Setup

Let ${\displaystyle p}$ and ${\displaystyle q}$ be two large primes, where ${\textstyle q\,|\,p-1}$. ${\displaystyle G_{q}}$ is a subgroup of ${\displaystyle Z_{p}^{*}}$ of prime order ${\displaystyle q}$. Let ${\displaystyle g_{1}}$ and ${\displaystyle g_{2}}$ be two random generators of ${\displaystyle G_{q}}$, whose discrete logarithm relationship is unknown. This can be realized by choosing a non-identity element in ${\displaystyle G_{q}}$ as ${\displaystyle g_{1}}$ and computing ${\displaystyle g_{2}}$ based on applying a one-way hash function with the inclusion of election specific information such as the date, election title and questions as the input.^[4] All modulo operations are performed with respect to the modulus ${\displaystyle p}$. Alternatively, the protocol can be implemented using an elliptic curve, while the protocol specification remains unchanged.

Voting

For simplicity, the voting process is described for a single-candidate (Yes/No) election held in a polling station using a touch-screen DRE machine. There are standard ways to extend a single candidate election to support multiple candidates, e.g., providing a Yes/No selection for each of the candidates or using different encoded values for different candidates as described by Baudron et al.^[5]

After being authenticated at a polling station, a voter obtains an authentication credential, which can be a random passcode or a smartcard. The authentication credential allows the voter to log onto a DRE machine in a private voting booth and cast a vote, but the machine does not know the voter's real identity.

A voter casts a vote on a DRE machine in two steps. First, he is presented with "Yes" and "No" options for the displayed candidate on the screen. Once the voter makes a choice on the touch screen, the DRE prints the first part of the receipt, containing ${\displaystyle i,R_{i}=g_{2}^{r_{i}},Z_{i}=g_{1}^{r_{i}}g_{1}^{v_{i}}}$ where ${\displaystyle i}$ is a unique ballot index number, ${\displaystyle r_{i}}$ is a number chosen uniformly at random from ${\displaystyle [1,q-1]}$, and ${\displaystyle v_{i}}$ is either 1 or 0 (corresponding to "Yes" and "No" respectively). The cipher text also comes with a zero knowledge proof to prove that ${\displaystyle R_{i}}$ and ${\displaystyle Z_{i}}$ are well-formed. This zero knowledge proof can be realized by using a technique due to Ronald Cramer, Ivan Damgård and Berry Schoenmakers (also called the CDS technique).^[6] The interactive CDS technique can be made non-interactive by applying Fiat-Shamir heuristics.^[7]

In the second step, the voter has the option to either confirm or cancel the selection. In case of "confirm", the DRE updates the aggregated values ${\displaystyle t}$ and ${\displaystyle s}$ in memory as below, deletes individual values ${\displaystyle r_{i}}$ and ${\displaystyle v_{i}}$, and marks the ballot as "confirmed" on the receipt.

${\displaystyle t=\sum v_{i},s=\sum r_{i}}$.

In case of “cancel”, the DRE reveals ${\displaystyle r_{i}}$ and ${\displaystyle v_{i}}$ on the receipt, marks the ballot as "cancelled" and prompts the voter to choose again. The voter can check if the printed ${\displaystyle v_{i}}$ matches his previous selection and raise a dispute if it does not. The voter can cancel as many ballots as he wishes but can only cast one confirmed ballot. The canceling option allows the voter to verify if the data printed on the receipt during the first step corresponds to the correct encryption of the voter's choice, hence ensuring the vote is "cast as intended". This follows the same approach of voter-initiated auditing as proposed by Joshua Benaloh.^[8] However, in DRE-ip, voter-initiated auditing is realized without requiring the voter to understand cryptography (the voter merely needs to check whether the printed plaintext ${\displaystyle v_{i}}$ is correct).

After voting is finished, the voter leaves the voting booth with one receipt for the confirmed ballot and zero or more receipts for the canceled ballots. The same data printed on the receipts are also published on a mirrored public election website (also known as a public bulletin board) with a digital signature to prove the data authenticity. To ensure the vote is "recorded as cast", the voter just needs to check if the same receipt has been published on the election website.

Tallying

Once the election has finished, the DRE publishes the final values ${\displaystyle t}$ and ${\displaystyle s}$ on the election website, in addition to all the receipts. Anyone will be able to verify the tallying integrity by checking the published audit data, in particular, whether the following two equations hold. This ensures that all votes are "tallied as recorded", which together with the earlier assurance on "cast as intended" and "recorded as cast" guarantees that the entire voting process is "end-to-end verifiable".

An "end-to-end verifiable" voting system is also said to be "software independent", a phrase coined by Ron Rivest.^[9] The DRE-ip system differs from other E2E verifiable voting systems in that it does not require tallying authorities, hence the election management is much simpler.

${\displaystyle \prod R_{i}=g_{2}^{s}}$ and ${\displaystyle \prod Z_{i}=g_{1}^{s}g_{1}^{t}}$.