HIVE Verifiable Voting Schema — Technical Briefing  ·  Patent Pending — HC-2026-VVS-001  ·  For Election Authorities, CISA, and State AGs
HIVE Verifiable Voting Schema · HVVS

Six proofs.
One verifiable election.

Cryptographic election infrastructure that proves every ballot was counted, no one voted twice, and no one can discover how any individual voted — without trusting the software vendor, the government IT system, or anyone.

Patent Pending — HC-2026-VVS-001 — Filed 2026-06-03
What the system proves

Six guarantees. Each cryptographically binding.

These are not policy claims or procedural assurances. Each of the six is a mathematical proof, independently verifiable by anyone.

PROOF 01
This voter is eligible
Zero-knowledge proof of valid credential, issued by the Election Authority, without revealing the voter's identity to any vote-processing system.
ZK Eligibility Proof HiveVoterCredential ML-DSA-65
PROOF 02
This voter voted exactly once
A nullifier hash — H(nullifier_secret || election_id) — is unique to this voter for this election, and is rejected on any duplicate submission. Unlinkable to identity.
Nullifier Registry HiveAnonymousVoteToken Double-Vote Prevention
PROOF 03
This ballot was counted
Merkle inclusion proof: every voter receives a path from their ballot commitment to the published root. The root is anchored on Base. Any third party can verify inclusion.
Merkle Inclusion HAHS Receipt Base Anchor
PROOF 04
This ballot was not altered
ML-KEM-768 encrypted ballot commitment, signed at submission time with ML-DSA-65. The HAHS receipt captures the exact state of the ballot before processing begins. Any tampering breaks the signature chain.
ML-KEM-768 ML-DSA-65 HiveBallotCommitment
PROOF 05
The final tally is correct
HiveElectionTally includes a ZK tally proof demonstrating the announced result is mathematically derived from the complete set of committed ballots — without decrypting any individual vote.
ZK Tally Proof HiveElectionTally ML-DSA-65 signed
PROOF 06
No one can discover how any individual voted
Identity is verified at credential issuance. Identity is hidden at vote casting. The structural design makes it impossible for a voter to prove to a third party how they voted — coercion resistance is cryptographic, not procedural.
ZK Anonymity Coercion Resistance Unlinkable Credential
Architecture

Six layers. No trusted intermediary required.

Each layer is independently verifiable. Remove any single party and the audit still holds.

L1
Eligibility Credential Issuance
HiveVoterCredential
Election Authority issues a post-quantum signed credential containing voter_id_hash, jurisdiction_hash, election_id, and nullifier_secret_commitment. Identity verified once at issuance. Never transmitted again.
LIVE
L2
Anonymous Vote Token Generation
HiveAnonymousVoteToken
Voter locally generates a ZK eligibility proof and nullifier_hash. The nullifier identifies this voter for this election without linking to any identity field in the credential.
LIVE
L3
Ballot Commitment
HiveBallotCommitment
Voter locally constructs an ML-KEM-768 encrypted ballot with a ZK proof that the ballot choice is within valid options. Encrypted to Election Authority public key. Commitment hash generated before any network transmission.
LIVE
L4
HAHS Attestation Receipt
Hash-Anchored Hash Signature — 7ms
Upon submission, HIVE generates a receipt within 7ms: dual-signed Ed25519 + ML-DSA-65, containing ballot_commitment_hash, nullifier_hash, zk_proof_hash, device attestation (secure enclave), and Base blockchain anchor with merkle_root + tx_hash. The receipt is the record. It exists before any decision is made.
LIVE
L5
Public Election Ledger
Append-Only Merkle Bulletin Board · Base Anchored
All ballot commitments, nullifier hashes, and Merkle roots published publicly. Any independent verifier can confirm: every ballot has a valid ZK proof, every nullifier appears once, every ballot is included in the tally computation. No trusted authority required for this verification.
LIVE
L6
Tally Verification
HiveElectionTally — ZK Tally Proof
ZK tally proof mathematically demonstrates that the announced result is derived from the complete set of committed ballots. No individual ballot is decrypted. Signed ML-DSA-65. Any auditor can verify the tally without access to any vote.
LIVE
The Receipt

What a HAHS Election Receipt looks like

Generated in 7ms. Signed twice. Anchored on-chain. The voter receives a Merkle inclusion path — not the full receipt — so they can verify inclusion without proving how they voted.

HAHS ELECTION RECEIPT · v1.0
event_type vote.cast
election_id US-2026-11-03-GE
ballot_commitment_hash 0x4a9f…8c2d
nullifier_hash 0x8b1e…f740
zk_proof_hash 0x2c7d…a391
device_attestation secure_enclave · verified
ed25519_sig e5f2…c9a1
ml_dsa_65_sig FIPS 204 · post-quantum
base_anchor.tx_hash 0x9d3f…5b22
base_anchor.block 24,891,044
merkle_root 0x7a6c…d8f3
receipt_timestamp 2026-11-03T08:14:22.381Z
generation_latency 6.8ms
Why does the receipt contain no vote?
The ballot is ML-KEM-768 encrypted before the receipt is generated. The receipt attests that a valid, cryptographically committed ballot was submitted — not what was inside it. The vote remains encrypted until tally.
Why does ML-DSA-65 matter for elections?
Election outcomes are litigated for years, sometimes decades. A quantum-capable adversary in 2035 could break Ed25519-only signatures retroactively. ML-DSA-65 (NIST FIPS 204) is secure against quantum adversaries. Receipts signed today remain legally binding in 2040.
What does the voter get?
The voter receives: ballot_commitment_hash, Merkle inclusion path, and public ledger URL. They can verify their ballot is included. They cannot prove to anyone else how they voted — coercion resistance is structural, not a policy.
What is HIVE Verifiable Voting not?
Not blockchain voting. The blockchain is a public timestamped bulletin board only. HIVE is a verifiable election trust layer — the cryptographic substrate that existing election systems can anchor into.
Trust Model

Who sees what. Who can prove what. Who cannot.

The core design property: no single party has enough information to compromise both anonymity and integrity simultaneously.

Party Sees Cannot See Can Verify
Election Authority Eligibility list, credentials issued How any voter voted. Which nullifier belongs to which voter. Total eligible voters
HIVE Attestation Layer Ballot commitment hash, nullifier hash, ZK proof hashes Vote content. Voter identity. Which nullifier belongs to whom. Proof validity, non-duplication
Voter Own ballot commitment hash, own Merkle inclusion path How anyone else voted. Tally before official announcement. Own ballot included in tally
Independent Verifier Public ledger: all commitments, nullifiers, ZK proofs, Merkle roots, tally proof Any individual vote. Any voter identity. Every ballot valid · every nullifier unique · tally correct
Coercer Voter's commitment hash (if disclosed) How the voter voted. Cannot force voter to prove vote choice. Structurally blocked by ZK design
Acknowledged Limitations

What the cryptography does not solve.

Any honest technical briefing names the remaining hard problems. These are known. They are addressed at the policy and implementation layer, not the cryptographic layer.

Remaining Hard Problems

Acknowledged openly — cryptography does not eliminate these
For Election Authorities · CISA · State AGs

Request the technical briefing

HVVS is available for pilot engagement with election authorities, CISA, and state-level partners. The provisional patent has been filed. The cryptographic architecture is complete.

Request Briefing Hive Infrastructure Overview
Patent Pending — HC-2026-VVS-001 · Filed 2026-06-03