle not mandatory. However, to protect the circuit as a whole, it is necessary that μ _{k are} generated independently or randomly using some open random source or using an acceptable sharing scheme.

Although in the following description a multiplicative group notation system is used for uniformity, it is understood that all constructions using elliptic curves can also be well done.

2. Presentation of the vote: each voter ν _i encrypts his choice or decision in the form of an ElGamal pair (X _i , Y _i ) = (g ^αi , h ^αi , m _i ), where α _i ∈Z _q is chosen arbitrarily by the voter, and m _i ∈S _k if ν _i ; wants to choose the answer a _k . This encrypted value is then transmitted to the voting center, usually with the addition of a digital signature created by the voter ν _i .

If the voter ν _i would calculate these values himself, for example, with a pencil and paper, then this protocol would be essentially sufficient for the implementation of secret ballot, a universally verified election system. (Depending on the tabulation method, some additional information would be necessary, such as confirmation of the voter's identity.) However, since in practice the voter ν _i performs only the selection using some user interface, it does not make sense to expect him to follow the actual value of the transmitted bits and will check them for compliance with their intended choice. In short, the voting performer can ignore the intent and transmit “choose μ _j ” when the voter really wanted to transmit “choose μ _k ”.

Typically, the voter needs to have some way to verify that the encrypted choice that was accepted at the vote center matches his own choice. Simply making the ballot box open would not be a smart decision, because the voting agent, not the voter, chooses α _i . In order to ensure the secrecy of the election and cast the data type, this value must be “lost”. Thus, the encrypted choice of the voter ν _i is opaque both for himself and for any other. A generalized confirmation from the voting center is also obviously not sufficient. The main necessary properties are properties:

1. Confirmation chain C returned by the voting center should be a function of the received data (encrypted selection).

2. The voter and the voting performer should be able to perform a special set of stages that allow the voter to attach C exclusively to the choice (or vote) μ _k that was adopted.

3. It must not be possible for the voter to act in such a way that the voter is deceived. That is, the performer does not have to convince the voter that μ _k was accepted, if in fact μ ≠ μ _k was accepted.

The next section describes such a scheme, which will be called SVC, in its main form. The following sections will describe some of the improvements and additions.

As part of the voting process, the following steps are usually performed.

SS-1. Voter M _i , driven by the voter ν _i , creates an encrypted ballot paper on behalf of the voter ν _i , as before. We denote this by (X _i , Y _i ) = (g ^αi , h ^αi , m _i ) for some quantity m _i ∈ 〈g〉 and α _i ∈Z _q .

SS-2. M _i must also create a proof of reliability P _i , which is a zero-knowledge proof that m _i ∈ {μ ₁ , ..., μ _k } (such a proof can be easily created from the main Chaum-Pederson proof for equality of discrete logarithms using technology referenced in [CDS94]. A special example can be found in [CGS97]).

SS-3. Then M _i transmits both P _i and the (signed) selection (X _i , Y _i ) to the vote collection center.

SS-4. Before recognizing the encrypted ballot, the voting center first checks the evidence P _i . If the verification of P _i fails, then the distortion is already detected, and the center of the vote collection may either not give out a confirmation chain or give out some random chain by default.

Ss-5. If the verification of P _i was successful, then the center for collecting votes calculates the values of W _i and U _i in the form

,

,

where K _i ∈G and β _i ∈Z _q are usually generated arbitrarily and independently (from voter to voter).

SS-6. Then the center of the collection of votes returns (W _i , U _i ) to M _i .

SS-7. Artist M _i calculates

and displays this chain (or more likely its hash function H (C _i )) for the voter ν _i .

The voter must know which chain of confirmation to look for. This can be done in two different ways. The most direct way is to obtain the ν _i voter of the values of K _i and β _i from the center of the vote collection. This is feasible, requires the transfer of a very small amount of data, and may be suitable for some implementation cases. However, in other situations this may be an unattractive approach, since in this case it is necessary to calculate C _i or (H (C _i )). Since the request of the performer M _i to perform these calculations destroys the protection of the circuit, the voter ν _i must have access to additional computing devices, as well as access to an independent communication channel.

As an alternative solution, the vote center calculates all possible confirmation chains for ν _i and transfers the results to the voter confirmation dictionary ν _i through an independent channel. Typically, the voter confirmation dictionary ν _i will consist of the following table in any reasonable format:

Answer Confirmation chain α ₁ H (C _i1 ) α ₂ H (C _i2 ) ·
· ·
· α _to H (C _iK )

where H is an open (published) hash function of choices (possibly an identity function) and C _ij = K _i μ _j ^βi .

Naturally, it is necessary to responsibly approach the creation of an independent channel to ensure its real independence. However, there are solutions for this. Since K _i and β ⁱ can be generated in advance of the election, even slow delivery methods, such as ground mail, can be used to transmit the dictionary.

For a more complete description of the detection tool below is an example illustrating the operation of some options for its implementation. The following is a detailed description of an example of a closed exchange to confirm the value.

For clarity of the example, several key parameters used, for example, the number of questions on the ballot, and the size of cryptographic parameters are much smaller than are usually used in practice. In addition, although aspects of an example exchange are described below in a specific order, it will be understood by those skilled in the art that they can be performed in various other sequences.

Some electronic election protocols contain additional features, such as:

- Voter and administration certification information (public key) for authentication and control;

- Style options for the page of the ballot;

- Data encoding standards;

- Protocol and tab parameters.

Since these characteristics are independent of the implementation of closed confirmation of the values, their detailed description is not included in this example.

In this example, it is assumed that the electronic protocol that encodes the voter responses is a single ElGamal pair. However, based on the following description, it is easy to make an exchange of closed confirmation of values for other election protocols using ElGamal encryption for ballots. For example, some embodiments of the tool include a homomorphic election protocol described in US patent application No. 09/535927. In this protocol, voter response is presented by several ElGamal couples. The confirmation dictionary used in this example is easy to modify to display the articulation of the corresponding confirmation chains or to display the hash function of their sequence.

