Cryptology ePrint Archive: Report 2020/909

When is a test not a proof?

Eleanor McMurtry and Olivier Pereira and Vanessa Teague

Abstract: A common primitive in election and auction protocols is plaintext equivalence test (PET) in which two ciphertexts are tested for equality of their plaintexts, and a verifiable proof of the test's outcome is provided. The most commonly-cited PETs require at least one honest party, but many applications claim universal verifiability, at odds with this requirement. If a test that relies on at least one honest participant is mistakenly used in a place where universally verifiable proof is needed, then a collusion by all participants can insert a forged proof of equality into the tallying transcript. We show this breaks universal verifiability for the JCJ/Civitas scheme among others, because the only PETs they reference are not universally verifiable. We then demonstrate how to fix the problem.

Category / Keywords: cryptographic protocols / election schemes, cryptographic protocols, zero knowledge

Date: received 18 Jul 2020, last revised 18 Jul 2020

Contact author: emcmurtry at student unimelb edu au

Available format(s): PDF | BibTeX Citation

Version: 20200718:161816 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]