Voting System Properties Most voting systems assume no collusion between more than one party for keys Most voting systems require a consistency check by each voter for a small piece of the protocol If 5-20% of voters check, the correctness of the entire protocol is determined by this weakest link

Choosing a Mixnet If we can trade a mixnet that requires only one honest* mix for a mixnet that is faster but requires more than one honest mix: good trade for voting If we can trade cryptographic soundness (1-ε) for statistical soundness (99%) and speed: good trade for voting * keep permutation private from other mixes

2 Such Mixnets Assuming re-encryption: Randomized Partial Checking [JJR02] Almost Entirely Correct Mixing [BG02] Open problem 1: others? Open problem 2: throw combinatorics at BG02

C 1 =E(m 1 ) C 2 =E(m 2 ) C 3 =E(m 3 ) C 4 =E(m 4 ) C 5 =E(m 5 ) C 6 =E(m 6 ) Mix C π1 C π2 C π3 C π4 C π5 C π6

C 1 =E(m 1 ) C 2 =E(m 2 ) C 3 =E(m 3 ) C 4 =E(m 4 ) C 5 =E(m 5 ) C 6 =E(m 6 ) Mix C π1 C π2 C π3 C π4 C π5 C π6 ΣΣ

C 1 =E(m 1 ) C 2 =E(m 2 ) C 3 =E(m 3 ) C 4 =E(m 4 ) C 5 =E(m 5 ) C 6 =E(m 6 ) Mix C π1 (C π2 )*a C π3 C π4 (C π5 )*a -1 C π6 ΣΣ Necessary but not sufficient

C 1 =E(m 1 ) C 2 =E(m 2 ) C 3 =E(m 3 ) C 4 =E(m 4 ) C 5 =E(m 5 ) C 6 =E(m 6 ) Mix C π1 (C π2 )*a C π3 C π4 (C π5 )*a -1 C π6 ΣΣ H T T T H T ≠

Properties Testing product of subsets is probabilistic: boost soundness by repeating Testing product of subsets reduces anonymity: repeating makes worst Adding additional honest mixes increases anonymity Optimize number of tests per mix and number of honest mixes to balance anonymity and soundness

Open Problem 2 Analysis in paper is tricky Complexity seems to result from using random coins Idea: throw a combinatorial design at the problem Choose random instance from a family of { ? } so that guarantees can be made by anonymity sets within mixes and with adjacent honest mixes