key: cord-0645626-0ixj7cwd authors: Tassa, Tamir; Dery, Lihi title: Towards Secure Virtual Elections: Multiparty Computation of Order Based Voting Rules date: 2022-05-21 journal: nan DOI: nan sha: 37022b44f86d96615fa60acd56d210857cbd1f1d doc_id: 645626 cord_uid: 0ixj7cwd Electronic voting systems are essential for holding virtual elections, and the need for such systems increases due to the COVID-19 pandemic and the social distancing that it mandates. One of the main challenges in e-voting systems is to secure the voting process: namely, to certify that the computed results are consistent with the cast ballots, and that the privacy of the voters is preserved. We propose herein a secure voting protocol for elections that are governed by order-based voting rules. Our protocol offers perfect ballot secrecy, in the sense that it issues only the required output, while no other information on the cast ballots is revealed. Such perfect secrecy, which is achieved by employing secure multiparty computation tools, may increase the voters' confidence and, consequently, encourage them to vote according to their true preferences. Evaluation of the protocol's computational costs establishes that it is lightweight and can be readily implemented in real-life electronic elections. Electronic voting has significant advantages in comparison with the more commonplace physical voting: it is faster, it reduces costs, it is more sustainable, and in addition it may increase voters' participation. In the past two years, due to the COVID-19 pandemic and the need for social distancing, e-voting platforms have become even more essential. One of the main challenges in holding e-voting is to secure the voting process: namely, to make sure that it is secure against attempted manipulations so that the computed results are consistent with the cast ballots, and that the privacy of the voters is preserved. The usual meaning of voter privacy is that the voters remain anonymous. Namely, even though the ballots are revealed (as is the case when opening the ballot box at the end of an election day), no ballot can be traced back to the voter who cast it. We go one step further and consider perfect ballot secrecy, or full privacy [11] , i.e., given any coalition of voters, the protocol does not reveal any information on the ballots, beyond what can be inferred from the published results. Such perfect secrecy may increase the voters' confidence and, consequently, encourage them to vote according to their true preferences. There are various families of voting rules that can be used in elections. For example, in score-based voting rules, a score for each candidate is computed subject to the specifications of the underlying voting rule, and then the winning candidate is the one whose aggregated score is highest. In this study we focus on order-based (a.k.a pairwise-comparison) voting rules, where the relative order of the candidates is considered by the underlying voting rule [7] . Our contributions. We consider a scenario in which there is a set of voters that hold an election over a given set of candidates. We devise a fully private protocol for computing the results of elections that are governed by order-based voting rules. The output of the election is a ranking of the candidates, from which the winning candidate(s) can be determined. Our protocol, which is based on cryptographic tools of multiparty computation, is lightweight and can be readily implemented in virtual elections. The bulk of this study is devoted to two rules in this family -Copeland [14] , and Maximin [36] (a.k.a Kramer-Simpson), which are formally defined in Section 4.1. In Section 6 we describe two other rules in this family, Kemeny-Young [26, 39] and Modal Ranking [9] , and describe the extension of our methods for those rules as well. The paper is structured as follows. We first present related work in Section 2. Then, in Section 3, we explain the cryptographic foundations on which our protocol is based. In Section 4 we present our secure voting protocol for Copeland and Maximin rules and then, in Section 5, we evaluate its computational costs. In Section 6 we discuss secure protocols for Kemeny-Young and Modal Ranking rules. Our concluding discussion is given in Section 7. Secure e-voting can be approached using various cryptographic techniques. The earliest suggestion is that of Chaum [12] , who suggested to use a mix network (mixnet). The idea is to treat the ballots as ciphertexts. Voters encrypt their ballots and agents collect and shuffle these messages and thus anonymity of the ballots is preserved. Other studies followed and improved this model, e.g. [34, 1, 5, 25, 27, 30] . However, while this system preserves anonymity, the talliers are exposed to the actual ballots. The mere anonymity of the ballots might not provide sufficient security and this may encourage voters to abstain or vote untruthfully [19] . Homomorphic encryption is an encryption that allows performing computations on encrypted values without decrypting them first. The most common ciphers of that class are additively homomorphic, in the sense that the product of several ciphertexts is the encryption of the sum of the corresponding plaintexts. Such encryptions are suitable for secure voting, as was first suggested by Benaloh [3] . The main idea here is to encrypt the ballots, using a public-key homomorphic cipher. An agent aggregates the encrypted ballots and then sends an aggregated encrypted value to the tallier. The tallier who decrypts the received ciphertext recovers the aggregation of the ballots, but not the ballots themselves. Secure voting protocols that are based on homomorphic encryption were presented in e.g. [15, 16, 37, 24, 33, 32] . While most studies on secure voting offered protocols for securing the voting process, only few studies considered the question of private execution of the computation that the underlying voting rule dictates. Canard et al. [8] considered the Majority Judgment (MJ) voting rule [2] . They first translated the complex control flow and branching instructions that the MJ rule entails into a branchless algorithm; then they devised a privacypreserving implementation of it using homomorphic encryption, distributed decryption schemes, distributed evaluation of Boolean gates, and distributed comparisons. Nair et al. [29] suggested to use secret sharing for the tallying process in Plurality voting [6] . Their protocol provides anonymity but does not provide perfect secrecy as it reveals the final aggregated score of each candidate. In addition, their protocol is vulnerable to cheating attacks, as it does not include means for detecting illegal votes. Yang et al. [37] suggested using homomorphic encryption specifically for Approval voting [6] . Lastly, Dery et al. [19] offered a solution based on multiparty computation in order to securely determine the winners in elections governed by score-based voting rules. To the best of our knowledge, no study so far addressed the question of securely computing election results where the governing voting rule is orderbased. We undertake this challenge herein. Our protocol relies heavily on cryptographic machinery. This section provides the required cryptographic background and an explanation on how the presented techniques are implemented in our protocol. In Section 3.1 we provide a brief introduction to secret sharing. In Section 3.2 we discuss the concept of secure multiparty computation (MPC). In the next subsections we discuss solutions to specific problems of MPC, which are used in our protocol: secure comparisons (Section 3.3), secure testing of positivity (Section 3.4), and secure testing of equality to zero (Section 3.5). Secret sharing methods [35] enable distributing a secret among a group of participants. Each participant is given a random share of the secret so that: (a) the secret can be reconstructed only by combining the shares given to specific authorized subsets of participants, and (b) combinations of shares belonging to unauthorized subsets of participants reveal zero information on the underlying secret. The notion of secret sharing was introduced, independently, by Shamir [35] and Blakley [4] , for the case of threshold secret sharing. Let D be the number of participants and let D ≤ D be some threshold. Then the authorized subsets in Shamir's and in Blakley's schemes are those of size at least D . Such secret sharing schemes are called D -out-of-D. Shamir's D -out-of-D secret sharing scheme operates over a finite field Z p , where p > D is a prime sufficiently large so that all possible secrets may be represented in Z p . It has two procedures: Share and Reconstruct: • Share D ,D (x). The procedure samples a uniformly random polynomial g(·) over Z p , of degree at most D − 1, where the free coefficient is the secret s. That is, are selected independently and uniformly at random from Z p . The procedure outputs D values, • Reconstruct D (s 1 , . . . , s D ). The procedure is given any selection of D shares out of {s 1 , . . . , s D }; it then interpolates a polynomial g(·) of degree at most D − 1 using the given points, and outputs s = g(0). Clearly, any selection of D shares out of the D shares will yield the same polynomial g(·) that was used to generate the shares, as D point values determine a unique polynomial of degree at most D − 1. Hence, any selection of D shares will issue the secret s. On the other hand, any selection of D − 1 shares reveals nothing about the secret s. Our protocol involves a set of third parties, {T 1 , . . . , T D }, which are called talliers. In the protocol, each voter creates shares of his private ballot and distributes them to the D talliers. As those ballots are matrices (see the definitions in Section 4), the secret sharing is carried out for each entry independently, so that each of the talliers receives a share matrix in each ballot matrix. The talliers then verify the legality of the cast ballots and, at the end the election period, compute the desired election results. Those computations are executed based only on the shares that the talliers had received, i.e., without actually recovering the private ballots. Such a computation, that depends on secret inputs that cannot be disclosed, is called secure multiparty computation; we elaborate on that topic in Section 3.2 below. We will use Shamir's D -out-of-D secret sharing with D := (D + 1)/2 (namely, the value (D + 1)/2 rounded down to the nearest integer). With that setting, at least half of the talliers would need to collude in order to recover the secret ballots. If the set of the talliers is trusted to have an honest majority, then such a betrayal scenario is impossible. Namely, if more than half of the talliers are honest, in the sense that they would not attempt cheating, then even if all other dishonest talliers attempt to recover the secret ballots from the shares that they hold, they will not be able to extract any information on the ballots. The secret sharing mechanism prevents such unauthorized subsets from inferring any information on the shared secrets from the shares that they hold. Higher values of D (and consequently of D := (D + 1)/2 ) will imply greater security against coalitions of corrupted talliers, but at the same time they will also imply higher costs. As described above, the talliers hold shares in the voters' ballots and perform computations on those shares. First, they need to verify that the shares for each cast ballot correspond to a legal ballot (see Section 4.2 where we explain what constitutes a legal ballot). Then, they need to compute the identity of the K winning candidates, as dictated by the rule. Those two tasks would be easy if the talliers could use their shares in order to recover the ballots. However, they must not do so, in order to protect the voters' privacy. Instead, they must perform those computations on the distributed shares, without revealing the shares to each other. As shown in Section 4, both of those computations boil down to arithmetic computations only (namely, to computations of additions and multiplications of secret-shared values). To do so, the talliers execute sub-protocols of secure multiparty computation (MPC) [38] . An MPC protocol allows a set of parties, T 1 , . . . , T D , to compute any function f over private inputs that they hold, x 1 , . . . , x D , where x d is known only to T d , d ∈ [D], so that at the end of the protocol everyone learns f (x 1 , . . . , x D ), but nothing beyond that value and what can be naturally inferred from it. In cases where the desired function f may be expressed as an arithmetic function of the inputs, then one may represent f by an arithmetic circuit C such that for every set of inputs, x 1 , . . . , x D , the output of the circuit, C(x 1 , . . . , x D ), equals f (x 1 , . . . , x D ). The circuit has several input wires and a single output wire. Each input wire is fed with a single secret value by one of the parties. The output wire determines a single value that is revealed to all parties. Between the input and output wires there are multiple layers of arithmetic gates that connect them. An arithmetic gate can be either addition or multiplication. Each gate is fed by exactly two input wires, and it produces one output wire such that the output of a gate in layer k can be given as input to multiple gates in layer k+1. For illustration, consider the arithmetic function f (x 1 , x 2 , x 3 ) = x 1 ·x 2 +x 2 ·x 3 ·(x 2 +x 3 ). The circuit C in Figure 1 evaluates that function. It consists of three layers. The first layer has two multiplication gates that compute x 1 · x 2 and x 2 · x 3 , and one addition gate that computes x 2 + x 3 . The second layer has a single multiplication gate for computing . Finally, the third and last layer has a single addition gate that issues the desired output. In a secret-sharing-based MPC protocol, all values along all wires are secret shared among the D parties (as described in Section 3.1); in particular, they are never reconstructed and thus remain secret. Only the value on the final output wire is reconstructed: when reaching the output gate, each party broadcasts the corresponding share that he 1 holds in the output wire, and subsequently everyone can use the broadcast shares in order to reconstruct the output. The computational challenge in this context is how to emulate the operation of an arithmetic circuit when operating on shared values. As an arithmetic circuit consists of two types of gates -addition and multiplication, the challenge is as follows: given D -out-of-D shares in two secret values u, v ∈ Z p , how can the parties compute D -out-of-D shares in u+v and in u·v, without reconstructing any of those values. In the circuit shown in Figure 1 , the parties have D -out-of-D shares in each of the input values x 1 , x 2 , x 3 . With those shares they proceed to emulate the circuit layer by layer, by computing proper D -out-of-D shares in the output wires of the three gates in the first layer, then proceeding to computing D -out-of-D shares in the output of the multiplication gate in the second layer, using the already computed shares in the output wires of two of the gates in the first layer, and finally computing D -out-of-D shares in the output