Consider using third-party ballot updating

[AaronFeickert]

The DeVoS voting protocol preprint (and perhaps other constructions as well) achieves its form of coercion resistance through the use of a posting authority. At the start of an election, the election authority (who distributes voter keys) signs a null ballot for each voter. During the election, a voter submits its ballot (and any updates to it) to the posting authority, who verifies and caches it.

At the end of predefined epochs throughout the election, if the posting authority has received a valid ballot from a voter, it posts it to the bulletin board. If it has not received a valid ballot from a voter, it generates a re-randomization of the voter's most recent ballot, and posts this to the bulletin board. The intent is for a coercer to be unable to distinguish these cases. To ensure this, ballot signatures are generated using a disjunction proof, which shows that either the ballot is signed by the voter, or that the ballot is a re-randomization of the previous ballot.

This has benefits and drawbacks.

Benefits include:

• A coercer cannot tell if a previously-coerced voter has updated its ballot.
• Observers cannot tell if any particular voter has voted or not, nor how many times a voter has updated its ballot.
• Ballot contents remain private, even when updated by the posting authority.

Drawbacks include:

• The election authority knows voter keys and can forge ballots.
• The posting authority knows which voters have voted, and how many times each voter has updated its ballot.
• The posting authority can censor ballots.
• If the tally authority is corrupted, it can link individual ballot contents to voters.

A similar approach may work for Aura in a way that meets its primary goal of minimizing trust in authorities.

In this approach, ballot proofs are disjunctive, and show that either:

• a ballot contains a valid ambiguous signature and linking tag validity assertion; or
• a ballot is a re-randomization of another given ballot, and is signed by the updater

When a voter submits either its initial ballot or an updated ballot, it uses the former clause of the disjunction. Periodically, the updater examines the bulletin board and issues re-randomized ballots (based on linking tags) using the latter clause of the disjunction. It will likely be very important that this dual-submission approach, where voters still submit ballots directly to the bulletin board, does not leak metadata allowing observers to identify which ballots are likely to be submitted by the updater.

When the election ends, the tallying authorities discard all but the most recent ballot for each linking tag and proceed to tally as before.

[AaronFeickert]

Note that in the current design, it is not possible for a coercer to see if its voter updated its ballot during the election, but the coercer learns this after the election ends.

In the updated design, provided the updater performs its updates sufficiently, it is never possible for a coercer to learn this information. However, there are failure modes if the updater is dishonest or corrupted:

• If the updater does not perform ballot updates, a coercer can assert that its voter's ballot was not updated.
• If the updater colludes with the coercer during or after the election, the coercer learns if/when its voter's ballot is updated.

Effectively, the only new failure mode arises if the updater colludes with the coercer during the election.

[AaronFeickert]

The above failure mode is mitigated if multiple entities act as updaters and do not fully collude. In this case, the disjunctive proof needs to be modified to account for the presence of multiple valid updater verification keys.