-
Notifications
You must be signed in to change notification settings - Fork 0
/
document.tex
2983 lines (2669 loc) · 145 KB
/
document.tex
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
\documentclass[numbers=noenddot, abstract=on, a4paper, headsepline,
footsepline, oneside, openright, draft=off, listof=leveldown]{scrreprt}
% Setting heading fonts to serif
\addtokomafont{disposition}{\rmfamily}
% Setting description label fonts to serif
\addtokomafont{descriptionlabel}{\rmfamily}
\usepackage[T1]{fontenc}
\usepackage[english]{babel}
\usepackage[utf8]{inputenc}
% biblatex
\usepackage[backend=bibtex8]{biblatex}
\bibliography{bib/bibliography.bib}
% switch last names in bibliography to small caps
\renewcommand*{\mkbibnamelast}[1]{\textsc{#1}}
% we need these packages for the gantt chart
\usepackage{pgfgantt}
\usepackage{rotating}
% We need this to display the group symbols correctly
\usepackage{amssymb}
\usepackage{amsmath}
\usepackage{upgreek}
% activate the headings
\pagestyle{headings}
% make sure that the headings also appear on the first page of the chapter
\renewcommand*{\chapterpagestyle}{headings}
% change the font of the headings to smallcaps
\setkomafont{pagehead}{\scshape}
% UML stuff
\usepackage{tikz}
\usepackage{tikz-uml}
\usetikzlibrary{matrix,arrows,positioning,decorations.pathreplacing,calc,decorations.pathmorphing}
\usepackage{dot2texi}
% Intelligent references
\usepackage{varioref}
% Nomenclauture
\usepackage{nomencl}
% Draft watermark
%\usepackage[firstpage]{draftwatermark}
%\SetWatermarkScale{5}
%\SetWatermarkLightness{0.9}
\usepackage{subcaption}
\usepackage[section]{placeins}
% improve word spacing
\usepackage{microtype}
\usepackage{gnuplottex}
\usepackage{epstopdf}
% Using links in PDFs, but without the ugly borders
\usepackage{hyperref}
\hypersetup{
colorlinks=false,
pdfborder={0 0 0},
pdfauthor={Jürg Ritter},
pdftitle={Decentralized E-Voting on Android Devices Using Homomorphic
Tallying},
pdfsubject={Master's Thesis},
pdfkeywords={E-Voting;Android;Master's Thesis},
}
\usepackage{cleveref}
% definitions of own commands
%\newcommand{\myref}[1]{(see section \ref{#1} on page \pageref{#1})}
\newcommand{\myref}[1]{(see \Vref{#1})}
% Pretty tables
\usepackage{tabularx}
\usepackage{booktabs}
\usepackage{multirow}
\usepackage{siunitx}
\usepackage{graphicx}
% menukeys for handbook in appendix
\usepackage{menukeys}
\renewmenumacro{\menu}{roundedmenus} % default: menus
\renewmenumacro{\keys}{roundedkeys}
\begin{document}
\title{\bf Decentralized E-Voting on Android Devices Using Homomorphic Tallying}
\subject{Master's Thesis}
\author{Jürg Ritter\\
\\
Bern University of Applied Sciences\\
Engineering and Information Technology\\
CH-2501 Biel, Switzerland\\
}
\date{\today}
\publishers{Advisor:\\
Prof. Dr. Rolf Haenni, Bern University of Applied Sciences\\
\bigskip
Expert:\\
Stephan Neumann, Technical University of Darmstadt}
\maketitle
\clearpage
\pagenumbering{roman}
\begin{abstract}
During this master's thesis, a decentralized e-voting system for mobile devices
such as smartphones and tablets running Android has been implemented. The term
``decentralized'' in that context means that there is no central server
infrastructure involved in the voting process. The main application of such
e-voting systems are votes with a low number of participants, for example the
board of directors in a company. The idea is that the participants create an
ad-hoc network with their mobile devices and then use this network to run a
secure e-voting protocol. In order to guarantee privacy and verifiability, a
voting scheme that uses homomorphic tallying is used. It also provides
robustness in the sense that it is not possible for a single party to break the
voting process just by refusing the collaboration at a certain step throughout
the voting process. A big focus area is also the usability of this system, it
should be possible for participants without extensive knowledge in the area of
information security to use this e-voting system.
\end{abstract}
\chapter*{Statutory declaration}
\label{chap:decalration}
I hereby declare having done this master's thesis myself without any
unauthorized help. All information sources that strongly helped me in my work,
are fully referenced in this document or directly in the source code.
\begin{flushleft}
\vspace{3.5cm}
\begin{tabbing}
xxxxxxxxxxxxxxxxxxxxxx\=xxxxxxxxxxxxxxxxxxxxxxx \kill
Title of the thesis: \> Decentralized E-Voting on Android Devices\\
\> Using Homomorphic Tallying
\\
\\
Firstname, Lastname: \> Jürg Ritter \\
\\
\\
Date, Place: \> \today, \\
\>Biel, Switzerland \\
\\
\\
Signature:
\end{tabbing}
\end{flushleft}
\tableofcontents
\listoffigures
\listoftables
\markright{Acknowledgements}
\chapter*{Acknowledgements} I would like to thank the E-Voting Group of the Bern
University of Applied Sciences for giving me the opportunity to realize this
project. Many interesting and inspiring discussions helped driving on this
project. A special thanks goes to my advisor Prof. Dr. Rolf Haenni who supported
me throughout the whole time during my master studies. A big thank you also goes
to my fellow student Philémon von Bergen, with whom I worked closely during this
master's thesis. Coming a long way from Germany for serving as an Expert for
this master's thesis, I would like to express my gratitude to Stephan Neumann.
I am also deeply grateful for the support of my employer Swisscom for supporting
me during the whole time of my studies, especially my team who always gave me
the necessary flexibility.
