arxiv:1810.05083v3 [quant-ph] 16 dec 2019

Definitions and Security of Quantum ElectronicVoting

Myrto Arapinis1, Elham Kashefi1,2, Nikolaos Lamprou1, and Anna Pappa3,4

1 School of Informatics, University of Edinburgh, UK2 LIP6, University Pierre et Marie Curie, France

3 Department of Electrical Engineering and Computer Science, Technische UniversittBerlin, Germany

4 Dahlem Center for Complex Quantum Systems, Freie Universitt Berlin, Germany

Abstract. Recent advances indicate that quantum computers will soonbe reality. Motivated by this ever more realistic threat for existing classi-cal cryptographic protocols, researchers have developed several schemesto resist “quantum attacks”. In particular, for electronic voting, severale-voting schemes relying on properties of quantum mechanics have beenproposed. However, each of these proposals comes with a different andoften not well-articulated corruption model, has different objectives, andis accompanied by security claims which are never formalized and are atbest justified only against specific attacks. To address this, we proposethe first formal security definitions for quantum e-voting protocols. Withthese at hand, we systematize and evaluate the security of previously-proposed quantum e-voting protocols; we examine the claims of theseworks concerning privacy, correctness and verifiability, and if they arecorrectly attributed to the proposed protocols. In all non-trivial cases,we identify specific quantum attacks that violate these properties. We ar-gue that the cause of these failures lies in the absence of formal securitymodels and references to the existing cryptographic literature.

Keywords: quantum electronic voting, quantum cryptography, attacks

1 Introduction

Voting is a fundamental procedure in democratic societies. With the technolog-ical advances of the computer era, voting could benefit to become more secureand efficient and as a result more democratic. For this reason, over the last twodecades, several cryptographic protocols for electronic voting were proposed andimplemented [1,9,25,28,40]. The security of all these systems relies on computa-tional assumptions such as the hardness of integer factorization and the discretelogarithm problem. But, these are easy to solve with quantum computers usingShor’s algorithm [42]. Although not yet available, recent technological advancesindicate that quantum computers will soon be built threatening existing cryp-tographic protocols. In this context, researchers have proposed to use quantumcommunication to implement primitives like key distribution, bit commitment

arX

iv:1

810.

0508

3v3

[qu

ant-

ph]

16

Dec

201

9

2 Myrto Arapinis, Elham Kashefi, Nikolaos Lamprou, and Anna Pappa

and oblivious transfer. Unfortunately, perfect security without assumptions hasproven to be challenging in the quantum setting [31,33], and the need to studydifferent corruption models has emerged. This includes limiting the number ofdishonest participants and introducing different non-colluding authorities.

More than a decade of studies on quantum electronic voting has resulted inseveral protocols that use the properties of quantum mechanical systems. How-ever, all these new protocols are studied against different and not well-articulatedcorruption models, and claim security using ad-hoc proofs that are not formalizedand backed only against limited classes of quantum attacks. In particular, noneof the proposed schemes provides rigorous definitions of privacy and verifiability,nor formal security proofs against specific, well-defined (quantum) attacker mod-els. When it comes to electronic voting schemes, it is particularly hard to ensurethat all the, somehow conflicting, properties hold; it is therefore important thatthese new quantum protocols be rigorously and mathematically studied and thenecessary assumptions and limitations formally established.

This is precisely what we set to address in this paper. We first give formaldefinitions for verifiability and vote privacy in the quantum setting consideringadaptive corruption. Subsequently, we systematize and assess the security of ex-isting e-voting protocols based on quantum technology. We specifically examinethe claims of each of these solutions concerning the above-mentioned well-definedproperties. Unfortunately our analyses uncover vulnerabilities in all the proposedschemes. While some of them suffer from trivial attacks due to inconsistenciesin the security definitions, the main contribution of the paper is to argue thatsophisticated attacks can exist even in protocols that “seem secure” if the secu-rity is proven ad hoc, and not in a formal framework. We argue that the causeof these failures is the absence of an appropriate security framework in which toestablish formal security proofs, which we have now introduced.

Therefore, this paper follows previous works [2,39,45] in their effort to high-light the importance of formally defining and proving security in the relativelynew field of quantum cryptography. This also includes studying classical proto-cols that are secure against unbounded attackers [6], as well as ones based onproblems believed to be hard even for quantum computers e.g. lattice-based [11].However, it is out of the scope of this study to review such classical protocols,as we are focusing on the possible contribution of quantum computers to thesecurity of e-voting.Contributions: We propose the first formal definitions for vote privacy anduniversal verifiability in the quantum setting considering adaptive corruption,and show that none of the proposed quantum protocols so far satisfy them. Tothis end, we systematize the proposed quantum e-voting approaches according tokey technical features. To our knowledge, our study covers all relevant researchin the field, identifying four main families. Table 1 summarises our results.

– Two measurement bases protocols - These protocols rely on two measurementbases to verify the correct distribution of an entangled state. We specificallyprove that the probability that a number of corrupted states are not testedand used later in the protocol, is non-negligible, which leads to a violation

Definitions and Security of Quantum Electronic Voting 3

ProtocolsSecurity

Privacy Correctness Corruption

Dual basis measurement based protocols 5 ? ε fraction of voters

Travelling ballot based protocols 5 5 two voters

Distributed ballot based protocols ? 5∗ ε fraction of voters

Quantum voting based on conjugate coding 5 ? election authority

Table 1. 5: Insecure, ?: Unexplored Area, ∗:Protocol runs less than exp(Ω(N)) rounds.

of voters’ privacy. Furthermore, even if the states are shared by a trustedauthority, we show that privacy can still be violated in case of abort.

– Traveling ballot protocols - In these protocols the “ballot box” circulatesamong all voters who add their vote by applying a unitary to it. We show howcolluding voters can break honest voters’ vote privacy just by measuring theballot box before and after the victim has cast their ballot. These protocolsfurther suffer as we will see from double voting attacks, whereby a dishonestvoter can simply apply multiple time the voting operator.

– Distributed ballot protocols - These schemes exploit properties of entangledstates that allow voters to cast their votes by applying operations on partsof them. We present an attack that allows the adversary to double-voteand therefore change the outcome of the voting process with probabilityat least 0.25, if the protocol runs fewer than exponentially many rounds inthe number of voters. The intuition behind this attack is that an adversarydoes not need to find exactly how the ballots have been created in orderto influence the outcome of the election; it suffices to find a specific relationbetween them from left-over voting ballots provided by the corrupted voters.

– Conjugate coding protocols - These protocols exploit BB84 states addingsome verification mechanism. The main issue with these schemes, as weshow, is that ballots are malleable, allowing an attacker to modify the partof the ballot which encodes the candidate choice to their advantage.

2 Preliminaries

We use the term quantum bit or qubit [35] to denote the simplest quantummechanical object we will use. We say that a qubit is in a pure state if it can beexpressed as a linear combination of other pure states:

|x〉 = α |0〉+ β |1〉 , where |0〉 =

[10

], |1〉 =

[01

]where |α|2 + |β|2 = 1 for any α, β ∈ C. The states |0〉 and |1〉 are called thecomputational basis vectors. Sometimes it is also helpful to think of a qubit asa vector in the two-dimensional Hilbert space H. If a qubit cannot be written inthe above form, then we say it is in a mixed state. The generalization of a qubit


to an m-dimensional quantum system is called qudit :

|y〉 =

m−1∑j=0

aj |j〉 , where

m−1∑j=0

|aj |2 = 1

Let’s now suppose that we have two qubits; we can write the state vector as:

|ψ〉 =∑

i,j∈0,1

αij |ij〉

where∑

i,j∈0,1|αij |2 = 1. If the total state vector |ψ〉 cannot be written as a

tensor product of two qubits (i.e. |x1〉 ⊗ |x2〉), then we say that qubits |x1〉 and|x2〉 are entangled. An example of two-qubit entangled states, are the four Bellstates, which form a basis of the two-dimensional Hilbert space:

|Φ±〉 = 1√2(|00〉 ± |11〉), |Ψ±〉 =

1√2

(|01〉 ± |10〉)

A quantum system that is in one of the above states is also called an EPRpair [17]. The way we obtain information about a quantum system is by per-forming a measurement using a family of linear operators Mj acting on thestate space of the system, where j denotes the different outcomes of the mea-surement. It holds for the discrete and the continuous case respectively that:∑

j

M†jMj =

∫M†jMjdj = I

where M†j is the conjugate transpose of matrix Mj , and I the identity opera-tor. For qudit |y〉, the probability that the measurement outcome is w is: Pr(w) =

〈y|M†wMw |y〉 and in the continuous case Pr(w ∈ [w1, w2]) =∫ w2

w1〈y|M†jMj |y〉 dj.

For a single qubit |x〉 = α |0〉+β |1〉, measurement in the computational basiswill give outcome zero with probability |α|2 and outcome one with probability|β|2. If our state is entangled, a partial measurement (i.e. a measurement inone of the entangled qudits), not only reveals information about the measuredqudit, but possibly about the remaining state. For example, let us recall the Bellstate |Φ+〉. A measurement of the first qubit in the computational basis will givemeasurement outcome 0 or 1 with equal probability and the remaining qubitwill collapse to the state |0〉 or |1〉 respectively.

In quantum cryptography, the correlations in the measurement outcomesof entangled states are frequently exploited. Another entangled state of inter-est used in Section 4, gives measurement outcomes that sum up to zero whenmeasured in the computational basis, and equal outcomes when measured in theFourier basis (denoted by |〉F ). In the three-qubit case, the state is the following:

|D〉 =1√3

(|0〉F |0〉F |0〉F + |1〉F |1〉F |1〉F

)=

1

2

(|000〉+ |011〉+ |101〉+ |110〉

)


Finally, the evolution of a closed quantum system can be described by the appli-cation of a unitary operator. Unitary operators are reversible and preserve theinner product. Recall our first example, and let’s say we would like to swap theamplitudes on state |x〉, then we can apply the operator Z (known as NOT-gate):

Z |x〉 = β |0〉+ α |1〉 , where Z =

[0 11 0

]The Z-gate is one of the Pauli operators, which together with X and Y , as wellas the identity operator I, form a basis for the vector space of 2 × 2 Hermitianmatrices. These operators are unitaries, and as such preserve the inner product.

A very important difference between quantum and classical information, isthat there is no mechanism to create a copy of an unknown quantum state[35]. This result, known as the no-cloning theorem, is one of the fundamentaladvantages and at the same time limitations of quantum information. It becomesextremely relevant for cryptography, since brute-force types of attacks cannot beapplied on quantum channels that carry unknown information. When verifyingquantum resources however, it is necessary to apply a cut-and-choose techniquein order to test that the received quantum states are correcting produced. Thequantum source would therefore need to send exponentially many copies of thequantum state [26], in order for the verifier to measure most of them and deducethat with high probability, the remaining ones are correct.

