115

A family of N people (where N >= 3) are members of a cult. A suggestion is floated anonymously among them to leave the cult. If, in fact, every single person secretly harbors the desire to leave, it would be best if the family knew about that so that they could be open with each other and plan their exit. However, if this isn't the case, then the family would not want to know the actual results, in order to prevent infighting and witch hunting.

Therefore, is there some scheme by which, if everyone in the family votes yes, the family knows, but all other results (all no, any combination of yes and no) are indistinguishable from each other for all family members?

Some notes:

  • N does have to be at least 3 - N=1 is trivial, and N=2 is impossible, since a yes voter can know the other person's vote depending on the result.
  • The anonymous suggestor is not important - it could well be someone outside the family, such as a someone distributing propoganda.
  • It is important that all no is indistinguishable from mixed yes and no - we do not want the family to discover that there is some kind of schism. However, if that result is impossible, I'm OK with a result where any unanimous result is discoverable, but any mixed vote is indistinguishable.

Some things I've already tried:

  • Of course, this can be done with a trusted third party - they all tell one person their votes, and the third party announces whether all the votes are yes. However, this isn't quite satisfying of an answer to me, since the third party could get compromised by a zealous no voter (or other cult member) to figure out who the yes votes are. Plus, this person knows the votes, and may, in a mixed vote situation, meet with the yes voters in private to help them escape, which the no voters won't take kindly to.
  • One can use a second third party to anonymize the votes - one party (which could really just be a shaken hat) collects the votes without reading them and sends them anonymized to the second party, who reads them and announces the result. This is the best solution I could think of, however I still think I want to do better than this - after all, in a live-in settlement cult, there probably isn't any trustworthy third party you could find. I'd like to find a solution that uses a third party that isn't necessarily trusted.
  • However, I do recognize that you need at least something to hold secret information, because if you're working with an entirely public ledger, then participants could make secret copies of the information and simulate what effect their votes would have, before submitting their actual vote. In particular, if all participants vote yes but the last one has yet to vote, they can simulate a yes vote and find out that everyone else has voted yes, but then themselves vote no - they are now alone in knowing everyone else's yes votes, which is power that you would not want the remaining no voter to have.

EDIT: After BlueRaja's comments, I realize that the concept of "trusted third party" isn't quite well-defined, and that at some level, I probably actually do need a trusted third party at least for reliably holding state. The key is what I would be trusting the third party to do - for instance, in the first and second bullet point examples, I may not trust a third party to know who voted what, but may trust them with the contents of the votes. Ideally, of course, I would still like to be able to operate without a trusted third party at all, but failing that, I would like to minimize what I have to trust the third party to do. (Also, yes, a third party can include an inanimate object or machine, as long as it can withhold any amount of information from the participants).

TheHans255
  • 1,268
  • 2
  • 6
  • 13
  • Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/111602/discussion-on-question-by-thehansinator-how-could-i-make-the-results-of-a-yes-no). – Rory Alsop Aug 09 '20 at 20:33

24 Answers24

58

The theory

This could be implemented in several ways, by applying the principle of idempotency.

You want a system that only produces a result (binary 1) if all the inputs are active, that is, it tells you that everybody wants to leave the cult only if everybody has voted yes, otherwise the system must not return any kind of information (binary 0). This is basically an AND relationship between the inputs, as seen in the following table (0 = no/false, 1 = yes/true):

Input: You want to leave the cult.
Output: Everybody wants to leave the cult.

0 0 0 | 0 
0 0 1 | 0
0 1 0 | 0
0 1 1 | 0
1 0 0 | 0
1 0 1 | 0
1 1 0 | 0
1 1 1 | 1 ---> hooray, everybody wants to leave, we can talk about it!

Now, that might not be trivial to implement safely, because you need something that can count (N-1 will not be enough to trigger the result, but N will), and something that is able to count might also be able to leak information about the number of votes. So let's forget about that, and realize that since you are actually dealing with single bits of information (either yes or no, 0 or 1), then you will be able to get valuable information if you just check the opposite (no instead of yes, 0 instead of 1, etc.). So if you check if they want to stay in the cult instead of leaving, and if you check if at least one person want to stay instead of checking if they all want to leave, you get the following truth table where all 1s have been replaced with 0s and vice versa:

Input: You want to stay in the cult.
Output: Somebody wants to stay.

1 1 1 | 1
1 1 0 | 1
1 0 1 | 1
1 0 0 | 1
0 1 1 | 1
0 1 0 | 1
0 0 1 | 1
0 0 0 | 0 ---> hooray, nobody wants to stay, we can talk about it!

Note that now we have an OR relationship between the inputs, which I believe is easier to implement safely, because you just need a system that respond to any input in the exact same way. Such a system would be idempotent: one vote is enough to trigger the output, and any subsequent votes would have no effect. Now, what can we use to implement such a system? The system would need the following features:

  • It must be trusted by everybody. It can't be built or bought by a single member of the family, or by someone else. So I suppose it must be something very simple that everybody can understand and trust. To avoid malicious manipulation of the system, it should also be operated while being supervised by all the members.
  • The voters must not be able to check the output before the experiment is over. This means that the vote must not return any feedback about the current state of the system. For example, blowing out a candle is not safe if you can see it, or feel the heat, or smell anything.

The system

The simplest solution I can think of is something involving an electronic device with an idempotent button, like a remote control to change the channel on a TV. Here's an example of how I would set up the system:

  • Get a device with an idempotent button. It might be a TV with a remote control, providing that changing to channel N always has the same effect no matter how many times you do it (idempotency). Or anything else you have at home, like a button to open a gate (if opening an open gate leaves it open), etc. The important thing though is that the system needs to be trusted by everybody, so if you really want to do everything safely the family might consider buying a new device (going to the mall, all together, and buying a trusted device).
  • Set up the system safely. All the family must be present while setting up the system, otherwise the system might be corrupted by the one who sets it up. In general, the whole family must be present and check all the operations from the beginning to the end of the experiment (like from buying the equipment to throwing it away safely).
  • Avoid any kind of feedback from the system while voting. For example, to change the TV channel, the TV and the remote could be under a huge thick blanket, and to vote you need to slide your hand under the blanket. But the volume should be muted, and maybe you'd better turn on some music in the background, loud enough to not be able to hear any possible buzz or noise from the TV. You might even want to define some delay between one vote and the next, to avoid getting any feedback from the possible heat of the remote control caused by the hand of the previous voter.
  • The voting process should be the same for everybody. During the experiment the other members must make sure the voter is not cheating (like peeping under the blanket, acting strange, etc.), so everybody is present during the experiment. There is a relatively fixed length of time that the voter should be able to stay with their hand under the blanket. Sliding it under the blanket and immediately pulling it out is not considered valid, since that would be an obvious and publicly distinguishable NO vote. From the outside, every vote must look pretty much the same.
  • Test the system before using it for the real experiment. You need to make sure everybody understand the process, votes correctly, and the system responds accordingly. The whole family takes part in several simulated votes for testing the system (simulated votes are fake and publicly known, not secret).
  • At the end, the system must be dismantled safely. Any buttons or parts that have been touched might need to be cleaned carefully, to remove fingerprints. If the family members don't trust the system after the vote, fearing that somebody might be able to extract information from it, all the parts of the system might need to be thrown away.

The vote

Supposing they have chosen to implement the TV-remote-blanket system, what happens is this. "Ok everybody, the TV is on, the current channel is 123. If you want to stay in the cult, change it to channel 0". Each member in turn slides a hand under the blanket and either changes the channel (if they want to stay in the cult), or pretends to change it (if the want to leave). At the end, the blanket is removed and... Channel 123! Then nobody wants to stay in the cult, hooray! ...or ...Channel 0! Then at least one member wants to stay in the cult! Or maybe all of them, there's no way to know.

