Securing abstention in an electronic legislature

Brian King
Purdue School of Eng. & Tech.
Indiana Univ. Purdue Univ. Indianapolis
briking@iupui.edu
Yvo Desmedt
University College London
Florida State Univ.
desmedt@cs.fsu.edu
AbstractThe reasons for developing an electronic legislature
(e-legislature) include: an improved legislature, increasing the
constituents access to the legislator, improving participation
in government and providing our goverment with a mobile
distributed legislature that will be able to continue to meet
even in the face of some drastic activity like terrorism. The
essence of a legislature is political and consequently its members
will certainly act in such a way. Thus one must assume that
legislators would take advantage of the lack of physical presence
in a legislature if it was not secured. In [5], [6] an electronic
legislation scheme was proposed that secured the government
from malicious behavior of legislators. The protocol described in
[5], [6] provided only minimal legislative voting options, to create
a realistic e-legislature one must support all likely functions.
Most legislatures allow their members to abstain. The process
of introducing abstention into an e-legislature can be formative
especially in the case when the legislature passes statutes by
simple majority. Here we discuss how to secure an e-legislature
which supports abstention.
I. INTRODUCTION
The process of integrating digital technology into our gov-
ernment to achieve e-government will provide improved
services as well as bring greater accessibility of governmental
services to the people. However there exists several other
reasons to consider e-government, one that it may provide a
means to ensure the continuity of services/and government in
the case of some drastic action.
Within the context of this work we are interested in a
developing a special type of electronic voting which we
characterize as e-legislature or e-laws. Electronic voting for
general elections has become an active area of research, its
impact will be signicant, whenever (or if ever) a secure
and efcient e-voting scheme is constructed. An electronic
legislature will provide will provide several important services
like improving government, increasing access of constituents
to their representatives, and for several other reasons, including
that it will ensure the continuity of the government in cases
where the physical legislature cannot meet. Its impact will be
important for that reason alone.
There are several reasons to be interested in developing
an electronic legislature (e-legislature). One is that an e-
legislature is desirable since it will ensure the delivery of the
actions of a legislature, especially given the increasing specter
of a terrorist attack made of the government. In the September
11
th
terrorist attack, potential targets had included White
House and/or the Capitol Building. If either attack would have
been successful it is certain that a disruption of our governing
body would have occurred. Immediately following this attack,
a second terrorism attack occurred, the mailing of anthrax
spores to U.S. legislators. This attack successfully stopped the
U.S. House of Representatives from meeting, and restricted
the contact of the U.S. Senate. Fortunately the stoppage was
brief, due to the fact that the anthrax contamination was limited
to an ofce complex for the senators. Comparable attacks on
governing bodies have been enacted on other governments.
One solution to this problem of terrorism disrupting the
legislature is to create the means for the legislature to convene
remotely, i.e. a mobile legislature. The U. S. Congress has
recognized this need and has proposed legislation to develop
electronic legislatures as a means of continuing government
in the face of a terrorist attack [3].
In an electronic legislature, the legislatures ability to pass
or to not pass legislation should be thought of as the legislature
digitally signing (with some secret key) the legislation or not
signing the legislation. The power held by each legislator to
vote on legislation will need to be a share of the legislature
key (the one that will generate this legislature signature).
The potential threats to an electronic legislature can come
from both external and internal sources. Traditional computer
security and cryptographic tools can be used to protect the
e-legislature from most of these external threats (intrusion de-
tection, denial-of-service, authentication, condentiality, etc..).
However new tools need to be developed to protect the e-
legislature from internal threats. The internal abuse is the
potential that can seriously diminish the integrity of the legisla-
tive body. When considering an electronic legislature, we ask
will such a legislature be as representative as the physical
government in place?. The danger of using a distributed
electronic government is that the mechanisms for reigning-
in legislative abuse is not necessarily in-place due to lack of
the physical proximity of participants. The concern for the
possibility of cheating among participants in an electronic
legislature is warranted. Politics in government has always
been built with factions and coalitions. Required protocols
need to be secured. For example, the fact that the number
legislators vary will pose a security problem, because we will
need to redistribute the power to vote (i.e. redistribute digital
shares). One would not want to generate a new legislature
secret key, since a key should last as long as the legislature
(for example in the case of the U.S. House of Representatives,
its duration is 2 years).
A legislative body, like the Senate or House of Repre-
sentatives, will pass laws according to some minimum
number of required yes votes, which is often a proportion
0-7695-2268-8/05/$20.00 (C) 2005 IEEE
Proceedings of the 38th Hawaii International Conference on System Sciences - 2005
1
of the body present (some possibilities include majority or
two-thirds). This is an example of a threshold application,
however the threshold is dynamic since it will depend on
a proportion of the (legislative) body that is present. Con-
sequently to achieve an electronic legislature, a scheme is
needed which allows transfer of the legislative signing power
from the (original) fully attended body to the body present.
One problem that arises is that the entire original body is
not present to participate, but that is easy to overcome using
threshold cryptography. The difculty with developing such a
scheme is the realization that the legislators must be treated
as adversarial and hence untrustworthy. That is, the legislators
are in competition with each other and they may attempt to
take advantage, for political gain, the fact that the process of
transferring signature process will take place. In light of this
competition, a veriable transfer of power needs to take
place. In [5], [6], a model was introduced which described
the requirements for a veriable democracy. Protocols which
provided partial solutions and described how to achieve
veriable democracy were described in [5], [6], [10].
The protocols described in [5], [6], [10] provided only the
minimal amount of legislative services. For an e-legislature to
actually be implemented, other legislative services need to be
offered, for example abstention. Abstention of e-voting within
a general election has been examined [11], but abstention
within an e-legislature has never been examined. The act
of abstaining is a necessary voting option for a legislator.
Abstention allows a legislator to remove themselves from a
vote. There are several reasons to for a legislator to want to
abstain, some of the reasons include: abstaining because of a
conict in interest and abstaining to avoid problems with their
constituency.
Integral to the veriable democracy protocol described in
[5], [6] is the blinding of the message/law. The basis of
this requirement is discussed in detail in [5], [6]. Within a
legislature, it is possible that legislators may wish to abstain
from voting on certain legislation. Of course the decision for
abstaining (or for not to abstaining) must be made after the
content of the message is revealed. The way abstention is
handled may depend on the legislature, or it may depend on
the type of voting the legislature is utilizing or it may even
depend on what is being voted on. In a majority type vote,
there are two rules that are most likely to be used to handle
abstention: in the rst case the abstention will be noted but
it will be treated as a no vote, this is referred to as absolute
majority, and in the second case the majority will determined
by the total number of the yes and no votes, whichever is
larger constitutes the majority, this is called a simple majority
[7].
1
In the case of a simple majority, the threshold will
change whenever an abstention takes place, whereas in an
absolute majority the threshold remains unchanged. Roberts
Rule of Order [16] provides no guide as to how abstentions
should be handled. There are numerous examples of both
type of majorities used in legislatures. Simple majorities are
1
A third possible rule would be to count an abstaining vote as a yes vote.
used for several types of voting in both houses of the US
Congress, British House of Commons [7], Scottish Parliament
[17], and college of the Commission of the European Union
[19]. Absolute majority is used as well in several places,
for example certain votes in the U. S. Congress will require
absolute majorities. One can generalize the notion of the
classication of a majority, to classify the two-thirds type vote
and dene absolute two-thirds, as well as simple two-thirds.
Consequently since a legislature may use both absolute
majority as well as simple majority, an e-legislature must be
able to support both absolute and simple majority. The goal
of this paper is to describe a protocol that will provide the
means to implement abstention within the e-legislature.
II. BACKGROUND: TOOLS AND TERMINOLOGY
Suppose Alice wishes to send to Bob a signature of mes-
sage M. Alice applies a hash function h() to M, so that
m = h(M). Alice sends to Bob M and Sign(M, privKey),
whereupon Bob can verify the signature using the verify
function where verify(M, X, pubKey) is a boolean function,
it returns true provided X is Sign(M, privKey), otherwise it
returns false. If the signature is veried then Bob accepts the
message. Some examples of signature schemes that can be
used in this protocol include the RSA signature scheme and the
El Gamal signature scheme. In a k out of n threshold sharing
scheme the secret key privKey is shared out to n participants,
so that any subset B of k participants can combine their
shares and construct privKey while any subset of cardinality
k1 gain no information about the privKey. In a k out of n
threshold signature scheme, the signing key privKey is shared
out to n participants so that any k participants can sign a
message M. We let S
i
denote participant P
i
s partial signature
(think of a partial signature as a share of the signature). When
the participants wish to sign a message they will send their
partial signatures to some combiner who will combine their
shares to form the signature.
Sign(M, privKey) =