3 Definitions of secure quantum electronic voting

Electronic voting protocols consist of election authorities, talliers, voters andbulletin boards [1,25,28]. In this work, we will be dealing with protocols involvingonly one election authority EA and/or one tallier T , as well as the voters V =VkNk=1. EA sets the parameters of the protocol, V cast ballots and T gathersthe votes, computes and announces the election outcome. Informally, a votingprotocol Π has three distinct phases (setup, casting, and tally) and running timeproportional to a security parameter δ0. For formalising security we adopt thestandard game-based security framework. The security of a protocol is capturedby a game between a challenger C that models the honest parties, and a QuantumProbabilistic Polynomial Time adversary A that captures the corrupted parties.A can adaptively corrupt a fraction ε of the voters. We assume that the eligibilitylist is provided a priori in a trusted manner and that A chooses the honest votes,in order to provide stronger definitions [25]. The order p with which honestparties cast their ballots is initially unknown to A but might leak during theexecution of the protocol, if for example anonymous channels are not used orthe casting order is decided by the voters. Finally, we consider that the partiesuse quantum registers to communicate and store information (denoted by B andX respectively), to account for the case where the states are entangled betweendifferent parties.

Setup phase: A defines the voting choices of all voters. C and A generate theprotocol parameters X according to Π.


Casting phase: The protocol Π specifies the algorithm CastBallot for generat-ing and casting the ballots. C generates ballots according to the CastBallotalgorithm on behalf of honest voters and A on behalf of the corrupted ones.

Tally phase: The protocol Π specifies the tallying algorithm Tally. C computesthe election result on behalf of the parties specified in Π by running the Tallyalgorithm. If none of these parties is honest, A computes the tally instead.

Ideally, an e-voting protocol will satisfy at least the following properties ([4,13,15];Correctness: compute the correct outcome if the adversary doesn’t interfere, Dou-ble voting: allow voters to vote at most once, Privacy: keep the vote of a voterprivate, Verifiability: allow for verification of the results by voters and externalauditors. We focus on privacy and verifiability type properties.

Universal Verifiability - Our definition of universal verifiability is similar to[13] and is captured by the experiment EXPΠ

Qver.

The experiment EXPΠQver(A, ε, δ0)

– Setup phase: C and A generate the protocol parameters in quantum registerX as specified by Π and the adversarial model. Furthermore, A chooses thevotes for all voters vkVk∈V .

– Casting phase: For each k ∈ 1, . . . , |V|,• A chooses to corrupt Vp(k) or not. If A decides to corrupt Vp(k) is added

to VA.• If Vp(k) 6∈ VA, C generates the ballot Bp(k),⊥ ←

CastBallot(vp(k),Xp(k),B, δ0). If it is not ⊥, C sends it to A. If C re-ceives Bp(k) back from A, then C stores Bp(k) in B, where Bp(k), Xp(k),and B are local and global quantum registers respectively. Note thatwhen A receives Bp(k) from C, it is possible to apply quantum operationson the register that are dependent on the specifications of Π.

• If Vp(k) ∈ VA, then A creates a ballot Bp(k) and sends it to C.– Tally phase: If the tallier is corrupted, A outputs the election outcome X.

Otherwise C computes X ← Tally(B,XC , δ0):• If (X 6= ⊥ ∧ VerifyΠ(X,B, δ0)) and PΠVCounted(vkVk 6∈VA , X) = 0 or

NballotsΠ(X) > |V|, then output 1, else output 0.

First, A defines how honest voters vote. Then, C and A generate the protocolparameters X according to Π and the corruption model of A. In the castingphase, A can choose to corrupt voters adaptively. For honest voters, C followsthe CastBallot algorithm as specified by Π to generate the ballot, and sendsit to A. Depending on the protocol specification, A might then perform someallowed quantum operation on the received ballot (e.g. in the case where Πuses quantum authenticated channels, the ballots cannot be modified by A).For corrupted voters, A casts the ballot on their behalf. After all votes havebeen cast, the election outcome is computed; if the tallier is honest, C runs the


algorithm Tally as specified by Π. EXPΠQver outputs 1 if the election outcome

is not ⊥ and is accepted by C, while either an honest vote has not be countedin the final outcome, or the number of cast votes exceeds the number of voters;Otherwise the experiment outputs 0. To account for these events, we define threepredicates; VerifyΠ which is the protocol-specific public test parties can run toverify the election, PΠVCounted reveals if honest votes are discarded from or altered

in the final outcome and NballotsΠ reveals the number of votes included theelection result X. If A deviates from the protocol specification, the predicateVerifyΠ should return false.

Definition 1. A quantum e-voting protocol Π satisfies ε-quantum verifiabil-ity if for every QPPT A the probability of winning the experiment EXPΠ

Qver(A, ε, δ0)is negligible with respect to δ0:

Pr[1← EXPΠQver(A, ε, δ0)] = negl(δ0).

Vote privacy - The experiment EXPΠQpriv captures vote privacy which ensures

that the adversary A cannot link honest voters to their votes.

The experiment EXPΠQpriv(A, ε, δ0)

– Setup phase: A chooses a permutation FA,Vl , the set of candidates vkVk∈Veach voter will vote for. C and A generate the protocol parameters in quantumregister X as specified by Π and the adversarial model. C randomly picks bit

β$← 0, 1.

– Casting phase: For each k ∈ 1, . . . , |V|,• A chooses to corrupt Vp(k) or not. If A decides to corrupt Vp(k) is added

to VA.• If Vp(k) 6∈ VA, C generates the ballot Bp(k),⊥ ←

CastBallot(FA,Vl (vp(k), p(k))β · v1−βp(k) ,Xp(k),B, δ0). If the generated ballotis not ⊥, C sends it to A. If C receives Bp(k) back from A, then C storesBp(k) to B. Note that when A receives Bp(k) from C, it is possible toapply quantum operations on the register that are dependent on thespecifications of Π.

• If Vp(k) ∈ VA, then A creates a ballot Bp(k) and sends it to C.– Tally phase: If FA,Vl (VA) = FA,VAl′ , C announces the election outcome X ←

Tally(Bp(k)Vk∈V ,XC , δ0) to A. Else output -1.

A guesses bit β∗. If β∗ = β then output 1, else output 0.

A defines how honest voters vote and chooses a permutation FA,Vl ∈ FA,Vover the voting choices of all voters in V. After the parameters of the protocol Xare generated, C chooses a random bit β which defines two worlds; when β = 0,


the honest voters vote as specified by A, while when β = 1, the honest votersswap their votes according to permutation FA,Vl again specified by A. If thechoices of the honest voters during the casting phase are still a permutationof their initial choices the experiment proceeds to the next phase, else it outputs−1. In the tally phase, C computes the election outcome. Finally, A tries to guessif the honest voters controlled by C have permuted their votes (β = 1) or not(β = 0), by outputting guess bit β∗. If A guessed correctly EXPΠ

Qpriv outputs 1;

otherwise EXPΠQpriv outputs 0.

Definition 2. A quantum e-voting protocol Π satisfies ε-quantum privacy iffor every QPPT A the probability of winning the experiment EXPΠ

Qpriv(A, ε, δ0) isnegligibly close to 1/2 with respect to δ0 under the condition event ¬False Attackhappens, where False Attack = − 1← EXPΠ

Qpriv(A, ε, δ0):

Pr[1← EXPΠQpriv(A, ε, δ0)|¬False Attack] = 1/2 + negl(δ0)

The most established game-based definitions for privacy in the classical set-ting [4] assume two ballot boxes, where one holds the real tally and the otherholds either the real or the fake tally. In the quantum case, the adaptation isnot straightforward mainly because of the no-cloning theorem. The existence oftwo such boxes assumes that information is copyable, which is not the case withquantum information. Similarly, we can’t assume that the experiment runs twotimes because A could correlate the two executions by entangling their param-eters, something that a classical adversary cannot do. We address this difficultyby introducing quantum registers to capture the network activity and model thespecial handling of quantum information (e.g entangled states). Moreover, theelection result is produced on the actual ballots rather than the intended ones.With this, we capture a broader spectrum of attacks (e.g Helios replay attack),at the same time introduce trivial distinctions corresponding to false attacks.We tackle this by allowing the experiment to output -1 in such undesired caseswhich are mainly artifacts of the model. So an advantage of our privacy def-inition is that it allows the analysis of self-tallying type protocols in contrastwith previous definitions of privacy [4]. In self-tallying elections the adversaryis able to derive the election outcome on their own without the need of secretinformation. Therefore, the bulletin board (in our case the register B) must beconsistent with the result without linking the identity and the vote of a voter.

Note - Our definitions of verifiability and privacy capture both classical andquantum protocols. For the classical case, the quantum registers will be used forstoring and communicating purely classical information. Devising our definitionsfor the quantum setting was not a trivial task as there are many aspects that arehard to define, like bulletin boards, and others that need to be introduced, likequantum registers potentially containing entangled quantum states. Moreover,our experiments capture protocols that use anonymous channels, by assumingthat the casting order is unknown to A, as well as self-tallying protocols.

In the rest of the paper, we examine all existing proposals for quantum e-voting. For each of them, we identify attacks that violate the previously defined


properties. Note that since the proposed protocols do not involve any verifiabilitymechanism, we need to define an experiment that involves an honest Tallier, andthat captures security against double voting and vote deletion/alteration againstmalicious voters. We term this property integrity and therefore need to considerexperiment EXPΠ

Qint which is the same as EXPΠQver but without the predicate

VerifyΠ . The experiment EXPΠQint is detailed in Section A of the Supplementary

Material.

4 Dual Basis Measurement Based Protocols

In this section we discuss protocols that use the dual basis measurement tech-nique [24,48], and use as a blank ballot an entangled state with an interestingproperty: when measured in the computational basis, the sum of the outcomesis equal to zero, while when measured in the Fourier basis, all the outcomes areequal. Both of these protocols use cut-and-choose techniques in order to ver-ify that the state was distributed correctly. This means that a large amount ofstates are checked for correctness and a remaining few are kept at the end un-measured, to proceed with the rest of the protocol. Although a cut-and-choosetechnique with just one verifying party is secure if the states that are sampledare exponentially many and the remaining ones are constant, it is not clear howthis generalizes to multiple verifying parties. Specifically, we show that if thecorrupted parties sample their states last, then the probability with which thecorrupted states are not checked and remain after all the honest parties sample,is at least a constant with respect to the security parameter of the protocol.

4.1 Protocol Specification

We will now present the self-tallying protocol of [48], which is based on the clas-sical protocol of [27]. The voters VkNk=1, without the presence of any trustedauthority or tallier, need to verify that they share specific quantum states. Atthe end of the verification process, the voters share a classical matrix; every castvote is equal to the sum of the elements of a row in the matrix.

Setup phase

1. One of the voters, not necessarily trusted, prepares N +N2δ0 states:

|D1〉 =1√

mN−1

∑∑Nk=1 ik=0 mod c

|i1〉 |i2〉 . . . |iN 〉

where m is the dimension of the qudits’ Hilbert space, c is the number ofthe possible candidates such that m ≥ c and δ0 the security parameter. Thevoter also shares 1 +N2δ0 states of the form:

|D2〉 =1√N !

∑(i1,i2,...,iN )∈PN

|i1〉 |i2〉 . . . |iN 〉


where PN is the set of all possible permutations with N elements. Each Vkreceives the kth particle from each of the states.

2. The voters agree that the states they receive are indeed |D1〉 , |D2〉 by usinga cut-and choose technique. Specifically, voter Vk chooses at random 2δ0 ofthe |D1〉 states and asks the other voters to measure half of their particles inthe computational and half in the Fourier basis. Whenever the chosen basisis the computational, the measurement results need to add up to 0, whilewhen the basis is the Fourier, then the measurement results are all the same.All voters simultaneously broadcast their results and if one of them noticesa discrepancy, the protocol aborts. The states |D2〉 are similarly checked.

