Voting schemes
Now, let’s talk about the content
field.
When designing this solution, we identified some basic characteristics that the system would have, independently of the cryptographic method used.
We discovered that many of the E2E paper proposals and voting systems (Helios, ElectionGuard, AgoraVoting, Belenios among others) that we analysed have several things in common.
Therefore, we decided to split responsibilities between two different components to simplify the development and maintainability and to increase the extensibility. Thus, the bulletin board implements everything explained so far, and acts somehow as a postman: it guarantees that messages (our letters) reach its destination, but it doesn’t know anything about the content of the envelope. Its responsibilities are to provide a secure communications channel and the append-only log store. It also knows about the three phases of the election.
Continuing with the postman analogy, the voting scheme would be the part of the system that understands the content of the messages and that helps authorities, trustees and bulletin board to act based on the received messages. In other words, it takes care of the cryptographic part, to allow voters to cipher votes, trustees to protect the secrecy of the votes and the bulletin board to publish verifiable results.
Following this approach, the first voting scheme that was developed was the Dummy voting scheme. This voting scheme, as its name suggests, was created only for development purposes, as it doesn’t guarantee the secrecy of the vote. It helped us to develop the bulletin board, to check that it’s working properly and to create automated tests to guarantee it still works after changes. As it uses very simple mathematical methods, it allows to manually check that the calculations are right.
After this, we have implemented the ElectionGuard voting scheme. This scheme is based on the project developed by Microsoft. It uses the project’s python code to provide the first secure implementation of a voting scheme. All the details of the implementation of this voting scheme is explained in the next chapter.
Lastly, it’s important to remark that, despite the efforts to keep both parts separated, for security purposes, or just to keep the development as simple as possible, it could be possible to find the bulletin board takes on some responsibilities that should belong to the voting schemes. The idea of this project is to keep advancing in the right direction, and it’s very likely that the development of new voting schemes will help on this aspect.
Messages
Below is the list of the messages supported by the bulletin board, along with an example and a brief explanation for each of them. They reflect the order in which they are supposed to be sent, from the election creation to the results' publication.
Notice that the content
field is omitted, as it depends on the voting scheme implementation.
It contains a string with the information generated by the voting scheme and it’s used by the bulletin board only to generate the content hash related to the message, as explained before.
Election creation
create_election
Message sent by the authority to request the creation of an election.
It specifies the voting scheme and its required parameters, along with the complete definition of the election (metadata, dates, questions & answers).
-
scheme
specifies the desired voting scheme (see Implemented voting schemes for the complete list); -
authority
identifies the authority with its public identification key; -
trustees
contains the trustees with their public identification keys; -
polling_stations
contains the valid polling stations for the in person votes; -
description.contests
is a list of questions for the election;description.contests.number_elected
is the maximum number of answers a voter can select;description.contests.ballot_selections
is a list of references todescription.candidates
, the answers; -
description.candidates
represents the possible answers to the election’s questions.
{
"iat": 1602498171,
"message_id": "decidim-barcelona.1.create_election+a.decidim-barcelona",
"scheme": {
"name": "electionguard",
"params": {
"quorum": 2
}
},
"bulletin-board": {
"name": "metadecidim",
"public_key": "..."
},
"authority": {
"name": "decidim-barcelona",
"public_key": "..."
},
"trustees": [{
"name": "alicia",
"public_key": "..."
},
...
],
"polling_stations": [
"polling_station_1",
"polling_station_2"
],
"description": {
"name": {
"text": [{ "value": "Test election", "language": "en" }]
},
"start_date": "2021-03-01T08:00:00-05:00",
"end_date": "2021-03-01T20:00:00-05:00",
"candidates": [{
"object_id": "question1-yes",
"ballot_name": {
"text": [{ "value": "Yes", "language": "en" }]
}
},
{
"object_id": "question1-no",
"ballot_name": {
"text": [{ "value": "No", "language": "en" }]
}
}
],
"contests": [{
"@type": "ReferendumContest",
"object_id": "question1",
"sequence_order": 0,
"vote_variation": "one_of_m",
"name": "Question 1",
"number_elected": 1,
"minimum_elected": 1,
"ballot_title": {
"text": [{ "value": "Do you agree?", "language": "en" }]
},
"ballot_subtitle": {
"text": [{ "value": "Choose 'Yes' or 'No'", "language": "en" }]
},
"ballot_selections": [{
"object_id": "question1-yes-selection",
"sequence_order": 0,
"candidate_id": "question1-yes"
},
{
"object_id": "question1-no-selection",
"sequence_order": 1,
"candidate_id": "question1-no"
}
]
}
]
}
}
Key Ceremony
start_key_ceremony
Message sent by the authority to notify that the key ceremony is about to start.
{
"iat": 1602498171,
"message_id": "decidim-barcelona.1.start_key_ceremony+a.decidim-barcelona"
}
**key_ceremony**
Message sent by the trustees to perform their part of the the key ceremony.
The key ceremony can consist of one or more steps depending on the voting scheme implementation. Thus, the trustees can send more than one message of this type.
For example, in the ElectionGuard implementation trustees send three messages: key_ceremony.trustee_election_keys
, key_ceremony.trustee_partial_election_keys
, and key_ceremony.trustee_verification
.
{
"iat": 1602498171,
"message_id": "decidim-barcelona.1.key_ceremony.<subtype>+t.alicia",
"content": "..."
}
Voting period
start_vote
Message sent by the authority to request the opening of the ballot box.
{
"iat": 1602498171,
"message_id": "decidim-barcelona.1.start_vote+a.decidim-barcelona"
}
vote.cast
Message sent by the voters containing the encrypted ballot.
{
"iat": 1602498171,
"message_id": "decidim-barcelona.1.vote.cast+v.(an identifier for the voter)"
"content": ...
}
Tally
start_tally
Message sent by the authority to notify that the tally process is about to start.
{
"iat": 1602498171,
"message_id": "decidim-barcelona.1.start_tally+a.decidim-barcelona"
}
tally.cast
Message sent by the bulletin board as a response to the start_tally
message, containing the homomorphic sum of the encrypted ballots.
{
"iat": 1602498171,
"message_id": "decidim-barcelona.1.tally.cast+b.metadecidim",
"content": "..."
}
tally
Message sent by the trustees to perform their part of the tally process.
The tally process can consist of one or more steps depending on the voting scheme implementation. Thus, the trustees can send more than one message of this type.
For example, in the ElectionGuard implementation the trustee sends the tally.trustee_share
messages.
{
"iat": 1602498171,
"message_id": "decidim-barcelona.1.tally.<subtype>+t.alicia",
"content": ...
}
end_tally
Message sent by the bulletin board when finishing the tally operations.
results
contains the computed and decrypted results of the election.
{
"iat": 1602498171,
"message_id": "decidim-barcelona.1.end_tally+b.metadecidim",
"results": {
"question1": {
"question1-yes-selection": 6,
"question1-no-selection": 3
}
}
}