Securing abstention in an electronic legislature
Brian King
Purdue School of Eng. & Tech., Indiana Univ. Purdue Univ. Indianapolis
Yvo Desmedt
University College London
Florida State Univ.
Abstract. The reasons for developing an electronic legislature (e-legislature) include: an improved legislature, increasing the constituents' access to the legislator, improving participation in government and providing our government with a mobile distributed legislature that will be able to continue to meet even in the face of some drastic activity like terrorism. The essence of a legislature is political and consequently its members will certainly act in such a way. Thus one must assume that legislators would take advantage of the lack of physical presence in a legislature if it was not secured. In [5], [6] an electronic legislation scheme was proposed that secured the government from malicious behavior of legislators. The protocol described in [5], [6] provided only minimal legislative voting options; to create a realistic e-legislature one must support all likely functions. Most legislatures allow their members to abstain. The process of introducing abstention into an e-legislature can be formative, especially in the case when the legislature passes statutes by simple majority. Here we discuss how to secure an e-legislature which supports abstention.
I. INTRODUCTION
The process of integrating digital technology into our government to achieve e-government will provide improved services as well as bring greater accessibility of governmental services to the people. However, there exist several other reasons to consider e-government; one is that it may provide a means to ensure the continuity of services and government in the case of some drastic action.
Within the context of this work we are interested in developing a special type of electronic voting which we characterize as e-legislature or e-laws. Electronic voting for general elections has become an active area of research; its impact will be significant whenever (or if ever) a secure and efficient e-voting scheme is constructed. An electronic legislature will provide several important services, like improving government, increasing access of constituents to their representatives, and, for several other reasons, including that it will ensure the continuity of the government in cases where the physical legislature cannot meet. Its impact will be important for that reason alone.
There are several reasons to be interested in developing an electronic legislature (e-legislature). One is that an e-legislature is desirable since it will ensure the delivery of the
actions of a legislature, especially given the increasing specter
of a terrorist attack made on the government. In the September 11th terrorist attack, potential targets had included the White House and/or the Capitol Building. If either attack would have
been successful it is certain that a disruption of our governing
body would have occurred. Immediately following this attack,
a second terrorism attack occurred, the mailing of anthrax
spores to U.S. legislators. This attack successfully stopped the
U.S. House of Representatives from meeting, and restricted
the contact of the U.S. Senate. Fortunately the stoppage was
brief, due to the fact that the anthrax contamination was limited
to an office complex for the senators. Comparable attacks on
governing bodies have been enacted on other governments.
One solution to this problem of terrorism disrupting the
legislature is to create the means for the legislature to convene
remotely, i.e. a mobile legislature. The U.S. Congress has recognized this need and has proposed legislation to develop electronic legislatures as a means of continuing government in the face of a terrorist attack [3].
In an electronic legislature, the legislature's ability to pass
or to not pass legislation should be thought of as the legislature
digitally signing (with some secret key) the legislation or not
signing the legislation. The power held by each legislator to
vote on legislation will need to be a share of the legislature
key (the one that will generate this legislature signature).
The potential threats to an electronic legislature can come
from both external and internal sources. Traditional computer
security and cryptographic tools can be used to protect the
e-legislature from most of these external threats (intrusion detection, denial-of-service, authentication, confidentiality, etc.). However, new tools need to be developed to protect the e-
legislature from internal threats. The internal abuse is the
potential that can seriously diminish the integrity of the legisla-
tive body. When considering an electronic legislature, we ask: will such a legislature be as representative as the physical government in place? The danger of using a distributed electronic government is that the mechanisms for reining in legislative abuse are not necessarily in place due to lack of
the physical proximity of participants. The concern for the
possibility of cheating among participants in an electronic
legislature is warranted. Politics in government has always
been built with factions and coalitions. Required protocols
need to be secured. For example, the fact that the number of legislators varies will pose a security problem, because we will need to redistribute the power to vote (i.e. redistribute digital
shares). One would not want to generate a new legislature
secret key, since a key should last as long as the legislature
(for example in the case of the U.S. House of Representatives,
its duration is 2 years).
A legislative body, like the Senate or House of Repre-
sentatives, will pass laws according to some minimum
number of required yes votes, which is often a proportion
0-7695-2268-8/05/$20.00 (C) 2005 IEEE
Proceedings of the 38th Hawaii International Conference on System Sciences - 2005
of the body present (some possibilities include majority or
two-thirds). This is an example of a threshold application,
however the threshold is dynamic since it will depend on
a proportion of the (legislative) body that is present. Con-
sequently to achieve an electronic legislature, a scheme is
needed which allows transfer of the legislative signing power
from the (original) fully attended body to the body present.
One problem that arises is that the entire original body is
not present to participate, but that is easy to overcome using
threshold cryptography. The difficulty with developing such a
scheme is the realization that the legislators must be treated
as adversarial and hence untrustworthy. That is, the legislators
are in competition with each other and they may attempt to
take advantage, for political gain, the fact that the process of
transferring signature process will take place. In light of this
competition, a verifiable transfer of power needs to take
place. In [5], [6], a model was introduced which described
the requirements for a verifiable democracy. Protocols which
provided partial solutions and described how to achieve
verifiable democracy were described in [5], [6], [10].
The protocols described in [5], [6], [10] provided only the minimal amount of legislative services. For an e-legislature to
actually be implemented, other legislative services need to be
offered, for example abstention. Abstention of e-voting within
a general election has been examined [11], but abstention
within an e-legislature has never been examined. The act
of abstaining is a necessary voting option for a legislator.
Abstention allows a legislator to remove themselves from a
vote. There are several reasons for a legislator to want to abstain; some of the reasons include abstaining because of a conflict of interest and abstaining to avoid problems with their constituency.
Integral to the verifiable democracy protocol described in
[5], [6] is the blinding of the message/law. The basis of this requirement is discussed in detail in [5], [6]. Within a legislature, it is possible that legislators may wish to abstain from voting on certain legislation. Of course the decision for abstaining (or for not abstaining) must be made after the content of the message is revealed. The way abstention is handled may depend on the legislature, or it may depend on the type of voting the legislature is utilizing, or it may even depend on what is being voted on. In a majority type vote, there are two rules that are most likely to be used to handle abstention: in the first case the abstention will be noted but it will be treated as a no vote; this is referred to as absolute majority. In the second case the majority will be determined by the total number of the yes and no votes, whichever is larger constitutes the majority; this is called a simple majority [7].^1 In the case of a simple majority, the threshold will change whenever an abstention takes place, whereas in an absolute majority the threshold remains unchanged. Robert's Rules of Order [16] provides no guide as to how abstentions should be handled. There are numerous examples of both types of majorities used in legislatures. Simple majorities are used for several types of voting in both houses of the US Congress, the British House of Commons [7], the Scottish Parliament [17], and the college of the Commission of the European Union [19]. Absolute majority is used as well in several places; for example certain votes in the U.S. Congress will require absolute majorities. One can generalize the notion of the classification of a majority to classify the two-thirds type vote and define absolute two-thirds, as well as simple two-thirds.
^1 A third possible rule would be to count an abstaining vote as a yes vote.
Consequently since a legislature may use both absolute
majority as well as simple majority, an e-legislature must be
able to support both absolute and simple majority. The goal
of this paper is to describe a protocol that will provide the
means to implement abstention within the e-legislature.
II. BACKGROUND: TOOLS AND TERMINOLOGY
Suppose Alice wishes to send to Bob a signature of message $M$. Alice applies a hash function $h()$ to $M$, so that $m = h(M)$. Alice sends to Bob $M$ and $\mathrm{Sign}(M, privKey)$, whereupon Bob can verify the signature using the verify function, where $\mathrm{verify}(M, X, pubKey)$ is a boolean function: it returns true provided $X$ is $\mathrm{Sign}(M, privKey)$, otherwise it returns false. If the signature is verified then Bob accepts the message. Some examples of signature schemes that can be used in this protocol include the RSA signature scheme and the El Gamal signature scheme. In a $k$ out of $n$ threshold sharing scheme the secret key $privKey$ is shared out to $n$ participants, so that any subset $B$ of $k$ participants can combine their shares and construct $privKey$, while any subset of cardinality $k - 1$ gains no information about $privKey$. In a $k$ out of $n$ threshold signature scheme, the signing key $privKey$ is shared out to $n$ participants so that any $k$ participants can sign a message $M$. We let $S_i$ denote participant $P_i$'s partial signature (think of a partial signature as a share of the signature). When the participants wish to sign a message they will send their partial signatures to some combiner who will combine their shares to form the signature:

$$\mathrm{Sign}(M, privKey) = \prod_{i \in B} S_i^{\lambda_{i,B}} = S_{j_1}^{\lambda_{j_1,B}} \cdot S_{j_2}^{\lambda_{j_2,B}} \cdots S_{j_k}^{\lambda_{j_k,B}}$$

where $B$ is the set of $k$ members $B = \{P_{j_1}, \ldots, P_{j_k}\}$, $\lambda_{i,B}$ is the appropriate scalar and $S_i$ is participant $P_i$'s partial signature.^2
Verifiable signature sharing [1], [8], [14] is a cryptographic
sharing technique which allows a holder of document to
distribute shares of the signature of the document to proxies
(participants), so that the proxies can later reconstruct and
sign the document (if they wish). Further, by the end of
the distribution phase, honest proxies can verify that they
have been given shares of the authentic signature, without
reconstructing the signature. In an electronic voting scheme,
if a voter receives data/information such that this data allows
^2 The most likely operation used with partial signatures is multiplication; this operation is dependent on the cryptographic primitive used. The scalar $\lambda_{i,B}$ is a public value dependent on $i$ and the set $B$ of participants. In most applications it is defined as $\lambda_{i,B} = \prod_{j \in B,\, j \neq i} \frac{0 - x_j}{x_i - x_j}$.
others (as well as the voter) to verify how the voter's vote has been counted, we say that the voter has left a receipt. A voting scheme is said to be receipt-free provided that no receipt is left for the voter which allows others to verify the voter's vote. In the case of an e-legislature, since the legislator is a representative of the people, we would require that the voting scheme leaves a receipt.
III. ILLUSTRATIONS OF PROBLEMS THAT CAN ARISE IN AN ELECTRONIC LEGISLATURE
Let $A = \{P_1, \ldots, P_n\}$ denote the legislature. Let $A_t$ represent the set of legislators present at time $t$; thus $A_t \subseteq A$. Suppose $n$ represents the size of the original legislature and $n_t$ represents the number of legislators present at time $t$. A session is a continuous period of time for which the legislators present, $A_t$, can vote on legislation and the set of participants present remains fixed.
As noted earlier, the manner in which a legislature votes
is similar to a threshold signature scheme, and the power
to sign legislation is similar to possessing shares to sign. In
this application the threshold $k$ denotes the quorum of the legislature, the minimum number of legislators required to be present in order for legislation to be passed. The threshold $k_t$ represents the threshold required to pass legislation at time $t$; for example, in a legislature for which majority rules, $k_t = \lfloor |A_t|/2 \rfloor + 1$.^3 Every time the legislature $A_t$ changes, some type of redistribution of shares will need to take place. Redistribution is possible as long as a quorum $k$ of legislators exists, i.e. $|A_t| \geq k$.
Some problems that the verifiable democracy protocol must overcome include the following (for more details/descriptions of these problems we suggest the reader see [5], [6]). First, the transfer
of signature power needs to be temporary. If legislators send
their shares of the key to other legislators then these legislators can use this information to sign other laws. In fact they can impersonate this legislator in future votes. Temporary sharing is achieved by having $k$ participants $P_{i_1}, \ldots, P_{i_k}$ transfer their partial signatures instead of their power to sign. Consequently the transfer will be message-oriented.
Secondly, observe that a few of the $k$ (out of the $n_t$) participants $P_{i_1}, \ldots, P_{i_k}$ could defeat the process by not properly transferring their power (shares). This would be especially true if the message (law) was such that they had a vested interest that the law should not be passed. Thus, as the transfer of power is message oriented, there is a need for the set $P_{i_1}, \ldots, P_{i_k}$ to transfer power blindly (i.e. encrypt the message before sharing).
Third, the participants $A_t = \{P_1, \ldots, P_{n_t}\}$, when given an opportunity to act on legislation, must know that the outcome (sign or not sign) is a result of their decision and not a result of bad faith on the part of the participants $P_{i_1}, \ldots, P_{i_k}$ who had transferred them the power to sign. Hence, the participants $P_1, \ldots, P_{n_t}$ need to be able to verify that they were actually given the power to sign that message.
^3 The floor of $x$, denoted by $\lfloor x \rfloor$, is the largest integer $\leq x$.
Fourth, no set of participants should gain any information
about a motion made during an illegal session, a session
where either cheaters have been discovered or the number
of legislators present is less than the quorum $k$. Otherwise, they could use this knowledge to act in later sessions. This provides another reason to blind the motion.
Fifth, in a receipt-required version of verifiable democracy,
for each legislator belonging to $A_t$ there must exist a record as to how that legislator voted. Note that if each legislator sends a
validated partial signature (which we interpret as a valid vote)
then this provides a receipt that the legislator voted in favor
of the message. We could use the lack of a validated partial
signature as a no vote.
Lastly, we assume that the network is sufficiently reliable
(connected) even to deal with a few routers destroyed by
terrorists.
The requirements are described by the following model [5].
VERIFIABLE DEMOCRACY MODEL
(i) (completeness) If $n_t$ exceeds or equals the quorum $k$, then for any set of legislators $B_t$ with $|B_t| \geq k_t$, either $B_t$ can sign $m_t$ or they can identify the cheaters among themselves.
(ii) (soundness) If $B_t \not\subseteq A_t$ or if $|B_t| < k_t$ then $B_t$ cannot sign any new message $m_t$.
(iii) The action of the cheaters should be independent of the message. Therefore for any set $B'$ (representing a set of cheaters) with $|B'| < k$, one should not be able to distinguish the way $B'$ acts with message $m$ from the way they act with a message $m'$ (distinguish in terms of cheating strategies).
(iv) If $n_t < k$ or if cheaters have been discovered, then no subset of $A_t$ should gain any information about $m_t$. Therefore one should not be able to distinguish the information distributed by the members of $A_t$ for message $m$ from the information distributed for a message $m'$.
(v) If the set of participants $A_t$ vote on $m_t$, then for all $P \in A_t$ there exists a public receipt $x_P$ such that $x_P$ demonstrates how $P$ voted for $m_t$.
The basic functions of the e-legislature protocol described in
[5], [6] are provided below.
A. Verifiable Democracy Protocol: a democratic threshold scheme
During the set-up, the legislature is empowered with a secret key so that any $k$ out of $n$ can compute the secret signing key. If $n_t \geq k$ we proceed with the protocol; if $n_t < k$ then there are not enough legislators to pass the legislation. At any time $t$, a message/law $m_t$ may be proposed. $A_t$ represents the set of participants present at time $t$, $n_t = |A_t|$, and $k_t$ represents the threshold (the minimal number of participants required to sign). We now review the integral functions in the verifiable democracy protocol [5], [6]; we omit technical details and refer the reader to [5] for them.
Legislative key generation. A secret key $privKey$ is distributed to the $n$ participants so that a blinded message/law can be signed in a $k$ out of $n$ threshold manner. In addition
to distributing shares of $privKey$ this distributor generates ancillary information^4 which is used later to verify partial signatures. (For example if the protocol utilizes RSA signatures a test message is generated and all $n$ partial signatures of the test message are broadcast. The test message and
partial signatures of test message play an important role in the
verification of future partial signatures. This can be performed
by a trusted third party or by the participants using a protocol
such as [5], [10]).
Blinding message. The participant $P$, who proposes message $m_t$, blinds $m_t$ before they present it to the legislative body $A_t$.
Transfer of Power Partial Signature Generation TPSG. As long as $n_t$ exceeds (or equals) $k$, the message will be considered for signing. If so, $k$ participants in $A_t$ are chosen and they generate partial signatures for the blinded $m_t$.
Transfer of Power Partial Signature Distribution TPSD. Each of the $k$ participants shares out their partial signature in a $k_t$ out of $n_t$ manner to $A_t$ (we will refer to these $k$ participants as partial signature distributors). Each participant in $A_t$ has received $k$ shares, whereupon they compress the $k$ shares to one share. In addition to distributing partial signatures, the partial signature distributors will also distribute ancillary information which allows the legislative body $A_t$ to verify the correctness of the partial signatures of the blinded $m_t$.
Transfer of Power Partial Signature Verification TPSV. The ancillary information provided in TPSD is first verified by each legislator in $A_t$. Upon verification the ancillary information is used by each legislator to verify the correctness of their share of the partial signature of the blinded $m_t$. The verification procedure is devised so that with overwhelming probability it can be determined that a recipient has received a valid share; this is achieved via a verification and complaint protocol. If a verification fails then a complaint will be raised; at that time a cheater has been detected, and what remains is a protocol to determine whether the cheater is the partial share distributor or the complainer. The consequence is that the completion of this stage with no complaints implies that the signature power for the message has been transferred to $A_t$ such that any $k_t$ can sign the message.
Unblind the message. The message is revealed to the legislature. Who reveals the message? $P$ could. Or if one utilizes a trusted chairperson as in [10], then the trusted chairperson could reveal $m_t$. In [5], the protocol utilized RSA signatures and so the legislators themselves could unblind the message without the legislators revealing their partial signature of $m_t$.
Decision vote on $m_t$. The legislators decide whether to vote for or against $m_t$.
^4 This ancillary information will be broadcast to all, i.e. public record. The nature of the ancillary information is dependent on the verifiable sharing scheme that is used. For example for El Gamal use [14] and for RSA use [9] and [2].
Partial Signatures Sent PSS. If any legislator wishes to vote for the by now known $m_t$ they send their share of the partial signature of the blinded $m_t$.
Verification of the signature determining the passage of $m_t$ PSV. If $k_t$ or more participants have sent their partial signatures then the message may be passed. If so, the combiner selects any $k_t$ of the sent partial signatures and verifies the correctness of these partial signatures using the ancillary information provided within this protocol. For each one of these invalid partial signatures the combiner selects one of the remaining partial signatures sent and verifies it. If the number of valid partial signatures is less than $k_t$ then the message $m_t$ is automatically not passed. We have adopted a receipt-required version of the verifiable democracy protocol. The partial signature sends (PSS) together with the partial signature verification (PSV) implies $k_t$ valid votes. Who can play the role of the combiner? Any person, collection of people, or even the legislators.
Message passed. The message is passed if a signature of $m_t$ can be computed and there were $k_t$ valid votes sent and verified. A vote for $m_t$ is a valid partial signature.
Note that the verification procedures TPSV and PSV may
utilize different verifiable secret sharing schemes due to the
amount of information the senders TPSD and PSS, respec-
tively, know. In TPSD the senders know the actual shares,
whereas in PSS the senders know only the partial signatures.
Whether TPSV and PSV require different verifiable sharing
schemes may depend on the threshold signature scheme that
is used.
IV. ABSTAINING
As stated earlier, a legislature may use both absolute majority as well as simple majority; an e-legislature must be able to support both absolute and simple majority. To secure
abstention in an absolute majority type vote, it was suggested
[12] to run the verifiable democracy protocol twice, once
for the yes votes and then require those that vote no to
participate in a verifiable democracy protocol using a no
vote. Now use some method for counting in a secure manner
such as [13].
What remains is how to handle simple majority when an
abstention takes place. This is a much more challenging
problem, since the threshold will change. Recall that the
verifiable democracy protocol requires blinding the vote before
transferring power. An abstention will require a transfer of signature power (since the threshold will change), but the
transfer cannot be achieved in the blind as the verifiable
democracy protocol does, since a legislator can only decide
on whether to abstain based on the knowledge of the pending
legislation. The remainder of the paper is devoted to how to
solve abstention within a simple majority.
Recall we represent the legislature by $A = \{P_1, \ldots, P_n\}$. We use $A_t$ to represent the legislators present at time $t$. We use $L_t$ to denote those members of $A_t$ who wish to abstain once
the message is revealed. Once $n_{L_t}$ participants abstain, the new threshold is $k'_t$ out of $n_t - n_{L_t}$, where $k'_t$ is the result of going from a $k_t$ out of $n_t$ threshold and having $n_{L_t}$ abstain. Let $k_{L_t} = k_t - k'_t$.
Model IV.1. A verifiable democratic legislature which sup-
ports abstention should possess properties (1) - (4).
(1) Abstainers should be able to abstain after the message
m has been revealed.
(2) Any action taken by the abstainer should be independent
of B (the set of legislators who vote yes to pass the m).
(3) A cheating abstainer should be revealed.
(4) Cheating by an abstainer should not cause termination
of a vote.
(5) A cheating abstainer who is trying to prevent the vote
should be treated as a no vote, and a cheating abstainer who
is trying to pass the law should be treated as a yes voter.
When one considers the above model, the question becomes
how does one determine if a cheating abstainer is trying to
prevent the vote or pass the law. Further, a cheater may be such that they do not belong to either category and may just
be mischievous. This difficulty of determining motive makes
the application of (5) impossible. Since it is clear that the
intent of a cheater cannot be gauged, we must treat a cheating
participant as either a no-voter or an abstainer. We will treat
them as a no voter.
A. Protocols required for abstainers - resharing a share
The following three protocols have been described in [5].
Due to their complexity we will treat them as black-box func-
tions. Realize that one must be careful when utilizing these functions; valid inputs must be available to these functions
to achieve the desired results. In the technical version of
this paper, the complete details will be discussed thoroughly.
In this paper we will assume that the implementation of
the verifiable democracy protocol has ensured that there is
sufficient ancillary information available either publicly or
to each shareholder to assure that each invocation of these
protocols will achieve the desired results.
Resharing a Share - Share Generation RSSG. Suppose a participant holds a share $S$ and they wish to share $S$ in an $a_t$ out of $b_t$ manner. This is straightforward, except that the shares that are generated will need to be verified. Since this protocol will reside within the Verifiable Democracy protocol there will exist ancillary information concerning $S$. Based on this ancillary information this participant will be able to generate ancillary information concerning the shares of $S$ so they can be verified. For example if participant $P_i$ wishes to share their partial signature $S_i$ to $\{P_{j_1}, P_{j_2}, \ldots, P_{j_{b_t}}\}$:

$$(S_{j_1,i}, S_{j_2,i}, \ldots, S_{j_{b_t},i}) = \mathrm{RSSG}(i, pubInfo, S_i),$$

so that $S_i = \prod_{j \in B} S_{j,i}^{\lambda_{j,B}}$ where $B$ is a set of $a_t$ participants $B = \{P_{j_1}, \ldots, P_{j_{a_t}}\}$.^5

Resharing a Share - Share Distribution RSSD. The participant who is sharing out $S$ in an $a_t$ out of $b_t$ manner distributes the shares to the $b_t$ participants. In addition this participant will distribute the ancillary information that will be used to verify the correctness of these shares:

for all $r$: $S_{j_r,i}$ is sent to $P_{j_r}$, and $pubInfo\_RSSD\_S_i$ is generated and distributed.

Resharing a Share - Share Verification RSSV. The ancillary information provided in RSSD is first verified by each participant. Upon verification, the ancillary information is used by each legislator to verify the correctness of their share of $S$. The verification procedure is devised so that with overwhelming probability it can be determined that a recipient has received a valid share; this is achieved via a verification and complaint protocol:

for all $r$: $\mathrm{verify}(S_{j_r,i}, i, pubInfo\_RSSD\_S_i, pubInfo) = \mathrm{true}$.
V. ATTEMPTS AT A SOLUTION
We assume for the sake of simplicity that all legislative decisions are made according to majority rules.^6 The result is that the set of participants $L_t$ wish to abstain, so we must go from a $k_t$ out of $n_t$ threshold scheme to a $k'_t$ out of $n'_t$, where $k_t = \lfloor n_t/2 \rfloor + 1$; $k'_t = \lfloor n'_t/2 \rfloor + 1$; $n'_t = n_t - n_{L_t}$; and $k'_t = k_t - k_{L_t}$. The change in threshold must occur after message $m_t$ has been unblinded. Consequently we have a set of participants $L_t$ who can act based on the knowledge of this information.
A. A first attempt at a solution
To achieve a transfer after abstention, any $k_{L_t}$ of the set of abstainers $L_t$ share out their partial signature in a $k_t - k_{L_t}$ out of $n_t - n_{L_t}$ manner by applying the RSSG+RSSD+RSSV protocol to share out their share. Once $L_t$ has completed their application of the RSSG+RSSD+RSSV protocol, then all $n_t$ participants possess $1 + k_{L_t}$ shares. Due to the manner in which the shares will be combined, the $n_t$ participants cannot compress their shares. We clarify with an example.
Example V.1. Suppose we have majority rules in a 100 person legislature. At time $t$, there are $n_t = 83$ members present. Thus $k_t$ is 42. Consequently any set of 42 legislators can sign $m_t$, for example

$$\mathrm{Sign}(M, privKey) = \prod_{i=1}^{42} S_i^{\lambda_{i,B}}$$
^5 The scalar $\lambda_{j,B}$ is defined analogously to $\lambda_{i,B}$ in footnote 2, i.e. $\lambda_{i,B} = \prod_{j \in B,\, j \neq i} \frac{0 - x_j}{x_i - x_j}$. $S_{j,i}$ denotes the share of the partial signature $S_i$ distributed to participant $P_j$ by participant $P_i$.
^6 Majority rules is not a required assumption; this assumption makes it easier to describe the protocol.
where $B = \{P_1, \ldots, P_{42}\}$, $\lambda_{i,B}$ is the appropriate scalar and $S_i$ is participant $P_i$'s partial signature.
Suppose $n_{L_t} = 6$ wish to abstain. Let us assume without loss of generality that $P_1, \ldots, P_6$ abstain. Let us also assume that $P_1, P_2, P_3$ were the abstaining members that were selected to share out their share $S_i$. So each $S_i$ (for $i = 1, 2, 3$) is shared out in a 39 out of 77 manner to the participants $\{P_7, \ldots, P_{83}\}$. Now suppose $B' = \{P_7, \ldots, P_{45}\}$ wish to sign the message. Then for each $i \in \{1, 2, 3\}$,

$$S_i = \prod_{u=7}^{45} S_{u,i}^{\lambda_{u,B'}} \quad \text{where } B' = \{P_7, \ldots, P_{45}\}.^7$$

Consequently

$$\mathrm{Sign}(M, privKey) = \prod_{u=7}^{45} S_u^{\lambda_{u,B}} \cdot \prod_{u=7}^{45} S_{u,1}^{\lambda_{1,B}\lambda_{u,B'}} \cdot \prod_{u=7}^{45} S_{u,2}^{\lambda_{2,B}\lambda_{u,B'}} \cdot \prod_{u=7}^{45} S_{u,3}^{\lambda_{3,B}\lambda_{u,B'}}$$

where $B = \{P_1, P_2, P_3\} \cup B'$ and $B' = \{P_7, \ldots, P_{45}\}$. So

$$\mathrm{Sign}(M, privKey) = \prod_{u=7}^{45} \left( S_u^{\lambda_{u,B}} \, S_{u,1}^{\lambda_{1,B}\lambda_{u,B'}} \, S_{u,2}^{\lambda_{2,B}\lambda_{u,B'}} \, S_{u,3}^{\lambda_{3,B}\lambda_{u,B'}} \right).$$
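The combination algebra of Section II and the resharing of Example V.1, as an added worked example (this is not code from the paper or its authors): partial signatures are modelled as $S_i = g^{s_i}$ in a constructed toy discrete-log group so the product formulas above can be executed directly, and the majority-rule thresholds of Section V are computed by `thresholds`. The group parameters, function names and the choice of a seeded random key are assumptions made for the example.

```python
"""Worked model of Example V.1: 83 of 100 present, P1..P6 abstain, P1..P3 reshare."""
import random

# Toy group (constructed for this example; far too small for real use):
# p = 2q + 1 is a safe prime and g = 4 generates the subgroup of prime
# order q, so a "partial signature" can be modelled as S_i = g^{s_i} and
# combined multiplicatively exactly as in the paper's product formulas.
P, Q, G = 2039, 1019, 4


def lagrange(i, B):
    """Public scalar lambda_{i,B} = prod_{j in B, j != i} (0 - x_j)/(x_i - x_j)
    (footnote 2), computed mod Q with the convention x_j = j."""
    num = den = 1
    for j in B:
        if j != i:
            num = num * (-j) % Q
            den = den * (i - j) % Q
    return num * pow(den, -1, Q) % Q


def share(secret, k, holders, rng):
    """Shamir k-out-of-len(holders) sharing of `secret` over Z_Q."""
    coeffs = [secret] + [rng.randrange(Q) for _ in range(k - 1)]

    def poly(x):
        return sum(c * pow(x, e, Q) for e, c in enumerate(coeffs)) % Q

    return {j: poly(j) for j in holders}


def thresholds(n_t, n_L):
    """Majority rule (Section V): k_t = floor(n_t/2)+1, k'_t for the body
    after n_L abstentions, and k_{L_t} = k_t - k'_t."""
    k_t = n_t // 2 + 1
    k_prime = (n_t - n_L) // 2 + 1
    return k_t, k_prime, k_t - k_prime


def combine(parts, signers, lagrange_set, factor=1):
    """prod_{i in signers} parts[i]^{lambda_{i,lagrange_set} * factor} mod P."""
    out = 1
    for i in signers:
        exp = lagrange(i, lagrange_set) * factor % Q
        out = out * pow(parts[i], exp, P) % P
    return out


def example_v1(seed=1):
    """Returns (k_t, k'_t, k_{L_t}, whether B' = {P7..P45} reproduced the signature)."""
    rng = random.Random(seed)
    n_t, n_L = 83, 6
    k_t, k_prime, k_L = thresholds(n_t, n_L)            # 42, 39, 3
    priv = rng.randrange(1, Q)                          # constructed legislature key
    legislature_sig = pow(G, priv, P)                   # value a valid signing reproduces
    present = list(range(1, n_t + 1))                   # A_t = {P1..P83}
    s = share(priv, k_t, present, rng)                  # k_t-out-of-n_t key shares
    S = {i: pow(G, s[i], P) for i in present}           # partial signatures S_i
    # Any 42 of A_t sign: prod_{i in B} S_i^{lambda_{i,B}} (Section II formula).
    assert combine(S, present[:k_t], present[:k_t]) == legislature_sig

    abstainers = [1, 2, 3]                              # the k_L abstainers who reshare
    non_abst = list(range(7, n_t + 1))                  # P7..P83, 77 members
    sub = {}                                            # sub[a][u] is the paper's S_{u,a}
    for a in abstainers:
        s_a = share(s[a], k_prime, non_abst, rng)       # 39-out-of-77 resharing of s_a
        sub[a] = {u: pow(G, s_a[u], P) for u in non_abst}

    B_prime = list(range(7, 46))                        # B' = {P7..P45}, 39 signers
    B = abstainers + B_prime                            # B = {P1,P2,P3} U B', 42 members
    sig = combine(S, B_prime, B)                        # prod_{u in B'} S_u^{lambda_{u,B}}
    for a in abstainers:                                # prod S_{u,a}^{lambda_{a,B} lambda_{u,B'}}
        sig = sig * combine(sub[a], B_prime, B_prime, lagrange(a, B)) % P
    return k_t, k_prime, k_L, sig == legislature_sig


if __name__ == "__main__":
    print(example_v1())  # (42, 39, 3, True)
```

Calling `thresholds(83, 5)` gives $k'_t = 40$, which is the threshold the text says should apply if one of the six abstainers re-enters the vote.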
Problems with this solution
The $k_{L_t}$ abstainers $\{P_1, P_2, P_3\}$ that participated in the RSSG+RSSD+RSSV protocol have documented that they will abstain. That is, there is a record in terms of information distributed that they abstained; in many cases the information would have been broadcast (this would be the ancillary information that is used in the verification RSSD+RSSV part of the protocol). However, there is no record that the other $n_{L_t} - k_{L_t}$ participants $\{P_4, P_5, P_6\}$ abstained. In fact there is nothing that would stop them from participating in the vote and being on record as a yes voter. (Although in our model, if an abstainer backs out and decides to vote they can only contribute to passing an $m_t$ that would have been passed without their vote.) However in this protocol, if an abstainer who participated in the RSSG+RSSD+RSSV part of the protocol tries to vote yes (i.e. backs out on being an abstainer) there is a record that they abstained and so they will not be given credit for voting yes. The problem with allowing the $n_{L_t} - k_{L_t}$ participants to participate in the vote is that the threshold has been lowered to 39 because they announced they were abstaining. If just one of them decides to reenter as a voter then the threshold should be 40; however according to this protocol 39 will be able to pass the legislation. Another problem with this protocol is that each of the $n_t$ participants will now have a share $1 + k_{L_t}$ times the size of the original share. Lastly, there must be communication that takes place to determine who will abstain, because it is required that the abstainers know $n_{L_t}$. The latter two problems are insignificant in comparison to the first.
B. A second attempt at a solution
The first attempt failed due to the fact that the $n_{L_t} - k_{L_t}$ participants have not participated and there does not exist any public information that documents that they have abstained.
Footnote 7: $S_{u,i}$ denotes the share of abstainer $P_u$'s partial signature ($u = 1, 2, 3$) that $P_u$ distributed to participant $P_i$.
We now address this problem. In a $k$ out of $n$ threshold signature application, it is possible that more than $k$ participants will send their partial signatures. In such a case, a combiner will select $k$ verified partial signatures and compute the signature. In our second attempt at a solution, rather than having only $k_{L_t}$ abstainers participate in the RSSG+RSSD+RSSV protocol, we have all $n_{L_t}$ abstainers participate in it. By doing so there is a public record that all $n_{L_t}$ have abstained.

So we have all $n_{L_t}$ abstainers share out their shares using the RSSG+RSSD+RSSV protocol in a $k_t - k_{L_t}$ out of $n_t - n_{L_t}$ manner and send those shares to the non-abstainers. In this case, each of the $n_t - n_{L_t}$ non-abstainers has received $n_{L_t}$ shares, so each possesses $1 + n_{L_t}$ shares. Again these participants cannot compress their shares.

To compute the signature it will require that $k_t - k_{L_t}$ participants (non-abstainers) send their partial signatures. However, when these participants send their partial signatures they will send two partial signatures, one their original and the other the correct combination of the abstainers' shares (see example below). The combiner will have verified partial signatures. When the combiner creates the signature, the actual number of valid partial signatures that the combiner will have received will be $(k_t - k_{L_t}) + n_{L_t}$, which exceeds $k_t$ by $n_{L_t} - k_{L_t}$. So the combiner will discard $n_{L_t} - k_{L_t}$ of the non-abstainers' original partial signatures and compute the signature.
Example V.2. Suppose we have majority rules in a 100 person legislature. At time $t$, there are $n_t = 83$ members present. Thus $k_t$ is 42. Consequently any set of 42 legislators can sign $m_t$, for example $\mathrm{Sign}(M, privKey) = \prod_{i=1}^{42} S_i^{\lambda_{i,B}}$ where $B = \{P_1, \ldots, P_{42}\}$ and $S_i$ is participant $P_i$'s partial signature. Now suppose that $n_{L_t} = 6$ participants wish to abstain. Thus in this example $k_{L_t} = 3$. Again assume that $P_1, \ldots, P_6$ abstain. So each $S_i$ (for $i = 1, \ldots, 6$) is shared out in a 39 out of 77 manner to the participants $\{P_7, \ldots, P_{83}\}$. Suppose that the set $B' = \{P_7, \ldots, P_{45}\}$ wishes to vote for the message. First observe that, for $u = 1, \ldots, 6$, $S_u = \prod_{i=7}^{45} S_{u,i}^{\lambda_{i,B'}}$ where $B' = \{P_7, \ldots, P_{45}\}$. Therefore each $P_i \in B'$ will send $S_i^{\lambda_{i,\bar B}}$ and $\prod_{u=1}^{6} S_{u,i}^{\lambda_{i,B'}\,\lambda_{u,\bar B}}$, where $\bar B = \{P_1, \ldots, P_6\} \cup B'$. Now the combiner selects $36 = 39 - (6 - 3) = (k_t - k_{L_t}) - (n_{L_t} - k_{L_t}) = k_t - n_{L_t}$ of the original partial signatures $S_i^{\lambda_{i,\bar B}}$. Assume that the combiner selected $\{P_7, \ldots, P_{42}\}$. Then

$$\mathrm{Sign}(M, privKey) = \prod_{i=7}^{42} S_i^{\lambda_{i,\bar B}} \cdot \prod_{i=7}^{45} \prod_{u=1}^{6} S_{u,i}^{\lambda_{i,B'}\,\lambda_{u,\bar B}},$$

where the Lagrange coefficients $\lambda_{\cdot,\bar B}$ must be computed with respect to the 42-member set $\bar B = \{P_1, \ldots, P_6\} \cup \{P_7, \ldots, P_{42}\}$ that is actually used in the reconstruction (a coefficient computed for a different set of participants would yield a value that does not verify).
Problems with this solution
There is a problem with this solution in the case of a cheating abstainer. If an abstainer is caught cheating, then they definitely should not be characterized as an abstainer. That is, suppose $P_6$ was caught cheating during the RSSG+RSSD+RSSV protocol; then $n_{L_t}$ becomes 5. In our example this will affect $k_{L_t}$: under the premise that $P_6$ is caught cheating, $k_{L_t}$ changes to 2 and $k_t$ becomes 40 (a majority of the 78 remaining voters). However, given the information distributed in the protocol, any 39 of the non-abstainers can compute the partial signatures of $\{P_1, \ldots, P_5\}$. Altogether these 39 would control $39 + 5$ partial signatures and hence they can sign. But $k_t$ would be 40. The problem with this solution is that a cheating abstainer would be treated as an abstainer. There is another problem with this protocol in that each of the $n_t$ participants will now have a share $1 + n_{L_t}$ times the size of the original share. Lastly, there must be communication that takes place to determine who will abstain, because it is required that the abstainers know $n_{L_t}$.

0-7695-2268-8/05/$20.00 (C) 2005 IEEE
Proceedings of the 38th Hawaii International Conference on System Sciences - 2005
VI. THE THIRD ATTEMPT: A PARTIAL SOLUTION
This attempt at a solution does not require the abstainer to determine $n_{L_t}$, and so the extra communication that the previous attempts required will not be needed. Assume we have applied the Verifiable Democracy protocol and achieved a $k_t$ out of $n_t$ scheme. The first abstainer shares out their partial signature in a $k_{t,1}$ out of $n_{t,1}$ manner using the RSSG+RSSD+RSSV protocol, where $n_{t,1} = n_t - 1$ and $k_{t,1}$ is the appropriate threshold (it will be $k_t$ if $n_t$ was odd and $k_t - 1$ if $n_t$ was even). If another participant wishes to abstain, they wait until the first abstainer completes their communications and then share out their partial signature in a $k_{t,2}$ out of $n_{t,2}$ manner using the RSSG+RSSD+RSSV protocol, where $n_{t,2} = n_{t,1} - 1$ and $k_{t,2}$ is the appropriate threshold (either $k_{t,1}$ or $k_{t,1} - 1$). Once the RSSG+RSSD+RSSV protocol has been completed, if $k_{t,2} - k_{t,1} < 0$ then this abstainer broadcasts the share distributed to them by the first abstainer; otherwise (if $k_{t,2} - k_{t,1} \ge 0$) they broadcast nothing. The remaining participants can verify its correctness using the RSSV protocol and the ancillary information that was provided by the first abstainer within the RSSG+RSSD+RSSV protocol. (This participant is not considered a true abstainer unless this broadcasted share is verified.) This continues in this manner until the last abstainer has shared out their partial signature. Here the last abstainer broadcasts each share it received from the previous abstainers, or nothing, depending on whether $k_{t,n_{L_t}} - k_{t,n_{L_t}-1} < 0$ or not. Again, each of these shares can be verified (using information from a previous RSSG+RSSD+RSSV session). This last abstainer is not treated as an abstainer until all shares are verified. If $n_{L_t}$ represents the number of abstainers, then each of the non-abstainers will have received $n_{L_t}$ shares (they also possess their own partial signature). As before, these participants cannot compress their shares. In addition to the shares possessed by the participants, there exist the broadcasted shares that will need to be used. The total number of broadcasted shares is on the order of $O(n_{L_t}^2)$ (a better approximation is $n_{L_t}^2/4$). To clarify, consider the following example.
Example VI.1. Suppose we have majority rules in a 100 person legislature. At time $t$, there are $n_t = 83$ members present. Thus $k_t$ is 42. Consequently any set of 42 legislators can sign $m_t$; for example the signature of $m_t$ is $\prod_{i=1}^{42} S_i^{\lambda_{i,B}}$ where $B = \{P_1, \ldots, P_{42}\}$ and $S_i$ is the partial signature of $P_i$. Now suppose $n_{L_t} = 6$ participants wish to abstain. Again assume that $P_1, \ldots, P_6$ abstain. $P_1$ shares out their partial signature in a 42 out of 82 manner using the RSSG+RSSD+RSSV protocol. $P_2$ shares out their partial signature in a 41 out of 81 manner using the RSSG+RSSD+RSSV protocol. Once the verification has been completed, $P_2$ broadcasts the share $S_{2,1}$ that it received from $P_1$. (This share $S_{2,1}$ is verified by all participants.) $P_3$ shares out their partial signature in a 41 out of 80 manner using the RSSG+RSSD+RSSV protocol. $P_4$ shares out their partial signature in a 40 out of 79 manner using the RSSG+RSSD+RSSV protocol and then broadcasts all 3 shares distributed to them by the first three abstainers. $P_5$ shares out their partial signature in a 40 out of 78 manner using the RSSG+RSSD+RSSV protocol. Finally, $P_6$ shares out their partial signature in a 39 out of 77 manner using the RSSG+RSSD+RSSV protocol. Once the verification has been completed, $P_6$ broadcasts one at a time $S_{6,1}, S_{6,2}, \ldots, S_{6,5}$. The set of broadcasted shares is $\{S_{i,j} : i = 2, 4, 6,\ 1 \le j < i\}$ [...] $42 = k_t$ partial signatures.
Problems with this solution
The main problem with this attempt is that there is an attack, although the attack will be detected by the Verifiable Democracy protocol. Let us discuss the attack. Suppose that $P_7$ provides to a coalition of 38 (perhaps their political party or faction) all the shares they received from the abstainers, but $P_7$ does NOT share their partial signature. That is, $P_7$ is willing to help this coalition of 38 to pass the legislation but $P_7$ does not want to publicly vote yes to this legislation (perhaps $P_7$ fears retribution from their constituents if they vote on $m_t$). Together with $P_7$'s shares the coalition holds 39 shares of each abstainer's partial signature, which, combined with the broadcasted shares, is enough to reconstruct all six of them. With this help from $P_7$, the coalition of 38 will be able to sign the message with $38 + 6 = 44 \ge k_t$ partial signatures, yet they never used $P_7$'s own partial signature; the result is that $P_7$ provides help to pass the message without voting for it. We now point out that the Verifiable Democracy protocol requires that shares sent to be combined be verified, and so this will be detected. There is another problem with this protocol in that each of the $n_t$ participants will now have a share $O\big(1 + n_{L_t}(n_{L_t}+1)/2\big)$ times the size of the original share.
Improving the partial solution
According to our model, the abstainers should have documentation that they abstain. Yet in all of our previous attempts this documentation never appears in the signature. The improvement that we make to our third attempt will incorporate the abstainers into the signature. Here we modify what we mean by a signature and how we verify a signature (what it means to say a law is passed). Abstainers will follow the same procedure described above. If a participant wishes to abstain they share out their partial signature in a $k_{t,1}$ out of $n_{t,1}$ manner using the RSSG+RSSD+RSSV protocol.
Here $n_{t,1} = n_t - 1$ and $k_{t,1}$ is the appropriate threshold (it will be $k_t$ if $n_t$ was odd and $k_t - 1$ if $n_t$ was even). If another participant wishes to abstain they share out their partial signature in a $k_{t,2}$ out of $n_{t,2}$ manner using the RSSG+RSSD+RSSV protocol, where $n_{t,2} = n_{t,1} - 1$ and $k_{t,2}$ is the appropriate threshold (either $k_{t,1}$ or $k_{t,1} - 1$). Once the RSSG+RSSD+RSSV protocol has been completed, if $k_{t,2} - k_{t,1} < 0$ then this abstainer broadcasts the share distributed to them by the first abstainer; otherwise (if $k_{t,2} - k_{t,1} \ge 0$) they broadcast nothing. We continue in this manner until the last abstainer has completed the required operations. Again assume that $n_{L_t}$ is the number of abstainers, and let $L_t$ denote the set of abstainers. Once a call for votes is made, each yes voter submits both their own partial signature and the combination of the shares distributed to them by the abstainers. Let $B$ denote the set of yes voters. If the combiner uses the $|B|$ original partial signatures as well as the $n_{L_t}$ abstainers' partial signatures (the result of manipulating the submitted combinations), then the combiner possesses $|B| + n_{L_t}$ partial signatures. Thus the signature can be generated if $|B| \ge k_{t,n_{L_t}}$, which implies that $|B| + n_{L_t} \ge k_{t,n_{L_t}} + n_{L_t} \ge k_t$. Call $k_{t,n_{L_t}} + n_{L_t} - k_t$ the excess, so that $k_{t,n_{L_t}} + n_{L_t} = k_t + \text{excess}$. The combiner now selects $\text{excess} + 1$ many participants who have submitted (perhaps by proxy) their partial signatures; this set is denoted $\{P_{i_1}, \ldots, P_{i_{\text{excess}+1}}\}$ (it may include abstainers, by proxy, since the abstainers' partial signatures were submitted by the $|B|$ yes voters). Then for each $j = 1, \ldots, \text{excess}+1$, using the partial signatures from

$$\big((B \cup L_t) \setminus \{P_{i_1}, \ldots, P_{i_{\text{excess}+1}}\}\big) \cup \{P_{i_j}\},$$

the combiner computes the signature of $m_t$. Each such reconstruction uses $|B| + n_{L_t} - \text{excess} = |B| + k_t - k_{t,n_{L_t}}$ partial signatures, which is at least $k_t$ exactly when $|B| \ge k_{t,n_{L_t}}$; this is why every one of the $\text{excess}+1$ reconstructions is required to verify. The law is passed provided that all of the $\text{excess} + 1$ reconstructed threshold signatures turn out to be verified signatures. This verify function defines what it means to say that a law $m_t$ is passed (i.e. that the signature is verified). The attack described earlier is no longer relevant, since the coalition of 38 will not be able to pass the legislation unless $P_7$ is actually willing to send their partial signature, which implies that they commit to a yes vote.
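The combination arithmetic of Example V.2 and the sequential re-sharing, broadcast rule, attack and improved check of Section VI, as an added example that is not the paper's code. It substitutes a small discrete-log group for the paper's RSA partial signatures (the prime $p = 2039$, the subgroup order $q = 1019$, the generator $g = 4$ and the hashed message are constructed for the example, and a partial signature is $h^{s_i} \bmod p$), and it replaces the Verifiable Democracy key distribution and the RSSG+RSSD+RSSV checks with plain Shamir sharing, so only the threshold bookkeeping and the Lagrange combination are modelled. The function names (`abstain_sequentially`, `law_passed`, `run_example`) are this example's own, and the verify oracle compares against $h^d$ in place of public-key verification.

```python
"""Toy threshold signing with abstention: the Example V.2 combination and the
Section VI re-sharing, attack and improved check.  Added example, not the paper's
code.  Assumed (not from the paper): group = order-q subgroup of Z_p^*, p = 2q+1 =
2039, q = 1019, g = 4; partial signature on hash h is h^{s_i} mod p (discrete-log
stand-in for RSA); plain Shamir sharing replaces Verifiable Democracy and the
RSSG+RSSD+RSSV checks, so only threshold bookkeeping and combination are modelled."""
import random

P, Q, G = 2039, 1019, 4   # safe prime p = 2q + 1; G generates the order-q subgroup

def majority(n):
    """Simple-majority threshold for n voters: more than half of them."""
    return n // 2 + 1

def shamir(secret, k, xs, rng):
    """Share secret (mod Q) with threshold k; returns {x: f(x)} for x in xs."""
    coeffs = [secret % Q] + [rng.randrange(Q) for _ in range(k - 2)]
    if k > 1:
        coeffs.append(rng.randrange(1, Q))   # non-zero top coefficient: k-1 points never suffice
    return {x: sum(c * pow(x, e, Q) for e, c in enumerate(coeffs)) % Q for x in xs}

def lagrange(i, xs):
    """lambda_{i,B}: coefficient of point i when interpolating the set xs at x = 0."""
    num = den = 1
    for j in xs:
        if j != i:
            num, den = num * j % Q, den * (j - i) % Q
    return num * pow(den, -1, Q) % Q

def combine(partials):
    """prod_{i in B} S_i^{lambda_{i,B}} mod P; correct only if |B| >= the threshold."""
    sig = 1
    for i, s in partials.items():
        sig = sig * pow(s, lagrange(i, partials), P) % P
    return sig

def abstain_sequentially(shares, abstainers, rng):
    """Section VI: A_j re-shares its share to the n_t - j members not in A_1..A_j with
    threshold majority(n_t - j); if that threshold dropped, A_j broadcasts every share
    it received from A_1..A_{j-1}.  Returns (resharings, broadcast, thresholds)."""
    resharings, broadcast, thresholds = {}, {u: {} for u in abstainers}, []
    remaining, k_prev = set(shares), majority(len(shares))
    for j, u in enumerate(abstainers, 1):
        remaining.discard(u)
        k_j = majority(len(remaining))
        resharings[u] = shamir(shares[u], k_j, sorted(remaining), rng)
        if k_j < k_prev:
            for v in abstainers[: j - 1]:
                broadcast[v][u] = resharings[v][u]   # A_v's share held by A_j is now public
        thresholds.append(k_j)
        k_prev = k_j
    return resharings, broadcast, thresholds

def reconstruct_abstainers(h, abst_partials, broadcast):
    """S_u = prod_i S_{u,i}^{lambda_{i,B'}} from the submitted S_{u,i} = h^{s_{u,i}}
    plus the public broadcast shares (anyone can raise h to those)."""
    recon = {}
    for u, pts in abst_partials.items():
        recon[u] = combine({**pts, **{j: pow(h, s, P) for j, s in broadcast[u].items()}})
    return recon

def law_passed(yes, abst_sigs, k_t, k_last, verify):
    """Improved verification (end of Section VI): yes = {i: S_i} from the yes voters,
    abst_sigs = {u: S_u} obtained by proxy, k_last = k_{t,n_Lt}."""
    pool = {**yes, **abst_sigs}
    excess = k_last + len(abst_sigs) - k_t          # k_{t,n_Lt} + n_Lt = k_t + excess
    chosen = sorted(pool)[: excess + 1]
    # each reconstruction drops `excess` of the chosen partials and so uses
    # |yes| + k_t - k_last of them: at least k_t exactly when |yes| >= k_last
    for keep in chosen:
        subset = {i: s for i, s in pool.items() if i not in chosen or i == keep}
        if not verify(combine(subset)):
            return False
    return True

def run_example(seed=1):
    """Example VI.1 and the Section VI attack: n_t = 83, k_t = 42, P1..P6 abstain."""
    rng = random.Random(seed)
    d, h = rng.randrange(1, Q), pow(G, 1234, P)    # private key, hashed message (constructed)
    k_t = majority(83)
    shares = shamir(d, k_t, range(1, 84), rng)      # the 42-of-83 scheme from Verifiable Democracy
    abstainers = [1, 2, 3, 4, 5, 6]
    resh, bcast, ks = abstain_sequentially(shares, abstainers, rng)
    verify = lambda sig: sig == pow(h, d, P)        # oracle standing in for public-key verification
    def submit(voters, leakers=()):   # what the combiner receives from voters (and leakers)
        yes = {i: pow(h, shares[i], P) for i in voters}
        abst = {u: {i: pow(h, resh[u][i], P) for i in voters + list(leakers)} for u in abstainers}
        return yes, reconstruct_abstainers(h, abst, bcast)
    honest = submit(list(range(7, 46)))                 # 39 yes voters P7..P45
    leaked = submit(list(range(8, 46)), leakers=[7])    # 38 yes voters plus P7's shares, no P7 vote
    no_leak = submit(list(range(8, 46)))
    return {
        "thresholds": ks,
        "broadcast_count": sum(len(b) for b in bcast.values()),
        "honest_passes": law_passed(*honest, k_t, ks[-1], verify),
        "no_leak_recovers_S6": no_leak[1][6] == pow(h, shares[6], P),
        "naive_combine_accepts_leak": verify(combine({**leaked[0], **leaked[1]})),
        "leak_passes_improved_check": law_passed(*leaked, k_t, ks[-1], verify),
    }
```

`run_example()` reproduces the thresholds 42, 41, 41, 40, 40, 39 and the nine broadcast shares of Example VI.1. The 39 honest yes voters pass the check; the coalition of 38 with $P_7$'s leaked shares is accepted by a naive combination of its 44 partial signatures but rejected by the $\text{excess}+1$ reconstructions, each of which has only 41 points; and without the leak the 38 cannot even recover $P_6$'s partial signature (39 of 77 needed). The nonzero top coefficient in `shamir` makes these outcomes deterministic rather than merely overwhelmingly likely.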
VII. CONCLUSION
We have described a partial solution to abstaining in an electronic legislature. A minority can attempt to generate a signature of a message/law, but they would be detected. We have provided a remedy by re-thinking the interpretation of what it means for a message to become law. As we have noted, a single legislature may require both absolute-majority type votes as well as simple-majority type votes. It is awkward to have two different solutions; in particular, the real awkwardness is to have two distinct ways to verify that the vote has passed the message. Future work will be to develop abstention schemes for absolute majority and simple majority whose verification protocols are identical. Other future work will include implementing, enhancing, and developing an e-legislature prototype which supports the Verifiable Democracy protocol as well as protocols that support abstention. The final outcome is expected to support a real-time e-legislature.