[crdrost]

To address the inevitable “what is this useful for” questions, my go-to example is cryptographic voting mechanisms.

The idea is that you segment a large integer into a couple of different bins by its bitwise representation. So you have a 60-bit integer and you segment it into four 15-bit bins. You use one of those to randomize what the encrypted versions are going to be, and you use the other three for different vote tallies of three candidates for some office.

You can then hand people three numbers each corresponding to a different candidate, and ask them to commit to one as their vote. Public authorities can then aggregate votes which they cannot actually see, and we don't decrypt until we get to some large enough context where your vote has been anonymized among ten thousand others, and you can check that the random seeds have been properly added, or other such things.

This also allows you to create a big online database where anybody can see their vote was counted, but nobody can figure out who someone else voted for.

There is a slight difficulty in that you cannot see directly what your numbers are actually voting for, so that the machines you are using to vote with need to be able to decrypt a ballot for you and then immediately destroy it, to verify that it was what you thought it was, so that you can trust that your three numbers do not all happen to vote for the same person because if someone tried that on any scale that could affect an election, even if they only poison 1% of ballots in a 500 person district, if everyone burns one to test the system then the fraud gets discovered at least once with 99.3% certainty. But the point is that all of these other issues can be handled “out-of-band” once you protect the important stuff.

[compsciphd]

I'd think there's a simpler way to accomplish what you said above (though in both cases, any voting mechanism that lets the voter verify their vote after the fact also runs into the problem of people complaining about encouraging vote buying).

i.e.

imagine every polling place would output to you (after you voted) a random number in the 128 bit space.

the votes are recorded with this random number. we can verify after polls closed that the voting machine has an appropriate number of votes (i.e. not more or less than people who came through the booths)

all these vote data is aggregated into public record. you can look up after the fact your random number and see that it matched who you voted for. No encryption needed (beyond the technology that goes into making a secure rng)

[crdrost]

Well, no, if you do it cryptographically, at least with the proper mechanism, you can prevent votes from being buyable. In your case, if someone wants to buy your vote, they can ask you to text the number to them before it has appeared as a matter of public record—and if you voted for the Right Person they will pay you. The 128-bit number makes this very hard to forge, whereas to destroy vote-buying you want to make something very easy to forge.

Suppose that you receive a ballot from a machine which tears it down the middle: on the right hand side are bar codes containing the voting numbers; on the left-hand-side are candidates' metadata—names, parties, etc. So from the very moment I hand you the ballot, you can see that there is a connection between these numbers and those names, but as long as I provide a supply of other left-hand-sides in other orders, it becomes very easy for you to fake it when displaying it to someone else. That ease-of-forgery is the key to making it impossible to buy votes.

[compsciphd]

maybe I'm missing something, but I can't see any system that allows me to verify my vote after the fact not enabling a vote buying mechanism.

As I understand it (perhaps incorrectly), the primary thing that makes vote buying financially difficult is the fact that a person's vote can't be verified. how does homomorphic encryption enable me to verify my own vote but prevent anyone else from using the info I'd give them that I'd use myself to verify my vote.

[crdrost]

Just the way I said in the comment you are replying to. Well, actually, I know two ways, that is just one of them.

Let me put it a different way. Let us suppose that you are in New York State in 2016, voting for the US president, and let's ignore the strange things that can happen with write-ins. After a random shuffle your ballot might look like this:

                         | BALLOT #5846
                         |
    1. Hillary Clinton   |  [  ]  [barcode]
       Democratic Party  |
    2. Jill Stein        |  [  ]  [barcode]
       Green Party       |
    3. Gary Johnson      |  [  ]  [barcode]
       Libertarian Party |
    4. Donald Trump      |  [  ]  [barcode]
       Republican Party  |

As this ballot is being presented to you, it is being cut by a sharp blade along that line through the center. So you have these two halves, and you know that they once belonged to the same piece of paper.

The right hand side is scanned and it is what we make public. Everyone can confirm that you voted in this past election, and you punched the third (say) square in your ballot. But we also make it really easy for you to take, outside of the voting booth, any of a number of other left-hand sides in other random permutations. So if you wanted a left-hand side that said "Trump, Johnson, Stein, Clinton" that is easily available for you to take out of the booth.

Now after the election you can keep either or both papers and go to a government-run website and confirm that that right-hand side corresponds to who you voted for, and you can start a political watchdog group to make sure that the homomorphic operations were properly done on all of these peoples' right-hand-sides-of-ballots. But that web site is not saying "Oh hi it's you, you voted for Gary Johnson," it's saying "Oh hi it's you, you voted for the third person on your ballot." You know that the left-hand side you have says that candidate #3 was Gary Johnson, you saw the paper cut with your own eyes. But to everyone else, that left-hand-side is just a piece of paper.