wire using the computed shares in the output wires of the multiplication gate in the second layer and the first multiplication gate in the first layer. Let u d and v d denote the shares held by T d , d ∈ [D], in the two input values u and v, respectively. Emulating addition gates is easy: the linearity of secret sharing implies that for any two public field elements a, b ∈ Z p , the values au d + bv d , d ∈ [D], are proper D -out-of-D shares in au + bv. In particular, each party may compute his share in the output wire from his shares in the input wires without any interaction with the other parties. Emulating multiplication gates is trickier. Here, in order to compute proper D -out-of-D shares in the output wire u·v, the parties need to interact, and the required computation is more involved. In our protocol we use the construction proposed by Damgård and Nielsen [17] , enhanced by a work by Chida et al. [13] that demonstrates some performance optimizations. The details of this computation are not essential for understanding our secure voting protocol, but for the sake of completeness we describe the computation in Appendix A. When computing election results, it is essential to repeatedly compare scores of two candidates in order to determine which is larger. In our protocol, those scores are kept hidden from all parties, but the talliers hold secret shares in them. Of course, the talliers could use those shares in order to recover the scores and then compare them. However, for the sake of achieving perfect ballot secrecy, our goal is to determine which of two given scores is larger without explicitly recovering those scores. To that end, we consider the problem of secure comparison, which is defined below. Assume that the D parties, T 1 , . . . , T D , hold D -out-of-D shares in two integers a and b, where both a and b are smaller than p, which is the size of the underlying field Z p . The parties wish to compute D -out-of-D secret shares in the binary variable, denoted 1 a p 2 then 2q > p. Hence, 2q mod p = 2q − p. Since that number is odd, its LSB is 1. In view of Lemma 1, the parties may compute D -out-of-D shares in w = 1 a< p 2 (and similarly for x = 1 b< p 2 , and y = 1 [(a−b) mod p]< p 2 ) as follows: each party T d will translate the share he holds in a to a share in 2a by multiplying the share by 2; then, all parties will use their shares in 2a in order to compute shares in the LSB of 2a. The reader is referred to Nishide and Ohta [31] for the details of that last step in the computation. We conclude this section by commenting on the complexity of the above described secure comparison protocol. Computing shares in the LSB of a shared value requires 13 rounds of communication and 93 + 1 multiplications, where hereinafter = log 2 (p). Since we have to compute three such bits (i.e., w, x, and y) then we can compute shares of those three bits in 13 rounds and a total of 279 + 3 multiplications. Finally, we should evaluate the expression in Eq. (2), which entails two additional rounds and two additional multiplications. Hence, the total complexity is 15 rounds and 279 + 5 multiplications. where the underlying field is Z p , and p > 2N . Our goal here is to design an MPC protocol that will issue to T 1 , . . . , T D D -out-of-D shares in the bit 1 x>0 , without learning any further information on x. One way of solving such a problem would be to set y = x + N and then test whether N < y using the protocol of secure comparison that we described in Section 3.3 (with a = N and b = y). In order to execute the secure comparison protocol, the parties need to have secret shares in the two compared values. It is easy to see that {N, . . . , N } are D -out-of-D shares in a = N . In addition, if we denote by {x 1 , . . . , x D } the D -out-of-D shares in However, we would like to propose here a more efficient way of solving the problem of positivity testing. To that end we state and prove the following lemma. Lemma 2. Under the above assumptions, x > 0 if and only if the LSB of (−2x mod p) is 1. As that number is even, its LSB is 0. Hence, while the secure comparison of two secret values required computing the LSB of three values, testing the positivity of a secret requires the computation of an LSB of just one value. Hence, the computational cost of that task is 13 rounds of communication and 93 + 1 multiplications (as opposed to 15 rounds and 279 + 5 multiplications for secure comparison of two secrets). where the underlying field is Z p , and p > 2N . Our goal here is to design an MPC protocol that will issue to T 1 , . . . , T D D -out-of-D shares in the bit 1 x=0 , without learning any further information on x. It is possible to solve that problem by implementing the MPC positivity testing that we described above in Section 3.4, once for x and once for −x. Clearly, x = 0 if and only if both of those tests fail. However, we can solve that problem in a much more efficient manner, as we proceed to describe. Fermat . Therefore, shares in the bit 1 x =0 can be obtained by simply computing x p−1 mod p. The latter computation can be carried out by the square-and-multiply algorithm with up to 2 consecutive multiplications, where, as before, = log p. Finally, as 1 x=0 = 1 − 1 x =0 , then shares in 1 x =0 can be readily translated into shares in 1 x=0 . The cost of the above described computation is significantly smaller than the cost of the alternative approach that performs positivity testing of both x and −x. In this section we describe our method for securely computing the winners in two order-based voting rules, Copeland and Maximin. 3 We begin with formal definitions in Section 4.1. Then, in Section 4.2, we characterize legal ballot matrices for each of the two rules. Such a characterization is an essential part of our method, since the talliers need to verify, in an oblivious manner, that each cast ballot is indeed legal, and does not hide a malicious attempt to cheat or to sabotage the elections. In other words, the talliers need to verify the legality of each cast ballot only through its secret shares, i.e., without getting access to the actual ballot. The characterization that we describe in Section 4.2 will be used later on to perform such an oblivious validation. Then, in Section 4.3 we introduce our secure voting protocol. That protocol description includes a sub-protocol for validating the cast ballots, and sub-protocols for computing the final election results from all legal ballots. The validation sub-protocol is described in Section 4.4. The sub-protocols for computing the election results are described in Sections 4.5 and 4.6 for Copeland and Maximin rules, respectively. We conclude this section with a discussion on how to set the size of the underlying field in which all computations take place (Section 4.7), and a discussion of the overall security of our protocol (Section 4.8). We consider a setting in which there are N voters, V = {V 1 , . . . , V N }, that wish to hold an election over M candidates, C = {C 1 , . . . , C M }. The output of the election is a ranking of C. We proceed to define the two order-based rules for which we devise a secure MPC protocol in this section. • Copeland. Define for each V n a matrix P n = (P n (m, m ) : m, m ∈ [M ]), where P n (m, m ) = 1 if C m is ranked higher than C m in V n 's ranking, P n (m, m ) = −1 if C m is ranked lower than C m , and all diagonal entries are 0. Then the sum matrix, induces the following score for each candidate: Namely, w(m) equals the number of candidates C m that a majority of the voters ranked lower than C m , plus α times the number of candidates C m who broke