INTERMEDIATERESEARCHREPORT|FEBRUARY15TH2017

ETHEREUMCLASSICTREASURYSYSTEM
PROPOSAL

TheVeritasTeam
DmytroKaidalov,LyudmilaKovalchuk,AndriiNastenko,MariiaRodinko,OleksiyShevtsov,RomanOliynykov

IOHK.io

Abstract
We propose the Ethereum Classic Treasury System (ECTS) whose main purpose is to establish a decentralized
funding mechanism for development and maintenance of the Ethereum Classic platform. Anyone can submit a
projectproposalandthestakeholderswilldecideonitsnecessitythroughatransparentvotingprocedure.Thesystem
is fully verifiable, having no significant influence on ETC performance. We expect that the ECTS implementation
will increase stability and the outlook of the system, providing additionalbenefitsbothforstakeholdersandminers
fromamorestableandpredictablesystem.

 TableofContents
1.Introduction 5
1.1.Objectiveanddesiredpropertiesofthetreasurysystem 5
1.2.Overviewoftheproposedtreasurysystem 6

2.EthereumClassicTreasurySystem 9
2.1.EthereumClassicBlockchain 9
2.2.BasicTreasuryModel 10
2.2.1.Fundingepochs 11
2.2.2.Epochstages 12
2.3.Proposalsubmission 15
2.3.1.Proposalballotformation 15
2.3.2.Submissionrulesandcost 16
2.3.3.Miscellaneous:revocationandmoneyreducing 16
2.4.Voters 17
2.4.1.Depositsubmissionandredemption 18
2.4.2.Incentives 19
2.5.Treasurysource 20
2.6.Electionmethod 21
2.6.1.Tievote 23
2.7.Delegation 24
2.7.1.FullDelegation 24
2.7.2.DisposableDelegation 25
2.7.3.Rewardsdistribution 26

3.Technicalimplementationapproaches 27
3.1.Coreconsensusimplementation 27
3.2.Smartcontractimplementation 27

4.Designrationale 29
4.1.Fundingepochanditssize 29
4.2.Blockchainbasedvoting 29
4.3.Treasurysource 30
4.4.Votingprocess 30
4.4.1.Fixedproposalsandvoters 30
4.4.2.Secretballots 31
4.5.Incentivesstructure 31
 4.5.1.Expectednumberofvoters 31
4.5.2.55%attack 33
4.5.3.Selfbalancedsetofvoters 33
4.5.4.Freezingperiod 34
4.6.Electionrule 34
4.6.1.Typesofvotingsystems 35
4.6.2.Avotingschemeforthetreasurysystem 37
4.7Computationalandstorageburden 38
4.8Directionsforfurtherdevelopment 40

5.Attacksoverview 41
5.1Takingcontrolovertreasurycoins 41
5.1.1Directattacksonthevotingprocedure 41
5.1.2Influenceonthevotingprocess 41
5.1.3Takingcontrolovera"treasuryaccount" 42
5.1.4Bribinginfluentialpartofvoters 42
5.1.5Attackof55% 42
5.2Blockingthetreasuryoperation 43
5.2.1Issuinglargeamountofproposals 43
5.2.2Creationofexcessivenumberofvotingaccounts 43
5.2.3Generationofmanycommitmentsandopeningsfromeachvotingaccount 43

6.Conclusions 44

References 45

AppendixA.VotingModelFuzzyThresholdVoting 48
A.1.Introduction 48
A.2.DefinitionofFTVmodel 48
A.3.SomepropertiesofFTVmodel 54
A.4.Thenecessityofsecretballots 60
A.5.Conclusions 61
A.6.References 61

AppendixB.Dashvotingstatistics 63

AppendixC.EVotingprotocols 65

AppendixD.ThresholdCryptographyanditsApplicationtoSecureVoting 70
D.1.ThresholdCryptosystems.BasicIdeas 70
 D.2.DistributedKeyGenerationProtocols 70
D.2.1.PedersensDKG(JointFeldman)Protocol 71
D.2.2.SecureDKGProtocol 72
D.2.3.DKGonEllipticCurves 74
D.3.ThresholdCryptosystems.Examples 74
D.3.1.ThresholdBLSSignature 74
D.3.2.ThresholdSignaturesonEllipticCurves 76
D.3.3.ThresholdEncryptionSchemeonElGamalcryptosystem 76
D.4.PossibleApplicationtoCryptocurrencyTreasurySystem 77
D.5.References 78

1.Introduction

The cryptocurrency phenomenon emerged in 2008 with Bitcoin [1]. Then hundreds of
different cryptocurrencies were invented, and now the market capitalization only of 10 most
popular cryptocurrencies exceeds US$17 billion [2]. Traditional financial institutions and
governments show interest in adopting blockchain technologies developed by this industry
[3,4,5].
Absence of a centralized control over the operation process is a key feature expected
from the blockchain systems. It can be ensured with decentralization and honest majority
governance. When there is no central authority controlling coin emission and transactions it is
considered a serious guarantee of operation stability and drives users' interest in
cryptocurrencies.
In shortterm perspective, a cryptocurrency operation requires having a decentralized
honestmajorityofnodesthatsupportsadistributedledgermaintenance.
In the middle and longterm perspective, an additional factor is crucial. Any
cryptocurrency exists as a complex technical system that requires continuous designing and
implementation of multiple complex protocols and algorithms that, in turn, requires the
appropriate funding level. Lack offundingwouldleadtocryptocurrencyoperationfreeze,andto
a deficient issue resolution routine. Occasional funding with weakly managed voluntary
contributions may result in security vulnerabilities and system instability that would affect the
exchange rate and lead to dramatic halt of its market extension. Thus, stable funding for the
system support and development is a key to the cryptocurrency middle and long term market
outlook.
We may consider different options to providetheneededfunding.Itcanbemoneyraised
from venture funds which are interested in a potential of the blockchain technology or it canbe
community donations raised through the crowdfunding process. The third approach is a
cryptocurrencyselfsufficiencytoensuresustainablefunding[6,7,8].
ThisreportintroducesaproposalfortheETCTreasurySystem(ECTS)thatisintendedto
provide a sustainable funding system for the cryptocurrency development under the community
control.

1.1.Objectiveanddesiredpropertiesofthetreasurysystem

The ETC Treasury System is a community controlled and decentralized process for
funding of the Ethereum Classic development. The presented treasury system is not a
comprehensive governance system with a hard fork adoption subsystem, but it is onlyatoolfor
thecryptocurrencydevelopmentfunding.
TheECTSisdesignedtohavethefollowingproperties:
 1. Supported and boosted stability and future prospects of the Ethereum Classic platform.
Cryptocurrency miners as well as regular users should have no negative influence but
benefitsfromamorestableandpredictablesystem.
2. Acceptable computation and blockchain space load for the system, with no significant
impactonperformance.
3. Possibility for anyone to submit proposals for funding (with the system protected from
DoS),andselectionofthebestones.
4. Community members have incentives to select proposals for funding. Voters are
interested in stability and further development of the cryptocurrency, so take part in the
process.
5. An immediate economic incentive to become a voter and to be involved in the decision
making. The ETCS should support a selfbalanced set of voters to ensure a good
participation level (if the number of participants drops, then the reward per participant
increasesthatwouldattractnewmembers).
6. Decisions made are transparent and traceable. Everyone accessing ETC blockchain can
completelyandindependentlyverifycorrectnessofthetreasuryoperations.
7. Regular decision making on funding with ample time for analysis and limiting of the
treasurylossesfrominappropriateproposals.
8. Voting procedure should minimize complexity of voting strategies. No voter should win
orlosefromvotingearlierorsoonerthanothers.
9. A delegation procedure allowing voters to follow trusted qualified participants as to
decisionsthatneedtimeandskillintensiveanalysis.
10. Adequate security properties to protect the system from malicious participants. An
attacker must involve significant resources for small potential gains. Ability for honest
participantstointerfereandpreventfurtherattacks.

We designed the relevant functionalities for the proposed ECTS, theformalanalysiswas

postponedforthefurtherstagesofresearch.

1.2.Overviewoftheproposedtreasurysystem

Here weprovideanoverviewoftheproposedtreasurysystem.Thedetaileddescriptionis
giveninthefollowingsections.