First, the legal basis for election initialization data should be agreed. This includes at least: basic cryptographic numeric parameters, a ballot paper (i.e. a set of questions and allowed answers, etc.) and a decision coding scheme (this may also include additional data related to the particular election protocol used).

Cryptographic parameters

- group arithmetic: integer multiplicative modular arithmetic;

primary module: p = 47;

- subgroup module: q = 23;

- generator: g = 2;

- public key: h = gs, where s is private. For this example, it is assumed that h = gl2 = 7.

Ballot

- one question

- text of 1 question: What should be the color of our flag (you can choose a maximum of 1 color);

- number of answers / choice: 4

* 1 response text: blue

* text 2 of the answer: green

* text 3 of the answer: red

* text 4 of the answer: I abstain.

Decoding Coding Scheme

The choice Magnitude of response Blue 9 (μ ₁ ) Green 21 (μ ₂ ) Red 36 (μ ₃ ) I abstain 17 (μ ₄ )

At some point in time before issuing the acknowledgment and confirmation before distribution dictionaries vote collection center (or agency) generates for each voter V _i random, independent β _i and K _i. If a dictionary of confirmations is to be sent out after receiving the vote, then these parameters can be generated for each voter immediately after the recognition of each voting ballot. Alternatively, they can be generated in advance of the election. In this example, the ballot collection agency has access to these parameters both immediately after recognizing the ballot and immediately before sending the confirmation dictionary to the relevant voter.

At some point in time during the official election time, each voter V receives and authenticates the election initialization data indicated above. They can be obtained by sending a ballot request to any election server. As an alternative solution, the legislature may have suitable means for publishing election initialization data, i.e. make them convenient for all voters.

From the election initialization data, voter V is able to determine that the expected response is standard coding of a particular sequence of two distinguishable data elements. They are (in their exact order):

Selection encryption

A pair of integers (X, Z), where 0≤X, Z <47, indicating (in encrypted form) the choice, or answer, of the voter. For example, in order for an answer to be valid, it must be given in the form (X, Y) = (2 ^α , 7 ^α _μ ), where 0≤α <23 and μ∈ {9,21,36,17}.

Evidence of credibility

The proof of reliability should show that (X, Y) has the form described at the encryption stage of the choice (in this example, you must see that this proof consists of 15 modular integers arranged in a special sequence).

In this example, it is assumed that voter V wishes to vote for “green.”

1. The voter randomly generates α∈Z ₂₃ . In this example, α = 5. Since the encoding of “green” is 21, the choice of the voter V is calculated as

This pair is what should be transferred to the vote center.

A possible danger is that voter computer V may try to change these values.

Voter V (or rather, V’s computer) must prove that one of the following conditions is met

1. (X, Y) = (2 ^α , 7 ^α x9), that is, the choice (cast vote) means “blue”;

2. (X, Y) = (2 ^α , 7 ^α x21), that is, the choice (cast vote) means “green”;

3. (X, Y) = (2 ^α , 7 ^αl x36), that is, the choice (cast vote) means “red”;

4. (X, Y) = (2 ^α , 7 ^α x21), that is, the choice (cast vote) means “I abstain”

for some unspecified value of α without disclosing its actual value.

There are many standard methods for doing this. See, for example, R. Cramer, I. Damgard, W. Schoenmakers, “Evidence of Partial Knowledge and Simplified Design of Witness Concealment Protocols,” Advances in Criptology - CRYPTO'94, Lecture Notes in Computer Science, pages 174-187, Springer-Verlag , Berlin, 1994. The closed value confirmation technology used by the tool also works well with any method that meets the abstract criteria of the previous paragraph. Although the following are details of one such method of proving reliability, another type of evidence of authenticity can be used in embodiments of the tool.

Composition of evidence of credibility

(Subsequently, every action or calculation that V must perform is actually performed by V's computer).

1. V sets α2 = α = 5.

2. V generates ω ₂ ∈ _R Z ₂₃ , r ₁ , r ₃ , r ₄ ∈ _R Z ₂₃ , S ₁ , S ₃ , S ₄ ∈ _R Z ₂₃ , all randomly and independently. For this example, accepted

3. V calculates the corresponding quantities

4. V uses the published hash function to compute c∈Z ₂₃ as

Since you can choose various hash functions, for this example, any random variable is selected, for example,

(In practice, SHA1 or MD5 or other standards protecting the hash function can be used to calculate H).

5. V computes the interpolation polynomial P (x) of degree 4-1 = 3.

The specified properties of P are

P (x) = Σ ³ _j = 0 Z _j X _{j is} calculated using the standard theory of polynomial interpolation to obtain:

or

6. V calculates the quantities

r ₂ = ω ₂ + α ₂ s ₂ = 4 + 5x5 = 6

7. The proof of confidence V consists of 12 numbers

and three numbers

in the exact sequence (z ₀ can be omitted, since it is calculated from other data elements transmitted using the published hash function H).

After calculating the required encrypted selection (X, Y) and the corresponding proof of validity, voter V encodes these elements in the sequence specified by the standard encoding format. The resulting sequences constitute Voter Voting Ballot. (In order to make a voted ballot immutable and undeniable, V can also digitally sign this ballot using his personal signature key). The resulting combination of the ballot paper and the voter's signature V (more precisely, the standard coding of these two elements) form his signed ballot paper). Finally, each voter sends his (optionally signed) voting ballot back to the vote collection center.

As indicated above, specific random parameters for voter V (β and K) are available at the voting center. In this example, this

After receiving a voter’s voting ballot (not necessarily signed), the following stages are carried out in the voting center:

1. A digital signature is verified to determine the authenticity of the ballot, as well as the voter's right to vote.

2. If the verification of the signature at stage 1 is verified as correct, then the center for collecting votes then checks the evidence of authenticity. For a particular type of evidence of confidence that is selected for use in this example, this is as follows:

(a) The hash function H is used to calculate the value

P (0) = z ₀

(We remind you that the remaining coefficients P, z ₁ , z ₂ , z ₃ are part of the transmitted (not necessarily signed) voter ballot V).