even with C m . The parameter α can be set to any rational number between 0 and 1. The most common setting is α = 1 2 ; the Copeland rule with this setting of α is known as Copeland 1 2 [22] . • Maximin. Define the matrices P n so that P n (m, m ) = 1 if C m is ranked higher than C m in V n 's ranking, while P n (m, m ) = 0 otherwise. As in Copeland rule, we let P denote the sum of all ballot matrices, see Eq. (3). Then P (m, m ) is the number of voters who preferred C m over C m . The final score of C m , m ∈ [M ], is then set to w(m) := min m =m P (m, m ). In both these order-based rules, we shall refer hereinafter to the matrix P n as V n 's ballot matrix, and to P as the aggregated ballot matrix. Here, we characterize the ballot matrices in each of the two order-based rules that we consider. Such a characterization will be used later on in the secure voting protocol. The proof of Theorem 4 is similar to that of Theorem 3 and thus omitted. We conclude this section with the following observation. Let us define a projection mapping Γ : Conditions 2 and 3 in Theorems 3 and 4 imply that every ballot matrix, P n , is fully determined by its upper triangle, Γ(P n ), in either of the two voting rules that we consider. Here we present Protocol 1, a privacy-preserving implementation of the Copeland and Maximin order-based rules. The protocol computes, in a privacy-preserving manner, the winners in elections that are governed by those rules. It has two phases. We begin with a bird's-eye view of those two phases, and afterwards we provide a more detailed explanation. Phase 1 (Lines 1-8) is the voting phase. In that phase, each voter V n , n ∈ [N ] := {1, . . . , N }, constructs his ballot matrix, P n (Line 2), and then creates and distributes to all talliers corresponding D -out-of-D shares, with D = (D + 1)/2 , as described in Section 3.1 (Lines 3-7). Following that, the talliers jointly verify the legality of the shared ballot (Line 8). Phase 2 of the protocol (Lines 9-11) is carried out after the voting phase had ended; in that phase, the talliers perform an MPC sub-protocol on the distributed shares in order to find the winning candidates, while remaining oblivious to the actual ballots. After constructing his ballot matrix in Line 2, voter V n , n ∈ [N ], samples a random share-generating polynomial of degree D −1 for each of the M (M − 1)/2 entries in Γ(P n ), where Γ is the projection mapping defined in Section 4.2 (Lines 3-5). Then, V n sends each tallier T d his relevant share in each of those entries, namely, the value of the corresponding share-generating polynomial at x = d, d ∈ [D] (Lines 6-7). In Line 8, the talliers engage in an MPC sub-protocol to verify the legality of V n 's ballot, without actually recovering that ballot. We describe the validation sub-protocol in Section 4.4. Ballots that are found to be illegal are discarded. (In such cases it is possible to notify the voter that his ballot was rejected and allow him to resubmit it.) Phase 2 (Lines 9-11) takes place at the end of the voting period, after the voters cast their ballots. First (Lines 9-10 The heart of the protocol is in Line 11: here, the talliers engage in an MPC sub-protocol in order to find the indices of the K winning candidates. How can the talliers do that when none of them actually holds the matrix P ? We devote our discussion in Sections 4.5 and 4.6 to that interesting computational challenge. Select uniformly at random a n,m,m ,j ∈ Z p , 1 ≤ j ≤ D − 1; Voters may attempt to cheat by submitting illegal ballots in order to help their preferred candidate. For example, a dishonest voter may send the talliers shares of the matrix cQ, where Q is his true ballot matrix and c is an "inflating factor" greater than 1. If such a cheating attempt remains undetected, that voter manages to multiply his vote by a factor of c. The shares of the illegal "inflated" matrix are indistinguishable from the shares of the legal ballot matrix (unless, of course, a majority of D talliers collude and recover the ballot -a scenario that is impossible under our assumption that the talliers have an honest majority). Hence, it is necessary to devise a mechanism that would enable the talliers to check that the shares they received from each of the voters correspond to a legal ballot matrix, without actually recovering that matrix. Malicious voters can sabotage the elections also in other manners. For example, a voter may create a legal ballot matrix Q and then alter the sign of some of the ±1 entries in the shared upper triangle Γ(Q), so that the resulting matrix does no longer correspond to an ordering of the candidates. Even though such a manipulated matrix cannot serve a dishonest voter in an attempt to help a specific candidate, it still must be detected and discarded. Failing to detect the illegality of such a ballot may result in an aggregated matrix P that differs from the aggregated matrix P that corresponds to the case in which that ballot is rejected. In such an unfortunate case, it is possible that the set of winners that P would dictate differs from that which P dictates. In summary, it is essential to validate each of the cast ballots in order to prevent any undesirable sabotaging of the elections. In real-life electronic elections where voters typically cast their ballots on certified computers in voting centers, the chances of hacking such computers and tampering with the software that they run are small. However, for fullproof security and as a countermeasure against dishonest voters that might manage to hack the voting system, we proceed to describe an MPC solution that enables the talliers to verify the legality of each ballot, even though those ballots remain hidden from them. We note that in case a ballot is found to be illegal, the talliers may reconstruct it (by means of interpolation from the shares of D talliers) and use the recovered ballot as a proof of the voter's dishonesty. The ability of constructing such proofs, that could be used in legal actions against dishonest voters, might deter voters from attempting cheating in the first place. We proceed to explain how the talliers can verify the legality of the cast ballots in each of the two order-based rules. That validation is based on the characterizations of legal ballots as provided in Theorems 3 and 4 for Copeland and Maximin, respectively. Note that the talliers need only to verify conditions 1 and 4; condition 2 needs no verification since the voters do not distribute shares in the diagonal entries, as those entries are known to be zero; and condition 3 needs no verification since the voters distribute shares only in the upper triangle and then the talliers use condition 3 in order to infer the lower triangle from the shared upper triangle. Consider the shares that a voter distributed in Γ(Q), where Q is his ballot matrix. The talliers need to verify that each entry in the shared Γ(Q) is either 1 or −1 in Copeland, or either 1 or 0 in Maximin. The verification is performed independently on each of the M (M − 1)/2 entries of the shared upper triangle. A shared scalar x is in {−1, 1} (resp. in {0, 1}) if and only if (x+1)·(x−1) = 0 (resp. x·(x−1) = 0). Hence, the talliers input their shares in x to an arithmetic circuit that outputs the product (x + 1) · (x − 1) for Copeland or x · (x − 1) for Maximin. If the output of such a circuit is zero for each of the M (M −1)/2 entries of Γ(Q), then Γ(Q) satisfies condition 1 in Theorem 3 (Copeland) or in Theorem 4 (Maximin). If, on the other hand, some of the multiplication gates issue a nonzero output, then the ballot will be rejected. First, we make the following