Questions:
- Can one implement a secure voting system having all the features described below?
- e.g. without disclosing any individual's vote to the government server (or the third party), preserving all the desired criteria of a ZKP vote, etc.
- Are there any other security issues to consider in this kind of system, and how would you solve them?
Motivation
I would like to have a secure online voting system that
- does not rely on a crypto chip (like the German identity card), which is a huge barrier to deployment because it requires users to have special chip-reading hardware rather than just their ID card, nor similar barriers (e.g. most normal people cannot use self-managed PGP)
- It needs to be usable by normal people, not just hackers or using special client-side software. More advanced functions like verifying a vote may require special software (so long as it could be done by any third party without more information than is publicly disclosed).
- can be decentralized, while preserving public proof that all participants in the decentralized vote are unique humans authorized to vote on that matter (i.e. without having to have a single party collect all the ZKP votes to ensure there is e.g. no double voting)
- does not provably disclose the person's vote to anyone, including the government auth server and any third party service (or client-side software) that they use to enter their vote
- does allow the user to non-provably disclose their preferences to the third party, e.g. so that the third party can provide recommendations for good proxies
"Security"
Preemptively: "secure" here means "at least as secure as current voting methods", including vote by mail, not "perfectly secure against all possible attacks". However, it'd be good if attacks can be mitigated — e.g. if a TOTP ID card is stolen (and thus its signature revoked), it would be good to be able to invalidate that vote without knowing which vote it is.
For the purposes of this question, please don't derail to issues such as general website security, transport security, whether you trust the government to run such an auth server or have unique IDs, whether someone could steal your ID card and learn your password, etc, which are not unique to this issue.
My focus here is on the cryptographic question: can you have a ZKP of a vote, authenticated by a server trusted only to do authentication, without disclosing the vote to any of the intermediaries (etc.), and without requiring client-side crypto (like a cryptochip ID or a user-managed PGP key).
Background
Auth server
Suppose there is a government-operated server which:
- Knows all of your officially registered information (i.e. anything on a driver's license, voter registration, etc)
- Gives you a physical ID card (e.g. your driver's license), with an embedded TOTP display
- the server should be able to revoke the TOTP by simply flagging it, with revocation being an in-person process with your local DMV or similar agency saying your card has been lost/stolen, as well as put a time limit on its authority (i.e. the expiration date of the card)
- Allows you to authenticate to the server using your ID's TOTP + a password
Has an OpenID ish API, which permits third parties to request, and you to selectively authorize, any subset of the following information:
- identification, such as any subset of:
- a requester-unique, human-unique ID (basically, a non-reversible hash that proves to the third party that you are a unique human, but can't be associated with other sites' site-unique IDs)
- sites wanting to correlate information on users would need to use a common requester (much like "single sign on" solutions), or at least a common pseudo-requester (e.g. for distributed votes on a single item, all sites cooperating on it could use a hash of the item being voted on as the 'requester'; for such situations, a site could request both an ID for their own persistent use, and one that's sharable on that issue)
- name(s)
- physical address (or subset thereof, e.g. county, city, or state only)
- a requester-unique, human-unique ID (basically, a non-reversible hash that proves to the third party that you are a unique human, but can't be associated with other sites' site-unique IDs)
- demographic information, such as any subset of:
- gender
- DOB
- age
- hair color
- eye color
- height
- photograph
- legal authority, such as any subset of:
- voting endorsements (e.g. a list of jurisdictions in which you are registered to vote, parties with which you are registered, previous election participation history)
- driving endorsements (e.g. car, motorcycle, truck etc)
- police or government power endorsements (e.g. being a police officer, judge, district attorney, general attorney, etc)
All such responses would also include a (site-specific) hash of the TOTP card used to sign it (for retroactively invalidating authentications made with stolen IDs).
Again, note that you could authorize any subset of this information; e.g. if you want you can only authorize disclosure of a site-unique hash plus voting credentials, which provides the third party with only the bare minimum of "this is a unique human who is authorized to vote in districts XYZ".
- identification, such as any subset of:
Has an API allowing the third party to provide a blob (text or binary, which could also be just a hash) to the government server, and request that you sign it.
When signing the provided blob (which would be displayed by the server), you could again authorize any of the above information to be part of the signature, as well as an optional timestamp.
The signature itself could be use any number of methods.
IMHO the simplest would be a government-managed PGP system, where the government owns a signing key for you associated with a given ID card, can revoke that key, signs that key using the key of the government agent who authenticated you, etc.
The server would then just sign (using either your associated key or its own [if you're not disclosing your identity]) the tuple of (a) the blob plus (b) whatever information you choose to associate with that signing (in a standardized format).
Trust
Assume that this server is trusted only to provide authentication of someone's legal information (or human-uniqueness), and their authorization for government-related issues (e.g. voting power).
You do not necessarily trust this server to know what you may want your users to sign. E.g. it could be used to sign a private contract, by giving the server only a secure hash of the contract; then the user signs the hash, thereby signing the contract, without disclosing the contract to the government and without having to disclose more information than they want to the third party.
ZKP voting
Finally, suppose that you want a zero-knowledge-proof based voting system, in which:
- Everyone knows who participated in the vote (and that they are authorized to participate in it)
- Everyone can verify, in aggregate, that the vote count is correct — or in other words, can prove that each (anonymous) vote comes from a unique member of the public list of participants
- This should work even for votes more complex than simple yes/no with deadline; e.g. ranked choice, percentage allocation among several choices, no deadline, can update/revoke a previously cast vote, etc.
- A specific voter can verify that their own vote was correctly tallied
- Nobody can prove which voter voted which way, even with the voter's cooperation (e.g. because the voter could easily lie about which vote is theirs)
- Liquid democracy style proxies can be given a vote, and can in turn proxy to another proxy. (The proxies' votes are public, but not identified, so this is simply an adjunct system; votes for the proxy can be publicly traced to a vote for a final outcome.)
- Can be operated by distributed services (which need to coordinate only on the topic of the vote and to share the )
I'm open to protocol suggestions other than ZKP per se; what I care about is simply the featureset above, and ZKP (as implemented by e.g. Helios Voting) is the only method I know of that satisfies them.
The problem is that all secure voting methods I've seen rely on client-side crypto (either client-managed PGP or a cryptochip ID), which is not feasible to roll out for use by normal users. I want something that everyone can use, but is still adequately secure.