Aggregation for Voting

Robert Riemann with supervision of Stéphane Grumbach

Yes | No | Don't tell | |
---|---|---|---|

# of votes | 34 | 17 | 12 |

The Voting Protocol shall provide legitimacy for the voting outcome.

Protocol Properties

Further protocol properties:

coercion-resistance, proof of participation, support for write-ins, etc.

- Badge Reader
- Buttons in black hole

Implements:

- correctness
- verifiability
- eligibility

Lacks:

- secrecy

- PKI to identify eligible voter
- voter encrypts and signs own vote
- encrypted votes are gather by voting server
- to ensure secrecy:
- Mix-Networks destroy link between vote and voter
- Homomorphic encryption allows aggregation of encrypted votes

- decryption of aggregates votes
- verification with Zero-knowledge-Proofs

- need trusted experts to witness protocol properties
- crypto unproven
- centralisation of knowledge / single point of failure
- rely on procedure compliance of voting officials
- early decryption of single votes

However, Online Voting used in:

Estonia, Australia, Brazil, India

- balance of knowledge among all voters
- limited impact of data breaches

- balance of power (equipotent voters)
- no single point of failure
- interruption-resistant

- balance of trust (no voting officials)

Tree Overlay

(Peers = Leafs)

Aggregation Algebra

Aggregation Algorithm

\oplus: \mathbb{A}\times\mathbb{A} \mapsto \mathbb{A}

$\oplus: \mathbb{A}\times\mathbb{A} \mapsto \mathbb{A}$

Two *child aggregates* are aggregated to a *parent aggregate*.

Aggregation Operator must be:

- commutative
- associative

For plurality voting, an aggregate corresponds to the set of casted votes and the operation is the union of sets.

Maymounkov, P., & Mazieres, D. (2002). Kademlia: A peer-to-peer information system based on the xor metric

Tree for:

- finding peers
- guiding aggregation

peer

- peers connect (with a Tracker) to the DHT with KID
- peers update their
*k*-Buckets with peers in sibling subtrees - peers request intermediate aggregates of sibling subtrees

to compute aggregate of common parent node

x_i

$x_i$

*L** *& *R* is the sum of inverse aggregate size of all sent & received aggregates of each peer.

Eligibility:

- peers create key pair
- authorization token (blind signature on )
- KID hence determined by peer and authority

Verifiability:

- aggregates are embedded in
*aggregate container*with

meta-data: hashes of child aggregate containers - chain of hashes ensures immutability of descendant aggregates

(pk_i,sk_i)

$(pk_i,sk_i)$

x_i = \text{sha3}(t_i)

$x_i = \text{sha3}(t_i)$

t_i

$t_i$

pk_i

$pk_i$

Correctness and Completeness (probabilistic):

- signatures on aggregate container express consensus
- redundantant requests; find majority consens
- ban of Byzantine peers signing conflicting containers

- measure and reduce #

of exchanged messages - distributed tracker

- analyse limits of

potential manipulations

- distributed lottery
- distributed auction

- deal with efficient updates
- use case: peers partially offline