anonymousvoting icon indicating copy to clipboard operation
anonymousvoting copied to clipboard

Published 20 hours ago verified publisher icon stonecoldpat

Monitoring order of votes breaks anonymity

Open yrdeboer opened this issue 5 years ago • 7 comments

Hi,

I'm not a cryptographer so I must be missing something, please go easy on me.

Anyway, if anyone can do the tally as votes are coming in, then it would be trivial to know what everybody voted, right? The tally after the first vote would already trivially expose the vote of the first voter.

So, what am I missing?

yrdeboer avatar Sep 12 '19 15:09 yrdeboer

Hi @yrdeboer

All votes sent to the smart contract are encrypted (ElGamal) with a ZKP that the vote is well-formed.

So an observer will just seen encrypted blobs hit the blockchain.

The magic trick in the protocol is that, by aggregating all the encrytped votes, it will cancel out all random factors and leave us with g^votes. We just brute force it from that point.

stonecoldpat avatar Sep 18 '19 09:09 stonecoldpat

Hi, thanks for answering, how are you doing? Yes, I think I understand that. You are saying that all votes are encrypted so they cannot be read.

But I also understood that one can do the tally at any point in time. Also after the first vote was cast. So one could look up the historic block in the chain in which that first vote was cast then do the tally. That would reveal the first voter's vote. And then one would look up the second voter's vote and do the tally again. Together with the result of the previous (first) tally, one could figure out this vote as well, etc. etc. ...

yrdeboer avatar Sep 18 '19 11:09 yrdeboer

Oh no!

The limitation of the protocol is that, all votes must be cast, before the tally can be computed. So you need all votes and cannot do that trick to deanonymize them.

On Wed, Sep 18, 2019 at 12:54 PM yrdeboer [email protected] wrote:

Hi, thanks for answering, how are you doing? Yes, I think I understand that. You are saying that once all votes are encrypted.

But I also understood that one can do the tally at any point in time. Also after the first vote was cast. So one could look up the historic block in the chain in which that first vote was cast then do the tally. That would reveal the first voter's vote. And then one would look up the second voter's vote and do the tally again. Together with the result of the previous (first) tally, one could figure out this vote as well, etc. etc. ...

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/stonecoldpat/anonymousvoting/issues/24?email_source=notifications&email_token=ABRG6ASJQICQZ6B66J4WFKTQKIJG5A5CNFSM4IWF6762YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD67ZUPA#issuecomment-532650556, or mute the thread https://github.com/notifications/unsubscribe-auth/ABRG6AQBZQ7EBALEOTHIQKLQKIJG5ANCNFSM4IWF676Q .

stonecoldpat avatar Sep 18 '19 12:09 stonecoldpat

Ah, but wait, you need all votes you say before the tally becomes possible. Is that because the contract will only start the tally once all votes are in or is that because it is cryptographically impossible?

yrdeboer avatar Oct 02 '19 09:10 yrdeboer

For this construction, it's the cryptography that requires all the votes. The tradeoff of not having a tallying authority.

On Wed, 2 Oct 2019, 10:04 yrdeboer, [email protected] wrote:

Ah, but wait, you need all votes you say before the tally becomes possible. Is that because the contract will only start the tally once all votes are in or is that because it is cryptographically impossible?

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/stonecoldpat/anonymousvoting/issues/24?email_source=notifications&email_token=ABRG6AXFXQVGZHGZA3BHUHTQMRPYHA5CNFSM4IWF6762YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEAECJRQ#issuecomment-537404614, or mute the thread https://github.com/notifications/unsubscribe-auth/ABRG6AVIE55QA43AOTHIGA3QMRPYHANCNFSM4IWF676Q .

stonecoldpat avatar Oct 02 '19 09:10 stonecoldpat

That's pretty great actually :+1:

Too bad there is no proof-generator that can run in the browser client-side yet!

yrdeboer avatar Oct 03 '19 11:10 yrdeboer

It should all work client side! 😁 You may need to use an older version of geth. 2016ish

On Thu, 3 Oct 2019, 12:40 yrdeboer, [email protected] wrote:

That's pretty great actually 👍

Too bad there is no proof-generator that can run in the browser client-side yet!

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/stonecoldpat/anonymousvoting/issues/24?email_source=notifications&email_token=ABRG6AXENOPNIGY42XR54ZLQMXK2PA5CNFSM4IWF6762YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEAH5N3Q#issuecomment-537908974, or mute the thread https://github.com/notifications/unsubscribe-auth/ABRG6AQHGYV3NV4YU3WEUZTQMXK2PANCNFSM4IWF676Q .

stonecoldpat avatar Oct 03 '19 11:10 stonecoldpat