Page 263 - Towards Trustworthy Elections New Directions in Electronic Voting by Ed Gerck (auth.), David Chaum, Markus Jakobsson, Ronald L. Rivest, Peter Y. A. Ryan, Josh Benaloh, Miroslaw Kutylowski, Ben Adida ( (z-lib.org (1)
P. 263
Thus, our upper bound on the probability that the election authority gets
away with malforming k out of n ballots when f of those ballots are audited
f k
is min[(1 − ) , (1 − ) ].
n
n
7.4 Second Audit k f An Introduction to PunchScan 255
In order to check that a given ballot receipt was properly printed, one can reen-
crypt it (that is, recompute the commitments) and compare it with the P-matrix.
Suppose n ballots remain unspoiled after the first audit, f are actually used by
voters who later check the commitments, and k of them are improperly printed.
Once again, the upper bound on the probability that none of the misprinted
f k
k f
ballots are detected is min[(1 − ) , (1 − ) ].
n n
7.5 Third Audit
In addition to checking that the ballot is correctly printed, one can also verify
that the recorded ballot mark matches the mark on the receipt. In effect, this
verifies the correctness of P 3 . Again, if n ballots remain unspoiled after the
first audit, f are actually used by voters who verify that their ballot marks
are correctly recorded online, and k ballots are incorrectly recorded, then the
upper bound on the probability that none of the incorrectly-recorded marks are
k f
f k
detected is min[(1 − ) , (1 − ) ].
n n
7.6 Fourth Audit
The election authority may influence the vote tally by incorrectly decrypting the
ballots. There are two methods we may use for auditing the election authority
to ensure that this does not occur.
Ballot-wise Auditing. Suppose the auditor goes through a D-matrix ballot-
by-ballot (that is, row-by-row) and randomly chooses whether to inspect (open)
the “left” or “right” commitment for each ballot. This situation is different from
the first three audits because all ballots are inspected, but each inspection has
only a 1 chance of catching a modification. This makes the situation simpler;
2
the chance of k modified ballots all escaping detection is 2 −k .
Table-wise Auditing. On the other hand, the auditor may choose to open
all the “left” or “right” commitments for a given D-matrix. Assuming that the
election authority intends to cheat during the decryption and is aware of this,
he will put all his cheating in a given D-matrix in either the “left” or “right”
commitment, so that he has a 1 chance of escaping detection when that D-matrix
2
is inspected. If there are nD-matrices, then the chance of escaping detection if
any ballots are incorrectly decrypted is 2 −n .
Comparison. Both of these methods have desirable properties. The ballot-wise
method has the feature that the probability of detecting cheating is a function of
the number of ballots cheated on, and increases exponentially with a linear in-
crease in number of cheated ballots. The table-wise method has the feature that
the audit does not reduce the size of the anonymity set created by the shuffle.