iB
S
i,B
i
= S
j
1
,B
j1
S
j
2
,B
j2
S
j
k
,B
j
k
where B is the set of k members B = P
j1
, . . . , P
j
k
,
i,B
is the appropriate scalar and S
i
is participant P
i
s partial
signature
2
.
Veriable signature sharing [1], [8], [14] is a cryptographic
sharing technique which allows a holder of document to
distribute shares of the signature of the document to proxies
(participants), so that the proxies can later reconstruct and
sign the document (if they wish). Further, by the end of
the distribution phase, honest proxies can verify that they
have been given shares of the authentic signature, without
reconstructing the signature. In an electronic voting scheme,
if a voter receives data/information such that this data allows
2
The most likely operation used with partial signatures is multiplication,
this operation is dependent on the cryptographic primitive used. The scalar

i,B
is a public value dependent on i and the set B of participants. In most
applications it is dened as
i,B
=

jB
j=i
0 x
j
x
i
x
j
.
0-7695-2268-8/05/$20.00 (C) 2005 IEEE
Proceedings of the 38th Hawaii International Conference on System Sciences - 2005
2
others (as well as the voter) to verify how the voters vote has
been counted, we say that the voter has left a receipt. A voting
scheme is said to be receipt-free provided that no receipt is
left for the voter which allows others to verify the voters
vote. In the case of an e-legislature, since the legislator is a
representative of the people, we would require that the voting
scheme leaves a receipt.
III. ILLUSTRATIONS OF PROBLEMS THAT CAN ARISE IN AN
ELECTRONIC LEGISLATURE
Let / = P
1
, . . . , P
n
denote the legislature. Let /
t
represent the set of legislators present at time t, thus /
t
/.
Suppose n represents the size of the original legislature and n
t
represents the number of legislators present at time t. A session
is a continuous period of time for which the legislators present
/
t
can vote on legislation and that the set of participants
present remain xed.
As noted earlier, the manner in which a legislature votes
is similar to a threshold signature scheme, and the power
to sign legislation is similar to possessing shares to sign. In
this application the threshold k denotes the quorum of the
legislature, the minimum number of legislators required to be
present in order for legislature to be passed. The threshold
k
t
represents the threshold required to pass legislation at
time t, for example in a legislature for which majority rules
k
t
= [/
t
[/2| + 1.
3
Every time the legislature /
t
changes,
some type of redistribution of shares will need to take place.
Redistribution is possible as long as a quorum k of legislators
exist, i.e. [/
t
[ k.
Some problems that the veriable democracy protocol must
overcome include (for more details/descriptions of these prob-
lems we suggest the reader to see [5], [6]). First, the transfer
of signature power needs to be temporary. If legislators send
their shares of the key to other legislators then these legislators
can use this information to sign other laws. In fact they can
impersonate this legislator in future votes. Temporary sharing
is achieved by having k participants P
i1
, . . . , P
i
k
transfer their
partial signatures instead of their power to sign. Consequently
the transfer will be message-oriented.
Secondly, observe that a few of the k (out of the n
t
) partic-
ipants P
i1
, . . . , P
i
k
could defeat the process by not properly
transferring their power (shares). This would be especially
true if the message (law) was such that they had a vested
interest that the law should not be passed. Thus, as the transfer
of power is message oriented, there is a need for the set
P
i1
, . . . , P
i
k
to transfer power blindly (i.e. encrypt the message
before sharing).
Third, the participants /
t
= P

