Some communities may wish to nudge their members to vote, providing benefits for those who have already cast a vote or punishing those who ignore democratic decision-making. In ordinary e-voting systems, that can be easily achieved through a voter's registry. However, this is not possible for PeaceFounder because voters are completely anonymous when they cast a vote.
One way to address this issue is with a blind signature scheme. The voter takes his identity pseudonym, blinds it with a random factor and includes that in the vote when it is sent to the ballot box. The collector checks that the vote is valid and, if so, signs the blinded group element at the time when the vote is recorded in the ledger. The previous blind signature is used if the voter has already cast a ballot.
The voter then receives an acknowledgement that the vote is permanently recorded in the chain together with the blind signature and timestamp. The voter unblinds the blind signature with its blinding factor and obtains a signature on his identity pseudonym as proof of participation. That can then be safely shown publicly for anyone who wants to see that the person has voted without being linked to the casted vote.
The assumptions for this scheme to work are:
The voter's device is free of malware and does not attempt to sabotage the process
The collector does not issue more blind signatures as necessary
It's hard to imagine what could be the end goal for malware to sabotage the process. For certain, it would make voters immediately aware of an issue of voting, which would raise suspicion for security being compromised of the device and consequently would give a stimulus to be addressed.
The second assumption would be easily found out. Furthermore, as a signature is issued on the identity pseudonym, there are no ways for the adversary to get a practical advantage as one is sufficient. Thus this scheme should be fairly secure for proving participation.
Requirements
Let's list a few properties which are essential when selecting a blind signature to use:
The blind signature can be publically verified to be valid.
Blinded messages can't be linked to unblinded ones, even with the knowledge of the signer's secret key.
A malformed signature which could enable it to be linked to unblinded one could not be made undetected.
It seems that the first property is not satisfied by RSA blind signatures; nevertheless, it perhaps could be addressed using zero-knowledge proof. The second property is critical to satisfy as it can spoil all anonymity gained through braiding.
Implementation
The work has already started as inclusion for timestamp added the possibility to record votes together with other fields. The changed types of supporting the scheme could look as follows:
struct Vote
proposal::Digest
seed::Digest
selection::Selection
seq::Int
approval::Union{Seal, Nothing}
blinded_commitment
end
A blinded commitment is constructed from the voter's identity pseudonym with a hash-like function.
struct CastRecord
vote::Vote
timestamp::DateTime
blind_signature
end
Note that to ensure fairness in property and prevent also disclosing information for revoting, the signature is not published as a receipt, but it is rather a hash calculated as H(vote|blind_signature).
struct CastReceipt
vote::Digest
timestamp::DateTime
blind_signature::Digest # H(vote|blind_signature)
end
When the vote is cast, the blind signature is returned with the CastAck message:
struct CastAck
blind_signature
receipt::CastReceipt
ack::InclusionProof
end
Alternatives
Perhaps, something could be done with accumulators.
Blind signature for proving participation
Some communities may wish to nudge their members to vote, providing benefits for those who have already cast a vote or punishing those who ignore democratic decision-making. In ordinary e-voting systems, that can be easily achieved through a voter's registry. However, this is not possible for PeaceFounder because voters are completely anonymous when they cast a vote.
One way to address this issue is with a blind signature scheme. The voter takes his identity pseudonym, blinds it with a random factor and includes that in the vote when it is sent to the ballot box. The collector checks that the vote is valid and, if so, signs the blinded group element at the time when the vote is recorded in the ledger. The previous blind signature is used if the voter has already cast a ballot.
The voter then receives an acknowledgement that the vote is permanently recorded in the chain together with the blind signature and timestamp. The voter unblinds the blind signature with its blinding factor and obtains a signature on his identity pseudonym as proof of participation. That can then be safely shown publicly for anyone who wants to see that the person has voted without being linked to the casted vote.
The assumptions for this scheme to work are:
It's hard to imagine what could be the end goal for malware to sabotage the process. For certain, it would make voters immediately aware of an issue of voting, which would raise suspicion for security being compromised of the device and consequently would give a stimulus to be addressed.
The second assumption would be easily found out. Furthermore, as a signature is issued on the identity pseudonym, there are no ways for the adversary to get a practical advantage as one is sufficient. Thus this scheme should be fairly secure for proving participation.
Requirements
Let's list a few properties which are essential when selecting a blind signature to use:
It seems that the first property is not satisfied by RSA blind signatures; nevertheless, it perhaps could be addressed using zero-knowledge proof. The second property is critical to satisfy as it can spoil all anonymity gained through braiding.
Implementation
The work has already started as inclusion for timestamp added the possibility to record votes together with other fields. The changed types of supporting the scheme could look as follows:
A blinded commitment is constructed from the voter's identity pseudonym with a hash-like function.
Note that to ensure fairness in property and prevent also disclosing information for revoting, the signature is not published as a receipt, but it is rather a hash calculated as
H(vote|blind_signature).When the vote is cast, the blind signature is returned with the
CastAckmessage:Alternatives