aura-paper's People

Contributors

aaronfeickert

aura-paper's Issues

Ballots can be resubmitted

It appears to be the case that an adversary can resubmit a ballot to the bulletin board. This means the following scenario is possible:

  • A voter submits a ballot while under coercion
  • The voter later submits a revised ballot
  • The coercer resubmits the coerced ballot
  • The coerced ballot is included in the tally

Duplicate ballots should fail verification, which removes this attack vector.

Consider using third-party ballot updating

The DeVoS voting protocol preprint (and perhaps other constructions as well) achieves its form of coercion resistance through the use of a posting authority. At the start of an election, the election authority (who distributes voter keys) signs a null ballot for each voter. During the election, a voter submits its ballot (and any updates to it) to the posting authority, who verifies and caches it.

At the end of predefined epochs throughout the election, if the posting authority has received a valid ballot from a voter, it posts it to the bulletin board. If it has not received a valid ballot from a voter, it generates a re-randomization of the voter's most recent ballot, and posts this to the bulletin board. The intent is for a coercer to be unable to distinguish these cases. To ensure this, ballot signatures are generated using a disjunction proof, which shows that either the ballot is signed by the voter, or that the ballot is a re-randomization of the previous ballot.

This has benefits and drawbacks.

Benefits include:

  • A coercer cannot tell if a previously-coerced voter has updated its ballot.
  • Observers cannot tell if any particular voter has voted or not, nor how many times a voter has updated its ballot.
  • Ballot contents remain private, even when updated by the posting authority.

Drawbacks include:

  • The election authority knows voter keys and can forge ballots.
  • The posting authority knows which voters have voted, and how many times each voter has updated its ballot.
  • The posting authority can censor ballots.
  • If the tally authority is corrupted, it can link individual ballot contents to voters.

A similar approach may work for Aura in a way that meets its primary goal of minimizing trust in authorities.

In this approach, ballot proofs are disjunctive, and show that either:

  • a ballot contains a valid ambiguous signature and linking tag validity assertion; or
  • a ballot is a re-randomization of another given ballot, and is signed by the updater

When a voter submits either its initial ballot or an updated ballot, it uses the former clause of the disjunction. Periodically, the updater examines the bulletin board and issues re-randomized ballots (based on linking tags) using the latter clause of the disjunction. It will likely be very important that this dual-submission approach, where voters still submit ballots directly to the bulletin board, does not leak metadata allowing observers to identify which ballots are likely to be submitted by the updater.

When the election ends, the tallying authorities discard all but the most recent ballot for each linking tag and proceed to tally as before.
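The replay scenario from the first issue, combined with the rule above that tallying keeps only the most recent ballot per linking tag, as an added example that is not code from the Aura paper or its repository. Ballots are opaque constructed byte strings and proof verification is omitted; the class and function names, the tag value and the hash-based duplicate check are assumptions.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class BulletinBoard:
    """Toy append-only board (hypothetical model, not Aura's real data structures)."""
    reject_duplicates: bool
    entries: list = field(default_factory=list)  # (linking_tag, ballot) in posting order
    seen: set = field(default_factory=set)       # digests of every accepted ballot

    def submit(self, linking_tag: str, ballot: bytes) -> bool:
        # Assumption: a duplicate is a byte-identical (tag, ballot) pair, which
        # presumes each ballot has a single valid serialization.
        # Real verification would also check the ballot's signature and proofs.
        digest = hashlib.sha256(linking_tag.encode() + b"\x00" + ballot).digest()
        if self.reject_duplicates and digest in self.seen:
            return False  # duplicate fails verification and is never posted
        self.seen.add(digest)
        self.entries.append((linking_tag, ballot))
        return True

    def ballots_to_tally(self) -> dict:
        # Discard all but the most recent ballot for each linking tag.
        latest = {}
        for tag, ballot in self.entries:
            latest[tag] = ballot
        return latest


def replay_scenario(reject_duplicates: bool):
    """Run the four-step scenario; return (replay accepted?, ballot that gets tallied)."""
    board = BulletinBoard(reject_duplicates)
    tag = "tag-voter-1"                        # constructed linking tag
    coerced = b"constructed-ballot:choice=A"   # submitted under coercion
    revised = b"constructed-ballot:choice=B"   # the voter's later revision
    board.submit(tag, coerced)
    board.submit(tag, revised)
    replay_accepted = board.submit(tag, coerced)  # coercer resubmits the old ballot
    return replay_accepted, board.ballots_to_tally()[tag]


if __name__ == "__main__":
    for flag in (False, True):
        accepted, tallied = replay_scenario(flag)
        print(f"reject_duplicates={flag}: replay accepted={accepted}, tallied={tallied!r}")
```

Without the duplicate check the replayed ballot becomes the most recent entry for its linking tag and displaces the revision; with the check the revision is the one tallied.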