1
, . . . , P

nt
, when given an
opportunity to act on legislation must know that the outcome
(sign or not sign) is a result of their decision and not a
result of bad faith on the part of the participants P
i1
, . . . , P
i
k
who had transferred them the power to sign. Hence, the
participants P

1
, . . . , P

nt
need to be able to verify that they
were actually given the power to sign that message.
3
The oor of x, denoted by x is the largest integer x.
Fourth, no set of participants should gain any information
about a motion made during an illegal session, a session
where either cheaters have been discovered or the number
of legislators present is less than the quorum k. Otherwise,
they could use this knowledge, to act in later sessions. This
provides another reason to blind the motion.
Fifth, in a receipt-required version of veriable democracy,
for each legislator belonging to /
t
there must exist a record as
to how that legislator voted. Note that if each legislator sends a
validated partial signature (which we interpret as a valid vote)
then this provides a receipt that the legislator voted in favor
of the message. We could use the lack of a validated partial
signature as a no vote.
Lastly, we assume that the network is sufciently reliable
(connected) even to deal with a few routers destroyed by
terrorists.
The requirements are described by the following model [5].
VERIFIABLE DEMOCRACY MODEL
(i) (completeness) If n
t
exceeds or equals the quorum k then
for any set of legislators B
t
, with [B
t
[ k
t
, either B
t
can
sign m
t
or they can identify the cheaters among themselves.
(ii) (soundness) If B

t
, A
t
or if [B

t
[ < k
t
then B

t
cannot
sign any new message m
t
.
(iii) The action of the cheaters should be independent of
the message. Therefore for any set B

(represents a set of
cheaters), with [B

[ < k, then one should not be able to

distinguish the way B

acts with message m as they do with

a message m

(distinguish in terms of cheating strategies).

(iv) If n
t
< k or if cheaters have been discovered, then
no subset of A
t
should gain any information about m
t
.
Therefore one should not be able to distinguish the information
distributed by the members of A
t
for message m with the
information distributed by a message m

.
(v) If the set of participants /
t
vote on m
t
, then for all P /
t
there exists a public receipt x
P
such that x
P
demonstrates how
P voted for m
t
.
The basic functions of the e-legislature protocol described in
[5], [6] are provided below.
A. Veriable Democracy Protocol a democratic threshold
scheme
During the set-up, the legislature is empowered with a secret
key so that any k out of n can compute the secret signing key.
If n
t
k we proceed with the protocol, if n
t
< k then there
are not enough legislators to pass the legislation. At any time
t, a message/law m
t
may be proposed. A
t
represents the set
of participants present at time t, n
t
= [A
t
[, and k
t
represents
the threshold (the minimal number of participants required to
sign). We now review the integral functions in the veriable
democracy protocol [5], [6], we omit technical details and refer
the reader to [5] for the technical details.
Legislative key generation. A secret key privKey is dis-
tributed to the n participants so that a blinded message/law
can be signed in a k out of n threshold manner. In addition
0-7695-2268-8/05/$20.00 (C) 2005 IEEE
Proceedings of the 38th Hawaii International Conference on System Sciences - 2005
3
to distributing shares of privKey this distributor generates
ancillary information
4
which is used later to verify partial
signatures. (For example if the protocol utilizes RSA sig-
natures a test message is generated and broadcasts all n
partial signatures of the test message. The test message and
partial signatures of test message play an important role in the
verication of future partial signatures. This can be performed
by a trusted third party or by the participants using a protocol
such as [5], [10]).
Blinding message. The participant P

, who proposes message

m
t
, blinds m
t
before they present it to the legislative body A
t
.
Transfer of Power Partial Signature Generation TPSG.
As long as n
t
exceeds (or equals) k, the message will be
considered for signing. If so, k participants in A
t
are chosen
and they generate partial signatures for the blinded m
t
.
Transfer of Power Partial Signature Distribution TPSD.
Each of the k participants share out their partial signatures in a
k
t
out of n
t
manner to A
t
(we will refer to these k participants
as partial signature distributors). Each participant in A
t
has
received k shares, whereupon they compress the k shares
to one share. In addition to distributing partial signatures,
the partial signature distributors will also distribute ancillary
information which allows the legislative body A
t
to verify the
correctness of the partial signatures of the blinded m
t
.
Transfer of Power Partial Signature Verication TPSV.
The ancillary information provided in TPSD is rst veried
by each legislator in A
t
. Upon verication the ancillary
information is used by each legislator to verify the correctness
of their share of the partial signature of the blinded m
t
. The
verication procedure is devised so that with overwhelming
probability it can be determined that a recipient has received
a valid share this is achieved via a verication and complaint
protocol. If a verication fails then a complaint will be raised,
at that time a cheater has been detected, what remains is a
protocol to determine whether the cheater is the partial share
distributor or the complainer. The consequence is that the
completion of this stage with no complaints implies that the
signature power for the message has been transferred to A
t
such that any k
t
can sign the message.
Unblind the message. The message is revealed to the legis-
lature. Who reveals the message? P