(b) For each 1≤j≤4, both sides of the equations are estimated

(In this case, as indicated above, μ _j is taken from the decision coding scheme). If the equation does not converge in any of the cases, then verification will fail. This ballot is not recognized, and an arbitrary refusal chain (pointer) is returned to voter V.

3. If the previous step was successfully completed, the response chain (W, U) is calculated as

This serial pair is encoded as specified by the open encoding format and is returned to voter V.

4. V voter system calculates

and displays this chain to the voter (as an alternative solution, the protocol can determine that the open hash function should be calculated from C. In this example, C itself is displayed). If the voter's computer V tries to transfer a choice different from “green”, then the value C calculated above will be different. Moreover, the correct value of C cannot be calculated from the wrong value without solving the Diffie-Hellman problem (for small values of p and q that are selected in this example, this is possible. However, for real cryptographic parameters, the voter computer V is not able to do this) . Thus, if voter V's computer has transmitted an encrypted ballot that does not match voter V’s choice, then there are only two possibilities at the point in time when confirmation is expected from him. It may display something, or it may not display anything. In the event that nothing is displayed, voter V may perceive this as an indication that the ballot is falsified. In the case when something is displayed, it will probably be wrong, and voter V can again conclude that the ballot was falsified.

Then, the voter V compares the value C displayed on the display with the value found in the voter confirmation dictionary V corresponding to the “green” choice (the choice conceived by the voter V). At this time, voter V could already receive his confirmation dictionary in advance, or he could get a copy of it through any independent channel. An example of such a channel is the use of fax. If the displayed value does not match the corresponding confirmation chain in the confirmation dictionary, then falsification is detected and the ballot paper can be “omitted” again in accordance with the strategy chosen for the election.

The dictionary of confirmations for each voter calculates the center for collecting votes, because, as mentioned above, it is a body that has knowledge of the specific values of the voter α and K. In the case of the voter V, the dictionary is calculated as

The choice Confirmation chain Blue C _l = K _μ1 ^β = 37x9 ¹⁸ = 16 Green C ₂ = K _μ2 ^β = 37x21 ¹⁸ = 18 Red C ₃ = K _μ3 ^β = 37x36 ¹⁸ = 36 I abstain C ₄ = K _μ4 ^β = 37xl7 ¹⁸ = 8

A description of the level of protection provided by the tool when using the scheme of closed confirmation of values is given below: suppose that A is an adversary of the voting agent, and ∈ ₀ is the upper limit of the probability that A is capable of falsifying the evidence of reliability for any given μ _i , ..., μ _k (we know that ∈ ₀ is negligible).

Theorem 1. Suppose that the scheme for closed confirmation of quantities is performed with H = Id. Moreover, 1≤k ₁ ≠ k ₂ ≤K. Suppose that for some ∈> 0 it is possible to transfer b _i = (g ^αi h ^αi μ _k1 ) and map C _ik2 = K _i μ _k2 ^βi , where the probability is assumed to be uniform over the whole combination of values for μ ₁ , ... , μ _k g, h, β _i and K _i . Then A can solve a random example a of the Diffie-Hellman problem with probability ∈ and additional work O (K).

устанавливая h=X,h^βi=Y и μ_k2=μ_k1Z. Полученное распределение параметров выборов и C_ik1 очевидно является идентичными с распределением, которое получается в результате действительных выборов. С вероятностью ∈ противник А может отобразить С_ik2 и может тем самым вычислитьEvidence. Suppose A has X, Y, Z∈ _R <g>. And it can imitate the selections and exchanges of closed confirmation of quantities by means of a choice independently by random law C _ik1 <g> and μ _k ∈ 〈g〉 for all

setting h = X, h ^βi = Y, and μ _k2 = μ _k1 Z. The resulting distribution of election parameters and C _{ik1 are} obviously identical to the distribution that results from actual elections. With probability ∈, adversary A can map C _ik2 and can thereby calculate

Thus, log _x C = β _i log _x Ylog _x Z and C is a solution to the example of the Diffie-Hellman problem represented by the triple value (X, Y, Z).

Corollary 1. Suppose again that the closed-loop confirmation scheme is performed with H = Id. Moreover, 1≤k ₁ ≠ k ₂ ≤K. Suppose that for some ∈ ₁ > 0, adversary A can choose k ₁ ≠ k ₂ with probability ∈ ₁ , pass b _i = (g ^αi h ^αi μ _k1 ) and map C _ik2 = K _i μ _k2 ^βi , where the probability is assumed to be uniform over the entire combination of values for μ ₁ , ..., μ _K , g, h, β _i and K _i . Then A can solve a random example a of the Diffie-Hellman problem with probability ∈ ₁ / (Kl) and additional work 0 (K).

Proof: it is necessary to follow the proof of Theorem 1, but with respect to the problem of finding a solution for at least one Diffie-Hellman K-1 problem.

является верхней границей вероятности того, что А может решить случайный пример проблемы Диффи-Хеллмана. Тогда в случае H=Id верхней границей вероятности того, что А может передать выбор а, который отличается от выбора избирателя, и тем не менее отобразить правильную цепочку подтверждения, является ∈₀+(K-l)∈_DH.Corollary 2. Suppose that

is the upper bound on the probability that A can solve a random example of the Diffie-Hellman problem. Then, in the case of H = Id, the upper limit of the probability that A can transfer the choice of a, which differs from the choice of the voter, and nevertheless display the correct confirmation chain, is ∈ ₀ + (Kl) ∈ _DH .

If the hash function of H is not trivial, then one cannot hope to compare the feasibility of solving the Diffie-Hellman problem without significant special knowledge of the properties of H. Instead of evaluating the protection of the circuit for specially selected H, we only assume that H has a negligible probability of coincidence, and instead, we evaluate the security of the Diffie-Hellman problem for decision making. A variant of this problem is the following. A has a sequence of a set of numbers (X _n , Y _n , Z _n , C _n ), where X _n , Y _n , Z _{n are} generated independently by random law. With a probability of 1/2 C _n is a solution to an example (X _n , Y _n , Z _n ) of the Diffie-Hellman problem, and with a probability of 1-1 / 2 = 1/2 C _{n is} generated randomly and independently. It is said that A takes precedence ∈-DDH if A can, with a probability of 1/2 + e, get the answer to the question logx _n C _n = logx _n Z _n logx _n Z _n ?

