Trustless, Censorship-Resilient and Scalable Votings in the Permission-Based Blockchain Model

Voting systems are the tool of choice when it comes to settle an agreement of different opinions. We propose a solution for a trustless, censorship-resilient and scalable electronic voting platform. By leveraging the blockchain together with the functional encryption paradigm, we fully decentralize the system and reduce the risks that a voting provider, like a corrupt government, does censor or manipulate the outcome.


Introduction
In many countries, the de facto mechanism to realize democratic choices are votings. It is well-known that voting systems are subjected to attacks, which threaten democratic decision-making [10]. This includes vote-buying, ballotstuffing, destruction or invalidation of ballots, mis-recording of votes, aggravating the voting access or tampering with the electronic voting machines [9,11]. The commonality of all these threats is to affect the outcome of the voting. For important decisions (e.g. presidential or shareholder elections) one tries to reduce the threats by recruiting trusted helpers and the engagement of neutral observers. These entities are appointed by a central authority, like the government or a corporation, and are crucial to the election process. Centralized trust is fragile. Even if their implementation is cost-efficient, the history has shown that central authorities can misuse their responsibility and power to influence the outcome of an election to their favor.

Previous Work
Electronic voting systems and their security properties have been actively studied in the research community, since their introduction in the celebrated work of Chaum [3,5,15]. Due to their scalability and fault-tolerance properties [4], it Supported by the European Commission through H2020 project FENTEC (grant no. 780108). Properties [21] [13] [22] [29] [20] This work Vote Type Any Any Yes-no Any Any Any turns out that the blockchain is a promising tool for electronic voting systems [7]. Even if blockchain-based e-voting systems come with some compromises [14,24], their main advantage is the provision of a tamper-proof way to achieve a publicly verifiable consensus that makes it interesting even for governmental institutions, which aim to extend the involvement of citizens in local community decisions [28]. It has been verified in practice that particular solutions are able to handle hundreds of thousands of voters [18]. A lightweight solution for an Etherium-based e-voting protocol, which focuses on reducing trust against the voting provider, is given by Lai et al. [20]. Their protocol works in a way that key managers have to agree on a common key using secret sharing techniques, which is then used by eligible voters to create obfuscated addresses for available candidates. In order to prevent double voting, a one-time ring signature has to be created by every voter. Because ballots are stored as normal transactions to obfuscated addresses within the network, verification and tallying has to be processed off-chain by every interested party after the key managers publish their secret keys. The fact that expensive computations have to take place outside the blockchain in order to reduce gas costs may exclude low power devices from verifying the results. Liu et al. propose a voting protocol within the permissioned and permissionless blockchain model [21]. A voter casts a ballot by encrypting the vote with the organizer's public key before the inspector signs it. The system thus assumes to trust both parties not to violate ballot and voter privacy. An implementation based on the blockchain framework Ethereum is given in [2]. With regard to today's gas prices and Ethereum's throughput, the system is unsuitable for frequent or large-scale elections. Hardwick et al. propose a voting scheme in the permission-based blockchain model, satisfying the basic notions of fairness, eligibility, privacy and verifiability [13]. Their protocol uses the blockchain as a transparent ballot box. The system relies on a central certification authority to authenticate voters and give permission to access the network. Hence, an authority when byzantine, breaks the link between voter identity and vote and therefore violates the ballot privacy. Their implementation within a private Ethereum chain requires a non-negligible amount of gas per vote, which makes the approach less appealing for frequent votings like in DAOs. McCorry et al. propose a variant of the Open Vote Network (OVN) in the permissionless blockchain model [22]. The OVN is a self-tallying protocol, which avoids a central counting authority. A self-tallying protocol converts tallying into an open procedure, which allows any voter or a third-party observer to perform the tally computation once all ballots are cast. This removes the role of a tallying authority from an election as anyone can compute the tally without assistance. Unfortunately, self-tallying protocols have a fairness drawback as the last voter can compute the tally before anyone else, which results in both, adaptive and abortive issues. Moreover, the protocol is limited to boardroom votes, where board members take a yes-no decision. Their implementation in Ethereum shows suitable gas costs for 40 voters, but does not scale with larger numbers. Yu et al. propose a platform-independent approach [29]. To achieve the comprehensive goal, the authors employ Paillier encryption to enable ballots to be counted without leaking candidature information in the ballots. To leverage the homomorphic property for summation of votes, an administrator decrypts the plain text sum. If byzantine, the administrator can use the same decryption key to decrypt each encrypted ballot and break the ballot privacy. A proof-of-knowledge is employed to convince the voting system that the ballot is valid without revealing its content. Linkable ring signatures are used to ensure that the ballot is from one of the valid voters, while no one can trace the owner of the ballot. To this end, a voter needs to download the public keys of all other voters, which entails a space allocation linear in the number of voters. Their reference implementation in Hyperledger Fabric allows handling millions of voters, provided that they are grouped in sufficient batches.
A comparison of the above mentioned e-voting schemes by their properties can be found in Table 1.