3. The voters are left to share N copies of |D1〉 states and one |D2〉 state. Eachvoter holds one qudit for each state. They now all measure their qudits in thecomputational basis. As a result, each Vk holds a “blank ballot” of dimensionN with the measurement outcomes corresponding to parts of |D1〉 states:

Bk = [ξ1k · · · ξ

skkk · · · ξNk ]ᵀ

and a unique index, skk ∈ 1, . . . , N, from the measurement outcome of thequdit that belongs to |D2〉. The set of all the blank ballots has the property∑Nk=1 ξ

jk = 0 mod c for all j = 1, . . . , N .

Casting phase

4. Based on skk, all voters add their vote, vk ∈ Zc, to the corresponding rowof their “secret” column. Specifically, Vk applies ξskkk → ξskkk + vk.

5. All voters simultaneously broadcast their columns, resulting in a public N ×N table, whose k-th column encodes Vk’s candidate choice.

B =

ξ1k...

Bv11 · · · ξskkk + vk · · · BvNN

...ξNk

Tally phase

6. Each Vk verifies that their vote is counted by checking that the correspondingrow of the matrix adds up to their vote. If this fails, the protocol aborts.

7. Each voter can tally the final outcome of the election by computing the sumof the elements of each row of the public N × N table. The resulting Nelements are the result of the election.

4.2 Vulnerabilities Of Dual Basis Measurement Protocols

In this section we present an attack on the cut-and-choose technique of theprotocol in the setup phase, that can be used to violate privacy. We consider


a static adversary that corrupts t voters, including the one that distributes thestates. Suppose that the adversary corrupts N out of N +N2δ0 states |D1〉. Wedenote with Bad, the event that all the corrupted voters choose last which statesthey want to test, and with Win, the event that the N corrupted states are notchecked. We want to compute the probability that event Win happens, givenevent Bad, i.e. the probability none of the N corrupted states is checked bythe honest voters, and therefore remain intact until the corrupted voters’ turn.The corrupted voters will of course not sample any of the corrupted states andtherefore the corrupted states will be accepted as valid.

The number of corrupted states that an honest voter will check, follows amixture distribution with each mixture component being one of the hypergeo-metric distributions HG(Lik , bik , 2

δ0) : 0 ≤ bik ≤ N , where Lik is the numberof states left to sample from the previous voter and bik the number of the re-maining corrupted states. We can therefore define the random variable Xik thatfollows the above mixture distribution, where i1, . . . , iN−t is a permutation ofthe honest voters’ indices (by slightly abusing notation, we consider the firstN − t voters to be honest). The following lemma is proven by induction:

Lemma 1. Let Xik be a random variable that follows the previous mixture dis-tribution. It holds that:

Pr[

N−t∑k=1

Xik = 0] =

N−t∏k=1

Pr[X∗ik = 0] where X∗ik ∼ HG(Lik , N, 2δ0).

We are now ready to prove that with at least a constant probability, the cor-rupted states will remain intact until the end of the verification process.

Proposition 1. For 0 < ε < 1, let t = εN be the fraction of voters controlledby the adversary. It holds that :

Pr[Win | Bad] >(ε

2

)NProof.

Pr[Win | Bad] = Pr[

N−t∑k=1

Xik = 0] =

N−t∏k=1

P [X∗ik = 0]

=

N−t−1∏k=0

(N +N2δ0 −N − k2δ0

2δ0

)/

(N +N2δ0 − k2δ0

2δ0

)=

(N + t2δ0 −N + 1) · . . . · (N + t2δ0)

(N +N2δ0 −N + 1) · . . . · (N +N2δ0)

>( t2δ0 + 1

N +N2δ0

)N=( t2δ0

N +N2δ0+

1

N +N2δ0

)N>( t2δ0

N +N2δ0

)N=( ε

2−δ0 + 1

)N>(ε

2

)N


The question now is with what probability event Bad occurs, i.e how likely isthe fact that voters controlled by the adversary are asked to sample last? Theanswer is irrelevant, because this probability depends on N and t, and are bothindependent of δ0. As a result,

Pr[Win] > Pr[Win | Bad] Pr[Bad] = (ε/2)Nf(N, t)

where f(N, t) is a constant function with respect to the security parameter δ0,making Pr[Win] non-negligible in δ0. As a matter of fact, a static adversary willcorrupt the voters that maximize Pr[Bad]. Therefore, we can assume that thehonest voters sample the states at random, in order to not favor sets of corruptedvoters. Now let us examine how this affects the privacy of the scheme.

Theorem 1. Let Π(N, t, δ0) be an execution of the self-tallying protocol with Nvoters, t of them corrupted, and δ0 the security parameter. We can construct anadversary A, which with non-negligible probability in δ0 violates privacy.

Proof. Let CA be the set of indices of the corrupted voters with |CA| = t. Supposethe voter distributing the states is also corrupted, and prepares 1 +N2δ0 statesof the form of |D2〉, N2δ0 states of the form |D1〉 and N states of the form:

|DCorrupt〉 = |ξ1〉 ⊗ . . .⊗ |ξN 〉

where ξk ∈R 0, . . . , c− 1 for all k ∈ 2, . . . , N, ξ1 ∈ 0, . . . , c− 1 such that5:

ξ1 + . . .+ ξN = 0 mod c

From Proposition 1 and the previous observations we know that the prob-ability that states |DCorrupt〉 remain intact after the verification procedure instep 2 (i.e. event Win), happens with non-negligible probability in the securityparameter δ0. Therefore, with non-negligible probability, the remaining states instep 3 are: one of the form |D2〉 and N of the form |DCorrupt〉. All honest votersVk measure their qudits in the computational basis and end up with a secretnumber skk (from measuring the corresponding part of |D2〉) and a column

Bk = [ξ1k . . . ξskkk . . . ξNk ]ᵀ

(from measuring states |DCorrupt〉), that is known to the adversary. Now allvoters apply their vote vk to the Bk according to skk. As a result:

Bvkk = [ξ1k . . . ξskkk + vk . . . ξNk ]ᵀ

At this point all voters simultaneously broadcast their Bvkk , as the protocolspecifies, and end up with the matrix B = (Bv11 . . . BvNN ). Each Vk, k 6∈ CAchecks that

N∑j=1

B[skk, j] = vk mod c

5 ∈R denotes that the element is chosen uniformly at random from a specific domain.


which happens with probability 1 from the description of the attack in the pre-vious steps. As a result, each voter accepts the election result. The adversaryknowing both the pre-vote matrix and the post-vote matrix can therefore extractthe vote of all honest voters.

A similar attack can be mounted if the adversary instead of corrupting N out ofN +N2δ0 |D1〉 states, corrupts just 1 of the |D2〉 states. The attack is similar tothe one mentioned above but in this case the adversary knows the row in whicheach voter voted instead of the pre-vote matrix. Moreover, the probability oftheorem 1 is improved from (ε/2)N to ε/2 (the proof works in a similar way).

Based on the previous observations we can construct an adversary that vio-lates ε-quantum privacy for any 0 < ε < 1 and any non-trivial permutation.

Theorem 2. The quantum self tallying protocol Π(N,N/ε, δ0) doesn’t satisfythe ε-quantum privacy property for any 0 < ε < 1.

Proof. (sketch) First A picks a non-trivial permutation FA. It is easy to see thatA can corrupt the quantum states in experiment EXPΠ

Qpriv and C accepts withprobability at least α(δ0) the corrupted parameters, where α() a non negligiblefunction, based on theorem 1. Next, A by reading all the quantum registers Bjone by one, can find how each voter has voted individually as in theorem 1. Asa result, A can find out if the honest voters have permute their votes or not andguess the challenge bit β with probability at least 1/2 + α(δ0). Note that theprobability for that A the EXPΠ

Qpriv to output −1, is 0, because A can choosewhich voters to corrupt such that both the cut-and-choose attack in the Setup

phase was successful and the condition FA,Vl (VA) = FA,VAl′ is satisfied.

So far we have seen how voters’ privacy can be violated if an adversarydistributes the quantum states in the protocol. However, even if the sharingof the states is done honestly by a trusted authority, still an adversary A canviolate the privacy of a voter. This is done by replacing one element in a columnof one of the players controlled by A with a random number. As a result, instep 6, the honest voter whose row doesn’t pass the test, will abort the protocolby broadcasting it. A will therefore know the identity of the voter aborting andtheir corresponding vote, since it knows the matrix before the modification ofthe column element. Similarly, in experiment EXPΠ

Qpriv the adversary can findout if the voters permute their vote or not.

A possible solution might be to use a classical anonymous broadcast channel,so that the voters can anonymously broadcast abort if they detect any misbe-haviour at step 6. However, this might open a path to other types of attacks,like denial-of-service, and requires further study in order to be a viable solution.

5 Traveling Ballot Based Protocols

In this section we discuss the traveling ballot family of protocols for referendumtype elections. Here, T also plays the role of EA, as it sets up the parameters of


the protocol in addition to producing the election result. Specifically, it preparestwo entangled qudits, and sends one of them (the ballot qudit) to travel fromvoter to voter. When the voters receive the ballot qudit, they apply some unitaryoperation according to their vote and forward the qudit to the next voter. Whenall voters have voted, the ballot qudit is sent back to T who measures the wholestate to compute the result of the referendum. The first quantum scheme in thiscategory was introduced by Vaccaro et al. [47] and later improved [5,22,30].


Here we present the travelling ballot protocol of [22]; an alternative form [47]encodes the vote in a phase factor rather than in the qudit itself.

Set up phase T prepares the state |Ω0〉 = 1√N

N−1∑j=0

|j〉V |j〉T , keeps the second

qudit and passes the first (the ballot qudit) to voter V1.Casting phase For k = 1, . . . , N , Vk receives the ballot qudit and applies the

unitary Uvk =N−1∑j=0

|j + 1〉〈j|, where vk = 1 signifies a “yes vote and vk = 0 a

“no” vote (i.e. applying the identity operator). Then, Vk forwards the ballotqudit to the next voter Vk+1 and VN to to T .

Tally phase The global state held by T after all voters have voted, is:

|ΩN 〉 =1√N

N−1∑j=0

|j +m〉V |j〉T

where m is the number of ”yes” votes. T measures the two qudits in thecomputational basis, subtracts the two results and obtains the outcome m.

5.2 Vulnerabilities Of Traveling Ballot Based Protocols

The first obvious weakness of this type of protocols is that they are subject todouble voting. A corrupted voter can apply the “yes” unitary operation manytimes without being detected (this issue is addressed in the next session, wherewe study the distributed ballot voting schemes). As a result we can easily con-struct an adversary A that wins in the integrity experiment described in theAppendix (Figure A) with probability 1. Furthermore, these protocols are sub-ject to privacy attacks, when several voters are colluding. In what follows, wedescribe such an attack on privacy, in the case of two colluding voters. Figure 1depicts this attack.