Final notes

It was fun trying to think of a solution to this problem, but I consider this more of a thought experiment than a real security question. The problem is that the threat model is incomplete, because I don't think this scenario can actually make sense in a family where all the members are part of a cult. Cult members are brainwashed and paranoid by definition. They might not even trust a store to buy a new TV or a remote control, thinking anyone they don't already know (including any sellers) might be "enemies". It is definitely possible to set up a system without any electronic devices, using only simple objects like candles, pots, water, ropes, etc. That stuff might be easier to trust, compared to a black-boxed electronic device, but it might also be harder to make such systems work reliably. I'm also wondering: if a member of the family suggests that a vote is needed, isn't that suspicious? Why should a member of the cult want to know if everybody in the family wants to leave? Chances are the one who proposes this system is the one who wants to leave. Or this might all be a trap to find out who wants to leave.

reed
  • 15,538
  • 6
  • 44
  • 65
  • 40
    Regarding the TV-system, you could also remove/disable all buttons other than the 0, for a true binary choice (push or don't push) Otherwise voters also have the additional option of "resetting" by changing the channel to 123. – DBS Aug 03 '20 at 12:25
  • 16
    _"if a member of the family suggests that a vote is needed, isn't that suspicious?"_ This is the flaw in the premise I've mentally arguing the whole time. – Michael Aug 03 '20 at 15:37
  • Perhaps the "let's vote" suggestion is *also* anonymous (e.g. a typed note appears on the kitchen fridge overnight). Only the people leaving the notes would know if both notes ("I was thinking about leaving" and "let's hold an anonymous vote") were by the same person... – Chronocidal Aug 03 '20 at 15:48
  • Idempotence is really the key. You could simplify the operation to something as simple as pouring water into a closed bucket using a funnel. If each individual can independently choose how much water to pour in the bucket, there's no information revealed by how full the bucket is beyond the fact that the bottom is wet (assuming that the bucket can't be tampered with during voting and doesn't emit noise, etc). – zzzzBov Aug 03 '20 at 17:16
  • One could also setup two bowls of rice, one dyed in red on the right and one kept white on the left, then put them under a blanket. Voters have to take a few grains from the bowl on the right and put them in the bowl on the left if they want to stay. If the white rice remains clear of red grains, everyone wants to leave. – MFlop Aug 03 '20 at 19:05
  • 6
    -1 This answer relies on a trusted third party - a television, which we're trusting to not keep track of which remote the signal came from. Just because the trusted third party is commonly available and easily trusted does not mean it's no longer a trusted third party... – BlueRaja - Danny Pflughoeft Aug 03 '20 at 19:34
  • Put out a blank piece of paper and an ink stamp next to it. If there's still no stamp on the paper after 3 days, we all leave. – usul Aug 03 '20 at 20:02
  • 3
    @usul That leaks information though. If you go to it and see that there is already a stamp then you know someone else wants to leave. Maybe you could rig one of those stamp/ink pad combos to only be able to stamp one location but then you'd need to block the view of it and you could possibly tell by how dark the stamp is. – Captain Man Aug 03 '20 at 20:57
  • I downvoted this, because "just get a device which is programmed not to reveal the secrets, and make sure nobody takes it apart" is hardly a serious answer to a cryptography question. I think you've solved efficient public-key cryptography - we just send a flash drive in a box which anyone can close, but which won't open unless Alice inputs her password! – user253751 Aug 04 '20 at 16:06
  • @Michael: it does not have to be a suggestion of one person. It can be something which happens spontaneously and there is no one person who decided to. I have this a lot when with friends and when we are hungry - somehow everyone goes to restaurant X but nobody is seen as the one who "decided" (this includes the ones who wanted to go to Y but did not voice out a string opposition) – WoJ Aug 04 '20 at 16:13
  • 1
    @CaptainMan, the paper and stamp would indicate that someone wants to stay. So, no stamps after 3 days, you all leave. If at any point someone wants to stay, they make a stamp and everyone stays, not knowing who made the stamp (except for the stamper). – JPhi1618 Aug 04 '20 at 19:38
  • 1
    @JPhi1618 Say you're the second person in and there is a stamp... Well, you know who stamped. You need to hide that there is a stamp or not. – Captain Man Aug 04 '20 at 19:46
  • 1
    @CaptainMan, Oh, I just imagined it in a common area for a few days as people come and go, so there would be no order to the visits. You could come and go 30 times and then finally stamp it. I guess the others could be watching the area and see you, so not perfect, but could work in a pinch. – JPhi1618 Aug 04 '20 at 19:48
  • 1
    @JPhi1618 that’s not the point. Point is that if you have three people Stayven, Stayuart, and Goregory, then if Stayven stamps the paper, Stayuart will know that at least one other person wants to stay, so they know that it’s 2/3 to stay and not 1/3. They’re the only one who has this information but it’s still a leak. – Jeff Aug 04 '20 at 20:30
  • You're looking for an XNOR gate – marcellothearcane Aug 05 '20 at 14:07
  • 1
    Votes are classically done by putting a piece of paper into a box through a thin opening. This can be done here as well: Put paper in=you want to stay, otherwise not. To prevent being able to count votes even at the end, you can replace the single sheet of paper with confetti. All these TV/water/… solutions are pretty complicated. But neither of those, nor my solution addresses one more issue: Someone who wants to stay can still just not do it and vote for leaving, then spy on the others making their preparations and leak that to the cult. That's a problem in the question, not the answers. – Fabian Röling Aug 26 '20 at 15:28
38

This sounds like a classic case for cryptographically secure Multi-Party Computation.

The functionality to be realised using SMPC would be an AND tree-reduction which requires N-1 AND gates and has a depth of about log_2(N) AND gates with each "yes" vote being a truthy (1) input to the circuit and each "no" being a falsey (0) input.

The simplest solution for this would likely be to use the GMW SMPC protocol which allows for N-1 parties to work together without leaking any secret information. There is also a variant that allows for at most N/2 persons to deviate from the protocol.

The basic flow of the protocol is as follows:

  1. Each party has a 1-bit input and chooses N-1 random bits and computes the XOR of the random bits with the input bit. Then one random bit is distributed to one other party each and the owner keeps the XOR of the random bits and the inputs.
  2. Then the circuit is evaluated gate-by-gate which gives everyone an XOR-random share of the output value of that gate. XOR gates can be computed locally by simply XORing the shares of the input values. AND gates require an interactive protocol, which is a bit complicated, so I'll refer you to the (formatted) paper for that: "How to Play any Mental Game" by Goldreich, Micali and Wigderson (STOCS'87; PDF).
  3. At the end (after all the gates have been evaluated) everyone broadcasts their share of the output bit so that everyone can locally XOR them together.

Overall the above GMW protocol will require N * (N-1)/2 1-out-of-4 Oblivious Transfers from each party which should be somewhat efficiently computable for any reasonably-sized "family" and might not even require fancy techniques like OT Extension for this small number of participants.

As for software, MP-SPDZ seems to be a good starting point to look for implementations (as well as the awesome-mpc list). Though note that you will mostly find more advanced schemes there.

SEJPM
  • 9,540
  • 6
  • 37
  • 67
  • This looks probably correct, but I'm having a hard time following the steps. Doesn't the AND in step 2 screw up the XOR in step 3 _(which, if I understand, is intended to remove the random bits from the computation)_? – BlueRaja - Danny Pflughoeft Aug 03 '20 at 20:12
  • 1
    @BlueRaja-DannyPflughoeft The basic idea for the end calculations in step 2 is that for each gate each party has one XOR-share of each input and at the end of the (non-trivial) sub-protocol each party has one XOR-share of the AND of the two previously XOR-shared inputs. To clarify this imagine the two-party case: A has L_A, R_A and B has L_B, R_B s.t. L_A XOR L_B = L and R_A XOR R_B = R. The protocol now allows to A to get O_A and B to get O_B s.t. O_A XOR O_B = L AND R. (the lack of LaTeX on this site really sucks :( ) – SEJPM Aug 03 '20 at 20:46
26

A very low-tech method: give each voter a card with a hole punched in one end, offset from the center. Make a container that holds the cards, and has a hole punched through it that lines up with where the hole in the card would be if entered face-up. Everyone votes by placing their card in the container face-up for yes, face-down for no (with the box suitably concealed to prevent anyone from seeing the votes themselves). A rod is then inserted through the hole in the container. If everyone voted yes, the rod falls through. If at least one person voted no, the rod will be stopped.

user240587
  • 261
  • 2
  • 2
  • 9
    This is a nice solution (+1). It is important to find out a way to discard the voting cards securely, so that the votes themselves (and the order they were stacked) is not known. – WoJ Aug 04 '20 at 10:04
  • I would use a tube, with a glass cap at the end. Each person is given a clear (leave) and black (stay) marble, They each roll one marble into the tube, without looking into it, the other marble is put into a bag.. Afterwards, one more clear marble is rolled into it. Finally a light is shone through the tube. If it comes out the other end, then all voted leave. The tube, bag, and marbles are then destroyed. – CSM Aug 04 '20 at 11:29
  • How do you prevent the box from being inspected? For instance, I might have noticed that Joe placed the first card into the box, and check the bottom card to see how Joe voted ... – meriton Aug 04 '20 at 12:59
  • 1
    @meriton the box could be made out of cardboard and burned after the vote takes place. You could also pad the box with a number of "yes" oriented cards on either end to make it difficult to ascertain who in the voting order placed the first "no" vote. – Paul Belanger Aug 04 '20 at 20:13
  • 1
    https://en.wikipedia.org/wiki/Blackballing done with providing each voter two balls of different colors, both placed into the voting device, or a single ball and a voting device with separate drawers, etc. – Jeff Ferland Aug 05 '20 at 17:23
15

