Workshop on Electronic voting

Independent verifier for Mixnet

Fall 2012

D:\C:\Program Files\ 2.0\share\gallery\rulers\blurulr6.gif


General Information

Lecturer: Amnon Ta-Shma.

T.A.: Tomer Hasid,

Lecture Hours: Wednesdays, 10:10-12:00. Location: TBA

** Our first meeting is on Wedensday, 24/10/2012, 10:10 **







Background Electronic Voting, Crypto.

Detailed description: DLOG, ElGamal encryption, Zero-knowledge proofs.

High-level description of other important crypto primitives: digital signatures, symmetric encryption, Mix-nets.


Projects description. How to design an independent verifier to Verificatum?


Send us E-mail telling us which team you are(and let us know if you still don't have one).


     Each person should read the project description.

         Set up a team meeting: Try to understand together the parts that are less clear to you in the document and plan your work on the design.

18.11.12 - 5.12.12

         Write the design specification - What should be in your design specification?


         Set up meetings with us or send E-mails if you need help.


         Design approval (and design fixes if needed).


         Implementing and testing.



Mixnet Verification


4 students, further divided into specific tasks

Wombat- Ballot Verification using Mobile Phones


1 student

Improving the GUI of last year project:

Given an audit ballot, scan it and verify its correctness using android. Alternatively, write such an application for iphone (2 students).



o   Verificatum a mixnet system

o   Slides

o   How to design an independent verifier to Verificatum?

o   Verificatum manual

o   How to install Verificatum? Install scripts


         General background on basic cryptographic primitives.

o   Nikos lecture notes.

o   Great summary of the main primitives we use (written by Tomer Levinboim).

o   Number theory background:

o   Amos Fiat and Adi Shamir: How to prove yourself: practical solutions to identification and signatures problems.

o   Ben Riva's thesis.

o   Elliptic curve cryptography


         General background on e-voting.

o   Links to some US newspaper articles and other sources of information.

o   Voting system malfunction at the Likud's primaries .



o   Wombat home page

o   An android application for verifying Wombat ballots.



What should be in your design specification?




FAQ from previous semesters

(answers by Oded Schwartz and Ben Riva):



Should we describe the ZKP needed in our project?




What is the coverage of the design (e.g. how many pages are expected?)


The design should be such that it is clear to us (and to you) what you are going to do. It should be only a few pages long, but it should contain, for each part of your project:

- A description of the interface (UI and/or software interface, whichever is relevant).
- A short explanation of which algorithm(s) you use. If you choose from a few options explain your choice.
- What are the algorithm's main building blocks, functions and data-structures and how they interact.


How do we know for sure on which elements one may trust (e.g, maybe the public board show a copy of your vote, then later changes it to something else)?


Actually you don't. You should write in your design a short section describing the trust issue (i.e, what one has to trust so that we know the system works properly).


How do we do a non-interactive ZKP?


The method we use is called Fiat-Shamir heuristic (or method) because it is not proven (see link above). In their paper they presented a signature protocol which uses it, and on the way, they present the novel idea of using hash function instead of a challenge. That is why this paper is cited in every paper which use this method (even though it doesn't generally talk about Non-Interactive-ZKP).


Which hash should we use in practice for the non-interactive ZK signature?


I don't think it really matters which hash you use. I basically like MD5 (Pseudocode and nice info at Also, you can google "md5 implementation" and find it implemented in any language.

SHA-1 is also good (again, wiki is a good start

Moreover, There are many implementations of other methods like in

You just need to choose and google a little.


How can we generate a large prime with the respective generator?


Finding general large primes and generators is not an easy task, but, finding a specific kind is an easier problem.

Usually we use p = 2q + 1 as our primes (where p,q are primes), and then we can find a generator by:

while 1

choose a random number x

if x^2 != 1 (mod p) and x^q != 1 (mod p)

return x

See, for example, slides 5-6 at:


We have problems finding libraries which support large numbers on the one hand, and UI on the other hand, and can be easily compiled together.


A few suggestions:
For Java: IIRC Java has its own, built-in BigNumber library.

For C/C++ programs, you may want to use the GMP library.

Unfortunately, it doesn't compile all that well with MSVC (it is possible, but really it's a lot easier to use on linux/unix systems).

To make the UI programming easier, You may use a web-based solution: the UI is programmed in PHP. PHP has modules for GMP and MySQL databases, and it's very easy to learn (especially if you already know C or Java). The only glaring omission is secure random number generation.

If you run the webserver on linux, you can bypass that by reading from

/dev/random or /dev/urandom.  You can see an example server at

where there is also a link to the source code. Other suggestions are Crypto++ and MIRACL. You may also search for big integers on google.