The development fundingpipelineisdesignedastheprocessofcointransferstoaccounts
linked to community approved proposals. The proposals to be funded will solve tasks of the
cryptocurrencyenhancingandmaintenance.
 Coin transfers will be made in a constant number of blockscalledatreasuryepoch,with
duration of approximately one month. At the end of each epoch, a payment block with extra
coinbasetransactionsforproposalswalletsisissued.
The epoch funding budget will have a constant upper limit. It can be presented as
follows: each issued block within the epoch provides one coin for the treasury (added to the
current 5 coins of the miners' reward). The project proposals are funded at the end of theepoch
upto80%ofthistreasurycoinamount.
Anyone can submit a proposal before the start of an epoch when the proposal is to be
funded. The proposalsubmissionburns5coinsandisincludedintotheblockchain(thus,alistof
proposals to be funded within the epoch is always fixed in advance). A proposal may request
fundingforasingleepochorformultipleepochs.
Proposals are approved for funding in the currentepochviafuzzythresholdvoting.Each
voter may issue aballotthatindicatesyes,noorabstainforaspecificproposal(ballotsfor
differentproposalsfromonevoterareusuallygroupedtogethertosavetheblockchainspace).
The proposal score is the number of yes votes minus the number of no votes.
Proposals that got at least 10% (ofallvotes)ofthepositivedifferenceareacceptablecandidates,
and all the rest are discarded. Acceptable candidates are rankedaccordingtotheirscore,andthe
most popular proposal is funded according to the requested amount of money, then the next
acceptable candidate, and so on, till the limit is reached (some portion of epoch treasury may
remainunspentcoinsforitarenotissuedatall).
Ballots are kept secret during the firststageoftheepoch(withthedurationofapprox.26
days), instead every voter is supposed to provide correspondingcommitmentforavotingballot.
The last stage (approx. 4 days) is opening, where each voter is incentivized to open her ballot
(that must strictly correspond to the previously issued commitment). Open ballots are also
includedintotheblockchain.
Voters are cryptocurrency stakeholders who made a special locked deposit, from 500
coins (a special locking transaction is issued). A deposit can be withdrawn by the owner by
issuing of another transaction, and that stake becomes available after the following three full
funding epochs. Thus, a list of voters in each epoch is also always fixed, similarly to the list of
proposals. The voting power is proportional to the deposit size with respect to the sum of all
votingdeposits.
There is an incentive to makevotingdepositsandtotakepartinthevotingprocess.Each
voter gets a reward from the remaining 20% treasury coin amount, according to her share with
respect to the sum of all voting deposits (similarly to the voting power). The voters treasury
reward is paid within her share proportionally to the number of voted proposals(withrespectto
total number of proposal in the current epoch). If a voter skipped some proposals, the
correspondingcoinsarenotissuedatall(thereisnoredistributiontoothervoters).
A voter can make delegation for a specific proposal ballot orforasetofthemtoanother
voter. In thiscaseheropenballot(andthecorrespondingcommitment)containsthespecialvalue
follow the voter ID instead of yes/no/abstain. On proposalrankingthedelegatedvoting
power for a proposal(oritsset)isaddedtothedelegateballot.Fulldelegationtosomeparticular
delegateisalsoprovided.

2.EthereumClassicTreasurySystem

In this section we give an abstract description of a treasury system which can be

implemented for establishment of a selffunding mechanism for a blockchainbased
cryptocurrency system. We focus on the Ethereum Classic blockchain, but the model could be
usedforothercryptocurrencies,possiblywithsomemodifications.
First, we briefly discuss the Ethereum Classic blockchain, its rewards scheme and then
continuewithadetaileddescriptionoftheproposedtreasurysystem.

2.1.EthereumC
lassicB
lockchain

In a nutshell, the Ethereum Classic is a proofofwork based decentralized public ledger

with a builtin Turingcomplete programming language which allows to write smart contracts
anddecentralizedapplications[9,10].
The foundations of the Ethereum Classic blockchainarebasicallythesameasinBitcoin,
whichisthemostwellknownandsuccessfulcryptocurrencyatthemoment[1].Consistencyofa
public ledger of blocks in a proofofwork based scheme is secured through the decentralized
mining process. Theminerscontinuouslytrytosolveahardcomputationalproblemoffindingof
a hash value which is lower than some target. In the case of success, they get an opportunity to
generateablockandclaimarewardfromthisblock(Fig.1).
.

Fig.1Generalschemeofablockchainsystem

We do not go too deeplyintotechnicaldetailsoftheEthereumplatform,thoughthereare
many remarkable changes compared to Bitcoin, including accounts instead ofUTXO,improved
internal structures, Turingcomplete scripting languages etc. An interested reader could find all
necessary informationintheoriginalsources[8,9].Instead,wehighlightonlyafewthingswhich
arerelatedinsomewaytotheproposedtreasurysystem
First of all, it should be mentioned that an average block time is about 14 seconds. It
meansthatapproximatelyB month = 1851428 blocksaregeneratedevery30days.
The second important difference is a block reward. Each blockincludesaspecialreward
payment to the miner who generated this block. Currently in the Ethereum Classic, this reward
equals to 5 newly created coins (uncle blocks are not considered here). It is approximately
Rmonth = B month 5 = 9257140 coins per month. The full amount of rewards is paid to miners,
andthisistheonlysourceofnewcoinsinthesystem.
To summarize, we can say that though the Ethereum provides advanced features like
Turingcomplete programming language,improvedMerkletrees,modifiedGHOSTprotocol,the
basicprinciplesaresimilartothoseusedinBitcoinandotherproofofworkaltcoins.

2.2.BasicTreasuryModel

The basic idea is to introduce a mechanism for funding of different proposals from a
treasury store. The funds for proposals couldbeallocatedthroughtherewardmechanism.Atthe
moment the most wellknown and successful treasury system was deployed in the Dash
cryptocurrency [6,11,12]. It is called the Dash GovernanceSystemandsupposedtouseasimple
schemewhere10%ofcoinbaseblockrewardiscollectedforfundingdifferentproposals.
The proposed treasury model for the Ethereum Classic platform relies on the block
rewards as a source of funding. The general idea is presented on the Fig. 2. There is an entity
Treasury Store that serves as anaccumulatoroffundsforfutureusage.Suchstoreshouldnot
necessarily be implemented as a special account or a smart contract the treasury fund can be
easily calculated for a specific block height and created when it is really needed. In this case
there is no need of special reward transactions to put money into the treasury store. The
proposals could be funded directly from the coinbase transactions. The decisions regarding
funding of the particular proposals could be made collectively by the stakeholders through a
votingprocedure.
A proposal itself is a funding request. It exists in the form of a proposal ballot which is
submitted to the blockchain so every valid voter can review it and vote. Anyone can submit a
proposal ballot. For instance, a core development team representative could request a payment
forITinfrastructureservices,developer'ssalaryetc.
In this section we present highlevel architecture of the proposed treasury system for
EthereumClassic.



Fig.2Treasurystore

2.2.1.Fundingepochs

The funding procedure includes several stages. An important point is that this processis
iterative.Wewillcalleachiterationafundingepoch.
A funding epoch is a period of time (measured in blocks) during which a predefined set
of voters decides on funds allocation among predefined set of proposals. The funds are
accumulatedduringtheepoch.
More formally, let B = (B (1) , B (2) , ) be a blockchain of a cryptocurrency with a
treasurysystem,where B (i) = (b(i)
1
, b(i)
2
(i)
, , blen ) representsan i th fundingepochconsistingof len
blocks.Fundinglimitfortheepochi isdefinedas
len
(i) (i)
T r(B ) = tr(bj ),
j=1

(i)
wheretr(bj ) isaportionoftheblockrewardwhichisassignedtothetreasurystore.
There is also a list of projects P (i)

= (p(i)
1
, p(i)
2
(i)
, , p(i) ) at the i th funding epoch which
should be voted by thesetvoters V (i)

= (v(i)
1
, v(i)
2
(i)
, , v(i) ) todecideonfunds T r(B (i) ) allocation
(votersalsogetsomeportionofthesefundsasareward,itisdiscussedinsection2.4.2).
Generally speaking an entire blockchain is divided intotheepochsofaconstantduration
(Fig. 3). The epoch duration is equivalent to 1 month (30 days). For the Ethereum Classic
platform where an average block time is close to 14 seconds it means that an epoch duration
wouldbelen = 185142 blocks.

Fig.3Fundingepochs

2.2.2.Epochstages

In this section we define different stages of the funding epoch and discuss purposes of
each of them. In general, the further stages could be marked out as follows: submission, voting
andfinalization.
The necessity of separate voting and finalization stages stemsfromthefactthatweusea
simple commitment/reveal scheme [13] to keep voting ballots in secret during the voting.
Disclosing of ballots happens only at the finalization stage when all voters have already
submittedtheircommitments.

2.2.2.1.Submissionstage

The purpose of the submission stage is to collectproposalswhichshouldbereviewedby

the voters. This stage lasts before the funding epoch begins because a set of proposals
P (i)

= (p(i)
1
, p(i)
2
(i)
, , p(i) ) shouldbefixedatthemomentwhenthevotingstarts.
The proposalsshouldbesubmittedinoneoftheepochwhichprecedestheepochwhereit
should be voted and paid (Fig. 4). The purpose of such restriction is rather simple: thereshould
be at least one full voting cycle, so thevotershaveenoughtimetoreviewallproposals.Thereis
no restriction regarding the early submission, but voting for aparticularproposalwilltakeplace
onlyintheepochwherethatproposalrequestsfunds.
So if a proposal is supposed to be voted and paid in the epoch B (t) , then it should be
submittedintheepochB (i) ,wherei < t .
Detailed specificationofaproposalballotisgiveninfurthersections.Nowitisonlyneed
to mention that all valid proposals are included into the blockchain, so it is trivial to find out
whenaspecificproposalwassubmitted.


Fig.4Proposalssubmission

2.2.2.2.Votingstage

During the voting stage voters express their opinions regarding the submitted proposals.
Selections of voters is discussed later at the beginning of eachepochthereisalwaysauniquely
definedsetofvotersV (i)

= (v(i)
1
, v(i)
2
(i)
, , v(i) ) ).
At this stage the voters submit commitments for their voting ballots. The voting ballots
themselves remain secret at this moment. They should be opened only at the finalization stage
when all voters have already submitted their commitments. In such simple way secrecy is
provided for the voting procedure that is a very desirable property of voting schemes (see
AppendixAand[14]).
More formally, in the funding epoch B (i) a voter v(i) 1
computes and publishes a
commitment(i) whichuniquelyrepresentshervotingballotvb(i) :
v1 v1
(i) (i)
= H (vb r) ,(1)
v1 v1

where H (x) is a cryptographically strong hash function and r is some random value generated
bythevoter.
The voting stage lasts first k blocks of the epoch where k = 160457 . The value of k is
chosensothatitisapproximatelyequalto26days(Fig.5).
The commitments for the current epoch are taken into account only if they are included
intotheblockchain(inblocksb(i)
1
, b(i)
2
(i)
, , b160457 ).
A particular voter can issue only one commitment per epoch. A commitment is
consideredvalidonlyifitissignedbyavalidvoter.

