D Shape of Valid Ballots - A Formal Analysis of the Norwegian E-Voting Protocol

In this section, we show that we can derive a specific shape for ballots that pass the different tests during the protocol execution. We first define a measure for the length of terms and provide a definition for what we call valid ballots.

Definition 8. We define|.| : T (Σ, X , N ) → N recursively as follows:

• |u| = 1 for u a constant or a variable,

• |f(u¹, . . . , un)| =P |uⁱ| if f ∈ {+, ∗, ◦, }.

• |f(u¹, . . . , un)| = 1 +P |uⁱ| otherwise.

We also defineL : T (Σ,X , N ) → N×N which is defined as L(M) = (||M||, |M|) where ||.|| : T (Σ, X , N ) → N is defined as follows with #◦(M ) the number of◦ symbols in M:

• ||u|| = 0 for u a constant or a variable,

• ||f(u¹, . . . , un)|| =







#_◦(f (u1, . . . , un)) +P ||uⁱ||, f ∈ {penc, renc}

P ||uⁱ||, otherwise.

Definition 9. Letid ∈ {id1, . . . , id_n}. A term M is said to be a id-valid ballot if φB(id, M ) is verified, equivalently:











M = hM¹, M2, M3, M4i M1 =E vk(id)

checksign(hM², M3i, M¹, M4) =E ok checkpfk1(M1, M2, M3) =E ok

Then, we can give the general shape of the two first ballots submitted by honest voters on which we have some extra information. But we first recall some definitions:

θ_init={^vk(id^k⁾/_idp_k,^s(id^k⁾/_s_k | k = 1..n} | {^vk(id^R⁾/_idp_R} | {^pk(a^k⁾/_g_k | k = 1..3}, θ0= θinit| {^penc(v^k^,t^k^,g¹⁾/ek,^pfk¹^(id^k^,t^k^,v^k^,e^k⁾/pk,^sign(he^k^,p^k^i,id^k⁾/sik| k = 1..2}, θk= θ_k−1| {sign(hash(Π1(M_k)),id_R)/sr_k,^d(p(id^k^),dec(Π²^(M^k^),a³⁾⁾/rec_k}, ˆ

σ_i^j={^M^k^α/xk | k = 1..i} | {^N^k^α/x_b^k| k = 1..min(i, 2)} | {^U^k^α/dk,^W^k^α/hbk| k = 1..j}.

Lemma 17. We consider i ∈ {1, 2} and M a free term such that fv(M) ⊆ dom(θⁱ−1σˆ⁰_i−1σL) and M θi−1σˆ⁰_i−1σL be anidi-valid ballot. We suppose thatν ˜ω.θi−1ˆσ_i−1⁰ σL ≈^s ν ˜ω.θi−1ˆσ_i−1⁰ σR. Then, we have, forσ∈ {σ^L, σR} :

M θi−1σˆ_i⁰₋₁σ =Ehidpi, e_i, p_i, si_iiθⁱ−1σˆ_i⁰₋₁σ.

Proof. Leti∈ {1, 2} and M a free term s.t. fv(M) ⊆ dom(θⁱ−1σˆ_i⁰₋₁σL) and M θi−1σˆ_i⁰₋₁σLis a idi-valid ballot. LetM⁰minimal in size - according to the measure of lengthL defined in Definition 8 - such that:

M⁰θi−1ˆσ_i⁰₋₁σL=EM θi−1σˆ⁰_i₋₁σL.

According to Definition 9, we haveM⁰θi−1σˆ⁰_i−1σL =EhP¹, P2, P3, P4i.

• Let suppose thatM⁰ is a variable. Since @ x ∈ dom(θi−1) such that xθ_i−1σˆ⁰_i₋₁σL is a id_i-valid ballot, there is a contradiction.

• Thus, M⁰ = f (M1, . . . , Mn) with f ∈ {dec, fst, pair, snd, unblind} since only equations (E-1), (E-2), (E-3) and (E-7) can lead tohP¹, P2, P3, P4i.

– Iff ∈ {dec, fst, snd, unblind}, using Lemma 15, we have a contradiction with the fact that head(M⁰θi−1σˆ_i⁰₋₁σL) = pair.