% Nomenclature
% ------------------------------------------------------------------
%\nomenclature{$p, q, g$}{The ElGamal parameters}
%\nomenclature{$m$}{A cleartext message}
%\nomenclature{$(a, b)$}{An ElGamal ciphertext tuple}
%\nomenclature{$x$}{An ElGamal private key}
%\nomenclature{$y$}{An ElGamal public key}
%\printnomenclature
% ------------------------------------------------------------------
\chapter{Introduction}
\pagenumbering{arabic}
\label{cha:introduction}
The history of voting on a particular question in order to determine the will of
a group of people goes far back to the ancient Greeks, who laid the groundwork of
today's democratic societies. Over the years, the purpose of holding elections
remained the same, while the procedures on how voting is done has changed
significantly. The most ancient way of expressing the will by a hand sign has
been replaced by modern technologies. The 20th century has seen a lot of changes
in this area. Paper based voting has been introduced, and with the
industrialization, the first voting machines appeared on the surface. The
purpose of these machines was to simplify the counting process. In today's internet
society where a lot of tasks such as banking, shopping, mailing, etc. have been
revolutionized by the internet, it is not surprising that there are a lot of
efforts going on to revolutionize the process of voting as well.
One of the research fields of the Bern University of Applied Sciences is the
area of electronic voting, hereinafter abbreviated as e-voting. E-voting has
become a big field of research in the past couple years. Still, there is no
generic approach which meets all the criteria such as privacy, transparency,
etc. which we want in e-voting. These properties are discussed in
\Vref{sec:evoting}. The e-voting research group of the Bern University of
Applied Sciences\footnote{\url{http://e-voting.bfh.ch/}} tries to improve this
situation with the following approaches:
\begin{itemize}
\item Contribute to the scientific community in the area of e-voting by
publishing new approaches.
\item Take existing approaches and evaluate them in terms of practicability.
These approaches are usually available as scientific papers.
\end{itemize}
The evaluation of these approaches is usually done by implementing them into a
prototype level application. This implementation is used to show that the
approach works in practice and provides a certain usability. The E-Voting Group
would like to gain some experience on how decentralized e-voting systems could
be implemented and how they behave in practice. A decentralized e-voting system
aims to provide a platform to do secure e-voting without the need of having a
central infrastructure (e.g. a server) available. There are some approaches which
focus explicitly on this kind of e-voting systems, such as the proposal of D.
Khader et al. \cite{HKRS12}. In this project however, we would like to adapt the
voting scheme proposed by Cramer et. al. \cite{CGS97} in a way that it can be
used as a decentralized e-voting system.
A potential use case of such a system could be boardroom voting, for example a
vote held in a board of directors of a company. The architecture of our system
requires that all the participants are in a confined space and are able to
exchange some sort of credential using a communication channel which relies on
physical proximity (e.g. near field communication) or visual contact (e.g.
QR-codes).
In previous projects during the master studies, some groundwork has been
implemented which can now be used as a foundation for this project. The
previously implemented projects are the following:
\begin{itemize}
\item \textbf{UniCrypt:} UniCrypt is a cryptographic library developed by the
members of the E-Voting Group of the Bern University of Applied Sciences. It
provides cryptographic building blocks such as the ElGamal cryptosystem, zero
knowledge proofs, digital signatures, etc.
\item \textbf{InstaCircle: } InstaCircle provides a decentralized
communication platform for Android devices. It allows to exchange messages
using Wi-Fi communication among a closed user group.
\end{itemize}
The projects mentioned above will be discussed in more detail in \Vref{cha:brw}.
\section{Goals}
\label{cha:goals}
The final result of this project is a fully-fledged decentralized e-voting
application which runs on Android devices and does not require any equipment
other than the Android smartphones or tablets. The CGS97 e-voting
scheme \cite{CGS97} will be used as the theoretical foundation for this project.
Having said this, we divide the following goals for this project:
\paragraph{E-Voting Functionality.}
The main goal of this project is the implementation of the logic of CGS97
\cite{CGS97}, by assembling the cryptographic building blocks to a working
application. The final product needs to be able to handle a
voting scenario \emph{one-out-of-k}, meaning that a user can choose exactly one
out of $k$ options.
\paragraph{Graphical User Interface.}
In many cases, cryptographic functions which are heavily used in the context of
e-voting have a negative impact on the usability. Many steps such as key
generation, decryption, etc. have to be done in order to guarantee all the
desired properties for e-voting. All these steps bring a certain complexity
into the handling of the application. Therefore it is crucial to guide the user
through the process, and this can only be done by providing them a carefully
crafted user interface. A further goal of this project is to implement a user
interface which provides a good usability.
\paragraph{Extension of UniCrypt.}
UniCrypt implements many cryptographic building blocks which are necessary in
order to implement a CGS97 based e-voting system, however two crucial parts are
missing:
\begin{itemize}
\item \textbf{ElGamal Proof of Validity:} This type of zero-knowledge proof is
used in order to make sure that a cipher text is an ElGamal encryption of an
element which belongs to a set of possible plain texts. This type of proof is
an instance of a more generic \emph{OR-composition} of multiple proofs of
knowledge. This type of zero-knowledge proof is discussed in detail in
\Vref{sec:zeroknowledgeproofs}.
\item \textbf{Threshold Cryptosystem:} In order to ensure privacy of
the ballots, the CGS97 e-voting scheme uses a so called threshold system. This
system allows to split a private key and distribute \emph{key shares} to a
given set of participants. In order to decrypt a cipher text, the parties have
to collaborate in order to reconstruct the private key. Threshold cryptosystems
are discussed in further detail in \Vref{sec:secretsharing}.
\end{itemize}
As a goal of this project, these two essential building blocks have to be
implemented and integrated into the UniCrypt library.
\\
The time budget of this master's thesis is one year, although the project will
be implemented part time. It is equivalent to 27 ECTS credits.
