The following text is an open letter from Pau Escrich and the rest of the Vocdoni Team to
"Going from Bad to Worse: From Internet Voting to Blockchain Voting"draft paper published on November 6th, 2020 by The Digital Currency Initiative of MIT Medialab.
Retrieve it here: https://people.csail.mit.edu/rivest/pubs/PSNR20.pdf
Dear Neha, Sunoo, Michael, Ronald,
Vocdoni is a Free and Libre open source project building a digital voting infrastructure that is universally verifiable, decentralized, scalable and anonymous.
This project represents a new paradigm for digital voting as compared to existing solutions which rely solely on a blockchain for vote traceability, employ closed-source software and even operate as a centralized service.
When reading your recent paper , we found that it addresses many of the very important problems and challenges that many e-voting solutions have. We believe, however, that the paper is missing some recent and crucial developments to the field of digital voting, such as those proposed by Vocdoni.
We have designed a decentralized voting platform  that is not only attack-resistant and universally-verifiable but also enables voter anonymity with the use of zk-SNARKs technology. We believe our design would solve some of the most important problems listed in the paper.
Regarding Zero Knowledge, the paper states the following:
First, a digital-only solution does nothing to prevent physical monitoring by coercers or vote buyers. Secondly, zero-knowledge proofs are designed for a setting where the party with secret information wants to keep it secret (that’s why they’re using zero-knowledge proofs) — they generally do not prevent that party from revealing information voluntarily.
At Vocdoni we are working on a series of developments that overcome these concerns.
In its current development stage, our system anonymizes voters' census inclusion proofs which are submitted with their votes. The content of each vote, however, is still publicly available and verifiable. This means the choices on each ballot can be known, but an outsider cannot link this ballot to any individual voter. (It's important to note that, in addition to the vote anonymity, the sense of the vote might be temporarily encrypted with a set of cryptographic keys revealed at the end of the election).
With regards to coercion attacks, our current zk-SNARKs circuit  already reduces the attack surface by leveraging the following methods:
- When an election ends, a set of keys (commit and reveal keys in the circuit schema) is revealed by multiple trusted parties. Using these keys, anyone can generate a valid ZK-proof, which would be indistinguishable from a legitimate voter's proof. This secondary proof could only be used to manipulate an election in the case that all trusted keyholding parties collaborated maliciously.
- During an election, users can replace their vote as many times as they wish.
These measures do not altogether rule out the possibility of an attack; before the election ends, a user could still exhibit their vote to a third party in exchange for a bounty. A buyer would need this user to prove that their vote is associated with a given nullifier on the Vochain. Such a vote-buying system would be complex, but feasible, to scale.
In order to achieve complete anti-coercion while keeping our design principles, we visualize two possile schemes for digital vote anonymity in the not-so-distant future:
As ZK-Rollups become computationally viable, they could also be used to achieve ballot content anonymization.
In this scenario a voter would send their vote to a private network rather than a public Blockchain. A private ZK-Rollup service(s) connected to this network would aggregate user ZK-Proofs and votes, and compute a valid cryptographic proof to verify:
- the list of vote nullifiers
- the election Process identifier
- the census Root Hash
- the results of the vote batch
The ZK-Rollup proof would then be sent to a public ledger containing the batch data. Any voter would be able to validate the inclusion of their vote by querying their own nullifier. The individual ballot's content would never be publicly available, but the result (computed inside the zk-SNARKs circuit) would be verifiable (otherwise the ZK-Proof would be invalid).
More details on the ZK-Rollup proposal can be found here .
Another alternative would be the use of homomorphic encryption on top of zk-SNARKs, anonymizing the vote content in addition to the already anonymized census inclusion proof.
In this scenario, the content of a ballot would be encrypted and directly added to the last currently encrypted result aggregation (without decrypting). Some homomorphic schemas also allow for verification that an encrypted ballot is valid for a set of rules (i.e not larger than N).
These are only small pieces of the paradigm shift we're trying to trigger for digital voting. If you feel engaged by following the discussion with us, we would be delighted to continue the conversation.