– Iff = pair, then M⁰ = hM¹, M⁰⁰i, with some free M¹. By repeating this reasoning, we get thatM⁰=hM¹, M2, M3, M4i, with some free Mⁱfori∈J1, 4K. Thus we have :

M⁰θi−1σˆ⁰_i₋₁σL=EhM¹, M2, M3, M4iθⁱ−1σˆ_i⁰₋₁σL

=EM θi−1ˆσ_i−1⁰ σL.

Sinceν ˜ω.θi−1σˆ_i−1⁰ σL≈^sν ˜ω.θi−1σˆ⁰_i−1σR, then, forσ∈ {σ^L, σR}:

M θ_i−1ˆσ_i⁰₋₁σ =E hM¹, M2, M3, M4iθi−1σˆ⁰_i₋₁σ.

Moreover, using again Definition 9, we have that:

M1θi−1σˆ_i−1⁰ σL=Evk(idi),

M3θ_i−1σˆ_i⁰₋₁σL=Epfk₁(idi, N1, N2, M2θ_i−1σˆ⁰_i₋₁σL), M4σˆi−1σ_i⁰₋₁σL=Esign(hM², M3iθⁱ−1σˆ⁰_i₋₁σL, id_i).

According to Lemma 16, we know thatM1,M3andM4must be variables or constructed terms. But since, according Lemma 9,id_iis not deducible,M1,M3andM4 must be variables. In that case, we must have M1 = idpi,M3= piandM4 = sii. And, according to the fact thatν ˜ω.θ_i−1σˆ_i⁰₋₁σL ≈^sν ˜ω.θ_i−1ˆσ_i⁰₋₁σR, we have, forσ∈ {σ^L, σR} and for some free M²:

M θi−1σˆ⁰_i₋₁σ =Ehidpi, M2, pi, siiiθⁱ−1σˆ_i⁰₋₁σ.

Now, sinceM3 = piand according to Definition 9, we must have thatM2θi−1σˆ_i⁰₋₁σL=E penc(vi, ti, g1) withM2free. Thus,M2is a variable orM2= f (M₁⁰, . . . , M_k⁰) with f ∈ {◦, dec, fst, penc, renc, snd, unblind}:

• Iff ∈ {dec, fst, snd, unblind}, using Lemma 15, we get a contradiction on the fact that head(M²θi−1σˆ⁰_i−1σL) = penc.

• IfM2= penc(M₁⁰, M₂⁰, M₃⁰) with free terms M₁⁰,M₂⁰ andM₃⁰, then using Lemma 14 we must have M₂⁰ = t_iwhich is in contradiction with Lemma 9 and the fact thatt_iis not deducible.

• IfM2= renc(M₁⁰, M₂⁰) with M₁⁰andM₂⁰free terms. We must haveM₁⁰θ_i−1σˆ_i⁰₋₁σL=Epenc(M₁⁰⁰, M₂⁰⁰, pk(M₃⁰⁰)) leading to the fact that a₁ =AC M₃⁰⁰+ M₂⁰θ_i−1ˆσ_i⁰₋₁σL whereM₂⁰ is free which is a contradiction

with Lemma 9.

• IfM2 = _k=1◦^p M_k⁰ withM_k⁰ free andhead(M_k⁰)6= ◦ for k ∈ J1, pK. To have a reduction, we must have, fork ∈ J1, pK, that Mk⁰θi−1σˆ⁰_i₋₁σL =E penc(M_k¹, M_k², pk(M_k³)), and since e1ande2are the only variables leading to a penc-headed term, we must have one M_k⁰ which is not a variable, otherwise we would havet1q ∗ t2s = t1withq + s = p≥ 2. Due to the study of previous cases, we must have thatM_k⁰ = penc(M₁⁰⁰, M₂⁰⁰, M₃⁰⁰) or renc(penc(M₁⁰⁰, M₂⁰⁰, M₃⁰⁰), M₄⁰⁰), but this leads to M₂⁰⁰θi−1σˆ⁰_i−1σL∗ U = t1with freeM₂⁰⁰which leads to a contradiction due to Lemma 9.

Thus, we have M2 variable and M2 = e₁, which allows us to conclude the proof, using equivalence between the two frames.

