
Towards secure quadratic voting

Public Choice

Abstract

We provide an overview of some of the security issues involved in securely implementing Lalley and Weyl’s “Quadratic Voting” (Lalley and Weyl, Quadratic voting, 2016), and suggest some possible implementation architectures. Our proposals blend end-to-end verifiable voting methods with anonymous payments. We also consider new refund rules for quadratic voting, such as a “lottery” method.


Notes

  1. While this is an already-existing concept in the secure voting literature, it does not have a widely agreed-upon name. As far as we know, this is the first use of the term “robustness against false accusations” to describe this property.

  2. All expositions of QV of which we are aware focus solely on the two-candidate case. Extending to many candidates may well be possible, but generalizing the analysis of Lalley and Weyl (2016) to many candidates seems possibly non-trivial and the details have not been worked through. In this work, we consider only the better-studied, two-candidate case.

  3. A somewhat similar voting scheme is range voting. In range voting, votes can have different magnitudes; more information on range voting is available at http://rangevoting.org. Unlike QV, however, range voting does not assign a cost per vote (and is mainly considered useful in the many-candidate setting).

  4. Adida, the author of Helios, discourages the use of Helios for high-stakes elections since remote voting using currently available technology is inherently risky in scenarios where strongly adversarial behavior such as coercion and/or vote-buying are likely to occur (Adida 2008).

  5. The voter token should be hard to forge; e.g. it could be a special kind of coin minted specially for this election.

  6. The lock-box should be thought of as a “piggy bank” with a small opening to insert money, from which it is physically impossible to remove money unless the box is unlocked.

  7. The wax block should be embossed with a hard-to-forge pattern specific to this election. Also, note that the wax need not be a monolithic block. For practical purposes, since we assume discrete money, it would likely be more manageable to have wax “coins” in set denominations, e.g. a 1-gram coin, 4-gram coin, 9-gram coin, etc.

  8. In order to ensure that only valid wax blocks can enter the containers, the opening of the container should actually be protected by a box which mechanically checks whether the wax block has the correct embossing, and only drops it into the container if the check is passed.

  9. In fact, the formal security requirement says that two encryptions of the same message must be indistinguishable from two encryptions of totally different messages.

  10. The standard definition of additively homomorphic encryption actually requires that the described property holds for adding up not only two ciphertexts, but any (polynomial) number of ciphertexts. Note that in fact, we need this more general property in order to use additively homomorphic encryption for tallying (more than two) votes.

  11. We remark that in fact, encryption schemes with an even stronger property are known: fully homomorphic encryption schemes allow arbitrary multiplications and additions of ciphertexts, whereas the Boneh et al. (2005) scheme allows arbitrary additions but only one multiplication per ciphertext. However, the known constructions of fully homomorphic encryption are too inefficient to be practical. We suggest the Boneh et al. (2005) scheme since it has the required properties for QV tallying (only one multiplication per ciphertext is needed, for the squaring), and—unlike the fully homomorphic schemes—it is efficient enough for practical use.

  12. The first reference (Fontaine and Galand 2007) is self-designated “for non-specialists”, the next two (Vaikuntanathan 2011; Gentry 2014) are more recent and somewhat more technical surveys written by cryptographers at the forefront of theoretical developments in the field, and the last reference offers a perspective on practically deploying homomorphic encryption.

  13. In the case of handwritten signatures, the latter property is effectively enforced by having the signature physically bound to the document, i.e., on the same piece of paper.

  14. The printing of ballots and receipts could potentially be done by the same printing device.

  15. Note that in QV, there are two candidates to choose between. We represent a vote of magnitude m for candidate 1 by the number m, and we represent a vote of magnitude m for candidate 2 by the number \(-m\).

  16. This requirement is to prevent some subtle coercion attacks which are discussed in Benaloh (2007), which we will not detail here.

  17. If not, she should abort and report the machine as malfunctioning. If Alice is able to compute squares, she should also check that the requested amount of money is indeed the square of the number of votes she decided to cast.

  18. Practically speaking, we would like the Ballot Machines to be kept well-stocked with change so that Alice can be given change if she doesn’t have exactly the right amount. However, opening and closing the lock-box of the machine during the election is a security concern. Hopefully, it would be possible and sufficient to pre-load each machine with an ample stock of change before the election starts, clearly record the amount that was pre-loaded into each machine, and subtract these amounts from the total when the cash is eventually counted.

  19. Note that the receipts for spoilt ballots are not digitally signed by the Ballot Machine, so that Alice cannot claim falsely that a spoilt ballot was the real vote that she cast.

  20. This means that voters can, if they wish, check that their vote is recorded correctly on the bulletin board, by comparing to their paper receipt. Note that the public posting of these encryptions does not compromise ballot secrecy, since without the secret key, no information about the values of the votes is revealed.

  21. It is very important that the proof is zero-knowledge: in particular, seeing the proof does not enable observers to decrypt any ciphertexts other than \(c^*\).

  22. Note that the amount of money may be more than \({\hat{v}}\), if some voters finalized and paid for their votes on the Ballot Machine, but then did not deposit their paper ballots in the Ballot Box, thus disqualifying their vote from being included in the tally. The phenomenon of voters leaving the polling place having only partially completed the voting process is known more generally as the “fleeing voter problem”.

  23. Technically, for this implication to hold, the set of voters that audit needs to be not only sufficiently large, but also random (or at least, unpredictable to an adversary).

  24. We believe that the standard security definition for homomorphic encryption would need further elaboration to accommodate the specific requirements for this system, which we do not detail here. However, we believe that the BGN cryptosystem (Boneh et al. 2005) satisfies the enhanced requirements.

  25. Unless the customer deliberately takes precautions to prevent this, e.g. by withdrawing much more cash than they need for voting. Even if such precautions are taken, however, some information can be inferred about the payment amount (e.g. that it was probably less than or equal to the withdrawn amount). Moreover, we should not expect average users to take such precautions.

  26. Section 4.3 described how to compute the tallies of votes and payments, in the context of STAR-Vote. These tallying methods are equally applicable in the context of Helios.

  27. Certain “paid survey” companies implement a system where survey takers are paid to take surveys. This is a completely different setting from the QV setting, since such companies do not generally provide anonymity for survey takers, and payments are made unilaterally from the survey organizer to the survey takers, and the payment amount is independent of the survey takers’ choices in the survey.

  28. In fact, Zerocash can be implemented as an extension to any cryptocurrency with basic structural resemblance to Bitcoin. Many such currencies exist: they are often collectively referred to as “altcoins”. The popularity of such altcoins is dwarfed by that of Bitcoin.

  29. Zcash: https://z.cash.

  30. From the perspective of practicality: the zero-knowledge proofs required here would be quite simple, so could be performed roughly as efficiently as the Zerocash payment itself (which, as mentioned earlier, is fast enough to be considered for practical deployment, e.g., by startup Zcash).

  31. Tor project for anonymity online: https://www.torproject.org.

  32. I2P anonymous network: https://geti2p.net/.

  33. Private communication with Glen Weyl (2015b).

  34. For randomized refund rules, we believe requiring expected efficiency is sufficient since the QV analysis assumes voters to be risk-neutral, as also confirmed in private communication with Glen Weyl (2015b).

  35. As written, the rule only works when the number of voters is even. We wrote it thus for simplicity, and note that it can straightforwardly be extended to cover the odd case too.

  36. Designing such a voting scheme in detail is tricky, and we do not currently have a detailed design. Some challenges include: (a) even if exchange of cash occurs solely between pairs of voters, it must somehow be ensured that each voter cannot cast more votes than he/she paid for, and (b) the pairings must be chosen randomly, so voters need a way of reliably transferring cash to a specific random stranger. Still, these issues seem like they could be resolved, at least for small-scale local elections where all voters are geographically close and the election can occur within a short time-frame.

  37. Technically, the refund rule as stated only works when n is even. The rule can straightforwardly be modified to support odd n too.
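
An added example, not taken from the paper, illustrating notes 10 and 15: signed votes (m for candidate 1, −m for candidate 2) are encrypted, any number of ciphertexts are combined, and only the final sum is decrypted. It uses textbook Paillier (Paillier 1999) instead of the BGN scheme the paper suggests, so it covers the additive tally only and not the squaring needed for the payment tally; the key size is a toy value and all function names are assumptions of this sketch.

```python
# Toy Paillier tally of signed quadratic-voting ballots (added illustration).
# Swapped-in technique: Paillier, not BGN. Keys are tiny and insecure.
import math
import secrets

def keygen(p=2**31 - 1, q=2**61 - 1):
    """Toy key pair from two fixed Mersenne primes (constructed, insecure)."""
    n = p * q
    lam = math.lcm(p - 1, q - 1)
    mu = pow(lam, -1, n)              # valid because the generator is g = n + 1
    return n, (lam, mu)

def encrypt(n, m):
    """Encrypt a signed vote m; negatives are stored as m mod n (note 15)."""
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1      # fresh randomness per ballot
        if math.gcd(r, n) == 1:
            break
    return (1 + (m % n) * n) * pow(r, n, n2) % n2

def tally(n, ciphertexts):
    """Homomorphically add any number of ciphertexts (note 10)."""
    acc = 1                                   # 1 is a trivial encryption of 0
    for c in ciphertexts:
        acc = acc * c % (n * n)               # multiplying ciphertexts adds votes
    return acc

def decrypt(n, sk, c):
    """Decrypt and map the result back to the signed range (-n/2, n/2]."""
    lam, mu = sk
    x = pow(c, lam, n * n)
    m = (x - 1) // n * mu % n
    return m - n if m > n // 2 else m

def demo():
    n, sk = keygen()
    votes = [3, -2, 5, -1, -4]                # constructed sample ballots
    board = [encrypt(n, v) for v in votes]    # what a bulletin board would show
    return decrypt(n, sk, tally(n, board))    # only the sum is ever decrypted

if __name__ == "__main__":
    print("net tally:", demo())
```

A positive result means candidate 1 wins; the signed decoding is only correct while the absolute value of the true sum stays below n/2.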

References

  • Adida, B. (2008). Helios: Web-based open-audit voting. In Proceedings of the 17th USENIX security symposium, July 28-August 1, 2008, San Jose, CA, USA, pp. 335–348.

  • Aho, A. V. (Ed.) (1987). Proceedings of the 19th annual ACM symposium on theory of computing, 1987, New York, NY. ACM.

  • Andrychowicz, M., Dziembowski, S., Malinowski, D., & Mazurek, L. (2014). Secure multiparty computations on Bitcoin. In Proceedings of the 2014 IEEE Symposium on Security and Privacy, SP ’14, pp. 443–458, Washington, DC, 2014. IEEE Computer Society.

  • Baldimtsi, F., & Lysyanskaya, A. (2013). Anonymous credentials light. In 2013 ACM SIGSAC conference on computer and communications security, CCS’13, Berlin, Germany, November 4-8, pp. 1087–1098.

  • Baudron, O., Fouque, P.-A., Pointcheval, D., Poupard, G., & Stern, J. (2001). Practical multi-candidate election system. In N. Shavit (Ed.), Proceedings of 20th ACM PODC ’01, pp. 274–283. ACM.

  • Belenkiy, M., Chase, M., Kohlweiss, M., & Lysyanskaya, A. (2008). P-signatures and noninteractive anonymous credentials. In Theory of cryptography, fifth theory of cryptography conference, TCC 2008, New York, pp. 356–374.

  • Bell, S., Benaloh, J., Byrne, M. D., Eakin, B., Kortum, P., McBurnett, N., Pereira, O., Stark, P. B., Wallach, D. S., Fisher, G., Montoya, J., Parker, M., & Winn, M. (2013). STAR-Vote: A secure, transparent, auditable, and reliable voting system. In Presented as part of the 2013 electronic voting technology workshop/workshop on trustworthy elections, Berkeley, CA, 2013. USENIX.

  • Ben-Or, M., Goldwasser, S., & Wigderson, A. (1988). Completeness theorems for non-cryptographic fault-tolerant distributed computation. In Proceedings of the twentieth annual ACM symposium on Theory of computing, pp. 1–10. ACM.

  • Ben-Sasson, E., Chiesa, A., Garman, C., Green, M., Miers, I., Tromer, E., & Virza, M. (2014). Zerocash: Decentralized anonymous payments from Bitcoin. In 2014 IEEE symposium on security and privacy, SP 2014, Berkeley, CA, USA, May 18-21, 2014, pp. 459–474.

  • Benaloh, J. (2007). Ballot casting assurance via voter-initiated poll station auditing. In 2007 USENIX/ACCURATE Electronic Voting Technology Workshop, EVT’07, Boston, MA, USA, August 6.

  • Benaloh, J., Rivest, R. L., Ryan, P. Y. A., Stark, P. B., Teague, V., & Vora, P. L. (2015). End-to-end verifiability. CoRR, abs/1504.03778.

  • Boneh, D., Goh, E-J., & Nissim, K. (2005). Evaluating 2-DNF formulas on ciphertexts. In Theory of cryptography, second theory of cryptography conference, TCC 2005, Cambridge, MA, USA, February 10-12, pp. 325–341.

  • Brands, S., Demuynck, L., & Decker, B. De. (2007). A practical system for globally revoking the unlinkable pseudonyms of unknown users. In Information Security and Privacy, 12th Australasian Conference, ACISP 2007, Townsville, Australia, July 2-4, 2007, Proceedings, volume 4586 of Lecture Notes in Computer Science, pp. 400–415.

  • Brands, S., & Légaré, F. (2002). Digital identity management based on digital credentials. In Informatik bewegt: Informatik 2002 - 32. Jahrestagung der Gesellschaft für Informatik e.v. (GI), 30. September - 3.Oktober 2002 in Dortmund, volume 19 of LNI, pp. 120–126.

  • Camenisch, J., & Lysyanskaya, A. (2001). An efficient system for non-transferable anonymous credentials with optional anonymity revocation. In Advances in cryptology - EUROCRYPT 2001, international conference on the theory and application of cryptographic techniques, Innsbruck, Austria, May 6-10, 2001, Proceeding, volume 2045 of Lecture Notes in Computer Science, pp. 93–118.

  • Camenisch, J., & Lysyanskaya, A. (2004). Signature schemes and anonymous credentials from bilinear maps. In Advances in cryptology - CRYPTO 2004, 24th annual international cryptology conference, Santa Barbara, California, USA, August 15-19, 2004, Proceedings, volume 3152 of Lecture Notes in Computer Science, pp. 56–72.

  • Canetti, R. (Ed.) (2008). Theory of cryptography, fifth theory of cryptography conference, TCC 2008, New York, USA, March 19-21, 2008, volume 4948 of Lecture Notes in Computer Science. Springer.

  • Carback, R., Chaum, D., Clark, J., Conway, J., Essex, A., Herrnson, P. S., et al. (2010). Scantegrity II municipal election at Takoma Park: The first E2E binding governmental election with ballot privacy. In I. Goldberg (Ed.), Proceedings USENIX Security 2010. USENIX.

  • Chaum, D., Crépeau, C., & Damgård, I. (1988). Multiparty unconditionally secure protocols. In Proceedings of the twentieth annual ACM symposium on theory of computing, STOC ’88, pp. 11–19, New York, NY. ACM.

  • Damgård, I., Jurik, M., & Nielsen, J. B. (2010). A generalization of Paillier’s public-key system with applications to electronic voting. International Journal of Information Security, 9(6), 371–385.

  • Elgamal, T. (1985). A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31(4), 469–472.


  • Fontaine, C., & Galand, F. (2007). A survey of homomorphic encryption for nonspecialists. EURASIP Journal on Information Security, 15(1–15), 15.

  • Franklin, M. K. (Ed.) (2004). Advances in Cryptology - CRYPTO 2004, 24th Annual International Cryptology Conference, Santa Barbara, California, USA, August 15-19, 2004, Proceedings, volume 3152 of Lecture Notes in Computer Science. Springer.

  • Gentry, C. (2014). Computing on the edge of chaos: Structure and randomness in encrypted computation. IACR Cryptology ePrint Archive, 2014, 610.

  • Goldreich, O., Micali, S., & Wigderson, A. (1987). How to play any mental game or a completeness theorem for protocols with honest majority. In Proceedings of the 19th annual ACM symposium on theory of computing, 1987, New York, pp. 218–229.

  • Grewal, G. S., Ryan, M. D., Chen, L., & Clarkson, M. R. (2015). Du-Vote: Remote electronic voting with untrusted computers. In Proceedings of the 28th IEEE computer security foundations symposium.

  • Hohenberger, S., Myers, S., Pass, R., & Shelat, A. (2015). An overview of ANONIZE: A large-scale anonymous survey system. IEEE Security & Privacy, 13(2), 22–29.

  • Jones, D. W., & Simons, B. (2012). Broken Ballots–Will Your Vote Count? CSLI.

  • Katz, J., & Lindell, Y. (2007). Introduction to Modern Cryptography (Chapman & Hall/Crc Cryptography and Network Security Series). Boca Raton, FL: Chapman & Hall/CRC.


  • Kilian, J. (Ed.) (2005). Theory of cryptography, second theory of cryptography conference, TCC 2005, Cambridge, MA, USA, February 10-12, 2005, Proceedings, volume 3378 of Lecture Notes in Computer Science. Springer.

  • Lalley, S. P., & Weyl, E. G. (2016). Quadratic voting. 2016. Available online at SSRN: http://ssrn.com/abstract=2003531.

  • Martinez, R., & Wagner, D. (Ed.) (2007). 2007 USENIX/ACCURATE electronic voting technology workshop, EVT’07, Boston, MA, USA, August 6, 2007. USENIX Association.

  • Meiklejohn, S., Pomarole, M., Jordan, G., Levchenko, K., McCoy, D., Voelker, G. M., & Savage, S. (2013). A fistful of bitcoins: Characterizing payments among men with no names. In Proceedings of the 2013 internet measurement conference, IMC 2013, Barcelona, Spain, October 23-25, 2013, pp. 127–140.

  • Moore, C., O’Neill, M., O’Sullivan, E., Dorz, Y., & Sunar, B. (2014). Practical homomorphic encryption: A survey. In IEEE international symposium on circuits and systems (ISCAS), 2014, pp. 2792–2795.

  • Nakamoto, S. (2009). Bitcoin: A peer-to-peer electronic cash system. http://bitcoin.org/bitcoin.pdf.

  • Overseas Vote Foundation. The future of voting: End-to-end verifiable internet voting specification and feasibility assessment study. https://www.usvotefoundation.org/news/E2E-VIV-press, 2015.

  • Paillier, P. (1999). Public-key cryptosystems based on composite degree residuosity classes. In Proceedings of the 17th international conference on theory and application of cryptographic techniques, EUROCRYPT’99, pp. 223–238. Berlin: Springer.

  • Papagiannaki, K., Gummadi, P. K., & Partridge, C. (Eds.) (2013). Proceedings of the 2013 internet measurement conference, IMC 2013, Barcelona, Spain, October 23-25, 2013. ACM.

  • Pfitzmann, B. (Ed.) (2001). Advances in Cryptology - EUROCRYPT 2001, international conference on the theory and application of cryptographic techniques, Innsbruck, Austria, May 6-10, 2001, Proceeding, volume 2045 of Lecture Notes in Computer Science. Springer.

  • Pieprzyk, J., Ghodosi, H., & Dawson, (Eds.) (2007). Information security and privacy, 12th Australasian conference, ACISP 2007, Townsville, Australia, July 2-4, 2007, Proceedings, volume 4586 of Lecture Notes in Computer Science. Springer.

  • Popoveniuc, S., & Stanton, J. (2007). Undervote and pattern voting: Vulnerability and a mitigation technique. In 2007 USENIX/ACCURATE electronic voting technology workshop, EVT’07, Boston, August 6, 2007.

  • Ron, D., & Shamir, A. (2013). Quantitative analysis of the full Bitcoin transaction graph. In Financial cryptography and data security–17th international conference, FC 2013, Okinawa, Japan, April 1-5, 2013, Revised Selected Papers, volume 7859 of Lecture Notes in Computer Science, pp. 6–24.

  • Sadeghi, A.-R. (Ed.) (2013). Financial cryptography and data security–17th international conference, FC 2013, Okinawa, Japan, April 1-5, 2013, Revised Selected Papers, volume 7859 of Lecture Notes in Computer Science. Springer.

  • Sadeghi, A.-R., Gligor, V. D., Yung, M. (Eds.) (2013). 2013 ACM SIGSAC conference on computer and communications security, CCS’13, Berlin, Germany, November 4-8, 2013. ACM.

  • Schubert, S. E., Reusch, B., & Jesse, N. (Eds.) (2002). Informatik bewegt: Informatik 2002 - 32. Jahrestagung der Gesellschaft für Informatik e.v. (GI), 30. September - 3.Oktober 2002 in Dortmund, volume 19 of LNI. GI.

  • Shamir, A. (1979). How to share a secret. Communications of the ACM, 22(11), 612–613.


  • Vaikuntanathan, V. (2011). Computing blindfolded: New developments in fully homomorphic encryption. In IEEE 52nd annual symposium on foundations of computer science (FOCS), 2011, pp. 5–16.

  • van Oorschot, P. C. (Ed.) (2008). Proceedings of the 17th USENIX Security Symposium, July 28-August 1, 2008, San Jose, CA. USENIX Association.

  • Weyl, E. G. (2015a). The robustness of quadratic voting. 2015. Available online at SSRN: http://ssrn.com/abstract=2571012.

  • Weyl, E. G. (2015b). Private communication.


Acknowledgements

This work was supported by the Center for Science of Information STC (CSoI), an NSF Science and Technology Center, under grant agreement CCF-0939370. We also received support from the MACS project NSF grant CNS-1413920 and a Simons Investigator Award Agreement dated 2012-06-05.

We would also like to thank Glen Weyl for encouraging us to work on these issues, and for his helpful feedback at many points during this research.

Author information


Corresponding author

Correspondence to Sunoo Park.


Cite this article

Park, S., Rivest, R.L. Towards secure quadratic voting. Public Choice 172, 151–175 (2017). https://doi.org/10.1007/s11127-017-0407-2


  • DOI: https://doi.org/10.1007/s11127-017-0407-2
