IPC분류정보
| 국가/구분 |
United States(US) Patent
등록
|
| 국제특허분류(IPC7판) |
|
| 출원번호 |
US-0816869
(2001-03-24)
|
|
발명자
/ 주소 |
|
| 출원인 / 주소 |
|
| 대리인 / 주소 |
|
| 인용정보 |
피인용 횟수 :
71 인용 특허 :
19 |
초록
▼
A cryptographic process permits one to verifiably shuffle a series of input data elements. One or more authorities or individuals “shuffle,” or “anonymize” the input data (e.g. public keys in discrete log form or ElGamal encrypted ballot data). The process includes a validity construction that preve
A cryptographic process permits one to verifiably shuffle a series of input data elements. One or more authorities or individuals “shuffle,” or “anonymize” the input data (e.g. public keys in discrete log form or ElGamal encrypted ballot data). The process includes a validity construction that prevents any one or more of the authorities or individuals from making any changes to the original data without being discovered by anyone auditing a resulting proof transcript. The shuffling may be performed at various times. In the election example, the shuffling may be performed, e.g., after ballots are collected or during the registration, or ballot request phase of the election, thereby anonymizing the identities of the voters.
대표청구항
▼
1. An electronic voting system for use with a computerized network, comprising:a plurality of voting computers coupled to the computerized network, wherein each voting computer provides an electronic encrypted ballot, wherein each electronic ballot is encrypted under a discrete log asymmetric encryp
1. An electronic voting system for use with a computerized network, comprising:a plurality of voting computers coupled to the computerized network, wherein each voting computer provides an electronic encrypted ballot, wherein each electronic ballot is encrypted under a discrete log asymmetric encryption process using underlying groups Zp or elliptic curve; at least first, second and third authority computers coupled to the computerized network, wherein the first authority computer is configured to receive a series of electronic ballots corresponding to an aggregation of each of the electronic ballots received from the plurality of voting computers, and to apply a secret, one-way cryptographic transformation using at least a first secret key to anonymously shuffle the series of electronic ballots and produce a first shuffled series of ballots, wherein only the first authority computer knows a correspondence between the first series of shuffled ballots and the series of electronic ballots, and wherein the first authority computer is further configured to provide a first non-interactive proof of correctness for the first series of shuffled ballots based on a scaled iterated logarithmic multiplication proof; wherein the second authority computer is configured to receive the first series of shuffled ballots, to apply the cryptographic transformation using at least a second secret key to anonymously shuffle the first series of shuffled ballots and produce a second series of shuffled ballots, wherein only the second authority computer knows a correspondence between the first series of shuffled ballots and the second series of shuffled ballots, and wherein the second authority computer is further configured to provide a second non-interactive proof of correctness for the second series of shuffled ballots based on the scaled iterated logarithmic multiplication proof; wherein the third authority computer is configured to receive the second series of shuffled ballots, to apply the cryptographic transformation using at least a third secret key to anonymously shuffle the second series of shuffled ballots and produce a third series of shuffled ballots, wherein only the third authority computer knows a correspondence between the third series of shuffled ballots and the second series of shuffled ballots, and wherein the third authority computer is further configured to provide a third non-interactive proof of correctness for the third series of shuffled ballots based on the scaled iterated logarithmic multiplication proof; and a verification computer coupled to the computerized network, wherein the verification computer is configured to receive the proofs of correctness from the first, second and third authority computers and without interacting with the first, second and third authority computers, to verify a correctness of the shuffled ballots. 2. The system of claim 1, further comprising:a server computer system coupled to the computerized network, wherein the server computer system is configured to: receive the plurality of electronic ballots from the plurality of voting computers; verify a proof of validity of each of the plurality of electronic ballots; form an encrypted tally of the votes from the plurality of electronic ballots; transmit the encrypted tally to the first, second and third authority computers; receive ballot decryption shares produced from at least two of the first, second and third authority computers; and compute a decrypted tally; and at least one voting poll computer coupled to the computerized network and providing some of the plurality of electronic encrypted ballots to the server computer system. 