Paper 2020/909

When is a test not a proof?

Eleanor McMurtry, Olivier Pereira, and Vanessa Teague


A common primitive in election and auction protocols is plaintext equivalence test (PET) in which two ciphertexts are tested for equality of their plaintexts, and a verifiable proof of the test's outcome is provided. The most commonly-cited PETs require at least one honest party, but many applications claim universal verifiability, at odds with this requirement. If a test that relies on at least one honest participant is mistakenly used in a place where universally verifiable proof is needed, then a collusion by all participants can insert a forged proof of equality into the tallying transcript. We show this breaks universal verifiability for the JCJ/Civitas scheme among others, because the only PETs they reference are not universally verifiable. We then demonstrate how to fix the problem.

Available format(s)
Cryptographic protocols
Publication info
Published elsewhere. MINOR revision.European Symposium on Research in Computer Security
election schemescryptographic protocolszero knowledge
Contact author(s)
emcmurtry @ student unimelb edu au
2020-09-03: revised
2020-07-18: received
See all versions
Short URL
Creative Commons Attribution


      author = {Eleanor McMurtry and Olivier Pereira and Vanessa Teague},
      title = {When is a test not a proof?},
      howpublished = {Cryptology ePrint Archive, Paper 2020/909},
      year = {2020},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.