Let us assume that the adversary corrupts voters Vk−1 and Vk+1 for anyk. Upon receipt of the ballot qudit, instead of applying the appropriate uni-tary, Vk−1 performs a measurement on the traveling ballot in the computationalbasis. As a result the global state becomes |Ωk−1〉 = |h+m〉V ⊗ |h〉T , where

|h+m〉V is one of the possible eigenstates of the observable O =N−1∑j=0

|j〉〈j|,


and m is the number of “yes” votes cast by the voters V1, . . . , Vk−2 (note thatVk−1 does not get any other information about the votes of the previous voters,except number h+m). Then Vk−1 passes the ballot qudit |h+m〉V to Vk, whoapplies the respective unitary for voting “yes” or “no”. As a result the ballotqudit is in the state |h+m+ vk〉V . Next, the ballot qudit is forwarded to thecorrupted voter Vk+1, who measures it again in the computational basis andgets the result h+m+ vk. A can now infer vote vk from the two measurementresults and figure out how Vk+1 voted. Similarly, A can guess the correct bit βin EXPΠ

Qpriv with probability 1 by measuring the quantum registers Bp(j)−1 andBp(j)+1, where Vp(j) an honest party (A might need to corrupt two more voters

such that EXPΠQpriv will not output -1). The same attack can also be applied

in the case where there are many voters between the two corrupted parties. Inthis case the adversary can’t learn the individual votes but only the total votes.One suggestion presented in [47] is to allow T to perform extra measurements

Fig. 1. A corrupts voters Vk−1,Vk+1 and learns how voter Vk voted with probability 1.

to detect a malicious action during the protocol’s execution. However, this onlyidentifies an attack and does not prevent the adversary from learning some ofthe votes, as described above. Furthermore, the probability of detecting a devi-ation from the protocol is constant and as such does not depend on the securityparameter and does not lead to a substantial improvement of security. It shouldalso be noted that verifiability of the election result is not addressed in any ofthese works, since T is assumed to generate the initial state honestly. In the casewhere T is corrupted, privacy is trivially violated.

All traveling ballot protocols proposed ([47,5,22,30]) suffer from the aboveprivacy attack. Next, we discuss how this issue has been addressed by revisitingthe structure of the protocols. Unfortunately, as we will see, new issues arise.


6 Distributed Ballot Based Protocols

Here we describe the family of quantum distributed ballot protocols [5,22,47].In these schemes, T prepares and distributes to each voter a blank ballot, andgathers it back after all voters have cast their vote in order to compute the finaloutcome. This type of protocols give strong guarantees for privacy against othervoters but not against a malicious T which is trusted to prepare correctly specificstates. So it is not hard to see that if the states are not the correct ones, thenthe privacy of a voter can be violated.

A first attempt presented in [47] suffers from double voting similarly to thediscussion in the previous section. The same problem also appears in [16]. Laterworks [5,22] address this issue with a very elaborate countermeasure. The intu-ition behind the proposed technique is that T chooses a secret number δ accord-ing to which it prepares two different quantum states: the “yes” and the “no”states. This δ value is hard to predict due to the non-orthogonality of the sharedstates and the no-cloning theorem. The authors suggest that many rounds of theprotocol be executed. As a result, any attempt of the adversary to learn δ givesrise to a different result in each round. However, the number of required rounds,as well as a rigorous proof are not presented in the study.

More importantly, a careful analysis reveals that the proposed solution is stillvulnerable to double voting. As we will see, an adversary can mount what we calla d-transfer attack, and transfer d votes for one option of the referendum electionto the other. To achieve this attack, the adversary does not need to find the exactvalue of δ (as the authors believed), but knowing the difference of the angles usedto create the “yes” and “no” states suffices. We construct a polynomial quantumadversary that performs the d-transfer attack with probability at least 0.25, ifthe number of rounds is smaller than exponential in the number of voters. As aresult this makes the protocol practically unrealistic for large scale elections.


We first present the protocol from [5,22]:Setup phase

1. T prepares an N -qudit ballot state: |Φ〉 = 1√D

∑D−1j=0 |j〉

⊗N, where the states

|j〉 , j = 0, ..., D−1, form an orthonormal basis for the D-dimensional Hilbertspace, and D > N . The k-th qudit of |Φ〉 corresponds to Vk’s blank ballot.

2. T sends to Vk the corresponding blank ballot together with two option qudits,one for the “yes” and one for the “no” option:

yes: |ψ(θy)〉 = 1√D

∑D−1j=0 eijθy |j〉 ,no: |ψ(θn)〉 =

1√D

D−1∑j=0

eijθn |j〉

For v ∈ y, n we have θv = (2πlv/D) + δ, where lv ∈ 0, . . . , D − 1 andδ ∈ [0, 2π/D). Values ly and δ are chosen uniformly at random from theirdomain and ln is chosen such that N(ly − ln mod D) < D . These valuesare known only to T .


Casting phase

3. Each Vk decides on “yes” or “no” by appending the corresponding op-tion qudit to the blank ballot and performing a 2-qudit measurement R =∑D−1r=0 rPr, where:

Pr =

D−1∑j=0

|j + r〉〈j + r| ⊗ |j〉〈j|

According to the result rk, Vk performs a unitary correction Urk = I ⊗∑D−1j=0 |j + rk〉〈j| and sends the 2-qudits ballot along with rk back to T .

Tally phase

4. The global state of the system (up to normalization) is:

1√D

D−1∑j=0

N∏k=1

αj,rk |j〉⊗2N

where,

αj,rk =

ei(D+j−rk)θkv , 0 ≤ j ≤ rk − 1

ei(j−rk)θkv rk ≤ j ≤ D − 1

5. For every k, using the announced results rk, T applies the unitary operator:

Wk =

rk−1∑j=0

e−iDδ |j〉〈j|+D−1∑j=rk

|j〉〈j|

on one of the qudits in the global state (it is not important on which one,since changes to the phase factor of a qudit that is part of a bigger entangledstate take effect globally). Now T has the state:

|Ωm〉 =1√D

D−1∑j=0

eij(mθy+(N−m)θn) |j〉⊗2N

where m is the number of “yes” votes.6. By applying the unitary operator

∑D−1j=0 e−ijNθn |j〉〈j| on one of the qudits

and setting q = m(ly − ln), we have:

|Ωq〉 =1√D

D−1∑j=0

e2πijq/D |j〉⊗2N

We note here that q must be between 0 and D−1, so that the different outcomesbe distinguishable. Now with the corresponding measurement T can retrieve q.Since T knows values ly and ln, it can derive the number m of ”yes” votes. Notethat if a voter does not send back a valid ballot, the protocol execution aborts.


6.2 Vulnerabilities Of Distributed Ballot Protocols

In this section, we show how the adversary can perform the d-transfer attackin favor of the “yes” outcome. We proceed as follows. We first show that thisis possible if the adversary knows the difference ly − ln. We then show howthe adversary can find out this value, and conclude the section with the prob-abilistic analysis of our attack which establishes that it can be performed withoverwhelming probability in the number of voters.

The d-transfer attack: Given the difference ly − ln, a dishonest voter canviolate the no-double-voting. From the definition of ly and ln it holds that:

2π(ly − ln)/D = θy − θn (1)

If a corrupted voter (e.g. V1) knows ly− ln, then they proceed as follows (w.l.o.g.we assume that they want to increase the number of “yes” votes by d):

1. V1 applies the unitary operator: Cd =D−1∑j=0

eijd(θy−θn) |j〉〈j| to the received

option qudit |ψ(θy)〉. As a result, the state becomes:

Cd |ψ(θy)〉 =1√D

D−1∑j=0

eijd(θy−θn)eijθy |j〉

2. V1 now performs the 2-qudit measurement specified in the Casting phase ofthe protocol and obtains the outcome r1.

3. V1 performs the unitary correction Ur1 . For θ = d(θy − θn) + θy, the globalstate now is:

Ur1Pr1(|Φ〉 ⊗ Cd |ψ(θy)〉

)=

1√D

[ r1−1∑j=0

ei(D+j−r1)θ |j〉⊗N+1+

D−1∑j=r1

ei(j−r1)θ |j〉⊗N+1]

4. Before sending the two qudit ballot and the value r1 to T , V1 performs thefollowing operation to the option qudit:

Correctr1 =

e−iDd(θy−θn) |j〉〈j| , 0 ≤ j ≤ r1 − 1

|j〉〈j| r1 ≤ j ≤ D − 1

5. After all voters have cast their ballots to T , the global state of the system(up to normalization) is:

1√D

(

r1−1∑j=0

ei(j−r1)d(θy−θn)ei(D+j−r1)θy

N∏k=2

αj,rk |j〉⊗2N

+

D−1∑j=r1

ei(j−r1)d(θy−θn)ei(j−r1)θy

N∏k=2

αj,rk |j〉⊗2N

)


where,

αj,rk =

ei(D+j−rk)θkv , 0 ≤ j ≤ rk − 1

ei(j−rk)θkv rk ≤ j ≤ D − 1

and θkv describes the vote of voter Vk, where v ∈ y, n. T just follows theprotocol specification. It applies some corrections on the state given theannounced results rk and finally the state becomes:

1√D

D−1∑j=0

ei(j−r1)d(θy−θn)ei(j−r1)θy · . . . · ei(j−rn)θnv |j〉⊗2N

which under a global phase factor is equivalent to:

1√D

D−1∑j=0

eijd(θy−θn)eij(mθy+(N−m)θn) |j〉⊗2N

6. T removes the unwanted factor eijNθn as prescribed by the protocol, andthe final state is:

|Ωm+d〉 =1√D

D−1∑j=0

eijd(θy−θn)eijm(θy−θn) |j〉⊗2N

=1√D

D−1∑j=0

e2πij(m+d)(ly−ln)/D |j〉⊗2N

7. After measuring the state, the result is m+ d instead of m.

Finding the difference between ly and ln: What remains in order to com-plete our attack is to find the difference ly − ln. We now show how an adversarycan learn this difference with overwhelming probability in N . We assume thatthe adversary controls a fraction ε of the voters (0 < ε < 1), who are (all but one)instructed to vote half the times ”yes” and the other half ”no”. Instead of de-stroying the remaining option qudits (exactly εN/2 ”yes” and εN/2 ”no” votes),the adversary keeps them to run Algorithm 1. In essence, the algorithm is exe-cuted twice - once for each set of option qudits |ψ(θv)〉εN/2, where v ∈ y, n.It measures the states in each set and attributes to each one an integer. Afterall states have been measured, the algorithm creates a vector Record, whichcontains the number of times each integer appeared during the measurements.Finally, Algorithm 1 creates the vector Solution in which it registers the valuesthat appeared at least 40% of times during the measurements, equivalently thevalues for which the Record vector assigned a number greater or equal than 40%of times. The algorithm outputs the first value in the Solution vector. As we seein Figure 2, with high probability the value that algorithm outputs is either lv orlv−1, for both values of v. Hence, we can find the difference ly− ln. After havingacquired knowledge of ly− ln, the adversary can instruct the last corrupted voterto change the outcome of the voting process as previously described.