Fig.5Epochstages

So at the end of the voting stage there will be a set of commitments

(i)

= ((i) , (i) , , (i) ) . Note that it is not necessary that all voterssubmittheircommitments.In
v1 v2 vn

thiscase,theirvoteswillbeautomaticallycountedasabstain.
The specific voting procedure and the structure ofavotingballotarediscussedinfurther
sections.

2.2.2.3.Finalizationstage

The finalizationstagelasts24685blocks(approximately4days)attheendofthefunding
epoch(Fig.5).Duringthisstagethosevoterswhosubmittedcommitmentsinthevotingstageare
(i)
supposed to submit their voting ballots vb togetherwiththerandomness r (openingsinterms
vj

ofcommitment/revealscheme),soeveryonecancheckthatthevotingballotcorrespondstosome
previouslysubmittedcommitmentc(i) .
vj

A voting ballotcontainsallinformationregardinguserpreferencesamongproposals.The
votingballotisvalidonlyifitisproperlyconstructed:
theuserwhosignedthevotingballotisavalidvoter
thecommitmentforthisvotingballotwaspreviouslysubmittedbythesamevoter
thevotingballotcontainsvotesonlyforproposalsfromthesetP (i)

= (p(i)
1
, p(i)
2
(i)
, , p(i) )
(i) (i)
itisincludedinoneoftheblocksb160459 , , blen 1
.
 It isnotnecessarythatallvoterswhosubmitcommitmentswillalsosubmitvotingballots
at the finalization stage, but we assume that they will (an incentive mechanism for this will be
discussedfurther).
(i)
Finallyattheendofthefinalizationstage(afterblock blen 1
)therewillbedeterminedset
of voting ballots V B(i)

= (vb(i) , , vb(i) ) which represents choices of voters. All voting ballots
v1 vm

areincludeddirectlyintotheblockchainsoeveryonecanseeandverifytheresults.
(i)
The last block in the epoch blen is a payment block. It doesnt contain commitments or
votingballotsbutinsteaditcontainstransactionswithpaymentsforthewinningproposals.

2.3.Proposalsubmission

The firststepforobtainingfundsfromthetreasurysystemistosubmitaprojectproposal.
Anyone can submit a proposal to the network. In this section we describe the process of
submissiontogetherwiththeformatofavotingballot.

2.3.1.Proposalballotformation

A proposal p(i)
j
which is submitted to the network should follow a special format. Only
valid proposals are included into the blockchain. There are six mandatory fields, they are
representedintable1.

Table1Proposaldata
Fieldname Description

1.Proposalname The symbols can be [azAZ09_]. It should be unique among any existing
proposalnames.

2.URLtotheproposal AcharstringrepresentinganURLtothedescription.
description

3.Hashoftheproposal Hashvalueofthedescription.Forexample,ifURLlinkstoapdffilewith
description description,thishashvalueisahashofthepdffile.

4.Startblock A block number when the first payment is expected. Note that a payment can
(i)
occur only in the last block of the epoch blen . So theStartBlocknumbermust
bedivisiblebylen .

5.Endblock A block number when the last payment is expected to be made. It must be
greaterorequaltoStartBlockandaswellbedivisiblebylen .
 6.Paymentaddress Shouldbeavalidaccountaddress.

7.Paymentamount Shouldbeanonnegativevalue,notmorethanthemaxbudgetofafunding
(i)
epoch( 0 < paymentAmount P r(B ) ).

8.CollateraltransactionID AnIDofacollateraltransaction.Acollateraltransactionisminimalpayment
forproposalsubmission.

Note that there are two values startBlock(p(i)
j
) and endBlock(p(i)
j
) which represent the
funding period for the proposal p(i)
j
. If p(i)
j
is a onetime payment, then both values are equal:
startBlock(p(i)
j
) = endBlock(p(i)
j
) .Otherwisethereismultipaymentproposal:
k len = endBlock(p(i)
j
) startBlock(p(i)
j
) ,
wherek representsanumberofpaymentsandlen isthesizeofafundingepoch.

2.3.2.Submissionrulesandcost

Prior to submission of a proposal, a special collateral transaction must be created (one

such transaction may be referred by one proposal only). This transaction burns 5 coins, it is a
minimal payment for proposal submission. The purpose of such payment is DoS attacks
preventionsoitwouldbeharderandmorecostlytospamthenetworkwithmaliciousproposals.
After submission, the proposal is relayed through the p2p network to all nodes like a
typical transaction. For the proposal to be valid itshouldbeincludedintotheblockchainatleast
len blockspriortothestartBlock(p(i)
j
) (see2.2.2.1Submissionstagesection).

2.3.3.Miscellaneous:revocationandmoneyreducing

The proposed treasury system allows to revoke a previouslysubmittedproposal.Itcould

be quiteusefulindifferentsituations,e.g.inthecaseofanotherapprovedproposalimplementing
more advanced functionality (developers cancel previously approved multi epoch funding in
favoroftheirownneweralreadyapprovedproposal).
In this case the owner of the proposal should have a possibility to submit a revocation
transaction with no cost. To take effect, such transaction should be included into theblockchain
before the payment block. In this case voting ballots for this project should not be counted,and
the proposal itself should not be considered during the winner'sselectionprocedure.Themoney
whichhavealreadybeenallocatedcannotberevoked.
 It is also possible to reduce the amount of the requested coins. The same approach is
applicable in this case: such transaction should be included into the blockchain before the
paymentblock.

2.4.Voters

One of the most important parts of the developed treasury system is to define a set of
voters V (i)

who are empowered to participate in a voting procedure in the epoch B(i)
. An
importance of this part of the system comesfromthefactthatselectedvotersshouldbeproperly
incentivizedtoactnotonlyfortheirbenefit,butforthebenefitoftheentiresystem.
Oneeasysolutiontothisproblemistogivevotingpowertoallstakeholdersinthesystem
(according to the amount of stakes they possess). In this case a list of stakeholders is fixed at
some moment in time (for example, after the last block b(ilen1) in the previous epoch) and those
who have some positive balance can participate in voting in the epoch B(i)

. But such a scheme
hassignificantdisadvantages:
it does not introduce direct personal incentives to participate. Why would someone
spend time to review proposals and voteforproposals,ifshedoesnothaveanybenefitstodoso
comparedtothosewhodoesnotparticipate
the stake of participants is not locked sotheycanspenditrightaftertheblock b(ilen1) .It
means that nonstakeholders will decide on proposals, which is undesirable property of the
systembecauseitcouldleadtononoptimalorevenmaliciousdecisions
uncontrolledparticipationwillcomplicateestimationsofthecomputationalandnetwork
burden. In the worst case it would lead to a situation when the stakeholders are completely
agnosticanddonotwanttoparticipate.
All arguments mentioned above show the need of a more robust voters selection
procedurewithstrongincentivestoparticipateandbehavehonestly.
The proposed solution is based on locked deposits which should be submitted by the
voters who want to participate in a voting procedure. An incentive to do so is a special reward
whichispaidattheendofeachfundingepoch.
The idea of deposits utilization is also used in other cryptocurrencies, for example, in
Tezos[15,16]andDfinity[8].

2.4.1.Depositsubmissionandredemption

Technical implementation of locked deposits is quite simple: the user vj posts special

transaction Depov to the blockchain where she specifies a number of deposited coins
j

amount(Depov ) . Note that for the Depov transaction to be valid, the user should have the
j j

sufficientnumberofcoinsonherbalance:

balance(vj ) amount(Depo ) ,
vj

wherethefunctionbalance(vj ) returnsanamountofthestakeownedbythevotervj .
The user will get voting rights in the epoch B(i+1)

which follows the epoch B(i)

where
thedepositwasmade(Fig.6).

Fig.6Depositsubmissionandredemption

The number of the deposited coins must not be smaller than the minimal threshold

amount(Depov ) minDepo . For now we assume that minDepo = 500 . Such threshold is
j

neededforseveralreasonswhichwillbesubstantiatedlater.

Since the Depov transaction has been submitted, the corresponding stake cannot be
j

spent by the user. To unlock the deposited funds, the user needs to submit another transaction

RedeemDepov . Then after the freezing time tf reeze she will be able to access her funds. At the
j

momentwesupposethat

tf reeze = 3 * len (blocks),
where len is the size of a funding epoch. It means that the user should wait 3 full epochs. The
(i+1)
freezing period tf reeze starts only from the epoch B which immediately follows the epoch
B(i)

, when the redemption was made. The user does not have a right to participate in voting

duringthefreezingperiodtf reeze , butkeepsthisrighttilltheendofthecurrentepoch.
The proposed scheme has one significant advantage: italwayskeepsaparticularfunding
epoch B(i)

consistent, the sets of voters V (i)

and proposals P (i)

are determined and can notbe
changed during the epoch. This reduces some possible vectors of attacks and provides better
approaches to future formal analysis. The deposit size also constraints creation of excessive
numberofvotingaccountsthatalsoprotectssystemfromfloodingattacks.