There's a cat in a box with a vial of poison gas. The vial is rigged to a button (marked "No") that will release the gas. Right next to that button, there's also a dummy button that makes an identical clicking sound (marked "Yes"). The box is soundproof and you can't see into it. The family is seated in front. The buttons are at the back. Each person gets a turn to walk behind the box and press a button. When everyone has had a turn, the cat—and hence by extension the cult—is in a superposition of states. Collapse this by opening the box—or, for even better results: put on gas masks, then open the box. Finally, either bury the cat or disband the cult, as appropriate. In the latter case, use a secondary voting procedure to decide who keeps the cat.

jez
  • 287
  • 1
  • 4
  • 2
    We should use a rat instead of a cat, to avoid impact to the results by cat lovers or ASPCA. – Aganju Aug 03 '20 at 18:17
  • 2
    LOL - I love how we're trying to decide which animal to kill, when you could just change it to 'spills some paint' or such. Definite +1 on the answer - this is definitely the right applicable way to solve the problem. – Kevin Aug 03 '20 at 18:38
  • 7
    @Kevin I had a whole spiel written out, about each person putting an arbitrary number of drops of ink into a jar of water, and I was about to hit submit when I realized what it was isomorphic to. – jez Aug 03 '20 at 18:51
  • 1
    This device is by definition a trusted third party – BlueRaja - Danny Pflughoeft Aug 03 '20 at 19:43
  • @BlueRaja-DannyPflughoeft not in the sense the OP is worried about: (1) it is not compromised if we allow all family members examine the mechanism and procedure, to satisfy themselves that it works as intended (analogy: open-source encryption); and (2) the machine retains no information about who/how many pressed the "No" button, so cannot be compromised for witch-hunting purposes. – jez Aug 03 '20 at 19:59
  • 2
    If we're going to allow "open-source devices" to not be considered "trusted third parties", then then the answer is trivial, and doesn't require killing any cats: use literally any open-source automated voting machine. But by the normal definition, all those devices (including yours) are trusted third parties. – BlueRaja - Danny Pflughoeft Aug 03 '20 at 20:24
  • 9
    And a tertiary voting system to decide who has to open the box, ideally with gas mask *and* body armour. To quote Terry Pratchett, a cat in a box has three possible states: alive, dead, and bloody furious. – Graham Aug 03 '20 at 22:47
  • How many cats does the family have? The process should be repeteable – bradbury9 Aug 05 '20 at 11:43
  • @bradbury9 They know a guy who knows a guy. You want a cat? He can get you a cat. – jez Aug 05 '20 at 12:04
  • 1
    The cat votes yes for leaving this cult! – Esa Jokinen Aug 06 '20 at 19:29
14

This is actually a tough problem! So here's my paper-and-pencil solution, trying to keep it as simple as possible.

  1. Every person gets 3 slips of paper. They secretly write down a different 2-digit number on each of them and put them face-down in front of them.

  2. Each person grabs 3 slips from other people, ideally no two from the same person.

  3. Each person writes what those 3 slips add up to. If they wish to vote no, they may write a number higher than the real total. Go ahead and display this info.

  4. Repeat step 2, so each person has 3 new slips of paper.

  5. Each person writes what those 3 slips add up to, but this time keeps their sum face down. If they wish to vote no, they should write a number lower than the real total. (This is optional if they already mistotaled back in step 3.)

  6. Each person destroys the original slips of paper in front of them. All that's left after this is the sum they did in step 3 and the sum they did in step 5.

  7. Everyone displays their sums at the same time.

Do all the sums in step 3 add up to all the sums in step 7? If not, there's at least one 'No' vote.

Why does this work?

There's no secret generated by a third party. Aka, nothing is generating a large prime or anything like that. If 'something' is generating info, it'd have to be trusted by all the parties involved. This bypasses this, because the secret (what the total is) is generated by all the involved parties, while not being something that any of them know.

There's no chaining of info. Person B's work doesn't depend on output from anyone else. They can't use their input to figure out whether Person A is lying.

There's no way of determining whether someone's total is legit. If they say '218', the only way of knowing whether that's a possible number is to know what all the slips of paper said. But nobody has seen all the slips of paper.

Kevin
  • 882
  • 5
  • 10
  • Cute. It's like designing an unwinnable "defector" board game. – Michael Aug 03 '20 at 20:12
  • 1
    How dependent is this on the randomness and untraceability of the two "grabbing" procedures? If you were able to watch and memorize who grabbed which slips when, would that give you any information about people's votes? – jez Aug 03 '20 at 22:14
  • @jez - not sure, but I doubt it. I mean, if you saw that person A grabbed slips written by B, C, and D - you could ask B, C, and D what three values they wrote down, and then use that to determine whether A was lying when they said the total was '162'. But you'd be relying on B, C, and D all telling you the truth (and remembering accurately what three original numbers they wrote.) You might also ask E, F, and G - all of whom took person A's slips for the second round, but you're in the same boat: you're trusting them to all tell you the truth and remember accurately. – Kevin Aug 04 '20 at 03:14
  • It's also worth noting: I purposely kept the process as simple/easy as possible to grok. If I was trying to make this as bullet-proof as possible, I would suggest using N-1 pieces of paper. So if the family had 11 members, they'd each have 10 slips of paper to fill out. That way, the only way of determining whether someone lied or not would be to trust every single other member of the family to tell the truth (instead of just needing to trust 3.) Which you can already do ("Did you all vote Yes? Then Bob must've voted No.") – Kevin Aug 04 '20 at 15:33
  • 5
    Can't this leak information if only one person votes "No"? If they increase the sum by x in step 3 and decrease it by y in step 5, then the final sums are different by (x+y). The person who voted "No" would immediately know that they were the only one who voted that way. "I have proof that everyone else in my family wants to betray the cult!" sounds like bad information to leak. – Rob Watts Aug 04 '20 at 19:55
  • 3
    One more caution: This also presumes they can all perform basic math as well as being numerically literate, which is more of a gamble than trying to defect. Your lack of faith in the team has been reported. /s – CodeShane Aug 05 '20 at 06:38
  • @RobWatts They're adding up different numbers. Nobody knows who altered the sums, only that they were altered. – Loren Pechtel Aug 05 '20 at 19:17
  • @LorenPechtel - what he's saying is, if I voted no and adjusted the first total by 3 and the second total by 5... if I see the difference is 8, I'll know that nobody else manipulated the numbers. Which is a good point, but I'm not sure how much difference it makes to the specific question by the OP (witchunts and the like.) – Kevin Aug 05 '20 at 20:54
  • It's unlikely, but also possible that two or more people make offsetting lies. – Sam Aug 05 '20 at 21:39
  • 2
    As written, this protocol would be subject to collusion by a group of people to ascertain how a third voted without having to be counted as voting "yes" themselves. – supercat Aug 05 '20 at 22:13
  • @Kevin Good point--you can determine if you're the only no voter. The information doesn't seem too useful, though, in that case you know you have no allies. – Loren Pechtel Aug 05 '20 at 22:26
  • 1
    @LorenPechtel unfortunately the one person does have allies - the entire rest of the cult. – Rob Watts Aug 05 '20 at 22:38
  • @RobWatts Huh? The only leak I see is when only one person chooses to stay. They find out that everyone else wants to leave. No allies. – Loren Pechtel Aug 06 '20 at 00:02
  • 2
    @RobWatts - that's a good point. The person who knows "I'm the only person that wants to stay here" decides, "Heck with my family, I'm going to report them all to the Grand Wahoobah! I have a new family now, and they all love me" – Kevin Aug 06 '20 at 00:50
  • @supercat - that's why I added that comment - that if that's a fear you have, just change '3' to 'N-1'. That way, the only way you could deduce another's vote is if everyone else got together and trusted each others' statements – Kevin Aug 06 '20 at 00:50
  • @Kevin: I appreciate that you're trying to approach this from a mathematical/cryptographic perspective, but I think a robust solution should generate indelible proof that every person has voted yes before anyone would be able to ascertain that to be the case. Even if at the last step someone tried to change their mind, other participants would end up with proof that they had previously voted yes. – supercat Aug 06 '20 at 04:51
13

Required utensils: Pen and paper.


As a group, pick a big prime p.

Everybody picks a secret pair of numbers ai, bi with aibi ≡ 1(mod p). For example, pick ai randomly in the range 1…p − 1 and find bi by the extended Euclidean algorithm. If either ai or bi is suspiciously small (say, less than half as many digits as p), just start over with a new random value. Those who want to answer "no", pick both ai and bi at random instead.

Now the numbers are swapped around: Everybody gives their ai to their left neighbour, and receives aj from their right neighbour.