could. Or if one utilizes

a trusted chairperson as in [10], then the trusted chairperson
could reveal m
t
. In [5], the protocol utilized RSA signatures
and so the legislators themselves could unblind the message
without the legislators revealing their partial signature of m
t
.
Decision vote on m
t
. The legislators decide whether to vote
for or against m
t
.
4
This ancillary information will be broadcasted to all, i.e. public record.
The nature of the ancillary information is dependent on the veriable sharing
scheme that is used. For example for El Gamal use [14] and for RSA use [9]
and [2].
Partial Signatures Sent PSS. If any legislator wishes to vote
for the by now known m
t
they send their share of the partial
signature of the blinded m
t
.
Verication of the signature determining the passage
of m
t
PSV. If k
t
or more participants have sent their partial
signatures then the message may be passed. If so, the combiner
selects any k
t
of the sent partial signatures and veries the
correctness of these partial signatures using the ancillary
information provided within this protocol. For each one of
these invalid partial signatures the combiner selects one of the
remaining partial signatures sent and veries it. If the number
of valid partial signatures is less than k
t
then the message
m
t
is automatically not passed. We have adopted a receipt-
required version of the veriable democracy protocol. The
partial signature sends (PSS) together with the partial signature
verication (PSV) implies k
t
valid votes. Who can play the
role of the combiner? Any person, collection of people, or
even the legislators.
Message passed. The message is passed if a signature of m
t
can be computed and there were k
t
valid votes sent and
veried. A vote for m
t
is a valid partial signature.
Note that the verication procedures TPSV and PSV may
utilize different veriable secret sharing schemes due to the
amount of information the senders TPSD and PSS, respec-
tively, know. In TPSD the senders know the actual shares,
whereas in PSS the senders know only the partial signatures.
Whether TPSV and PSV require different veriable sharing
schemes may depend on the threshold signature scheme that
is used.
IV. ABSTAINING
As stated earlier, a legislature may use both absolute ma-
jority as well as simple majority, an e-legislature must be
able to support both absolute and simple majority. To secure
abstention in an absolute majority type vote, it was suggested
[12] to run the veriable democracy protocol twice, once
for the yes votes and then require those that vote no to
participate in a veriable democracy protocol using a no
vote. Now use some method for counting in a secure manner
such as [13].
What remains is how to handle simple majority when an
abstention takes place. This is a much more challenging
problem, since the threshold will change. Recall that the
veriable democracy protocol requires blinding the vote before
transferring power. An abstention will require a transfer of
signature power (since the threshold will change), but the
transfer cannot be achieved in the blind as the veriable
democracy protocol does, since a legislator can only decide
on whether to abstain based on the knowledge of the pending
legislation. The remainder of the paper is devoted to how to
solve abstention within a simple majority.
Recall we represent the legislature by / = P
1
, . . . , P
n
.
We use /
t
represents the legislators present at time t. We use
L
t
to denote those members of /
t
who wish to abstain once
0-7695-2268-8/05/$20.00 (C) 2005 IEEE
Proceedings of the 38th Hawaii International Conference on System Sciences - 2005
4
the message is revealed. Once n
Lt
participants abstain, the
new threshold is k

t
out of n
t
n
Lt
, where k

t
is the result of
going from a k
t
out of n
t
threshold and having n
Lt
abstain.
Let k
Lt
= k
t
k

t
.
Model IV.1. A veriable democratic legislature which sup-
ports abstention should possess properties (1) - (4).
(1) Abstainers should be able to abstain after the message
m has been revealed.
(2) Any action taken by the abstainer should be independent
of B (the set of legislators who vote yes to pass the m).
(3) A cheating abstainer should be revealed.
(4) Cheating by an abstainer should not cause termination
of a vote.
(5) A cheating abstainer who is trying to prevent the vote
should be treated as a no vote, and a cheating abstainer who
is trying to pass the law should be treated as a yes voter.
When one considers the above model, the question becomes
how does one determine if a cheating abstainer is trying to
prevent the vote or pass the law. Further, a cheater may be
such that they do not belong to either category and may just
be mischievous. This difculty of determining motive makes
the application of (5) impossible. Since it is clear that the
intent of a cheater cannot be gauged, we must treat a cheating
participant as either a no-voter or an abstainer. We will treat
them as a no voter.
A. Protocols required for abstainers - resharing a share
The following three protocols have been described in [5].
Due to their complexity we will treat them as black-box func-
tions. Realize that one must be careful when to utilizing these
functions, valid inputs must be available to these functions
to achieve the desired results. In the technical version of
this paper, the complete details will be discussed thoroughly.
In this paper we will assume that the implementation of
the veriable democracy protocol has ensured that there is
sufcient ancillary information available either publicly or
to each shareholder to assure that each invocation of these
protocols will achieve the desired results.
Resharing a Share - Share Generation RSSG Suppose a
participant holds a share S and they wish to share S in an
a
t
out of b
t
manner. This is straightforward, except that the
shares that are generated will need to be veried. Since this
protocol will reside within the Veriable Democracy protocol
there will exist ancillary information concerning S. Based
on this ancillary information this participant will be able to
generate ancillary information concerning the shares of S so
they can be veried. For example if participant P
i
wishes to
share their partial signature S
i
to P
j1
, P
j2
, . . . , P
bt