2.4.2.Incentives

A special reward mechanism is introduced to incentivize stakeholders to deposit their
stakes and participate in voting. As we discussed in section 2.2.1, the number of coinsintended
for the treasury is equal to T r(B (i) ) per epoch. A portion of these funds is directed towards
rewardsforthevoters.
Let V r(B (i) ) be a reward for voters for thecurrentepoch B (i) .Followingthesuggestion
thatrewardsforthevotersaretakenfromthetreasuryfund,wehavethat
(i) (i)
V r(B ) = kV r T r(B ) ,
wherekV r isaportionofthetreasuryfundpaidtovoters,0 kV r < 1 .
From this it follows that the amount of the treasury fund assigned to the proposals
themselveswillbe
(i) (i) (i) (i)
P r(B ) = (1 kV r ) T r(B ) = T r(B ) V r(B ) .
WetakekV r = 0.2 ,therationaleofthischoicewillbegiveninfurthersections.

The second important question is how the voters reward V r(B (i) ) will be allocated
among the set of voters V (i)

= (v(i)
1
, v(i)
2
(i)
, , v(i) ) . Recall that the set V (i)

and the reward
V r(B (i) ) are constants during the funding epoch B (i) . To introduce the distributionfunctionwe
firstneedtodefinethenotionofavotingpower.
Definition 2.1. A particular voter v(i) j
hasavotingpower vpv (i) whichreflectsherability
j

toinfluencethefinalresult.Thevotingpowervpv (i) isdefinedasfollows:

j

Depo (i)
v
j
vp (i) = ,
vj
Depo (i)
v
v (i) V (i) k
k

so the voting power roughly equals to the portion of the deposited stake of the voter v(i)
j
in
relationtothetotalamountofdepositedstakebyallvotersintheepochB (i) (includingv(i)
j
).
Now it is easy to define an upper bound of the voting reward for a particular voter. It is
proportionaltohervotingpower:
vr (i) V r(B (i) ) vp (i) .
vj vj

 The exact reward function will depend on one more parameter which is called
ParticipationRate.
Definition 2.2. Given a set ofallproposals P (i)

= (p(i)
1
, p(i)
2
(i)
, , p(i) ) intheepoch B (i) we
defineaParticipationRateofavoterv(i)
j
asfollows:

pratev (i) =
{
#
(i)
pk ,sothatpk vb
(i)
v
j
}
(i)

.
j
#P (i)

Simply speaking, it is a portion of proposals which are reviewed and voted by the voter
v(i)
j
.
Givenallthattherewardfunctionisdefinedasfollows:
(i)
vr (i) = pratev (i) V r(B ) vp (i) .
vj j vj

So it is easy to see that a reward is dependent on the voters participation. Such scheme
introduces a direct incentive to participate in a voting procedure. Together with theconceptofa
freezing period, it creates an extra incentive to behave honestly. Supportingmaliciousproposals
will immediately reflect on the coins price and accordingly reduce the actual value of the
depositedstake.

2.5.Treasurysource

As mentioned in section 2.2.1 Funding epochs, the only source for a treasury is block
rewards.Thetreasuryfunctionwasintroducedasfollows:
len
(i) (i)
T r(B ) = tr(bj ) ,
j=1

where tr(b(i)
j
) is a portion of the block reward of the particular block b(i)
j
which isintendedfor
thetreasury.
At the moment, the block reward in Ethereum equals to 5 coins, and all this amount is
taken by the miner. We propose to increase a block reward to 6 coins, from which 5 would be
taken by the miner (as before), and 1 coin is intended for the treasury. In this case we will get
tr(b(i)
j
) = 1 .
Thenitiseasytocountanamountoftreasuryperfundingepoch:
len
(i) (i)
T r(B ) = tr(bj ) = len = 185142(coins).
j=1


2.6.Electionmethod

In this section we will give a description of the election rule which is actually a core of
anyvotingprocess.
In a nutshell the voting method is rather simple: given a set of voters and a set of
proposals, each voter issues a voting ballot where she marks each proposal with one of the
possible values: Accept, Abstain or Reject.Aftergatheringallvotingballotsitbecomespossible
to count the final score for each proposal, which is roughly equal to the difference between the
number of coins which accept proposal and those which reject. If the score of a proposal is at
least 10% of the total number of deposited coins, it is considered to be accepted. Then all
accepted proposals are sorted in the descending order by their scores and funded onebyone
until run out of epoch treasury fund (or proposals). If a proposal does not fit into the remaining
budget, then it is skipped andtheprocesscontinueswiththefollowingproposals(alsorecallthat
the necessary condition for a proposal to be accepted is at least 10% support by the voters,
accordingtotheirvotingpower).
Now we give a formal description for an election E and the election rule R, which
(i)
definesasetofwinnersW (B ) .
An election E = {P (i)

, V (i)

, V B(i)

} is given by a set P (i)

= {p(i)
1
(i)
, , p(i) } of project
proposals, a set V (i)

= {v(i)
1
(i)
, , v(i) } of voters and a set of voting ballots
(i) (i) (i) (i) (i)
V B = {vb , , vb } , where each vb represents preferences of the voter v(i)
j
V . The
v1 vm vj

votingballotofthej th voterconsistsof3setsvb(i) = {vbYv , vbvA , vbNv } :

vj j j j

Y (i) Y
vbv P (a set of proposals vbv = {p(i)j (1) , p(i)j (2) , ..., p(i)j (n ) } which were voted
j j j

positivelybythevoterv(i)
j
V (i) )
A (i) A
vbv P (a set of proposals vbv = {p(i)j (1) , p(i)j (2) , ..., p(i)j } which were voted
j j (mj )

neutrallybythevoterv(i)
j
V (i) )
vbNv P (i)

(a set of proposals vbNv = {p(i)j (1) , p(i)j (2) , ..., p(i)j (k ) } which were voted
j j j

negativelybythevoterv(i)
j
V (i)
).
(i)
A voter v j cannot issue different votes for the same proposal:
Y N Y A N A (i) (i)
(vbv vbv = ) (vbv vbv = ) (vbv vbv = ) . It follows that vb P (a set of
j j j j j j vj

proposalswhichwerevotedbythevoterv i V isalwaysasubsetofP ).
 (i)
Note that it is possible that someproposal p(i)
t
vb .Itmeansthatthevoter v(i)
j
didnot
vj

vote for this proposal. In this case it is assumed that the voter has abstained. Recall that if a
proposal is not explicitly included into the voting ballot, the reward of the corresponding user
wouldbereducedaccordingtotherulespresentedinsection2.4.2Incentives.
An election rule R is a mapping that given an election E = {P (i)
, V (i)

, V B(i)

} outputsa
(i)(i) (i) (i)
set of winners W (B ) = {p(1) , p(2) , ..., p(k) } that are selected to be paid in the funding

epochB(i)

.AsetofwinnersiseventuallyasubsetofallproposalsW (B(i)

) P (i)

.
TodefineelectionruleR ,wewillrecalltwoutilityfunctionsamount(p(i)
j
) andP r(B (i) ) :
amount(p(i)
j
) given a proposal p(i)
j
returns an amount of moneyrequestedbythis
proposal
P r(B (i) ) given a funding epoch B (i) returns a reward limit forthisepoch(thatis
maximalamountofmoneywhichcanbepaidtoallproposals).

AnelectionruleR(E) returnsasetofwinnersaccordingtothefollowingrules:

1.Let score(pk(i) ) beafunctiongivenacertainproposal pk(i) P (i)

returnsascoreforthis
(i)
(i)
proposal score(pk(i) ) = (pref (pk(i) , vb ) depov ) , where depov is the number of deposited
j=1 v j j j

coins1bythevotervj andfunctionpref returnsherpreferenceregardingtheproposalpk(i) :

pref (pk(i) , vb(i) ) = 1if pk(i) vbYv ,

vj j

(i) N
pref (pk(i) , vb ) = 1if pk(i) vbv ,
vj j

pref (pk(i) , vb(i) ) = 0if pk(i) vbvA pk(i) / vb(i) .

vj j vj

(i) (i) (i) (i)

2. Let P accepted = {p(1) , p(2) , ..., p((z)) } P (i)

be a sorted list of proposals so that
(i) (i) (i) (i)
score(p(1) ) score(p(2) ) .... score(p((z)) ) , and for each pk(i) P accepted it holds that

(i)
score(pk(i) ) 0.1 depov (proposals which have score(pk(i) ) < 0.1 V are considered
vj V (i) j

(i)
unacceptedandarenotincludedintothesetP accepted ).

1
Generally speaking multiplying by depo reflects a voting power of a particular voter. In this case score
functionshowsamountofstakethatsupportsproposal(insteadofnumberofvoters).
 (i)
(i) (i) (i)
3. A set of winners W (B ) = {p(1) , p(2) , ..., p(k) } consists of the proposals from

(i) (i) (i) (i)
P accepted where score(p(1) ) score(p(2) ) .... score(p(k) ) , so that
k
(i)
amount(p(j) ) P r(B ) .
j=1

RecallthattherewardlimitP r(B (i) ) ofthefundingepochB (i) isdefinedasfollows

len
(i) (i) (i)
P r(B ) = (1 kV r ) T r(B ) = (1 kV r ) tr(bj ) ,
j=1
(i)
where tr(bj ) is a portion of the block reward intended for the treasury, and kV r isaportionof
thetreasuryfundpaidtovoters( kV r = 0.2 ).