Theorem 1 and Corollaries 1 and 2 obviously have analogues in the case H ≠ Id (only under the assumption that P has a negligible probability of coincidence). Both statements and proofs are carried out with slight variations, so we can summarize as follows:

является верхней границей преимущества DDH противника А. Тогда, если Н является любой хеш-функцией с пренебрежительно малой вероятностью совпадения, то верхней границей вероятности того, что А может передать выбор а, который отличается от выбора избирателя, и тем не менее отобразить правильную цепочку подтверждения, является ∈₀+(К-1)∈_DDH.Corollary 3. Suppose that

is the upper limit of the DDH advantage of adversary A. Then, if H is any hash function with a negligible probability of coincidence, then the upper limit of the probability that A can transmit a choice that is different from the voter’s choice, and still display the correct confirmation chain , is ∈ ₀ + (K-1) ∈ _DDH .

The closed confirmation of values scheme cannot provide any protection if adversary A also controls the center for collecting votes. If so, then A has access to K _i and β _i, and thus can easily display any valid confirmation chain of his choice. This is unlikely, as the center for the collection of votes will be irrefutably exposed in case of disclosure of such actions. However, in the event that it is unacceptable to trust the center of the collection of votes in this regard, the responsibility for confirmation can be shared among many selected administrations.

For the distribution of responsibility for confirmation, each administration A _j with 1≤j≤J generates (for the voter ν _i ) independently and randomly, K _ij and β _ij . Administrations can combine them in two general ways.

1. Concatenation. The confirmation chain for the voter is calculated as the concatenation in the given order of the individual confirmation chains (calculated separately, as in the previous part), corresponding to each administration J. In this case, the confirmation is successful only if all sub-chains are verified as correct.

2. Reliable server or printer. If it is permissible to trust a single central server or printer, then many confirmation chains can be combined into one chain of the same size with a simple calculation

This has the advantage of reducing the amount of confirmation data that needs to be transmitted to the voter, however, by creating a central point for attacking the system.

It is always advisable to reduce the size of the data that must be transmitted to the voter through an independent channel. As described in Part 3, the confirmation dictionary is already small by the standards of modern communications technology, but it may be preferable in terms of cost to transmit even less data. As indicated above, one approach may be to transfer the closed K _i and β _i directly to the voter, however, this has the disadvantage that too much computational load is transferred to the voter, which he cannot fulfill in his mind or on paper. The next variation of the scheme of closed confirmation of values ensures the achievement of both goals - less data to transmit through an independent communication channel and less verbal counting for the voter. This is due to the fact that the likelihood of voter fraud by the enemy increases, but this may be acceptable from the point of view of all elections. Even if the probability that the adversary will go unnoticed is, for example, 1/2, when a significant part of the votes changes, the probability that this will be detected by a statistically significant part of the voters is very high. As mentioned in the introduction, corrective measures are possible.

The idea is to deliver to the voter the entire set of confirmation chains through the suspected performer, but in a randomly rearranged order. In this case, the only additional information that the voter needs is the permutation used. In this scenario, this is not sufficient, since all confirmation chains are available and the adversary can gain some advantage simply by using the exclusion process (it is especially useful to consider the case when K = 2). To increase protection, we will include several random confirmation chains in the dictionary, which are also rearranged.

As before, the stages specified in part 3.1 are performed. In addition to this, the center for collecting votes transmits to the performer M _{i a} randomized dictionary D _i . The voting center carries out this as follows:

RD-1. As before, K (voter-specific) confirmation chains are calculated

RD-2. In addition to this, L additional chains are generated in the form

where e ₁ , ..., e _L are randomly generated in Z _q .

RD-3. A random permutation σ _i ∈Σ _{to + L is} generated.

RD-4. C sets Q _ij = S _{iσi (j)} for 1≤j≤K + L and sets D _i as a sequence of chains (Q _i1 , ... Q _{i (K + L)} ).

If C transmits some “human readable” representation of σ _i to voter ν _i through an independent channel, then voter ν _i can now verify his vote by finding a confirmation chain with the correct index. We denote this scheme as a closed confirmation of values 0 (SCVO).

Regarding the level of protection of SVCO, we consider the following form of the Diffie-Hellman decision-making problem: A has a sequence of a set of numbers (X _n , Y _n , Z _n , C _n , D _n ), where X _n , Y _n , Z _{n are} generated independently randomly the law. Suppose that R _n is randomly generated and O _n is a solution of the equation logX _n O _n = log _Xn Y _n log _Xn Zn. With a probability of 1/2 (C _n , D _n ) = (O _n , R _n ) and with a probability of 1-1 / 2 = 1/2 (C _n , D _n ) = (Rn, On). It is claimed that A takes precedence ∈-DDHP if A can, with a probability of 1/2 + ∈, get the answer to the question logx _n C _n = logx _n Z _n logx _n Z _n ? That is, opponent A must answer the same question as in the original version of the problem, however, the problem may be simpler because more information is available.

является верхней границей преимущества DDHP противника А и Н является любой хеш-функцией с пренебрежительно малой вероятностью совпадения. Верхней границей вероятности при схеме SCVO того, что А может передать выбор а, который отличается от выбора избирателя, и тем не менее отобразить правильную цепочку подтверждения, являетсяTheorem 3. Suppose that

is the upper limit of the enemy DDHP advantage of A and H is any hash function with a negligible probability of coincidence. The upper limit of probability in the SCVO scheme that A can transmit choice a, which is different from voter selection, and still display the correct confirmation chain, is

Proof: just as in the proof of Theorem 1, adversary A can imitate SCVO choices and exchanges. However, in this case, A must also simulate a list of confirmation chains that were not available in the closed value confirmation scheme (SVC). For given k ₁ , k ₂ A can choose C _ik1 ∈ 〈g〉 according to a random law, and for all k ₁ ≠ k ₂ choose выбрать _k ∈Z _q independently by a random law. Then A establishes μ _k = X ^Θk . For k ₁ ≠ k ₂ , k _2, adversary A sets C _ik = C _ikl Y ^Θk-Θk1 . A sets μ _k2 = μ _k1 Z and generates L additional random μ _l and l-1 additional С _il randomly. Finally, A sets C _ik2 = C _ik1 and the last remaining C _il = C _ikl D _n . As before, finding the right confirmation chain is equivalent to deciding which of the values of C _n , D _n is the correct solution to the Diffie-Hellman problem. Getting the average of all permutations with uniform probability gives a result.