S
j1,i
,

S
j2,i
, . . . ,

S
j
b
t
,i
) = RSSG(i, pubInfo, S
i
).
So that S
i
=

jB

j,

B
j,i
where

B is a set of a
t
participants

B = P
j1
, . . . , P
ja
t

5
.
Resharing a Share - Share Distribution RSSD The partici-
pant who is sharing out S in an a
t
out of b
t
manner distributes
the shares to the b
t
participants. In addition this participant will
distribute the ancillary information that will used to verify the
correctness of these shares.
for all r

S
jr,i
P
jr
xxxpubInfo_RSSD_S
i
generated and distributed
Resharing a Share - Share Verication RSSV The ancillary
information provided in RSSD is rst veried by each par-
ticipant. Upon verication, the ancillary information is used
by each legislator to verify the correctness of their share
of S. The verication procedure is devised so that with
overwhelming probability it can be determined that a recipient
has received a valid share this is achieved via a verication
and complaint protocol.
for all r
xxxverify(

S
jr,i
, i, pubInfo_RSSD_S
i
, pubInfo) = true
V. ATTEMPTS AT A SOLUTION
We assume for the sake of simplicity that all legislative
decisions are made according to majority rules
6
. The result
is that the set of participants L
t
wish to abstain, so we must go
from a k
t
out of n
t
threshold scheme to a k

t
out of n

t
where
k
t
=
nt
2
| +1; k

t
=
n

t
2
|+1; n

t
= n
t
n
Lt
; and k

t
= k
t
k
Lt
.
The change in threshold must occur after message m
t
has been
unblinded. Consequently we have a set of participants L
t
who
can act based on the knowledge of this information.
A. A rst attempt at a solution
To achieve a transfer after abstention, any k
Lt
of the set
abstainers L
t
share out their partial signature in a k
t
k
Lt
out of n
t
n
Lt
manner by applying the RSSG+RSSD+RSSV
protocol to share out their share. Once L
t
has completed their
application of the RSSG+RSSD+RSSV protocol, then all n

t
participants possess 1+ k
Lt
shares. Due to the manner in
which the shares will be combined, the n

t
participants cannot
compress their shares. We clarify with an example.
Example V.1. Suppose we have a majority rules in a 100
person legislature. At time t, there are n
t
= 83 members
present. Thus k
t
is 42. Consequently any set of 42 legislators
can sign m
t
, for example
Sign(M, privKey) =
42

i=1
S
i,B
i
5
The scalar
j,

B
is dened as
j,

B
=

B
j=i
0 x
j
x
i
x
j
.

S
j,i
denotes the
share of the partial signature S
i
distributed to participant P
j
by participant
P
i
.
6
Majority rules is not a required assumption, this assumption makes it easier
to describe the protocol
0-7695-2268-8/05/$20.00 (C) 2005 IEEE
Proceedings of the 38th Hawaii International Conference on System Sciences - 2005
5
where B = P
1
, . . . , P
42
,
i,B
is the appropriate scalar and
S
i
is participant P
i
s partial signature.
Suppose n
Lt
= 6 wish to abstain. Let us assume without
loss of generality that P
1
, . . . , P
6
abstain. Let us also assume
that P
1
, P
2
, P
3
were the abstaining members that were selected
to share out their share S
i
. So each S
i
(for i = 1, 2, 3) is shared
out in a 39 out of 77 manner to the participants P
7
, . . . , P
83
.
Now suppose

B = P
7
, . . . , P
45
wish to sign the message.
Then S
u
=

45
i=7

i,

B
u,i
where

B = P
7
, . . . , P
45

7
. Conse-
quently
Sign(M, privKey)
=
45

i=7
S
i,B
i

45

i=7

i,

B
1,B
1,i

45

i=7

i,

B
2,B
2,i

45

i=7

i,

B
3,B
3,i
where B = P
1
, P
2
, P
3


B and

B = P
7
, . . . , P
45
. So
Sign(M, privKey)
=
45

i=7

S
i,B
i


S

i,

B
1,B
1,i


S

i,

B
2,B
2,i


S

i,

B
3,B
3,i

.
Problems with this solution
The k
Lt
abstainers P
1
, P
2
, P
3
that participated in the
RSSG+RSSD+RSSV protocol have documented that they will
abstain. That is, there is a record in terms of information
distributed that they abstained, in many cases the information
would have been broadcasted (this would be the ancillary
information that is used in the verication RSSD+RSSV part
of the protocol). However, there is no record that the other
n
Lt
k
Lt
participants P
4
, P
5
, P
6
abstained. In fact there
is nothing that would stop them from participating in the
vote and be on record as a yes voter. (Although in our
model, if an abstainer backs out and decides to vote they
can only contribute to passing a m
t
that would have been
passed without their vote.) However in this protocol, if a
abstainer who participated in the RSSG+RSSD+RSSV part
of the protocol tries to vote yes (i.e. backs out on being
an abstainer) there is a record that they abstained and so
they will not be given credit for voting yes. The problem
with allowing the n
Lt
k
Lt
participants to participate in the
vote is that the threshold has been lowered to 39 because
they announced they were abstaining. If just one of them
decides to reenter as a voter then the threshold should be 40,
however according to this protocol 39 will be able to pass the
legislation. Another problem with this protocol in that each of
the n