Everybody now multiplies mod p their now held pair of numbers and announce the result. Now the announced numbers are multiplied mod p. If everybody voted "yes", the final result will be 1. If any number of them voted "no", the result will be a random number and so very likely not 1 (so we may want to make p bigger to increase confidence).

kelalaka
  • 5,474
  • 4
  • 24
  • 47
Hagen von Eitzen
  • 1,098
  • 8
  • 19
  • 7
    Wouldn't the person on your right and the person on your left be able to collaborate to figure out whether you were voting 'Yes', though? If we're worried about witch hunts, couldn't one person say "Hey, I'm kinda suspicious of Bob. He gave me ###### - what did he give you? Let's find out if he voted Yes" – Kevin Aug 03 '20 at 18:36
  • 1
    Can't you just throw all the numbers into a hat so there's no way to trace individual numbers back to a specific person? – NotThatGuy Aug 03 '20 at 21:12
  • Are we assuming the cult members here are performing these computations by hand? If so, is there something that would prevent them from simply falsifying their computations? I'd suggest we would want to require them to prove their answers to all other members. – securityOrange Aug 04 '20 at 03:09
  • @Kevin Bob only gives one person one number, his *a*. He *receives* a number from a different person – timuzhti Aug 04 '20 at 12:52
  • 2
    @securityOrange doing the multiplication and then lying and giving a random number isn't really distinguishable from just doing the multiplication with a random number in the first place (i.e. simply voting no). Of course, there may be side channels, if the effective-no-voter decides that actually doing the multiplication is too much bother and just gives the answer ;) – timuzhti Aug 04 '20 at 12:58
  • @timuzhti - ah, I missed there wasn't a pass both directions. But it's still the same issue. Whoever Bob gives his number to? If Bob is telling the truth, there's only one other number they can have (the one, multiplied by the other, that is mod=1 with respect to P.) If that person collaborates and asks, "Hey, what number did you give Bob?" it should be trivial to figure out whether Bob is lying. – Kevin Aug 04 '20 at 13:44
  • I believe your scheme could be significantly simplified (in particular, by working in the additive group modulo an arbitrary large number _m_ instead of the multiplicative group modulo _p_), but it also suffers from a fundamental flaw: a "no" voter can determine whether or not everyone else voted "yes". And I don't see any way to fix that. – Ilmari Karonen Aug 04 '20 at 15:55
  • You lost me at "pick a big prime". (in reality the answer is fine, I just feel that that since OP provided an actual context for the question (family, cult, ...), the answer should be understandable by the art major cousin) – WoJ Aug 04 '20 at 16:15
  • Worth noting: Any individual's vote could be discovered by their two neighbors collaborating; if I wrote numbers A and B, my left neighbor learns A directly and my right neighbor can figure out B by multiplying what I say by the inverse of the number they gave me. If my neighbors wanted to break the system and trust each other, they could work together to learn AB. – Milo Brandt Aug 05 '20 at 15:51
  • @timuzhti I wouldn't agree, since the variation that lying about your computations could undo the vote. For example, if N = 3 and there was 1 vote, and if 2 out of 3 people do the multiplication honestly except for the last, there's a 50% chance that person gives a yes and undoes the outcome of the vote. Relying on only 1 negative vote makes it a brittle system, so a single dishonest person - a single Byzantine general, shall we say :D - corrupts the result. Know what I mean? :) Thoughts? – securityOrange Aug 06 '20 at 04:47
  • 1
    @securityOrange The cipher used is fragile, yes, which is honestly a good illustration of why you shouldn't roll your own. The way I see it, this answer *tries* to use/design a homomorphic cipher that's hopefully reducible to integer factorisation or the discrete log, and also at least OW-CPA if not IND-CPA (which is hardly impossible, RSA does it), but doesn't quite work—because in the process of simplifying things, it ended up using the wrong function, which reduces to an easy problem! The best ciphers for this are probabilistic by default, so they can be IND-CPA while remaining homomorphic. – timuzhti Aug 06 '20 at 13:15
10

This is a really cool and interesting question. I really like this.

So, I think we should start by breaking down what you're trying to do in the most abstract, information theory-y way possible. Here's my understanding:

  • N > 3 nodes in a group are communicating with one another.
  • They're transmitting either a 0 or a 1, a yes or a no.
  • We're going to take all inputs, then AND them. In other words, we don't care about outcome unless everything is a 1; if it's not all 1, it's 0. (If you're not super familiar with logic gates, this might be interesting.)
  • Each node's transmission must be unknown by all other nodes.

The question then becomes how technical the solution should be. A more technical solution, with a single fundamental technique, makes this pretty simple:

  1. All nodes attest to their identities in-person, and each node produces a public-private key-pair and gives their public keys to a centralized server.
  2. They then transmit their votes to the centralized server, which decrypts them using their public keys.
  3. The server performs an AND and returns the result.

If we wanted to try and make it lower tech, I think we would want to go with some weirder solutions. Here's one that comes to mind:

  • Some dissolvable material is placed in a container, with a small amount of water. Each person takes turn pouring a chemical into it, blindfolded and holding their breath, with significant background noise.
  • They select either water for yes or a colorless, odorless acid for no. The acid is strong enough as to dissolve materials in a considerable amount of solvent, over time.
  • After pouring their votes, the setup then stands undisturbed for some amount of time. This amount is determined by finding the amount of time required to visibly dissolve the object, given a vote result of N - 1 negative votes.
  • After the determined amount of time passes, all members view the results, separately (in order to avoid expressing reactions), then converge to discuss the results.

Ultimately, regardless of how much computers play into the choice, the answer is about preserving confidentiality and integrity in a transmission environment that drops confidentiality if the transmissions pass an AND gate. The water-acid solution is one among many possibles, but in my opinion it still gets the job done.

Great question! This was really fun to think about. If I missed any constraints you already mentioned, stick it in a comment and I'll revise.

Edit: initially I said that water was "no" and acid was "yes". It should've been the other way around. Thanks for pointing that out, @TripeHound.

securityOrange
  • 921
  • 5
  • 12
  • 3
    I like the chemical solution, and there might be a simple solution with chemicals changing color based on a slight change in pH. If yes is adding just water and no is adding a solution that slightly alters the pH, both yes and no can be odorless and colorless. The bottle used as a ballot box can be painted, so the results are only revealed after pouring it out of the bottle. – Esa Jokinen Aug 03 '20 at 06:21
  • It's only too bad that scientist like chemists are less likely to join a religious cult. :) – Esa Jokinen Aug 03 '20 at 06:22
  • 7
    Is your no=water, yes=acid not the wrong way around? My reading is that the acid dissolves the material (if it dissolves in water, since it starts in water, it will always dissolve). Therefore, if _anyone_ says "yes" (=acid), even if all the others say "no", the material will (after sufficient time) dissolve. If no=acid, then if _at least one person_ says "no", the material dissolves: it will _only_ remain if they all say "yes" (i.e. all add water). Or have I missed something? An ingenious solution (?) in any case! – TripeHound Aug 03 '20 at 12:54
  • Both of these examples use trusted third parties (in the second case, the "third party" is the chemical we're trusting to behave as we expect) – BlueRaja - Danny Pflughoeft Aug 03 '20 at 19:51
  • @TripeHound You're right! I made a mistake. Thanks for pointing that out! Yes, the negative vote should be the acid, and the positive vote should be the water. Really, the acid/water combination can be anything: the important thing is idempotence properly, as jez mentions. The "yes" should be the idempotent answer, so that by default we have no effect; the "no" should be strongly non-idempotent. – securityOrange Aug 04 '20 at 03:02
  • @EsaJokinen I completely agree - rather than being an acid, you could also make it a color. I thought about that too. I think it works? But in practice, measuring the amount of coloring in the water might be hard, unless you looked at pigment particles per million or something, whereas if you dissolve an object you could measure a change in volume or something similar. (Just be sure it's waterlogged when you measure the volume the first time.) What are your thoughts? – securityOrange Aug 04 '20 at 03:03
  • @BlueRaja-DannyPflughoeft I don't agree. As long as all cult members source the chemical together, I think it's not a third party at all. What are your thoughts? – securityOrange Aug 04 '20 at 03:07
  • @securityOrange: No, I wasn't talking about coloring the water, but about **pH indicators** that will change the color completely after a certain threshold level of hydronium (H3O+) or hydrogen (H+) ions. See [the complete solution as an answer](https://security.stackexchange.com/a/236622/70406). – Esa Jokinen Aug 04 '20 at 06:39
  • 1
    You forgot the important step of pouring an equal amount of the other liquid either into a separate container or down the drain. That way no one can look at the reduced volumes of liquids between answers and determine how someone voted. – user3067860 Aug 05 '20 at 13:51
10

Can't comment because I am newbie.
To add/comment @reeds and @securityOranges answers:
This seems like it could be easily done with switches as semi low tech option.