\section{Contribution}
\label{sec:contribution}
Currently there are a couple of Android apps available in the Google Play
store\footnote{\url{http://play.google.com/}} which allow to do simple votes, or
else they are clients of e-voting systems of a specific organisation. A
decentralized e-voting system which offers the cryptographic level of this
project is currently not available. The implementation and the evaluation of
this project will help to understand further strong and weak points of the CGS97
e-voting scheme, especially when using it in a decentralized configuration. So
far, the E-Voting Group of the Bern University of Applied Sciences has gained
expertise by implementing and operating e-voting systems on centralized systems
which are usually operated on notebooks or desktop computers. This project will
help gaining some experience in how e-voting systems can be used on mobile
devices.
Furthermore, the extensions for the UniCrypt library can be used for other
projects as well. In the area of e-voting, threshold cryptosystems and validity
proofs are considered being standard building blocks and can be used for the
implementation of other e-voting schemes.
\section{Outline}
\label{sec:outline}
\Vref{cha:brw} gives an overview of the work on which this project has been
based on. The cryptographic building blocks which we use are discussed, as well
as the e-voting scheme on which this work is based on. We also discuss projects
which have been implemented as a preparation of this master's thesis.
The project setup and the administrative aspects are covered in
\Vref{cha:organisation}. \Vref{cha:results} explains the resulting
implementation in detail.
\Vref{cha:discussion} reflects on the work which has been done, before ending
the document with a conclusion that summarizes the achievements
\myref{cha:conclusion}.
A handbook of the product which has been implemented during this project can be
found in the Appendix \myref{cha:handbook}.
\chapter{Background and Related Work}
\label{cha:brw}
This section gives an overview of the theoretical foundations and some projects
which have been implemented earlier in order to serve as a foundation for this
project.
\section{E-Voting in 2014}
\label{sec:evoting}
Electronic voting has been a field of research ever since the internet
revolutionized many areas of our daily life. Nevertheless, only few governments
have made e-voting publicly available for their citizens. Some countries, among
them Switzerland, are putting high efforts into officially introduce
e-voting as an official way of voting, along with paper based voting. The reason
why the introduction of e-voting takes much more time than for example e-banking
stems from the fact that e-voting requires some properties which are not easy to
implement. What follows is a non-exhaustive list of these properties.
\begin{description}
\item[Democracy:] Only eligible voters can vote, and each voter can
cast at most one ballot which will be included in the result.
\item[Accuracy:] The result is derived from \emph{all} valid
votes as they were cast, i.e. cast votes cannot be modified. No other factors
than valid votes can influence the result.
\item[Universal verifiability:] Anybody, even people who are not involved in
the voting process, can verify the correctness of the result.
\item[Individual verifiability:] A voter can verify that her vote
is included in the result as she cast it.
\item[Privacy:] The e-voting system does not reveal any information about what
option the voter has chosen.
\item[Receipt-freeness:] The voter cannot prove to anybody else how
she voted.
\item[Coercion-resistance:] The voter cannot be coerced, meaning it is not
possible to force a voter to vote in a particular way, or prevent a voter to
vote at all.
\item[Robustness:] An attacker or a small colluding set of the electorate is
not able to disrupt an election process or change the outcome by damaging a
small set of system components.
\end{description}
All these properties are discussed in detail in \cite{HS11} and \cite{Jonker09}.
The currently ongoing research efforts are put into developing approaches how
e-voting systems that meet all these requirements could be built. Many of the
properties mentioned above can be achieved by employing cryptographic building
blocks, which are discussed in the next section. The robustness property is
probably the biggest factor that prevents the breakthrough of e-voting on large scales.
E-voting systems are the perfect targets for an intended manipulation or a
boycott of an election. That is the reason why e-voting is currently used
only on small scales. The size of the electorate is limited so that it is
statistically unlikely to tip the scale to one side or the other.
\section{Cryptographic Building Blocks}
\label{sec:buildingblocks}
The voting scheme that is used in this project is assembled from some
well known cryptographic building blocks which are briefly explained in this section.
All these cryptographic building blocks belong to the area of \emph{asymmetric}
cryptography, which is usually based on a key pair, containing a
\emph{public key} and a \emph{private key}.
\subsection{Discrete Logarithm Problem}
\label{sec:discretelogarithm}
Asymmetric cryptography relies on a mathematical problem, which is nowadays
considered to be hard to solve, meaning that so far there is no known algorithm
to find a solution for a given problem efficiently. An example of such a problem
is the prime factorization of large numbers on which the security of the famous
RSA cryptosystem \cite{RSA78} is based on. The other hard problem of this kind
is known as the \emph{Discrete Logarithm Problem}. The formal definition of
the problem is as follows:
Given a prime $p$, a generator $g$ of a multiplicative modular group
$\mathbb{Z}^*_p$ and an element $b \in \mathbb{Z}^*_p$, find the integer $x,0
\leq x \leq p - 2$, such that $g^x \equiv b \mod p$.
Currently there is no efficient way of solving this equation in an efficient
manner. There are some more sophisticated approaches than the naive way of
iterating over all elements of the group, for example the baby-step giant-step
algorithm\footnote{\url{http://en.wikipedia.org/wiki/Baby-step_giant-step}}, but
it is still not possible to find a solution in polynomial time with respect to
the order of the group. The security of most of the building blocks which are
used in this project is based on this problem. Further information concerning
the discrete logarithm problem can be found in Chapter 3 of the Handbook of Applied
Cryptography by A. Menezes et. al.
\cite{book:hac}.