2.6.1.Tievote

It is theoretically possible that there are two or more proposals which have equal scores
(i)
score(p(i) (i) (i)
n ) = score(pm ) = .... = score(pk ) but cannot be included into W (B ) simultaneously

because it would exceed funding limit P r(B (i) ) . In this case we need additional rules to rank
suchproposalstobeabletodefinewhichofthemarewinners.
In our model, we assume thefollowingsimplerulesforbreakingtieswhichapplyoneby
oneuntiltievoteissolved:
1. The proposals are ranked accordingtotheamountoffundsgatheredfromtheprevious
funding epochs. We denote the function which returns such amount as scoreprev (p(i) j
) . A
particular proposal would have scoreprev (p(i)
j
) > 0 only inthecaseifitisamultiepochproposal
(which requests continuous funding during more than one epoch) and it has already received
funds during previous epochs. Such rule will provide an advantage to the wellknown and
previouslyacceptedprojects:
scoreprev (p(i) (i) (i)
n ) scoreprev (pm ) .... scoreprev (pk ) .

2.Ifthereisastilltievoteamongsomeproposals,thenitissolvedbytherulefirstcome
first served(FCFS).Theproposalswhichhavebeensubmittedearlier(includedtoearlierblock
havealowerindexinthecaseofthesameblock)haveanadvantage.

Nevertheless, when we consider tie vote resolution rules, it is expected that such events
couldhappenquiterarely.

2.7.Delegation

 To get rewards, voters need to be online to track the list of proposals, review them and
vote. To mitigate risks of low participation rate or poor proposal analysis, and to providevoters
with more flexibility, weputforthadelegationscheme,wherebyvoterscanautomaticallyfollow
someothervoter.
There are two typesofdelegation:fulldelegationanddisposabledelegationforaspecific
proposal. While the firstoneneedsaspecifictransaction,thesecondoneisimplementeddirectly
throughavotingballot.

2.7.1.FullDelegation

Implementation of the full delegationisrathersimple.Weonlyneedtwoadditionaltypes
oftransactions:theoneforthedelegationitselfandanotheroneforrevocation.
Fig. 7 represents the basic idea. To delegate her voting right, a user needs to submit a

special transaction Delegatev . This transaction will point to the particular voter (delegate)
j

whichshouldbefollowed(forexample,itmaycontainherpublickey).

Fig.7Delegation


The Delegatev transaction could be issued at any time by a valid voter (who made a
j

deposit). Note that delegationandrevocationwilltakeeffectinthecurrentepochonlyiftheyare

submittedbeforethefinalizationstage.
Even if the delegation has been made, the voter still has a right to vote herself. For
instance, she may vote for some proposals which she is interested in, and delegate decisions
about others to someone else. The voting ballotofausertakesprecedenceoverthevotingballot
of a delegate. So the votes of the delegate would be taken into account only if the original user
doesnotincludethemintohervotingballot(orshedoesnotissuethevotingballotatall).

TorevokedelegationrightsavoterneedtosubmitRevokeDelegatev transaction.
j

To change a delegate, a voter needs to revoke the previousone.Onlyonedelegationand

onerevocationisallowedduringanepoch.
 Note that if a delegate has not voted for some proposals, then a voter who delegates her
voting rights will not receive a reward for these proposals. If a delegate herself delegates her
votes,thenthedelegationrewardshouldbepaidtothosewhoactuallyvoted.

2.7.2.DisposableDelegation

A delegation for a specific proposal allows the voter to include into her voting ballot a
special value follow the voter ID instead of yes/no/abstain. In thiscasethevoteforthis
proposalwillbethesameasinthevotingballotofthecorrespondingdelegate.
The samerulesasforthefulldelegationareappliedhere.Ifthedelegatehasnotvotedfor
the proposal, it is considered as nonvoted by the original voter (so she would not receive the
reward).
The disposable delegation has a precedence over the full delegation, so if the voter
t t
includes follow the voter Delegatevj statementforsomeproposal,thevoteofthe Delegatevj

t
would be taken first. If Delegatevj has not voted, then the vote of the full delegate would be
takenintoaccount.

2.7.3.Rewardsdistribution

In the case ofdelegation,someportionofthevotingrewardisredirectedtothedelegates.
From one side, it incentivizes the delegate to vote more deliberately (so more voters want to
followher),fromtheothersideitpreventsthoughtlessdelegation.
There is a parameter 0 kDel 1 which defines the portion of the voting reward which
goes to the delegate ( kDel = 0.05 ). Recall from the section 2.4.2 Incentives that the reward
functionforavoterisdefinedas
(i)
vr (i) = pratev (i) V r(B ) vp (i) ,
vj j vj

where

pratev (i) isaparticipationrate(howmanyproposalswerevotedinrelationtothetotal
j

numberofproposals)
V r(B (i) ) isatotalvotingrewardfortheepochB (i)
vp (i) isthevotingpowerofthevoterv(i)
vj j
.

As far as one voter could have several delegates in a particular epoch (one full delegate
and several disposable delegates), we will define a set of delegatesfortheparticularvoter v j as
Delegatesvj = {Delegatev1j , ..., Delegatevnj } .
 If a voter made a delegation (either full or disposable), her reward function will be
definedasfollows:
n
vr (i) = (pratev (i) + pdratevt (i) (1 kDel )) V r(B (i) ) vp (i) ,
vj j t=1 j vj

where

t
pdratev (i) =
{
# p(i)
k
,sothatp(i)
k
vb(i) p(i)
v
j
(i)
k
vb(i)
Delegatevt

j
} .
j
#P
t
Literally speaking pdratev (i) is a portion of proposals, which where voted by the
j
t t
Delegatevj .NowitiseasytodefinetherewardoftheDelegatevj :
t t (i)
drv (i) = pdratev (i) kDel V r(B ) vp (i) .
j j vj

3.Technicalimplementationapproaches

It was proposed to integrate an architecture of the treasury system into the Ethereum
Classic platform. Inthissectionwebrieflypresentahighleveldescriptionoftheimplementation
options.

3.1.Coreconsensusimplementation

One possible solution is to change the consensus algorithm directly. A hardfork is

required to put forth necessary changes in block structure. All data related to voting need to be
includedintotheblocktogetherwiththeusualtransactions(forinstance,theycouldbecombined
intotheMerkletree).Blockvalidationrulesarealsochanged.


Fig.8Extendingblockwiththedatarelatedtovoting

The main disadvantage of this approach is that it requires a lot of changes for the
underlying consensus protocol (including block format, validation rules, etc.) which could be
difficultfortheexistingcryptocurrencysystemlikeEthereumC
lassic.

3.2.Smartcontractimplementation

Considering that Ethereum platform has apowerfulinternalsmartcontractsystemwitha

Turingcomplete scripting language, it becomes possible to implement a treasury system as a
special smart contract. In this case voters will communicate only with smart contracts whereall
datarelatedtovotingwillbestored.

 Fig.9Treasurysmartcontract

Suchapproachwillalsorequireahardfork,butwithonlyonesignificantchangethat
willincreaseamountoftheblockrewardandsendittothetreasurycontract.

4.Designrationale

In this section we provide design rationale for the architectural solutions which were
presentedabove.

4.1.Fundingepochanditssize

An important aspect while developing a treasury system with regular funding is the
duration of each funding period. The epoch duration should notbetoolarge,sothedelaybefore
proposal submission and payment is suitable for realworld applications on the other hand the
duration of an epoch should notbesmall,sothevoterswillhaveenoughtimetoreviewandvote
forallproposals,etc.
A period of 1 month is a wellestablishedvalueinpractice.Alotofdifferentactivitiesin
the financial world are bounded by the scope of 1 month. In the case of the treasury, it is also
appropriateforthefollowingreasons:
1. It allows to control a project execution on themonthlybasis.Forinstance,ifthereisa
longterm project, it would be reevaluated each funding epoch, and if the voters community is
not satisfied with results, they could stop funding. And that cutoff could be done on the early
stageswhenthefinanciallossesremainsmall.
2. One month is a quite long period, so the voters have enough time to make
wellconsidereddecisions.
3. The reward for voting is also paid at the end of the funding epoch, so voters do not
waittoolongfortheirrewards.

4.2.Blockchainbasedvoting

The only communicational channelintheproposedtreasurysystemisablockchainitself.

It means that all messages (e.g. deposits, proposals, voting ballots, delegation, etc.) are stored
directly in a form of special transactions. So the whole voting procedure is noninteractive and
doesnotrequiredirectcommunicationamongvoters.
Constructing the whole procedure on the blockchain gives great benefits over simple
message exchange via p2p network and keeping a separate voting database. It provides much
higher level of the general transparency and verifiability of the system, as well as allows full
verification without need of trusted parties. Everyone can easily check that the voting results
correspond to the genuine preference of the voters because all voting ballots could be
recalculated. Validity of the voters list could also be easily verified by checking oftherelevant
deposittransactions.
Blockchainvotingsatisfiesthefollowingdesirablevotingproperties[14,17]:
 1. Eligibility. With consistent chain ofblocksitisveryeasytocheckthatonlylegitimate
voters made their votes and only once. It could be done by checking that a deposit transaction
was made before the voting ballot is issued, and that here is only one voting ballot for a
particularvoter.
2. Fairness. Noearlyresultscanbeobtainedwhichcouldinfluencetheremainingvoters.
This is also true for the presented voting scheme because on the voting stage the only
commitments are submitted to the blockchain, so no one can see the results of other voters
duringthevotingstage.
3. Individual verifiability. A voter can verify thathervotewasreallycounted.Itiseasy
toseethatthispropertyalsoholdsforblockchainbasedvoting.
4.Universalverifiability.Thepublishedoutcomereallyisthesumofallthevotes.