Algorithm 1 Adversary’s algorithmInput: D, |ψ(θv)〉1 , · · · , |ψ(θv)〉εN/2Output: l ∈ 0, . . . , D − 11: Record = [0, . . . , 0] ∈ N1×D; . This vector shows us how many values are observed in each interval

2: Solution = [”Null”, ”Null”] ∈ N1×2;3: i, l,m = 0;4: while i ≤ εN/2 do5: Measure |ψ(θv)〉i by using POVM operator E(θ) from Eq.(2), the result is yi;

6: Find the interval for which 2πjD ≤ yi ≤ 2π(j+1)

D ;7: Record[j] =++;8: i++;9: end while

10: while l < D do11: if Record[l] ≥ 40%(εN/2) then12: Solution[m] = l;13: m+ +;14: end if15: l + +;16: end while17: if Solution == [0, D − 1] then18: Solution = [Solution[1], Solution[0]];19: end if20: return l = Solution[0];

Fig. 2. The probabilities with which Algorithm 1 records a value in lv − 1, lv, lv + 1after measuring state |ψ(θv)〉 for δ1 = π

235, δ2 = π

230, and δ3 = π(26−1)

235.


Probabilistic analysis We prove here that the adversary’s algorithm succeedswith overwhelming probability in N , where N is the number of voters. There-fore, as we later prove in Theorem 6, the election protocol needs to run at leastexponentially many times with respect to N in order to guarantee that the suc-cess probability of the adversary is at most 0.25. We present here the necessarylemmas and give the full proofs in the Supplementary Material.

In order to compute the success probability of the attack, we first need tocompute the probability of measuring a value in the interval (xl, xl+w), where

xl =2πl

D, l ∈ 0, 1, . . . , D − 16.

Lemma 2. Let ΘvD,δ ∈ [0, 2π] be the continuous random variable that describesthe outcome of the measurement of an option qudit |ψ(θv)〉 , v ∈ y,n usingoperators:

E(θ) =D

2π|Φ(θ)〉〈Φ(θ)| (2)

where |Φ(θ)〉 = 1√D

D−1∑j=0

eijθ |j〉. It holds that:

Pr[xl < ΘvD,δ < xl+w] =1

2πD

∫ xl+w

xl

sin2[D(θ − θv)/2]

sin2[(θ − θv)/2]dθ

According to Algorithm 1, an option qudit is attributed with the correct value lvwhen the result of the measurement is in the interval [xlv , xlv+1]. Using Lemma2, we can prove the following:

Lemma 3. Let |ψ(θv)〉 be an option qudit of the protocol. Then it holds:

Pr[xlv < ΘvD,δ < xlv+1] > 0.405

Lemma 3 shows that with probability at least 0.405, the result of the measure-ment is in the interval (xlv , xlv+1). Since Algorithm 1 inserts an integer to theSolution vector if it corresponds to at least 40% of the total measured values,lv will most likely be included in the vector (we formally prove it later). Further-more, we prove now that with high probability, there will be no other values tobe inserted in Solution, except the neighbours of the value lv (namely lv ± 1).

Lemma 4. Let |ψ(θv)〉 be an option qudit of the protocol. Then it holds:

Pr[xlv−1 < ΘvD,δ < xlv+2] > 0.9

Here we need to note that we are aware of the cases lv ∈ 0, D − 1 where themembers xlv−1 and xlv+2 are not defined. It turns out not to be a problem andthe same thing can be proven for these values (see Supplementary Material).

We have shown that the probability the measurement outcome lies in theinterval (xlv−1, xlv+2), and therefore gets attributed with a value of lv − 1, lv orlv + 1, is larger than 0.9. If we treat each measurement performed by Algorithm1 on each option qudit |ψ(θv)〉, as an independent Bernoulli trial with successprobability pl = Pr[xl < ΘvD,δ < xl+1], we can prove the following theorem:

6 It is convenient to think of l as the Dth roots of unity.


Theorem 3. With overwhelming probability in the number of voters N , Algo-rithm 1 includes lv in the Solution vector

Pr[Solution[0] = lv ∨ Solution[1] = lv] > 1− 1/exp(Ω(N))

We have proven that with overwhelming probability in N , integer lv occupiesone of the two positions of vector Solution, but what about the other value? Inthe next theorem, we show that with overwhelming probability in N , the othervalue is one of the neighbours of lv, namely lv + 1 or lv − 1.

Theorem 4. With negligible probability in the number of voters N , Algorithm1 includes a value other than (lv − 1, lv, lv + 1) in the Solution vector, i.e.∀w ∈ 0, . . . , lv − 2, lv + 2, . . . , D − 1:

Pr[Solution[0] = w ∨ Solution[1] = w] < 1/exp(Ω(N))

Lemma 5. With overwhelming probability in N , the Solution vector in Algo-rithm 1, is equal to [lv − 1, lv], [lv, ”Null”] or [lv, lv + 1]. Specifically,

Pr[Solution ∈ [lv − 1, lv], [lv, ”Null”], [lv, lv + 1]] > 1− 1/exp(Ω(N))

Now consider we have two executions of the Algorithm 1, one for the ”yes” andone for the ”no” option qudits. It turns out that the values in the positionsly − 1 and ln− 1 of the vector Record, follow the same Binomial distribution (itis easy to see that ply−1 = pln−1). Also, each of them can be seen as a functionof δ which is a monotonic decreasing function that takes a maximum value forδ = 0 (the proof technique is similar to Lemma 3). At this point the probabilityis equal to plv , which is at least 0.405 as we have proven in Lemma 37. Armedwith this observation we can prove the next theorem.

Theorem 5. If we define the event ”Cheat” as:

Cheat =[Algo(y)−Algo(n) = ly − ln

]where Algo(v) is the execution of Algorithm 1 with v ∈ y, n, then it holds that:

Pr[”Cheat”] > 1− 1/exp(Ω(N))

Proof. (sketch) We have seen that there exists a δ0 such that the probabilityplv−1 is equal to 0.4 for both values of v. It holds that:

Pr[”Cheat”] = Pr[”Cheat”|δ ∈ [0, δ0)] · Pr[δ ∈ [0, δ0)]

+ Pr[”Cheat”|δ = δ0] · Pr[δ = δ0]

+ Pr[”Cheat”|δ ∈ (δ0, 2π/D)] · Pr[δ ∈ (δ0, 2π/D)]

For the first interval, for both values of v, Algorithm 1 registers Solution =[lv − 1, lv] with overwhelming probability in N . This holds because of Theorem

7 The same holds for the ply+1, pln+1 except that probability is a monotonic increasingfunction with maximum value at point δ = 2π/D and value equal to plv .


5 and the previous observation. Therefore, for both values of v the algorithmoutputs the values lv − 1. As a result, ly − 1− (ln − 1) = ly − ln.

For the second term, Pr[δ = δ0] = 0, because δ is a continuous randomvariable. Finally, in the last term, the probability that the algorithm registersSolution = [lv − 1, lv] is negligible in N , and by Theorem 5, Solution has theform [lv] or [lv, lv + 1]. So for both values of v, the printed values are ly and ln.

At this point we have proven that the adversary succeeds with overwhelmingprobability in N to perform the d-transfer attack in one round. But how manyrounds should the protocol run in order to prevent this attack?

In the next theorem we prove that if the number of rounds is at mostexp(Ω(N)), the adversary succeeds with probability at least 0.25. Although ina small election these numbers might not be big, in a large scale election it isinfeasible to run the protocol as many times, making it either inefficient or inse-cure. We also note that the probabilistic analysis for one round is independentof the value D, so cannot be used to improve the security of the protocol.

Theorem 6. Let (|Φ〉 , |ψ(θy)〉 , |ψ(θn)〉 , δ,D,N) define one round of the proto-col. If the protocol runs ρ rounds, where 2 ≤ ρ ≤ exp(Ω(N)) , the d-transferattack succeeds with probability at least 0.25.

Proof. According to Theorem 5 the probability that an adversary successfullyperforms the d-transfer attack is:

Pr[”Cheat”] > 1− 1/exp(Ω(N))

Now, for ρ protocol runs, where 2 ≤ ρ ≤ exp(Ω(N)), this probability becomes:

(Pr[”Cheat”])ρ > (1− 1/exp(Ω(N)))ρ ≥ (1− 1/ρ)ρ > 0.25

Now, based on Theorem 6, we can create an adversary such that A wins theEXPΠ

Qint with probability at least 25% if the protocol runs fewer than exponen-tial number of rounds with respect to the number of voters.

Theorem 7. The adversary from section 6.2 wins the experiment EXPΠQint,

where Π is the protocol as described in section 6.1, with probability at least0.25% for every ε > 0 and number of rounds 2 ≤ ρ ≤ exp(Ω(N)).

Proof. (sketch) When A sends the ballot to C on behalf of a corrupted voterin Casting phase, A applies the operations as described in section 6.2. Next,in Tally phase C computes the election outcome. If in a round the result isdifferent from a previous round, C outputs ”⊥”. However, from Theorem 6, weknow that C will not output ”⊥” with probability at least 0.25%.

7 Quantum voting based on conjugate coding

This section looks at protocols based on conjugate coding ([36,50]). The partic-ipants in this family of protocols are one or more election authorities, the tallier


and the voters. The election authorities are only trusted for the purpose of eligi-bility; privacy should be guaranteed by the protocol against both malicious EAand T . Unlike the previous protocols, here the voters do not share any entangledstates with neither EA nor T in order to cast their ballots. One of the main dif-ferences between the two protocols is that [36] does not provide any verificationof the election outcome, while [50] does, but at the expense of receipt freeness,which [36] satisfies. Specifically, in [50] each Vk establishes two keys with T inan anonymous way by using part of protocol [36] as a subroutine. It’s worth tomention that in order for these keys to be established, further interaction be-tween the voters and EA is required and EA is assumed trusted for that task. Atthe end of an execution, Vk encrypts the ballot with one of the keys and sends itto T over a quantum anonymous channel. T announces the result of each ballotaccompanied with the second key so that the voters can verify that their ballothas been counted. This makes it also possible for a coercer to verify how a votervoted, by showing them the second key used as a receipt. It is worth mentioningthat protocol [36] could easily be made to satisfy the same notion of verifiability.


Set up phase

1. EA picks a vector b = (b1, . . . , bn+1) ∈R 0, 1n+1, where n is the securityparameter of the protocol. This vector will be used by EA for the encodingof the ballots and it will be kept secret from T until the end of the ballotcasting phase.

2. For each Vk, EA prepares w = poly(n) blank ballot fragments each of theform |φaj ,b〉 = |ψa1j ,b1〉 ⊗ . . . ⊗ |ψan+1

j ,bn+1〉 , j ∈ 1, . . . , w, where aj =

(a1j , . . . , a

n+1j ) such that:

(a1j , . . . , a

nj ) ∈R 0, 1n, an+1

j = a1j ⊕ . . .⊕ anj

and: |ψ0,0〉 = |0〉 , |ψ1,0〉 = |1〉 , |ψ0,1〉 = 1√2(|0〉+|1〉), |ψ1,1〉 = 1√

2(|0〉−|1〉).

These w fragments will constitute a blank ballot (e.g the first row of Fig. 3is a blank ballot fragment).

3. EA sends one blank ballot to each Vk over an authenticated channel.

Casting phase

4. After reception of the blank ballot, each Vk re-randomizes it by picking foreach fragment a vector dj = (d1

j , . . . , dn+1j ) such that:

(d1j , . . . , d

nj ) ∈R 0, 1n, dn+1

j = d1j ⊕ . . .⊕ dnj .

