|
Right - it seems like at most what you want is a Merkle tree published at the end of the election, with all counted votes (in a coercion-resistant way, using the mechanisms described). Need to order events to support a more complicated protocol? Do a "Merkle linked list" (i.e. a blockchain-ish thing but without a consensus mechanism, like a TPM PCR+audit log combination). Why do you want to use a public blockchain? Well, they try to explain that.... try. "So why is a blockchain better than a special purpose bulletin board? The answer is: setting up a k-of-n system that's actually trusted is hard, and blockchains are the only system that has already solved it, and at scale. Suppose that some government announced that it was making a voting system, and provided a list of 15 local organizations and universities that would be running a special-purpose bulletin board. How would you, as an outside observer, know that the government didn't just choose those 15 organizations from a list of 1000 based on their willingness to secretly collude with an intelligence agency? Public blockchains, on the other hand, have permissionless economic consensus mechanisms (proof of work or proof of stake) that anyone can participate in, and they have an existing diverse and highly incentivized infrastructure of block explorers, exchanges and other watching nodes to constantly verify in real time that nothing bad is going on." "anyone can participate in" is absolutely hilarious in this context. It's true, in the sense that pretty much anybody can buy a few kilograms of gold- if they have the money. Proof of stake is the most obvious here, because it's literally "the more money you have the more power you have"- there's SOME argument that this makes sense when the decisions made by stakers directly relate to the value of Ether, the idea being "rich person won't try to manipulate consensus, because that would make them much less rich" (especially if they actually get slashed). i.e. they have a stake in keeping consensus fair. But doing real-world elections breaks this entirely. Proof of work functions similarly, just indirectly, and also while spewing CO2 into the air and sucking down semiconductor manufacturing capability. Now, a common answer is "well, yes, but we could detect that manipulation happened after the fact, and then re-hold the election or whatever, possibly slashing malicious validators if we can somehow encode that into the protocol at a lower layer". Congratulations, you've figured out why blockchains are useless here. The actual security comes from being able to detect fraud- and a single Merkle root published by the government per election (and signed, so any forks could be immediately detected and proven bad). In other words, you want Certificate Transparency, not Ethereum. CT solves exactly the problem Ethereum tries to solve here, and does it much better, and without the obvious conflict of interest cryptocurrency voting advocates have (that if a government did use, say, Ethereum for elections, it'd drive the price way up, so anybody advocating that who also holds Ether has a bit of a credibility problem right out of the gate!) And this is all predicated on cryptographic voting being a good idea in the first place - in the short term, it's just not. You can verify the protocol, but you can't verify the endpoint- are people going to vote on their own devices? Just wait til the first claims (justified or not) that a major botnet flipped votes undetectably (and coercion-resistance guarantees that it really can be done undetectably). Or maybe on voting machines like we have today? Take a look at what happened to Dominion last cycle- so much for making elections more trustworthy. Paper is actually incredibly useful here, because it doesn't run code and everybody knows it. (You could say "oh this CPU has all its code in mask ROM and the code is formally verified" and maybe I could confirm that, but most people could easily be convinced, understandably, not to trust me). Voting machines that print out your vote on paper that goes into a box, in sight of the voter, where the voter can read their paper- that's brilliant here. Can you attack that? Sure- switch out the boxes when nobody's looking, etc, etc. But if I see, on the screen of my phone, "vote confirmed for Candidate A", for all I know my phone's actually sent to the server that I voted for Candidate B. And coercion-resistance requires that my phone can't ever prove to me that it really did vote for Candidate A - the phone's the actual voter here, not me, I'm not participating in the protocol. I'm just providing my phone some private keys and, on an unrelated note, giving it touchscreen input- nothing ties the two together. This is really important to understand. Your device is the voter in cryptographic schemes like this. You just tell it who to vote for, and trust it when it tells you it voted for them. (There's a workaround here but it has UX problems that seem to make it a non-starter too.) If I see, on paper, that my ballot says "vote for Candidate A"... well, that's what the paper says. If somebody looks at the paper later, they can be pretty sure that's what I saw on the paper, as long as nobody has messed with it in the meantime. And to ensure nobody has messed with it... well, we have hundreds of years of experience figuring that out. This is the key- paper that is later counted (or even only counted randomly to confirm electronic results) binds feedback to the actual voter with the vote. On a phone, network traffic is NOT bound to touchscreen input or display contents, and it can't be without breaking coercion resistance. |
You choose to trust the humans more, which is fine, but applications (or why not) devices with a well defined audit trail that they're doing what they're supposed to do are equally trust worthy (at least for me).