4.3.Treasurysource

The only source of the treasury fund is theblockreward.Specifically,eachblockcreates

anextracoinfortreasuryproposals(uptoone,ifnotallcoinsarespent).
Now in Ethereum Classic each new block creates 5 new coins which are paid to the
miner.Withatreasurysystem,eachblockwillcreate6coins,sotheannualmoneysupplywillbe
increased by approximately 20%. Note that the inflation rate decreases from year to year,
becausethenumberofissuedcoinsisalwaysconstant,oppositetothetotalcoinsupply.
A number of coins issued for the treasury system waschosenwithrespecttothepriceof
the Ethereum Classic coin in a real market. At thetimeofwriting,thepriceof1ETCtokenwas
approximately US$1.32. It means that the total treasury monthly fund is estimated as
US$241000, from which US$193000aresupposedtobepaidforproposalsitself,andUS$48000
to voters as their reward. These values also provide sufficiently large safety margin forpossible
risksofdecreasingoftheETCexchangerate.

4.4.Votingprocess

4.4.1.Fixedproposalsandvoters

An important property of the developed voting scheme is that the sets of proposals and
voters are fixed before the voting begins. Such architectural solution reducespossiblemalicious
actions during the voting process (for example, it becomes impossible to inject a malicious
proposal at the end of voting stage and quickly accept it, so the other voters dont have enough
time to analyze and reject it). This also significantly reduces possible adversarial voting
strategiesandsimplifiesfurthertheoreticalanalysis.

2
AccordingtoUSDT/ETCpaironh
ttps://poloniex.com/exchange#usdt_etc

4.4.2.Secretballots

Secretballotsarethekeypointtoprovidefairnessproperty.Itiswidelyacceptedthatthis
property is very important for a good voting scheme [14, 17, Appendix A.3]. It guarantees that
nobody can gain any knowledge about the partial tally before the counting stage begins. The
knowledge of the partial tally could affect the intentions ofthevoterswhohasnotyetvotedand
givesthemanadvantagetomodifytheirvotingstrategyaccordingtoanewknowledge.
By providingfairnesspropertywithsecretballots,weguaranteethatallvotershaveequal
rightsandpossibilities.

4.5.Incentivesstructure

In section 2.4.2 Incentives we presented the paid role of voters in a treasury system.
The reward function forvotershasalsobeenpresented.Themainideaoftheincentiveschemeis
to involve in a votingprocedureareasonablenumberofhonestandrationalstakeholders.Onthe
other hand, a number of voters should be at least predictable, and it should not be too large, so
thecomputationalandstorageloadissuitablefortheblockchainsystem.

4.5.1.Expectednumberofvoters

Recallthatthetotalvotersrewardisdefinedasfollows:
(i) (i)
V r(B ) = kV r T r(B ) ,
where kV r is a portion of the treasury fund paid to voters. This reward is distributed amongall
voters according to their voting power and participation rate. Previously we mentioned that the
suitable value for parameter kV r is 0.2 which means that 20% of the monthly treasury fund is
paidtothevotersandtheremainderofit(80%)ispaidtowardstheproposals.
It is reasonable to assume that the stakeholders would deposit their stake only if an
interest rate is at least some value kM inReward . So the parameter kM inReward defines the annual
incomewhichismeasuredinaproportiontotheamountofthedepositedstake.
It is a highly nontrivial task that requires external complex economical analysis to
estimate the exact value of kM inReward which would be suitable for stakeholders, because it
depends on variety of different economic factors which are hardly predictable in the realworld.
Probablythemostinfluentialfactorisapricevolatilityrisks.
 From the real world examples3 we can assume that the minimal interest rate for the
cryptocurrency investors is about 10% of annual return. Given that, we have also taken
kM inReward = 0.1 asastartingpointinourcalculations.
As far as total reward of the voters per month is fixed by V r(B (i) ) , we can estimate the
total amount of reward per year. We will assume that a funding year consists of 12 funding
epochs (in reality it should be slightly less than 365 days because a funding epoch is equal to
approximately30days).GiventhatwehavethattheannualrewardAr isdefinedasfollows:
(i) (i) (i)
Ar(B ) = V r(B ) 12 = kV r T r(B ) 12 .
len
(i) (i)
RecallthattheT r(B ) = tr(bj ) = 185142 ,sofinally
j=1
(i)
Ar(B ) = kV r 185142 12 = kV r 2221704 coins.
Given that the stakeholders expect a returnofinvestmentsatleastatthelevelof10%per
year, we could easily count expected amount of stake E AS which would participate to keepup
thisrate:
(i)
k V r T r(B )12
E AS = k M inReward
= kV r 22217040 .
As it is known the coins supply in Ethereum Classic is equal to
60102216 (1.198 + 0.26 n) , where n isthenumberofyearsafterthegenesisblock[8].Atthe
time of writing total coins supply is approximately equal to 88,390,704. From this we can
evaluatepercentageofthetotalstakewhichisexpectedtobedeposited:
(i)
EAS k V r T r(B )12
E AS % = 88390704
100% = k M inReward 88390704
100% .
Sotherearetwomainparameterswhichhavesignificantinfluenceonthe E AS % :amount
of the block reward intended for the treasury,andtheportionofthetreasuryfundwhichisgiven
to voters.Adjustingthesetwoparameters,wecanfindabalancebetweenthetreasurysupplyand
theexpectedamountoftheparticipatingstake.

As we have already stated, the initial values of the mentioned parameters are taken as
follows:
kV r = 0.2 ,sothat20%ofthetreasuryfundgoestovoters
tr(b(i)
j
) = 1 ,sothat1newcoinperblockisissuedtotreasuryneeds.

3
In some sense, a similar incentive structure is used in the Dash cryptocurrency, where so called
masternodes deposit their stake, providesomeservice(includingvotingforproposals)andgetrewardfor
this [4,5]. As far as Dash has been deployed and is quite common (top 10 by Volume according to
http://poloniex.com) it is useful to see the real reward which is achieved. At the moment of writing, our
calculations show that the annual return of investments for Dash masternodes is approximately equalto
10%.Thesecalculationscloselyagreewithcalculationsprovidedonh
ttp://dashmasternode.org.
 Following that we have E AS % 8% which means that given such parameters we will
expect that8%ofthetotalstakewillparticipateinavotingprocedure4.Atthefirstglance,itmay
seem that participation rate is not high enough to secure the voting procedure, but recall that
these 8% of stake would decide on allocationofapproximately0.2%ofthetotalstake(issuedto
thetreasury)permonth.
An absolute number of voters will also depend on the minDepo which regulates the
minimal amount of the stake to be deposited. Adjusting this parameter, it is possible to
effectively regulate the total number of participants in a voting procedure. Taking
minDepo = 500 ,wecanestimatethemaximalexpectednumberofvoters(MENV):
EAS 4443408
M EN V = minDepo = 500 8886 voters.
Note that it is highly unlikely that all deposits would be on the minimal level of 500
coins.Sotheactualnumberofvotersshouldbelower.

4.5.2.55%attack

For the guaranteed control over the voting process, an attacker needstohave55%ofthe
voting power which is expectedtobeapproximately4.4%ofthetotalstakeinthesystem.Inthis
case, she will be able to push any malicious proposal up. Given that a profit from this action is
equal to 0.2% of the total stake per month, it follows that the attack is reasonable only if the
negativeimpactonthetokenspriceissmallerthan 0.2
4.4 100% = 4.5%.
Taking into account that any successful malicious actions are expected to significantly
impact the tokens priceandaswellasthedepositofanattacker(theexpectedpricedropismuch
morethan4.5%)itmakessuchattacksunreasonable.

4.5.3.Selfbalancedsetofvoters

A fixed amount of the totalrewardbringsanimportantpropertytothedevelopedsystem.

It becomes selfbalanced in terms of the amount of the participating stake (which consequently
will be reflected on the actual number of voters). It means that after the initial bootstrap, an
amount of the participating stake will reach some consistent value (we expect up to 8% of the
totalstake)andthenthisvaluemostlyholds.
If a significant amount of deposited stake is revoked, then it would automatically boost
up rewards for other voters. Overstated rewards,inturn,wouldattractnewstakeholderstomake
a deposit until finally the rewards reach a consistent value. The same argumentation also works
totheoppositeside,anditwillpreventfromtoomuchstaketobedeposited.

4
Weneedtomentionthattheexpectedparticipationratewilldecreasefromyeartoyear,aswellasthe
relativenumberofissuedcoinsduetocreationofnewcoinsforblockrewards.
 As system grows, it becomes more stable and reliable that accordingly increases the
E AS % value, as there are fewer risks for stakeholders, so they are able to accept lower interest
rate.

4.5.4.Freezingperiod

The rationale behind introduction of a freezing period tf reeze is to provide a mechanism
for restricting voters from malicious actions and incentivize them to make optimal choices. If a
voter acts maliciously,itwouldbeimmediatelyaffectthecoinspricethatrespectivelyreducesan
actualvalueofthedepositedstake.
So the voters are incentivized to act in such a way that it will at least preserve an entire
stability of the system and, accordingly, the tokens price. In reality, assuming that voters are
willingtoincreasetheirprofit,weexpectrationaldecisions.
Together with direct rewards for active participation, the freezing period creates a
wellestablished system for making optimal decisions regarding investments into different
proposals.