∀j ∈ 1, . . . , w, Vk applies unitary Udjj = Y d

1j ⊗ . . . ⊗ Y d

n+1j to the blank

ballot fragment |φaj ,b〉 ,, where:

Y 1 =

[0 −11 0

], Y 0 = I


5. Vk encodes the candidate of choice in the (n + 1)th-qubit of the last blankballot fragments8. For example, if we assume a referendum type election,Vk votes for c ∈ 0, 1 by applying to the blank ballot fragment |φaw,b〉 theunitary operations U cw respectively, where: c = (0, . . . , 0, c) (see Fig. 3).

6. Vk sends the ballot to T over an anonymous channel.

Tally phase

7. Once the ballot casting phase ends, EA announces b to T .8. With this knowledge, T can decode each cast ballot in the correct basis.

Specifically, T decodes each ballot fragment by measuring it in the basisdescribed by vector b and XORs the resulting bits. After doing this to eachballot fragment, T ends up with a string, which is the actual vote cast.

9. T announces the election result.

Fig. 3. The ballot consisting of w ballot fragments, which encode the binary choice“0. . . 01” in a referendum type election example.

7.2 Vulnerabilities of Conjugate Coding Protocols

The technique underlying this protocol is closely related to the one used in thefirst quantum key distribution protocols ([3,43]). However, it has some limita-tions in the context of these voting schemes.

8 Candidate choices are encoded in binary format.


Malleable blank ballots: An adversary can change the vote of an eligible voter,when the corresponding ballot is cast over the anonymous channel. AssumeVk has applied the appropriate unitary on the blank ballot in order to votefor the candidate of their choice. And let us consider that the last m ballotfragments encode the candidate. When the adversary sees the cast ballot over thequantum anonymous channel, they apply the unitary U c1w−(m−1), . . . , U

cmw , where

cr is either 0 or 1, depending on their choice to flip the candidate bit or not. As aresult the adversary modifies the ballot of Vk such that it decodes to a differentcandidate than the intended one. This is possible because the adversary is awareof the ballot fragments used to encode the candidate choice. Furthermore, if theadversary has side channel information about the likely winning candidate (frompre-election polls for instance), they will be able to change the vote encoded inthe ballot into one of their desire. This is possible because the adversary is awareof which bits are encoded in the ballot more frequently and knows exactly whichunitary operator to apply in order to decode to a specific candidate.Violation of privacy: It is already acknowledged by the authors of [36] thatthe EA can introduce a “serial number” in a blank ballot to identify a voter,i.e some of the blank ballot fragments in the head of the ballot decode to “1”instead of “0”. This allows the EA to decode any ballot cast over the quantumanonymous channel, linking the identity of the voters with their choice.One-more-unforgeability: The security of the protocol relies on a quantumproblem introduced in [36], named one-more-unforgeability and the assumptionthat it is computationally hard for a quantum adversary. The game that capturesthis assumption goes as follows: a challenger encodes w blank ballot fragments ina basis b and gives them to the adversary. The adversary wins the game if theyproduce w+ 1 valid blank ballot fragments in the basis b. The authors claim theprobability of the adversary of winning this game is at most 1/2 + 1/2(negl(n)).On the security parameter: Because of the ballots’ malleability, an adversarycould substitute the parts of the corrupted voters’ blank ballot fragments thatencode a candidate, with blank ballot fragments in a random base. Of coursethese ballots would open into random candidates in a specific domain but wouldstill be valid, since the leading zeros would not be affected by this change. This isbecause blank ballots contain no entanglement. Now the adversary can keep thesevalid spare blank ballot fragments to create new valid blank ballots. To addressthis problem, the size of blank ballots needs to be substantially big compared tothe number of voters and the size of the candidate space (Nm << w).

8 Other Protocols

Other protocols have also been proposed, with main characteristic that the EAcontrols when ballots get counted. This can be achieved with either the use ofshared entangled states between EA, T , and Vk [44,49] or Bell pairs [44] betweenT and Vk with EA knowing the identity of the holder of each pair particle.However, we do not fully analyse these protocols in this review, as they havemany and serious flaws making even the correctness arguable. The protocol of


[49] claims to provide verifiability of the election outcome, but without explaininghow this can be achieved. From our understanding of the protocol this seemsunlikely to be the case. From the description of the protocol each voter canchange their mind and announce a different vote from the originally cast one.This is possible because the function every voter uses to encode their vote is notcommitted in any way. Two protocols introduced in [44] have similar limitations.For instance, there is no mechanism for verifiability of the election outcome. Inaddition, privacy against T is not satisfied in contrast to protocols we saw insection 6. This is because each voter’s vote is handled individually and not in ahomomorphic manner. All of these could be achieved just by a classical securechannel. Last, the protocol appearing in [23] shares many of the limitations ofthe former protocols as well as some further ones. The method introduced fordetecting eavesdropping in the election process is insecure, as trust is put intoanother voter in order to detect any deviation from the protocol specification.Moreover, the way each voter casts their vote is not well defined in the protocol,which makes privacy and correctness trivially violated.

9 Discussion

In this work, we have examined the current state of the art in quantum e-voting,by presenting the most prominent proposals and analyzing their security. Whatwe have found is that all the proposed protocols fail to satisfy the necessarysecurity definitions for future implementations. Despite this, these protocols openthe way to new avenues of research, specifically on whether quantum informationcan solve some long-standing issues in e-voting and cryptography in general. Bystudying them, we can identify several interesting ideas for further developmentas well as possible bottlenecks in future quantum protocols.

For instance, we saw that, unless combined with some new technique, thetraveling ballot protocols do not provide a viable solution, as double-voting isalways possible, and there is no straightforward way to guarantee privacy. Onthe other hand, the distributed ballot protocols give us very strong privacy guar-antees because of the entanglement between the ballot states, but it seems thatverifiability against malicious talliers might be hard to achieve. In fact, one ofthe most intriguing questions in quantum e-voting is whether we can achieveall desired properties simultaneously. For instance, every classical definition ofverifiability [13] assumes a trusted bulletin board that the participants can read,write on, and finally verify the outcome of the election. However, implementinga quantum bulletin board to achieve the same properties is not straightforward,since reading a quantum state can ’disturb’ it in an irreversible way. For thatreason we have defined in our experiment EXPΠ

QVer the public quantum register

B, and the predicate VerifyΠ . Of course, an implementation of such predicateseems hard to realize in the quantum setting and more research is needed.

We have also shown that the cut-and-choose technique used by the protocolsin Section 4 is both inefficient and insecure. A solution could be to provide sometype of randomness to the voters (e.g. in the form of a common random string),


which would determine if a state should be verified or used for the voting phase(a similar process is shown in [34,37]). However, even if the problem with thecut-and-choose technique is addressed, privacy can still be violated as we haveseen, and possible corrections might require the use of more advanced techniques.Notwithstanding these limitations, we believe that our analysis opens new re-search directions for the study of the quantum cut-and-choose technique, whichplays a fundamental role in the secure distribution of quantum information.

The general aim of studying quantum cryptographic protocols, is to providebetter guarantees than classically possible, be that in security or efficiency. Thishas been achieved for primitives like coin flipping and oblivious transfer, againstunbounded adversaries [8,38], and against bounded ones that are more rele-vant to practical implementations (e.g. with limited storage [14], noisy storage[29], or bounded by relativistic constraints [32]). The question whether quantumtechnology could enhance electronic voting as well has not yet been answered,and requires further study of both the existing classical and quantum literature.First, bottlenecks in classical election protocols that could potentially be solvedby using quantum subroutines, need to be identified. Then, quantum protocolsneed to be designed, that satisfy well articulated definitions of all the requiredproperties in composable frameworks. In classical cryptography, this was pur-sued with the help of automated provers and model checkers such as EasyCrypt[12], game based definitions [13,4], and by employing the Universal Compos-ability Framework [7,20]. However, in quantum cryptography, it remains unclearhow these techniques can be adopted. An interesting approach appears in [18],where the authors provide an automated verification tool that enables checkingproperties of systems which can be expressed within the quantum stabilizer for-malism. Finally, a recent work by Unruh [46] on quantum relational Hoare logicmight open new avenues and help provide a solution to this problem.

References

1. Adida, B.: Helios: Web-based open-audit voting. In: USENIX security symposium.vol. 17, pp. 335–348 (2008)

2. Barnum, H., Crepeau, C., Gottesman, D., Smith, A., Tapp, A.: Authentication ofquantum messages. In: Foundations of Computer Science, 2002. Proceedings. The43rd Annual IEEE Symposium on. pp. 449–458. IEEE (2002)

3. Bennett, C.H., Brassard, G.: Quantum cryptography: Public key distribution andcoin tossing. In: Proceedings of IEEE International Conference on Computers,Systems and Signal Processing. vol. 175, p. 8. New York (1984)

4. Bernhard, D., Cortier, V., Galindo, D., Pereira, O., Warinschi, B.: Sok: A compre-hensive analysis of game-based ballot privacy definitions. In: Security and Privacy(SP), 2015 IEEE Symposium on. pp. 499–516. IEEE (2015)

5. Bonanome, M., Buzek, V., Hillery, M., Ziman, M.: Toward protocols for quantum-ensured privacy and secure voting. vol. 84, p. 022331. APS (2011)

6. Broadbent, A., Tapp, A.: Information-theoretic security without an honest ma-jority. In: Kurosawa, K. (ed.) Advances in Cryptology – ASIACRYPT 2007. pp.410–426. Springer Berlin Heidelberg, Berlin, Heidelberg (2007)


7. Canetti, R.: Universally composable security: A new paradigm for cryptographicprotocols. In: Foundations of Computer Science, 2001. Proceedings. 42nd IEEESymposium on. pp. 136–145. IEEE (2001)

8. Chailloux, A., Kerenidis, I.: Optimal quantum strong coin flipping. In: Proceedingsof the 2009 50th Annual IEEE Symposium on Foundations of Computer Science.pp. 527–533. FOCS ’09 (2009)

9. Chaum, D., Carback, R., Clark, J., Essex, A., Popoveniuc, S., Rivest, R.L., Ryan,P.Y.A., Shen, E., Sherman, A.T., Vora, P.L.: Scantegrity II: end-to-end verifiabil-ity by voters of optical scan elections through confirmation codes. IEEE Trans.Information Forensics and Security 4(4), 611–627 (2009)

10. Chevallier-Mames, B., Fouque, P.A., Pointcheval, D., Stern, J., Traore, J.: OnSome Incompatible Properties of Voting Schemes, pp. 191–199. Springer BerlinHeidelberg, Berlin, Heidelberg (2010)

11. Chillotti, I., Gama, N., Georgieva, M., Izabachene, M.: A homomorphic lwe basede-voting scheme. In: International Workshop on Post-Quantum Cryptography. pp.245–265. Springer (2016)

12. Cortier, V., Drgan, C.C., Dupressoir, F., Schmidt, B., Strub, P., Warinschi, B.:Machine-checked proofs of privacy for electronic voting protocols. In: 2017 IEEESymposium on Security and Privacy (SP). pp. 993–1008 (2017)

13. Cortier, V., Galindo, D., Ksters, R., Mller, J., Truderung, T.: Sok: Verifiabilitynotions for e-voting protocols. In: 2016 IEEE Symposium on Security and Privacy(SP). pp. 779–798 (2016)