3. The system of claim 1 wherein the first, second and third authority computers are configured to provide Chaum-Pedersen proofs for the first, second and third shuffles of the ballots, respectively, and wherein each of the first, second and third authority computers generate an initial challenge series, receive a challenge from at least one verification computer, and generate the cryptographic transformation based on an exponentiation of the initial and received challenges.4. The system of claim 1 wherein the computerized network includes the World Wide Web, wherein each of the plurality of voting computers and first, second and third authority computers include a web browser program.5. The system of claim 1 wherein the plurality of voter computers include at least one palm-sized computer, cell phone, wearable computer, interactive television terminal or Internet appliance.6. A computer system for receiving a sequence of elements, comprising:a server computer coupled to a computer network and configured to: receive a sequence of electronic data elements representing individual data files, apply a cryptographic transformation using at least a first secret key to anonymously permute the sequence of electronic data elements and produce a first shuffled sequence of electronic data elements, wherein the server computer knows a correspondence between the first shuffled sequence of electronic data elements and the sequence of electronic data elements, and generate a first proof of correctness for the first shuffled sequence of electronic data elements based on a scaled iterated logarithmic multiplication proof. 7. The system of claim 6 wherein the received sequence of electronic data elements are encrypted using Zp or elliptic curve groups using a key unknown to the server computer, and wherein the server computer is further configured to:receive a series of randomly generated values ei from a verifier computer; secretly generate a series of values Ui based on a secret, one-way cryptographic transformation that employs the received series of values ei and secretly generated values ?i permute the sequence of electronic data elements to produce the first shuffled sequence of elements based on the series of values Ui and a secret value d; and provide the values Ui and a series of proof values based on the cryptographic transformation as a proof of knowledge that the server computer has access to how the cryptographic transformation permuted the sequence of electronic data elements to produce the first shuffled sequence of elements without revealing the cryptographic transformation to the verifier computer. 8. The system of claim 6 wherein the server computer is further configured for:receiving a plurality of public keys from a corresponding plurality of individuals, wherein each of the plurality of individuals have a private key corresponding to one of the plurality of public keys; receiving a request for a certificate from one of the plurality of individuals having a one private key; providing at least a subset of the plurality of public keys to the requesting individual; receiving a shuffle of the plurality of public keys and a linear size proof of correctness for the shuffled public keys based on a scaled iterated logarithmic multiplication proof and a value corresponding to the one private key, wherein the value provides proof that the one individual has knowledge of the one private key without revealing the one private key; checking the proof of correctness; checking that the value is mathematically related to a one of the public keys that corresponds to the one private key; issuing a certificate to the one individual; and reducing the plurality of public keys by the one public key. 9. The system of claim 6 wherein the sequence of electronic elements are public keys, and wherein the server if further configured to check, in response to a request from an individual, that the individual has a value uniquely and mathematically related to a one of the public keys; andif so, issue a certificate to the one individual. 10. A computer-implemented method, comprising:receiving a plurality of public keys from a corresponding plurality of individuals, wherein each of the plurality of individuals have a private key corresponding to one of the plurality of public keys; receiving a request for a certificate from one of the plurality of individuals having a one private key; providing at least a subset of the plurality of public keys to the requesting individual; receiving a shuffle of the plurality of public keys and a proof of correctness for the shuffled public keys based on a scaled iterated logarithmic multiplication proof and a value corresponding to the one private key, wherein the value provides proof that the one individual has knowledge of the one private key without revealing the one private key; checking the proof of correctness; checking that the value is mathematically related to a one of the public keys that corresponds to the one private key; issuing a certificate to the one individual; and reducing the plurality of public keys by the one public key. 11. The method of claim 10 wherein the method further includes setting a value G to a subgroup operator g from an Zp or elliptic curve group, wherein providing at least a subset of the plurality of public keys includes providing all of the then current public keys H.12. The method of claim 10 