\subsection{ElGamal Cryptosystem}
\label{sec:elgamal}
The ElGamal cryptosystem \cite{EG84}, proposed by T. El Gamal in 1984, is the
asymmetric cryptosystem which is mostly used in the context of e-voting. An
asymmetric cryptosystem uses two keys to operate, one which is used to encrypt a
certain message (the public key) and another to decrypt the message (the private
key). The security of this cryptosystem is based on the fact that it is hard to
compute the logarithm in discrete modular groups and hence making the
exponentiation in modular groups a one way function. A major advantage of the
ElGamal cryptosystem is the fact, that the encryption function includes a random
value. Especially in the context of e-voting this is a crucial property, because
when encrypting a value (for example the value $1$ which means \textit{yes})
multiple times using the same public key, the resulting cipher text is always
different. That is why ElGamal is also called a \textit{randomized}
cryptosystem.
In order to define an ElGamal cryptosystem, three parameters are required. Let
$p$ and $q$ be large prime numbers such that $q|p-1$.\footnote{In the case of
$p=2q+1$ where $p$ and $q$ are primes, $p$ is called \emph{safe prime} and $q$
is called \emph{Sophie Germain prime}.}
The prime number $q$ defines the order of a subgroup $G_q$ of the multiplicative
modular group $\mathbb{Z}^*_p$. $\mathbb{Z}_q$ is an additive modular group of order $q$. The
last parameter needed is an arbitrarily chosen generator $g$ of the group $G_q$.
Further information concerning group theory can be found in Chapter 2 of the
Handbook of Applied Cryptography by Alfred Menezes et. al. \cite{book:hac}. We
can now derive the asymmetric key pair containing the private key $x \in_R
\mathbb{Z}_q$ and the public key $y=g^x \in G_q$. A message $m \in G_q$ can be
encrypted by first choosing a random value $r \in_R \mathbb{Z}_q$, and then
applying the following function:
\begin{equation}
Enc_y : G_q \times \mathbb{Z}_q \rightarrow G_q \times G_q,
(a, b)=Enc_y(m, r)=(g^r, y^r \cdot m) \notag
\end{equation}
The tuple $(a, b)$ is the cipher text of the message $m$. $m$ can be recovered using the private key $x$
by applying the decryption function:
\begin{equation}
Dec_x : G_q \times G_q \rightarrow G_q,
m=Dec_x(a, b)=a^{-x} \cdot b \notag
\end{equation}
\subsubsection{Exponential ElGamal}
\label{sec:expelgamal}
In the area of e-voting, we often find a slight variation of ElGamal which is
called \emph{exponential ElGamal}. In exponential ElGamal, we encode a message
$\hat{m}$ by using a generator $\hat{g}$ of $G_q$ and raise it to the power of
the message $\hat{m} \in \mathbb{Z}_q$. In many cases, the ElGamal parameter $g$
is used as $\hat{g}$, which makes it unnecessary to define a fourth
predefined parameter. Note that the message $\hat{m}$ is an element of the additive group
$\mathbb{Z}_q$ as opposed to the classical ElGamal where $m$ is an element of
the multiplicative group $G_q$. The modified encryption function of exponential
ElGamal looks as follows:
\begin{equation}
\hat{Enc_y} : \mathbb{Z}_q \times \mathbb{Z}_q \rightarrow G_q \times G_q,
(a, b)=\hat{Enc_y}(\hat{m}, r)=(g^r, y^r \cdot \hat{g}^{\hat{m}}) \notag
\end{equation}
In order to decrypt a given cipher text, we apply the ordinary ElGamal decryption
function and obtain the value $\hat{g}^{\hat{m}} \in G_q$. To reveal $\hat{m}$,
we would have to compute the discrete logarithm, which is a hard problem in
general. If we have knowledge about all the possible plain texts (e.g. we know
that a ballot either contains 0 for \emph{no} or 1 for \emph{yes}), we can just try all
possible plain texts.
Exponential ElGamal has another property which is important in the context of
e-voting: It transforms the right part of the ElGamal encryption function from a
multiplicative homomorphic function into an additive homomorphic function.
Homomorphic encryption is discussed in detail in \Cref{sec:homenc}.
\subsection{Homomorphic encryption}
\label{sec:homenc}
The ElGamal cryptosystem has a property
which is important for building verifiable e-voting schemes, namely the property
of \emph{homomorphism}. Given two mathematical groups $(X,\oplus)$ and
$(Y,\otimes)$, a mathematical function $f:X \rightarrow Y$ is $(\oplus, \otimes)$-homomorphic if
the following condition holds:
\begin{equation}
f(m_1) \otimes f(m_2) = f(m_1 \oplus m_2) \notag
\end{equation}
The ElGamal function offers exactly that property for its encryption function
$Enc_y:G_q \times \mathbb{Z}_q \rightarrow G_q \times G_q$ using the same public key $y$:
\begin{equation}
Enc_y(m_1, r_1) \cdot Enc_y(m_2, r_2) = Enc_y(m_1 \cdot m_2, r_1 + r_2)
\notag
\end{equation}
This property allows to calculate the encrypted product of all messages out of
the encrypted messages and decrypt only the result. Applied to e-voting, the
result can be computed out of the encrypted ballots and only the final result
needs to be decrypted. The ballots themselves can remain encrypted, which is
important for maintaining privacy. The ElGamal cryptosystem is homomorphic
respective to the multiplication operation in the message part, which is not
very fortunate for counting votes. Votes should be summed up in order to get the
final result. In order to reach this, we use the following mathematical property:
\begin{equation}
x^a \cdot x^b = x^{a+b} \notag
\end{equation}
This is exactly the property that we obtain by using exponential ElGamal as
discussed in \Vref{sec:expelgamal}. The product of all cipher text
values results in the encrypted sum of the cast ballots, encrypted using the
exponential ElGamal encryption function $\hat{Enc_y}:\mathbb{Z}_q \times
\mathbb{Z}_q \rightarrow G_q \times G_q$:
\begin{equation}
\hat{Enc_y}(m_1, r_1) \cdot \hat{Enc_y}(m_2, r_2) = \hat{Enc_y}(m_1 + m_2, r_1 +
r_2)
\notag
\end{equation}
After decrypting the product of all cipher texts, we end up with a value of the
form $\hat{g}^{(m_1+m_2)}$. The value that we are interested in is $m_1+m_2$.
