Page 129 - Towards Trustworthy Elections: New Directions in Electronic Voting by Ed Gerck (auth.), David Chaum, Markus Jakobsson, Ronald L. Rivest, Peter Y. A. Ryan, Josh Benaloh, Miroslaw Kutylowski, Ben Adida
Unconditionally Secure Electronic Voting 121

loss of generality, but the malicious voter is unable to identify who is the cheated verifier. In this case, the malicious voter is trying to post a modified polynomial $P'(x)$ where $P'(x) \neq P(x)$. The verifier is trying to check the validity of the proof by checking the equations

$$P'(0) = 0$$

$$P'(v_k) = p_k (p_k - 1) + v_k R_{i0}(v_k)$$

where $p_k = S_{i1}(v_k, y)|_{y=0} + \alpha_i S_{i2}(v_k, y)|_{y=0}$. Note that $P'(v_k)$ must agree with the value computed by Verifier$_k$ from $p_k$ and $R_{i0}(v_k)$. Here, $P'(0) = 0$ must be satisfied. Otherwise, every verifier rejects the vote of the malicious voter. Thus, we are interested in the case that the second equation eventually holds for some verifier $k$. Assuming the $v_k$ and the polynomials $S_{i1}(x)$, $S_{i2}(x)$, $R_{i0}(x)$ are uniformly distributed, the probability that this case happens is $1 - \left(\frac{q-1}{q}\right)^L \le L/q$.
Now we prove (3). In the Tallying phase, tallying authority Authority$_j$ posts $(U_j, S_j(x))$ on the bulletin board, where $U_j$ is a set of indices of the votes which Authority$_j$ accepted and $S_j(x)$ is a verifiable share which is a sum of every share of the votes posted for Authority$_j$. If all the talliers are honest, then all $U_j$'s for $j = 1, \ldots, N$ agree with the same set unless they are cheated by the voters with negligible probability (this is from the unanimity property of US-PVSS). Furthermore, every honest verifier accepts the verifiable shares $\{S_j(x)\}$ and can compute the final tally. We will consider the case that there exists at least one verifier, for example $k$, who is cheated by some malicious tallying authorities (colluding up to $t$), but the malicious tallying authorities have no idea who is cheated. Thus, the goal of the malicious tallying authorities is to have some verifier $k$ accept a wrong pair $(U'_j, S'_j(x))$ where $(U'_j, S'_j(x)) \neq (U_j, S_j(x))$.
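Here, $S_j(x)$ can be written as follows:

$$\begin{aligned}
S_j(x) &= \sum_{i \in U_j} E_{ij}(x) - \sum_{i \in U_j} R_{ij}(x) \\
       &= \sum_{i \in U_j} \bigl( S_{i1}(x, j) + \alpha_i S_{i2}(x, j) \bigr).
\end{aligned}$$

Verifier$_k$ checks the validity of $S_j(x)$ by the following equation:

$$S_j(v_k) = \sum_{i \in U_j} \bigl( S_{i1}(v_k, j) + \alpha_i S_{i2}(v_k, j) \bigr).$$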
In the case that $U_j = U'_j$, it must be that the malicious authority Authority$_j$ output a tallying result $S'_j(x) \neq S_j(x)$ and there exists at least one $k$ such that Verifier$_k$ accepted $S'_j(x)$. From a similar discussion as above, the probability that at least one public verifier, Verifier$_k$, accepts the wrong polynomial $S'_j(x)$ is $1 - \left(\frac{q-1}{q}\right)^L \le L/q$.
Otherwise, $U_j \neq U'_j$. This must be the case that there exists at least one $E_{ij}(x)$ and at least one
This case happen is bounded by L/q. Thus, the success probability for the
malicious tallying authorities is again exponentially small.
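The bound $1 - \left(\frac{q-1}{q}\right)^L \le L/q$, used above for both the malicious voter and the malicious tallying authorities, is derived here step by step as an added note that is not part of the original text. It assumes that $L$ is the number of verifiers (the symbol is not defined on this page) and that a wrong polynomial passes each verifier's check independently with probability $1/q$, which is how the expression $\left(\frac{q-1}{q}\right)^L$ reads under the stated uniformity assumption.

$$\Pr[\text{no verifier accepts}] = \left(1 - \frac{1}{q}\right)^L = \left(\frac{q-1}{q}\right)^L$$

$$\Pr[\text{at least one verifier accepts}] = 1 - \left(\frac{q-1}{q}\right)^L$$

Bernoulli's inequality gives $(1 - x)^L \ge 1 - Lx$ for $0 \le x \le 1$ and integer $L \ge 1$. Setting $x = 1/q$:

$$1 - \left(1 - \frac{1}{q}\right)^L \le 1 - \left(1 - \frac{L}{q}\right) = \frac{L}{q}.$$

The same value $L/q$ is what a union bound over the $L$ verifiers yields, so the adversary's success probability is small whenever the field size $q$ is much larger than the number of verifiers $L$.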

