In order to ensure the integrity of elections, it is crucial that independent auditors audit the legitimacy of members. However, the records that support the membership cannot be made public as it would violate the members' right to freedom of association and would also infringe on GDPR. Keeping these records confidential while ensuring they are sufficiently audited can be challenging and may require reducing openness to prevent any possible leaks.
To overcome this dilemma in favour of more openness, a sampling of the electoral roll could be used. A large enough sample size can provide sufficient confidence that a potentially corrupt registrar could not have affected the election result, whereas keeping it small reduces the impact of leaks from the auditors. This lowers the trust barrier and opens the electoral roll auditing for more independent parties.
However, sampling the electoral roll records introduces the following threat vectors:
1. If the auditor is allowed to choose which particular member records they receive, the audit could be used for spying: an adversary could use it to learn the identities of members not yet known to them;
2. If the registrar is allowed to choose which records to provide, it could simply provide those which are authentic and hide the fake members used to affect the results of important votes;
3. A corrupt registrar colluding with a small minority has a further strategy: the same fake credentials can be signed multiple times, so the supporting documents for the sample can be compiled in a way that the signed records would not reveal this kind of abuse.
The solution to the first two issues requires a verifiably random sample. This can be achieved by assigning each member a random number, sorting the roll by it and taking the top of the list. The random number can be generated verifiably with the League of Entropy. The closing time of the vote could be taken as the identifier of the pulse; it is a robust commitment because it is signed by every member who casts a vote on the proposal.
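The sampling step above, as an added example that is not part of the original proposal: the beacon value, the member indices and the HMAC-based ranking are constructed here as assumptions, and signature verification of the League of Entropy pulse is assumed to happen elsewhere. The last function goes slightly beyond the text and shows how to size the sample against a given number of fake members.

```python
import hashlib
import hmac
from math import comb

# Constructed 32-byte beacon output standing in for the League of Entropy (drand)
# pulse whose round is identified by the proposal's closing time. Verifying the
# beacon's signature on the pulse is assumed to happen separately.
BEACON_RANDOMNESS = bytes.fromhex("9c" * 32)   # constructed value, not a real pulse

def member_rank(randomness: bytes, member_index: int) -> bytes:
    """Per-member sort key fixed by the public beacon and the member index, so
    neither the registrar nor the auditor can steer which members are drawn."""
    return hmac.new(randomness, member_index.to_bytes(8, "big"), hashlib.sha256).digest()

def select_sample(randomness: bytes, member_indices: list[int], k: int) -> list[int]:
    """Sort the roll by rank and take the top k, as the text describes."""
    return sorted(member_indices, key=lambda i: member_rank(randomness, i))[:k]

def verify_sample(randomness: bytes, member_indices: list[int], k: int,
                  claimed: list[int]) -> bool:
    """Auditor-side check: the registrar's sample must be exactly the one the
    beacon dictates; a hand-picked sample is rejected."""
    return list(claimed) == select_sample(randomness, member_indices, k)

def miss_probability(roll_size: int, fake_members: int, sample_size: int) -> float:
    """Probability that a uniformly random sample of `sample_size` contains none
    of `fake_members` fake entries in a roll of `roll_size` (hypergeometric).
    Used to pick a sample size at which fraud large enough to change the
    result is almost certainly caught."""
    return comb(roll_size - fake_members, sample_size) / comb(roll_size, sample_size)

if __name__ == "__main__":
    roll = list(range(1, 1001))                      # constructed member indices
    sample = select_sample(BEACON_RANDOMNESS, roll, 100)
    print("sampled members:", sample[:10], "...")
    print("verified:", verify_sample(BEACON_RANDOMNESS, roll, 100, sample))
    print("P(50 fakes all missed by 100 of 1000):", round(miss_probability(1000, 50, 100), 4))
```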
The second ingredient to protect against a corrupt registrar and a conspiring minority is to keep an immutable append-only log of all supporting records for membership certificates. The log must list document hashes (which can be randomised with a secret factor) and the member index for which each is recorded. A hash that fixes the list can be put within the proposal to prevent tampering with it after the vote.
It seems reasonable to embed the document hashes into a history tree. If it were used, proposals could store the current tree root hash, combined with a consistency proof with respect to the previous tree root hash, thus ensuring that new records are only ever appended to the electoral roll ledger. This property also ensures that auditing the legitimacy of the latest proposal automatically legitimises the previous ones.
The electoral roll would need to anticipate that a member may want to terminate their membership and request the removal of associated data. To do so, the electoral roll would have a special PRUNED record which contains hashes of all removed records so that the integrity of the history tree would not be affected.
For auditors to audit the electoral roll, they would need the complete list of record hashes, each entry stating when the record was created and for which member, together with the supporting records of the sampled members. The auditor would then verify the following:
1. All records linked to a sampled membership are provided, unless the member's records were explicitly pruned before the vote started and the membership was terminated accordingly;
2. That the history tree is consistent with the root hash encoded in the proposal;
3. That the member sample is verifiably random according to the provided evidence that the randomness was used correctly;
4. That every provided member record is authentic.
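The append-only log with salted document hashes and PRUNED records, and the first two automated audit steps above, as an added example that is not part of the original proposal. It assumes a hash chain in place of the history tree (the auditor replays the full hash list, which the text says they receive anyway, so a prefix check takes the place of a consistency proof); the Record layout, the reserved member index for PRUNED and the proposal numbering are assumptions.

```python
import hashlib
from dataclasses import dataclass

PRUNED = -1  # member index reserved for the special PRUNED record (assumption)

@dataclass(frozen=True)
class Record:
    member: int          # member index the record supports, or PRUNED
    created: int         # proposal number at which the record was appended
    digest: bytes        # salted document hash; for PRUNED, hash of the removed digests
    removed: tuple = ()  # PRUNED only: the digests being retired

def doc_hash(document: bytes, salt: bytes) -> bytes:
    """Randomised document hash: the secret salt keeps the public hash list
    from being matched against guessed documents."""
    return hashlib.sha256(salt + document).digest()

def pruned_record(created: int, removed: list[bytes]) -> Record:
    removed = tuple(sorted(removed))
    return Record(PRUNED, created, hashlib.sha256(b"".join(removed)).digest(), removed)

def root_hash(log: list[Record]) -> bytes:
    """Hash chain over the log; the root of any prefix commits to that prefix,
    so append-only growth is checked by replaying the full hash list."""
    h = b"\x00" * 32
    for r in log:
        h = hashlib.sha256(h + r.member.to_bytes(8, "big", signed=True)
                           + r.created.to_bytes(8, "big") + r.digest).digest()
    return h

def audit(log, committed_root, prev_root, prev_len, sample, vote_no, supplied):
    """Automated steps 1 and 2: the log must match the root in the proposal and
    extend the previously committed log, and every sampled member's records must
    be supplied unless retired by a PRUNED record before the vote. `supplied`
    maps member index -> list of (document, salt) handed to the auditor."""
    if root_hash(log) != committed_root or root_hash(log[:prev_len]) != prev_root:
        return False
    pruned = set()
    for r in log:
        if r.member == PRUNED:
            if r.digest != hashlib.sha256(b"".join(r.removed)).digest():
                return False             # PRUNED record disagrees with its side data
            if r.created < vote_no:
                pruned.update(r.removed)
    for m in sample:
        expected = {r.digest for r in log if r.member == m} - pruned
        got = {doc_hash(d, s) for d, s in supplied.get(m, [])}
        if got != expected:
            return False                 # withheld, extra or non-matching record
    return True
```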
The first three steps can be automated with a single command, whereas the auditor does the last step manually as before.
The required changes are to add a field electoral_roll::AckConsistency{ElectoralRollState} to the Proposal type and to add the corresponding checks to the proposal. Another required addition is the public key of the League of Entropy, which will be authorised to issue the randomness. On top of that comes the implementation of electoral roll record management and its coupling to proposal creation, so that these parameters are obtained there.
Implementing the proposal adds the assumption that randomness generated by the League of Entropy can be trusted and will be available. The same assumption is needed to implement ballot sharding, which could be explored in the future. In addition, sampling could also be applied to the votes so that they can be provided to the auditors before the cooldown period has ended, while keeping the probability that coercers or bribers learn whether their efforts were effective too small to be worth the attempt.