4.6.Electionrule

An election rule (voting system) is one of the main components of cryptocurrency

treasury system which should be chosen very carefully. There isabigvarietyofvotingsystems:
plurality voting, preferential voting, cardinal voting etc. [18, 19,20,21etc.]Theyhavedifferent
approaches and properties, but all of them try to meet the same goal to satisfy as much as
possible voters with election results. It is a difficult task because voters may act strategically
(stepping down their direct preferences) in order to increase likelihoodoftheirownsatisfaction.
Theanalysisofsuchbehavioriswithinthescopeofthegametheorymethods.
The voting systems comparison, usually, is based upon asetofspecificcriteria:majority
rule, Pareto condition, independence of irrelevant alternatives (IIA), Arrows impossibility
theorem, Condorcets method, Condorcet winner (loser) criterion, monotonicity criterion,
participation criterion etc. [22] However, there is no voting system that satisfies all criteria.
Furthermore, while choosing the election rule for a governance system, some other properties,
likeballotandcalculationsimplicity,lowvotingmachinecostsetc.shouldbetakenintoaccount.

4.6.1.Typesofvotingsystems

Therearethefollowingmaintypesofvotingsystems[ 21]:
pluralityvoting[18]
majorityvoting
 preferential(ranked)voting(Borda,STV,IRVetc.)[19,20]
cardinal(rated)voting(Approval,Range,Cumulative)[21].
Thesesystemsareessentiallyorientedtosinglewinnerelections,butmostofthemcanbe
alsousedinmultiwinnerelections.
A plurality voting system is a voting system in which each voter is allowed to votefor
only onecandidate,andthecandidatewhopollsmorevotesthananyothercandidate(aplurality)
is elected [18]. Plurality rule is also known as a simple majority (not absolute majority) rule. If
there are only two alternatives, then it is a very good procedure. However, for more than two
alternativesthepluralityvotinghasseveralproblems[ 18,21]:
the information on voter preferences isgetsignored(onlythemostfavoritecandidate
canbechosen)
thereisadispersionofvotesacrossideologicallysimilarcandidates
It encourages voters not to vote for their true favourite, if that candidateisperceived
tohavelittlechanceofwinning
encourages voters to voteforoneofthetwocandidatestheypredictaremostlikelyto
win, even if their true preference is neither, because a vote for any other candidate
willlikelyhavenoimpactonthefinalresult.
Plural voting is distinguished from a majority voting system, in which, to win, a
candidate must receive an absolute majority of votes (more votes than all other candidates
combined)[18].Majorityvotinghasalmostthesameproblemsaspluralityone.
Preferential or ranked voting describes certain voting systems in which voters rank
outcomes in a hierarchy on the ordinal scale. When choosing among more than two options,
preferential voting systems provide a number of advantages over plurality voting. One of the
main advantages is that election results will more accurately reflect the level of support for all
candidates.
There are many preferential voting systems: Instantrunoff voting (IRV) [19], Borda
count [23], Single transferable vote [24], Schulze method [25], an optimal singlewinner
preferential voting system (the GT system) based on optimal mixed strategies computation [26]
etc.
For example, IRV system has majority winners [19], but does not satisfy several criteria
(IIA, Condorcet winner and monotonicitycriteria)andhashigherprobabilityfortiesinelections
ascomparedtopluralityvoting[22].
Borda voting [23] system is simple, transparent and stable to small changes in rankings,
but it also does not satisfy several criteria (majority rule, Condorcet winner and clone
independencecriteria)[22].
The analysis made in [27] has revealed several defects ofpreferentialvotingwhichwere
formulatedasthefollowingfourparadoxes.
1. Noshow paradox. The addition of identicalballotswithcandidate x rankedlastmay
changethewinnerfromanothercandidatetox .
 2. ThwartedMajorities paradox. A candidate who can defeat every other candidate in
directcomparisonmajorityvotesmaylosetheelection.
3. MultipleDistricts paradox. A candidate can win in each district separately, yet lose
thegeneralelectioninthecombineddistricts.
4. Moreisless paradox. If the winner were ranked higher by some voters, all else
unchanged,thenanothercandidatemighthavewon.
Although the probabilities of these paradoxes seems to be very small, until their
estimationsreceived,aconcernaboutpreferentialvotingremains.
Furthermore, the Arrow's impossibility theorem [28,29] and the GibbardSatterthwaite
theorem [30] prove that any useful singlewinner voting system based on preference ranking is
prone to some kind of manipulation. It has been shown by the GibbardSatterthwaite theorem
thatanyrankedvotingmethodwhichisnotdictatorialmustbesusceptibletotacticalvoting.
Cardinal voting systems [20] are voting systems which allow a voter to give each
candidate an independent rating or grade from among at least two levels of approval. The
simplest possible cardinal system is approval voting, which allows only the two grades
approvedorunapproved.
According to [20], under any cardinal system, if a candidate is given the maximal score
for strategic reasons, the voter can still give that score also to all candidates whom she ranks
higher. It is more sincere and if it has any effect at all, it will have contributed to the win of a
candidate more preferred by the voter than her strategicchoice.Cardinalsystemsareconsidered
tobeequallysuperiortopluralityonesunderbothstrategicandsincerevoting.
Approval voting (AV) is a voting method that allows voters to approve any number of
candidates [31]. The winner isthecandidate(s)chosenbythelargestnumberofvoters.Approval
voting is most often discussed in the context of singlewinner elections, but variations using an
approvalstyleballotcanalsobeappliedtomultiwinner(atlarge)elections.
AVhasanumberofadvantages[32]:
simplicity
actualvotingprocessisquickandeasy
results are still easy to understand: a simple list of the candidates along with how
manyvotestheyreceived
tendstoelectcandidateswhowouldbeatallrivalsheadtohead
tendstoelectmoremoderatewinners
alternatecandidatesgetamoreaccuratemeasureofsupport
itisimmunetoP ushOver5andB urying6.

5
Pushover (also called mischief voting) is a type of tactical voting in which a voterranksaperceived
weakalternativehigher,butnotinthehopeofgettingitelected.
6
Burying is a type of tactical voting in whichavoterinsincerelyranksanalternativelowerinthehopeof
defeatingit.
 Under AV a voter can make a decision about candidates to vote for inthetwofollowing
ways[33]:
he divides all candidates into two groups: those she approves and those she
disapproves. There is no difference among candidates in each group (no one is
superiortoanyoneinthegroup).Suchvotingiscalleddichotomous.
shehassomepreferencelistP andshevotesaccordingtothislist.
There is no full analysis of strategic voting under AV. Most of existed AV analysis is
based on an assumption that the voters preference is simply dichotomous. However, the
dichotomous voting and voting according to an own preference list have quite different
properties. The complexity of AV analysis is defined by quite large set of outcomes (it is larger
thanpreferentialvotingone)[34]..
There is anumberofAVvariations.Themostknownaresatisfactionapprovalvotingand
YesNovoting.
Satisfaction approval voting (SAV) [35] is a voting system applicable to multiwinner
elections. It uses an approval ballot,wherebyvoterscanapproveasmanycandidatesastheylike
(no rankings). A voters satisfaction score is the fraction of her approved candidates who are
elected. If k candidates are to beelected,SAVchoosesthesetofkcandidatesthatmaximizesthe
sumofallvoterssatisfactionscores.
In YesNo voting each voter may vote yes, abstain, orvoteno,theoutcomeisyes
or no, and all voters play interchangeable roles. There are many rules of elections outcome
determination: absolute majority rule, qualified absolute majority rule, simple (or relative)
majorityrule,votingusingratioanddifferencequotas.

4.6.2.Avotingschemeforthetreasurysystem

The analysis shows there is no voting system which satisfies all the criteria: while some
of them does not satisfy IIA and Condorcet criterion, others Pareto property or monotonicity,
etc.
There is also no voting system which is completelyimmunetostrategicvoting.Cardinal
voting systems are considered to be less vulnerable to strategic voting compared with plurality
andpreferentialones[20].
Preferential voting appeared in contrast to plurality voting, and allows voter to express
her preference more accurately. However, the analysis of preferential voting systems hasshown
theyhaveanumberofparadoxesandarehighlyvulnerabletostrategicvotinganddictatorship.
AV has several advantages compared with the preferential one: simplicity, tendency to
elect more moderate winners, more accurate measure of support for alternate candidates etc.
There is no big reason to use range voting because of its complexity, but practically the same
properties as AV. Furthermore, the most known cryptocurrency treasury (governance) systems
use the AV modification YesNoAbstain voting: Dash [6], The DAO [7], Fermat [36] etc.
Thereby, we suppose that some of the approval voting options is the most suitable solution for
theETCtreasurysystem.
We also propose to use YesNoAbstain voting, so in our model each voter may vote
yes, no or abstain. Besides, we make voting depositweighted (the vote power is
proportional to deposit voter made). Like in Dash, the election outcome is determined using
difference quota: the alternative defeats the status quo if a number of yes votes exceeds a
numberofnovotesbyatleastsomespecifiedabsolutenumber,ordifferencequota,d .
Finally, the important difference between our voting system and classical YesNo voting
is that in our model (as in other cryptocurrency treasury voting systems) the numberofwinners
is dynamic andlimitedbytreasuryfundingreward.Actually,thisnumberdependsontheamount
of coins allocated for the treasury funding and amounts required by each winning proposal.
Obviously, such conditions should be taken into account in the formal analysis of the voting
system. We propose a new formal votingmodelwhichconsiderallmentionedmodificationsand
call it Fuzzy Threshold Voting(FTV).TheAppendixAcontainsthedescriptionandanalysisof
theproposedmodel.

