@@ -65,6 +65,9 @@ Before any voting will start an initial setup procedure should be performed.
6565* As most of the crypto algorithms are group dependent
6666 (more about this you can read in [ appendix A] ( #a-group-definition ) ),
6767 it is needed to specifically define which cryptographically secure group would be used.
68+ * Define a hash function which will be used by the underlying crypto algorithms.
69+ * Define a commitment key $ck$,
70+ which will be used during the voter proof generation and verification procedures.
6871
6972### Vote
7073
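Review bot: the new setup bullet for $ck$ says only "Define a commitment key" and gives no rule for how it is produced. The prover later computes $I_l = g^{i_l} \circ ck^{\alpha_l}$, and commitments of that form are binding only if nobody knows the discrete logarithm of $ck$ with respect to $g$. The setup should therefore require a publicly verifiable derivation, for example hashing a public, election-specific string into the group, and state that $ck$ must not be chosen freely by any single party. The hash function bullet would likewise benefit from naming the required properties or a concrete choice, as the group bullet above it does by pointing to appendix A.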
@@ -177,24 +180,24 @@ so everyone could validate a correctness of the encrypted vote data,
177180without revealing a voting choice itself.
178181
179182To achieve that a some sophisticated ZK (Zero Knowledge) algorithm is used,
180- noted as $VoteProof(\mathbf{c}, \mathbf{e}_ i, \mathbf{r}, pk)$.
183+ noted as $VoteProof(\mathbf{c}, \mathbf{e}_ i, \mathbf{r}, pk, ck )$.
181184It takes an encrypted vote vector $\mathbf{c}$,
182185an original vote unit vector $\mathbf{e}_ i$,
183186a randomness vector $\mathbf{r}$,
184187which was used during encryption algorithm $VoteEnc$
185- and an shared election public key $pk$.
188+ a shared election public key $pk$ and a commitment key $ck $.
186189As a result it generates a proof value $\pi$.
187190\begin{equation}
188- \pi = VoteProof(\mathbf{c}, \mathbf{e}_ i, \mathbf{r}, pk)
191+ \pi = VoteProof(\mathbf{c}, \mathbf{e}_ i, \mathbf{r}, pk, ck )
189192\end{equation}
190193
191- So to validate a $VoteCheck(\mathbf{c}, \pi, pk)$ procedure should be used,
192- which takes an encrypted vote $\mathbf{c}$, corresponded proof $\pi$
193- and the same hared election public key $pk$
194+ So to validate a $VoteCheck(\mathbf{c}, \pi, pk, ck )$ procedure should be used,
195+ which takes an encrypted vote $\mathbf{c}$, corresponded proof $\pi$,
196+ the same shared election public key $pk$ and a commitment key $ck $
194197as arguments and returns ` true ` or ` false ` ,
195198is it valid or not.
196199\begin{equation}
197- true | false = VoteCheck(\mathbf{c}, \pi, pk)
200+ true | false = VoteCheck(\mathbf{c}, \pi, pk, ck )
198201\end{equation}
199202
200203A more detailed description of how $VoteProof$, $VoteCheck$ work
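Review bot: the argument list for $VoteProof$ lost its separator when "and an shared election public key" was replaced. The context line "which was used during encryption algorithm $VoteEnc$" now runs straight into "a shared election public key $pk$ and a commitment key $ck$", so a comma is needed after $VoteEnc$ (or at the start of the new line). In the $VoteCheck$ paragraph, "the same shared election public key $pk$ and a commitment key $ck$" should also read "the same commitment key", since the check is only meaningful when both procedures use an identical $ck$.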
@@ -465,14 +468,15 @@ The prover algorithm takes as arguments:
465468* $\mathbf{r} = (r_0, \ldots, r_ {M-1})$ - a vector of randomnesses,
466469 which was used during encryption.
467470* $pk$ - is a public key, which was used to encrypt a unit vector.
471+ * $ck \in \mathbb{G}$ - a commitment key.
468472
469473So basically here is the relation between all these values:
470474\begin{equation}
471475\mathbf{c} = (c_1, \ldots, c_M) = (VoteEnc(e_ {i,1}, r_1, pk), \ldots, VoteEnc(e_ {i,M}, r_M, pk))
472476\end{equation}
473477
474478\begin{equation}
475- VoteProof(\mathbf{c}, \mathbf{e}_ i, \mathbf{r}, pk) = \pi
479+ VoteProof(\mathbf{c}, \mathbf{e}_ i, \mathbf{r}, pk, ck ) = \pi
476480\end{equation}
477481
478482Important to note that the following notation would be used
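Review bot: the new bullet "$ck \in \mathbb{G}$ - a commitment key." does not say where the prover obtains $ck$. The step "Generate a commitment key $ck \in \mathbb{G}$" is removed from the prover further down, so this bullet should state that $ck$ is the value fixed during the initial setup procedure, ideally with a link to that section the way the verifier arguments link to the prover section.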
@@ -485,48 +489,47 @@ To compute it, prover needs to perform the next steps:
485489 extend the vector $\mathbf{c}$ with $c_j = VoteEnc(0, 0, pk)$,
486490 where $N$ is a perfect power of $2$, $j \in [ M, \ldots, N - 1] $.
487491 So the resulted $\mathbf{c} = (c_1, \ldots, c_M, \{ c_j\} )$.
488- 2 . Generate a commitment key $ck \in \mathbb{G}$.
489- 3 . Let $i_k$ is a bit value of the $i$-th binary representation (little-endian order),
492+ 2 . Let $i_k$ is a bit value of the $i$-th binary representation (little-endian order),
490493 where $k \in [ 0, log_2(N) - 1] $.
491494 E.g. $i=3$ and $N=8, log_2(N) = 3$,
492495 its binary representation $i=011$,
493496 $i_0=1, i_1=1, i_2=0$.
494- 4 . For $l \in [ 0, \ldots, log_2(N)-1] $ generate a random values
497+ 3 . For $l \in [ 0, \ldots, log_2(N)-1] $ generate a random values
495498 $\alpha_l, \beta_l, \gamma_l, \delta_l, \in \mathbb{Z}_ q$.
496- 5 . For $l \in [ 0, \ldots, log_2(N)-1] $ calculate, where $g$ is the group generator:
499+ 4 . For $l \in [ 0, \ldots, log_2(N)-1] $ calculate, where $g$ is the group generator:
497500 * $I_l = g^{i_l} \circ ck^{\alpha_l}, I_l \in \mathbb{G}$.
498501 * $B_l = g^{\beta_l} \circ ck^{\gamma_l}, B_l \in \mathbb{G}$.
499502 * $A_l = g^{i_l * \beta_l} \circ ck^{\delta_l}, A_l \in \mathbb{G}$.
500- 6 . Calculate a first verifier challenge
503+ 5 . Calculate a first verifier challenge
501504 $ch_1 = H(ck, pk, \{ c_j\} , \{ I_l\} , \{ B_l\} , \{ A_l\} )$,
502505 where $H$ is a hash function,
503506 $j \in [ 0, \ldots, N-1] $
504507 and $l \in [ 0, \ldots, log_2(N)-1] $.
505- 7 . For $j \in [ 0, \ldots, N-1] $ calculate polynomials
508+ 6 . For $j \in [ 0, \ldots, N-1] $ calculate polynomials
506509 in the following form $p_j(x) = e_ {i, j}* x^{log_2(N)} + \sum_ {l=0}^{log_2(N)-1} p_ {j,l} * x^l$:
507- * $j_l$ is a bit value of the $j$-th binary representation (same as was described in step ` 3 ` ).
510+ * $j_l$ is a bit value of the $j$-th binary representation (same as was described in step ` 2 ` ).
508511 * $z_l^{1} = i_l * x + \beta_l$.
509512 * $z_l^{0} = x - z_l^{1} = (1 - i_l)* x - \beta_l$.
510513 * Calculate the polynomial itself $p_j(x) = \prod_ {l=0}^{log_2(N)-1} z_l^{j_l}$
511- 8 . For $l \in [ 0, \ldots, log_2(N)-1] $ generate a random $R_l \in \mathbb{Z}_ q$.
512- 9 . For $l \in [ 0, \ldots, log_2(N)-1] $ compute
514+ 7 . For $l \in [ 0, \ldots, log_2(N)-1] $ generate a random $R_l \in \mathbb{Z}_ q$.
515+ 8 . For $l \in [ 0, \ldots, log_2(N)-1] $ compute
513516 $D_l = VoteEnc(sum_l, R_l, pk)$,
514517 where $sum_l = \sum_ {j=0}^{N-1}(p_ {j,l} * ch_1^j)$
515518 and $p_ {j,l}$ - corresponding coefficients of the polynomial $p_j(x)$ calculated on step ` 7 ` .
516- 10 . Calculate a second verifier challenge
519+ 9 . Calculate a second verifier challenge
517520 $ch_2 = H(ch_1, \{ D_l\} )$,
518521 where $H$ is a hash function
519522 and $l \in [ 0, \ldots, log_2(N)-1] $.
520- 11 . For $l \in [ 0, \ldots, log_2(N)-1] $ calculate:
523+ 10 . For $l \in [ 0, \ldots, log_2(N)-1] $ calculate:
521524 * $z_l = i_l * ch_2 + \beta_l, z_l \in \mathbb{Z}_ q$.
522525 * $w_l = \alpha_l * ch_2 + \gamma_l, w_l \in \mathbb{Z}_ q$.
523526 * $v_l = \alpha_l * (ch_2 - z_l) + \delta_l, v_l \in \mathbb{Z}_ q$.
524- 12 . Calculate
527+ 11 . Calculate
525528 $R=\sum_ {j=0}^{N-1}(r_j * (ch_2)^{log_2(N)} * (ch_1)^j) + \sum_ {l=0}^{log_2(N)-1}(R_l * (ch_2)^l)$,
526529 where $r_j$ original random values which was used to encrypt $c_j$
527530 and $R_l$ random values generated in step ` 8 ` .
528531
529- Finally, the proof is $\pi = (ck, \{ I_l\} , \{ B_l\} , \{ A_l\} , \{ D_l\} , \{ z_l\} , \{ w_l\} , \{ v_l\} , R)$,
532+ Finally, the proof is $\pi = (\{ I_l\} , \{ B_l\} , \{ A_l\} , \{ D_l\} , \{ z_l\} , \{ w_l\} , \{ v_l\} , R)$,
530533where $l \in [ 0, \ldots, log_2(N)-1] $.
531534
532535### Verifier
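Review bot: two step references in this hunk still carry their old numbers after the renumbering. The $D_l$ step says the coefficients $p_{j,l}$ were "calculated on step 7", but the polynomials are now computed in step 6, and the $R$ step says the $R_l$ values were "generated in step 8", but they are now generated in step 7. The reference inside the polynomial step was correctly changed from 3 to 2, so these two should be updated the same way. Note also that $ch_1 = H(ck, pk, \ldots)$ still binds $ck$ into the challenge, which is worth keeping now that $ck$ is no longer part of $\pi$.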
@@ -537,15 +540,16 @@ The verifier algorithm takes as arguments:
537540 where $M$ is amount of voting options.
538541* $\pi$ - a prover's proof generated on the [ previous step] ( #prover )
539542* $pk$ - is a public key, which was used to encrypt a unit vector.
543+ * $ck \in \mathbb{G}$ - a commitment key, same which was used by the prover.
540544
541545\begin{equation}
542- VoteCheck(\mathbf{c}, \pi, pk) = true | false
546+ VoteCheck(\mathbf{c}, \pi, pk, ck ) = true | false
543547\end{equation}
544548
545549As a result algorithm will return ` true ` or ` false ` ,
546550is the verification was succeeded or not respectively.
547551
548- Knowing that $\pi$ equals to $(ck, \{ I_l\} , \{ B_l\} , \{ A_l\} , \{ D_l\} , \{ z_l\} , \{ w_l\} , \{ v_l\} , R)$,
552+ Knowing that $\pi$ equals to $(\{ I_l\} , \{ B_l\} , \{ A_l\} , \{ D_l\} , \{ z_l\} , \{ w_l\} , \{ v_l\} , R)$,
549553verifier needs to perform the next steps:
550554
5515551 . If the number of voting options $M$ is not a perfect power of $2$,
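Review bot: the verifier bullet describes $ck$ as "same which was used by the prover", which reads as if the verifier takes the key from the prover. Now that $ck$ is removed from $\pi$, the verifier has to obtain it independently, so the bullet should say it is the commitment key defined during the initial setup. Accepting a prover-supplied $ck$ would let a prover pick a key whose discrete logarithm it knows, which undermines the commitments $I_l$, $B_l$ and $A_l$ used in the proof.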