
A glimpse into the blockchain governance

With a focus on privacy and security issues


Disclaimer: The views expressed in this article are those of the authors and do not necessarily reflect the official position of the DFINITY Foundation.

A blockchain's code base evolves over time. To update the blockchain code, various interest groups, e.g. users, core developers and full-node providers (also known as miners in the Bitcoin system), need to reach a consensus on what to keep and what to change. This is not easy, as the interests of these stakeholders are often at odds with each other. To tackle these issues, every blockchain project has a governance system to coordinate conflicts among participants and to align their incentives with the benign development of the blockchain system. Generally speaking, there are two types of blockchain governance system: off-chain governance, as in Bitcoin and Ethereum, and on-chain governance, as in Cosmos and DFINITY. The difference lies in whether the voting is conducted and recorded on the blockchain ledger or not.

With the off-chain governance system, core developers submit protocol updates via formal improvement proposals (e.g. Bitcoin Improvement Proposals, Ethereum Improvement Proposals) to the official repository (e.g. GitHub). Users and full-node providers could signal their opinions in community forums and social media, such as Slack channels, Telegram and Twitter. If the majority of the interest groups agree to the protocol updates, then the changes are encoded into the blockchain protocol. If they cannot reach a consensus, the core developers could either revoke the proposal or still implement the protocol changes. The latter typically leads to hard forks (e.g. the hard forks of Ethereum/Ethereum Classic in 2016 and Bitcoin/Bitcoin Cash in 2017), as certain full-node providers might not adopt the protocol changes accordingly. The off-chain governance system has attracted criticism for violating the decentralization ethos, as core developers and full-node providers have much more power than ordinary users in the decision making.

A more decentralized form of governance, on-chain governance, has gained momentum in recent years with the development of Proof-of-Stake (PoS) blockchain projects. PoS projects typically require staked tokens to represent the voting right and voting power. Therefore, users could stake native tokens in the system and gain voting power on the protocol updates. Compared to the indefinite debates involved in the off-chain governance system, the on-chain governance system has a much quicker turnaround time for decision making. In addition, the on-chain governance system is more transparent in the sense that voting rules are predefined and communicated to the public in advance. The decision making is not controlled or interpreted by centralized entities. Moreover, since voting rules are embedded in the system code, protocol updates are implemented automatically upon ratification, which could largely deter hard forks.

In the following we address the typical design issues of the on-chain governance system at a very high level.

Design of on-chain governance

What to propose?

Proposals can be on any relevant topic, such as freezing hacked tokens, changing parameters, penalizing malicious full-node providers, etc.

How to propose?

To submit a proposal, one needs to stake a minimum amount of tokens required by the governance system. To encourage high-quality proposals, the stake is refunded and rewarded if the proposal gets adopted (the reward could come from newly minted tokens or the foundation’s endowment). Otherwise, the stake is refunded but not rewarded. If the proposal is considered spam, the staked tokens are slashed.

Which proposal gets voted first?

Users could stake their tokens to endorse various proposals. The proposal that attracts the most staked tokens is considered the most urgent one to be voted on. The token reward is dispensed to the proposer (e.g. 50%) and the endorsers (e.g. 50%, proportional to the amount of staked tokens) upon adoption of the proposal. Note that proposals on less relevant topics attract fewer endorsers and get voted on at a later stage. Since the staked tokens are unlocked to the owners only after the voting, the proposers and endorsers face an opportunity cost on their token deposit. Such a design disincentivizes the submission of spam proposals. Alternatively, the system could set a minimum amount of staked tokens required for a proposal to pass to the voting stage (similar to the “We the People” White House petition).

How to gain voting power and preserve vote privacy?

To gain voting power in the governance system, users need to stake their tokens in the system for a certain period. By doing so, voters have skin in the game and thus an incentive to vote rationally. Homomorphic encryption (see the next section for technical details) is one of the mainstream approaches to preserving vote privacy. Votes are encrypted so that only voters with the private keys could check their own votes. All votes are aggregated and tallied after the voting period. Only the final result is decrypted and revealed to the public.

How is voting power/reward measured?

The voting power increases with the amount of staked tokens and staking period. Voters gain token reward only if they participate in voting. Staking itself does not generate any yield if token holders do not cast votes. The voting reward provides incentive for voters to actively participate in the governance.

How to delegate votes?

As voting is time/energy consuming and requires expertise in certain fields, voters could delegate their votes to others (e.g. cryptographers, economists, key opinion leaders, developers, foundation etc) and withdraw the delegation at any time (so called liquid democracy).

Who can vote?

Universal voting body: anyone who stakes tokens in the system could cast their own votes or delegate their votes.

Random voting body: a certain fraction of voters (e.g. 10%) is randomly selected for each proposal. Such a design facilitates multiple votes in parallel (a scalable solution). As the voting body is smaller than the universal voting body, each vote has more impact on the outcome. Therefore, selected voters have more motivation to vote and to vote carefully. The shortcoming is that it is more prone to collusion within a smaller group of voters. Therefore, the randomness of voter selection is critical to its success.

On the one hand, the number of voters should be as small as possible to reduce the voting cost (e.g. time and resources spent on researching the proposal) incurred by selected voters. On the other hand, there should be as many voters as possible to ensure the voting outcome is representative and aligned with the interests of the majority of token holders. One way to reduce the probability of a surprise outcome is to adopt assessment voting. If the voting outcome is close (e.g. in the range of 45%-55%), the system randomly selects another set of voters (e.g. 5x as many) for a second round. The final outcome hinges on the votes of both rounds.

How to tackle the centralization of voting power?

In real-life voting, plutocrats could manipulate elections by funding their favored candidates/puppets and financing their campaigns. The one-man-one-vote mechanism is susceptible to this money effect. The current political systems, designed in the last few centuries, have proved feeble and clumsy in the presence of newly developed technology. The Cambridge Analytica scandal is a great example of the potential for influencing a voting result by targeting social media users. With one-token-one-vote in the blockchain governance system, wealthy users/investors could purchase a large amount of tokens and steer the voting towards their favored direction even more easily than in the one-man-one-vote system in real life.

One way to make the voting power more decentralized is to introduce the flexible lockup period. Users could lock their tokens longer for more voting power. For example, users with 10 tokens locked for 10 months could achieve the same voting power as those (wealthy users) with 100 tokens locked for 1 month. The long lockup period implies that the voter has more skin in the game and thus cares more about the long-run development of the system than those who lock for shorter periods.

Another way to make the voting power more decentralized is to replace one-token-one-vote by one-account-one-vote. Voters could register voting accounts by filling in their government-issued ID information. Registered users have e.g. 10x the voting power of unregistered users. That is, users could still choose to vote anonymously without registering their accounts, but their voting power is heavily discounted compared to registered accounts. The system uses the Zero Knowledge Proof technique (explained in the next section) to prevent misuse of users’ private data. The voting power increases non-linearly with the amount of tokens locked in the account. For example, to acquire one unit of voting power, the voter needs to lock one token in the account. To acquire ten units of voting power, the voter needs to lock more than ten tokens (e.g. 100 tokens for 10 units of voting power, i.e. quadratic voting). Such a design reduces the voting power of the wealthy token holders.

For example, a whale token holder could lock all his 100 tokens in his registered account and gain 10 units of voting power (due to the concave voting power; assume square root). Alternatively, he could create 100 unregistered accounts with 1 token in each and gain, again, only 10 units of voting power (10x reduced voting power for unregistered accounts). Compared to the 100 units of voting power he would gain in the one-token-one-vote mechanism, the wealthy token holder’s voting power is much constrained in this setup.
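The two anti-plutocracy rules above, as an added worked example that is not from the article or from any project it describes. The flexible-lockup formula (tokens times months) and the `min_stake_needed` bound are assumptions of this example: they reproduce the article's numbers and then generalize them, showing that the 10x discount only neutralizes account splitting when every account must hold at least one token.

```python
import math

# The article's numbers: unregistered (anonymous) accounts carry 10x less
# voting power than ID-registered ones, and voting power is concave
# (square root) in the number of locked tokens.
UNREGISTERED_DISCOUNT = 10.0

def lockup_power(tokens: float, months: int) -> float:
    """Flexible-lockup rule. The article's example (10 tokens for 10 months
    equals 100 tokens for 1 month) is consistent with a plain product;
    that product is an assumption of this example, not a stated formula."""
    return tokens * months

def sqrt_power(tokens: float, registered: bool) -> float:
    """One-account-one-vote rule with square-root (quadratic) voting power."""
    power = math.sqrt(tokens)
    return power if registered else power / UNREGISTERED_DISCOUNT

def sybil_split_power(total_tokens: float, accounts: int) -> float:
    """Power a whale gets by spreading total_tokens evenly over `accounts`
    unregistered accounts: accounts * sqrt(total / accounts) / discount."""
    per_account = total_tokens / accounts
    return accounts * sqrt_power(per_account, registered=False)

def best_sybil_power(total_tokens: float, min_stake: float) -> float:
    """Most power a whale can extract by splitting when every account must
    hold at least min_stake tokens. The split power equals
    sqrt(total * accounts) / discount, which grows with the account count,
    so the whale opens as many accounts as the minimum stake allows."""
    accounts = max(1, int(round(total_tokens / min_stake)))
    return sybil_split_power(total_tokens, accounts)

def min_stake_needed(max_holding: float,
                     discount: float = UNREGISTERED_DISCOUNT) -> float:
    """Smallest per-account stake at which splitting a holding of max_holding
    tokens into unregistered accounts never beats one registered account:
    sqrt(T*k)/d <= sqrt(T)  <=>  k <= d^2  <=>  min_stake >= T / d^2."""
    return max_holding / discount ** 2

if __name__ == "__main__":
    print(lockup_power(10, 10), lockup_power(100, 1))   # 100 100
    print(sqrt_power(100, registered=True))             # 10.0
    print(sybil_split_power(100, accounts=100))         # 10.0 (article's case)
    print(best_sybil_power(100, min_stake=0.01))        # 100.0: splitting wins
    print(min_stake_needed(100))                        # 1.0
```

Without a minimum deposit per account, fractional stakes let the split beat the registered account, so the discount factor must be chosen together with the minimum stake.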

In the next section we address the security issues of the on-chain voting with a focus on privacy.

Privacy-preserving electronic voting

Voting on the blockchain falls into the category of electronic voting (i.e. e-voting). Secure e-voting is a well-studied subject in the cryptography literature. An advanced high-stakes e-voting system needs to take various properties into account, such as verifiability, privacy, robustness against false accusation (i.e., if the election is indeed conducted correctly, then it is not possible to produce evidence that the election was not conducted correctly), usability, etc. [SR17]. In certain circumstances these properties could be in conflict with each other.

Privacy, our focus in this section, is one of the most important properties of an e-voting system since a voting system could become vulnerable to corruption and coercion if the adversary can identify how a voter votes. Therefore, a basic e-voting scheme should guarantee its voting privacy and voter anonymity.

Many cryptographic primitives have been proposed to resolve the privacy issues in e-voting, such as ring signatures, blind signatures, threshold homomorphic encryption, mix-nets, etc. A brief review of these techniques is presented in the following.

Ring signature

One of the most extensively studied anonymous e-voting cryptographic primitives is linkable ring signature. Ring signature was proposed by Rivest, Shamir and Tauman [RST01] in 2001, and the one-time linkability [ES07] was later added as an improvement.

A digital signature scheme usually assumes the involved party is identifiable by a public/secret key pair. A ring signature scheme allows any signer hidden in a randomly selected group of people (or a ring of public keys) to generate a ring signature without revealing which public key in the ring is responsible for the signature generation. Therefore, it provides anonymity protection for the true signer. However, since the signed message is public, the scheme does not provide vote secrecy.

Since a ring signature hides the voter’s identity, a voter might try to vote for a particular candidate many times in order to increase the odds of one’s favored candidate winning the vote. The one-time linkability property ensures that, as soon as one particular secret key in a ring is used twice, the duplicate signature is linked to the first and therefore ruled illegitimate.

A one-time linkable ring signature can be constructed using a special kind of zero-knowledge proof as shown in [GK15], namely a membership proof. A zero-knowledge proof is a protocol that allows a prover to prove the correctness of a statement without revealing any extra information other than the statement itself. For instance, a zero-knowledge range proof scheme [Lin19] allows a prover to prove that a secret integer belongs to a range, say [0, 1], without revealing which integer it is. In other words, the verifier will be convinced that the secret integer is binary after reading the proof, without knowing whether it is 0 or 1.

Blind Signature

Another closely related primitive is the blind signature [C82, FOO92], which requires a registration phase controlled by a group manager. The voting involves an interaction between the voter and the manager so that the voter can obtain an untraceable blank ballot issued by the manager and cast its vote in encrypted/blinded form. Blind signatures ensure voter privacy, vote secrecy and one-time traceability. However, one needs to use a threshold blind signature scheme to reduce the centralized power of the group manager in the blockchain setting. Note that “threshold” here means using threshold cryptography to replace a single group manager with multiple managers, so that as long as the majority of them remain honest, both voter anonymity and vote secrecy can be guaranteed.

Threshold homomorphic encryption

An encryption scheme turns a plaintext message into a random string to protect its secrecy. Once a message is encrypted, one has to decrypt the ciphertext before any operation (e.g. summation) can be applied to the underlying messages. However, in some application scenarios it might not be desirable for the underlying message to be known to those who perform the operation. For instance, the tally clerk only needs to know the sum of the individual votes instead of what each vote is. Homomorphic encryption is a special kind of encryption mechanism that allows anyone with access to the ciphertext of the messages to perform the desired operation homomorphically, meaning the operation over the underlying messages can be performed without decryption.

If each voter’s vote for a specific candidate or statement is encrypted using homomorphic encryption, the tally clerk will be able to homomorphically generate the encryption of the final vote count without decrypting the ciphertext of each individual vote.

Note that a malicious voter can increase (or reduce) the chance of one’s favored candidate (or his opponent) winning (or losing) by encrypting a large positive (or negative) number instead of a binary vote. Therefore, homomorphic-encryption-based e-voting is usually accompanied by a zero-knowledge range proof, which can prove that a secret number is binary without revealing the exact vote. Another challenge is that any entity owning the secret key of the homomorphic encryption scheme will be able to decrypt all the votes. Therefore, a threshold homomorphic decryption mechanism is needed to decentralize the decryption power to a group of entities.
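The homomorphic tally described above, as an added example in Python that is not from the article or from any project it describes. It uses the textbook Paillier cryptosystem (additively homomorphic) with constructed toy primes, adds ballots under encryption, and then shows the failure mode the text warns about: a ballot encrypting 50 or -2 skews the sum while looking, to the tally clerk, exactly like a valid ballot. Threshold decryption and the range proof are not implemented here.

```python
from math import gcd
import secrets

# Constructed toy parameters: two small primes so the arithmetic is readable.
# A real deployment uses primes of 1024+ bits and, as the text says, shares the
# decryption key among several parties (threshold decryption, not shown here).
P, Q = 10007, 10009

def keygen(p=P, q=Q):
    """Paillier key pair with the common choice g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)     # lcm(p-1, q-1)
    g = n + 1
    l_value = (pow(g, lam, n * n) - 1) // n            # L(g^lam mod n^2)
    mu = pow(l_value, -1, n)                           # modular inverse (Python 3.8+)
    return (n, g), (lam, mu)

def encrypt(pub, vote):
    """Encrypt an integer vote; negative votes are encoded as n - |vote|."""
    n, g = pub
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1               # fresh randomness per ballot
        if gcd(r, n) == 1:
            break
    return (pow(g, vote % n, n2) * pow(r, n, n2)) % n2

def decrypt(pub, priv, c):
    n, _ = pub
    lam, mu = priv
    m = ((pow(c, lam, n * n) - 1) // n * mu) % n
    return m - n if m > n // 2 else m                  # recover signed value

def add_encrypted(pub, c1, c2):
    """Homomorphic addition: the product of ciphertexts encrypts the sum of votes."""
    n, _ = pub
    return (c1 * c2) % (n * n)

def tally(pub, priv, ballots):
    """What the tally clerk does: fold every ciphertext into one, decrypt once.
    Nothing here can tell a ballot encrypting 50 from one encrypting 1, which
    is why each ballot must carry a zero-knowledge proof that its vote is 0 or 1."""
    total = encrypt(pub, 0)
    for c in ballots:
        total = add_encrypted(pub, total, c)
    return decrypt(pub, priv, total)

if __name__ == "__main__":
    pub, priv = keygen()
    honest = [encrypt(pub, v) for v in (1, 0, 1, 1, 0)]
    print(tally(pub, priv, honest))                       # 3
    print(tally(pub, priv, honest + [encrypt(pub, 50)]))  # 53: out-of-range ballot
    print(tally(pub, priv, honest + [encrypt(pub, -2)]))  # 1: negative ballot
```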

Mix network

A mix network uses several independent servers to shuffle the input of encrypted ballots and output the plaintext ballots. However, one has to assume that at least one of these mix servers performs the secret permutation honestly to guarantee voter anonymity.

More specifically, a mix network usually employs layered encryption to encrypt the original votes under a sequence of public keys, each of which corresponds to one of the intermediate mix nodes. Each intermediate mix node receives multiple ciphertexts, uses its secret key to remove a layer of encryption and sends the messages to the next node after a random permutation. Therefore, as long as at least one of the mix nodes remains honest, voter anonymity can be guaranteed to a certain extent. However, since all votes are delivered to the tally clerk in plaintext form, a mix network does not guarantee vote secrecy.

The following table demonstrates the pros and cons of these techniques.

Discussion

Blockchain projects are complex systems that evolve over time. They are governed by rules, and by rules that define how to change rules. One needs to bear in mind the following fundamental questions when designing governance rules. What defines a valid voter and its voting power? Who can initiate a proposal? What qualifies a proposal for voting? What is the quorum? How are voting results defined? How can voting rules be changed?

Ultimately, the questions boil down to the core principle: how to design a governance system to ensure the long-run prosperous development of the blockchain project. The secret of success is to align the interests of majority participants with the interest of the project.

Authors:

Yulin Liu (yulinzurich@gmail.com), currently leads research on token economics and governance system at DFINITY. He also serves as Affiliated Economics Professor at Huazhong University of Science and Technology. Yulin specialises in monetary theory, bank supervision, cryptocurrency, token economics and blockchain governance system. He holds a Master of Science in Quantum Computation and a Ph.D. in Economics from ETH Zurich. Yulin was a visiting scholar at the European System of Central Banks and has been invited for talks at major central banks and conferences worldwide.

Huang Lin (lh@suterusu.io), currently serves as CTO of the Suterusu project. Huang is an applied cryptographer by training. Huang holds Ph.D. degrees in applied cryptography and privacy-preserving distributed systems from Shanghai Jiao Tong University and the University of Florida, respectively. He worked as a postdoctoral researcher at the Swiss Federal Institute of Technology (EPFL), and then as an associate principal engineer at ASTRI, Hong Kong. He has published over 20 papers with over 1000 citations on applied cryptography and information security.

References

[RST01] Rivest, Ronald L., Adi Shamir, and Yael Tauman. “How to leak a secret.” International Conference on the Theory and Application of Cryptology and Information Security. Springer, Berlin, Heidelberg, 2001.

[ES07] Fujisaki, Eiichiro, and Koutarou Suzuki. “Traceable ring signature.” International Workshop on Public Key Cryptography. Springer, Berlin, Heidelberg, 2007.

[C82] D. Chaum. Blind signatures for untraceable payments. In D. Chaum, R. Rivest, and A. Sherman, editors, CRYPTO ’82, pages 199–204. Plenum Publishing Corporation, 1982.

[FOO92] A. Fujioka, T. Okamoto, and K. Ohta. A practical secret voting scheme for large scale election. In AUSCRYPT 91, pages 244–260. Springer-Verlag, 1992. LNCS Vol. 718.

[SR17] Park, Sunoo, and Ronald L. Rivest. “Towards secure quadratic voting.” Public Choice 172.1–2 (2017): 151–175.

[GK15] Groth, Jens, and Markulf Kohlweiss. “One-out-of-many proofs: Or how to leak a secret and spend a coin.” Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer, Berlin, Heidelberg, 2015.

[Lin19] Dr. Lin. Suterusu Yellowpaper 1.0. https://github.com/suterusu-team/Suter_yellowpaper.




Yulin Liu
Coinmonks

research on crypto-economics and blockchain governance