The following describes a possible alternative to the closed confirmation scheme of the values described above. The protection level of these two schemes is essentially the same.

1. In addition to the public key h, the vote center publishes another public key in the form h = h ^d , where d∈Z _q is a secret known only to the vote center.

2. The performer M _i transmits an encrypted ballot paper on behalf of ν _i , as before, but is excessively encrypted using both h and h. We write the second encryption as

where α _i is selected independently of α _i .

3. M _i also creates a simple proof of certainty (essentially a single Chaum-Pedersen proof) that two quantities are ciphers of the same value.

4. If the evidence of credibility was not recognized by the center for collecting votes, then fraud was discovered, as before.

5. The center for the collection of votes randomly selects K _i ∈ 〈g〉; β _i ∈Z _q and computes

6. The collection center returns h ^βi and V _i to M _i .

7. M _i calculates S _i = K _i m ^{(d + l) βi} using the equation

and displays this value on the display (or H (S _i )) for the voter ν _i .

8. The voter, as before, requests a dictionary of confirmations and checks the displayed value against it.

If fraud is detected, corrective actions are taken as before.

) для всех избирателей и публикует эту величину заранее перед выборами.In the above description, the tool uses a single d (and therefore the only

) for all voters and publishes this value in advance of the election.

) для каждого избирателя ν_i. Величина d_i всегда держится в секрете, а величина

сообщается избирателю ν_i.As an alternative solution, the center for collecting votes (or a distributed set of “confirmation administrations”) issues an independent, random d _i (and therefore

) for each voter ν _i . The value of d _{i is} always kept secret, and the value

communicated to the voter ν _i .

In one embodiment, the means reports the value of h _{i to the} voter v _i as follows:

A-1: voter ν _i makes contact with the center for collecting votes and authenticates himself;

A-2: if the authentication was successful, then the center for collecting votes:

1. Generates randomly d _i .

2. Calculates

избирателю ν_i.3. Transmits

voter ν _i .

вместо h.A-3: then the voter v _i processes, as indicated above,

instead of h.

избирателю ν_i следующим образом:In another embodiment, the tool reports a value

voter ν _i as follows:

B-1: the voter ν _i makes contact with the center for collecting votes (and does not necessarily authenticate himself);

B-2: voter ν _i makes the choice of m _i in the ballot and returns an encrypted ballot (g ^αi , h ^αi m _i ).

B-3: the voting center at this point in time:

1. Generates randomly d _i .

2. Calculates

избирателю ν_i.3. Transmits

voter ν _i .

B-4: then the voter ν _i :

)1. Generates a second encryption m _i in the form (g ^αi ,

)

2. Generates the same proof of authenticity, showing that the first and second encryption are the encryption of the same choice m _i in the ballot.

3. Transmits both the second encryption and the evidence of authenticity to the vote collection center.

B-5: the rest of the process is performed as indicated above.

Figure 1-3 shows certain aspects of the tool. Figure 1 shows a generalized block diagram of typical conditions in which the tool operates. Figure 1 shows several computer systems 110 of the voters, each of which the voter can use to transmit the ballot and verify its undistorted reception. Each of the voter computer systems is connected via the Internet 120 to the computer system 150 of the voting center. For specialists in this field of technology it is clear that the computer systems of voters can be connected to the computer system of the center for collecting votes using systems other than the Internet. The tool transmits ballots from computer systems of voters to the computer system of the voting center, which returns an encrypted vote confirmation. In each voter computer system, the tool uses this encrypted vote confirmation to determine if the transmitted ballot has been rigged. Although preferred embodiments have been described with respect to these conditions, it will be understood by those skilled in the art that the tool can be implemented in various other conditions, including a single, monolithic computer system, as well as various other combinations of computer systems or similar devices connected in various ways.

2 is a block diagram illustrating components typically contained in at least some computer systems and other devices that the tool operates with, such as computer systems 110 and 130. These computer systems and devices 200 may include one or more central processors 201 (SRI) for executing computer programs; computer memory 202 for storing programs and data during use; read-only memory device 203, such as a hard disk drive for permanently storing programs and data; a drive 204 for a computer readable storage medium, such as a CD-ROM drive, for reading programs and data stored in a computer readable storage medium; and network connection 205 for connecting a computer system to other computer systems, for example, via the Internet. Although computer systems made as described above are preferably used to support the operation of the tool, it will be understood by those skilled in the art that the tool can be implemented using devices of various types and configurations and having various components.

Figure 3 shows a graphical diagram of the steps typically performed by a means for detecting a falsified ballot. For specialists in this field of technology it is clear that the tool can perform a set of stages deviating from those shown, including its own superset and subsets of these stages, changing the sequence of these stages, and stages of sets in which certain stages are performed by other computing devices.

At step 301, the detection means encodes in the voter's computer system the selection in the ballot paper made by the voter to form the ballot paper. At step 302, the detection means encrypts this ballot. In some embodiments, the encrypted ballot is an ElGamal pair generated using a public key and a secret held in the voter's computer system. At step 303, the detection means does not necessarily sign the ballot using a private key belonging to the voter. At step 304, the detection means generates evidence of authenticity, which indicates that the encrypted ballot is the encryption of the ballot in which the selection is made correctly. At step 305, the detection means transmits an encrypted, signed ballot paper and evidence of authenticity to the computer system of the voting center.

