Privocracy: Online Democracy through Private Voting

In traditional access control policies, every access granted and administrative account introduces an additional vulnerability, as a corruption of a high-privilege user can compromise several sensitive files. Privocracy is an access control mechanism that minimizes the need to attribute high privileges by triggering a secure e-voting procedure to run commands that require using sensitive resources. With Privocracy an organization can distribute trust in resource access, minimizing the system vulnerabilities from single points of failure, all while maintaining the high flexibility of discretionary access control policies. The Privocracy voting mechanism achieves everlasting privacy, ensuring votes remain confidential regardless of an adversary’s computational power, while addressing the dependability requirements of a practical and secure system. The procedure incorporates useful features such as vote delegation to reduce voter fatigue, rapid voting rounds to enable quick action during emergencies, and selective vote auditing for application-level accountability. Our experimental results demonstrate that Privocracy processes votes efficiently and can be deployed on commodity hardware.

💡 Research Summary

**
The paper introduces Privocracy, a novel access‑control framework that replaces the traditional reliance on high‑privilege administrative accounts with a private, distributed e‑voting mechanism. When a user requests execution of a command that accesses a protected resource, the request is intercepted by a Privocracy front‑end, which launches a voting round among a set of voter instances. Each voter manually approves or rejects the request, but their individual choices are kept secret through information‑theoretic secret sharing (Shamir’s scheme) and Pedersen commitments. Voters also generate zero‑knowledge proofs (ZKPs) to demonstrate that their committed vote is a valid bit (0 or 1) without revealing which value they chose.

The system model separates the operational space (the actual services such as file or mail servers) from the voting space (the voter processes). The operational space follows an honest‑but‑curious fault model, while the voting space tolerates Byzantine faults with up to f < n/3 corrupted processes. Communication assumes a partially synchronous network that eventually stabilizes, allowing the protocol to progress after a Global Stabilization Time.

Key cryptographic building blocks include:

• Asynchronous Verifiable Secret Sharing (AVSS) – ensures that shares are consistently delivered even under Byzantine behavior, providing agreement and totality.
• Pedersen commitments – give computational binding and information‑theoretic hiding, enabling public verification of share consistency.
• Zero‑knowledge Sigma protocols – allow each voter to prove that its share encodes either 0 or 1, preventing malicious participants from injecting arbitrary values.
• Byzantine Reliable Broadcast (BRB) – guarantees that all correct voters receive the same set of messages, preserving consistency.

The voting algorithm proceeds as follows: (1) the command triggers a voting round; (2) each voter creates a secret share of its binary vote, attaches a Pedersen commitment and a ZKP, and broadcasts them via BRB; (3) AVSS is used to reconstruct weighted shares homomorphically, allowing the system to compute a weighted tally without ever revealing individual votes; (4) the partial tallies are sent to a Trusted Execution Environment (TEE) or an otherwise secure aggregation module, which checks whether the tally exceeds a configurable threshold; (5) if the threshold is met, the command is executed, otherwise it is rejected. Optional audit logs and ZKP verification records can be released for accountability.

Privocracy adds several practical features tailored to real‑world access‑control scenarios:

• Weighted voting – each voter can be assigned a dynamic weight reflecting role or trust level, enabling fine‑grained influence over decisions.
• Vote delegation – inactive or overloaded voters may delegate their voting power to another trusted participant while preserving K‑anonymity.
• Rapid emergency rounds – the protocol can be configured to lower the approval threshold or reduce the number of rounds, allowing swift decisions during crises.
• Selective auditing – administrators can request proof of how a particular command was approved, providing post‑hoc accountability without compromising overall ballot secrecy.

Performance evaluation on a prototype implementation shows that a 60‑voter election completes in under 100 seconds on commodity hardware (4‑core CPU, 8 GB RAM). The protocol incurs O(n²) message complexity but only constant‑time asynchronous rounds, making it scalable for typical enterprise sizes. Experiments also demonstrate that delegation and emergency‑mode configurations reduce latency by up to 30 %.

Security analysis confirms everlasting privacy: because the secret sharing is information‑theoretic and the commitments are information‑theoretically hiding, even an adversary with unbounded computational power cannot recover individual votes. Integrity is guaranteed by ZKPs and VSS, while availability stems from AVSS and BRB’s tolerance to crashes and Byzantine behavior. The authors acknowledge that, in deployments lacking a TEE, some meta‑information (e.g., whether a voter participated) may leak; they discuss mitigations and argue that the leakage remains bounded.

Compared to prior work, Privocracy uniquely combines private e‑voting with access‑control enforcement. Existing e‑voting schemes target large, infrequent public elections and prioritize auditability over low latency, while distributed access‑control proposals often rely on multi‑signature or multi‑approval without protecting ballot secrecy. Privocracy bridges this gap, delivering a system that is both private and democratic while preserving the flexibility of discretionary access control.

In conclusion, Privocracy demonstrates that integrating cryptographic voting primitives into operating‑system‑level access control can eliminate single points of failure, reduce the attack surface associated with privileged accounts, and provide a practical, accountable, and privacy‑preserving mechanism for managing sensitive resources. Future work includes fine‑tuning threshold parameters for very small groups, extending the design to operate without TEEs while maintaining everlasting privacy, and conducting real‑world pilot deployments in enterprise environments.