So: we have made it very easy for you to forge any other vote, as far as any other party would be able to verify. Nobody else can confirm the connection between the piece of paper you hold in your hand and the piece of paper that has been scanned and appears in the public database. And since this is very easy to forge it is very valueless as a piece of information for vote-buying purposes.

So that stuff is all really straightforward. The only dodgy thing is, what if I were to hand you a ballot like this where every vote on the right hand side happened to be a bar code for Jill Stein? Since the number is encrypted, that is not something you would otherwise have access to.

And the solution there is burning ballots on-demand. You can make requests to the election authority asking to decrypt a ballot during the election; indeed we print a lot of extra ballots expecting folks to do this and we declare it their civic duty. When you do so, you get to reveal the "true" left-hand-side for a given right-hand-side and confirm that they are the same—but that ballot is thereafter invalidated and cannot participate in the election. As more and more people do this, it becomes more and more costly to do less and less vote-rigging in this way. So you get an implicit assurance that no tampering has happened in the process of getting this ballot to you, if you can trust that your communication pipeline to the decryption authority is secure and they are not compromised. (And if they are compromised there is very little you can do in any case.)

(The other mechanism just has a ballot which is two pieces of paper attached above each other with labels on the one piece of paper and holes that let you punch out the other piece of paper -- you can go online after the election and verify that the hole which was punched was the one you punched, but your ability to get other front-sheets at the voting booth makes it very easy for you to forge a ballot for say your employer where you appear to have publicly voted for their preferred candidate but secretly you voted for another one.)

[compsciphd]

re burning ballots.

If it's possible to burn a ballot (i.e. associate the set of bar codes to actual candidates), shouldn't it be possible to "burn" a ballot after the fact as well?

i.e. we have 4 barcodes, I need a way to associate each barcode with a candidate to burn it, so why couldn't this happen after the fact as well?

I assume homomorphic encryption might help here, I just am missing it.

[crdrost]

Homomorphic encryption does not affect that problem... It's just down to policy. If the decryption authority “stays open” after the election and no longer insists on checking ballots to see if they have already been cast, then yeah, you can abuse the system to decrypt placed ballots.

If the keys are destroyed after a valid election, as one would expect, then there is no possibility for that.

One way to better ensure the keys are destroyed is to use secret-sharing schemes so that multiple parties that are adversaries would have to lie similarly about destroying the keys, then conspire to work together to decrypt ballots after the fact. But I hope you see that this is all chasing social problems that must be solved as a precondition to have fair elections in the first place.

[monocasa]

You open yourself to vote buying and voter cohersion attacks, historically the most common voting fraud mechanism in the states.

[compsciphd]

any verifiable voting mechanism opens oneself up to vote buying.

if I can use homomorphic encryption to verify my vote I can give the same info needed (say this 128 bit number) to someone else.

[monocasa]

Define "verifiable". There are absolutely schemes where I can't verify what my vote was after the fact, but can verify that it was counted.

[compsciphd]

verify that my vote was counted correctly. i.e. that my vote wasn't changed or fraudelently presented to me.

[monocasa]

You can do that with quite a few pen and paper systems today, without being to verify what you voted for after the fact.

[weberc2]

This could allow us to build a universal distributed network of compute resources and a real-time auction system that allows agents to bid for time on. No need to worry that the hardware owners are snooping on your computation. Of course, economics rarely favor distributed networks, and and the "no need to worry" is really just "diminished need to worry", but it's an interesting thought nevertheless.

[jayd16]

So conceptually, I get sent a locked voting box, I slip my vote in, return the box. No one can open the box until the election and nothing is identifiable about the tallies at the end. Ok...

What is stopping me from putting in multiple votes?

Whats stopping someone from checking my single vote difference? (ie, skipping the anonymization through aggregation part)

[crdrost]

1. The box only fits one ballot. This is easier to do with bits than with real boxes, of course. "This is box number 12345" and that number is present also within the homomorphically-encrypted payload and we can confirm that the sum of the box numbers in the public database is the same as the sum of the decrypted box numbers. And of course I can tie you-the-person with the box number that you voted with publicly, to prevent you from sending multiple boxes to be counted.

2. The tallies are added without opening the boxes, so anyone can confirm that computations to add together the tallies for a region were all done properly. But we don't give everyone the ability to decrypt ballots ad-hoc.

The only big question here is about key compromise at the end; that is a matter of properly destroying the decryption key at the end of the decryption of the tallies, so that this key cannot be leaked out to someone to try and decrypt individual votes. There are some options for making this part more robust—open-source software and secret sharing schemes—but I mean there can be very fundamental issues of trust at the highest level and if those issues are sufficiently pervasive then no amount of cryptography can protect the election; you just have a dictator who is prepared to fix it at all costs or so.

[jayd16]

If any such decryption key exists that can decrypt single votes, it's already a failure. Not only can we not trust that it will stay secret, we also must ensure its secret from the vote counter themselves.