Voting anonymization

#1

This Minimal implementation of the MimbleWimble protocol is written in rust.

mimblewimble/grin

mimblewimble/grin

Minimal implementation of the MimbleWimble protocol. - mimblewimble/grin

Thoughts on using it for the anonymization of voting for delegates would be appriciated.

Phoenix1969

#2

Dear Lisk community,

I agree that anonymous voting would be a cool and desirable feature. But I don't think it is feasible for our DPoS blockchain at the moment. Already the much simpler scenario of only a single election, all voters have the same weight and most people have the interest to keep their votes private is a very hard problem (see https://www.coindesk.com/voting-scheme-ethereum-doesnt-give-away-vote for an example of academic research on it).

Our setting is much harder:

  • voters are not indistinguishable, because their vote weight depends on their balance
  • votes are cast all the time and we must calculate the outcome at the end of every round
  • the mechanism must be efficient and allow to compute the outcome in seconds
  • people may have the interest to disclose their votes to receive shared rewards

In particular, it would not be sufficient to just keep votes, but not balances and balance transfers private: Imagine you had a crypto black box that would compute the active delegates with all balances and vote transactions as input. Now I just increase the balance of account X by 100 million LSK and again put the data into the crypto box. If account X voted, the new active delegates are those voted by X because X has more tokens than any other account.

So please understand that the science team does not pursue researching anonymous voting further as this would require a huge amount of research (where the feasibility is completely unclear) and we have a lot of other important tasks to complete. We are of course happy to see a LIP with a complete technical specification that would solve this problem.

#3

Hi all, first of all I want to second everything that @janhack said, but still add some thoughts to this very interesting topic.

Mimblewimble is a privacy variant of the UTXO model (as used by Bitcoin). In contrast to Bitcoin, Mimblewimble does not even have the most simple scripting language. Transactions can only be private and verifyable at the same time because they are incredibly simple (sum(inputs) + sum(outputs) = 0; no output < 0). This is very powerful technology but only in the very specific niche of sending tokens around.

As implicitly mentioned by Jan, there are different aspects of privacy (which are well defined in the academic literature), including:

  • ballot privacy: a voter can keep their vote private if they want to
  • receipt freeness: a voter has no way to prove to someone else how they voted, even if the voter wants to

The second property is crucial if you want to avoid vote buying.

When taking a closer look into this very interesting paper, you see that after casting a vote, the voter can send their private voting key (different from their usual account key) x_i and the vote choice v_i to a vote buyer. The vote buyer can re-compute the vote using public data, x_i and v_i and check if that vote is on-chain. If the on-chain vote matches the agreed choice, the voter gets a reward. Vote sold.

2 Likes