Making Code Voting Secure against Insider Threats using Unconditionally Secure MIX Schemes and Human PSMT Protocols
Code voting was introduced by Chaum as a solution for casting a vote in an electronic voting application from a device that may be infected by malware. Chaum's work on code voting assumed that voting codes are physically delivered to voters through the mail system, implicitly requiring trust in the mail system. This is not necessarily a valid assumption: if the mail system conspires with the recipient of the cast ballots, privacy is broken. It is clear to the public that, when it comes to privacy, computers and "secure" communication over the Internet cannot fully be trusted. This emphasizes the importance of (1) unconditional security for secure network communication and (2) reduced reliance on untrusted computers. In this paper we explore how to remove the mail system trust assumption in code voting. We use PSMT protocols (SCN 2012) in which, with the help of visual aids, humans can carry out $\mod 10$ addition correctly with a 99% degree of accuracy. We introduce an unconditionally secure MIX based on the combinatorics of set systems. Given that the end users of our proposed voting scheme are humans, we cannot use classical Secure Multi-Party Computation protocols. Our solutions are for both single- and multi-seat elections, achieving: (i) an anonymous and perfectly secure communication network, secure against a $t$-bounded passive adversary, used to deliver voting codes; (ii) an end step of the protocol that can be handled by a human to evade the threat of malware. We do not focus on active adversaries.
💡 Research Summary
The paper revisits Chaum’s code‑voting scheme, whose security hinges on the assumption that voting codes can be safely delivered by postal mail. Recognizing that the mail system may be untrustworthy—especially when insiders collude with returning officers—the authors propose a fully information‑theoretic solution that eliminates any reliance on physical mail. Their construction combines two novel components: (1) an unconditionally secure MIX network built from set‑system combinatorics, and (2) a Human‑Centric Perfectly Secure Message Transmission (PSMT) protocol that lets voters reconstruct secret messages using simple mod 10 addition with visual aids.
The MIX design uses an (m, b, t)‑Verifier set system, where X = {1,…,m} indexes MIX servers and B = {B₁,…,B_b} are blocks each containing t + 1 servers. By the property of verifier set systems, any coalition of at most t corrupted servers leaves at least one block completely honest, guaranteeing “existential honesty”. Private channels are assumed between consecutive blocks and between the first/last block and the sender/receiver. This structure provides perfect anonymity, perfect privacy, perfect reliability, and thus perfect security against a t‑bounded passive adversary, regardless of computational power (including future quantum attacks).
The human‑centric PSMT protocol, introduced in earlier work (SCN 2012), exploits the fact that humans can reliably perform addition modulo 10 when guided by clear instructions and visual cues; experiments show a 99 % success rate. In the voting context, the election authority splits each voting code into t + 1 shares, sends them over t + 1 disjoint network paths (each path traversing a different MIX block), and the voter recombines them by adding the shares digit by digit mod 10. Because the reconstruction happens in the voter's head rather than on a device, malware on any single device sees at most one share, and any t of the t + 1 shares are uniformly random and reveal nothing about the code.
The overall voting protocol works as follows. For a single‑seat election, the authority generates a unique code per candidate, encodes it into t + 1 shares, and sends each share through a distinct MIX path. The MIX servers shuffle the shares within each block, preserving anonymity; since the MIX is information‑theoretic, confidentiality between blocks rests on the assumed private channels rather than on re‑encryption. The voter receives the shares on multiple devices (e.g., PC, smartphone, tablet), possibly using different Internet or cellular providers, reflecting the authors' "diversity" principle. After manually adding the shares mod 10, the voter obtains the final code, encrypts it with the election's public key, and submits it to the tallying server. For multi‑seat elections, the same mechanism is applied to vectors of codes, with additional shuffling to hide the association between seats and candidates.
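The two building blocks above, the verifier set system's "existential honesty" condition and the digit-wise mod 10 additive sharing the voter reconstructs by hand, are small enough to check mechanically. The following is an added illustration written for this page, not code from the paper; the (4, 2, 1) set system, the server numbering, the sample code "4711" and the model in which a passive coalition reads every share on a path containing one of its servers are all constructed assumptions.

```python
"""Added example (not the paper's code): mod 10 additive sharing of a voting
code, the voter's digit-wise reconstruction, and brute-force checks of the
set-system properties the summary relies on.  All inputs are constructed."""
import itertools
import random


def share_code(code, n_shares, rng=None):
    """Split a decimal voting code into n_shares digit strings of equal length
    whose digit-wise sum mod 10 is the code.  The first n_shares-1 shares are
    uniformly random; the last is chosen so the sums work out, so it is uniform
    too.  Any n_shares-1 shares together are uniform and say nothing about the
    code.  Shares are secrets, so the default RNG is the OS CSPRNG."""
    if not (code.isdigit() and n_shares >= 2):
        raise ValueError("code must be decimal digits and n_shares >= 2")
    rng = rng or random.SystemRandom()
    shares = ["".join(str(rng.randrange(10)) for _ in code)
              for _ in range(n_shares - 1)]
    last = "".join(
        str((int(d) - sum(int(s[i]) for s in shares)) % 10)
        for i, d in enumerate(code))
    shares.append(last)
    return shares


def reconstruct_code(shares):
    """The voter's step: add the shares digit by digit mod 10, no carries."""
    width = len(shares[0])
    if any(len(s) != width for s in shares):
        raise ValueError("shares must have equal length")
    return "".join(str(sum(int(s[i]) for s in shares) % 10)
                   for i in range(width))


def existential_honesty(m, blocks, t):
    """True iff every t-subset of servers {1..m} leaves some block untouched.
    Checking subsets of size exactly t suffices: a smaller coalition lies
    inside some t-set and therefore touches no more blocks than it does."""
    blocks = [frozenset(b) for b in blocks]
    return all(any(b.isdisjoint(c) for b in blocks)
               for c in itertools.combinations(range(1, m + 1), t))


def max_exposed_shares(paths, m, t):
    """One share travels per path (a path is the set of server ids it crosses).
    A passive coalition reads a share iff it owns a server on that path.
    Return the most shares any t-coalition can read."""
    paths = [frozenset(p) for p in paths]
    return max(sum(1 for p in paths if not p.isdisjoint(c))
               for c in itertools.combinations(range(1, m + 1), t))


def privacy_against_t(paths, m, t):
    """Privacy holds iff no t-coalition sees every share: the code must be
    spread over more paths than the coalition can touch, and the paths must
    be server-disjoint for that to be true."""
    return max_exposed_shares(paths, m, t) < len(paths)


if __name__ == "__main__":
    t, m = 1, 4
    disjoint = [{1, 2}, {3, 4}]      # constructed toy (4, 2, 1)-verifier set system
    overlapping = [{1, 2}, {2, 3}]   # server 2 sits on both paths: not a verifier system
    shares = share_code("4711", t + 1)   # constructed sample code
    print("shares:", shares, "->", reconstruct_code(shares))
    print("existential honesty, disjoint:", existential_honesty(m, disjoint, t))
    print("existential honesty, overlapping:", existential_honesty(3, overlapping, t))
    print("privacy on disjoint paths:", privacy_against_t(disjoint, m, t))
    print("privacy on overlapping paths:", privacy_against_t(overlapping, 3, t))
```

The overlapping case is the failure mode a deployment must rule out: with one corrupt server on two paths, a single insider reads both shares and the unconditional privacy argument collapses, which is exactly why the summary's t + 1 paths have to be node-disjoint.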
Security analysis proves that, under the assumption of at most t corrupted MIX servers and t + 1 node‑disjoint paths, any coalition of t parties cannot determine the sender of a message (perfect anonymity) nor learn its content (perfect privacy). The protocol also guarantees perfect reliability: every share sent by the authority is received with probability 1, because the MIX network is designed to be t‑reliable and a passive adversary neither drops nor modifies shares. The authors explicitly limit their threat model to passive adversaries; active attacks such as message tampering, replay, or denial‑of‑service are left for future work.
Practical considerations are discussed. The scheme requires voters to possess multiple devices or at least multiple network interfaces, which may be feasible in many developed regions but could be a barrier in low‑resource settings. Human error, while low, is non‑zero; the paper does not embed error‑correction codes to mitigate occasional mis‑additions. The need for private channels between MIX blocks is assumed but not concretely instantiated, leaving implementation details open.
In summary, the paper makes a significant conceptual contribution by removing the mail‑trust assumption from code voting and replacing it with an information‑theoretic MIX combined with a human‑operated PSMT layer. It demonstrates how set‑system combinatorics can yield unconditional security against t‑bounded insiders, and how simple modular arithmetic can be leveraged for secure human interaction. Future extensions should address active adversaries, incorporate robust error‑correction, and provide concrete deployment architectures to make the scheme practical for real‑world elections.