Voting System Properties Most voting systems assume no

Voting System Properties • Most voting systems assume no collusion between more than one party for keys • Most voting systems require a consistency check by each voter for a small piece of the protocol • If 5 -20% of voters check, the correctness of the entire protocol is determined by this weakest link

Choosing a Mixnet • If we can trade a mixnet that requires only one honest* mix for a mixnet that is faster but requires more than one honest mix: good trade for voting • If we can trade cryptographic soundness (1 -ε) for statistical soundness (99%) and speed: good trade for voting * keep permutation private from other mixes

2 Such Mixnets Assuming re-encryption: Randomized Partial Checking [JJR 02] Almost Entirely Correct Mixing [BG 02] Open problem 1: others? Open problem 2: throw combinatorics at BG 02

C 1=E(m 1) C 2=E(m 2) C 3=E(m 3) C 4=E(m 4) C 5=E(m 5) C 6=E(m 6) Mix Cπ1 Cπ2 Cπ3 Cπ4 Cπ5 Cπ6

C 1=E(m 1) C 2=E(m 2) C 3=E(m 3) C 4=E(m 4) C 5=E(m 5) C 6=E(m 6) Σ Mix Cπ1 Cπ2 Cπ3 Cπ4 Cπ5 Cπ6 Σ

Necessary but not sufficient C 1=E(m 1) C 2=E(m 2) C 3=E(m 3) C 4=E(m 4) C 5=E(m 5) C 6=E(m 6) Σ Mix Cπ1 (Cπ2)*a Cπ3 Cπ4 (Cπ5)*a-1 Cπ6 Σ

H T T T H T C 1=E(m 1) C 2=E(m 2) C 3=E(m 3) C 4=E(m 4) C 5=E(m 5) C 6=E(m 6) Mix Cπ1 (Cπ2)*a Cπ3 Cπ4 (Cπ5)*a-1 Cπ6 Σ ≠ Σ

Properties Testing product of subsets is probabilistic: boost soundness by repeating Testing product of subsets reduces anonymity: repeating makes worst Adding additional honest mixes increases anonymity Optimize number of tests per mix and number of honest mixes to balance anonymity and soundness

Open Problem 2 Analysis in paper is tricky Complexity seems to result from using random coins Idea: throw a combinatorial design at the problem Choose random instance from a family of { ? } so that guarantees can be made by anonymity sets within mixes and with adjacent honest mixes