This value can be obtained by computing the discrete logarithm, but we have seen in
\Vref{sec:discretelogarithm} that this is a hard problem. In the context of
e-voting, we can solve this problem by iterating over all possible solutions and
compare it with the decrypted value. The number of possible solutions cannot be
bigger than the number of cast ballots, therefore iterating over these solutions
is not a big problem.
\subsection{Secret sharing}
\label{sec:secretsharing}
In e-voting scenarios it is crucial that not a
single entity can manipulate the result or reveal single votes. This
responsibility, or in our case the private key which is needed to obtain the
final result, has to be spread across a set of so called trustees. In the CGS97
scheme, this property is achieved by using a secret sharing mechanism as
proposed by A. Shamir in 1979 \cite{Shamir79}. This scheme even allows to define a so called
\textit{threshold}, which defines the minimal amount of participating trustees
in order to decrypt the result. Such a system is also known as a
$(t-n)$-threshold scheme, where $n$ defines the number of shares which are
issued at the beginning and $t$ defines the minimal number of shares
needed to recover the secret. Equal to the ElGamal cryptosystem, we need two large primes
$p$ and $p$ such that $q|p-1$. The prime number $q$ defines the order of a
subgroup $G_q$ of the multiplicative modular group $\mathbb{Z}^*_p$.
$\mathbb{Z}_q$ is an additive modular group of order $q$. Having defined these
prerequisites, a secret can be shared as follows:
\begin{enumerate}
\item A trusted dealer chooses a polynomial $f(z) \in \mathbb{Z}_q(z)$ with
uniformly random chosen coefficients $f_0, \ldots, f_{t-1}$.
If the secret $x \in \mathbb{Z}_q$ has been defined earlier, the coefficient of degree $0$ has to
be equal to $x$.
\item The trusted dealer calculates a share $x_i = f(i)$ for $i = 1,\ldots,
n$.
\item The trusted dealer \emph{secretly} communicates the share $x_i$ to each
individual trustee.
\end{enumerate}
The secret itself, at this stage only known by the trusted dealer, is defined by
$x=f(0)$. In order to reproduce the secret using the shares distributed among
all trustees, we can use an interpolation technique such as Lagrange
interpolation, which allows us to reproduce the secret $f(0)$. Since a
polynomial function of degree $t-1$ is defined by at least $t$ points, the
secret can only be reproduced if at least $t$ trustees are collaborating and
contribute their shares.
The approach of Shamir is quite simple, but has one major drawback though: It
requires a trusted dealer which has the knowledge of the secret. It
it would be nice to have a scheme where the group of trustees collaborate to create
the shares in a way that nobody can derive the secret unless a
sufficient amount of trustees collaborate. In 1991, T. P. Pedersen proposed a scheme
\cite{PED91} where this trusted dealer is no longer required. In order to
jointly generate a secret, the trustees perform the following steps:
\begin{enumerate}
\item All trustees $\tau_i$ for $i = 1, \ldots, n$ choose a polynomial $f_i(z)
\in \mathbb{Z}_q(z)$ for $i = 1, \ldots, n$ with uniformly random chosen coefficients $f_{i0}, \ldots,
f_{i, t-1}$.
\item All trustees commit themselves to their chosen coefficients by
publishing the values $F_{ij} = g^{f_{ij}}$ for $j=0,\ldots, t-1$.
\item All trustees generate a secret $x_{ij} = f_i(j)$ for each
trustee $\tau_j, j=1,\ldots,n$ and send it through a secure channel to
$\tau_j$.
\item All trustees verify that the received shares are consistent with the
previously published coefficient commitments by verifying that the following
equation holds:
\begin{equation}
g^{x_{ji}} \stackrel{?}{=} \prod_{l=0}^{t-1} F_{jl}^{i^l} \notag
\end{equation}
If this verification fails, $\tau_i$ broadcasts a message that there was a
problem, publishes the malicious share $x_{ji}$, and stops the protocol.
\item All trustees with correct shares can now compute their share $x_i$ by
computing $x_i=\sum_{j=1}^n s_{ji}$.
\item The public key $y$ can be computed by calculating $y=\sum_{j=1}^n
F_{j0}$.
\end{enumerate}
The public key $y$ can now be used by anybody, for example to do an ElGamal
encryption. In order to decrypt an ElGamal cipher text $(a, b)$ created using the
public key $y$, at least $t$ trustees have to collaborate and execute the following steps:
\begin{enumerate}
\item Each collaborating trustee $\tau_i$ publishes a part decryption $w_i =
a^{s_j}$
\item Along with the part decryption $w_i$, each trustee has to publish a
proof that testifies the following relation:
\begin{equation}
\log_g g^{x_i} = \log_a w_i \notag
\end{equation}
This proves that the trustee $\tau_i$ indeed used its key share to do the part
decryption. Further details about zero-knowledge proofs can be found in
\Vref{sec:zeroknowledgeproofs}.
\end{enumerate}
As soon as at least $t$ part decryptions are publicly available, anyone can use
the Lagrange interpolation algorithm to recover the plain text. Let $\Lambda$ be a set of
at least $t$ available shares. Using this set, the Lagrange coefficients can be
calculated as follows:
\begin{equation}
\lambda_{j,\Lambda} = \prod_{l\in \Lambda \backslash \{j\}} \frac{l}{l-j} \notag
\end{equation}
The plain text $m$ of the ElGamal cipher text $(a, b)$ can then be recovered as
follows:
\begin{equation}
m = \frac{b}{\prod_{j \in \Lambda} w_j^{\lambda_{j,\Lambda}}} \notag
\end{equation}
Note that a set of at least $t$ trustees could recover the secret $x$ just
by running an interpolation algorithm. If $f(z)$ is the function recovered by
interpolation, the secret $x$ can be found by calculating $x=f(0)$. Recovering
the secret is not desirable in the CGS97 voting scheme though, because a
reunited secret key could be used to violate the privacy of the voters.