We know can give the general shape of the ballots submitted by the intruder, under the condition they are accepted by the Ballot Box. Once again, let us remind the usual notations:

θinit={^vk(id^k⁾/idpk,^s(id^k⁾/sk | k = 1..n} | {^vk(id^R⁾/idpR} | {^pk(a^k⁾/gk | k = 1..3}, θ0= θ_init| {^penc(v^k^,t^k^,g¹⁾/_e_k,^pfk¹^(id^k^,t^k^,v^k^,e^k⁾/_p_k,^sign(he^k^,p^k^i,id^k⁾/_si_k| k = 1..2}, θk= θk−1| {sign(hash(Π1(M_k)),id_R)/srk,^d(p(id^k^),dec(Π²^(M^k^),a³⁾⁾/reck}, ˆ

σ_i^j={^M^k^α/x_k | k = 1..i} | {^N^k^α/_x^k

b | k = 1..min(i, 2)} | {^U^k^α/d_k,^W^k^α/hb_k| k = 1..j}.

Lemma 18. Using previous notations, leti ∈ J3, nK and M a free term s.t. fv(M ) ⊆ dom(θi−1σˆ_i⁰₋₁) andM θi−1ˆσ_i⁰₋₁σLis anidi-valid ballot. We suppose thatν ˜ω.θi−1σˆ_i⁰₋₁σL≈^sν ˜ω.θi−1σˆ⁰_i₋₁σR. Then, for σ∈ {σ^L, σR} :

• M θi−1σˆ_i⁰₋₁σ =E hM¹, M2, M3, M4iθⁱ−1σˆ⁰_i₋₁σ with free M1,. . . ,M4,

• M1θi−1σˆ_i−1⁰ σ =Evk(id_i)θi−1ˆσ_i−1⁰ σ,

• M3θi−1σˆ_i−1⁰ σ =Epfk₁(id_i, N1, N2, N3)θi−1σˆ_i−1⁰ σ with free N1, . . . , N3,

• M2θi−1σˆ_i−1⁰ σ =Epenc(N2, N1, U )θi−1σˆ⁰_i−1σ with free U or U =ACpk(a_p+ U⁰) with free U⁰and a_p∈ {a1, a₃}.

Proof. Leti∈ {3, . . . , n}. Let M such that Mθi−1ˆσ_i⁰₋₁σLis a id_i-valid ballot. LetM⁰minimal in size -according to the measure of lengthL defined in Definition 8 - such that :

M⁰θ_i−1σˆ⁰_i₋₁σL=EM θ_i−1σˆ_i⁰₋₁σL (†) Using Definition 9, we haveM⁰θi−1σˆ⁰_i₋₁σL=hP¹, P2, P3, P4i.

• Let suppose thatM_i⁰ is a variable. Since @ x ∈ dom(θⁱ−1) such that xθi−1σˆ⁰_i₋₁σL is a idi-valid ballot, there is a contradiction.

• Thus, M⁰ = f (M1, . . . , Mp) with f ∈ {dec, fst, pair, snd, unblind} since only equations (E-1), (E-2), (E-3) and (E-7) can lead tohP¹, P2, P3, P4i.

– Iff ∈ {dec, fst, snd, unblind}, using Lemma 15, we have a contradiction with the fact that head(M_i⁰θi−1σˆ_i−1⁰ σL) = pair.

– Iff = pair, then M⁰ = hM¹, M⁰⁰i, with some free M¹. By repeating this reasoning, we get thatM⁰=hM¹, M2, M3, M4i, with some free terms M¹,M2,M3andM4. Thus we have :

M⁰θ_i−1σˆ⁰_i₋₁σL=EhM¹, M2, M3, M4iθi−1σˆ_i⁰₋₁σL

=EM θi−1σ_i⁰₋₁σL.

Sinceν ˜ω.θ_i−1σˆ_i⁰₋₁σL≈^sν ˜ω.θ_i−1σˆ⁰_i₋₁σR, then, forσ∈ {σ^L, σR}:

M θi−1σ_i−1⁰ σ =E hM¹, M2, M3, M4iθⁱ−1σ⁰_i−1σ.

Definition 9 implies thatM1θi−1σˆ⁰_i−1σL =E vk(id_i). Since idiis deducible (it is not restricted), we have here a public test and the equivalence is sufficient to show thatM1θi−1σˆ_i−1⁰ σ =E vk(id_i)θi−1ˆσ_i−1⁰ σ forσ∈ {σ^L, σR}.

Moreover, using Definition 9, we also have thatM3θi−1σˆ⁰_i−1σL=E pfk₁(id_i, P1, P2, P3).