wherein providing at least a subset of the plurality of public keys includes providing at least a subset of a plurality of public key pairs, wherein receiving a shuffle of the plurality of public keys includes receiving a shuffle of a true subset of the plurality of public key pairs as selected by the one individual.13. The method of claim 10, further comprising:receiving from each of a plurality of authorities, in sequence, a shuffled set of the plurality of public keys H′ based on a secret cryptographic shuffle operation performed on at least a subset of the plurality of public keys to produce the shuffled set of the plurality of public keys H′; receiving from each of a plurality of authorities, in sequence, a verification transcript of the cryptographic shuffle operation; and verifying a correctness of the cryptographic shuffle operation based on the verification transcript; and if verified, then setting at least a subset of the plurality of public keys to H to H′. 14. The method of claim 10, further comprising:at a time after receiving at least some of the plurality of public keys, setting at least a subset of the then received plurality of public keys to a received shuffled set of the plurality of public keys, wherein the shuffled set of the plurality of public keys have been received from a third party. 15. The method of claim 10, further comprising:receiving the issued certificate from the one of the plurality of individuals; and providing an electronic ballot to the one individual. 16. The method of claim 10 wherein issuing a certificate includes digitally signing the received request to produce a public key infrastructure (“PKI”) certificate.17. The method of claim 10, further comprising:receiving issued certificates from at least some of the plurality of individuals and providing initial electronic ballots in response thereto; and receiving unencrypted voted ballots from the at least some of the plurality of individuals. 18. A computer-implemented cryptographic method between a prover computer and a verifier computer with respect to first and second sequences of data elements, the method comprising:selecting a subgroup generator g selected from a group G; secretly generating a prover key c, and a commitment value C based on the subgroup generator g; secretly establishing a cryptographic relationship between first and second sequences of elements, wherein the cryptographic relationship employs scaled iterated logarithmic multiplication; providing to the verifier computer the commitment C and the first and second sequences of elements, but not the cryptographic relationship; computing a series of proof values based on the cryptographic relationship; and providing the series of computed proof values to the verifier computer as a non-interactive proof of knowledge that the prover computer has access to the cryptographic relationship without revealing the cryptographic relationship to the verifier computer. 19. The method of claim 18 wherein at least the second sequence of elements is a sequence of encrypted ballots, wherein each ballot is encrypted using Zp or elliptic curve groups;wherein the first and second sequences of elements are respectively (X1, . . . , Xk) and (Y1, . . . , Yk) wherein the first and second sequence of elements have the cryptographic relationship and wherein computing and providing the series of proof (gu1, . . . ,guk)=(X1, . . . ,Xk) (gv1, . . . ,gvk)=(Y1, . . . ,Yk) and where ?values includes providing Chaum-Pedersen proofs based on: for each 0?i?k generate random ri Ri=gri for each 1?i?kwi=riui/ri?1 Wi=gwi zi=wi/vi Zi=gzi ?wherein the Chaum-Pedersen proofs provided to the verifier computer are of a form: (Ri?1,Xi,Ri,Wi) and (Yi,Wi,Zi). 20. The method of claim 18, further comprising:permuting the first sequence of elements to produce the second sequence of elements based on a cryptographic transformation; receiving a randomly generated value t from the verifier computer; secretly generating a value T based on the received value t and the subgroup generator, and secretly generating a value S based on the received value t and the prover key c; and wherein computing and providing to the verifier computer the series of proof values includes providing a series of values based on the cryptographic transformation as a proof of knowledge that the prover computer has access to how the cryptographic transformation permuted the first sequence of elements to produce the second sequence of elements without revealing the cryptographic transformation to the verifier computer. 21. The method of claim 18, further comprising:permuting the first sequence of elements to produce the second sequence of elements based on a cryptographic transformation in a form of (gu1, . . . ,guk) and (X1, . . . ,Xk) (gcuπ(1), . . . , gcuπ(k))=(Y1, . . . ,Yk) receiving a randomly generated value t from the verifier computer; secretly generating a value T based on raising the subgroup generator g to the received value t, and secretly generating a value S based on raising the value T to the prover key c; and wherein computing and providing to the verifier computer the series of proof values includes providing a series of values based on the cryptographic transformation in a form of: Ui=Xi/T Vi=Yi/S ?as a proof of knowledge that the prover computer has access to how the cryptographic transformation permuted the first sequence of element to provide the second sequence of elements without revealing the cryptographic transformation to the verifier computer. 