\subsection{Zero-knowledge proofs}
\label{sec:zeroknowledgeproofs}
Zero-knowledge proofs (ZKPs) in their sense are conversations between a
\textit{prover} and a \textit{verifier}. They allow the prover to demonstrate,
that she knows a secret without actually revealing the secret itself. The
conversation is similar to a challenge-response protocol. The verifier asks the
prover certain questions about the secret and the verifier answers them. This
kind of conversations are also known as $\Sigma$-protocols. Of course, the
prover could just guess the correct answer to the question and cheat, but if the
verifier repeats the challenge process with a different input, chances are
almost zero that the prover can guess all the correct answers if she is not in
fact in possession of the secret. Zero-knowledge proofs offer therefore a
\textit{probabilistic} security. In the context of e-voting, these
zero-knowledge proofs are used to make sure that none of the participants are
cheating.
\subsubsection{Non-interactive zero-knowledge proofs}
\label{sec:nizkp}
Zero-knowledge proofs as described earlier are \textit{interactive}
conversations between a prover and a verifier. This also means that the prover
proves only to the verifier that she has knowledge of the secret. Of course, any
observer could observe the conversation, but there is no way to determine
whether the verifier actually accepts the the proof or not. The verifier could
of course testify that the prover has the knowledge of the secret, but that
would require a trust relationship between the observer and the verifier. In
an e-voting scenario, we need a proof which can be verified by anybody and does
not require an interactive conversation between the verifier and the prover.
Such proofs are called \textit{non-interactive zero-knowledge proofs} or
\textit{NIZKPs}. The foundations of these NIZKPs were introduced by A. Fiat and
A. Shamir in 1986 \cite{FS87}, later known as the \textit{Fiat-Shamir
heuristic}. Instead of the verifier challenging the prover, the prover
challenges himself by using a \emph{hash function} such as SHA-256. As input for
this hash function, publicly known values are used. A verifier can use these
publicly known values later to verify that the challenge was created correctly.
The result of such a non-interactive zero-knowledge proof is similar to a
digital signature. Once published, everybody can verify the integrity of the
data over which the signature has been calculated. In a similar way,
non-interactive zero-knowledge proofs can be verified, with the important
difference that the secret of course remains secret. So far, we did not specify
what a secret actually is. There are multiple types of secrets and therefore
also multiple types of zero-knowledge proofs, but due to the work of U. Maurer
\cite{Maurer09}, we can formulate a general recipe how such a NIZKP is
assembled:
Let $(X,\oplus)$ and $(Y,\otimes)$ be two mathematical groups and
$f:X \rightarrow Y$ be a one-way homomorphic function. The prover wants to prove
that she knows the preimage $\alpha \in X$ of the publicly known value $\beta \in
Y$, where $\beta=f(\alpha)$. In order to prove the knowledge of the value
$\alpha$, the prover performs the following steps:
\begin{enumerate}
\item Choose a uniformly random value $\omega \in_R X$
\item Compute $t=f(\omega)$
\item Compute $c=H(\beta||t)$, where $H$ represents a \emph{hash function} such
as SHA-256
\item Compute $s=\omega \oplus c \cdot \alpha$
\item Publish the proof $\pi = (t,s)$
\end{enumerate}
A verifier can now calculate $c=H(\beta||t)$ and check whether the following
condition holds:
\begin{equation}
f(s) \stackrel{?}{=} t \otimes \beta^c \notag
\end{equation}
In the following paragraphs, the different types of proofs used in this
project are briefly explained and adapted to the generalized scheme explained
before.
\subsubsection{Proving the Knowledge of Discrete Logarithm}
\label{sec:proofknowledgedlog}
This type of proof was first presented by C. P. Schnorr in 1991
\cite{Schnorr91}. We have seen that the ElGamal encryption function has the
homomorphic property \myref{sec:homenc}. Therefore, it is possible to prove the
knowledge of the plain text of a given cipher text by applying the scheme above.
We define the ElGamal encryption function using the public key $y$ and the
predefined generator $g$ of the group $G_q$ as follows:
\begin{equation}
Enc_y:G_q \times \mathbb{Z}_q \rightarrow G_q \times G_q, (a,b) = Enc_y(m,
r)=(g^r, y^r \cdot m) \notag
\end{equation}
Since $g$ and $y$ are publicly known values, the knowledge of the value $r$
implies the knowledge of $m$, therefore the prover only needs to prove the
knowledge of $r$, which can be done by substituting the following variables in
the generic scheme above:
\begin{align}
X &= \mathbb{Z}_q \notag \\
Y &= G_q \notag \\
\alpha &=r \notag \\
\beta &=a \notag \\
f(x) &= g^x \notag
\end{align}
This translates to the following steps:
\begin{enumerate}
\item Choose a uniformly random value $\omega \in_R \mathbb{Z}_q$
\item Compute $t=g^\omega$
\item Compute $c=H(a||t)$, where $H$ represents a \emph{hash function} such
as SHA-256
\item Compute $s=\omega + c \cdot r$
\item Publish the proof $\pi = (t,s)$
\end{enumerate}
A verifier can now verify the knowledge of $r$ and therefore $m$ by calculating
$c=H(a||t)$ and check whether the following condition holds:
\begin{equation}
g^s \stackrel{?}{=} t \cdot a^c \notag
\end{equation}
\subsubsection{Proving the Equality of Discrete Logarithms}
\label{sec:proofeqdlog}
This type of proof due to D. Chaum and T. P. Pedersen \cite{CP93}
proves the relation $log_{g_1} c_1 = log_{g_2} c_2 $ for two values $c_1 =
g_1^m$ and $c_2 = g_2^m$, where $g_1$ and $g_2$ are generators of the
mathematical group $G_q$. In order to prove this relation, we can again
substitute the variables in the scheme above:
\begin{align}
X &= \mathbb{Z}_q \notag \\
Y &= G_q \times G_q \notag \\
\alpha &=m \notag \\
\beta &=(c_1, c_2) \notag \\
f(x) &= (g_1^x, g_2^x) \notag
\end{align}
This translates to the following steps:
\begin{enumerate}
\item Choose a uniformly random value $\omega \in_R \mathbb{Z}_q$
\item Compute $t=(g_1^\omega, g_2^\omega)$
\item Compute $c=H(c_1||c_2||t)$, where $H$ represents a
\emph{hash function} such as SHA-256
\item Compute $s=\omega + c \cdot m$
\item Publish the proof $\pi = (t,s)$
\end{enumerate}
A verifier can now verify the relation by calculating
$c=H(c_1||c_2||t)$ and check whether the following condition holds:
\begin{equation}
(g_1^s, g_2^s) \stackrel{?}{=} t \cdot (c_1, c_2)^c \notag
\end{equation}
\subsubsection{Proving Validity}
\label{sec:proofofvalidity}
Proofs of validity are used to prove that a certain image of a homomorphic one
way function is in fact the image of a preimage, and the preimage is an element
of a set of possible preimages. The proof however does not reveal which preimage
it actually is. This type of proof is not a straight forward application of the
generalized scheme of Maurer \cite{Maurer09}, it is rather an OR-composition of
several zero-knowledge proofs of knowledge. The idea is to \emph{simulate}
accepting conversations for the preimages which do not correspond to the
calculated image and combine those simulated proofs with the actual proof from
the image we calculated.