• M3cannot be a variable since there is nox∈ dom(θi−1) s.t. xθ_i−1ˆσ_i⁰₋₁σL = pfk₁(id_i, P1, P2, P3) withi≥ 3.

• Thus, M3 = f (N1, . . . , Np) with f ∈ {dec, fst, pfk1, snd, unblind} since only equations (E-1), (E-2), (E-3) and (E-7) lead topfk₁(idi, P1, P2, P3).

– Iff ∈ {dec, fst, snd, unblind}, using Lemma 15, we have a contradiction with the fact that head(M3θ_i−1σˆ_i⁰₋₁σL) = pfk1.

– Iff = pfk1, thenM3= pfk₁(idi, N1, N2, N3), with some free N1,N2,N3. Sinceν ˜ω.θi−1σˆ_i⁰₋₁σL

≈^sν ˜ω.θi−1σˆ⁰_i₋₁σR, we have, forσ∈ {σ^L, σR}:

M3θ_i−1σˆ⁰_i₋₁σ =Epfk₁(idi, N1, N2, N3)θ_i−1σˆ_i⁰₋₁σ.

Finally, Definition 9 gives us that, for some termU , we have:

M2θ_i−1σˆ⁰_i₋₁σL=Epenc(N2θ_i−1σ_i−1σL, N1θ_i−1σˆ⁰_i₋₁σL, U ).

• IfM2is a variable, thenM2∈ {e1, e2}. In that case, we would have N¹θi−1ˆσ_i⁰₋₁σL =E t1(ort2) with freeN1which would mean thatt1(ort2) is deducible which is in contradiction with Lemma 9.

• Thus, M2 = f (V1, . . . , Vp) with f ∈ {dec, fst, penc, renc, snd, unblind, ◦} since only equations (E-1) to (E-3) and (E-5) to (E-7) lead topenc(P1, P2, P3).

– Iff ∈ {dec, fst, snd, unblind}, using Lemma 15, we have a contradiction with the fact that head(M2θ_i−1σˆ_i⁰₋₁σL) = penc.

– If f = renc i.e. M2 = renc(V1, V2). If V1 is variable, then V1 ∈ {e1, e₂} and we would have a contradiction with Lemma 9 since we would haveN1θ_i−1σˆ⁰_i₋₁σL =E tiandtiwould be deducible. Then V1 = g(V₁⁰, . . . , V_p⁰) with g ∈ {dec, fst, penc, renc, unblind, ◦} since head(V1θi−1σ⁰_i₋₁σL) = penc.

* If g ∈ {dec, fst, snd, unblind}, using Lemma 15, we have a contradiction with the fact that head(V1θi−1σˆ⁰_i₋₁σL) = penc.

* If g = renc and V¹ = renc(V₁⁰, V₂⁰), we have a contradiction with the minimality of M2

sincerenc(V₁⁰, V₂⁰+ V2) is a smaller recipe than renc(renc(V₁⁰, V₂⁰), V2) for L.

* If g = ◦ and V¹ = V₁⁰◦ V2⁰, we also have a contradiction with the minimality ofM2

sincerenc(V₁⁰, V2)◦ renc(V2⁰, V2) is a smaller recipe than renc(V₁⁰◦ V2⁰, V2) according to the Definition 8 of the measureL. Indeed, since M2θ_i−1σˆ⁰_i₋₁σL is reducing, we have (V₁⁰θ_i−1ˆσ_i⁰₋₁σL)↓= penc(U¹, U₁⁰, U₁⁰⁰) and (V₂⁰θ_i−1σ_i⁰₋₁σL)↓= penc(U², U₂⁰, U₂⁰⁰) with U₁⁰⁰= U₂⁰⁰implying that the two recipes lead to the same term.

* If g = penc and V¹= penc(V₁⁰, V₂⁰, V₃⁰). We have two cases :

· IfV₃⁰is a variable, thenV₃⁰ ∈ {g1, g2, g3} and M² = renc(penc(V₁⁰, V₂⁰, gp), V2) with free termsV₁⁰,V₂⁰andV2. In that case, we have :

M2θi−1σˆ⁰_i₋₁σL=Erenc(penc(V₁⁰, V₂⁰, g_p), V2)θi−1σˆ_i⁰₋₁σL(‡)

