The ElectionGuard Key Ceremony is the process used by Election Officials to share encryption keys for an election. Before an election, a fixed number of Guardians are selection to hold the private keys needed to decrypt the election results. A Quorum count of Guardians can also be specified to compensate for guardians who may be missing at the time of Decryption. For instance, 5 Guardians may be selected to hold the keys, but only 3 of them are required to decrypt the election results.
Guardians are typically Election Officials, Trustees Canvass Board Members, Government Officials or other trusted authorities who are responsible and accountable for conducting the election.
The Key Ceremony is broken into several high-level steps. Each Guardian must announce their attendance in the key ceremony, generate their own public-private key pairs, and then share those key pairs with the Quorum. Then the data that is shared is mathematically verified using Non-Interactive Zero Knowledge Proofs, and finally a joint public key is created to encrypt ballots in the election.
Guardians exchange all public keys and ensure each fellow guardian has received an election public key ensuring at all guardians are in attendance.
Guardians generate a partial key backup for each guardian and share with that designated key with that guardian. Then each designated guardian sends a verification back to the sender. The sender then publishes to the group when all verifications are received.
The final step is to publish the joint election key after all keys and backups have been shared.
- Guardian A guardian of the election who holds the ability to partially decrypt the election results
- Key Ceremony Mediator A mediator to mediate communication (if needed) of information such as keys between the guardians
- Election Key Pair: Pair of keys (public & secret) used to encrypt/decrypt election
- Election Partial Key Backup: A point on a secret polynomial and commitments to verify this point for a designated guardian.
- Election Polynomial: The election polynomial is the mathematical expression that each Guardian defines to solve for his or her private key. A different point associated with the polynomial is shared with each of the other guardians so that the guardians can come together to derive the polynomial function and solve for the private key.
- Joint Key: Combined public key from election public keys of each guardian
- Quorum: Quantity of guardians (k) that is required to decrypt the election and is fewer than the total number of guardians available (n)
This is a detailed description of the entire Key Ceremony Process
- The ceremony details are decided upon. These include a
number_of_guardians
andquorum
of guardians required for decryption. - Each guardian creates a unique
id
andsequence_order
. - Each guardian must generate their
election key pair
(ElGamal key pair). This will generate a corresponding Schnorrproof
andpolynomial
used for generatingelection partial key backups
for sharing. - Each guardian must give the other guardians their
election public key
directly or through a mediator. - Each guardian must check if all
election public keys
are received. - Each guardian must generate
election partial key backup
for each other guardian. The guardian will use theirpolynomial
and the designated guardian'ssequence_order
to create the value. - Each guardian must send each encrypted
election partial key backup
to the designated guardian directly or through amediator
. - Each guardian checks if all encrypted
election partial key backups
have been received by their recipient guardian directly or through a mediator. - Each recipient guardian decrypts each received encrypted
election partial key backup
- Each recipient guardian verifies each
election partial key backup
and sends confirmation of verification- If the proof verifies, continue
- If the proof fails
- Sender guardian publishes the
election partial key backup
value sent to recipient as aelection partial key challenge
to all the other guardians - Alternate guardian (outside sender or original recipient) attempts to verify key
- If the proof verifies, continue
- If the proof fails again, the accused (sender guardian) should be evicted and process should be restarted with new guardian.
- Sender guardian publishes the
- On receipt of all verifications of
election partial private keys
by all guardians, generate and publishjoint key
from election public keys.
This example demonstrates a convenience method to generate guardians for an election
NUMBER_OF_GUARDIANS: int
QUORUM: int
details: CeremonyDetails
guardians: List[Guardian]
# Setup Guardians
for i in range(NUMBER_OF_GUARDIANS):
guardians.append(
Guardian.from_nonce(f"some_guardian_id_{str(i)}", i, NUMBER_OF_GUARDIANS, QUORUM)
)
mediator = KeyCeremonyMediator(details)
# Attendance (Public Key Share)
for guardian in guardians:
mediator.announce(guardian)
# Orchestation (Private Key Share)
orchestrated = mediator.orchestrate()
# Verify (Prove the guardians acted in good faith)
verified = mediator.verify()
# Publish the Joint Public Key
joint_public_key = mediator.publish_joint_key()
ElectionGuard can be run without the key ceremony. The key ceremony is the recommended process to generate keys for live end-to-end verifiable elections, however this process may not be necessary for other use cases such as privacy preserving risk limiting audits.