Let $(X,\oplus)$ and $(Y,\otimes)$ be two mathematical groups, $f:X \rightarrow
Y$ be a one-way homomorphic function and $A=\{\alpha_1,\ldots,\alpha_n\} \subseteq X$
be a set of $n$ possible preimages. The prover wants to prove that the publicly known
image $\beta=f(\alpha_i) \in Y$ belongs to a preimage $\alpha_i$ without
revealing which preimage it actually is.
\paragraph{Value Precomputation.} In this phase, we need to compute a specially
crafted image for all the possible preimages without the preimage for which the
proof is being created. This can be done by executing the following step:
\begin{enumerate}
\item Compute $\beta_j = \beta \cdot \alpha_j^{-1}$ for $j=(1,...,n)$.
\end{enumerate}
\paragraph{Proof Generation.} Now the proof can be created using the
values $b_j$ created in the precomputation phase, the chosen preimage $a_i$ and
the index $i$.
\begin{enumerate}
\item Select challenges $(c_1, \ldots, c_{i-1}, c_{i+1}, \ldots, c_n) \in_R
X^{n-1}$
\item Select responses $(s_1, \ldots, s_{i-1}, s_{i+1}, \ldots, s_n) \in_R
X^{n-1}$
\item Compute commitments $t_j=f(s_j) \cdot \beta_j^{-c_j} \in Y$ for
$j=(1, \ldots, i-1, i+1, \ldots, n)$
\item Select $\omega_i \in_R X$
\item Compute $t_i=f(\omega_i) \in Y$
\item Compute challenge $c\in X$ with hash function\footnote{Usually a
hash function such as SHA-256 is used, which does not necessary produce an
element of $X$. Some sort of mapping is required.} $H$:
$c=H(\beta_1||\ldots||\beta_n||t_1||\ldots||t_n)$
\item Compute $c_i=c\oplus(\sum_{j=1, j \neq i}^n c_j)^{-1} \in X$
\item Compute $s_i=\omega_i \oplus c_i \cdot \alpha \in X$
\item Publish the proof $\pi = (t_1,\ldots,t_n,c_1,\ldots,c_n,s_1,\ldots,s_n)$
\end{enumerate}
\paragraph{Verification.} The verification step needs the same precomputation
for all the values $\beta_j$. The proof itself can be verified checking that
the following conditions hold:
\begin{align}
f(s_j) &\stackrel{?}{=} t_j \cdot \beta_j^{c_j} \text{ for } j=(1...n)
\notag \\
\sum_{j=1,}^n c_j &\stackrel{?}{=}
H(\beta_1||\ldots||\beta_n||t_1||\ldots||t_n)
\notag
\end{align}
The formal description above depicts how a general OR-proof is assembled. The
cryptographic building block we need for our implementation is a proof of
validity, which proves that the plain text $m$ of a certain ElGamal cipher text
$(a, b)$ is an element of a set of possible plain texts $M=\{m_1, \ldots, m_n\}$. This
scenario can be seen as an instance of an OR-proof. We can show this relation by
substituting the variables in the generalized schema above as follows:
\begin{align}
X &= \mathbb{Z}_q \notag \\
Y &= G_q \times G_q \notag \\
\alpha &=r \notag \\
\beta &=(a, b) \notag \\
f(x) &= (g^x, y^x) \notag
\end{align}
Note that as a function $f(x)$, we use the \emph{identity function} of ElGamal,
which encrypts the identity element of the domain (in the case of the
multiplicative cyclic group $G_q$, the identity element is $1$).
\subsection{Bulletin Board}
\label{sec:bulletinboard}
The so called bulletin board is the public communication channel which is used
to communicate between the participants of the vote. It is a
transcript of all the communication steps between the participants and therefore
contains encrypted ballots, zero knowledge proofs, etc. The bulletin board is
also available for observers. Using the content of the bulletin board, everybody
can verify that all the participants are following the protocol or that
dishonest participants are excluded from the voting process. A voter can verify
that his/her own ballot is counted properly and also reflects in the final
result. In theory, it is not possible to delete anything from a bulletin board
(append only). There are several approaches on how to create such an
append-only bulletin board. The CGS97 protocol itself only assumes this
append-only property. Append-only bulletin boards are discussed in more detail
in \cite{HL09}. Since the bulletin board is a good target for a
denial-of-service attack, it is a good idea to replicate the content of the bulletin board to multiple systems.
