Statement Voting

Abstract

The conventional (election) voting systems, e.g., representative democracy, have many limitations and often fail to serve the best interest of the people in a collective decision-making process. To address this issue, the concept of liquid democracy has been emerging as an alternative decision-making model to make better use of “the wisdom of crowds”. However, there is no known cryptographically secure e-voting implementation that supports liquid democracy.

In this work, we propose a new voting concept called statement voting, which can be viewed as a natural extension of the conventional voting approaches. In the statement voting, instead of defining a concrete election candidate, each voter can define a statement in his/her ballot but leave the vote “undefined” during the voting phase. During the tally phase, the (conditional) actions expressed in the statement will be carried out to determine the final vote. We initiate the study of statement voting under the Universal Composability (UC) framework, and propose several construction frameworks together with their instantiations. As an application, we show how statement voting can be used to realize a UC-secure liquid democracy voting system. We remark that our statement voting can be extended to enable more complex voting and generic ledger-based non-interactive multi-party computation. We believe that the statement voting concept opens a door for constructing a new class of e-voting schemes.

A Security Definition for TRE

Definition 3

We say \(\mathsf {TRE}= \{\mathsf {Setup}, \mathsf {Keygen}, \mathsf {Enc}, \mathsf {Dec}, \mathsf {CombinePK}, \mathsf {CombineSK},\) \(\mathsf {ShareDec}, \mathsf {ShareCombine}, \mathsf {ReRand}\}\) is a secure threshold re-randomizable public key encryption if the following properties hold:

• Key combination correctness: If \(\{(\mathtt {pk} _i,\mathtt {sk} _i)\}_{i\in [k]}\) are all valid key pairs,

  \(\mathtt {pk}:=\mathsf {TRE}.\mathsf {CombinePK}(\{\mathtt {pk} _i\}_{i\in [k]})\) and \(\mathtt {sk}:= \mathsf {TRE}.\mathsf {CombineSK}(\{\mathtt {sk} _i\}_{i\in [k]})\), then \((\mathtt {pk},\mathtt {sk})\) is also a valid key pair. For all ciphertext \(c \in \mathcal C _\mathtt {pk} \), where \(\mathcal C _\mathtt {pk} \) is the ciphertext-space defined by \(\mathtt {pk} \), we have

  $$ \mathsf {TRE}.\mathsf {Dec}(\mathtt {sk},c) = \mathsf {TRE}.\mathsf {ShareCombine}(c, \mathsf {TRE}.\mathsf {ShareDec}(\mathtt {sk} _1,c), \ldots , \mathsf {TRE}.\mathsf {ShareDec}(\mathtt {sk} _k,c)) $$

• Ciphertext transformative indistinguishability:

  There exists a \(\textsc {ppt}\) algorithm \(\mathsf {Trans}\) such that if \(\{(\mathtt {pk} _i,\mathtt {sk} _i)\}_{i\in [k]}\) are all valid key pairs, \(\mathtt {pk}:=\mathsf {TRE}.\mathsf {CombinePK}(\{\mathtt {pk} _i\}_{i\in [k]})\) and \(\mathtt {sk}:= \mathsf {TRE}.\mathsf {CombineSK}(\{\mathtt {sk} _i\}_{i\in [k]})\), then for all message m, for any \(j\in [k]\), the following holds.

  $$ \big ( \mathsf {param}, \mathsf {TRE}.\mathsf {Trans}(c,\{\mathtt {sk} _i\}_{i\in [k]\setminus \{j\}})\big ) \; \approx \; \big ( \mathsf {param}, \mathsf {TRE}.\mathsf {Enc}(\mathtt {pk}, m)\big ) $$

• IND-CPA security: We say that a \(\mathsf {TRE}\) scheme achieves indistinguishability under plaintext attacks (IND-CPA) if for any \(\textsc {ppt}\) adversary \(\mathcal A \) the following advantage \(\mathsf {AdvCPA}\) is negligible.

