Confidential, Distributed
Aggregation for Voting
Robert Riemann with supervision of Stéphane Grumbach
Do you have confidence in Postal Voting?
| Yes | No | Don't tell | |
|---|---|---|---|
| # of votes | 34 | 17 | 12 |
Result:
The Voting Protocol shall provide legitimacy for the voting outcome.
Security Voting
Protocol Properties
secrecy
eligibility
correctness
verifiability
System-wide Voting Protocol Properties
robustness (resilience)
convenience (mobility)
scalability
Further protocol properties:
coercion-resistance, proof of participation, support for write-ins, etc.
1
2
- Badge Reader
- Buttons in black hole
Computer-Assisted Voting by Show of Hands
Implements:
- correctness
- verifiability
- eligibility
Lacks:
- secrecy
Online Voting Today
- PKI to identify eligible voter
- voter encrypts and signs own vote
- encrypted votes are gather by voting server
- to ensure secrecy:
- Mix-Networks destroy link between vote and voter
- Homomorphic encryption allows aggregation of encrypted votes
- decryption of aggregates votes
- verification with Zero-knowledge-Proofs
Issues of Today’s Online Voting Protocols
- need trusted experts to witness protocol properties
- crypto unproven
- centralisation of knowledge / single point of failure
- rely on procedure compliance of voting officials
- early decryption of single votes
However, Online Voting used in:
Estonia, Australia, Brazil, India
Promises of Distributed Online Voting
- balance of knowledge among all voters
- limited impact of data breaches
- balance of power (equipotent voters)
- no single point of failure
- interruption-resistant
- balance of trust (no voting officials)
Distributed Online Voting: ADVOKAT
Concepts
Tree Overlay
(Peers = Leafs)
Aggregation Algebra
Aggregation Algorithm
Aggregation
Aggregation Algebra
\oplus: \mathbb{A}\times\mathbb{A} \mapsto \mathbb{A}
Two child aggregates are aggregated to a parent aggregate.
Aggregation Operator must be:
- commutative
- associative
For plurality voting, an aggregate corresponds to the set of casted votes and the operation is the union of sets.
Tree Overlay Network
based on the Kademlia DHT
Maymounkov, P., & Mazieres, D. (2002). Kademlia: A peer-to-peer information system based on the xor metric
Tree for:
- finding peers
- guiding aggregation
peer
Aggregation Algorithm
- peers connect (with a Tracker) to the DHT with KID
- peers update their k-Buckets with peers in sibling subtrees
- peers request intermediate aggregates of sibling subtrees
to compute aggregate of common parent node
x_i
L & R is the sum of inverse aggregate size of all sent & received aggregates of each peer.
Robust Aggregation I
Eligibility:
- peers create key pair
- authorization token (blind signature on )
- KID hence determined by peer and authority
Verifiability:
- aggregates are embedded in aggregate container with
meta-data: hashes of child aggregate containers - chain of hashes ensures immutability of descendant aggregates
(pk_i,sk_i)
x_i = \text{sha3}(t_i)
t_i
pk_i
Robust Aggregation
Correctness and Completeness (probabilistic):
- signatures on aggregate container express consensus
- redundantant requests; find majority consens
- ban of Byzantine peers signing conflicting containers
Protocol Outlook
Scalability
- measure and reduce #
of exchanged messages - distributed tracker
Dishonest Peers
Colluding
- analyse limits of
potential manipulations
Applications
- distributed lottery
- distributed auction
Peer Churn
- deal with efficient updates
- use case: peers partially offline
ADVOKAT for Distributed Aggregation for Voting Applications
By Robert Riemann
ADVOKAT for Distributed Aggregation for Voting Applications
Introduction to a distributed online aggregation protocol ADVOKAT