t
participants will now have a share 1+k
Lt
the size of the
original share. Lastly, there must be communication that takes
place to determine who will abstain because it is required
that the abstainers know n
Lt
. The latter two problems are
insignicant in comparison to the rst.
B. A second attempt at a solution
The rst attempt failed due to the fact that the n
Lt
k
Lt
participants have not participated and there does not exist any
public information that documents that they have abstained.
7
S
u,i
denotes the partial signature distributed to participant Pu by partic-
ipant P
i
where i = 1, 2, 3.
We now address this problem. In a k out of n threshold signa-
ture application, it is possible that more than k participants will
send their partial signatures. In such a case, a combiner will
select k veried partial signatures and compute the signature.
In our second attempt at a solution, rather than having only
k
Lt
participate in the RSSG+RSSD+RSSV protocol, we have
all n
Lt
abstainers participate in the RSSG+RSSD+RSSV
protocol. By doing so there is a public record that all n
Lt
have abstained.
So we have all n
Lt
abstainers share out their shares using
the RSSG+RSSD+RSSV protocol in a k
t
k
Lt
out of n
t
n
Lt
manner and send those shares to the non-abstainers. In this
case, each of n
t
n
Lt
abstainers have received n
Lt
shares, so
each possess 1 + n
Lt
shares. Again these participants cannot
compress their shares.
To compute the signature it will require that the k

t
partic-
ipants (non-abstainers) send their partial signatures. However
when these participants send their partial signatures they will
send two partial signatures, one their original and the other the
correct combination of the abstainers shares(see example
below). The combiner will have veried partial signatures.
When the combiner creates the signature, the actual number
of valid partial signatures that the combiner will have received
will be k

t
+n
Lt
which exceeds k
t
. So the combiner will discard
n
Lt
k
Lt
of the non-abstainers original partial signatures and
compute the signature.
Example V.2. Suppose we have a majority rules in a 100
person legislature. At time t, there are n
t
= 83 members
present. Thus k
t
is 42. Consequently any set of 42 legislators
can sign m
t
, for example
Sign(M, privKey) =

42
i=1
S
i,B
i
where B = P
1
, . . . , P
42
,
and S
i
is participant P
i
s partial signature.
Now suppose that n
Lt
= 6 participants wish to abstain.
Thus in this example k
Lt
= 3. Again assume that P
1
, . . . , P
6
abstain. So each S
i
(for i = 1, . . . , 6) is shared out in
a 39 out of 77 manner to the participants P
7
, . . . , P
83
.
Suppose that the set

B = P
7
, . . . , P
45
wishes to vote
for the message. First observe that S
u
=

45
i=7

i,

B
u,i
where

B = P
7
, . . . , P
45
. Therefore each P
i


B will send S
i,B
i
and

6
u=1

S
u,B
i,

B
u,i
where B = P
1
, . . . , P
6


B. Now the
combiner selects 36 = 39 (6 3) = k

t
(n
Lt
k
Lt
) of the
original partial signatures S
i,B
i
. Assume that the combiner
selected P
7
, . . . P
42
. Then
Sign(M, privKey)
=
42

i=7
S
i,B
i

45

i=7

u=1

S
u,B
i,

B
u,i

.
Problems with this solution
There is a problem with this solution in the case of a cheat-
ing abstainer. If an abstainer is caught cheating, then they de-
nitely should not be characterized as an abstainer. That is sup-
pose P
6
was caught cheating during the RSSG+RSSD+RSSV
protocol, then n
Lt
becomes 5. In our example this will affect
k
Lt
, under the premise that P
6
is caught cheating, k
Lt
changes
to 2 and k

t
becomes 40. However given the information
0-7695-2268-8/05/$20.00 (C) 2005 IEEE
Proceedings of the 38th Hawaii International Conference on System Sciences - 2005
6
distributed in the protocol, any 39 of the non-abstainers can
compute the partial signatures of P
1
, . . . , P
5
. Altogether
these 39 would control 39 +5 partial signatures and hence they
can sign. But k

t
would be 40. The problem with this solution
is that a cheating abstainer would be treated as an abstainer.
There is another problem with this protocol in that each of the
n

t
participants will now have a share 1 +n
Lt
the size of the
original share. Lastly there must be communication that takes
place to determine who will abstain because it is required that
the abstainers know n
Lt
.
VI. THE THIRD ATTEMPT A PARTIAL SOLUTION
This attempt at a solution does not require the abstainer
to determine n
Lt
, and so the extra communication that the
previous attempts at a solution required will not be needed.
Assume we have applied the Veriable Democracy protocol
and achieved k
t
out of n
t
scheme. If a participant wishes
to abstain they wait until the rst abstainer completes their
communications and then they share out their partial signature
in a k
t,1
out of n
t,1
manner using the RSSG+RSSD+RSSV
protocol. Here n
t,1
= n
t
1 and k
t,1
is the appropriate
threshold (it will either be k
t
or k
t
1 depending if n
t
was
odd or even). If another participant wishes to abstain they
share out their partial signature in a k
t,2
out of n
t,2
manner
using the RSSG+RSSD+RSSV protocol where n
t,2
= n
t,1
1
and k
t,2
is the appropriate threshold (either k
t,1
or k
t,1
1).
Once the RSSG+RSSD+RSSV protocol has been completed,
if k
t,2
k
t,1
< 0 then this abstainer broadcasts the share dis-
tributed from the rst abstainer, otherwise (if k
t,2
k
t,1
0)
they broadcast nothing. The remaining participants can verify
its correctness using the RSSV protocol and the ancillary
information that was provided by the rst abstainer within
the RSSG+RSSD+RSSV protocol. (This participant is not
considered a true abstainer unless this broadcasted share is
veried.) This continues in this manner, until the last abstainer
has shared out their partial signature. Here the last abstainer
broadcasts each share it received from the previous abstainers
or nothing depending if k
t,nL
t
k
t,nL
t
1
< 0 or not. Again,
each of these shares can be veried (using information from a
previous RSSG+RSSD+RSSV session). This last abstainer is
not treated as an abstainer until all shares are veried. If n
Lt
represents the number of abstainers then each of the k