observation. Let x, y ∈ Z p be two values that are shared among the talliers. Denote by x d and y d the D -out-of-D shares that T d has in x and y, respectively. Then if a, b ∈ Z p are two publicly known field elements, it is easy to see that ax d + by d is a proper D -out-of-D share in ax + by, d ∈ [D]. Also a + x d is a proper D -out-of-D share in a + x. Using the above observation regarding the linearity of secret sharing, then once the talliers receive D -out-of-D shares in each entry in Γ(Q), they can proceed to compute D -out-of-D shares in the corresponding column sums, Q m , m ∈ [M ], as we proceed to show. In Copeland, conditions 2 and 3 in Theorem 3 imply that A natural question that arises is whether the above described validation process poses a risk to the privacy of the voters. In other words, a voter that casts a legal ballot wants to be ascertained that the validation process only reveals that the ballot is legal, while all other information is kept hidden from the talliers. We proceed to examine that question. The procedure for verifying condition 1 in Theorems 3 and 4 offers perfect privacy for honest voters. If the ballot Q is legal then all multiplication gates will issue a zero output. Hence, apart from the legality of the ballot, the talliers will not learn anything on the content of the ballot. The procedure for verifying condition 4 in Theorems 3 and 4 offers almost perfect privacy, in the following sense. If Q is a valid ballot in Copeland, then the ordered tuple (Q 1 , . . . , Q M ) is a permutation of the ordered tuple (−M + 1, −M + 3, . . . , M − 3, M − 1). This statement follows from the proof of condition 4 in Theorem 3, see Appendix B. Hence, as can be readily verified, if Q is a legal ballot then the value of F (Q), Eq. (7), which the talliers compute in the validation procedure, equals where the sign of the product in Eq. (8) is determined by the signature of (Q 1 , . . . , Q M ) when viewed as a permutation of the ordered tuple (−M + 1, −M + 3, . . . , M − 3, M − 1). Hence, since a ballot in Copeland describes some ordering (permutation) of the candidates, the talliers will be able to infer the signature of that permutation, but nothing beyond that. Such a leakage of information is meaningless, but it can be eliminated by squaring the result and recovering F (Q) 2 . Similarly, the procedure for verifying condition 4 in Theorem 4, for Maximin, is also privacy-preserving in the same manner. Indeed, in the case of Maximin, (Q 1 , . . . , Q M ) is a permutation of the ordered tuple (0, 1, . . . , M − 2, M − 1), and, therefore, where the sign of the above product is determined by the signature of (Q 1 , . . . , Q M ) as a permutation of (0, 1, . . . , M − 2, M − 1). Verifying condition 1 can be performed in parallel for all M (M − 1)/2 entries in a given ballot, and also for several different ballots. Hence, in order to perform a batch validation of B ballots, the talliers need to compute BM (M − 1)/2 simultaneous multiplication gates. The verification of condition 4 over a single ballot requires performing a sequence of M (M − 1)/2 multiplications. Hence, in order to perform a batch validation of B ballots, the talliers need to go through M (M − 1)/2 rounds, where in each round they compute B simultaneous multiplication gates. The parameter α in Eq. (4) is always a rational number; typical settings of α are 0, 1, or 1 2 [22] . Assume that α = s t for some integers s and t. Then The expression in Eq. Eq. (10) expresses the score of candidate C m , re-scaled by a factor of t, only by entries in P above the diagonal, in which the talliers hold D -out-of-D secret shares. In view of the above, the talliers may begin by computing secret shares in the bits of positivity in the first sum on the right hand side of Eq. (10), by using the MPC sub-protocol described in Section 3.4. As for the bits of equality to zero in the second sum on the right hand side of Eq. (10), the talliers can compute secret shares in them using the MPC sub-protocol described in Section 3.5. As the value of t · w(m) is a linear combination of those bits, the talliers can then use the secret shares in those bits and Eq. (10) in order to get secret shares in t · w(m), for each of the candidates, C m , m ∈ [M ]. Next, they perform secure comparisons among the values tw(m), m ∈ [M ], in order to find the K candidates with the highest scores. To do that, they need to perform M − 1 secure comparisons (as described in Section 3.3) in order to find the candidate with the highest score, M − 2 additional comparisons to find the next one, and so forth down to M − K comparisons in order to find the Kth winning candidate. Namely, the overall number of comparisons in this final stage is The above number is bounded by M (M − 1)/2 for all K < M . Once this computational task is concluded, the talliers publish the indices of the K winners (Line 11 in Protocol 1)). We summarize the above described computation in Sub-protocol 2, which is an implementation of Line 11 in Protocol 1. It assumes that the talliers hold D -out-of-D secret shares in P (m, m ) for all 1 ≤ m < m ≤ M . Indeed, that computation has already taken place in Lines 9-10 of Protocol 1. Subprotocol 2 starts with a computation of D -out-of-D shares in all of the positivity bits and equality to zero bits that relate to the entries above the diagonal in P (Lines 1-4) . Then, in Lines 5-7, the talliers use those shares in order to obtain D -out-of-D shares in t·w(m) for each of the candidates, using Eq. (10); the D -out-of-D shares in t · w(m) are denoted {w d (m) : d ∈ [D]}. Finally, using the secure comparison sub-protocol, they find the K winners (Lines 8-10). Input: The talliers apply the positivity sub-protocol to translate The talliers apply the positivity sub-protocol to translate The talliers apply the equality to zero sub-protocol to translate The talliers perform M − k invocations of the secure comparison sub-protocol over the M − k + 1 candidates in C in order to find the kth elected candidate; 10 The talliers output the candidate that was found and remove him from C; Output: The K winning candidates from C. The talliers hold D -out-of-D shares in each of the ballot matrices, P n , n ∈ [N ], as well as in the aggregated ballot matrix P . Under our assumption of honest majority, and our setting of D = (D + 1)/2 , the talliers cannot recover any entry in any of the ballot matrices nor in the aggregated ballot matrix. In computing the final election results, they input the shares that they hold into the secure comparison sub-protocol, the positivity testing subprotocol, or the sub-protocol that tests equality to zero (Sections 3.3-3.5). The secure comparison sub-protocol is perfectly secure, as was shown in [31] . The positivity testing sub-protocol that we presented here is just an implementation of one component from the secure comparison sub-protocol, hence it is also perfectly secure. Finally, the testing of equality to zero invokes the arithmetic circuit construction of [17] and [13] , that was shown there to be secure. Hence, Sub-protocol 2 is perfectly secure. Here we comment on the requirements of our protocol regarding the size p of the underlying field Z p . The prime p should be selected to be greater than the following four values: (i) D, as that is the number of talliers (see Section 3.1). (ii) 2N , since the field should be large enough to hold the entries of the sum P of all ballot matrices, Eq. (3), and the entries of that matrix are confined to the range [−N, N ]. (iii) max{t, s} · (M − 1), since that is the upper bound on t · w(m), see Eq. (9), which is secret-shared among