Confidential, Distributed
Aggregation for Voting

Robert Riemann with supervision of Stéphane Grumbach

Do you have confidence in Postal Voting?

Yes No Don't tell
# of votes 34 17 12

Result:

The Voting Protocol shall provide legitimacy for the voting outcome.

Security Voting
Protocol Properties

secrecy

eligibility

correctness

verifiability

System-wide Voting Protocol Properties

robustness (resilience)

convenience (mobility)

scalability

Further protocol properties:
coercion-resistance, proof of participation, support for write-ins, etc.

1

2

  1. Badge Reader
  2. Buttons in black hole

Computer-Assisted Voting by Show of Hands

Implements:

  • correctness
  • verifiability
  • eligibility

Lacks:

  • secrecy

Online Voting Today

  • PKI to identify eligible voter
  • voter encrypts and signs own vote
  • encrypted votes are gather by voting server
  • to ensure secrecy:
    • Mix-Networks destroy link between vote and voter
    • Homomorphic encryption allows aggregation of encrypted votes
  • decryption of aggregates votes
  • verification with Zero-knowledge-Proofs

Issues of Today’s Online Voting Protocols

  • need trusted experts to witness protocol properties
  • crypto unproven
  • centralisation of knowledge / single point of failure
  • rely on procedure compliance of voting officials
    • early decryption of single votes

However, Online Voting used in:

Estonia, Australia, Brazil, India

Promises of Distributed Online Voting

  • balance of knowledge among all voters
    • limited impact of data breaches
  • balance of power (equipotent voters)
    • no single point of failure
    • interruption-resistant
  • balance of trust (no voting officials)

Distributed Online Voting: ADVOKAT

Concepts

Tree Overlay
(Peers = Leafs)

Aggregation Algebra

Aggregation Algorithm

Aggregation

Aggregation Algebra

\oplus: \mathbb{A}\times\mathbb{A} \mapsto \mathbb{A}
:A×AA\oplus: \mathbb{A}\times\mathbb{A} \mapsto \mathbb{A}

Two child aggregates are aggregated to a parent aggregate.

Aggregation Operator must be:

  • commutative
  • associative

For plurality voting, an aggregate corresponds to the set of casted votes and the operation is the union of sets.

Tree Overlay Network

based on the Kademlia DHT

Maymounkov, P., & Mazieres, D. (2002). Kademlia: A peer-to-peer information system based on the xor metric

image/svg+xml

Tree for:

  • finding peers
  • guiding aggregation

Kademlia used in:

  • BitTorrent Tracker
  • IPFS file system
  • Storj cloud storage

peer

Aggregation Algorithm

  1. peers connect (with a Tracker) to the DHT with KID
  2. peers update their k-Buckets with peers in sibling subtrees
  3. peers request intermediate aggregates of sibling subtrees
    to compute aggregate of common parent node
x_i
xix_i

L & R is the sum of inverse aggregate size of all sent & received aggregates of each peer.

Robust Aggregation I

Eligibility:

  • peers create key pair
  • authorization token       (blind signature on        )
  • KID                           hence determined by peer and authority

Verifiability:

  • aggregates are embedded in aggregate container with
    meta-data: hashes of child aggregate containers
  • chain of hashes ensures immutability of descendant aggregates
(pk_i,sk_i)
(pki,ski)(pk_i,sk_i)
x_i = \text{sha3}(t_i)
xi=sha3(ti)x_i = \text{sha3}(t_i)
t_i
tit_i
pk_i
pkipk_i

Robust Aggregation 

Correctness and Completeness (probabilistic):

  • signatures on aggregate container express consensus
  • redundantant requests; find majority consens
  • ban of Byzantine peers signing conflicting containers

Protocol Outlook

Scalability

  • measure and reduce #
    of exchanged messages
  • distributed tracker

Dishonest Peers

Colluding

  • analyse limits of
    potential manipulations 

Applications

  • distributed lottery
  • distributed auction

Peer Churn

  • deal with efficient updates
  • use case: peers partially offline 
Made with Slides.com