t
non-
abstainers will have received n
Lt
shares (they also possess
their own partial signature). As before, these participants can-
not compress their shares. In addition to the shares possessed
by the participants, there exists the broadcasted shares that
will need to be used. The total number of broadcasted shares
is on the order of O(n
2
Lt
) (a better approximation would be
n
2
L
t
4
). To clarify consider the following example.
Example VI.1. Suppose we have a majority rules in a 100
person legislature. At time t, there are n
t
= 83 members
present. Thus k
t
is 42. Consequently any set of 42 legislators
can sign m
t
, for example signature of m
t
=

42
i=1
S
i,B
i
where B = P
1
, . . . , P
42
, and S
i
is the partial signature.
Now suppose n
Lt
= 6 participants wish to abstain. Again
assume that P
1
, . . . , P
6
abstain. P
1
shares out their partial sig-
nature in a 42 out of 82 manner using the RSSG+RSSD+RSSV
protocol. P
2
shares out their partial signature in a 41 out of
81 manner using the RSSG+RSSD+RSSV protocol. Once the
verication has been completed, P
2
broadcasts its share

S
2,1
that it received from P
1
. (This share

S
2,1
is veried by all
participants.) P
3
shares out their partial signature 41 out of
80 manner using the RSSG+RSSD+RSSV protocol. P
4
shares
out their partial signature in a 40 out of 79 manner using
the RSSG+RSSD+RSSV protocol and then broadcasts all 3
shares distributed to them by the rst three abstainers. P
5
shares out their partial signature n a 40 out of 78 manner
using the RSSG+RSSD+RSSV protocol. Finally, P
6
shares
out their partial signature in a 39 out of 77 manner using the
RSSG+RSSD+RSSV protocol. Once the verication has been
completed, P
6
broadcasts one at a time

S
6,1
,

S
6,2
, . . . ,

S
6,5
.
The set of broadcasted shares is

S
i,j
: i = 2, 4, 6, 1 j <
i. The total number of broadcasted shares is 1+3+5 = 6
2
/4
(here n
Lt
= 6).
It is clear that the set

B = P
7
, . . . , P
45
can sign the
message m
t
, since they possess their partial signatures, as well
they have the information to compute the partial signatures for
P
1
, . . . , P
6
. Hence they possess 38+6 = 44 > 42 = k
t
partial
signatures.
Problems with this solution
The main problem with this attempt is that there is an attack,
but the attack will be detected by the Veriable Democracy
protocol. Let us discuss the attack. Suppose that P
7
provides
to a coalition of 38 (perhaps their political party or faction)
all the shares they received from the other abstainers, but P
7
does NOT share their partial signature. That is, P
7
is willing
to help this coalition of 38 to pass the legislation but P
7
does
not want to publicly vote yes to this legislation (perhaps P
7
fears retribution from their constituents if they vote on m
t
).
The result is that P
7
provides help to pass the message without
voting for it. With this help from P
7
, this coalition of 38 will
be able to sign the message, yet they never used P
7
s share.
We now point out that the Veriable Democracy protocol will
require that shares sent to be combined need to be veried and
so the this will be detected. There is another problem with this
protocol in that each of the n

t
participants will now have a
share O(1 +
nL
t
(nL
t
+1)
2
) the size of the original share.
Improving the partial solution
According to our model, the abstainers should have doc-
umentation that they abstain. Yet in all of our previous
attempts this documentation never appears in the signature.
The improvement that we make to our third attempt will
incorporate the abstainers into the signature. Here will modify
what we mean by a signature and how we verify signature
(what it means to say a law is passed). Abstainers will follow
the same procedure described above. If a participant wishes
to abstain they share out their partial signature in a k
t,1
out of n
t,1
manner using the RSSG+RSSD+RSSV protocol.
0-7695-2268-8/05/$20.00 (C) 2005 IEEE
Proceedings of the 38th Hawaii International Conference on System Sciences - 2005
7
Here n
t,1
= n
t
1 and k
t,1
is the appropriate threshold
(it will either be k
t
or k
t
1 depending if n
t
was odd or
even). If another participant wishes to abstain they share out
their partial signature in a k
t,2
out of n
t,2
manner using
the RSSG+RSSD+RSSV protocol where n
t,2
= n
t,1
1 and
k
t,2
is the appropriate threshold (either k
t,1
or k
t,1
1).
Once the RSSG+RSSD+RSSV protocol has been completed,
if k
t,2
k
t,1
< 0 then this abstainer broadcasts the share
distributed from the rst abstainer otherwise (if k
t,2
k
t,1
0)
they broadcast nothing. We continue in this manner until the
last abstainer has completed the required operations. Again
assume that n
Lt
is the number of abstainers. Once a call for
votes is made each yes voter will submit both their partial
signature as well as the combination of the shares distributed
to them by the abstainers. Let B denote the set of yes
voters and let denote the number of partial signatures sent
to the combiner (this includes both the partial signatures held
by the participants in B as well as the partial signatures of
the abstainers). Then if the combiner use the [B[ original
partial signatures as well as the n
Lt
(result of manipulating
the combinations) many abstainers partial signatures then the
combiner will possess = [B[ +n
Lt
partial signatures. Thus
the signature can be generated if [B[ k
t,nL
t
which implies
that = [B[ + n
Lt
k
t,nL
t
+ n
Lt
k
t
. Dene by
k
t,nL
t
+ n
Lt
= k
t
+ . The combiner now selects + 1
many participants who have submitted (perhaps in proxy) their
partial signatures, this set is denoted by P
i1
, ..., P
i+1
(this
could include, by proxy, the abstainers since the abstainers par-
tial signatures were submitted by the [B[ many yes voters).
Then for each j = 1, . . . , + 1 using the partial signatures
from