Our Contribution
We propose a solution for a trustless voting system based on Hyperledger Fabric [1]. By trustless, we mean a system in which byzantine parties, including the voting organizer, are unable to manipulate the outcome of an election. A bit more precisely, malicious organizers are prevented from opening ballots before the official tallying. We leverage techniques from functional encryption [26] and implement decentralized off-chain opening oracles in order to allow voters to encrypt their votes and store them secretly within the blockchain. This technique already leads to censorship-resilience of the cast votes, as the blockchain guarantees the immutability of the storage. Off-chain oracles, like for example time-triggered servers, open the encrypted ballots by writing their decryption keys into the blockchain. Only if a sufficient subset of keys, matching a predefined quorum policy, has been stored, the blockchain or any other auditing entity is capable of opening and publicly tallying the ballots. This way we fully decentralize the opening phase and lift the byzantine fault-tolerance properties of blockchains to the off-chain perimeter. Furthermore, we introduce off-chain anonymizer oracles, which cooperatively unlink the encrypted vote from the user's identity and enforce the eligibility to cast a single vote. To instantiate the oracles, we leverage techniques from threshold blind signatures [17], which allows us to scale the byzantine fault-tolerance of the voting system by making adjustments to the threshold parameter. Only if the eligible voter receives sufficient signatures from the anonymizer oracles, she can unblind and reconstruct an anonymous voting credential, which is necessary to submit her encrypted vote.

Trust Model
Our goal is to provide a platform in which voters are not required to put their trust in the honest behavior of individual system components, a property to which we refer as trustlessness. Our approach to provide such a trustless voting system is built upon the decentralization of critical security components and entities. For example, we decentralize the need to trust a single eligibilitycontrolling entity, and by leveraging threshold blind signatures, we distribute the voter admission process over several authorities. At the same time, we also ensure that each voter is only able to cast a single ballot. Further, we make use of distributed multi-authority functional encryption to prevent that a single authority is able to open ballots without prior agreement of other authorities. Another aspect of our trustless voting system leverages the blockchain as a distributed ballot box and tamper-resistant tallying entity. The blockchain operating principle ensures that no malicious node is able to add or remove ballots, or write a wrong decryption result to the blockchain, on its own. While public blockchains are considered as trustless networks, we decide to use a hybrid between public and (trusted) private blockchain, because of performance reasons. However, we claim that with the permission-based blockchain Hyperledger Fabric, this trustlessness also holds to some degree [27]. With a proper selection of voting providers which host the peer nodes, e.g. well-known companies, the trust can be minimized as it can be assumed that they do not help each other tampering with the data and risk their reputation in the process.

Cryptographic Building Blocks
In order to protect the voter's privacy, we use a decentralized multiauthority functional encryption system with inner-product functionality, for short, decentralized inner-product predicate encryption DIPPE = (DIPPE.GlobalSetup, DIPPE.AuthSetup, DIPPE.KeyGen, DIPPE.Encrypt, DIPPE. Decrypt). The reason of using this scheme is to ensure that no single authority is able to decrypt, and therefore break the secrecy of the ballot, on her own. For our prototype we use the scheme of Michalevsky et al. [23] as it best fits our need for an adaptive secure scheme with excellent decryption performance that doesn't scale with the number of authorities.
To implement the voter's eligibility check, we utilize a t-out-of-n threshold blind signature scheme TBS = (TBS.ParGen, TBS.KeyGen, TBS.Sign, TBS.Verify). We require the blindness property to prevent that authorities make conclusions about the voter's identity as soon as the ballots are published to the blockchain. In addition, we use the threshold property to prevent that voters request more than one signature from distinct authorities and therefore contradict our one-person-one-vote approach. For our implementation we use the scheme of Kuchta et al. [19]. While the base version of this scheme requires a trusted dealer, the TBS.KeyGen can be completely decentralized through a distributed key generation protocol [12]. For formal definitions we refer the reader to the appropriate articles.