At 321, the detection means receives this transmission in the computer system of the voice center. At 322, the detection means verifies the received evidence of credibility. In step 323, if the verification of the evidence of confidence is successful, the detection means proceeds to step 324, otherwise the detection means does not proceed to stage 324. In step 324, the detection means generates an encrypted confirmation of the encrypted ballot. The detection tool does this without decrypting the ballot, which is usually not possible in the computer system of the vote center where there is no secret used to encrypt the ballot. At 325, the detection means transmits an encrypted acknowledgment to the voter's computer system.

At 341, the detection means receives an encrypted acknowledgment in the voter's computer system. At 342, the detection means uses a secret held in the voter's computer system to decrypt an encrypted vote confirmation. At 343, the detection means displays a decrypted vote confirmation for the user. At step 344, if the displayed voting confirmation is translated into a selection on the ballot paper made by the voter using the voter-owned confirmation dictionary, the detection means proceeds to stage 345, otherwise the detection means proceeds to stage 346. At stage 345, the detection means determines that the ballot of the voter was not falsified, while at step 346, the detection means determines that the ballot was falsified. In this case, embodiments of the detection means support the voter in recalling and retransmitting the ballot.

For specialists in the art it is clear that the above tool can be directly adapted or expanded in various ways. Although reference is made in the foregoing description to preferred embodiments, the scope of the invention is determined only by the following claims and the elements indicated therein.

Claims (47)