=Epenc(V₁⁰, V₂⁰, pk(ap+ V2))θi−1σˆ⁰_i−1σL

Thanks to the fact thatν ˜ω.θi−1σˆ_i⁰₋₁σL≈^sν ˜ω.θi−1σˆ⁰_i₋₁σRand (‡), we also have that:

M2θi−1σˆi−1σR=Erenc(penc(V₁⁰, V₂⁰, g_p), V2)θi−1σˆ_i−1⁰ σR

=Epenc(V₁⁰, V₂⁰, pk(ap+ V2))θi−1σˆ⁰_i−1σR

Then, we have, forσ∈ {σ^L, σR} :

M2θ_i−1σˆ_i⁰₋₁σ =Epenc(V₁⁰, V₂⁰, pk(a_p+ V2)))θ_i−1σˆ_i⁰₋₁σ.

Since

M2θi−1σˆ_i−1⁰ σL=Epenc(N2θi−1σˆ⁰_i−1σL, N1θi−1σˆ⁰_i−1σL, U ) we have thatV₁⁰θi−1σˆ_i−1⁰ σL=EN2θi−1σˆ⁰_i−1σLand

V₂⁰θi−1σˆ⁰_i−1σL =EN1θi−1σˆ⁰_i−1σL. Using the fact thatν ˜ω.θi−1σˆ⁰_i−1σL≈^sν ˜ω.θi−1ˆσ_i−1⁰ σR, these equalities hold withσR. Finally, forσ∈ {σ^L, σR} and free V²:

M2θi−1σˆ⁰_i₋₁σ =Epenc(N2, N1, pk(ap+ V2))θi−1σˆ⁰_i₋₁σ.

(Witha₂deducible,pk(a₂+ V2) can be seen as a free U .)

· If V₃⁰ = h(V₁⁰⁰, . . . , V_q⁰⁰) with h ∈ {dec, fst, pk, snd, unblind}, we conclude easily with a contradiction whenh 6= pk using Lemma 15. If h = pk then there is con-tradiction with minimality ofM2 sincepenc(V₁⁰, V₂⁰, pk(V₁⁰⁰+ V2)) is smaller than W₃^j = g2 otherwise this would imply that a1 or a3 is deducible which is contradic-tion with Lemma 9. Since ∀j ∈ J1, nK we have W

Then, we have, forσ∈ {σ^L, σR} :

M2θi−1σˆ_i⁰₋₁σ =E penc(V₁⁰, V₂⁰, pk(a₂+ V₃⁰))θi−1σˆ⁰_i₋₁σ.

* If p¹ = 0, we have M = ◦^pj=1² renc(penc(W₁^j, W₂^j, W₃^j), V₅^j) with W₃^j variables. To have a reduction, we still need to have that∀p, q ∈ J1, nK pk(ap+ V₅^p) = pk(a_q+ V₅^q) wherea_p, a_q ∈ {a1, a₂, a₃}. That leads us to M² = ◦^pj=1² renc(penc(W₁^j, W₂^j, g_k), V₅¹) withk∈ {1, 2, 3} and free W1^j,W₂^j,V₅¹(V₅¹is the minimal recipe among allV₅^j).

Then, we have :

M2θ_i−1σˆ_i⁰₋₁σL

=◦^pj=1² renc(penc(W₁^j, W₂^j, gk), V₅^k)θi−1σ_i−1⁰ σL(††)

=Epenc(^pj=1² W₁^j,∗^pj=1² W₂^j, pk(ak+ V₅¹))θi−1σˆ⁰_i₋₁σL.

Thanks to the fact thatν ˜ω.θ_i−1σˆ⁰_i₋₁σL≈^sν ˜ω.θ_i−1σˆ⁰_i₋₁σRand (††), we also have that:

M2θ_i−1σˆ⁰_i₋₁σR

=◦^pj=1² renc(penc(W₁^j, W₂^j, gk), V₅¹)θi−1ˆσ_i−1⁰ σR

=E penc(^pj=1² W₁^j,∗^pj=1² W₂^j, pk(ak+ V₅¹))θi−1σˆ_i⁰₋₁σR. Then, we have, forσ∈ {σ^L, σR} :

M2θi−1σˆ_i−1⁰ σ =Epenc(V₁⁰, V₂⁰, pk(ak+ V₃⁰))θi−1σˆ⁰_i−1σ.