Make circuit such as:
Battery to switch to switch to switch to led back to battery.
Then one can even build and demonstrate its fair working in front of all participants.
Wires could be as pretty much as long as needed.
Lights/leds could even be added to next to each switch.
Thou I would probably just give people cardboard box to hold their hand while being in same room.

Buttons can be used to ensure that even if system is physically stolen during votes they return to their original state fast enough that no information can be gained.
Then just people to look at the clock and everyone will vote for ~10 seconds when clock hits certain time.

Edit: I build demonstration of this:
https://imgur.com/a/kb6XQe6

In brief:
1. and 3. button being pressed, No blue LED

Above two of three buttons are pressed but no light. Bellow all of the three buttons are pressed and thus light came. All the buttons being pressed, blue LED

And here hopefully picture to clear connections between components: Connections explained

1, 2 and 3: From battery to first button
4, 5 and 6: Buttons
7, 8, 9 and 10: connection to resistor
11: the resistor
12: the LED
13:Connection back to "Battery"

I used Arduino as my battery but could have been any other method to deliver power for the led.

Qmppu842
  • 109
  • 4
  • 1
    One improvement is to combine this with a latch circuit triggered by a timer so that the results of the voting are sampled exactly once. Otherwise someone can potentially test whether they were the only dissenting vote by toggling their vote while the output is displayed. – Dan Bryant Aug 03 '20 at 15:59
  • @DanBryant No need for even that, a fuse that blows more or less instantly when current is connected is sufficient. – March Ho Aug 03 '20 at 16:10
  • I think you people are still thinking too high level. I made physical demonstration of this working with all the combinations shown for fun. [Here in this gallery https://imgur.com/a/kb6XQe6](https://imgur.com/a/kb6XQe6) that you should be able to see, I demoed it. – Qmppu842 Aug 03 '20 at 19:12
  • This device is by definition a trusted third party – BlueRaja - Danny Pflughoeft Aug 03 '20 at 19:42
  • @BlueRaja-DannyPflughoeft Can you explain? I fail to reason myself how or what part needs third party trust. – Qmppu842 Aug 03 '20 at 20:01
  • A "trusted third party" doesn't need to be a person, it can be a device we're trusting to be secure and anonymous. In this answer, that device is a custom circuit built by you. – BlueRaja - Danny Pflughoeft Aug 03 '20 at 20:20
  • 3
    But point is that it is so simple that it can be done in front of the voters. The voters can examine it and they could build as many as they want to to add redundancy. They could even build each their own and test them separately and press all of them at the same time. – Qmppu842 Aug 03 '20 at 20:26
  • @Qmppu842. I mean, sort of. To be honest, if you handed me that device, my first thought would be "Wait, how do I know if the wiring is as its been described to me?" And I'd play around with it, trying out all the buttons, and be happy for a bit... until I thought "Wait, how do I know there's not a hidden Nth button that alters the behavior of the device?" I mean, if I was proficient enough, I might be able to examine the device and trace all its inner workings and have full trust in it... but apart from that, I'd have no guarantee that the end result of it was true. – Kevin Aug 03 '20 at 21:20
  • @Qmppu842: The simplicity of creating the trusted third party is irrelevant. It's still a trusted third party. – BlueRaja - Danny Pflughoeft Aug 04 '20 at 01:24
10

This improves securityOrange's thoughts, but in a more reliable form without waiting.

Chemical solution using a pH indicator

Let's look at different pH indicators, halochromic chemical compounds i.e. compounds that reacts to the acidity or basicity of the solution by changing color. This corrected picture from EduMission blog shows some examples, and there's a more complete and accurate chart available on Wikimedia.

enter image description here

As we don't want to get hurt while mixing these solutions, it's better to choose compounds where the transition is sharp enough to be clearly noticed, like thymolphthalein that is blue above pH 10.5 and colorless below 9.3. Phenolphthalein is not as good, because it turns back to colorless above pH 10. Also, too accurate measurement of the pH would give away the information on the vote count.

This works for quite large groups, because the pH scale is logarithmic: adding 1 grams of sodium hydroxide into 60 liters of water results in pH 10.6!

Voting arrangement:

  1. Prepare e.g. sodium hydroxide solution for casting no votes. If you add e.g. 0.4 grams of sodium hydroxide to 0.4 liters of water, you get a solution with pH 12.4.

  2. Have a flask of water for yes votes (pH 7). Both liquids are colorless and impossible to distinguish by eye. Therefore, it's important that the solutions are prepared together with the others.

  3. Everyone on their own turn takes a full pipet of either solution and pours it into a third flask; let's call it a ballot box solution. It's important to use a pipet small enough compared to the sizes of the flasks so that the surface height doesn't give any hint on which solution was already used.

  4. For counting the votes, drop thymolphthalein to the ballot box solution.

    If it turns blue, at least someone has casted a no vote. Let's see again how the logarithmic nature of pH affects if 10 people votes with this solution. The gray area shows the transition range of thymolphthalein where we cannot say for sure what the color would be.

    pH as a function of casted no votes

  5. To check the results, you could add thymolphthalein in both the original solutions to ensure it works as expected. After that, mix everything together to prevent more accurate measurement of the pH or the volumes afterwards, as it can reveal the exact vote counts.

Esa Jokinen
  • 16,725
  • 5
  • 51
  • 56
  • This is simply a chemical-based implementation of the "[blackball](https://en.wikipedia.org/wiki/Blackballing)" scheme. – schroeder Aug 06 '20 at 10:57
  • 2
    No, it's not. The blackball scheme preserves the vote count, and this problem was about **hiding the vote counts** in all other situations but when everyone has voted yes. – Esa Jokinen Aug 06 '20 at 11:54
8

With household items: Everyone prepares a glass of water, distilled would be best. If you want to vote no, dissolve any amount of salt in your glass. Everyone must stir their glass to prevent stirring motion being a give away.

Simultaneously combine the glasses of water into a pan. Glasses will be submerged in a bowl of water to prevent drops being traced back to the voter. Boil the water off, if there is a salt residue then it was not a unanimous yes vote.

Phil
  • 181
  • 3
  • The problem is that the current voter (the further they are in the voting line, the better) can check (by sampling the water) if someone has already voted "salt" or not. – WoJ Aug 04 '20 at 15:56
  • 2
    After being filled with water but before salt is added, the pan is in public view. All participants can watch the pan and can attack anyone who attempts to perform unauthorized sampling. – Brian Aug 04 '20 at 18:43
  • @Woj I had intended that the glasses be poured into the pan at the same time. Updated to clarify. – Phil Aug 05 '20 at 07:13
  • This is simply a salt-based version of the "[blackball](https://en.wikipedia.org/wiki/Blackballing)" scheme. – schroeder Aug 06 '20 at 11:00
  • 2
    @schroeder with blackball, you can afterwards count how many black balls were cast, which violates the requirements. With this scheme, you can never say how many people put salt in. – rumtscho Aug 06 '20 at 11:37
  • You assume a 1:1 ratio of balls to voters. – schroeder Aug 06 '20 at 11:39
  • 2
    @schroeder even without a 1:1 ratio of balls, if I put x black balls in, I can deduce if anyone else voted with me if there are >x black balls. Potentially if a voter in my scheme accurately weighed the salt beforehand and accurately weigh the residue after, they could make a similar deduction, but this could be trivially prevented by a washing the pan before anyone has a chance to weigh it. – Phil Aug 06 '20 at 14:12
6

Use layers of encryption, where each family member has a key to only one of the layers.

enter image description here

Step 1: Encryption

At the beginning of a vote, have one member of the family encrypt a simple message that says "Yes, we all want to leave." After the first person encrypts the message with a private key they've just generated, the first person emails it to another family member to encrypt the already-encrypted-message again with their own private key, and then passing it on until all members of the family have added a layer of encryption. This provides an "onion" of encryption, with each member of the family having added a layer of encryption to the message.

Step 2: Decryption

During voting, members email out their real or fake private key. If any fakes are provided, the message cannot be decrypted.

Only when all members of the family have provided their true key to each other, they can all decrypt all layers of the encrypted message.

Step 3: Future voting

If the family decides to hold another vote next year, they'll need to come up with new private keys for themselves and begin the process again from the start.