1. A method for recognizing falsification of an electronic ballot, performed in a data processing system, comprising, in a voter's computer system, receiving a selection in a ballot made by a voter from the set of correct voting choices; encoding the accepted voting option on the ballot; ballot encryption; the creation of evidence of credibility proving that the encrypted ballot matches the correct choice in the ballot; transfer of an encrypted ballot paper and evidence of authenticity to the computer system of the vote collection center; in the computer system of the voting center: receiving an encrypted ballot paper and evidence of authenticity; verification of the evidence of authenticity and only if the evidence of authenticity is successfully verified: without decrypting the encrypted ballot paper, generating an encrypted vote confirmation of the encrypted ballot paper; transmission of encrypted voting confirmation to the voter's computer system; in the voter's computer system: receiving an encrypted vote confirmation; decryption of the encrypted vote confirmation to receive a vote confirmation; display of received confirmation of voting; and if the user’s glossary of confirmations does not translate the displayed voting confirmation into the choice made by the voter on the ballot paper, the determination that the ballot paper was falsified. 2. The method according to claim 1, characterized in that the encryption of the ballot includes generating an ElGamal pair representing the ballot. 3. The method according to claim 1, characterized in that the computer system of the vote collection center transmits an encrypted vote confirmation to the voter's computer system through the first communication channel, further comprising, in the computer system of the voice collection center, transmitting a confirmation dictionary to the voter through the second communication channel, different from the first communication channel. 4. The method according to claim 3, characterized in that the individual confirmation dictionaries are transmitted to each of a plurality of voters, including the voter. 5. The method according to claim 1, characterized in that it further comprises applying the hash function to the decrypted confirmation of the vote before displaying it and in which it is determined that the ballot was falsified if the confirmation dictionary that the user does not translate the displayed hashed decrypted Voting confirmation by election ballot made by the voter. 6. A method for recognizing the falsification of an electronic ballot, performed in a data processing system, comprising using a secret stored in the ballot at the polling station to encrypt the ballot size selected by the voter; transmitting the encrypted value of the ballot to the point of collection of votes; receiving, in response to the transmission of the encrypted ballot, an encrypted vote confirmation; use of a secret stored in a polling station to decrypt an encrypted vote confirmation; displaying the decrypted voting confirmation, so that the displayed voting confirmation can be compared with the expected voting confirmation for the size of the ballot selected by the voter, to determine whether the electronic ballot was falsified. 7. The method according to claim 6, characterized in that it further comprises, before displaying the decrypted vote confirmation, using a hash function to convert the decrypted vote confirmation to a smaller output hash value. 8. The method according to claim 6, characterized in that the encryption of the ballot value comprises generating an ElGamal pair representing the value of the ballot. 9. The method according to claim 6, characterized in that the ElGamal pair is generated by evaluating the expressions g ^α and h ^α m, where p is primary; g∈Z _p , which has a primary multiplication order q, with the property that q is a multiple of 1 divided by p-1; h∈ 〈g〉; a∈Z _q are randomly selected at the polling station; m is the value of the ballot. 10. The method according to claim 9, characterized in that the ElGamal pair is generated by evaluating the expressions αg and αh + m, where g and h are both elements of the group of the elliptic curve ξ of the primary order q and α∈Z _{p is} randomly selected in the election site; m is the value of the ballot. 11. The method according to claim 6, characterized in that the use of a secret stored in the polling station to determine whether the encrypted vote confirmation reflects the accepted ballot size selected by the voter at the voting point contains a determination of the ballot value corresponding to the encrypted value ballot, received at the votes collecting, by evaluating the expression W ₁ / U ₁ ^α1, where α ₁ is a secret stored in the polling node and i W ₁ and U ₁ together contain encryptions ie confirmation of the vote; comparing a specific ballot size with a ballot size selected by the voter. 12. The method according to claim 11, characterized in that the evidence of reliability is not an interactive proof of reliability. 13. One or more computer memory devices collectively containing a voter protection data structure, the data structure containing one or more secrets used both (a) to encrypt an encoded ballot paper for transmission to the ballot collection point, and (b) for decrypting the encrypted confirmation of the ballot received from the ballot collection point, which indicates the contents of the ballot received at the ballot collection point. 14. One or more computer memory devices collectively containing a ballot data structure, wherein the ballot data structure comprises an encrypted selection in the ballot formed by encrypting one of the plurality of valid elections in the ballot made by the voter in the voter's computer system; evidence of authenticity, which demonstrates that the encrypted choice on the ballot forms the encryption of one of the many correct choices on the ballot without specifying which encryption of the many correct choices on the ballot forms the encrypted choice on the ballot; encrypted confirmation of the ballot generated in response to receiving the encrypted choice in the ballot in the computer system of the ballot collection center and proof of authenticity. 15. The computer memory device of claim 14, wherein the encrypted selection on the ballot is an ElGamal pair. 16. A method for recognizing the falsification of an electronic ballot, performed in a data processing system, comprising receiving an encrypted ballot size from a ballot transmitting node in a ballot receiving unit, the encrypted ballot value being encrypted for the ballot size based on the choice of the voter using a secret not available at the ballot receiving center; generating an encrypted secret value confirmation from the encrypted ballot value, which indicates to those who hold the secret used to encrypt the encrypted ballot value, the ballot value to which the accepted encrypted ballot value corresponds; transmitting the encrypted confirmation of the secret value to the ballot transmitting node, so that the encrypted confirmation of the secret value can be used in the ballot transmitting node to determine whether the encrypted value of the ballot received at the ballot receiving center matches the choice of the voter in the ballot. 17. The method according to clause 16, wherein the confirmation of the secret value is generated without decrypting the encrypted value of the ballot. 18. The method according to clause 16, wherein the encrypted secret value is encrypted so that in the node transmitting the ballots, if the encrypted confirmation of the secret value corresponds to a choice other than the choice of the voter, it is difficult to generate a decrypted confirmation of the secret value corresponding to the choice of the voter. 19. A method for recognizing falsification of an electronic ballot, performed in a data processing system, comprising transmitting an encrypted ballot from a first computer system to a second computer system, wherein the encrypted ballot reflects the choice in the ballot made by the voter; transmitting the confirmation from the second computer system to the first computer system, the confirmation being used to transmit the decrypted contents of the encrypted ballot received in the second computer system, the confirmation being generated without decrypting the encrypted ballot; displaying the confirmation in the first computer system, so that the voter can determine whether the decrypted content of the encrypted ballot received in the second computer system matches the selection made by the voter in the ballot. 20. The method according to claim 19, characterized in that it further comprises transmitting from the first computer system to the second computer system, evidence of authenticity indicating that the encrypted ballot transmitted from the first computer system to the second computer system reflects the correct choice in the ballot without identification of reflected voter choice. 21. The method according to claim 20, characterized in that the confirmation is transmitted from the second computer system to the first computer system only if the evidence of authenticity transmitted from the first computer system to the second computer system is verified to prove that the encrypted ballot paper transmitted from the first computer system into the second computer system, is the right choice for the voter. 22. A computer-readable storage medium whose contents cause the computer system to recognize the falsification of an electronic ballot transmitted to the ballot collection point by receiving from the ballot collection point an encrypted confirmation of the contents of the encrypted ballot received at the ballot collection point; using the secret stored in the election computer system to decrypt and display the confirmation to the voter, so that the voter can compare the displayed confirmation with the confirmation expected by the voter based on the choice in the ballot made by the voter to determine if the electronic ballot was falsified. 23. A method for detecting falsification of an electronic ballot, performed in a computerized election system, comprising receiving an electronic ballot, the electronic ballot comprising an encrypted voter choice; determining that the accepted encrypted election of the voter is not accompanied by the correct proof of authenticity, which indicates that the encrypted electoral choice encrypts one of the many valid elections in the ballot, and in response to this determination, determining that the generated first ballot was falsified. 24. The method according to p. 23, characterized in that for the encrypted choice of the voter does not accept evidence of authenticity. 25. The method according to item 23, wherein the evidence of authenticity is taken together with the encrypted choice in the ballot, and the combination of the evidence of authenticity and the encrypted ballot do not pass the verification operation performed by the computer system of collecting votes, where the verification operation is created exclusively for determining whether an encrypted ballot is an encryption of at least one valid ballot answer. 26. A computer system for detecting falsification of an electronic ballot, comprising means for receiving an electronic ballot, wherein the electronic ballot contains an encrypted voter choice; means for determining that the accepted encrypted voter choice is not accompanied by the correct evidence of authenticity, which indicates that the encrypted voter choice forms the encryption of one of the many valid choices on the ballot; means for determining, in response to this determination, that the generated first ballot has been falsified. 