System Model
with each V i possessing two types of identities. First, an individual voter identity I Vi := {sk Vi , pk Vi , cert Vi } and second, an anonymous identity I anon := {sk anon , pk anon , cert anon }, which is shared between all voters. Both identities consist of a certificate and a pair of public and private key. While I Vi is uniquely bound to a voter and can be used to authenticate herself, the intention of I anon is to protect the privacy of the voter. Since we operate in a permission-based blockchain model, every request has to be signed by an authorized identity of the network. We use this approach of a shared identity, which can only be used to submit ballots to the blockchain, to bypass the membership check and to disguise the real origin of the request. To participate at a given voting vid, the voter fetches the corresponding voting description from the blockchain, casts an encrypted ballot, gets enough signatures from the signer authorities and submits all together to the blockchain. Peer: There exists a set of n P peers P := {P 1 , . . . , P i . . . , P nP }, with each peer P i owning an identity I Pi := {sk Pi , pk Pi , cert Pi } consisting of a certificate and a pair of public and private key. Peers are part of Hyperledger Fabric and are mainly responsible for maintaining the distributed ledger. Further, they provide the communication endpoint for all off-chain entities in the system. The application functionality is included within their smart contracts and can be invoked by appropriate entities.

Protocol
The voting system consists of four protocols: Setup, Pre-Voting, Voting and Tallying.

Setup
Preparation of the Hyperledger Fabric Network. This step encompasses the creation of the cryptographic material for organizations, smart-contracts and common configuration (genesis block) required to bootstrap the network peers. As this is standard process we refer the reader to the Hyperledger Fabric documentation [16].

Preparation of Off-Chain Entities.
In order to operate within the permission-based blockchain, each network participant has to obtain a digital certificate from an organization. The certificate encompasses information such as the public key, a type (registrar, voter, . . . ) to limit the operation set and possibly other metadata of the entity. During this step, each organization may also verify the physical identity of the requester. Details of the issuance policy as well as the decentralized implementation of the certification protocol (e.g. through an MPC protocol [6]) are out of scope.

Registration of Signer Authorities.
In order to fulfill their special purpose of ensuring the voter's eligibility, signer authorities need to perform an additional set up of the threshold blind signature scheme. Due to our focus on a decentralized voting platform, signer authorities, across organizational boundaries, start by engaging the common execution of the TBS.KeyGen(·) algorithm, with output the set of secret keys sk TBS,SAi for each signer authority SA i and public key components, which form the common public key pk TBS . Note that in order to be completely decentralized, the preceding execution of a distributed key generation protocol may be necessary. Public key components are then stored within the blockchain (Fig. 1). Fig. 1. Protocol flow of our voting system. Due to clarity of presentation, the setup protocol is left out. Components of Hyperledger Fabric are summarized as blockchain (BC) and its state is assumed to be known by every party.

Pre-voting
Register Voting. In our system, a registrar R i is capable of scheduling new votings. To do so, the registrar sends a signed request containing metadata like vid, title, expiration date, a set of eligible voters, a set of possible choices opt and a policy π, which specifies a set of responsible key authorities, to the blockchain.
Authorize Voting. Trustlessness within our system relies on the decentralization of critical entities. In case of key authorities this approach ensures that there is no single authority, which is capable of opening the encrypted ballots on her own. Now, in this sub-protocol the virtual ballot box is prepared. Therefore, every key authority KA i , mentioned within the policy π of a registered voting, generates a new functional encryption key pair {sk vid,KAi , pk vid,KAi } ← DIPPE.AuthSetup(pp, i) using the public parameters pp of the scheme. While the private key sk vid,KAi is stored locally, the public key pk vid,KAi is distributed to a blockchain peer in a signed request. If the blockchain is able to verify that the requesting key authority is part of the voting policy, it accepts and links the public key to the voting description, which is stored within the blockchain.

Voting
Cast Ballot. To cast a new ballot, the voter V i first fetches the appropriate voting description from the blockchain and calls ballot vid,Vi ← DIPPE.Encrypt(pp, x, opt vid,Vi ) using her choice opt vid,Vi ∈ opt, the public keys {pk KAm,vid } m∈π , a policy vector x derived from the policy π, and the scheme's public parameter pp.
In order to prevent double voting, the ballot ballot vid,Vi has to be signed by a set of at least t signer authorities. Note that the signing of the voter's ballot has to be done blindly in order to disguise associations from the ballot to the voter.