the talliers. (iv) 2(M − 1), since in validating a given ballot matrix Q, the talliers need to test the equality to zero of F (Q), see Eq. (7) . As F (Q) is a product of the differences Q m − Q m , and each of those differences can be at most 2(M − 1) (in Copeland) or M − 1 (in Maximin), it is necessary to set p to be larger than that maximal value. Hence, in summary, p should be selected to be larger than each of the above four values. Since D (number of talliers), M (number of candidates), and s and t (the numerator and denominator in the coefficient α in Copeland rule, Eq. (4)), are typically much smaller than N , number of voters, the essential lower bound on p is 2N . In our evaluation we selected p = 2 31 − 1, which is sufficiently large for any conceivable election scenario. An important goal of secure voting is to provide anonymity; namely, it should be impossible to connect a ballot to the voter who cast it. Protocol 1 achieves that goal, and beyond. Indeed, each cast ballot is distributed into D -out-of-D random shares and then each share is designated to a unique tallier. Under the honest majority assumption, the voters' privacy is perfectly preserved. Namely, unless at least D ≥ D/2 talliers betray the trust vested in them and collude, the ballots remain secret. Therefore, not only that a ballot cannot be connected to a voter, even the content of the ballots is never exposed, and not even the aggregated ballot matrix. The only information that anyone learns at the end of Protocol 1's execution is the final election results. This is a level of privacy that exceeds mere anonymity. A scenario in which at least half of the talliers collude is highly improbable, and its probability decreases as D increases. Ideally, the talliers would be parties that enjoy a high level of trust within the organization or state in which the elections take place, and whose business is based on such trust. Betraying that trust may incur devastating consequences for the talliers. Hence, even if D is set to a low value such as D = 5 or even D = 3, the probability of a privacy breach (namely, that D = (D + 1)/2 talliers choose to betray the trust vested in them) would be small. Instead of using a D -out-of-D threshold secret sharing, we could use an additive "All or Nothing" secret sharing scheme, in which all D shares of all D talliers are needed in order to reconstruct the shared secrets, and use suitable MPC protocols for multiplication and comparison. Such an approach would result in higher security, since the privacy of the voters would be jeopardized only if all D talliers betray the trust vested in them and not just D out of them. However, such a scheme is not robust: if even a single tallier is attacked or becomes dysfunctional for whatever reason, then all ballots would be lost. Such a risk is utterly unacceptable in voting systems. Our protocols, on the other hand, can withstand the loss of D − D talliers. In view of the above discussion, the tradeoff in setting the number of talliers D is clear: higher values of D provide higher security since more talliers would need to be corrupted in order to breach the system's security. Higher values of D also provide higher robustness, since the system can withstand higher numbers of tallier failures. However, increasing D has its costs: more independent and reputable talliers are needed, and the computational costs of our protocols increase, albeit modestly (see Section 5). We would like to stress that our protocols focus on securing the computation of the election results. Needless to say that those protocols must be integrated into a comprehensive system that takes care of other aspects of voting systems. For example, it is essential to guarantee that only registered voters can vote, and that each one can vote just once. It is possible to ensure such conditions by standard means. Another requirement is the need to prevent attacks of malicious adversaries. In the context of our protocols, an adversary may eavesdrop on the communication link between some voter V n and at least D of the talliers, and intercept the messages that V n sends to them (in Protocol 1's Line 7) in order to recover V n 's ballot. That adversary may also replace V n 's original messages to all D talliers with other messages (say, ones that carry shares of a ballot that reflects the adversary's preferences). Such attacks can be easily thwarted by requiring each party (a voter or a tallier) to have a certified public key, encrypt each message that he sends out using the receiver's public key and then sign it using his own private key; also, when receiving messages, each party must first verify them using the public key of the sender and then send a suitable message of confirmation to the receiver. Namely, each message that a voter V n sends to a tallier T d in Line 7 of Protocol 1 should be signed with V n 's private key and then encrypted by T d 's public key; and T d must acknowledge its receipt and verification. Our goal herein is to establish the practicality of our protocol. Our protocol relies on expensive cryptographic sub-protocols -secure comparisons and secure multiplications. All other operations that the voters and talliers do (random number generation, and standard/non-secure additions and multiplications) have negligible costs in comparison to those of the cryptographic computations. In this section we provide upper bounds for the overall cost of the cryptographic computations, in various election settings, in order to show that our protocol is viable and can be implemented in practical elections with very light overhead. There are four parameters that affect the performance of our protocol: (a) The size p of the underlying field. We chose the prime p = 2 31 −1 as the size of the underlying field. It is sufficiently large for our purposes, as discussed in Section 4.7. Moreover, that specific setting of p serves us well also due to another reason. p = 2 31 − 1 is a Mersenne prime (namely, a prime of the form 2 t − 1 for some integer t). Choosing such primes is advantageous, from computational point of view, since multiplying two elements in such fields can be done without performing an expensive division (in case the multiplication result exceeds the modulus). (b) The number D of talliers. We set that number to be D ∈ {3, 5, 7, 9}, where, as explained in Section 4.8, larger values of D provide greater security, as well as higher runtimes. (c) The number M of candidates. Order-based rules require each voter to provide a full ordering of the entire set of candidates. Pairwise comparisons is a common method for eliciting voter preferences when a full order is required. A sequence of comparative questions in the form of "Which of the following two candidates do you prefer?" are easier for the voter than a request for a complete order, see [18] . Whether the voters are required to submit a full ranking of the set of M candidates, or they need to compare pairs of candidates (in which case roughly log 2 (M !) questions are needed in order to determine a full ordering of the M candidates), it is clear that such order-based rules are relevant only for a small number of candidates. In our evaluation we considered M ∈ {5, 10, 20}. (d) The number N of voters. That number affects only the time for validating the cast ballots. We provide here runtimes for validating batches of B ballots, for B ∈ {500, 5000, 25000}. Those runtimes should be multiplied by N/B in order to get the overall time for validating all incoming ballots. Chida et al. [13] report runtimes for performing secure multiplications. Their experiments were carried on