  • \(\underline{\textsc {Experiment}^{\mathsf {CPA}} (1^\lambda )}\)

    1.:

    Run \(\mathsf {param}\leftarrow \mathsf {TRE}.\mathsf {Setup}(1^\lambda )\).

    2.:

    Run \((\mathtt {pk},\mathtt {sk})\leftarrow \mathsf {TRE}.\mathsf {Keygen}(\mathsf {param})\);

    4.:

    \(\mathcal A ( \mathtt {pk})\) outputs \(m_0,m_1\) of equal length;

    5.:

    Pick \(b\leftarrow \big \{0,1\big \}\); Run \(c \leftarrow \mathsf {TRE}.\mathsf {Enc}(\mathtt {pk},m_b)\);

    6.:

    \(\mathcal A (c)\) outputs \(b^*\); It returns 1 if \(b=b^*\); else, returns 0.

  We define the advantage of \(\mathcal A \) as

  $$ \mathsf {AdvCPA}_{\mathcal A}(1^\lambda ) = \left| \mathrm{Pr}[\textsc {Experiment}^{\mathsf {CPA}}(1^\lambda ) = 1] - \frac{1}{2} \right| .$$

• Unlinkability: We say a \(\mathsf {TRE}\) scheme is unlinkable if for any \(\textsc {ppt}\) adversary \(\mathcal A \) the following advantage \(\mathsf {AdvUnlink}\) is negligible.

  • \(\underline{\textsc {Experiment}^{\mathsf {Unlink}}_{} (1^\lambda )}\)

    1.:

    \(\mathcal A \) outputs a set \(\mathcal I_{} \subset \big \{1,\ldots ,k\big \}\) of up to \(k-1\) corrupted indices.

    2.:

    For \(i = [n]\), run \((\overline{\mathtt {pk}}_i,\overline{\mathtt {sk}}_i)\leftarrow \mathsf {TRE}.\mathsf {Keygen}(1^\lambda ;\omega _i)\);

    3.:

    \(\mathcal A ( \big \{\mathtt {pk} _j\big \}_{j\in [k] \setminus \mathcal I_{}} )\) outputs \(c_0,c_1\);

    4.:

    \(b\leftarrow \big \{0,1\big \}\); \(c'\leftarrow \mathsf {TRE}.\mathsf {ReRand}(\mathtt {pk},c_b;\omega )\);

    5.:

    \(\mathcal A (c')\) outputs \(b^*\); It returns 1 if \(b=b^*\); else, returns 0.

  We define the advantage of \(\mathcal A \) as

  $$ \mathsf {AdvUnlink}_{\mathcal A}(1^\lambda ) = \left| \mathrm{Pr}[\textsc {Experiment}^{\mathsf {Unlink}}_{}(1^\lambda ) = 1] - \frac{1}{2} \right| .$$

• Share-simulation indistinguishability: We say \(\mathsf {TRE}\) scheme achieves share-simulation indistinguishability if there exists a \(\textsc {ppt}\) simulator \(\mathsf {SimShareDec} \) such that for all valid key pairs \(\{(\mathtt {pk} _i,\mathtt {sk} _i)\}_{i\in [k]}\), all subsets \(\mathcal I_{} \subsetneq [k]\), all message m, the following two distributions are computationally indistinguishable:

  $$ \big ( \mathsf {param}, c, \mathsf {SimShareDec} (c, m, \{\mu _i\}_{i\in \mathcal I_{}} ) \big ) \approx \big (\mathsf {param}, c , \{\mu _j\}_{j\in [k] \setminus \mathcal I_{}} \big ) $$

  where \(\mathsf {param}\leftarrow \mathsf {TRE}.\mathsf {Setup}(1^\lambda )\), \(c\leftarrow \mathsf {TRE}.\mathsf {Enc}(\mathtt {pk},m)\) and \(\mu _j \leftarrow \mathsf {TRE}.\mathsf {ShareDec}(\mathtt {sk} _j, c)\) for \(j\in [k] \setminus \mathcal I_{} \).