Nick Bonilla
  • 217
  • 1
  • 3
  • 1
    I think this works provided the fake private key leads to an incorrect decryption rather than a failed decryption. That way the group won't see whose key failed to decrypt. – niemiro Aug 03 '20 at 17:45
  • 2
    Indeed. It seems like a symmetric scheme, such as one akin to a one-time pad (XOR with random bytes), could have the same effect but be less traceable. – David Z Aug 03 '20 at 18:08
  • 5
    I'm not sure this works. Person B has access to two pieces of data: what Person A sent them, and what everyone says their keys are. So Person B can figure out what Person A voted (just check: is the data that they were given decipherable with what A later said their key was?) Likewise, Person C has the the data that B sent to them, along with what A and B both said their keys were. If A and B both voted Yes, C should be able to decipher the data. If not, then one (or both) of them voted No. – Kevin Aug 03 '20 at 18:49
  • 1
    This is by far the best answer so far _(most of the others rely on trusted third parties that they've disguised as televisions or chemicals)_, but it still has some issues. The most glaring is what @Kevin mentioned: the second-to-last person will know what the last person voted. I think this can be fixed by having everyone do a second round of encryption. The other issue is that it's [repudiable](https://en.wikipedia.org/wiki/Non-repudiation) _(someone who voted 'yes' can prove they voted yes)_. – BlueRaja - Danny Pflughoeft Aug 03 '20 at 19:55
  • decrypting the message with either the real or fake key both lead to gibberish, like @niemiro stated. – Nick Bonilla Aug 04 '20 at 01:56
  • @NickBonilla - we're not talking about decrypting the original/final message - but the *input* that a specific person has. Let's say there are 4 people: Alice, Bob, Charlie, and Diane, and they're encrypting in that order. Alice encrypts a message and hands it to Bob. Later on, Alice is going to tell everyone her encryption key - so at that point, Bob knows how Alice voted (aka, was his input decryptable by Alice's key?) Likewise, when Bob hands Charlie the second layer of the onion, Charlie is later on going to find out what Alice and Bob had for keys, and know if they both voted yes. – Kevin Aug 04 '20 at 15:26
  • Since encryption/decryption of each of the layers is dependent on the previous one, how do you ensure that the right key is applied? You keep track of the orders of the votes? – WoJ Aug 04 '20 at 16:05
5

Trying to keep this as low-tech as possible.

  • Everyone is given two small pellets, a steel BB and a plastic airsoft pellet (equal size but different composition).
  • Inside the voting booth are two slots, one labeled "Vote" and one labeled "Discard". Each slot leads to an opaque bag. Neither the bags nor their contents can be observed directly.
  • The "Vote" bag is pre-populated with several plastic pellets, and the "Discard" bag is pre-populated by several steel pellets.
  • If the voter wants to leave, they will place their plastic pellet in the "Vote" slot. If they want to stay they place their steel pellet in the "Vote" slot. The remaining pellet gets placed in the "Discard" slot.
  • After everyone has voted, the bags get tested with a rare-earth magnet. If the "Vote" bag is attracted to the magnet, then it contains at least one steel pellet (thus at least one person voted to stay). If it is not attracted to the magnet, then everyone voted to leave.
  • The "Discard" bag is the control group. Since it was pre-populated with steel pellets, it should always be attracted to the magnet regardless of the vote.
  • Once the result has been determined, each voter visits the voting booth one last time. On this last trip, they can place any number of pellets of either type into either (or both) slots.

This should keep voting anonymous and untraceable. The voting tokens contain no traceable information like handwriting, and the voter uses both of them regardless of their choice. An eavesdropper cannot determine your vote by listening for the sound of the pellet because there's no way to know which bag the voter used first. The magnet allows you to test for the presence of a "stay" vote without directly examining the votes themselves. The final trip through the voting booth adds enough random noise to the data that the original vote counts will be completely unrecoverable by whoever tears down the voting booth.

The only information that leaks from the process is the strength of the attraction between the magnet and the bag's contents. A weaker attraction means fewer "stay" votes. This is an acceptable level of leakage for a couple of reasons. First, attraction strength is not something that humans can quantify without special equipment. Perhaps more importantly, attraction strength will vary considerably based on how the pellets are arranged in the bag (i.e., stronger pull when closer to the magnet). This unpredictability should add a large enough margin of error to any vote count guesses to make those guesses worthless.

The drawback is that this procedure might work for a family but could be tricky if the number of voters grows too large. A single metal pellet mixed in with a large number of plastic pellets could be missed unless you have an unreasonably powerful magnet.

bta
  • 1,111
  • 6
  • 10
  • This is a very complex variation of the "[blackball](https://en.wikipedia.org/wiki/Blackballing)" scheme. – schroeder Aug 06 '20 at 11:00
  • 1
    @schroeder - That's the basic idea. The extra complexity is just there to provide the requested anonymity and masking of vote totals. – bta Aug 06 '20 at 15:32
4

I think this problem can be solved in the following simple low-tech way. Give each voter two rocks, a heavy rock which stands for yes and a light rock which stands for no. Voting is done by putting one of your rocks in a floating object. The object only sinks when all of the voters put their heavy (yes) rock in the floating object.

thieupepijn
  • 140
  • 3
  • 1
    You would need to make the rocks visually identical (or someone would know the vote status so far). Then you need to block the floating object so that the submersion does not change (giving a hint about the previous votes). Then the voter must not be able to touch the setup, otherwise they could check the weights and have an idea about the votes so far. – WoJ Aug 04 '20 at 16:02
  • Finally the submersion based on all the weights being present to submerge the object is complicated to do : if you have a small difference between the weights, you must be extremely precise with the system (only a small difference will trigger submersion). If the differences are large, then several light objects may equal one heavy. – WoJ Aug 04 '20 at 16:02
  • Or just give everyone an identical cannister and two weights, 1kg and 3kg. Everyone discreetly places one of the weights in his cannister then everyone comes together and places them on one side of a set of scaled. After everyone has placed their cannister, place a weight of mass 3n - e kg for some small e on the other side. Determine the outcome. Remove the 3n kg weight then allow each participant to remove his cannister. – Hugh Aug 06 '20 at 06:20
  • This is simply a variation of the "[blackball](https://en.wikipedia.org/wiki/Blackballing)" scheme. – schroeder Aug 06 '20 at 10:59
  • 1
    @Schroeder I don't think this a variation of the blackball scheme. In the blackball scheme the (exact) number of positive and negative votes are known. Something the OP explicitly doesn't want. – thieupepijn Aug 06 '20 at 21:58
3

Get some plywood, some small felt (or other soft, non-noisy) balls that are indistinguishable from one another, and some wood screws. Build a box with two holes in the front, one marked "Leave" and the other marked "Stay". It needs to be difficult to disassemble to prevent tampering, so don't skimp on the screws. Each hole leads to a ramp which will deposit a ball in the bottom of the box, however, the "Stay" hole has a notch the size of one ball. Attach the box to the wall (to prevent anyone from tilting it). Set up a "voting booth" of sheets or something around it to keep anyone from seeing another person's vote, and limit the time each person spends in the booth to just long enough to put their ball in a hole.

If anyone puts their ball in the "Stay" hole, that ball will fall into the notch. Any subsequent "Stay" voter's ball will roll over the the notch (similar to the yellow marble in this video; some tuning may be required to make sure other balls roll over the way they're supposed to) and fall into the bottom, same as the "Leave" votes. Once everyone has had a chance to vote, disassemble the box and see if there's a ball in the notch.

  • This is simply a variation of the "[blackball](https://en.wikipedia.org/wiki/Blackballing)" scheme. – schroeder Aug 06 '20 at 11:01
  • @schroeder In blackball voting, everyone can see how many negative votes there are. The OP required that nobody can know how many people voted negative, only whether at least one person voted negative. – HiddenWindshield Aug 06 '20 at 13:51
  • You're assuming 1:1 ratio of voters to balls. – schroeder Aug 06 '20 at 13:52
  • 1
    @schroeder the blackball scheme leaks information if only one person voted stay - they know how many black balls they put in, so if they see that many they know they are the only one who voted no. This solution cleverly avoids that problem. – Rob Watts Aug 06 '20 at 17:32
3

This can be reduced to the dining cryptographers problem.

The protocol is relatively simple.

  1. Get some dice for generating uniform numbers in the range 0..M-1.

  2. Arrange everyone in a circle, so that they are next to two people: one to the left, and one to the right.

  3. Everyone meets with their partners and generates a shared secret, a uniform number in the range 0..M-1. Each person ends up with two shared secrets because they are paired with two people.

  4. Everyone goes off by themselves, and generates a personal secret, also a uniform number in the range 0..M-1.

  5. Everyone submits a number on a piece of paper.

    • If they vote remain, they submit their personal secret number.

    • If they vote stay, they submit the left secret minus the right secret, reduced modulo M.

  6. All votes are added up and reduced modulo M. If everyone voted to stay, then the result is 0, since all the shared secrets will appear once positive and once negative. If anyone voted to leave, the result is a uniform random number in the range 0..M-1.

So,

  • If all participants vote “leave”, the result will be “leave”.

  • If any participant votes “stay“, the result will be “leave” with probability 1/M and “stay” otherwise.

