After the election is over, the voting records from each polling
location are aggregated and tallied by the trustees. [1] They each submit a share of the decrypted tallies to the coordinator. [2] The coordinator may request fragments of shares from trustees in order to
compensate for missing trustees. [3]
Then the coordinator combines the
shares to form the decrypted tallies, and publishes them along with
the necessary information for external verifiers to verify the
tallies, and for individual voters to verify that their vote was
included in the tally. [4]
| [1] | Decryption_Trustee_tally_voting_record() |
| [2] | Decryption_Coordinator_receive_share() |
| [3] | Decryption_Coordinator_all_shares_received(), Decryption_Trustee_compute_fragments() |
| [4] | Decryption_Coordinator_all_fragments_received() |
Note
It’s easy to get confused if we aren’t careful about distinguishing
between a trustee’s portion of a
decrypted total (which I refer to as a share) and a trustee’s portion of some other missing
trustee’s portion of a decrypted
total (which I refer to as a share fragment). I think it’s okay if
we also use share to refer to the pieces of the other trustee’s private keys, because in both cases every
trustee has exactly \(n\) of them.
After the election, the encrypted totals need to be transported to
each trustee individually and combined to
form the voting record of the election. [5] Independently, each trustee
then computes their share of the decrypted tallies. [6]
| [5] | Decryption_Trustee_tally_voting_record() |
| [6] | Decryption_Trustee_compute_share() |
Each trustee announces their presence by
publishing their share of the encrypted tally. [7] The proof of
correctness ensures that each trustee is
actually in possession of that trustee’s private key.
| [7] | Decryption_Coordinator_receive_share() |
Once the coordinator decides that all
trustees who are going to announce have
announced, it checks how many trustees
have announced. [8]
If fewer than the threshold have announced, error.
If enough trustees have announced to
reach the threshold, it returns a list of requests for some of the announced trustees. These requests must be passed to the trustees, who will respond with share
fragments to fulfill those requests. [9]
It is up to the coordinator how to
split the task of compensating for missing trustees between the announced trustees. The coordinator can choose not to produce
requests for some of the announced trustees, or to produce requests that request no
fragments.
After all missing trustees have been compensated for, the
coordinator publishes the decrypted
totals and the necessary information to verify the election. [10]
| [8] | Decryption_Coordinator_all_shares_received() |
| [9] | Decryption_Trustee_compute_fragments() |
| [10] | Decryption_Coordinator_all_fragments_received() |