
Securing abstention in an electronic legislature

Brian King
Purdue School of Eng. & Tech., Indiana Univ. Purdue Univ. Indianapolis

Yvo Desmedt
University College London
Florida State Univ.

Abstract. The reasons for developing an electronic legislature (e-legislature) include: an improved legislature, increasing the constituents' access to the legislator, improving participation in government, and providing our government with a mobile distributed legislature that will be able to continue to meet even in the face of some drastic event like terrorism. The essence of a legislature is political and consequently its members will certainly act in such a way. Thus one must assume that legislators would take advantage of the lack of physical presence in a legislature if it were not secured. In [5], [6] an electronic legislation scheme was proposed that secured the government from malicious behavior of legislators. The protocol described in [5], [6] provided only minimal legislative voting options; to create a realistic e-legislature one must support all likely functions. Most legislatures allow their members to abstain. The process of introducing abstention into an e-legislature can be challenging, especially in the case when the legislature passes statutes by simple majority. Here we discuss how to secure an e-legislature which supports abstention.

    I. INTRODUCTION

The process of integrating digital technology into our government to achieve e-government will provide improved services as well as bring greater accessibility of governmental services to the people. However, there exist several other reasons to consider e-government; one is that it may provide a means to ensure the continuity of services and government in the case of some drastic action.

Within the context of this work we are interested in developing a special type of electronic voting which we characterize as e-legislature or e-laws. Electronic voting for general elections has become an active area of research; its impact will be significant whenever (or if ever) a secure and efficient e-voting scheme is constructed. An electronic legislature will provide several important services, like improving government and increasing access of constituents to their representatives, and is desirable for several other reasons, including that it will ensure the continuity of the government in cases where the physical legislature cannot meet. Its impact will be important for that reason alone.

There are several reasons to be interested in developing an electronic legislature (e-legislature). One is that an e-legislature is desirable since it will ensure the delivery of the actions of a legislature, especially given the increasing specter of a terrorist attack made on the government. In the September 11th terrorist attack, potential targets had included the White House and/or the Capitol Building. If either attack had been successful it is certain that a disruption of our governing body would have occurred. Immediately following this attack, a second terrorist attack occurred: the mailing of anthrax spores to U.S. legislators. This attack successfully stopped the U.S. House of Representatives from meeting, and restricted the contact of the U.S. Senate. Fortunately the stoppage was brief, due to the fact that the anthrax contamination was limited to an office complex for the senators. Comparable attacks on governing bodies have been enacted on other governments.

One solution to this problem of terrorism disrupting the legislature is to create the means for the legislature to convene remotely, i.e. a mobile legislature. The U.S. Congress has recognized this need and has proposed legislation to develop electronic legislatures as a means of continuing government in the face of a terrorist attack [3].

In an electronic legislature, the legislature's ability to pass or to not pass legislation should be thought of as the legislature digitally signing (with some secret key) the legislation or not signing the legislation. The power held by each legislator to vote on legislation will need to be a share of the legislature key (the one that will generate this legislature signature).

The potential threats to an electronic legislature can come from both external and internal sources. Traditional computer security and cryptographic tools can be used to protect the e-legislature from most of these external threats (intrusion detection, denial-of-service, authentication, confidentiality, etc.). However, new tools need to be developed to protect the e-legislature from internal threats. Internal abuse is the threat that can seriously diminish the integrity of the legislative body. When considering an electronic legislature, we ask: will such a legislature be as representative as the physical government in place? The danger of using a distributed electronic government is that the mechanisms for reining in legislative abuse are not necessarily in place, due to the lack of physical proximity of participants. The concern about the possibility of cheating among participants in an electronic legislature is warranted. Politics in government has always been built on factions and coalitions. Required protocols need to be secured. For example, the fact that the number of legislators present varies will pose a security problem, because we will need to redistribute the power to vote (i.e. redistribute digital shares). One would not want to generate a new legislature secret key, since a key should last as long as the legislature (for example, in the case of the U.S. House of Representatives, its duration is 2 years).

0-7695-2268-8/05/$20.00 (C) 2005 IEEE
Proceedings of the 38th Hawaii International Conference on System Sciences - 2005

A legislative body, like the Senate or House of Representatives, will pass laws according to some minimum number of required yes votes, which is often a proportion of the body present (some possibilities include majority or two-thirds). This is an example of a threshold application; however, the threshold is dynamic since it will depend on a proportion of the (legislative) body that is present. Consequently, to achieve an electronic legislature, a scheme is needed which allows transfer of the legislative signing power from the (original) fully attended body to the body present. One problem that arises is that the entire original body is not present to participate, but that is easy to overcome using threshold cryptography. The difficulty with developing such a scheme is the realization that the legislators must be treated as adversarial and hence untrustworthy. That is, the legislators are in competition with each other and they may attempt to take advantage, for political gain, of the fact that the process of transferring signature power will take place. In light of this competition, a verifiable transfer of power needs to take place. In [5], [6], a model was introduced which described the requirements for a verifiable democracy. Protocols which provided partial solutions and described how to achieve verifiable democracy were described in [5], [6], [10].

The protocols described in [5], [6], [10] provided only the minimal amount of legislative services. For an e-legislature to actually be implemented, other legislative services need to be offered, for example abstention. Abstention in e-voting within a general election has been examined [11], but abstention within an e-legislature has never been examined. The act of abstaining is a necessary voting option for a legislator. Abstention allows a legislator to remove themselves from a vote. There are several reasons for a legislator to want to abstain; some of the reasons include abstaining because of a conflict of interest and abstaining to avoid problems with their constituency.

Integral to the verifiable democracy protocol described in [5], [6] is the blinding of the message/law. The basis of this requirement is discussed in detail in [5], [6]. Within a legislature, it is possible that legislators may wish to abstain from voting on certain legislation. Of course the decision to abstain (or not to abstain) must be made after the content of the message is revealed. The way abstention is handled may depend on the legislature, or it may depend on the type of voting the legislature is utilizing, or it may even depend on what is being voted on. In a majority type vote, there are two rules that are most likely to be used to handle abstention: in the first case the abstention will be noted but it will be treated as a no vote; this is referred to as absolute majority. In the second case the majority will be determined by the total number of the yes and no votes, whichever is larger constitutes the majority; this is called a simple majority [7].1 In the case of a simple majority, the threshold will change whenever an abstention takes place, whereas in an absolute majority the threshold remains unchanged. Robert's Rules of Order [16] provide no guide as to how abstentions should be handled. There are numerous examples of both types of majorities used in legislatures. Simple majorities are used for several types of voting in both houses of the US Congress, the British House of Commons [7], the Scottish Parliament [17], and the college of the Commission of the European Union [19]. Absolute majority is used as well in several places; for example, certain votes in the U.S. Congress will require absolute majorities. One can generalize the notion of the classification of a majority to classify the two-thirds type vote and define absolute two-thirds, as well as simple two-thirds.

Consequently, since a legislature may use both absolute majority as well as simple majority, an e-legislature must be able to support both absolute and simple majority. The goal of this paper is to describe a protocol that will provide the means to implement abstention within the e-legislature.

1 A third possible rule would be to count an abstaining vote as a yes vote.

II. BACKGROUND: TOOLS AND TERMINOLOGY

Suppose Alice wishes to send to Bob a signature of message M. Alice applies a hash function h() to M, so that m = h(M). Alice sends to Bob M and Sign(M, privKey), whereupon Bob can verify the signature using the verify function, where verify(M, X, pubKey) is a boolean function: it returns true provided X is Sign(M, privKey), otherwise it returns false. If the signature is verified then Bob accepts the message. Some examples of signature schemes that can be used in this protocol include the RSA signature scheme and the El Gamal signature scheme. In a k out of n threshold sharing scheme the secret key privKey is shared out to n participants, so that any subset B of k participants can combine their shares and construct privKey, while any subset of cardinality k − 1 gains no information about privKey. In a k out of n threshold signature scheme, the signing key privKey is shared out to n participants so that any k participants can sign a message M. We let S_i denote participant P_i's partial signature (think of a partial signature as a share of the signature). When the participants wish to sign a message they will send their partial signatures to some combiner who will combine their shares to form the signature:

$$\mathrm{Sign}(M, \mathrm{privKey}) = \prod_{i \in B} S_i^{\lambda_{i,B}} = S_{j_1}^{\lambda_{j_1,B}} \cdot S_{j_2}^{\lambda_{j_2,B}} \cdots S_{j_k}^{\lambda_{j_k,B}}$$

where B is the set of k members B = {P_{j_1}, ..., P_{j_k}}, λ_{i,B} is the appropriate scalar and S_i is participant P_i's partial signature.2

Verifiable signature sharing [1], [8], [14] is a cryptographic sharing technique which allows the holder of a document to distribute shares of the signature of the document to proxies (participants), so that the proxies can later reconstruct and sign the document (if they wish). Further, by the end of the distribution phase, honest proxies can verify that they have been given shares of the authentic signature, without reconstructing the signature. In an electronic voting scheme, if a voter receives data/information such that this data allows others (as well as the voter) to verify how the voter's vote has been counted, we say that the voter has left a receipt. A voting scheme is said to be receipt-free provided that no receipt is left for the voter which allows others to verify the voter's vote. In the case of an e-legislature, since the legislator is a representative of the people, we would require that the voting scheme leaves a receipt.

2 The most likely operation used with partial signatures is multiplication; this operation is dependent on the cryptographic primitive used. The scalar λ_{i,B} is a public value dependent on i and the set B of participants. In most applications it is defined as

$$\lambda_{i,B} = \prod_{j \in B,\; j \neq i} \frac{0 - x_j}{x_i - x_j}.$$

III. ILLUSTRATIONS OF PROBLEMS THAT CAN ARISE IN AN ELECTRONIC LEGISLATURE

Let A = {P_1, ..., P_n} denote the legislature. Let A_t represent the set of legislators present at time t, thus A_t ⊆ A. Suppose n represents the size of the original legislature and n_t represents the number of legislators present at time t. A session is a continuous period of time for which the legislators present, A_t, can vote on legislation and the set of participants present remains fixed.

As noted earlier, the manner in which a legislature votes is similar to a threshold signature scheme, and the power to sign legislation is similar to possessing shares to sign. In this application the threshold k denotes the quorum of the legislature, the minimum number of legislators required to be present in order for legislation to be passed. The threshold k_t represents the threshold required to pass legislation at time t; for example, in a legislature for which majority rules, k_t = ⌊|A_t|/2⌋ + 1.3 Every time the legislature A_t changes, some type of redistribution of shares will need to take place. Redistribution is possible as long as a quorum k of legislators exists, i.e. |A_t| ≥ k.

Some problems that the verifiable democracy protocol must overcome include the following (for more details/descriptions of these problems we suggest the reader see [5], [6]). First, the transfer of signature power needs to be temporary. If legislators send their shares of the key to other legislators then these legislators can use this information to sign other laws. In fact they can impersonate this legislator in future votes. Temporary sharing is achieved by having k participants P_{i_1}, ..., P_{i_k} transfer their partial signatures instead of their power to sign. Consequently the transfer will be message-oriented.

Secondly, observe that a few of the k (out of the n_t) participants P_{i_1}, ..., P_{i_k} could defeat the process by not properly transferring their power (shares). This would be especially true if the message (law) was such that they had a vested interest that the law should not be passed. Thus, as the transfer of power is message oriented, there is a need for the set P_{i_1}, ..., P_{i_k} to transfer power blindly (i.e. encrypt the message before sharing).

Third, the participants A_t = {P_1, ..., P_{n_t}}, when given an opportunity to act on legislation, must know that the outcome (sign or not sign) is a result of their decision and not a result of bad faith on the part of the participants P_{i_1}, ..., P_{i_k} who had transferred them the power to sign. Hence, the participants P_1, ..., P_{n_t} need to be able to verify that they were actually given the power to sign that message.

3 The floor of x, denoted by ⌊x⌋, is the largest integer ≤ x.

Fourth, no set of participants should gain any information about a motion made during an illegal session, a session where either cheaters have been discovered or the number of legislators present is less than the quorum k. Otherwise, they could use this knowledge to act in later sessions. This provides another reason to blind the motion.

Fifth, in a receipt-required version of verifiable democracy, for each legislator belonging to A_t there must exist a record as to how that legislator voted. Note that if each legislator sends a validated partial signature (which we interpret as a valid vote) then this provides a receipt that the legislator voted in favor of the message. We could use the lack of a validated partial signature as a no vote.

Lastly, we assume that the network is sufficiently reliable (connected), even to deal with a few routers destroyed by terrorists.

The requirements are described by the following model [5].

VERIFIABLE DEMOCRACY MODEL

(i) (completeness) If n_t exceeds or equals the quorum k then for any set of legislators B_t with |B_t| ≥ k_t, either B_t can sign m_t or they can identify the cheaters among themselves.
(ii) (soundness) If B_t ⊄ A_t or if |B_t| < k_t then B_t cannot sign any new message m_t.
(iii) The action of the cheaters should be independent of the message. Therefore for any set B (representing a set of cheaters) with |B| < k, one should not be able to distinguish the way B acts with message m from the way they act with a message m′ (distinguish in terms of cheating strategies).
(iv) If n_t < k or if cheaters have been discovered, then no subset of A_t should gain any information about m_t. Therefore one should not be able to distinguish the information distributed by the members of A_t for message m from the information distributed for a message m′.
(v) If the set of participants A_t vote on m_t, then for all P ∈ A_t there exists a public receipt x_P such that x_P demonstrates how P voted for m_t.

The basic functions of the e-legislature protocol described in [5], [6] are provided below.

A. Verifiable Democracy Protocol: a democratic threshold scheme

During the set-up, the legislature is empowered with a secret key so that any k out of n can compute the secret signing key. If n_t ≥ k we proceed with the protocol; if n_t < k then there are not enough legislators to pass the legislation. At any time t, a message/law m_t may be proposed. A_t represents the set of participants present at time t, n_t = |A_t|, and k_t represents the threshold (the minimal number of participants required to sign). We now review the integral functions in the verifiable democracy protocol [5], [6]; we omit technical details and refer the reader to [5] for them.

Legislative key generation. A secret key privKey is distributed to the n participants so that a blinded message/law can be signed in a k out of n threshold manner. In addition to distributing shares of privKey, this distributor generates ancillary information4 which is used later to verify partial signatures. (For example, if the protocol utilizes RSA signatures, a test message is generated and all n partial signatures of the test message are broadcast. The test message and the partial signatures of the test message play an important role in the verification of future partial signatures. This can be performed by a trusted third party or by the participants using a protocol such as [5], [10].)

Blinding message. The participant P, who proposes message m_t, blinds m_t before presenting it to the legislative body A_t.

Transfer of Power - Partial Signature Generation (TPSG). As long as n_t exceeds (or equals) k, the message will be considered for signing. If so, k participants in A_t are chosen and they generate partial signatures for the blinded m_t.

Transfer of Power - Partial Signature Distribution (TPSD). Each of the k participants shares out their partial signature in a k_t out of n_t manner to A_t (we will refer to these k participants as partial signature distributors). Each participant in A_t has received k shares, whereupon they compress the k shares to one share. In addition to distributing partial signatures, the partial signature distributors will also distribute ancillary information which allows the legislative body A_t to verify the correctness of the partial signatures of the blinded m_t.

Transfer of Power - Partial Signature Verification (TPSV). The ancillary information provided in TPSD is first verified by each legislator in A_t. Upon verification, the ancillary information is used by each legislator to verify the correctness of their share of the partial signature of the blinded m_t. The verification procedure is devised so that with overwhelming probability it can be determined that a recipient has received a valid share; this is achieved via a verification and complaint protocol. If a verification fails then a complaint will be raised; at that time a cheater has been detected, and what remains is a protocol to determine whether the cheater is the partial share distributor or the complainer. The consequence is that the completion of this stage with no complaints implies that the signature power for the message has been transferred to A_t such that any k_t can sign the message.

Unblind the message. The message is revealed to the legislature. Who reveals the message? P could. Or if one utilizes a trusted chairperson as in [10], then the trusted chairperson could reveal m_t. In [5], the protocol utilized RSA signatures and so the legislators themselves could unblind the message without revealing their partial signature of m_t.

Decision - vote on m_t. The legislators decide whether to vote for or against m_t.

4 This ancillary information will be broadcast to all, i.e. public record. The nature of the ancillary information is dependent on the verifiable sharing scheme that is used. For example, for El Gamal use [14] and for RSA use [9] and [2].

Partial Signatures Sent (PSS). If any legislator wishes to vote for the by now known m_t, they send their share of the partial signature of the blinded m_t.

Verification of the signature determining the passage of m_t (PSV). If k_t or more participants have sent their partial signatures then the message may be passed. If so, the combiner selects any k_t of the sent partial signatures and verifies the correctness of these partial signatures using the ancillary information provided within this protocol. For each one of these invalid partial signatures the combiner selects one of the remaining partial signatures sent and verifies it. If the number of valid partial signatures is less than k_t then the message m_t is automatically not passed. We have adopted a receipt-required version of the verifiable democracy protocol. The partial signature sends (PSS) together with the partial signature verification (PSV) imply k_t valid votes. Who can play the role of the combiner? Any person, collection of people, or even the legislators.

Message passed. The message is passed if a signature of m_t can be computed and there were k_t valid votes sent and verified. A vote for m_t is a valid partial signature.

Note that the verification procedures TPSV and PSV may utilize different verifiable secret sharing schemes due to the amount of information the senders in TPSD and PSS, respectively, know. In TPSD the senders know the actual shares, whereas in PSS the senders know only the partial signatures. Whether TPSV and PSV require different verifiable sharing schemes may depend on the threshold signature scheme that is used.

    IV. ABSTAINING

As stated earlier, a legislature may use both absolute majority as well as simple majority, so an e-legislature must be able to support both absolute and simple majority. To secure abstention in an absolute majority type vote, it was suggested [12] to run the verifiable democracy protocol twice: once for the yes votes, and then require those that vote no to participate in a verifiable democracy protocol using a no vote. Then use some method for counting in a secure manner such as [13].

What remains is how to handle simple majority when an abstention takes place. This is a much more challenging problem, since the threshold will change. Recall that the verifiable democracy protocol requires blinding the vote before transferring power. An abstention will require a transfer of signature power (since the threshold will change), but the transfer cannot be achieved in the blind as the verifiable democracy protocol does, since a legislator can only decide whether to abstain based on knowledge of the pending legislation. The remainder of the paper is devoted to how to solve abstention within a simple majority.

Recall we represent the legislature by A = {P_1, ..., P_n}. We use A_t to represent the legislators present at time t. We use L_t to denote those members of A_t who wish to abstain once the message is revealed. Once n_{L_t} participants abstain, the new threshold is k′_t out of n_t − n_{L_t}, where k′_t is the result of going from a k_t out of n_t threshold and having n_{L_t} abstain. Let k_{L_t} = k_t − k′_t.

Model IV.1. A verifiable democratic legislature which supports abstention should possess properties (1) - (4).

(1) Abstainers should be able to abstain after the message m has been revealed.
(2) Any action taken by the abstainer should be independent of B (the set of legislators who vote yes to pass m).
(3) A cheating abstainer should be revealed.
(4) Cheating by an abstainer should not cause termination of a vote.
(5) A cheating abstainer who is trying to prevent the vote should be treated as a no vote, and a cheating abstainer who is trying to pass the law should be treated as a yes voter.

When one considers the above model, the question becomes how one determines whether a cheating abstainer is trying to prevent the vote or pass the law. Further, a cheater may be such that they do not belong to either category and may just be mischievous. This difficulty of determining motive makes the application of (5) impossible. Since it is clear that the intent of a cheater cannot be gauged, we must treat a cheating participant as either a no-voter or an abstainer. We will treat them as a no voter.

    A. Protocols required for abstainers - resharing a share

The following three protocols have been described in [5]. Due to their complexity we will treat them as black-box functions. Realize that one must be careful when utilizing these functions: valid inputs must be available to these functions to achieve the desired results. In the technical version of this paper, the complete details will be discussed thoroughly. In this paper we will assume that the implementation of the verifiable democracy protocol has ensured that there is sufficient ancillary information available, either publicly or to each shareholder, to assure that each invocation of these protocols will achieve the desired results.

Resharing a Share - Share Generation (RSSG). Suppose a participant holds a share S and they wish to share S in an a_t out of b_t manner. This is straightforward, except that the shares that are generated will need to be verified. Since this protocol will reside within the Verifiable Democracy protocol, there will exist ancillary information concerning S. Based on this ancillary information this participant will be able to generate ancillary information concerning the shares of S so they can be verified. For example, if participant P_i wishes to share their partial signature S_i to {P_{j_1}, P_{j_2}, ..., P_{j_{b_t}}}:

$$(S_{j_1,i}, S_{j_2,i}, \ldots, S_{j_{b_t},i}) = \mathrm{RSSG}(i, \mathrm{pubInfo}, S_i),$$

so that

$$S_i = \prod_{j \in B} S_{j,i}^{\lambda_{j,B}}$$

where B is a set of a_t participants B = {P_{j_1}, ..., P_{j_{a_t}}}.5

Resharing a Share - Share Distribution (RSSD). The participant who is sharing out S in an a_t out of b_t manner distributes the shares to the b_t participants. In addition this participant will distribute the ancillary information that will be used to verify the correctness of these shares.

For all r: S_{j_r,i} is sent to P_{j_r}; pubInfo_RSSD_S_i is generated and distributed.

Resharing a Share - Share Verification (RSSV). The ancillary information provided in RSSD is first verified by each participant. Upon verification, the ancillary information is used by each legislator to verify the correctness of their share of S. The verification procedure is devised so that with overwhelming probability it can be determined that a recipient has received a valid share; this is achieved via a verification and complaint protocol.

For all r: verify(S_{j_r,i}, i, pubInfo_RSSD_S_i, pubInfo) = true.

    V. ATTEMPTS AT A SOLUTION

We assume for the sake of simplicity that all legislative decisions are made according to majority rules.6 The result is that the set of participants L_t wish to abstain, so we must go from a k_t out of n_t threshold scheme to a k′_t out of n′_t where

$$k_t = \lfloor n_t/2 \rfloor + 1;\qquad k'_t = \lfloor n'_t/2 \rfloor + 1;\qquad n'_t = n_t - n_{L_t};\qquad k'_t = k_t - k_{L_t}.$$

The change in threshold must occur after message m_t has been unblinded. Consequently we have a set of participants L_t who can act based on the knowledge of this information.

    A. A first attempt at a solution

To achieve a transfer after abstention, any k_{L_t} of the set of abstainers L_t share out their partial signature in a k_t − k_{L_t} out of n_t − n_{L_t} manner by applying the RSSG+RSSD+RSSV protocol to share out their share. Once L_t has completed their application of the RSSG+RSSD+RSSV protocol, all n′_t participants possess 1 + k_{L_t} shares. Due to the manner in which the shares will be combined, the n′_t participants cannot compress their shares. We clarify with an example.

Example V.1. Suppose we have majority rules in a 100 person legislature. At time t, there are n_t = 83 members present. Thus k_t is 42. Consequently any set of 42 legislators can sign m_t, for example

$$\mathrm{Sign}(M, \mathrm{privKey}) = \prod_{i=1}^{42} S_i^{\lambda_{i,B}}$$

where B = {P_1, ..., P_42}, λ_{i,B} is the appropriate scalar and S_i is participant P_i's partial signature.

5 The scalar λ_{i,B} is defined as
$$\lambda_{i,B} = \prod_{j \in B,\; j \neq i} \frac{0 - x_j}{x_i - x_j}.$$
S_{j,i} denotes the share of the partial signature S_i distributed to participant P_j by participant P_i.

6 Majority rules is not a required assumption; this assumption makes it easier to describe the protocol.

Suppose $n_{L_t} = 6$ wish to abstain. Let us assume without loss of generality that $P_1, \ldots, P_6$ abstain. Let us also assume that $P_1, P_2, P_3$ were the abstaining members that were selected to share out their share $S_i$. So each $S_i$ (for $i = 1, 2, 3$) is shared out in a 39 out of 77 manner to the participants $\{P_7, \ldots, P_{83}\}$. Now suppose $B' = \{P_7, \ldots, P_{45}\}$ wish to sign the message. Then $S_u = \prod_{i=7}^{45} S_{u,i}^{\lambda_{i,B'}}$ where $B' = \{P_7, \ldots, P_{45}\}$.$^7$ Consequently
$$\mathrm{Sign}(M, \mathrm{privKey}) = \prod_{i=7}^{45} S_i^{\lambda_{i,B''}} \cdot \prod_{i=7}^{45} S_{1,i}^{\lambda_{1,B''}\lambda_{i,B'}} \cdot \prod_{i=7}^{45} S_{2,i}^{\lambda_{2,B''}\lambda_{i,B'}} \cdot \prod_{i=7}^{45} S_{3,i}^{\lambda_{3,B''}\lambda_{i,B'}}$$
where $B'' = \{P_1, P_2, P_3\} \cup B'$ and $B' = \{P_7, \ldots, P_{45}\}$. So
$$\mathrm{Sign}(M, \mathrm{privKey}) = \prod_{i=7}^{45} \left( S_i^{\lambda_{i,B''}} \cdot S_{1,i}^{\lambda_{1,B''}\lambda_{i,B'}} \cdot S_{2,i}^{\lambda_{2,B''}\lambda_{i,B'}} \cdot S_{3,i}^{\lambda_{3,B''}\lambda_{i,B'}} \right).$$

    Problems with this solution

The $k_{L_t}$ abstainers $\{P_1, P_2, P_3\}$ that participated in the RSSG+RSSD+RSSV protocol have documented that they will abstain. That is, there is a record, in terms of information distributed, that they abstained; in many cases the information would have been broadcast (this would be the ancillary information that is used in the verification RSSD+RSSV part of the protocol). However, there is no record that the other $n_{L_t} - k_{L_t}$ participants $\{P_4, P_5, P_6\}$ abstained. In fact there is nothing that would stop them from participating in the vote and being on record as a yes voter. (Although in our model, if an abstainer backs out and decides to vote, they can only contribute to passing an $m_t$ that would have been passed without their vote.) However, in this protocol, if an abstainer who participated in the RSSG+RSSD+RSSV part of the protocol tries to vote yes (i.e. backs out on being an abstainer), there is a record that they abstained and so they will not be given credit for voting yes. The problem with allowing the $n_{L_t} - k_{L_t}$ participants to participate in the vote is that the threshold has been lowered to 39 because they announced they were abstaining. If just one of them decides to reenter as a voter then the threshold should be 40; however, according to this protocol 39 will be able to pass the legislation. Another problem with this protocol is that each of the $n_t$ participants will now have a share $1 + k_{L_t}$ times the size of the original share. Lastly, there must be communication that takes place to determine who will abstain, because it is required that the abstainers know $n_{L_t}$. The latter two problems are insignificant in comparison to the first.

    B. A second attempt at a solution

The first attempt failed due to the fact that the $n_{L_t} - k_{L_t}$ participants have not participated and there does not exist any public information that documents that they have abstained. We now address this problem. In a $k$ out of $n$ threshold signature application, it is possible that more than $k$ participants will send their partial signatures. In such a case, a combiner will select $k$ verified partial signatures and compute the signature. In our second attempt at a solution, rather than having only $k_{L_t}$ abstainers participate in the RSSG+RSSD+RSSV protocol, we have all $n_{L_t}$ abstainers participate in the RSSG+RSSD+RSSV protocol. By doing so there is a public record that all $n_{L_t}$ have abstained.

So we have all $n_{L_t}$ abstainers share out their shares using the RSSG+RSSD+RSSV protocol in a $k_t - k_{L_t}$ out of $n_t - n_{L_t}$ manner and send those shares to the non-abstainers. In this case, each of the $n_t - n_{L_t}$ non-abstainers has received $n_{L_t}$ shares, so each possesses $1 + n_{L_t}$ shares. Again these participants cannot compress their shares.

To compute the signature it will require that the $k'_t$ participants (non-abstainers) send their partial signatures. However, when these participants send their partial signatures they will send two partial signatures: one their original, and the other the correct combination of the abstainers' shares (see example below). The combiner will have verified partial signatures. When the combiner creates the signature, the actual number of valid partial signatures that the combiner will have received will be $k'_t + n_{L_t}$, which exceeds $k_t$. So the combiner will discard $n_{L_t} - k_{L_t}$ of the non-abstainers' original partial signatures and compute the signature.

$^7$$S_{u,i}$ denotes the partial signature distributed to participant $P_u$ by participant $P_i$, where $i = 1, 2, 3$.

Example V.2. Suppose we have majority rules in a 100-person legislature. At time $t$, there are $n_t = 83$ members present. Thus $k_t$ is 42. Consequently any set of 42 legislators can sign $m_t$, for example $\mathrm{Sign}(M, \mathrm{privKey}) = \prod_{i=1}^{42} S_i^{\lambda_{i,B}}$ where $B = \{P_1, \ldots, P_{42}\}$, and $S_i$ is participant $P_i$'s partial signature. Now suppose that $n_{L_t} = 6$ participants wish to abstain. Thus in this example $k_{L_t} = 3$. Again assume that $P_1, \ldots, P_6$ abstain. So each $S_i$ (for $i = 1, \ldots, 6$) is shared out in a 39 out of 77 manner to the participants $\{P_7, \ldots, P_{83}\}$. Suppose that the set $B' = \{P_7, \ldots, P_{45}\}$ wishes to vote for the message. First observe that $S_u = \prod_{i=7}^{45} S_{u,i}^{\lambda_{i,B'}}$ where $B' = \{P_7, \ldots, P_{45}\}$. Therefore each $P_i \in B'$ will send $S_i^{\lambda_{i,B''}}$ and $\prod_{u=1}^{6} S_{u,i}^{\lambda_{u,B''}\lambda_{i,B'}}$ where $B'' = \{P_1, \ldots, P_6\} \cup B'$. Now the combiner selects $36 = 39 - (6 - 3) = k'_t - (n_{L_t} - k_{L_t})$ of the original partial signatures $S_i^{\lambda_{i,B''}}$. Assume that the combiner selected $\{P_7, \ldots, P_{42}\}$. Then
$$\mathrm{Sign}(M, \mathrm{privKey}) = \prod_{i=7}^{42} S_i^{\lambda_{i,B''}} \cdot \prod_{i=7}^{45} \prod_{u=1}^{6} S_{u,i}^{\lambda_{u,B''}\lambda_{i,B'}}.$$

    Problems with this solution

There is a problem with this solution in the case of a cheating abstainer. If an abstainer is caught cheating, then they definitely should not be characterized as an abstainer. That is, suppose $P_6$ was caught cheating during the RSSG+RSSD+RSSV protocol; then $n_{L_t}$ becomes 5. In our example this will affect $k_{L_t}$: under the premise that $P_6$ is caught cheating, $k_{L_t}$ changes to 2 and $k'_t$ becomes 40. However, given the information distributed in the protocol, any 39 of the non-abstainers can compute the partial signatures of $\{P_1, \ldots, P_5\}$. Altogether these 39 would control $39 + 5$ partial signatures and hence they can sign. But $k'_t$ would be 40. The problem with this solution is that a cheating abstainer would be treated as an abstainer. There is another problem with this protocol in that each of the $n_t$ participants will now have a share $1 + n_{L_t}$ times the size of the original share. Lastly, there must be communication that takes place to determine who will abstain, because it is required that the abstainers know $n_{L_t}$.
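The two attempts above combine RSA partial signatures multiplicatively, $\mathrm{Sign} = \prod_i S_i^{\lambda_{i,B}}$. The following is an added worked example, not code from the paper: it mirrors Examples V.1 and V.2 with additive Shamir sharing over a prime field, so the same Lagrange scalars $\lambda_{i,B}$ of footnote 5 first rebuild each reshared $S_u$ from the $k'_t$ non-abstainers $B'$ and then the secret from $B'' = $ resharers $\cup$ selected originals. The field modulus, random seed, the 9-member legislature, and the function names are constructed for this example; the `resharers` argument selects the first attempt ($k_{L_t}$ abstainers reshare) or the second (all $n_{L_t}$ reshare and the combiner discards $n_{L_t} - k_{L_t}$ originals).

```python
# Added illustration, not code from the paper.  The paper combines RSA partial
# signatures multiplicatively (Sign = prod_i S_i^{lambda_{i,B}}); this toy uses
# additive Shamir sharing over a prime field, so the same Lagrange scalars
# lambda_{i,B} = prod_{j in B, j != i} (0 - x_j)/(x_i - x_j) combine shares as
# secret = sum_i lambda_{i,B} * S_i.  Participant P_i uses x_i = i.
# The modulus, seed and the 9-member legislature are constructed for the example.
import random

P = 2**61 - 1            # prime modulus of the toy field (assumption)
rng = random.Random(7)   # fixed seed so the run is reproducible


def majority_threshold(n):
    """k = floor(n/2) + 1, the majority-rules threshold used by the paper."""
    return n // 2 + 1


def share(secret, k, xs):
    """Shamir-share `secret` with threshold k at the x-coordinates in xs."""
    coeffs = [secret] + [rng.randrange(P) for _ in range(k - 1)]
    return {x: sum(c * pow(x, e, P) for e, c in enumerate(coeffs)) % P
            for x in xs}


def lagrange(i, B):
    """lambda_{i,B}: the Lagrange scalar of footnote 5, evaluated at 0."""
    num, den = 1, 1
    for j in B:
        if j != i:
            num = num * (0 - j) % P
            den = den * (i - j) % P
    return num * pow(den, P - 2, P) % P


def sign_with_abstention(secret, n_t, abstainers, resharers):
    """Additive replay of Sections V.A / V.B.

    abstainers: the set L_t.  resharers: the abstainers who run
    RSSG+RSSD+RSSV (k_{L_t} of them in the first attempt, all n_{L_t} in
    the second).  Returns (reconstructed value, k_t, k'_t, number of
    values each non-abstainer ends up holding).
    """
    if any(u not in abstainers for u in resharers):
        raise ValueError("only abstainers reshare")
    members = list(range(1, n_t + 1))
    k_t = majority_threshold(n_t)
    S = share(secret, k_t, members)                  # S_i: P_i's partial signature
    non_abst = [i for i in members if i not in abstainers]
    k_prime = majority_threshold(len(non_abst))      # k'_t = floor(n'_t/2) + 1
    # Each resharing abstainer u hands S_{u,i}, a k'_t-of-n'_t share of S_u, to P_i.
    resh = {u: share(S[u], k_prime, non_abst) for u in resharers}
    # Any k'_t non-abstainers B' can reconstruct every reshared S_u ...
    B1 = non_abst[:k_prime]
    # ... and the combiner keeps only k_t - |resharers| original partial
    # signatures so that B'' = resharers U originals has exactly k_t members
    # (in the second attempt this discards n_{L_t} - k_{L_t} originals).
    originals = B1[:k_t - len(resharers)]
    B2 = list(resharers) + originals
    total = sum(lagrange(i, B2) * S[i] for i in originals)
    for u in resharers:
        # S_u^{lambda_{u,B''}} = prod_i S_{u,i}^{lambda_{u,B''} lambda_{i,B'}}:
        # this exponent differs from lambda_{i,B''}, which is why P_i cannot
        # merge S_{u,i} into its own share and holds 1 + |resharers| values.
        total += lagrange(u, B2) * sum(lagrange(i, B1) * resh[u][i] for i in B1)
    return total % P, k_t, k_prime, 1 + len(resharers)


if __name__ == "__main__":
    # 9-member legislature, P_1 and P_2 abstain: k_t = 5, k'_t = 4, k_{L_t} = 1.
    print(sign_with_abstention(123456789, 9, (1, 2), (1,)))     # first attempt
    print(sign_with_abstention(123456789, 9, (1, 2), (1, 2)))   # second attempt
```

The last component of the result makes the share-growth remark concrete: a non-abstainer holds $1 + k_{L_t}$ values after the first attempt and $1 + n_{L_t}$ after the second. The first attempt's threshold problem is visible in the same numbers: once $P_1$ has reshared, four non-abstainers suffice even if the non-resharing abstainer $P_2$ re-enters, although `majority_threshold(8)` says five of the eight then present should be needed. With fewer than $k_{L_t}$ resharers the reconstruction returns garbage, since the non-abstainers alone never reach $k_t$ points.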

VI. THE THIRD ATTEMPT: A PARTIAL SOLUTION

This attempt at a solution does not require the abstainer to determine $n_{L_t}$, and so the extra communication that the previous attempts at a solution required will not be needed. Assume we have applied the Verifiable Democracy protocol and achieved a $k_t$ out of $n_t$ scheme. If a participant wishes to abstain they wait until the first abstainer completes their communications and then they share out their partial signature in a $k_{t,1}$ out of $n_{t,1}$ manner using the RSSG+RSSD+RSSV protocol. Here $n_{t,1} = n_t - 1$ and $k_{t,1}$ is the appropriate threshold (it will either be $k_t$ or $k_t - 1$ depending on whether $n_t$ was odd or even). If another participant wishes to abstain they share out their partial signature in a $k_{t,2}$ out of $n_{t,2}$ manner using the RSSG+RSSD+RSSV protocol, where $n_{t,2} = n_{t,1} - 1$ and $k_{t,2}$ is the appropriate threshold (either $k_{t,1}$ or $k_{t,1} - 1$). Once the RSSG+RSSD+RSSV protocol has been completed, if $k_{t,2} - k_{t,1} < 0$ then this abstainer broadcasts the share distributed from the first abstainer; otherwise (if $k_{t,2} - k_{t,1} \ge 0$) they broadcast nothing. The remaining participants can verify its correctness using the RSSV protocol and the ancillary information that was provided by the first abstainer within the RSSG+RSSD+RSSV protocol. (This participant is not considered a true abstainer unless this broadcast share is verified.) This continues in this manner until the last abstainer has shared out their partial signature. Here the last abstainer broadcasts each share it received from the previous abstainers, or nothing, depending on whether $k_{t,n_{L_t}} - k_{t,n_{L_t}-1} < 0$ or not. Again, each of these shares can be verified (using information from a previous RSSG+RSSD+RSSV session). This last abstainer is not treated as an abstainer until all shares are verified. If $n_{L_t}$ represents the number of abstainers then each of the $k_t$ non-abstainers will have received $n_{L_t}$ shares (they also possess their own partial signature). As before, these participants cannot compress their shares. In addition to the shares possessed by the participants, there exist the broadcast shares that will need to be used. The total number of broadcast shares is on the order of $O(n_{L_t}^2)$ (a better approximation would be $n_{L_t}^2/4$). To clarify, consider the following example.

Example VI.1. Suppose we have majority rules in a 100-person legislature. At time $t$, there are $n_t = 83$ members present. Thus $k_t$ is 42. Consequently any set of 42 legislators can sign $m_t$; for example the signature of $m_t$ is $\prod_{i=1}^{42} S_i^{\lambda_{i,B}}$ where $B = \{P_1, \ldots, P_{42}\}$, and $S_i$ is the partial signature. Now suppose $n_{L_t} = 6$ participants wish to abstain. Again assume that $P_1, \ldots, P_6$ abstain. $P_1$ shares out their partial signature in a 42 out of 82 manner using the RSSG+RSSD+RSSV protocol. $P_2$ shares out their partial signature in a 41 out of 81 manner using the RSSG+RSSD+RSSV protocol. Once the verification has been completed, $P_2$ broadcasts its share $S_{2,1}$ that it received from $P_1$. (This share $S_{2,1}$ is verified by all participants.) $P_3$ shares out their partial signature in a 41 out of 80 manner using the RSSG+RSSD+RSSV protocol. $P_4$ shares out their partial signature in a 40 out of 79 manner using the RSSG+RSSD+RSSV protocol and then broadcasts all 3 shares distributed to them by the first three abstainers. $P_5$ shares out their partial signature in a 40 out of 78 manner using the RSSG+RSSD+RSSV protocol. Finally, $P_6$ shares out their partial signature in a 39 out of 77 manner using the RSSG+RSSD+RSSV protocol. Once the verification has been completed, $P_6$ broadcasts one at a time $S_{6,1}, S_{6,2}, \ldots, S_{6,5}$. The set of broadcast shares is $\{S_{i,j} : i = 2, 4, 6,\ 1 \le j$ $42 = k_t$ partial signatures.

    Problems with this solution

The main problem with this attempt is that there is an attack, but the attack will be detected by the Verifiable Democracy protocol. Let us discuss the attack. Suppose that $P_7$ provides to a coalition of 38 (perhaps their political party or faction) all the shares they received from the abstainers, but $P_7$ does NOT share their partial signature. That is, $P_7$ is willing to help this coalition of 38 to pass the legislation, but $P_7$ does not want to publicly vote yes to this legislation (perhaps $P_7$ fears retribution from their constituents if they vote on $m_t$). The result is that $P_7$ provides help to pass the message without voting for it. With this help from $P_7$, this coalition of 38 will be able to sign the message, yet they never used $P_7$'s share. We now point out that the Verifiable Democracy protocol requires that shares sent to be combined be verified, and so this will be detected. There is another problem with this protocol in that each of the $n_t$ participants will now have a share $O\!\left(1 + \frac{n_{L_t}(n_{L_t}+1)}{2}\right)$ times the size of the original share.

    Improving the partial solution

According to our model, the abstainers should have documentation that they abstain. Yet in all of our previous attempts this documentation never appears in the signature. The improvement that we make to our third attempt will incorporate the abstainers into the signature. Here we will modify what we mean by a signature and how we verify a signature (what it means to say a law is passed). Abstainers will follow the same procedure described above. If a participant wishes to abstain they share out their partial signature in a $k_{t,1}$ out of $n_{t,1}$ manner using the RSSG+RSSD+RSSV protocol. Here $n_{t,1} = n_t - 1$ and $k_{t,1}$ is the appropriate threshold (it will either be $k_t$ or $k_t - 1$ depending on whether $n_t$ was odd or even). If another participant wishes to abstain they share out their partial signature in a $k_{t,2}$ out of $n_{t,2}$ manner using the RSSG+RSSD+RSSV protocol, where $n_{t,2} = n_{t,1} - 1$ and $k_{t,2}$ is the appropriate threshold (either $k_{t,1}$ or $k_{t,1} - 1$). Once the RSSG+RSSD+RSSV protocol has been completed, if $k_{t,2} - k_{t,1} < 0$ then this abstainer broadcasts the share distributed from the first abstainer; otherwise (if $k_{t,2} - k_{t,1} \ge 0$) they broadcast nothing. We continue in this manner until the last abstainer has completed the required operations. Again assume that $n_{L_t}$ is the number of abstainers. Once a call for votes is made, each yes voter will submit both their partial signature as well as the combination of the shares distributed to them by the abstainers. Let $B$ denote the set of yes voters and let denote the number of partial signatures sent to the combiner (this includes both the partial signatures held by the participants in $B$ as well as the partial signatures of the abstainers). Then if the combiner uses the $|B|$ original partial signatures as well as the $n_{L_t}$ (result of manipulating the combinations) many abstainers' partial signatures, then the combiner will possess $= |B| + n_{L_t}$ partial signatures. Thus the signature can be generated if $|B| \ge k_{t,n_{L_t}}$, which implies that $= |B| + n_{L_t} \ge k_{t,n_{L_t}} + n_{L_t} \ge k_t$. Define by $k_{t,n_{L_t}} + n_{L_t} = k_t +$ . The combiner now selects $+1$ many participants who have submitted (perhaps in proxy) their partial signatures; this set is denoted by $\{P_{i_1}, \ldots, P_{i_{+1}}\}$ (this could include, by proxy, the abstainers, since the abstainers' partial signatures were submitted by the $|B|$ many yes voters). Then for each $j = 1, \ldots, +1$, using the partial signatures from
$$\big((B \cup L_t) \setminus \{P_{i_1}, \ldots, P_{i_{+1}}\}\big) \cup \{P_{i_j}\},$$
the combiner can compute the signature of $m_t$. The law is passed provided that all of the $+1$ reconstructed threshold signatures turn out to be verified signatures. This verify function will define what it means to say that a law $m_t$ is passed (i.e. that the signature is verified). The attack described earlier is no longer relevant, since the coalition of 38 will not be able to pass the legislation unless $P_7$ actually is willing to send their partial signature, which implies that they commit to a yes vote.
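As an added example (not the paper's code), the resharing schedule of this section and the verification rule of the improved partial solution are written out below in Python. The function names are chosen here, and the excess of $k_{t,n_{L_t}} + n_{L_t}$ over $k_t$, which the paper defines but whose symbol is lost in this copy, is called `delta` in the code; the input values reproduce Example VI.1 (83 present, six abstainers) and the coalition-of-38 attack.

```python
# Added illustration, not code from the paper: the sequential-resharing
# schedule of Section VI and the (delta + 1)-fold verification of the improved
# partial solution.  Abstainer j reshares in a k_{t,j}-out-of-n_{t,j} manner
# with n_{t,j} = n_{t,j-1} - 1 and k_{t,j} = floor(n_{t,j}/2) + 1, and
# broadcasts the j-1 shares received from earlier abstainers exactly when
# k_{t,j} - k_{t,j-1} < 0.  The name `delta` for the excess defined by
# k_{t,n_L} + n_L = k_t + delta is chosen here, not taken from the paper.


def majority_threshold(n):
    """k = floor(n/2) + 1, the majority-rules threshold."""
    return n // 2 + 1


def abstention_schedule(n_t, n_L):
    """Return [(n_{t,j}, k_{t,j}, shares broadcast by abstainer j)] for j = 1..n_L."""
    rows = []
    k_prev = majority_threshold(n_t)        # k_{t,0} = k_t
    for j in range(1, n_L + 1):
        n_j = n_t - j
        k_j = majority_threshold(n_j)
        # The threshold drops only on every other abstention; the abstainer
        # who triggers the drop publishes all j-1 shares it holds from earlier
        # abstainers, so the lowered threshold is backed by verifiable public data.
        broadcast = j - 1 if k_j - k_prev < 0 else 0
        rows.append((n_j, k_j, broadcast))
        k_prev = k_j
    return rows


def total_broadcast(n_t, n_L):
    """Total number of broadcast shares; the paper approximates it by n_L^2 / 4."""
    return sum(b for _, _, b in abstention_schedule(n_t, n_L))


def reconstruction_rounds(n_t, n_L, yes_voters):
    """Improved verification rule.  With |B| yes voters the combiner holds
    |B| + n_L partial signatures, delta = k_{t,n_L} + n_L - k_t, and must
    perform delta + 1 reconstructions.  Returns (delta, rounds, |B| >= k_{t,n_L})."""
    k_t = majority_threshold(n_t)
    k_last = majority_threshold(n_t - n_L)  # k_{t,n_L}
    delta = k_last + n_L - k_t
    return delta, delta + 1, yes_voters >= k_last


def reconstruction_sets(B, L, chosen):
    """For each chosen P_{i_j}, the signer set ((B u L) minus chosen) u {P_{i_j}}.
    Each set has |B| + n_L - (len(chosen) - 1) members, i.e. exactly k_t when
    len(chosen) == delta + 1 and |B| == k_{t,n_L}, so every chosen participant's
    partial signature is indispensable in its own reconstruction."""
    chosen = list(chosen)
    pool = [p for p in list(B) + list(L) if p not in chosen]
    return [pool + [p] for p in chosen]


if __name__ == "__main__":
    # Example VI.1: 83 present, P_1..P_6 abstain.
    for n_j, k_j, b in abstention_schedule(83, 6):
        print(f"{k_j} out of {n_j}, broadcasts {b} share(s)")
    print(total_broadcast(83, 6))            # 9, matching 6^2 / 4
    print(reconstruction_rounds(83, 6, 39))  # (3, 4, True)
    print(reconstruction_rounds(83, 6, 38))  # (3, 4, False): the coalition of 38
```

The schedule reproduces the example's thresholds 42, 41, 41, 40, 40, 39 and the broadcasts by $P_2$ (one share), $P_4$ (three) and $P_6$ (five), nine shares in total. The coalition of 38 fails the $|B| \ge k_{t,n_{L_t}}$ condition even though $38 + 6$ exceeds $k_t = 42$, which is the point of counting yes voters separately from the abstainer shares they carry by proxy.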

    VII. CONCLUSION

We have described a partial solution to abstaining in an electronic legislature. A minority can attempt to generate a signature of a message/law, but they would be detected. We have provided a remedy by re-thinking the interpretation of what it means for a message to become law. As we have noted, a single legislature may require both absolute-majority type votes as well as simple-majority type votes. It is awkward to have two different solutions. In particular, the real awkwardness is to have two distinct ways to verify that the vote has passed the message. Future work will be to develop abstention schemes for absolute majority and simple majority whose verification protocols are identical. Other future work will include implementing, enhancing, and developing an e-legislature prototype which supports the Verifiable Democracy protocol as well as supporting protocols that support abstention. The final outcome is expected to support a real-time e-legislature.

    REFERENCES

[1] B. Chor, S. Goldwasser, S. Micali, and B. Awerbuch. Verifiable secret sharing and achieving simultaneity in the presence of faults. In Proceedings of the 26th IEEE Symposium on the Foundations of Computer Science, FOCS, pages 383-395, 1985.

[2] M. Burmester. Homomorphisms of secret sharing schemes: a tool for verifiable signature sharing. In Proc. of Eurocrypt '96, Lecture Notes in Computer Science, LNCS 1070, Springer Verlag, pages 96-105, 1996.

[3] Continuity of Government Commission. 2002. http://www.continuityofgovernment.org

[4] Y. Desmedt and Y. Frankel. Homomorphic zero-knowledge threshold schemes over any finite Abelian group. SIAM J. on Discrete Math., vol. 7, no. 4, pages 667-679, 1994.

[5] Y. Desmedt and B. King. Verifiable democracy. IFIP TC6/TC11 Joint Working Conference on Communications and Multimedia Security (CMS '99), Kluwer Academic Publishers, 1999, pages 53-70.

[6] Y. Desmedt and B. King. Verifiable democracy: a protocol to secure an electronic legislature. EGOV 2002, eGovernment: State of the Art and Perspectives, Aix-en-Provence (France), September 2-6, 2002, (Lecture Notes in Computer Science), Springer Verlag.

[7] K. Dougherty and J. Edward. Simple vs. Absolute Majority Rule. http://www.fiu.edu/dougherk/simple.pdf

[8] M. Franklin and M. Reiter. Verifiable signature sharing. In Advances in Cryptology - Eurocrypt '95, Lecture Notes in Computer Science 435, Springer Verlag, pages 50-63, 1990.

[9] R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin. Robust and efficient sharing of RSA functions. In Advances in Cryptology - Crypto '96, Lecture Notes in Computer Science 1109, Springer Verlag, pages 157-172, 1996.

[10] H. Ghodosi and J. Pieprzyk. Democratic Systems. ACISP 2001, pages 392-402.

[11] W. Juang, C. Lei and H. Liaw. A Verifiable Multi-Authority Secret Election Allowing Abstention from Voting. The Computer Journal, Volume 45, Issue 6, 2002, pp. 672-682.

[12] M. Kuhn. Personal communication.

[13] M. Kuhn. Probabilistic Counting of Large Digital Signature Collections. Proceedings of the 9th USENIX Security Symposium, Denver, Colorado, USA, August 14-17, 2000, USENIX Association, pp. 73-83.

[14] T. Pedersen. A threshold cryptosystem without a trusted party. In Advances in Cryptology, Proc. of Eurocrypt '91, LNCS 547, Springer-Verlag, pages 522-526, 1991.

[15] R. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public key cryptosystems. Commun. ACM, 21, pages 120-126, 1978.

[16] Robert's Rules of Order Revised. http://www.constitution.org/rror/rror--00.htm

[17] Standing orders of the Scottish Parliament. Session 1 (2001). http://www.scottish.parliament.uk/parl_bus/sto-3.htm

[18] A. Shamir. How to share a secret. Commun. ACM, 22, pages 612-613, Nov. 1979.

[19] U.S. House of Representatives Committee on Financial Services. The European Union's Financial Services Action Plan. http://financialservices.house.gov/media/pdf/052202dd.pdf