Dietrich Epp
  • 2,588
  • 1
  • 12
  • 9
  • "leave" not guaranteeing that everyone wants to leave is not a good solution. It would be usable the other way around - if "stay" had a chance of being generated by a "leave" vote, but "leave" always meant that everyone wants to leave. – Rob Watts Aug 06 '20 at 17:23
  • @RobWatts: That is an incorrect analysis. All physical systems have a nonzero probability of producing an incorrect result--so it is *always* possible to have a false "leave" result, no matter what technique you use. This solution is no different, but it does force you to quantify your tolerance for an erroneous result up front by choosing M. – Dietrich Epp Aug 06 '20 at 19:45
  • I don't agree with your dismal of the issue. Your answer has as much of an issue with producing an incorrect result (the people could always make a mistake when performing the calculation) so you have that level of error *on top of* the 1/M probability of the system itself failing. In fact, as M gets higher the chance of a human error increases, so efforts to reduce the error tolerance could actually make it worse. – Rob Watts Aug 07 '20 at 18:32
  • @RobWatts: Trivial problem with trivial solutions—you run the vote multiple times. All systems have this problem, all systems have this solution. There is nothing in this line of discussion that is specific to my answer. – Dietrich Epp Aug 07 '20 at 19:36
2

What you're asking is a system that outputs V = v(1) AND v(2) AND ... AND v(n) where v(i) is the binary vote of the same person. By DeMorgan Law, V = NOT W where W = w(1) OR w(2) OR ... OR w(n) and w(i) = NOT v(i). Hence we can rephrase the question to be simpler. We are only looking for a system that can answer whether:

Of the N people who voted, did at least one vote No?

This follows intuition; if you require unanimous consent then as soon as one person objects it doesn't matter what the rest of the votes are. Or in other words, you are asking for an anonymous veto system.

This can be implemented in many ways.

  • An electronic push button switch (labeled "press to stay in cult") in a closed room. The system starts in state 0 and pressing the button puts in state 1. After everyone has had the opportunity to go into the room and secretly press the button, the device is examined to see if anyone has.
  • A variation on the above: A button B inside the room that only closes the circuit, and a S outside the room where everyone can see. Both are wired to a light that comes on only if both buttons are pressed. At first S is turned off and B is not pressed. Everyone watches S to make sure it is not prematurely touched, and go inside the room to take turns at possibly pressing B. Once everyone is done, they flip S together to see if B has been pressed during the voting. You can even have multiple rooms, each with their own B connected to the same device, so that voting can happen simultaneously - that way it's not possible to conspire against one voter and flip S right after they vote.
  • A mechanical version in the form of a box with a marking in the middle of the inside. A little piece of paper is place exactly on the marker and the box is locked. Every voter has a chance to go in a closed room and shake the box. Once everyone done, the box is opened to see if the paper has moved.
  • A more robust version of the above, with many black and white papers arranged in two neat piles (shaking the box would mix them up).
Artimithe55
  • 229
  • 1
  • 7
  • 3
    A variant that's easy to perform: Get a can of beer. Each person enters the room in turn and shakes the can of beer if they want to vote no. At the end, open the can of beer. If it sprays everywhere, somebody voted no. Otherwise, it's unanimous yes. – Ken Shirriff Aug 03 '20 at 21:32
  • 1
    @KenShirriff Haha, that's a good one! Although you can un-fizz can that have been shaken so that they don't overflow when opened, if anyone knows the trick to it they could veto the veto. – Artimithe55 Aug 03 '20 at 21:39
  • i like the box shaking idea, but how do you keep people from (A) opening the box when it's their turn, and (B) hearing the sound of the box shaking? – shieldgenerator7 Aug 04 '20 at 15:05
  • 4
    @shieldgenerator7 {A} Tamper-evident seal; and/or lock the box and and key is seen to be outside during voting. {B} Have an alternative box to shake with uniform contents. Arti: Alternative to paper (or beer): Two layers of different-colored sand. You can't un-fizz sand. – Michael Aug 04 '20 at 18:07
2

Start with an identifiable plaintext: Let's break up. It's not you, it's all of us.

Each person generates a random bit pattern (one-time pad) and keeps it secret. Pass the message around the table, with each person XOR-ing it with their one-time pad. The person after you will be the only one who sees your output.

When you get back to the beginning of the circle, go round once again in the same order. This time, if you want to vote "yes", XOR the message with the same pattern you used before. If you want to vote "no", use a different randomly-generated pattern (again, keep it secret).

At the end of the second circuit, obey the resulting message: either break up, or sdfljhsdfhgvsladfj. In the latter case, nobody will know how many "no" voters were responsible for failing to unscramble the message.

This is very similar to Nick Bonilla's answer, except that the keys are not generally shared. If the family members are A through Z: Bob will be able to compare Alice's first output with the original plaintext, and so will be able to infer Alice's first secret, but will not know whether this was the same as Alice's second secret (only Zach knows Alice's second input). Yolanda will be able to compare the final public message with her own second output, and so will be able to infer Zach's second secret, but she will not know whether this was the same as Zach's first secret (only Alice saw Zach's first output). In the case of N=3, Bob and Yolanda are the same person, but I'm not sure this helps him/her.

jez
  • 287
  • 1
  • 4
  • 3
    What about when Charlie asks Alice what bitstring she handed to Bob the second time? This solution only works if there's no collaboration between parties, which isn't a constraint you can readily assume. – Sneftel Aug 04 '20 at 07:26
  • @Sneftel - Yeah, this is a problem with a lot of the 'chaining' solutions here. If Bob is given any input from Alice, that's essentially not private - because anyone can ask Alice what she handed him. – Kevin Aug 04 '20 at 16:28
  • Yep, combinations of people can gang up on individuals. This could be ameliorated by making people anonymous (everyone meets in the ante-room, puts on their identical cult robes and masks, mills around a bit, then files through to the voting room). But then the anonymization mechanism is a TTP (which we can’t actually, strictly, avoid—even face-down slips of paper are a TTP). – jez Aug 04 '20 at 17:28
  • Also, I would say we have to assume *some* limitation somewhere on the ability to confer post-hoc. Otherwise it’s trivially unsolvable: a “no” voter can simply ask all other “no” voters to identify themselves, which leads to the same objection that OP pointed out to N=2, but for all N. – jez Aug 04 '20 at 17:30
  • @Kevin but whenever you try to confer, you don’t know whether the answer you get is truthful – jez Aug 04 '20 at 22:26
1
  1. Call the number of people N.
  2. Each person is assigned a number from 1 to N.
  3. Each person creates a random N-order polynomial whose Y-intercept is zero if they wish to vote YES or whose Y-intercept is greater than zero if they wish to vote NO.
  4. Each person solves the equation of their polynomial for discrete points from X=1 through X=N.
  5. Each person passes the solution for each integer value of X from 1 to N to the person with that corresponding assigned number.
  6. Each person sums all their assigned numbers and discloses the sum.
  7. The resulting disclosed sums are used as the solutions to an N-order polynomial that goes through the corresponding points.
  8. The Y intercept of that resulting polynomial is computed using Lagrange interpolation. (Or any other convenient method if N is small.)
  9. If the Y intercept is zero, the result is YES. Otherwise, it's NO.

This works because the sum of any number of polynomials with a zero Y-intercept is a polynomial with a zero Y-intercept. No combination of participants less than all of them has enough points on any polynomial to determine its Y-intercept but of the resulting final curve because everyone discloses their sum point on that one.

You need N points on an N-order polynomial to determine its Y-intercept. The only polynomial any group smaller than all the participants has N points on is the final resulting sum polynomial. So only its Y-intercept can be determined by any subset of the group less than all of them.

Let's try an example with three people. We'll use Alice, Bob, and Charlie. We'll have only Bob vote NO. Each will pick a random polynomial that requires three points to solve whose Y-intercept is zero for YES and non-zero for NO.

Alice is 1. She votes YES. Her polynomial is Y = 3 (X^2) - 2 X
Bob is 2. He votes NO. His polynomial is Y = 2 (X^2) + X + 1
Charlie is 3. He votes YES. His polynomial is Y = 3 (X^2) - X

Notice that Bob has a "+1" term since he voted NO. Everyone else has no such term, so their curves have a zero Y-intercept.

Alice now solves her polynomial at points 1, 2, and 3.
She gives herself a 1, Bob an 8, and Charlie a 21.

Bob now solves his polynomial at points 1, 2, and 3.
He gives Alice a 4, himself an 11, and Charlie a 22.

Charlie now solves his polynomial at points 1, 2, and 3.
He gives Alice a 2, Bob a 10, and himself a 24.

They each now disclose their sums.
Alice computes 1 + 4 + 2 and discloses 7.
Bob computes 8 + 11 + 10 and discloses 29.
Charlie computes 21 + 22 + 24 and discloses 67.

They now need to solve the curve that goes through the points (1,7), (2,29) and (3,67) to see what its Y-intercept is. The solution is Y = 8 (X^2) - 2 (X) + 1.

