-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathintro.tex
85 lines (79 loc) · 5.26 KB
/
intro.tex
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
In \HistContext, \Tyrant~legally became \Office. Over the next several years,
\Congress~passed a series of electoral reforms that ultimately allowed for
\Axis~ control of \Congress~and granted \Tyrant~complete, authoritarian control
of \Domain. \Tyrant~established \MartialLaw, and it took \War~to reverse this.
Of course, \Tyrant~did have a great deal of popular support, at least initially.
He promised \Platform. As the saying goes, Mussolini made the trains run on
time. But whether or not a majority of the people of \Domain~ever supported
\Axis, by the time \Congress~had given them control, the people could not revoke
his power without \War.
This is one example of a more general problem in group decision-making:
% In very
% small groups, action can proceed by consensus - all members have the opportunity
% to be heard, and only actions that have the support of the entire group proceed.
% In any moderately sized group, however, this peer-to-peer approach to consensus
% becomes unweildly. Most governance structures implement some sort of delegation
% of power \tocite, whether by way of an elected legislature or a military
% dictator.
%
In order to maintain the advantages of democracy and decentralized
trust, while also allowing efficient governance at scale, it must be possible to
delegate power to individuals or small groups, and it must be possible to revoke
that power.
Further, if the collective is to retain power to revoke what it has delegated,
it must be able to do so as a collective instead of as individuals. Differential
situation of groups within the collective can complicate this. For example, in
a \GrassContext, a \Org~is often established as an equalizing force:
\Marginalized s and \Dominant s alike can share in governance, with one vote per
person. The \BadGuys, however, can monitor all meetings of this \Org. If a
\Marginalized~made a proposal unpopular with \BadGuys, the \Marginalized~would
be \Disappeared; if a \Dominant~made the same proposal, \BadGuys~could do
nothing. This coercive power reduces the power of the collective to the power of
its most disempowered subset. Introducing anonymity to such a context, however,
would prevent \BadGuys~from targeting \Marginalized s without riskng targeting
\Dominant s. Anonymity can thus be leveraged to instead augment the power of the
collective to the power of its most empowered subset.
Various computational approaches exist to providing secure and trustworthy
democratic elections, where each individual's vote is anonymous and where the
result is verifiable. As the case of \Tyrant~shows, however, securing the
election process itself is not enough when a central power determines whether
and what elections should be held \todosubst{maybe communist elections are a
better example here}.
Noam Chomsky writes that
``[t]he smart way to keep people passive and obedient is to strictly limit the
spectrum of acceptable opinion, but allow very lively debate within that
spectrum'' \cite{chomsky1998common}. To have truly free elections, the means for
calling for a vote and drafting the ballot must also be decentralized and secure
against coercion. We shall henceforth refer to this process of initiating a vote
as a \emph{petition}. If \Congress~had a mechanism for anonymously petitioning
for a vote of no confidence, for example, it might have been possible to
determine support for removing \Tyrant~without endangering the instigator of
that vote and without resorting to \War.
% \note{I don't think this matters right now}
% Further, voting over the internet poses additional trust problems beyond those
% inherent to electronic voting in general. A dissident group organizing in
% defiance of a powerful entity with control over the network must protect its
% members' anonymity not only from other group members, but from a global passive
% adversary who can analyze all message transmissions and traffic patterns among
% all nodes in the system.
%
\todogrunt{Probably could be better/fix the rest of this section for real
outline}
This paper makes three contributions. First, we provide what we believe to be
a novel examination of anonymity in the context of electronic voting. Next, we
propose a specification and implementation sketch for a verifiable, anonymous,
and decentralized petition protocol. Finally, we show how this can be applied to
provide group management in the Dissent in Numbers\cite{din} anonymity protocol,
with applications for scalable anonymous web browsing.
We begin with an overview of existing tools dealing with various aspects of this
problem (Chapter~\ref{Chapter:Existing}). We then outline the properties
provided by our protocol, and specify the threat
model against which it is secure (Chapter~\ref{Chapter:Goals}). In
Chapter~\ref{Chapter:Spec}, we provide a detailed specification for a protocol
providing the properties laid out in Chapter~\ref{Chapter:Goals}. In
Chapter~\ref{Chapter:Protocol}, we outline one potential implementation of this
specification\todo{TODO: proofs section?}, and argue for its correctness.
In Appendix~\ref{Appendix:Dissent}, we discuss how this protocol can be used to
enhance the security and decentralization properties of the scalable Dissent in
Numbers anonymity protocol. Finally, we conclude and discuss directions for
future work (Chapter~\ref{Chapter:Conclusion}).\todoword{fewer ``outline''}