\section{The Voting Scheme CGS97}
\label{sec:CGS97}
In 1997, R. Cramer, R. Gennaro and B. Schoenmakers proposed a scheme
\cite{CGS97} which allows to do e-voting in a secure and verifiable manner. The participants of
the protocol can be divided into four different roles:
\begin{itemize}
\item \textbf{Administrator:} The administrator is responsible for setting up
the election by defining the question and the possible options, the
electorate and the voting period. The administrator is also responsible for
orchestrating the activities during a voting cycle.
\item \textbf{Voter:} A voter is somebody who is eligible to participate on
a vote.
\item \textbf{Trustee:} A trustee is somebody who helps setting up the
election by creating an asymmetric key pair in cooperation with other
trustees.
At the end of the voting phase, the trustees have to cooperate in order to
reveal the result of the vote.
\item \textbf{Observer:} An observer is somebody who wants to verify that all
the voters and trustees of a voting cycle behave as they are supposed to.
\end{itemize}
In the case of a decentralized voting system, the voter, trustee and
observer roles can be combined and all participants impersonate these roles. The
administrator role needs to be assigned to one particular participant.
\subsection{The Protocol}
The CGS97 voting scheme has a well defined procedure on how a vote should be
performed. This procedure is explained in this section. Formally we define the set
of $n$ trustees as $T=\{\tau_1, \ldots, \tau_n\}$ and the set of $l$
voters as $V=\{v_1, \ldots, v_l\}$. Furthermore, the role of an
administrator $A$ needs to be assigned to a participant. The process of these role assignments
strongly depends on the political structure of the organisation which runs
the vote and is considered to be an administrative task and is hence not
further discussed at this point. The procedure how a vote is performed looks as
follows:
\paragraph{Initialization Phase.}
All the parties need to agree on the ElGamal parameters $p, q,$ and $g$. These
parameters can be seen as fixed parameters and do not need to be redefined for
each vote. Further details regarding these parameters can be found in
\Vref{sec:elgamal}. Furthermore, the administrator $A$ defines the question and
all the possible options of the upcoming vote.
\paragraph{Key Generation Phase.}
All the trustees execute a robust threshold key generation protocol as discussed
in \Vref{sec:secretsharing}. At this stage, a \emph{threshold}
$t\leq|T|$ must be defined. This parameter defines the minimal number of
trustees which are required to collaborate in order to decrypt the final result
in the tallying phase.
The transcript of the key generation protocol is posted on the bulletin board
\myref{sec:bulletinboard}. The outcome of this key generation protocol is an
ElGamal public key $y$ which needs to be communicated to all the voters.
\paragraph{Voting Phase.}
During a well defined time window, the voters can now create and cast a ballot.
To do so, the voters encrypt their ballots using the public key $y$ and post
them to the bulletin board. Note that we need to use \emph{exponential
ElGamal} \myref{sec:expelgamal} so that we can \emph{add} the result in an upcoming
stage.
Furthermore, each voter needs to post a proof of validity
\myref{sec:proofofvalidity} on the bulletin board in order to prove that
the encrypted ballot indeed contains a valid option of the election.
\paragraph{Tallying Phase.}
The tallying phase can start as soon as the voting period has come to an end. In
order to tally a vote, the cipher texts of the valid ballots are multiplied
and posted to the bulletin board. Since all the encrypted ballots are publicly
available, this multiplication step can be verified easily by doing the
multiplication individually and compare the result to the values on the
bulletin board. The product of all the valid ballots now represents the
\emph{encrypted result} of the vote. This result has to be decrypted by the
trustees. The trustees execute a threshold decryption
protocol in order to reveal the result of the election. Note that we only need a subset $\Lambda \subseteq T$ with minimal order $t$ in order to execute the
protocol properly. The transcript of the protocol and the result are posted on
the bulletin board. Furthermore, each participating trustee has to provide a
proof that he performed his decryption step in a correct fashion.
\subsection{Voting Properties}
\label{sec:secproperties}
In \Vref{sec:evoting} we discussed some security requirements which
are desirable for e-voting systems. The following paragraph assesses the CGS97
protocol against these requirements.
\paragraph{Democracy.} The CGS97 protocol does not specify how the access to
the virtual voting booth is controlled. The e-voting system which implements
the CGS97 protocol needs a sufficiently secure authentication mechanism in order to
fulfill the democracy requirement. The criteria that only one valid vote can be
cast is also tied to the authentication mechanism.
\paragraph{Accuracy.} A zero-knowledge proof is used to prove that all valid
ballots are tallied correctly. Since the all the relevant information is
publicly accessible on the bulletin board, this can be
verified by anybody.
\paragraph{Universal verifiability.} The bulletin board which is publicly
available (for voters as well as for observers who do not participate at the
vote) assures verifiability for anybody. The bulletin board can also
be seen as a transcript of the conversation between the actors during a voting
cycle.
\paragraph{Individual verifiability.} The voter can identify her own vote on
the bulletin board along with the other votes. By verifying the zero-knowledge
proofs of the trustees which are created during the tallying and
decryption of the result, the voter can be sure that her vote has been included
in the final result.
\paragraph{Privacy.} The ballot which has been encrypted and cast by the
voter always remains encrypted unless a sufficient amount of trustees decide
conspire and decrypt single votes and reveal information on how the participants
voted.
\paragraph{Receipt-freeness.} A voter using the CGS97 scheme is able to create a
receipt which can be used to prove to another person which option has been
chosen. The CGS97 scheme hence does not offer receipt-freeness.
\paragraph{Coercion-resistance.} Coercion resistant protocols have mechanisms
to allow the voter to lie about the vote when under coercion. The voter pretends