Towards Trustworthy Elections New Directions in Electronic Voting by Ed Gerck (auth.), David Chaum, Markus Jakobsson, Ronald L. Rivest, Peter Y. A. Ryan, Josh Benaloh, Miroslaw Kutylowski, Ben Adida
A. Otsuka and H. Imai
Next, we prove that the privacy property is satisfied by the protocol.
From the definition of privacy, the adversary is allowed to corrupt $T$ public verifiers and $t$ tallying authorities. Without loss of generality, we assume the adversary is corrupting a set of public verifiers
$$Y_T = \{\mathrm{Verifier}_1, \ldots, \mathrm{Verifier}_T\}$$
and a set of tallying authorities
$$Z_t = \{\mathrm{Authority}_1, \ldots, \mathrm{Authority}_t\},$$
respectively.
Let $\mathrm{Voter}_i$ be a target voter, again without loss of generality. The information posted by $\mathrm{Voter}_i$ is in the following form: $(E_{i1}(x), E_{i2}(x), \ldots, E_{iN}(x), \alpha_i, P_i(x))$, where
$$E_{ij} = S_{i1}(x, j) + \alpha S_{i2}(x, j) + R_{ij}(x)$$
for $j = 1, \ldots, N$ and
$$P_i(x) = \bigl(S_{i1}(x, 0) + \alpha S_{i2}(x, 0)\bigr) \times \bigl(S_{i1}(x, 0) + \alpha S_{i2}(x, 0) - 1\bigr) + x R_{i0}(x).$$
The cast information except for $P_i(x)$ is exactly the same as that in the US-PVSS. Thus, we focus on the information leak from $P_i(x)$.
From $Y_T$, the adversary already knows
$\{R_{i0}(v_1), \ldots, R_{i0}(v_T)\}$,
$\{S_{i1}(v_1, y), \ldots, S_{i1}(v_T, y)\}$, and
$\{S_{i2}(v_1, y), \ldots, S_{i2}(v_T, y)\}$.
The adversary cannot recover $R_{i0}(x)$ from $\{R_{i0}(v_1), \ldots, R_{i0}(v_T)\}$, since $R_{i0}(x)$ has degree $2T$. Further, the adversary still has the same entropy on a target univariate polynomial $S_{i1}(x, 0) + \alpha S_{i2}(x, 0)$.
The rest of the information available to the adversary is exactly the same as that in the US-PVSS. The construction described above is based on the US-PVSS construction in Section 3.2; thus it is perfectly private by Theorem 3.
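The role of $P_i(x)$ and of the degree-$2T$ mask $R_{i0}(x)$ can be seen in the following added Python example, which is not code from the paper. It assumes a constructed prime modulus, treats $s(x) = S_{i1}(x,0) + \alpha S_{i2}(x,0)$ as a single univariate polynomial of degree $T$ whose constant term is the voter's secret, and assumes each verifier at point $v_k$ checks $P_i(0) = 0$ and $P_i(v_k) = s(v_k)(s(v_k) - 1) + v_k R_{i0}(v_k)$; all function names are hypothetical.

```python
import random

Q = 2**61 - 1  # constructed prime modulus (assumption; the page only names q)

def ev(c, x):
    """Evaluate a polynomial (coefficients low degree first) at x mod Q."""
    acc = 0
    for a in reversed(c):
        acc = (acc * x + a) % Q
    return acc

def mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % Q
    return out

def add(a, b):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return [(x + y) % Q for x, y in zip(a, b)]

def make_proof(s, r0):
    """P(x) = s(x) * (s(x) - 1) + x * R_i0(x)."""
    return add(mul(s, [(s[0] - 1) % Q] + s[1:]), [0] + r0)

def verifier_accepts(P, v, s_v, r_v):
    """Assumed check by the verifier at point v, who holds s(v) and R_i0(v)."""
    return ev(P, 0) == 0 and ev(P, v) == (s_v * (s_v - 1) + v * r_v) % Q

def run(secret, T=3, seed=1):
    """True iff all T verifiers accept a ballot whose secret is s(0) = secret."""
    rng = random.Random(seed)
    s = [secret % Q] + [rng.randrange(Q) for _ in range(T)]  # degree T
    r0 = [rng.randrange(Q) for _ in range(2 * T + 1)]        # degree 2T mask
    P = make_proof(s, r0)
    points = range(1, T + 1)  # constructed verifier points v_1..v_T
    return all(verifier_accepts(P, v, ev(s, v), ev(r0, v)) for v in points)

def same_view_different_mask(T=3, seed=1):
    """R' = R + prod(x - v_k) differs from R yet agrees at all T corrupted points."""
    rng = random.Random(seed)
    r0 = [rng.randrange(Q) for _ in range(2 * T + 1)]
    points, vanish = range(1, T + 1), [1]
    for v in points:
        vanish = mul(vanish, [(-v) % Q, 1])
    r_alt = add(r0, vanish)
    return r_alt != r0 and all(ev(r0, v) == ev(r_alt, v) for v in points)
```

A secret of 0 or 1 makes the constant term $s(0)(s(0)-1)$ vanish, so `run(0)` and `run(1)` are accepted while `run(2)` is rejected; `same_view_different_mask()` exhibits two distinct masks that the $T$ corrupted verifiers cannot tell apart.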
To prove integrity, we have to show (1) the consistency of encrypted shares, (2) the security of the proof $P_i(x)$, which convinces the verifiers that the secret of each voter's PVSS lies in $\{0, 1\}$, and (3) the validity of the output of each tallying authority.
(1) is straightforward from the property of US-PVSS. In the construction, we have $L$ public verifiers. Thus, the probability that a malicious voter gets an inconsistent ballot $E_{ij}$ accepted by at least one of the honest public verifiers is upper-bounded by $L/q$ by Theorem 3.
Next, we prove (2). It is easy to see that if the voter is honest, every honest verifier will accept the proof with probability 1. We will further consider the case that a malicious voter is trying to cheat at least one verifier, $\mathrm{Verifier}_k$, without

