Confidential, Distributed
Aggregation for Voting

Robert Riemann with supervision of Stéphane Grumbach

Do you have confidence in Postal Voting?

Yes No Don't tell
# of votes 34 17 12

Result:

The Voting Protocol shall provide legitimacy for the voting outcome.

Security Voting
Protocol Properties

secrecy

eligibility

correctness

verifiability

System-wide Voting Protocol Properties

robustness (resilience)

convenience (mobility)

scalability

Further protocol properties:
coercion-resistance, proof of participation, support for write-ins, etc.

1

2

  1. Badge Reader
  2. Buttons in black hole

Computer-Assisted Voting by Show of Hands

Implements:

  • correctness
  • verifiability
  • eligibility

Lacks:

  • secrecy

Online Voting Today

  • PKI to identify eligible voter
  • voter encrypts and signs own vote
  • encrypted votes are gather by voting server
  • to ensure secrecy:
    • Mix-Networks destroy link between vote and voter
    • Homomorphic encryption allows aggregation of encrypted votes
  • decryption of aggregates votes
  • verification with Zero-knowledge-Proofs

Issues of Today’s Online Voting Protocols

  • need trusted experts to witness protocol properties
  • crypto unproven
  • centralisation of knowledge / single point of failure
  • rely on procedure compliance of voting officials
    • early decryption of single votes

However, Online Voting used in:

Estonia, Australia, Brazil, India

Promises of Distributed Online Voting

  • balance of knowledge among all voters
    • limited impact of data breaches
  • balance of power (equipotent voters)
    • no single point of failure
    • interruption-resistant
  • balance of trust (no voting officials)

Distributed Online Voting: ADVOKAT

Concepts

Tree Overlay
(Peers = Leafs)

Aggregation Algebra

Aggregation Algorithm

Aggregation

Aggregation Algebra

\oplus: \mathbb{A}\times\mathbb{A} \mapsto \mathbb{A}
:A×AA\oplus: \mathbb{A}\times\mathbb{A} \mapsto \mathbb{A}

Two child aggregates are aggregated to a parent aggregate.

Aggregation Operator must be:

  • commutative
  • associative

For plurality voting, an aggregate corresponds to the set of casted votes and the operation is the union of sets.

Tree Overlay Network

based on the Kademlia DHT

image/svg+xml

Tree for:

  • finding peers
  • guiding aggregation

Kademlia used in:

  • BitTorrent Tracker
  • IPFS file system
  • Storj cloud storage

peer

Aggregation Algorithm

  1. peers connect (with a Tracker) to the DHT with KID
  2. peers update their k-Buckets with peers in sibling subtrees
  3. peers request intermediate aggregates of sibling subtrees
    to compute aggregate of common parent node
x_i
xix_i

L & R is the sum of inverse aggregate size of all sent & received aggregates of each peer.

Robust Aggregation I

Eligibility:

  • peers create key pair
  • authorization token       (blind signature on        )
  • KID                           hence determined by peer and authority

Verifiability:

  • aggregates are embedded in aggregate container with
    meta-data: hashes of child aggregate containers
  • chain of hashes ensures immutability of descendant aggregates
(pk_i,sk_i)
(pki,ski)(pk_i,sk_i)
x_i = \text{sha3}(t_i)
xi=sha3(ti)x_i = \text{sha3}(t_i)
t_i
tit_i
pk_i
pkipk_i

Robust Aggregation 

Correctness and Completeness (probabilistic):

  • signatures on aggregate container express consensus
  • redundantant requests; find majority consens
  • ban of Byzantine peers signing conflicting containers

Protocol Outlook

Scalability

  • measure and reduce #
    of exchanged messages
  • distributed tracker

Dishonest Peers

Colluding

  • analyse limits of
    potential manipulations 

Applications

  • distributed lottery
  • distributed auction

Peer Churn

  • deal with efficient updates
  • use case: peers partially offline 
Made with Slides.com