You'll notice that this equation is the sum of the chosen equations. And it has a "+ 1" on the end because of Bob's vote. Thus, the result is NO, as required. But nobody but Bob can tell whose curve had that "+ 1" on it (unless everyone else conspires against him).

This is a slight variant of the JZSS (Joint Zero Secret Sharing) algorithm. See M. Ben-Or, S. Goldwasser, and A. Wigderson, Completeness Theorems for Noncryptographic Fault-Tolerant Distributed Computations, Proceedings of the 20th ACM Symposium on the Theory of Computing, pages 1-10, 1988.

David Schwartz
  • 4,233
  • 24
  • 21
  • How can the players verify that no malicious actor has chosen a negative y-intercept? Suppose I am sure Joe wants to leave, and his favorite number is 13. If I input -13, I can cancel his vote. Or suppose I want to prevent tallying by entering a -1000. What will the players do if the sum is negative? – meriton Aug 04 '20 at 13:32
  • 1
    Also, revealing the sum of inputs also allows everyone to calculate the sum of inputs of the *other* players, which can leak information. In particular, if only a single player voted positive, he will learn that he was the only one. – meriton Aug 04 '20 at 14:04
  • @meriton If everyone does what they're supposed to do and nobody wants to leave, the result will be zero. If anybody does what they're not supposed to do or somebody wants to leave, the results will not be zero. Presumably, people who don't want to leave will follow instructions. You are correct that everyone but any single voter can release how that single voter voted. But that's true no matter what and no algorithm can prevent it. If everyone but you votes stay and the final result is leave, everyone else can, working together, know you voted leave since you are the only one not conspiring. – David Schwartz Aug 04 '20 at 16:17
  • I think you misunderstood my second concern. I am not concerned that everyone else, working together, can learn what a player voted. I am concerned that a player who votes "remain" can determine whether he was the only one to vote "remain", thereby leaking information that could not have been inferred from the aggregate decision taken (which the player knew to be "remain" irrespective what the others voted). In case of the cultists, I'd imagine it would end very badly if a cultist were to discover that everybody else was set on leaving ... – meriton Aug 04 '20 at 19:48
  • A player who votes remain cannot determine how many other players voted remain or not. The only curve they have enough points on is the sum curve. They can subtract their own vote, but a person who votes remain can always do that. If the result is remain, everyone voted remain. If it's leave, someone else voted leave. Perhaps your concern is that someone who votes leave can tell whether or not they were the only one to vote leave? (That can be fixed, but it makes the algorithm much more complex.) – David Schwartz Aug 04 '20 at 19:56
  • If the result is remain, at least one person must have voted remain. That doesn't imply that everyone has! – meriton Aug 04 '20 at 20:00
  • @meriton The remain/leave terminology might be confusing to me. Let's stick with yes/no. Yes must be unanimous. The only interesting case is when the final result is no, otherwise everyone knows everyone voted yes anyway. When there's a no, the only thing this leaks is that someone who voted no can tell whether they were the sole no vote or not by subtracting their curve from the resulting curve. Nothing else leaks. Yes voters cannot tell how many no votes there were, only that there was at least one. No voters cannot tell who else voted no, just whether there was at least one other no vote. – David Schwartz Aug 04 '20 at 20:02
  • Exactly, and this leak is quite the problem for our cultists, because a no voter might learn that there was no other no vote, i.e. everybody else voted yes! In cultist terms, this means that a cultist who wants to remain learns that everybody else wants to leave! – meriton Aug 04 '20 at 20:08
  • Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/111429/discussion-between-david-schwartz-and-meriton). – David Schwartz Aug 04 '20 at 23:56
1

There are two empty cloth bags, and a pan-scale. The first bag represents how they want to vote, the second as a check.

Each person is given two clay or wood discs of slightly different weight. The heavier disc represents leave. They place the disc for their vote into one bag, and the other in the other bag. Afterwards, the bag is checked against a weight. The pan will just balance if all votes are for leave, but will remain fully down if even one is for stay.

If necessary, both bags can be weighted together against another weight to ensure there's been no skulduggery.

Once the vote is checked, both bags are destroyed in a fire.

CSM
  • 221
  • 1
  • 3
1

I took some inspiration from Qmppu852's answer, I'll try to make it simpler:

Get a generator and a really long cable, 10 meters (that's ~30 feet) should do.

Build multiple controllers, one for each family member. Each controller will have two buttons: one is a dummy, which does nothing. The other button is meant to close the circuit. Both buttons are visibly marked so everyone knows which is which.

Splice the controllers on the cable. Since they are all connected serially to the generator, the circuit is only closed while all the non-dummy buttons are pressed simultaneously.

When the voting time comes, everyone sits on a circle. Every family member holds a controller on their back and presses a button. In this way, everyone will see that everyone else is pressing a button, but no one knows which buttons the others are pressing. Every individual only knows which button they are pressing.

If everyone presses the non-dummy button on their controller, the circuit closes. You can connect a light bulb or a buzzer on the circuit so they can see whether it turns on. But I think it's more fun if the generator gives around 50V and the controllers are not insulating. If everyone votes yes, then everyone gets a jolt.

If anyone votes no, then the circuit does not close. But no one knows who is voting for no. To make it even harder to know everyone's vote, they could wear gloves so as not to leave fingerprints on the buttons. Or they could press both buttons prior to the vote, before activating the generator, to leave fingerprint on both buttons.

Script Kid
  • 215
  • 1
  • 9
1

Take a simple calculator, enter a number. Place it in a stiff box with a hole in it over the clear button. Put the whole thing inside another box with an opening on the side and a piece of cloth draped over the opening.

Everyone reaches into the outer box and pushes something--the clear button to vote no, any other spot to vote yes. An observer might be able to discern the muscle movement of pressing but they certainly can't tell if you're actually on the button.

Remove the calculator, examine it. If there's still a number you have a unanimous yes.

Loren Pechtel
  • 773
  • 4
  • 9
-1

Play a game of telephone. But with numbers.

Have people sit in a circle, and have 1 person start. They pick a random number between 1 and 1000 and keep it secret. Then they whisper that number into the ear of the person on their left. Then that person adds 1 to that number if "no", and they add 100 that number if "yes". That person then whispers the new number to the person on their left. This continues in a circle, making 2-3 "laps" around the group. The last person to receive a number keeps it a secret.

No one knows the starting number except the first person, but they know what number they said to the person on their left. If the 1's digit and 10's digit of the number they said and the number they received when it came around again is the same, then they know that everyone voted yes. If it's not the same, then they know that at least one person voted no.

The important thing is that because they don't know the starting number, and there's no definite end to the loop, they don't know who voted with what number. Everyone now knows if the vote is unanimous, but no one knows who voted what.

EDIT: Instead of adding 100 for yes and adding 1 for no, pick a random number between 1 and 5. If voting yes, multiple it by 100. If voting no, multiply it by 1. Then add that number to the running total and pass the running total to the next person. This solves the issue of leaking how many people voted yes or no.

-1

Construct a container which can have liquid poured into it but cannot be easily observed without obvious tampering. Something like an opaque fuel canister which has a nozzle attached to it.

Everyone gets a chance to add some clear liquid to the container.

Everyone votes by being able to either add some red dye, or pour some red dye down the drain.

At the end, the container is broken open and the contents is revealed. If it contains any amount of red dye then the vote was not unanimous.

Toby Smith
  • 531
  • 1
  • 4
  • 7
-2

Interesting problem. Low tech: A third party gives each voter two identical pieces of paper: one with typewritten "yes" the other with "no" (or some other symbol, 1/0, y/n, etc) This is the end of the third-party involvement. They adjourn to a private area where they can secretly select one piece of paper with their desired answer. All return and simultaneously place their vote in the ballot box which is shaken to randomize.

Although theoretically it may be possible to determine the source of the minority vote, even to the point of DNA sampling from the paper, in the real world even the most paranoid have some practical limitations and methods of control - e.g. burn the ballots after counting.

Medium-tech: hard-wire a relay/flip-flop in series with a "tally" switch that will complete a circuit to turn on a light or similar indicator. There is only one vote button, concealed from the tally button (e.g. in another room, box, etc), the tally button is public so it cannot be touched without witnesses.

Once everyone has a private opportunity to press (or not) the vote button, then together they flip the switch that will complete the circuit if the relay/flip-flop was triggered. In other words, flipping the tally switch only completes the circuit if the vote button was pressed by someone. Because the vote is private, there is only one button and it operates on a single point in the circuit (i.e. the relay or flip-flop, which can only be tripped once) there is no traceback to who tripped the vote.

  • Your low tech suggestion is simply a paper-based version of the "[blackball](https://en.wikipedia.org/wiki/Blackballing)" scheme. And there is no need for a 3rd party. Your Medium tech version is the same. – schroeder Aug 06 '20 at 11:04