22. The method of claim 18, further comprising:receiving the first sequence of elements as a set of elements that have previously been permuted in a manner unknown to the prover computer; receiving a series of randomly generated values ei from the verifier computer; secretly generating a series of values Ui based on a secret cryptographic transformation that employs the received series of values ei and secretly generated values ?i permuting the second sequence of elements with respect to the first sequence of elements based on the series of values Ui and a secret value d; and wherein computing and providing to the verifier computer the series of proof values includes providing the resulting values Ui and providing a series of proof values based on the cryptographic transformation as a proof of knowledge that the prover computer has access to how the cryptographic transformation permuted the first sequence of element to provide the second sequence of elements without revealing the cryptographic transformation to the verifier computer. 23. The method of claim 18, further comprising:receiving the first sequence of elements as a set of elements that have previously been permuted in a manner unknown to the prover computer; receiving a series of randomly generated values ei from the verifier computer; secretly generating a series of values Ui based on a secret cryptographic transformation of a form ui=?i+ei=loggUi permuting the second sequence of elements with respect to the first sequence of elements based on the series of values Ui and a secret value d based on the following operations (V1, . . . ,Vk)=(Uπ(1)d, . . . ,Uπ(k)d) D=gd vi=loggVi Ai=Xivi Bi=Yiui and wherein computing and providing to the verifier the series of proof values includes providing the resulting values Ui, ?and for 1?i?k, providing a series of proof Chaum-Pedersen of a form (g,Vi,Xi,Ai) and (g,Ui,Yi,Bi) and a Chaum-Pedersen proof for (D, A, C, B) as a proof of knowledge that the prover computer has access to how the cryptographic transformation permuted the first sequence of element to provide the second sequence of elements without revealing the cryptographic transformation to the verifier computer. 24. The method of claim 23, further comprising repeating the receiving the first sequence of elements, receiving a series of randomly generated values, secretly generating a series of values, and permuting the second sequence of elements for l-tuple of elements in the first sequence of elements.25. The method of claim 22 wherein receiving the first sequence of elements includes receiving a subset of a set of identifying elements, wherein each identifying element in the set corresponds to an individual, and wherein the method further comprises:receiving an anonymous certificate if the verifying computer verifies the series of proofs. 26. The method of claim 18 wherein the group G is zp.27. The method of claim 18 wherein the group G is an elliptic curve group.28. A computer-readable medium whose contents provide instructions, when implemented by a computer, perform a shuffling of a sequence of electronic data elements, comprising:receive the sequence of electronic data elements; apply a secret, one-way cryptographic transformation using at least a first secret key to anonymously permute the sequence of electronic data elements and produce a first shuffled sequence of electronic data elements; and generate a non-interactive proof of correctness for the first shuffled sequence of electronic data elements based on a scaled iterated logarithmic multiplication proof. 29. The computer-readable medium of claim 28 wherein the received sequence of electronic data elements are encrypted with an underlying mathematical group being a ring of integers having a modulus integer value p (Zp).30. The computer-readable medium of claim 28 wherein the computer-readable medium is a logical node in a computer network receiving the sequence of electronic data elements and the contents.31. The computer-readable medium of claim 28 wherein the computer-readable medium is a computer-readable disk.32. The computer-readable medium of claim 28 wherein the computer-readable medium is a data transmission medium transmitting a generated data signal containing the contents.33. The computer-readable medium of claim 28 wherein the computer-readable medium is a memory of a computer system.34. The computer-readable medium of claim 28 wherein the computer-readable medium is an Internet connection link to a voting authority server computer.35. In a cryptographic method, a transmitted signal for use by a computer, comprising:a shuffled sequence of electronic data elements representing individual data files, wherein a one-way cryptographic transformation using at least a first secret key anonymously permuted an input sequence of electronic data elements to produce the shuffled sequence of electronic data elements, and a proof of correctness for the shuffled sequence of electronic data elements based on a scaled iterated logarithmic multiplication proof.
※ AI-Helper는 부적절한 답변을 할 수 있습니다.