Amazon AWS m5.4xlarge machines at N. Virginia over a network with bandwidth 9.6Gbps. They experimented over a larger field of size p = 2 61 − 1 (which is also a Mersenne prime). Clearly, runtimes for our smaller prime, p = 2 31 − 1, would be shorter; but since we are interested only in upper-bounding the computational overhead of our protocol, in order to establish its practicality, those numbers will suffice for our needs. They experimented with a circuit that consists of one million multiplication gates that are evenly spread over {20, 100, 1000} layers; hence, in each layer there are {5·10 4 , 10 4 , 10 3 } multiplication gates, respectively. The reported runtimes as a function of D, the number of talliers, are shown in Table 2 . We begin by computing the needed runtimes for performing batch validations when M = 20. We exemplify the computation in two cases: one in which the batch size is B = 500 and another in which the batch size is increased 50-fold, i.e., B = 25000. To row in Table 2 , if we multiply the runtimes shown there by a factor of 190 1000 . That is, the batch validation of B = 500 ballots would take 255/324/352/426 mili-seconds when D = 3/5/7/9. Therefore, to validate a million ballots, it would take 510/648/704/852 seconds. Those runtimes may be improved by enlarging the batch size. The time to validate a batch of B = 25000 ballots, when M = 20, can be inferred from the first row in Table 2 , if we multiply the runtimes shown there by a factor of 190 20 . That is, the batch validation of B = 25000 ballots would take 7.847/8.018/10.051/12.454 seconds when D = 3/5/7/9. Therefore, validating a million ballots, would take 314/321/402/498 seconds. In general, it is not hard to see that the runtimes for validating one million ballots in batches of size B = 500/5000/25000 can be read from Table 2 by multiplying the times reported there in the third/second/first row by a factor of M (M − 1). Elections usually span a long time (typically at least 1 day) and the batch validation of ballots can take place along that period whenever a number of B new ballots were received. Hence, the above analysis shows that the runtimes for validating incoming ballots are very realistic and are not expected to slow down the election process. To evaluate the runtime of performing the secure comparison sub-protocol we ran it on Amazon AWS m5.4xlarge machines at N. Virginia over a network with bandwidth 9.6Gbps. We performed our evaluation with D ∈ {3, 5, 7, 9} talliers. The measured runtimes are given in Table 4 . As can be seen, the implied runtimes are negligible. For example, when M = 5, the runtime of this stage is upper bounded by 1.2 seconds, when using the highest number of talliers, D = 9, while for M = 20 it is upper bounded by 22.8 seconds. The runtimes in the case of Maximin are even smaller, since then the number of secure comparisons is bounded only by 1.5 · M 2 (see Section 4.6). In summary, it is possible to achieve perfect ballot secrecy, as our protocol offers, at a very small computational price. Here we consider two other order-based rules -Kemeny-Young [26, 39] and Modal Ranking [9] , and describe secure protocols for implementing them. 6.1 Kemeny-Young 6 In this rule, the ballot of each voter is a ranking of all candidates, where ties are allowed. Hence, the ballot of V n , n ∈ [N ], may be described by an Mdimensional array, R n , where the mth entry in that array, R n (m), m ∈ [M ], is a number in [M ] that equals the rank of C m in V n 's preference list. For example, assume that there are four candidates: Alice (C 1 ), Bob (C 2 ), Carol (C 3 ) and David (C 4 ). Then if V n ranks Carol as her top candidate, Bob as her second choice, and either Alice or David as her last choices, then her ballot would be the vector R n = (3, 2, 1, 3). This vector ballot is then translated into a matrix P n of dimensions M × M , where P n (m, ) = 1 if C m is ranked strictly higher than C in R n , and P n (m, ) = 0 otherwise. In the above example, namely, one goes over all pairs of candidates C m and C such that ρ ranks C m higher than C (in the sense that σ m < σ ) and adds up the number of voters who agreed with this pairwise comparison. The ranking ρ with the highest score is selected, and the K leading candidates in that ranking are the winners of the election. As in Protocol 1 for Copeland and Maximin, each voter V n secret shares the entries of his ballot matrix P n among the D talliers using a D -out-of-D scheme. Secret sharing is applied on each of the M 2 −M non-diagonal entries of P n , since the diagonal entries are always zero. To validate each in-coming ballot matrix, the talliers only need to check that all entries are in {0, 1} and that for every 1 ≤ m < ≤ M , P n (m, ) + P n ( , m) ∈ {0, 1}. Indeed, the sum of two opposing entries, P n (m, ) and P n ( , m), will always equal 1 (if one of C m and C is ranked higher than the other) or 0 (if both are in a tie). The validation of such conditions goes along the lines that we described in Section 4.4.1. After validating the cast ballots, the talliers add up their shares in P n , for all validated ballot matrices, and then get D -out-of-D shares in each of the non-diagonal entries in P . To compute secret shares in the score of each possible ranking ρ, the talliers need only to perform summation according to Eq. (11) . Note that that computation does not require the talliers to interact. Finally, it is needed to find the ranking with the highest score. That computation can be done by performing secure comparisons, as described in Section 3.3. In modal ranking, every voter submits a ranking of all candidates, where the ranking has no ties. Namely, if R C is the set of all M ! rankings of the M candidates in C, the ballot of each voter is a selection of one ranking from R C , as determined by her preferences. The rule then outputs the ranking that was selected by the largest number of voters (i.e., the mode of the distribution of ballots over R C ). In case there are several rankings that were selected by the greatest number of voters, the rule outputs all of them, and then the winners are usually the candidates whose average position in those rankings is the highest. Modal ranking rule is an order-based voting rule over C, but it is equivalent to the Plurality score-based voting rule (see [6] ) over the set of candidate rankings R C . Hence, it can be securely implemented by the protocol that was presented in [19] . In this study we presented a protocol for the secure computation of orderbased voting rules. Securing the voting process is an essential step towards a fully online voting process, which is needed more than ever in these current times of social distancing. A fundamental assumption in all secure voting systems that rely on fully trusted talliers (that is, talliers who receive the actual ballots from the voters) is that the talliers do not misuse the ballot information and that they keep it secret. In contrast, our protocol significantly reduces the trust vested in the talliers, as it denies the talliers access to the actual ballots and utilizes MPC techniques in order to compute the desired output without allowing any party an access to the inputs (the private ballots). Even in scenarios where some (a minority) of the talliers betray that trust, privacy is ensured. Such a reduction of trust in the talliers is essential in order to increase the confidence of the voters in the voting system so that they would be further motivated to exercise their right to vote and, moreover, vote according to their true preferences, without fearing that their private vote will be disclosed to