Tallying
Unlock Ballots. In order to unlock an expired voting, key authorities have to send decryption keys to the blockchain. To do so, each responsible key authority KA i first fetches the voting description from the blockchain, and generates a decryption key sk KAi

Security Analysis
In this section, we analyze and informally argue security of our voting system.
Ballot Privacy: Ballot privacy means that an adversary is not able to reveal the way, a specific voter has voted. Our system ensures ballot privacy due to the fact that voters submit their ballots using a distinct anonymous identity, which is shared between all voters and therefore disguises the real user behind it. Even if ballots, which are stored within the blockchain, become publicly visible, an inference to a specific voter can not be established anymore. In order to prevent double voting, a ballot has to be submitted together with a signature over the ballot, created by a set of signer authorities. The blindness property of the threshold blind signature scheme ensures that even a (minority) set of malicious signer authorities is not able to learn the structure of the ballot and as a consequence, break the privacy as soon as the ballot is published to the blockchain. Fairness: Fairness means that an adversary is not able to obtain intermediate results of a voting before its expiration date. This property is ensured within our system as long as no majority of malicious key authorities collude. The reason is that all ballots, which enter the system, are encrypted client-side using an IND-CPA secure functional encryption scheme and in order to open ballots, which are stored within the blockchain, decryption keys from multiple key authorities are required. Eligibility: The eligibility property limits the voting attendance to voters that are entitled to it. Each voter within our system possesses a digital identity, which she obtains in exchange to a proof of her real identity. When registering a new voting at the system, a registrar is able to define the set of voters that are able to participate. The enforcement of the eligibility property is then performed by the signer authorities as they only create signatures in exchange for a proof of identity, for voters whose name is on the list. Verifiability: Verifiability means that interested parties are able to validate that results are correctly tallied. Here, we differentiate between two types of verifiability. Individual Verifiability: Individual verifiability means that every distinct voter is able to assure herself that the own ballot was correctly counted. Our system benefits from the fact that the decryption (ballot opening) is a transparent process, which is done by the smart contract. During this step, all necessary decryption keys are made public. Furthermore, voting data never leaves the blockchain and Hyperledger Fabric prevents that smart contracts are changed on single peers in order to manipulate the outcome. Universal Verifiability: Universal verifiability allows every interested party to verify the election result. The same argumentation, which was given for the individual case, is also applicable for the universal one. Every party that mistrust the result, is able to recalculate the outcome by decrypting and tallying the stored ballots herself.

Receipt-Freeness and Coercion-Resistance:
The two properties of receiptfreeness and coercion-resistance are closely related to each other, as they enable protection against coercion or profit intentions of the voter, e.g. vote buying. Receipt-freeness, basically, is the absence of information of the voter that can be used to prove to an attacker the way she voted. Coercionresistance assumes a stronger attacker, which not only cooperates with the voter in form of sharing secret information, but is also able to adaptively interact with the voter by preparing messages for her [8]. Our system is vulnerable to such type of attacks, due to the fact that all encrypted ballots are stored publicly within the blockchain. If the voter cooperates with an attacker by providing the random coins, which are used to encrypt the ballot, the attacker is able to make associations between the voter and her choice as soon as the ballots are opened. Double-Voting-Resistance: Double-voting is the threat in one-person-onevote systems that a voter is able to submit more than just one ballot. In our system, double-voting is prevented as long as a majority of signer authorities act honestly. The reason is that a ballot can only be submitted in combination with a valid signature, issued by a set of signer authorities. Signer authorities, however, will only issue signatures once for every eligible voter. We require that the used threshold blind signature scheme fulfills the unforgeability property, which prevents that valid signatures can be illegitimately cast by unauthorized entities. Censorship-Resistance: Our system is censorship-resistant in the sense that there is no solely responsible voting provider that is able to manipulate the outcome of the voting by adding undetected forgeries, declining to accept ballots from voters or even hiding ballots from the counting process. This follows from the fact that the blockchain itself is immutable and allows modifications only if a quorum of voting providers agree. Reliability: Attacks on the voting system in order to force malfunction or even the destruction of submitted ballots, and in consequence a change in the outcome of the election, are an actual threat. The fact that our voting system is built on top of a decentralized blockchain ensures protection against data loss, as a copy of the database is stored redundantly on each peer.

Conclusions and Future Work
In this paper, we proposed a trustless, censorship-resilient and scalable electronic voting system based on Hyperledger Fabric. Our system allows the parametrization of the number of peers in order to decrease the required tallying time of the ballots. A preliminary performance evaluation showed that Hyperledger Fabric is basically a good choice for such a system, because the smart contract hardly limits the performance of the underlying voting program. When considering large-scale votings like for example, the federal election 2017 in Germany with around 61,69 million eligible voters, our voting system needs approximately 8,77 h to perform the whole counting process with 512 peers (single-threaded on 3,60 GHz CPU) per organization, which is within the time frame of traditional, manual tallying processes. As future work remains a completion of the system, as it is only partially implemented up to this point and further, a performance analysis using the BFT based orderer. It would be interesting to investigate optimizations that can be applied, e.g. faster schemes and finally, a formal security analysis is still pending.