Then, in both cases (p1 = 1 or p1 = 0), we have, for σ ∈ {σ^L, σR}, there is i ∈J1, 3K such that:

M2θi−1σˆ_i−1⁰ σ =Epenc(V₁⁰, V₂⁰, pk(ak+ V₃⁰))θi−1σˆ⁰_i−1σ.

SinceM2θi−1σˆ⁰_i−1σL =E penc(N2θi−1ˆσ_i−1⁰ σL, N1θi−1ˆσ_i−1⁰ σL, U ) then V₁⁰θi−1ˆσ_i−1⁰ σL =E

N2θi−1σˆ⁰_i−1σLandV₂⁰θi−1σˆ⁰_i−1σL=E N1θi−1ˆσ_i−1⁰ σL. Using the fact thatν ˜ω.θi−1ˆσ_i−1⁰ σL≈^s ν ˜ω.θi−1σˆ_i−1⁰ σR, these equalities hold withσR. Finally, we have, forσ∈ {σ^L, σR}:

M2θi−1σˆ_i⁰₋₁σ =Epenc(N2, N1, pk(a_k+ V₃⁰))θi−1σ_i⁰₋₁σ.

Again,pk(a2+ V₃⁰) can be seen as a free term U since a2is deducible.

The next lemma gives the general shape of a ballot submitted by the intruder provided the fact that it is accepted by the Receipt generator in the first execution and shows that it is also accepted in the second execution. As usual, let us remind the usual notations:

σ_i^j={^M^k^α/x_k | k = 1..i} | {^N^k^α/x_b^k| k = 1..min(i, 2)} | {^U^k^α/d_k,^W^k^α/hb_k| k = 1..j}.

Lemma 19. We consideri∈J1, nK and M a free term such that fv(M ) ⊆ dom(θi−1σˆ⁰_i₋₁) and such that φR(idpi, M )θ_i−1σˆ_i⁰₋₁σL=Eok with:

φ_R(id, x) = (x =hx¹, x2, x3i) ∧ (x¹=hy¹, y2, y3, y4i) ∧ (y¹= id)

∧ (checksign(hy², y3i, y¹, y4))∧ (checkpfk1(y1, y2, y3))

∧ (checkpfk2(y1, y2, x2, x3)) .

Assuming thatν ˜ω.θi−1σˆ_i−1⁰ σL≈^sν ˜ω.θi−1ˆσ_i−1⁰ σR, then, forσ∈ {σ^L, σR}:

• φ_R(idp_i, M )θ_i−1σˆ⁰_i₋₁σ =Eok,

• M θi−1σˆ_i⁰₋₁σ =E hP, Q, Riθⁱ−1σˆ⁰_i₋₁σ for free terms P , Q and R.

• Fori∈ {1, 2}, we have:

– P θ_i−1σaˆ ⁰_i₋₁σ =E hidpⁱ, ei, pi, siiiθi−1ˆσ_i⁰₋₁σ

– Qθi−1σˆ⁰_i₋₁σ =Eblind(renc(ei, Q1), Q2)θi−1ˆσ_i⁰₋₁σ with Q1andQ2free terms.

• Fori∈J3, nK, we have:

– P θ_i−1σˆ⁰_i₋₁σ =EhP¹, P2, P3, P4iθi−1σˆ⁰_i₋₁σ with P1,. . . ,P4free terms,

– Qθi−1σˆ⁰_i₋₁σ =E blind(penc(Q1, Q2, U ), Q3)θi−1σˆ_i⁰₋₁σ with free Q1,Q2,Q3,U or U =AC

pk(a_p+ U⁰) with free U⁰anda_p∈ {a1, a3}.

Proof.

• Using the fact thatν ˜ω.θi−1σˆ_i⁰₋₁σL ≈^s ν ˜ω.θi−1σˆ⁰_i₋₁σR and sinceφR(idpi, M ) is a public test, we have that the first property holds obviously.

• Now, using thatφ_R(idp_i, M )θi−1σˆ_i−1⁰ σ =E ok, we have that, M θi−1σˆ_i−1⁰ σL =E hM¹, M2, M3i.

By repeating the same reasoning as we did in the proof of Lemma 18, we have thatM θ_i−1σˆ_i⁰₋₁σ =E

hP, Q, Riθi−1σˆ_i⁰₋₁σ with free term P , Q and R for σ∈ {σ^L, σR}.

• Leti∈ {1, 2}.

