Secure electronic voting is one of the most important single applications of secure multi-party computation. Yet despite extensive work on this subject, no complete solution has been found in either the theoretical or practical domains. Even the general solutions to secure multi-party protocols fail to exhibit all of the desired properties of elections. For example, an article by J. C. Benaloh et al, entitled "Receipt-free Secret-ballot Election," in STOC 94, pp. 544-553 (1994) describes the receipt-free property. While these general solutions do have a wide breadth of security properties, and some hope of rigorous analysis, they are impractical both in their computational and communication costs.
A number of more practical voting protocols have been proposed, with widely differing security properties. Schemes based on anonymous channels/mixers have become very popular due to their superior efficiency and the arbitrary nature of the votes that are allowed. Such schemes are described in an article by D. Chaum entitled "Untraceable Electronic Mail, Return Address, and Digital Pseudonyms" in Communications of the ACM, ACM, 1981, pp 84 to 88, in an article by A. Fujioka et al, entitled "A Practical Secret Voting Scheme for Large Scale Elections," in Advances in Cryptology--Auscrypt '92, 1992, pp. 244 to 251, and in an article by C. Park et al, entitled "Efficient Anonymous Channel and All/Nothing Election Scheme" in Advances in Cryptology, Eurocrypt '93, 1993, pp. 248 to 259. However, a price is paid for this efficiency. The simplest of these schemes does not allow a voter to securely protest the omission of a vote without allowing a malicious voter to block the election. In all the schemes known to the inventors there is a high round complexity--one round for each mixer used to implement the anonymous channel. Also, after the election each voter is typically responsible for checking that their vote was correctly tallied. There is usually no way for an outside observer to later verify that the election was properly performed.
Another approach is the use of number theoretic techniques without anonymous channels or mixers. These protocols have desirable security properties, but as discussed below in detail, their communication complexity is quite high for realistic scenarios. Such techniques are described in an article by J. Benaloh and M. Yung entitled "Distributing the Power of a Government to Enhance the Privacy of Voters" in ACM Symposium on Principles of Distributed Computing, 1986, pp. 52 to 62, in a Ph.D. thesis by J. Benaloh entitled "Verifiable Secret-Ballot Elections" Ph.D. thesis Yale University 1987 Yaleu/DCS/TR-561, and in an article by J. Cohen et al entitled "A Robust and Verifiable Cryptographically Secure Election Scheme", in FOCS85, 1985, pp. 372 to 382.
The protocol of Benaloh and Yung enjoys most of the desirable security properties obtained in the present invention, and is based on partially compatible homomorphisms of the form $E_i(x) = y_i^{x} \cdot g_i^{r} \bmod n_i$. The technical advances made by the present invention include:
Greater generality: The encryption used by Benaloh and Yung was tuned to the factoring problem. Each center i had the prime factorization of $n_i$ as part of its secret information. This secret information complicated the protocol in that the voters needed to verify the correctness of the centers' public information and the correctness of their subtallies through interactive protocols. Also, the present invention can be applied to "discrete-log type" problems.
Amortization techniques: Unlike most previous work in voting, the present invention considers how to run multiple elections more efficiently. Since there are usually many voters and checking each vote involves many subchecks, amortization techniques can be effectively used to speed up single elections as well.
Improved zero-knowledge proofs: Direct and efficient protocols show, for example, that x+y is either 1 or -1, without conveying which is the case. These proofs are more efficient than the cryptographic capsule methods used in the prior art.
Also, the present invention incorporates techniques, such as the Fiat-Shamir heuristic for removing interaction, that were not available at the time of Benaloh and Yung. Some of these techniques can also be applied to the original protocol (with varying degrees of difficulty and utility). By using more modern techniques the present invention realizes the basic approach laid out by Benaloh and Yung, but with greatly improved efficiency.
In accordance with the teaching of the present invention, a number-theoretic method for secure electronic voting provides a number of features including moderate communication cost, low round complexity, preprocessing potential, security, universal verifiability and flexibility, all as described below.
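As an added illustration (not code from the patent or the cited papers), the sketch below instantiates the homomorphism form quoted above, E(x) = y^x · g^r, over a prime modulus in the "discrete-log type" setting and shows how an outside observer can check a center's published subtally against the posted ciphertexts. The parameters P, Q, G, Y, the function names, and the share-splitting flow are assumptions chosen for the example; the zero-knowledge proof that each vote is 1 or -1 is omitted.

```python
import secrets

# Toy parameters, constructed for illustration and far too small for real use.
# P = 2Q + 1 with Q prime; G and Y are squares, so both have order Q mod P.
# A real deployment also needs log_G(Y) to be unknown to every participant.
P, Q = 2039, 1019
G, Y = 4, 9

def encrypt(x, r):
    """E(x) = Y^x * G^r mod P (the quoted form, with a prime modulus)."""
    return pow(Y, x % Q, P) * pow(G, r % Q, P) % P

def cast(vote, n_centers):
    """Split a vote in {1, -1} into additive shares mod Q, one per center."""
    shares = [secrets.randbelow(Q) for _ in range(n_centers - 1)]
    shares.append((vote - sum(shares)) % Q)
    rands = [secrets.randbelow(Q) for _ in range(n_centers)]
    posted = [encrypt(x, r) for x, r in zip(shares, rands)]
    # shares/rands go privately to the centers; posted goes on the public board
    return shares, rands, posted

def subtally(openings):
    """A center sums the (share, r) pairs it received and publishes both sums."""
    return (sum(x for x, _ in openings) % Q, sum(r for _, r in openings) % Q)

def verify_subtally(posted_column, claimed):
    """Public check: product of posted ciphertexts == E(sum of shares; sum of r)."""
    product = 1
    for c in posted_column:
        product = product * c % P
    return product == encrypt(*claimed)

def run_election(votes, n_centers=3):
    """Run the toy flow end to end and return the signed tally."""
    ballots = [cast(v, n_centers) for v in votes]
    total = 0
    for i in range(n_centers):
        claimed = subtally([(s[i], r[i]) for s, r, _ in ballots])
        if not verify_subtally([p[i] for _, _, p in ballots], claimed):
            raise ValueError(f"center {i} published a bad subtally")
        total = (total + claimed[0]) % Q
    return total if total <= Q // 2 else total - Q  # map back to a signed count
```

No single center learns a vote from its share alone, while a center that misreports its subtally fails the public product check.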