27. A method of confirming the acceptance of a choice in a ballot paper made by a voter, performed in a computer system, comprising receiving a first confirmation message from a first party, wherein the contents of the first confirmation message confirms the unencrypted value of the encrypted voter selection accepted for the voter by the vote collection administration; receiving the second confirmation message from the second side, which is independent of the first side, while the contents of the second confirmation message independently confirms the unencrypted value of the encrypted voter choice accepted for the voter by the vote collection administration, while the encrypted voter choice is impossible for decryption by the first side, the second side and vote collection administration. 28. The method according to item 27, wherein it further comprises displaying the contents of the first and second confirmation messages, so that both the displayed first confirmation message and the displayed second confirmation message can be compared by the voter with the expected voting confirmation messages for selection in the ballot, made by the voter to determine whether the voter administration accepted an encrypted version of the voter’s choice, different from the one on the ballot etene made by voters. 29. The method according to item 27, characterized in that it further comprises combining the contents of the first and second confirmation messages to obtain a combined confirmation message; displaying a combined confirmation message, so that the displayed combined confirmation message can be compared to the voter with the expected combined vote confirmation message to select on the ballot paper made by the voter, in order to determine whether the encrypted version of the voter has been accepted for the voter by a different choice than ballot paper made by the voter. 30. The method according to clause 29, wherein the combined confirmation message is obtained using the concatenation of the contents of the first and second confirmation messages. 31. The method according to clause 29, wherein the combined confirmation message is received using threshold secret reconstruction technology. 32. The method according to item 27, wherein the first and second confirmation messages each contain a first value and a second value, and in which a combined confirmation message is obtained by determining the product of the first values contained in the first and second confirmation messages, and definitions of the product of the second quantities contained in the first and second confirmation messages 33. A computer-readable storage medium, the content of which leads to confirmation by the computer system of the selection in the ballot made by the voter, by receiving the first confirmation message from the first party, while the contents of the first confirmation message confirms the unencrypted value of the encrypted voter choice accepted by the vote collection administration ; receiving the second confirmation message from the second side, which is independent of the first side, while the contents of the second confirmation message independently confirms the unencrypted value of the voter choice accepted for the voter by the vote collection administration, while the encrypted voter choice is impossible for decryption by the first side, the second side and the administration collecting votes. 34. A voter driven computer memory device containing a data structure for confirming an election on a ballot made by a voter, containing a first confirmation message received from a first party, the contents of the first confirmation message confirming an unencrypted value of a voter selection accepted for the voter by the toll office votes and the second confirmation message received from the second side, which is independent of the first side, while the contents of the second confirmation message independently confirms the unencrypted value of the voter choice accepted for the voter by the vote collection administration, while the encrypted voter choice is impossible for decryption by the first side, the second side and vote collection administration. 35. A method of confirming a choice in a ballot paper made by a voter, performed in a computer system, comprising transmitting to the first recipient, via the first communication channel, a confirmation dictionary for the first voter containing a list of voter selection confirmation messages located in the first order, and transmitting to the first recipient via the second channel communication, which differs from the first communication channel, instructions to the dictionary of confirmations for the first voter, indicating for each of the many correct choices in the voter, the first-order position containing the voter choice confirmation message corresponding to the correct voter choice, so that the first recipient can use the identity of the choice on the ballot paper made by the first voter, together with the instructions in the confirmation dictionary, to identify the voter choice confirmation message in the confirmation dictionary corresponding to the election on the ballot made by the voter. 36. The method according to clause 35, characterized in that it further comprises transmitting to the second recipient, through the first communication channel, a second confirmation dictionary for the second voter, containing a list of voter selection confirmation messages arranged in the second order, wherein the second voter is different from the first voter, the second the receiver is different from the first receiver, the second order is different from the first order. 37. A computing system for confirming receipt of a choice in a ballot paper made by a voter, comprising a first transmission system connected to a first communication channel that transmits a confirmation dictionary containing a list of voter selection confirmation messages in a first order and a second transmission system connected to a receiver with a second communication channel, which is different from the first communication channel, which transmits to the recipient instructions to the confirmation dictionary indicating for each of the plurality correct voter choices, the first-order position containing the voter choice confirmation message corresponding to the correct choice on the ballot, so that the recipient can use the identity of the choice on the ballot made by the voter, together with the instructions to the confirmation dictionary, to identify the confirmation message of the choice in the confirmation dictionary the voter corresponding to the election on the ballot made by the voter. 38. The computing system according to clause 37, wherein the second transmitting system transmits instructions to the dictionary of confirmations by voice message. 39. The computing system according to clause 37, wherein the second transmitting system transmits instructions to the dictionary of confirmations by mail. 40. A method of delivering a choice in a ballot paper made by a voter, performed in a computer system, comprising in the computer system of the performer: encrypting the selection in the ballot using the first secret known only to the performer to generate the first component of the encrypted ballot; encrypting the choice in the ballot using a second secret known only to the performer, while the second secret is chosen independently of the first secret to generate the second component of the encrypted ballot; generating evidence demonstrating that the first and second encrypted components of the ballot are encrypted for the same choice on the ballot; transfer of the first and second components of the ballot paper and evidence to the computer system of collecting votes; in a computer-based voting system: determining whether evidence shows that the first and second encrypted components of the ballot are encrypted for the same choice in the ballot, and only if the evidence shows that the first and second encrypted components of the ballot are encrypted for the same the same choice on the ballot, recognition of the choice on the ballot. 41. The method according to p, characterized in that the first encrypted component of the ballot is generated by evaluating g ^α and h ^α m, where p is primary; g∈Z _p , which has a primary multiplication order q, with the property that q is a multiple of 1 divided by p-1; h∈ 〈g〉; a∈Z _q are randomly selected at the polling station; m is a choice on the ballot, and in which a second encrypted component of the ballot is generated by evaluating the expressions g ^α and h ^α m, where h∈ 〈g〉; a∈Z _q are randomly and independently selected at the polling station; m is the choice on the ballot. 42. The method according to paragraph 41, wherein it further comprises generating a confirmation of the vote by evaluating the expression V _i = K _i h ^{(βi (αi + αi)} m ^{(d + 1) βI} , where p is primary; g∈Zp, which has a primary multiple order q with the property that q is a multiple of 1 divided by p-1; h∈ 〈g〉; h∈ is h raised to the power of d, which is kept secret; α∈Z _q and α∈Z _q are randomly selected at the election site; Ki∈ 〈g〉; β _i ∈Z _q ; m is a choice on the ballot, and by evaluating the expression h ^β I, and in which these two evaluated expressions are transmitted to the executive computer system as a confirmation of the vote. 43. The method according to item 42, wherein the vote confirmation is decrypted by means of an assessment V _i / ((h ^βi ) ^{(αi + αi)} ), where p is primary; g∈Z _p , which has a primary multiplication order q, with the property that q is a multiple of 1 divided by p-1; h∈ 〈g〉; h∈ is h raised to the power of d, which is kept secret; a α∈Z _q and α∈Z _q are randomly selected at the election site; Ki∈ 〈g〉; β _i ∈Z _q and V _i are accepted as part of the vote confirmation. 44. A computer-readable storage medium whose contents cause the computer system to transmit a selection in a ballot paper made by a voter by encrypting a selection in a ballot paper using the first secret known only to the performer to generate the first encrypted component of the ballot paper; encrypting the choice in the ballot using a second secret known only to the performer, the second secret being chosen independently of the first secret to generate a second encrypted component of the ballot; generating evidence demonstrating that the first and second components of the ballot are encrypted for the same choice on the ballot; transmitting the first and second components of the ballot paper and evidence to the computer system of collecting votes. 45. A method of receiving a choice in a ballot paper made by a voter, performed in a computer system, comprising receiving from the executive computer system the first encrypted selection in the ballot, encrypted using the first secret known only to the performer, to generate the first encrypted component of the ballot; a second encrypted election on the ballot, encrypted using a second secret known only to the performer, the second secret being chosen independently of the first secret, and evidence and only when the evidence demonstrates that the first and second encrypted elections on the ballot are encrypted of the same choice on the ballot, recognition of the election. Priorities: 02/20/2001 - according to claims 1-26, 40-45; 02/11/2002 - according to paragraphs 27-39.

Images