– Sinceφ_R(idp_i, M )θi−1ˆσ_i−1⁰ σ =E ok, we have that P θi−1σˆ_i−1⁰ σLmust be an idi-valid ballot.

Then, we use Lemma 17 to conclude on the form ofP θi−1σˆ_i−1⁰ σ.

– We also have thatcheckpfk₂(idp_i, e_i, Q, R)θ_i−1σˆ_i⁰₋₁σL=Eok, thus Rθ_i−1σˆ⁰_i₋₁σL =Epfk₂(R1, R2, R3, R4, R5) withR1= vk(id_i) and R4 = e_iθ_i−1σˆ⁰_i₋₁σL. We considerR⁰minimal in size (for the measure

L) such that Rθ_i−1σˆ⁰_i₋₁σL =ER⁰θ_i−1σˆ⁰_i₋₁σL.

* R⁰cannot be a variable since there is no variablex∈ dom(θⁱ−1) such that head(xθi−1σˆ_i⁰₋₁σL) = pfk₂.

* R⁰ = f (R1, . . . , Rp) with f ∈ {dec, fst, pfk2, snd, unblind} since only equations (E-1), (E-2), (E-3) and (E-7) can lead to a term of the formpfk₂(R1, R2, R3, R4, R5).

· Iff ∈ {dec, fst, snd, unblind}, using Lemma 15, we have a contradiction with the fact thathead(R⁰θ_i−1σaˆ ⁰_i₋₁σL) = pfk₂.

· Iff = pfk2, thenR⁰ = pfk₂(R1, R2, R3, R4, R5), with some free Rjforj ∈J1, 5K.

Since we have that(R =Epfk₂(idpi, R1, R2, ei, R3))θi−1σˆ⁰_i₋₁σLandν ˜ω.θi−1σˆ⁰_i₋₁σL≈^s ν ˜ω.θi−1σˆ⁰_i₋₁σR, we conclude that:

(R =Epfk₂(idpi, R1, R2, ei, R3))θi−1σˆ⁰_i−1σR. Thus, forσ∈ {σ^L, σR}, we have:

Rθ_i−1σˆ_i⁰₋₁σ =Epfk₂(idp_i, R1, R2, e_i, R3)θ_i−1σaˆ ⁰_i₋₁σ.

Moreover, we also have, according to Equation E-10, and repeating the same development as we just did, that:

Qθi−1σˆ⁰_i−1σ =Eblind(renc(ei, R1), R2)θi−1σˆ_i−1⁰ σ.

• Leti∈J3, nK.

– SinceφR(idpi, M )θi−1σˆ⁰_i₋₁σ =E ok, we have that P θi−1σˆ⁰_i₋₁σLis an idi-valid ballot. Using Lemma 18, we haveP θi−1ˆσ_i−1⁰ σ =E hP¹, P2, P3, P4iθⁱ−1σˆ⁰_i−1σ with free terms Pj forj ∈ J1, 4K and σ ∈ {σL, σR}.

– According to Lemma 18, we also get thatP2θ_i−1ˆσ_i⁰₋₁σ =E penc(P₁⁰, P₂⁰, U )θ_i−1σˆ⁰_i₋₁σ for free termsP₁⁰,P₂⁰and free termU or U =AC pk(ap+ U⁰) with free U⁰andap∈ {a¹, a3}. Now, according to Equation E-10 and by repeating the same reasoning as in the previous case in this situation, we can deduce thatRθi−1σˆ⁰_i₋₁σ =E pfk₂(vk(idi), R1, R2, R3, R4)θi−1σˆ_i⁰₋₁σ with freeRi fori ∈ J1, 4K and σ ∈ {σL, σR}. This equation also provides that Qθⁱ−1σˆ⁰_i₋₁σ =E

blind(renc(P2, R1), R2)θi−1σˆ_i⁰₋₁σ. Now, since P2θi−1σˆ⁰_i₋₁σ =Epenc(P₁⁰, P₂⁰, U )θi−1σˆ⁰_i₋₁σ, we can conclude that:

Qθi−1σˆ⁰_i−1σ =Eblind(penc(Q1, Q2, U ), Q3)θi−1ˆσ_i−1⁰ σ

with freeQ1,Q2,Q3and freeU or U =AC pk(a_p+ U⁰) with free U⁰anda_p∈ {a1, a₃}.

In document A Formal Analysis of the Norwegian E-Voting Protocol (Page 38-45)