[Aloisius]

Crypto doesn't limit participation, unlike voting.

At some point, one needs determine whether voting transaction 123 by votecoin address 3456 was made by a valid voter and that the voter has only voted once.

So how do you do that? If a central authority does it by say, issuing votecoin addresses to voters or asks voters for their self-generated addresses, then your ballot is no longer secret since they can see exactly who voted for what.

If a voter shares their votecoin address with anyone, then anyone can see how they voted inviting vote buying and pressure schemes.

[didibus]

I think you're restricting your thinking to Bitcoin. The question is, can cryptography methods solve the problem, not can Bitcoin solve it.

I'm not a super expert, but from the little I know, I think it's possible to issue a one time use key that lets you sign a private/public key pair.

So when that public key enter the network with 1 vote and cast it on the distributed ledger, the network can validate the key is signed by the authority.

You know that the authority allowed the key to exist, but not who the key ties back too.

And the user could only sign one key, so they can't create more.

[tadfisher]

> I think it's possible to issue a one time use key that lets you sign a private/public key pair

Keys are just numbers, there's nothing inherent to them that prevents their reuse. These one-time-use schemes rely on out-of-band protocols to honor that they should not be reused, for example by trusting in a central authority to check and reject such keys, which defeats the purpose of using the cryptographic scheme in the first place.

> You know that the authority allowed the key to exist, but not who the key ties back too.

That's not the point of ballot secrecy. Under this scheme, I can be coerced into revealing my vote, because you can't create a control to prevent me from storing the signing key or signed keypair; either of which would suffice for a third party to find the public key on the chain which corresponds to my signing key. If you make these actions entirely remote, so I have no access to key material, then you are trusting the remote authority to issue me a secure keypair that can't be reused.

That said, there's no good reason to issue a keypair or use PKI for this, as there is no encryption happening and there's only one subject (the voter). A cryptographically-signed ID in this case can only be useful to tie votes to voters, which we have established violates the secret-ballot constraint.

[didibus]

With zero-knowledge proofs and a trusted decentralized ledger, you can prevent double-counting and make the vote untraceable back to the voter. You can also guarantee that the voter was authorized to vote as per the authority, but the authority cannot know which specific vote was theirs.

As for coercion, there are really two types: coercing someone into voting a certain way, and coercing them afterward to reveal how they voted.

I don’t think the second one is much of a problem, because you can just delete your keys after using them if you don’t want to be coerced. It might suck if the coercer doesn’t believe you and you really did delete them, but at that point thugs beating you up is kind of its own separate problem. Similar to if they asked you to take a photo or video at the poll booth and if you didn't they might beat you up.

If the coercion is about making you vote a particular way, some schemes let you vote multiple times and only count the last one, so you can just vote again after the coercer leaves.

And even then, I believe some schemes actually make it impossible to show proof of your vote.

Here's two papers that are promising in all those areas for example:

- https://www.semanticscholar.org/paper/zkVoting-%3A-Zero-know...

- https://www.semanticscholar.org/paper/SmartphoneDemocracy%3A...

[tadfisher]

> As for coercion, there are really two types: coercing someone into voting a certain way, and coercing them afterward to reveal how they voted.

These amount to the same thing. The ability to reveal how one votes is what allows them to be coerced.

> It might suck if the coercer doesn’t believe you and you really did delete them, but at that point thugs beating you up is kind of its own separate problem.

The point of the secret ballot requirement is to make potential thugs aware that evidence of how someone voted does not exist. It is this problem that creates the need for the secret ballot requirement.

> If the coercion is about making you vote a particular way, some schemes let you vote multiple times and only count the last one, so you can just vote again after the coercer leaves.

You can do this in the poll booth as well; because the ballots cannot be distinguished, you can fill out a fake ballot and simply avoid depositing it. But being able to vote multiple times in an online election doesn't prevent coercion, because presumably the election has to have a result and voting can no longer occur after a certain time; so the coercer only needs to wait until after the election results are "locked" before requesting proof.

The first paper you link is a marked downgrade from existing voting systems which can achieve ballot secrecy without requiring fake ballots.

The second paper is more fleshed-out from a voting systems standpoint, but it makes a poignant qualification around registration security:

> Network-level anonymity remains vulnerable to timing correlation attacks. An adversary observing network patterns could potentially link registration and voting transactions from the same IP address. Mitigation strategies could include randomized transaction delays, Tor integration for network anonymity, or mixing services at the application layer. However, these additions would significantly complicate the user experience and mobile deployment.

And this is what makes electronic voting so hard to recommend even as a computer scientist. I think folks don't truly understand the breadth of side channels we create when we take a physical process (show ID, fill out ballot, drop in box) and move it to the Internet. The side channels are concerning because they can be observed and correlated without getting caught or impeding the process, unlike someone planting cameras or following you into the voting booth.

[didibus]

These do seem like things that could be solved eventually. But really I'd say my take is that you're not putting the same effort, and probably since you have more knowledge of the digital side, have a bias, towards seeing its flaws while not putting the same effort in seeing the flaws in the current process.

Trade offs, that's the known answer to all comp sci problems :p. Here too it applies.