anyone. Our protocol offers perfect ballot secrecy: the protocol outputs the identity of the winning candidates, but the voters as well as the talliers remain oblivious of any other related information, such as the actual ballots or any other value that is computed during the tallying process (e.g., how many voters preferred one candidate over the other). The design of a mechanism that offers perfect ballot secrecy must be tailored to the specific voting rule that governs the elections. Others have studied Plurality, Majority Judgement, and Approval voting rules [29, 37, 8] , or the entire family of score-based rules [19] . However, ours is the first study that offers a privacy-preserving solution for order-based voting rules. We specifically demonstrated our solution on the following order-based rules: Copeland, Maximin, Kemeny-Young and Modal-Ranking. We showed that our solution is lightweight and can thus be readily implemented in real-life orderbased elections. The present study suggests several directions for future research: (a) A running voting system. To demonstrate the features and advantages of the secure protocols presented here, we intend to implement a running voting system, as was done in [20] for the secure protocols implementing score-based rules [19] . (b) Multi-winner elections. Typical voting rules are usually oblivious to external social constraints, and they determine the identity of the winners solely based on the private ballots. This is the case with the voting rules that we considered herein. In contrast, so called multi-winner election rules are designed specifically for selecting candidates that would satisfy the voters the most [23, 21] , in the sense that they also comply with additional social conditions (e.g., that the selected winners include a minimal number of representatives of specific gender, race, region etc.). This problem has unique features and it therefore requires its own secure protocols. Examples for voting rules that are designed for such a purpose are Chamberlin-Courant [10] and Monroe [28] . (c) Malicious talliers. Our protocol assumes that the talliers are semihonest, i.e., that they follow the prescribed protocol correctly. The semihonesty of the talliers can be ensured in practice by securing the software and hardware of the talliers. However, it is possible to design an MPC protocol that would be immune even to malicious talliers that may deviate from the prescribed protocol. While such protocols are expected to have significantly higher runtimes, they could enhance even further the security of the system and the trust of voters in the preservation of their privacy. Helios: Web-based open-audit voting A theory of measuring, electing, and ranking Secret sharing homomorphisms: Keeping shares of a secret secret Safeguarding cryptographic keys Almost entirely correct mixing with applications to voting Handbook of computational social choice Decentralized voting with unconditional privacy Practical strategy-resistant privacy-preserving elections Modal ranking: A uniquely robust voting rule Representative deliberations and representative decisions: Proportional representation and the borda rule Elections with unconditionally-secret ballots and disruption equivalent to breaking RSA Untraceable electronic mail, return addresses, and digital pseudonyms Fast large-scale honest-majority MPC for malicious adversaries A reasonable social welfare function A secure and optimally efficient multi-authority election scheme A generalization of pailliers public-key system with applications to electronic voting Scalable and unconditionally secure multiparty computation The method of paired comparisons Fear not, vote truthfully: Secure multiparty computation of score based rules A secure voting system for score based elections What do multiwinner voting rules do? an experiment over the two-dimensional euclidean domain Llull and copeland voting computationally resist bribery and constructive control Multiwinner voting: A new challenge for social choice theory Hse-voting: A secure high-efficiency electronic voting scheme based on homomorphic signcryption Making mix nets robust for electronic voting by randomized partial checking Mathematics without numbers Providing receipt-freeness in mixnet-based voting protocols Fully proportional representation An improved e-voting scheme using secret sharing based secure multi-party computation A verifiable secret shuffle and its application to evoting Multiparty computation for interval, equality, and comparison without bit-decomposition protocol Blockchain centered homomorphic encryption: A secure solution for e-balloting Provably secure (broadcast) homomorphic signcryption. International Journal of Foundations of Computer Science Receipt-free mix-type voting scheme How to share a secret On defining areas of voter choice: Professor tullock on stable voting A secure verifiable ranked choice online voting system based on homomorphic encryption Protocols for secure computation Sincew is a constant and r d is a D -out-of-D share in R, thenŵ d is a D -out-of-D share inw − R = w + R − R = w, as needed Such a matrix clearly satisfies conditions 1, 2 and 3 in the theorem. It also satisfies condition 4, as we proceed to show. Fix m ∈ [M ] and let k ∈ [M ] be the unique index for which m = j k . Then the mth column in Q consists of exactly k − 1 entries that equal 1, M − k entries that equal −1, and a single entry on the diagonal that equals 0. Hence, Q m , which is the sum of entries in that column, equals 2k − M − 1. Clearly, all those values are distinct, since the mapping m → k is a bijection Here we describe how the generic secret-sharing-based protocol of Damgård and Nielsen [17] emulates multiplication gates. That computation requires the interacting parties to generate shares in a random field element r, such that r distributes uniformly on Z p and it remains unknown to all parties. We begin by describing a manner in which this latter task can be carried out.To generate shares in a random field element, each party T d , d ∈ [D], generates a uniformly random field value ρ d and performs a D -out-of-D sharing of it among T 1 , . . . , T D . At the completion of this stage, each T d adds up all the D shares that he received and gets a value that we denote by r d . It is easy to see that {r 1 , . . . , r D } is a D -out-of-D sharing of the random value ρ = d∈[D] ρ d . Clearly, ρ is a uniformly random field element, as it is a sum of uniformly random independent field elements. Now we turn to explain the processing of multiplication gates. Let . Those values are point values of the polynomial f (·)g(·), which is a polynomial of degree 2D − 2. Hence, {w 1 , . . . , w D } is a (2D − 1)-out-of-D sharing of w. Note that as D := (D + 1)/2 , then 2D − 1 ≤ D; therefore, the D parties have a sufficient number of shares in order to recover w. However, our goal is to obtain a Dout-of-D sharing of w, namely a set of shares in w, of which any selection of only D shares can be used to reconstruct w. Hence, we proceed to describe a manner in which the parties can translate this (2D − 1)-out-of-D sharing of w into a D -out-of-D sharing of w.To do that, the parties generate two sharings of the same uniformly random (and unknown) field element R: a D -out-of-D sharing, denoted {r 1 , . . . , r D }, and a (2D − 1)-out-of-D sharing, denoted {R 1 , . . . , R D }. Next, each T d computesw d = w d +R d and sends the result to T 1 . Since {w 1 , . . . ,w d } is a (2D − 1)-out-of-D sharing of w + R, T 1 can use any 2D − 1 of those shares in order to reconstructw := w + R. T 1 broadcasts that value to all