14. Damgard, I.B., Fehr, S., Salvail, L., Schaffner, C.: Cryptography in the boundedquantum-storage model. In: IEEE Information Theory Workshop on Theory andPractice in Information-Theoretic Security, 2005. pp. 24–27 (2005)

15. Delaune, S., Kremer, S., Ryan, M.: Coercion-resistance and receipt-freeness in elec-tronic voting. In: Computer Security Foundations Workshop, 2006. 19th IEEE. pp.12–pp. IEEE (2006)

16. Dolev, S., Pitowsky, I., Tamir, B.: A quantum secret ballot. arXiv preprint quant-ph/0602087 (2006)

17. Einstein, A., Podolsky, B., Rosen, N.: Can quantum-mechanical description ofphysical reality be considered complete? Phys. Rev. 47, 777–780 (1935)

18. Gay, S.J., Nagarajan, R., Papanikolaou, N.: Qmc: A model checker for quantumsystems. In: Proceedings of CAV 2008. vol. LNCS 5123, pp. 543–547. Springer-Verlag, Berlin, Heidelberg (2008)

19. Greenberger, D., Horne, M., Zeilinger, A.: Going beyond bell’s theorem. In:Kafatos, M. (ed.) Bell’s Theorem, Quantum Theory and Conceptions of the Uni-verse. Fundamental Theories of Physics, vol 37. pp. 69–72. Springer, Dordrecht(1989)

20. Groth, J.: Evaluating security of voting schemes in the universal composabilityframework. In: Jakobsson, M., Yung, M., Zhou, J. (eds.) Applied Cryptographyand Network Security. pp. 46–60. Springer Berlin Heidelberg, Berlin, Heidelberg(2004)

21. Hallgren, S., Smith, A., Song, F.: Classical cryptographic protocols in a quantumworld. In: Rogaway, P. (ed.) Advances in Cryptology–CRYPTO 2011. pp. 411–428.Springer Berlin Heidelberg (2011)

22. Hillery, M., Ziman, M., Buzek, V., Bielikova, M.: Towards quantum-based privacyand voting. In: Physics Letters A. vol. 349, pp. 75–81. Elsevier (2006)

23. Horoshko, D., Kilin, S.: Quantum anonymous voting with anonymity check. In:Physics Letters A. vol. 375, pp. 1172–1175. Elsevier (2011)

http://arxiv.org/abs/quant-ph/0602087

http://arxiv.org/abs/quant-ph/0602087


24. Huang, W., Wen, Q.Y., Liu, B., Su, Q., Qin, S.J., Gao, F.: Quantum anonymousranking. In: Physical Review A. vol. 89, p. 032325. APS (2014)

25. Juels, A., Catalano, D., Jakobsson, M.: Coercion-resistant electronic elections. In:Proceedings of the 2005 ACM workshop on Privacy in the electronic society. pp.61–70. ACM (2005)

26. Kashefi, E., Music, L., Wallden, P.: The quantum cut-and-choose technique andquantum two-party computation. arXiv preprint arXiv:1703.03754 (2017)

27. Kiayias, A., Yung, M.: Self-tallying elections and perfect ballot secrecy. In: Nac-cache, D., Paillier, P. (eds.) Public Key Cryptography. vol. 2274, pp. 141–158.Springer Berlin Heidelberg (2002)

28. Kiayias, A., Zacharias, T., Zhang, B.: End-to-end verifiable elections in the stan-dard model. In: Oswald, E., Fischlin, M. (eds.) Advances in Cryptology - EURO-CRYPT 2015. pp. 468–498. Springer Berlin Heidelberg (2015)

29. Konig, R., Wehner, S., Wullschleger, J.: Unconditional security from noisy quantumstorage. IEEE Transactions on Information Theory 58(3), 1962–1984 (2012)

30. Li, Y., Zeng, G.: Quantum anonymous voting systems based on entangled state.In: Optical review. vol. 15, pp. 219–223. Springer (2008)

31. Lo, H.K., Chau, H.: Why quantum bit commitment and ideal quantum coin tossingare impossible. In: Physica D: Nonlinear Phenomena. vol. 120, pp. 177 – 187 (1998)

32. Lunghi, T., Kaniewski, J., Bussieres, F., Houlmann, R., Tomamichel, M., Wehner,S., Zbinden, H.: Practical relativistic bit commitment. Phys. Rev. Lett. 115, 030502

33. Mayers, D.: Unconditionally secure quantum bit commitment is impossible. In:Phys. Rev. Lett. vol. 78, pp. 3414–3417. American Physical Society (Apr 1997)

34. McCutcheon, W., Pappa, A., Bell, B., McMillan, A., Chailloux, A., Lawson, T.,Mafu, M., Markham, D., Diamanti, E., Kerenidis, I., et al.: Experimental verifica-tion of multipartite entanglement in quantum networks. In: Nature Communica-tions. vol. 7, p. 13251. Nature Publishing Group (2016)

35. Nielsen, M.A., Chuang, I.L.: Quantum Computation and Quantum Information:10th Anniversary Edition. Cambridge University Press, New York, NY, USA, 10thedn. (2011)

36. Okamoto, K.S.T., Tokunaga, Y.: Quantum voting scheme based on conjugate cod-ing. NTT Technical Review 6(1), 1–8 (2008)

37. Pappa, A., Chailloux, A., Wehner, S., Diamanti, E., Kerenidis, I.: Multipartiteentanglement verification resistant against dishonest parties. vol. 108, p. 260502.APS (2012)

38. Pappa, A., Jouguet, P., Lawson, T., Chailloux, A., Legre, M., Trinkler, P., Kereni-dis, I., Diamanti, E.: Experimental plug and play quantum coin flipping 5(3717)(2014)

39. Portmann, C.: Quantum authentication with key recycling. In: Coron, J.S., Nielsen,J.B. (eds.) Advances in Cryptology – EUROCRYPT 2017. pp. 339–368. SpringerInternational Publishing (2017)

40. Ryan, P.Y.A., Schneider, S.A.: Pret-a-voter with re-encryption mixes. In: 11thEuropean Symp. On Research In Computer Security (ESORICS’06). vol. 4189,pp. 313–326. Springer (2006)

41. Sakurai, J.J., Commins, E.D.: Modern quantum mechanics, revised edition. AAPT(1995)

42. Shor, P.W.: Algorithms for quantum computation: Discrete logarithms and factor-ing. In: Proceedings of the 35th Annual Symposium on Foundations of ComputerScience. pp. 124–134. SFCS ’94, IEEE Computer Society, Washington, DC, USA(1994)

http://arxiv.org/abs/1703.03754


43. Shor, P.W., Preskill, J.: Simple proof of security of the bb84 quantum key distri-bution protocol. In: Physical review letters. vol. 85, p. 441. APS (2000)

44. Thapliyal, K., Sharma, R.D., Pathak, A.: Protocols for quantum binary voting. In:International Journal of Quantum Information. vol. 15, p. 1750007. World Scientific(2017)

45. Unruh, D.: Universally composable quantum multi-party computation. In: Gilbert,H. (ed.) Advances in Cryptology – EUROCRYPT 2010. vol. 6110, pp. 486–505.Springer Berlin Heidelberg (2010)

46. Unruh, D.: Quantum relational hoare logic. arXiv:1802.03188 [quant-ph] (2018)47. Vaccaro, J.A., Spring, J., Chefles, A.: Quantum protocols for anonymous voting

and surveying. In: Physical Review A. vol. 75, p. 012333. APS (2007)48. Wang, Q., Yu, C., Gao, F., Qi, H., Wen, Q.: Self-tallying quantum anonymous

voting. In: Physical Review A. vol. 94, p. 022333. APS (2016)49. Xue, P., Zhang, X.: A simple quantum voting scheme with multi-qubit entangle-

ment. In: Scientific Reports. vol. 7, p. 7586. Nature Publishing Group (2017)50. Zhou, R.R., Yang, L.: Distributed quantum election scheme. arXiv preprint

arXiv:1304.0555 (2013)




Supplementary Material

In the supplementary material we include some extra technical details that dueto lack of space could not be included in the main body of the paper, as well asour response to reviews received on previous submissions of this work.

A Formal definition of quantum integrity

The integrity experiment EXPΠQint is the same as EXPΠ

Qver with the only ex-ceptions that there isn’t a predicate PΠVerify and we don’t allow A to corrupt thetallier (if there exist in the protocol Π). As a result, we don’t capture universalverifiability in EXPΠ

Qint, but only double voting and vote deletion/alteration ofhonest ballots.

The experiment EXPΠQint(A, ε, δ0)

– Set up phase: C and A generate the protocol parameters in quantum registerX as specified by Π. Furthermore, A chooses the votes for all voters vkVk∈V .

– Casting phase: A chooses whether to corrupt Vp(k) or not (and therefore addthe voter or not to the set VA).• If Vp(k) 6∈ VA, C generates the ballot Bp(k),⊥ ←

CastBallot(vp(k),Xp(k),B, δ0). If it is not ⊥, C sends it to A. If C re-ceives Bp(k) back from A, then C stores Bp(k) in B, where Bp(k), Xp(k),and B are local and global quantum registers respectively. Note thatwhen A receives Bp(k) from C, it is possible to apply quantum operationson the register that are dependent on the specifications of Π.

• If Vp(k) ∈ VA, then A creates a ballot Bp(k) and sends it to C.– Tally phase: C computes X ← Tally(B,XC , δ0):• If X 6= ⊥ and PΠVCounted(vkVk 6∈VA , X) = 0 or NballotsΠ(X) > |V|, then

output 1, else output 0.

Definition 3. We say that a quantum e-voting protocol Π satisfies ε-quantumintegrity if for every quantum PPT A the probability to win the experimentEXPΠ

Qint(A, ε, δ0) is negligible with respect to δ0:

Pr[1← EXPΠQint(A, ε, δ0)] = negl(δ0).

B Proof of attack on Distributed Ballot protocols

Now we give detailed proofs of the theorems and lemmas of Section 6.


Lemma 2 Let ΘvD,δ ∈ [0, 2π] be the continuous random variable that describesthe outcome of the measurement of a vote state |ψ(θv)〉 , v ∈ y,n using opera-tors

E(θ) =D

2π|Φ(θ)〉〈Φ(θ)| (3)

where |Φ(θ)〉 = 1√D

D−1∑j=0

eijθ |j〉. It holds that:


2πD

∫ xl+w

xl


sin2[(θ − θv)/2]dθ (4)

Proof.