(B L
t
) P
i1
, ..., P
i+1

P
ij
, the combiner can
compute the signature of m
t
. The law is passed provided that
all of the + 1 reconstructed threshold signatures turn out
to be a veried signature. This verify function will dene
what it means to say that a law m
t
is passed (i.e. that the
signature is veried). The attack described earlier is no longer
relevant, since the coalition of 38 will not be able to pass the
legislation, unless P
7
actually is willing to send their partial
signature which implies that they commit to a yes vote.
VII. CONCLUSION
We have described a partial solution to abstaining in an
electronic legislature. A minority can attempt to generate a
signature of a message/law but they would be detected. We
have provided a remedy by re-thinking the interpretation
of what it means for a message to become law. As we
have noted, a single legislature any require both absolute
majority type votes as well as simple majority type votes. It is
awkward to have two different solutions. In particular the real
awkwardness is to have two distinct ways to verify that the
vote has passed the message. Future work will be to develop
abstention schemes for absolute majority and simple majority
whose verication protocol are identical. Other future work
will include implementing, enhancing, and developing an e-
legislature prototype which supports the Veriable Democracy
protocol as well as supporting protocols that support absten-
tion. The nal outcome is expected to support a real-time e-
legislature.
REFERENCES
[1] B. Chor, S. Goldwasser, S. Micali, and B. Awerbuch. Veriable
secret sharing and achieving simultaneity in the presence of faults.
In Proceedings of the 26
th
IEEE Symposium on the Foundations of
Computer Science, FOCS, pages 383-395, 1985.
[2] M. Burmester. Homomorphisms of secret sharing scheme: a tool for
veriable signature sharing In Proc. of Eurocrypt96, Lecture Notes in
Computer Science, LNCS 1070, Springer Verlag, pages 96-105,1996.
[3] Continuity of government commision. 2002.
http://www.continuityofgovernment.org.
[4] Y. Desmedt and Y. Frankel. Homomorphic zero-knowledge threshold
schemes over any nite Abelian group SIAM J. on Discrete Math.,
vol.7, no. 4 pages 667-679, 1994.
[5] Y. Desmedt and B. King. Veriable democracy. IFIP TC6/TC11
Joint Working Conference on Communications and Multimedia Security
(CMS99), Kluwer Academic Publishers, 1999, pages 53-70.
[6] Y. Desmedt and B. King. Veriable democracy a protocol to secure an
electronic legislature. EGOV 2002, eGovernment: State of the Art and
Perspectives, Aix-en-Provence (France), September 2 - 6, 2002, (Lecture
Notes in Computer Science), Springer Verlag.
[7] K. Dougherty and J. Edward Simple vs. Absolute Majority Rule,
http://www.fiu.edu/dougherk/simple.pdf
[8] M. Franklin and M. Reiter. Veriable signature sharing In Advances
in Cryptology - Eurocrypt 95,. Lecture Notes in Computer Science 435,
Springer Verlag, pages 50-63, 1990.
[9] R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin. Robust and efcient
sharing of RSA functions In Advances in Cryptology - Crypto 96,.
Lecture Notes in Computer Science
1109, Springer Verlag, pages 157-172, 1996.
[10] H. Ghodosi and Josef Pieprzyk. Democratic Systems. ACISP 2001, pages
392-402.
[11] W. Juang, C. Lei and H. Liaw. A Veriable Multi-Authority Secret
Election Allowing Abstention from Voting, The Computer Journal,
Volume 45, Issue 6, 2002. pp. 672-682
[12] M. Kuhn. Personal communication.
[13] M. Kuhn. Probabilistic Counting of Large Digital Signature Collec-
tions, Proceedings of the 9th USENIX Security Symposium, Denver,
Colorado, USA, August 14-17, 2000, USENIX Association, pp. 73-83.
[14] T. Pederson. A threshold cryptosystem without a trusted party In
Advances in Cryptology, Proc. of Eurocrypt 91 LNCS 547, Springer-
Verlag, pages 522-526, 1991.
576,
[15] R. Rivest, A. Shamir, and L. Adelman. A method for obtaining digital
signatures and public key cryptosystems. Commun. ACM, 21, pages
120-126, 1978.
[16] Roberts Rules of Order Revised.
http://www.constitution.org/rror/rror--00.htm.
[17] Standing orders of the Scottish Parliament. Session 1(2001).
http://www.scottish.parliament.uk/parl_bus/sto-3.htm
[18] A. Shamir. How to share a secret Commun. ACM, 22, pages 612-613,
Nov., 1979.
[19] U.S. House of Representatives Committee on Financial
Services The European Unions Financial Services Action Plan.
http://financialservices.house.gov/media/pdf/052202dd.pdf
0-7695-2268-8/05/$20.00 (C) 2005 IEEE
Proceedings of the 38th Hawaii International Conference on System Sciences - 2005
8