# Tallyable encryption of votes, some options ## [Reputable List Curation from Decentralized Voting](https://eprint.iacr.org/2020/709.pdf) <div class="c-row"> <div class="c-column"> #### Pros: - Usable today - Can be very fast to generate, including possible on phones - Proving time : O(1) - Verification time : O(1) - Signature size : O(1) - End-to-end verifiability built in to the protocol </div> <div class="c-column"> #### Cons: - Protocols are generally not flexible – to support a different type of voting, you need to design a new scheme from the start - Use of cryptography means it’s not trivial to verify </div> </div> ## [A Smart Contract for Boardroom Voting with Maximum Voter Privacy](https://eprint.iacr.org/2017/110.pdf) <div class="c-row"> <div class="c-column"> #### Pros: - Usable today - Can be very fast to generate, including possible on phones - Proving time : O(1) - Verification time : O(1) - Signature size : O(1) - End-to-end verifiability built in to the protocol </div> <div class="c-column"> #### Cons: - Protocols are generally not flexible – to support a different type of voting, you need to design a new scheme from the start - Use of cryptography means it’s not trivial to verify </div> </div> ## Batravote Batravote doesn't aim for privacy, but there is a version in progress that should add privacy. After this version is complete, the pros and cons should be roughly as explained below. Note however that this is subject to change, apologies for any incorrect guesses here. <div class="c-row"> <div class="c-column"> #### Pros: - Usable today - Can be very fast to generate, including possible on phones - Proving time : O(1) - Verification time : O(1) - Signature size : O(1) - End-to-end verifiability built in to the protocol </div> <div class="c-column"> #### Cons: - Votes are revealed </div> </div> <style> .c-row{ background:#f0f0f0; } .c-row:after { content: ""; display: table; clear: both; } .c-column { float: left; width: 50%; padding: 10px; } /* CSS hack to add section numbers to titles, starting from h2.*/ /* Titles numbers */ .markdown-body h1 {counter-reset: h2} .markdown-body h2 {counter-reset: h3} .markdown-body h3 {counter-reset: h4} .markdown-body h2:before {counter-increment: h2; content: counter(h2) ". "} .markdown-body h3:before {counter-increment: h3; content: counter(h2) "." counter(h3) ". "} .markdown-body h2.nocount:before, .markdown-body h3.nocount:before { markdown-body: ""; counter-increment: none } .markdown-body h1:before, .markdown-body h2:before, .markdown-body h3:before { color: #737373!important; } /* TOC numbers */ .toc ul li ul { counter-reset: section; list-style-type: none; } .toc ul li ul li::before { color: #919191!important; counter-increment: section; content: counters(section, ".") " "; } </style>
Last changed by  
Rebekah Mercer
96

Read more

Decentralised private voting

References to sub-documents The slides that capture a subset of this information can be found here. An analysis of some membership proof based options can be found here. An analysis of some SNARK-based options can be found here. A brief comparison of some encrypted votes based options can be found here. Vocdoni's post on anonymous voting (introducing some helpful vocabulary) can be found here. What we want to achieve

12/5/2022
Linkable membership proofs, some options

In all of the options below, the way that the protocol works is that voters solve an equation that is only solvable to people who have a secret key corresponding to one of the public keys in the census, and use this proof to sign a message. The message is not encrypted, and the content of the message is the voter's vote. (Domain-separation information such as chain id and process id can also go into the message, in order to provide replay protection.) DualDory DualDory: Logarithmic-verifier linkable ring signatures through preprocessing This is an elliptic curve discrete log-based scheme, with pairings-based preprocessing. This scheme is very new, but a huge plus is that it is implementable and launchable today, with no future research needed. Pros: Usable today Linkable out of the box

11/16/2022
privacy without snarks — one of many proofs

Groth and Kohlweiss introduced the concept of one of many proofs in their 2014 paper, which also proposes the first O(logN) construction of the concept. One of many proofs are at their heart a membership proof, also know as a ring signature. In other words, whereas a normal digital signature attests to the statement ‘I know the private key that corresponds to this public key’, ring signatures prove the statement ‘I know the private key that corresponds to one of the public keys in this list’, without revealing which of the public keys that it is. Without the privacy requirement, the list of public keys could simply be a list, and the signature proving that the signer knows one of them could simply be a digital signature like ECDSA or edDSA, as is used in many multi-sig accounts. But that reveals which or the public keys the signature corresponds to, and so, would reveal, for example, specific individuals’ spending habits. This could make them, for example, more vulnerable to coercion, etc. So ring signatures keep that information private. Privacy in the cryptocurrency space, due to either Zcash’s domination of mindshare, or the simpler model of programming with a snark DSL, rather than reading 1 million cryptography papers and implementing things for scratch, and the specialists audits that requires, is often thought of as very snark based. The main way to do this is to put all the participants public keys into a merkle tree, and then have them prove knowledge of one of the merkle paths and the secret key corresponding to the public key at that leaf. Constructing this within a snark involves a lot of hashing, and traditional hash functions are famously snark-unfriendly. CUE RING SIGNATURES ;) At a high level, the way ring signatures work is that there is a challenge based on all of the potential PKs, and then the prover uses their secret information (their sk) to produce a response that will verify against the list of PKs, without revealing which specific PK their sk corresponds to.

10/7/2022
Read more from Rebekah Mercer
Published on HackMD