Pr[xl < ΘvD,δ < xl+w] = 〈φ(θv)|∫ xl+w

xl

E(θ)dθ |φ(θv)〉

=

∫ xl+w

xl

〈φ(θv)|E(θ) |φ(θv)〉 dθ

=D

2πD2

∫ xl+w

xl

|D−1∑j=0

e(θ−θv)ij |2dθ

=1

2πD

∫ xl+w

xl

([

D−1∑j=0

cos[(θ − θv)j]]2

+ [

D−1∑j=0

sin[(θ − θv)j]]2)dθ

For any x ∈ R, the following two equations hold:

D−1∑j=0

cos[jx] =sin[Dx/2]

sin[x/2]cos[(D − 1)x/2]

D−1∑j=0

sin[jx] =sin[Dx/2]

sin[x/2]sin[(D − 1)x/2]

So finally we have:


2πD

∫ xl+w

xl



Lemma 3 Let |ψ(θv)〉 be a voting state of the protocol. Then it holds:

Pr[xlv < ΘvD,δ < xlv+1] > 0.405

Proof. A simple change of variables in Eq.(4) gives us:


Pr[xlv < ΘvD,δ < xlv+1] =1

2πD

∫ 2π/D

0

sin2[D(θ − δ)/2]

sin2[(θ − δ)/2]dθ

By setting (θ − δ)/2 = y, we get:

Pr[xlv < ΘvD,δ < xlv+1] =1

πD

∫ (2π/D−δ)/2

−δ/2

sin2[Dy]

sin2[y]dy

The above is just a function of δ, which we denote as F (δ). In order tolower-bound F (δ) we need to find its derivative:

dF (δ)

dδ=

1

2πD

(sin2[Dδ/2]

sin2[δ/2]− sin2[Dδ/2]

sin2[(2π/D − δ)/2]

)It is easy to check that:

dF (δ)

dδ= 0, when δ = 0 or δ = π/D

dF (δ)

dδ> 0, when 0 < δ < π/D

dF (δ)

dδ< 0, when π/D < δ < 2π/D

It also holds that F (0) = F (2π/D), so the minimum extreme points of ourfunction are equal. As a result we have:

F (δ) ≥ limδ→0−

F (δ) = F (0) (5)

From the fact that:

| sin[x]| ≤ |x|,∀x ∈ R| sin[x]| ≥ |(2/π)x|,∀x ∈ [0, π/2]

| sin[x]| ≥ | − (2/π)x+ 2|,∀x ∈ [π/2, π]

It follows:

F (0) ≥ 1

πD

∫ π2D

0

( 2

πDy

)2

/y2dy +

∫ πD

π2D

( 2

πDy+ 2)2

/y2dy

≥ 4

π2

> 0.405

Now in order to prove lemma 4, we need the following proposition:

Proposition 2. ∀x ∈ [−2π, 2π] it holds that:

sin2[x] >

20∑n=1

(−1)n+1 22n−1x2n

(2n)!(6)


Proof. From the Taylor series expansion at point 0 of cos[x], we know that:

cos[x] =

∞∑n=0

(−1)nx2n

(2n)!, ∀x ∈ R

Then:

sin2[x] =1

2− cos[2x]

2=

1

2− 1

2

∞∑n=0

(−1)n22nx2n

(2n)!

=

∞∑n=1

(−1)n+1 22n−1x2n

(2n)!

Given the above equation, in order to prove Eq.(6), we simply need to show:

∞∑n=21

(−1)n+1 22n−1x2n

(2n)!> 0

If we think of the above as a sum of terms an (n = 21, . . . ,∞), for integer j ≥ 10,it holds that:

an > 0, when n = 2j + 1,

an < 0, when n = 2j.

We therefore need to prove that∞∑

n=21an > 0, which in turn is equivalent to

proving that:

|an| > |an+1| ⇐⇒ 22n−1x2n/(2n)! > 22n+1x2n+2/(2n+ 2)!

⇐⇒ 1 > 4x2/((2n+ 1)(2n+ 2))

⇐⇒ (2n+ 1)(2n+ 2)/4 > x2

In this case, the above holds, because the minimum value of n is 21 and themaximum value of x2 is 4π2.

Lemma 4 Let |ψ(θv)〉 be a voting state of the protocol. Then it holds:

Pr[xlv−1 < ΘvD,δ < xlv+2] > 0.9

Proof. We follow exactly the same procedure as lemma 3 and get:

Pr[xlv−1 < ΘvD,δ < xlv+2] (7)

=1

2πD

∫ xlv+2

xlv−1



=1

2πD

∫ 4π/D

−2π/D

sin2[D(θ − δ)/2]

sin2[(θ − δ)/2]dθ

=1

πD

∫ 2π/D−δ/2

−π/D−δ/2

sin2[Dy]

sin2[y]dy (8)


where (θ − δ)/2 = y. Again the above probability depends only on δ and cantherefore be denoted with F (δ). In a similar way as before, we can prove thatthe minimum of this function is at δ = 0 and compute F (0).

F (0) =1

πD

∫ 2π/D

−π/D

sin2[Dy]

sin2[y]dy

≥ 1

πD

∫ 2π/D

−π/D

20∑n=1

(−1)n+122n−1(Dy)2n

(2n)!

y2dy

=1

πD

20∑n=1

∫ 2π/D

−π/D

(−1)n+122n−1D2ny2n

y2(2n)!dy

=1

πD

20∑n=1

(−1)n+122n−1D2n

(2n)!

∫ 2π/D

−π/Dy2(n−1)dy

=1

πD

20∑n=1

(−1)n+122n−1D2n

(2n)![y2n−1/(2n− 1)]

2π/D−π/D

=

20∑n=1

(−1)n+122n−1

(2n)!

π2n−2(22n−2 + 1)

2n− 1

≈ 0.9263 (9)

Theorem 3 With overwhelming probability in the number of voters N , algo-rithm 1 includes lv in the Solution vector (i.e. it measures a value in the interval[xlv , xlv+1] more than 40% of the time).

Pr[Solution[0] = lv ∨ Solution[1] = lv] > 1− 1/exp(Ω(N))

Proof. We can see each measurement that algorithm 1 performs at each votestate |ψ(θv)〉, as an independent Bernoulli trial Xl with probability of successpl = Pr[xl < ΘvD,δ < xl+1]. Then the value of Record[l] follows the binomialdistribution:

XRecord[l] ∼ B(εN

2, pl)

We can therefore compute:

Pr[Solution[0] = lv ∨ Solution[1] = lv

]= Pr

[Record[lv] ≥ 0.4εN/2

]≥ 1− Pr

[Record[lv] ≤ 0.4εN/2

]1= 1− Pr

[Record[lv] ≤ (1− γ)plvεN/2

]2≥ 1− exp(−γ2plvεN/6)

= 1− (exp(−γ2plvε/6))N

= 1− 1/exp(Ω(N))


Theorem 4 With negligible probability in the number of voters N , algorithm1 includes a value other than (lv − 1, lv, lv + 1) in the Solution vector, i.e.∀w ∈ 0, . . . , lv − 2, lv + 2, . . . , D − 1:

Pr[Solution[0] = w ∨ Solution[1] = w] < 1/exp(Ω(N))

Proof. Let w ∈ 0, . . . , D − 1 \ lv − 1, lv, lv + 1, then it holds:

Pr[Solution[0] = w ∨ Solution[1] = w]

= Pr[XRecord[w] ≥ 0.4εN/2]

We know from lemma 4 that pw < 0.1, so ∃γ > 0 such that:9

Pr[XRecord[w] ≥ 0.4εN/2]

= Pr[XRecord[w] ≥ (1 + γ)pwεN/2]

< exp(−γpwεN/6)

= (exp(−γpwε/6))N

= 1/exp(Ω(N))

Lemma 5 With overwhelming probability in N , the Solution vector in algo-rithm 1, is equal to [lv − 1, lv], [lv, “Null”] or [lv, lv + 1].Specifically,

Pr[Solution ∈ [lv − 1, lv], [lv, “Null”], [lv, lv + 1]]> 1− 1/exp(Ω(N))

Proof. Let as define the following events:

A =[Solution[0] = w ∨ Solution[1] = w,

w ∈ 0, . . . , lv − 2, lv + 2, . . . , D − 1]

B =[Solution[0] = lv ∨ Solution[1] = lv

]Since the cases Solution = [lv, lv − 1] and Solution = [lv + 1, lv] are impos-

sible from the construction of the algorithm, from theorems 3 and 4 it holds:

Pr[Solution ∈ [lv − 1, lv], [lv, “Null”], [lv, lv + 1]]= Pr[B ∧ ¬A]

= Pr[B]− Pr[B ∧A]

> 1− 1/exp(Ω(N))

1 plv > 0.405 =⇒ ∃γ > 0 s.t 0.4 = (1− γ)plv2 The Chernoff bound for a random variable X ∼ B(N, p) and expected value E[X] =µ is: Pr[X ≤ (1− γ)µ] ≤ exp(−γ2µ/3)

9 The Chernoff bound for a random variable X ∼ B(N, p) and expected value E[X] =µ is: Pr[X ≤ (1 + γ)µ] ≤ exp(−γµ/3), γ > 1


Lemma 6. Let |ψ(θv)〉 be a voting state with δ ∈ [0, 2π/D) and lv = D−1,whereδ is a continuous random variable .Then it holds:

Pr[xD−2 < ΘvD,δ < xD] + Pr[x0 < ΘvD,δ < x1] > 0.9

Proof.

Pr[x0 < ΘvD,δ < x1] (10)

= 1/(2πD)

∫ x1

x0

(Sin[D/2(θ − θv)]Sin[1/2(θ − θv)]

)2dθ (11)

Now we set θ = θ − xD to 11 and we have:

Pr[x0 < ΘvD,δ < x1] (12)

= 1/(2πD)

∫ xD+x1

xD

(Sin[−Dπ +D/2(θ − θv)]Sin[−π + 1/2(θ − θv)]

)2dθ (13)

= 1/(2πD)

∫ xD+x1

xD

(Sin[D/2(θ − θv)]Sin[1/2(θ − θv)]

)2dθ (14)

Finally we have:

Pr[xD−2 < ΘvD,δ < xD] + Pr[x0 < ΘvD,δ < x1] (15)

= 1/(2πD)

∫ xD+x1

xD−2

(Sin[D/2(θ − θv)]Sin[1/2(θ − θv)]

)2dθ (16)

= 1/(2πD)

∫ 4π/D

−2π/D

Sin2[D(θ − δ)/2]

Sin2[(θ − δ)/2]dθ (17)

From lemma 4 this integral is at least 0.9The proof is similar for lv = 0.

Lemma 7. Let Solution be the matrix of algorithm 1, then it holds:

Pr[Solution ∈ lv − 1, lv, lv, lv, lv + 1]= Pr[Solution ∈ [lv − 1, lv], [lv], [lv, lv + 1]]

Proof. (sketch)It holds that:

Pr[Solution ∈ lv − 1, lv, lv, lv, lv + 1] (18)

= Pr[Solution ∈ lv − 1, lv] (19)

+ Pr[Solution ∈ lv] (20)

+ Pr[Solution ∈ lv, lv + 1] (21)

We need to prove that:

Pr[Solution ∈ lv − 1, lv] = Pr[Solution = [lv − 1, lv]] (22)


From the construction of the algorithm 1 we know that:

Pr[Solution = [lv, lv − 1]|Solution ∈ lv − 1, lv] = 0 (23)

This is true because the values of the Solution are from the matrix Record in aprogressive manner. So under the assumption that both lv, lv − 1 had appearedat least 40% times, they inserted in a progressive order. The only time they willnot is the case in which lv = 0 and lv−1 = D−1. At first the order is [0, D−1],but because of the special condition we had in our algorithm the order switchesto [D − 1, 0].

It holds that:

Pr[Solution = [lv, lv − 1]|Solution ∈ lv − 1, lv] (24)

= Pr[Solution = [lv, lv − 1]] + Pr[∅] (25)

= Pr[Solution = [lv, lv − 1]] (26)

= 0 (27)

Similar are the other cases.

arxiv:1810.05083v3 [quant-ph] 16 dec 2019

Documents