4.7Computationalandstorageburden

It becomes very important for the developed system to estimate the introduced
computational overhead. In this section we show that the proposed system does not have a
significantimpactonthegeneralETCperformance.
First of all, we should mention that all ECTS transactions have a reasonable level of
computational complexity (or gas consumption, if it wouldbeimplementedasasmartcontract).
TheycouldbecomparedtothesimpletransfertransactionsinEthereum.
Thereareseveraltypesoftransactions:
1. Deposit/RevokeDeposit this typeoftransactionsarenotexpectedtobetoofrequent.
Once a stakeholder made a deposit, sheisabletoparticipateinavotingprocedureup
untilrevocation,soshedoesnotneedtodothisineachfundingepoch.
2. Delegate/RevokeDelegate thistypeoftransactionisalsoexpectedtoberare.Oncea
voter decided on her delegation, she does notneedtoresubmitdelegationtransaction
ineachfundingepoch.
3. Proposal ballot a special transaction for project proposal submission.Somenumber
of new proposals are expected in each funding epoch, but, from other
cryptocurrencies experience, it isunlikelythatthenumberofnewproposalswouldbe
morethanacoupleofdozens.
4. Commitments/Voting ballots these are the most frequent transactions because each
voter will submit one commitment and the corresponding voting ballot in each
fundingepoch.
 5. Payment onetime transaction at the end of each epoch which pays money to the
acceptedproposals.
Thus it can be seen that the computational burden highly depends on the number of
voters. From the previous section, we already know that thesetofvotersisselfbalanced,sothe
stable level of voter participation is expected during the normaloperation.Giventhatthereisan
economic constraint forthetotalamountofthedepositedstake,themaximalexpectednumberof
votersisestimatedasM EN V = 8886 (seesection4.5.1Expectednumberofvoters).
Let us assume that we have 8886 voters and 100 proposals (it is unlikely to have such
large number of proposals in the real world, but it is needed to estimate peak computational
overhead). Given that each voter can submit only one deposit and delegation transaction per
epoch,wecanestimatethemaximalnumberoftransactionsforafundingepoch(MNT):
M N T = 100 + 8886 4 = 35644 transactions.
Given that Ethereum Classic can handle up to 15 tps on average whichisapproximately
38, 8 106 transactions per funding epoch, we can calculate the transactions overhead (TO)
introducedbythetreasurysystem:
35644
T O% = 38,810 6 100% = 0.09% .

So it can be seen that even with an overestimated computational load, an impact of the
treasurysystemontheEthereumperformanceisnegligible.

4.8Directionsforfurtherdevelopment

In the process othe ECTS development, we took into accounttheexperienceoftheDash
Governance System (DGS), the most advanced practically deployed system ofsuchtype,which
effectivelyprovidesfundingforDashteamsinceSeptember2015.
From the analysis of voting history in the DGS (see Appendix B), it follows that the
voters (Dash Masternodes who take part in voting and issuetheirvotingballots)havehighlevel
of consensus on most proposals: for more than 72% of proposals approximately 90% of voters
provided the same opinion (most proposals were accepted or rejected by the overwhelming
majority).
Thus, we expect the high level of consensus among voters in the decision making inthe
ECTS. In addition to the delegation that is already proposed in ECTS, that can be used to
incentivize voting community to make decisions with high level of consensus and community
approval (providing additional personal responsibility of each voter for selection of proposals
thathavethemostcommunitysupport).
For deep effective implementation we can consider advanced cryptographic voting
protocols (see Appendix C) and threshold cryptography (see AppendixD)fortheverificationof
delegatesvoting.
Developmentofthisfunctionalityisplannedduringthenextstagesofresearch.

5.Attacksoverview

This section gives a brief overview of potential attacks on the proposedtreasurysystem.
As mentioned above, the current version of the report does not provide strict formal analysis,
gametheoreticproofs,etc.,leavingthatforthefurtherstagesofresearch.

Attacksonthetreasurysystemmayhavethefollowingobjectives:
1.Totakefullorpartialcontrolovertreasurycoinstoownthem(stealtreasurycoins).
2. To block treasury operation to prevent funding of cryptocurrency development (DoS
attack).

Obviously, if the attacker takes the full control and steals treasury coins, she blocks
treasury operation, so implementation of first type of the attack leads to automatic
implementationofthesecondone.
But approaches may exist where an attacker cannot steal treasury funds, but for some
purposeattemptstoblockcryptocurrencyfunding.

5.1Takingcontrolovertreasurycoins

5.1.1Directattacksonthevotingprocedure

All treasury information is included into the blockchain, so falsifying the winner
selectionprocedure(see4.2)mustbreakunderlyingcryptocurrencyconsensusprotocol.

5.1.2Influenceonthevotingprocess

Proposals and a list of voters are fixed and cannot be changed during thetreasuryepoch
(see4.4.1).
Ascomparedtodifferentvotingsystem,thechosenone(fuzzythresholdvoting)has
very goodpropertiestoexpresshonestmajorityopinion(maximizesgeneralsatisfaction
level)
less manipulative strategies for an attacker (with no paradoxical cases happening, as
e.g.,inthepreferentialvoting)
easily understandable without deep learning of specialized voting literature (for more
detailssee4.6).

 Ballots are committedsecretlyandopenedwheneveryvoterhasmadetheircommitment,
andthatsignificantlylimitsattackersstrategies.

Thus, the voting scheme is transparent and easily verifiable. Some properties of the
schemeareformallyanalyzedandprovedintheAppendixA).

5.1.3Takingcontrolovera"treasuryaccount"

The proposed treasury has no specific account for accumulating and redistributing of
funds for coreconsensusimplementation.Coinsaresentdirectlytoaccountsofproposalowners.
To organize a successful attack of this type, it is needed to take control over multiple accounts
breakingunderlyingcryptocurrency.

5.1.4Bribinginfluentialpartofvoters

An attacker and bribed participants must have sufficient amount of stake,andsuccessful
attacksleadtodecreasedcryptocurrencyexchangerate.Duetothedepositlockfor3months(see
2.4), the attack is expected to have a negative influence on theadversarialstake(withrespectto
somefiatcurrencythathasaconstantvalue).
The monthly treasury budget is significantly lower than the stakeneededtocontrolit,so
theexpectedlossesarehigherthanattackergains.
There is an economic incentive for an honest rational stakeholder to take part in the
treasuryvotingthathelpstohaves ufficientlylargeamountofhonestvoters(see4.5.3).

5.1.5Attackof55%

For a guaranteed control over the voting process an attacker needs to have over 55% of
the voting power, which is currently expected to be approximately 4.4% of thetotalstakeinthe
system. A successful attack decreases exchange rate, so expected losses of locked malicious
depositsarehigherthantheattackersgains(see4.5.2and5.1.4).


5.2Blockingthetreasuryoperation

5.2.1Issuinglargeamountofproposals

Each proposal has a fixed cost (5 coins in this proposal). Thus, to flood the system, an
attacker must burn the stake proportionally to theamountofherproposals.Moreover,thevoting
client software can easily sorts requests according to the requested funding, so flood proposals
wont interfere with honest proposals (or a DoS attack will require a budget comparable with a
moreexpensiveattackoftakingcontroloveralltreasurycoins).

5.2.2Creationofexcessivenumberofvotingaccounts

To become a voter, a stake hold deposit is needed (500 coins in this proposal).
Consideringasignificantreserveofvotingschemeperformance,thestakerequiredforthisattack
ishigherthanfortakingcontroloveralltreasurycoins.

5.2.3Generationofmanycommitmentsandopeningsfromeachvotingaccount

There is only one commitment per voter included into the blockchain (all the rest are
discarded by miners). Only one opening that strictly corresponds to thecommitmentisincluded
intotheblockchain.
Thus, the treasury architecture accepts only one commitment and opening per voting
account.
Together with this, there is a limited amount of delegation transactions (one per epoch)
thatalsopreventsanattackerfromsuccessfulattackimplementation.

6.Conclusions

The proposed Ethereum Classic Treasury System (ECTS) is intended to create

community controlled decentralized process for funding of cryptocurrency development and
furtherimprovement.

ECTS has acceptable computation and blockchain space load for the system, having no
significantinfluenceontheETCperformance.

Development funding is provided via regular coin transfers to accounts associated with
community approved proposals intended to solve tasks of cryptocurrency improvement and
maintenance.

The system is open and verifiable, so anyone can provide her proposal and trace any
decisionmadeinthesystem,uptothefullhistoryofanECTSoperation.

Selection of winners for funding among all proposals are made by ETC community
members,wholockedtheirstakeandincentivizedfortakingpartinanhonesttreasuryoperation.

The voting scheme chosen for ECTS (fuzzy threshold voting, FTV) hasadvantagesover
other voting schemes. It is also introduced the formal mathematical model of FTV, andsomeof
itspropertieswerealreadyproved.

Voters in ECTS have the ability to makedelegationtotrustedqualifiedparticipants(who

alsohavetheirownincentive).

Initial analysis found no attack on ECTS that allows attacker to increase her stake (an
attacker loses her funds even in a very unlikely case of taking full control over the treasury
system). Honest community participants always have the ability to interfere for future attack
prevention.
Thedetailedformalanalysisandproofsareplannedforthefurtherstagesoftheresearch.

We expect that the ECTS implementation will increase ETC stability and future
prospects, providing additional benefits both forstakeholdersandminersfromamorestableand
predictablesystem.

References

1. SatoshiNakamoto.Bitcoin:APeertoPeerElectronicCashSystem.
https://bitcoin.org/bitcoin.pdf
2. CryptoCurrencyMarketCapitalizationshttp://coinmarketcap.com/
3. R3CEVblockchainconsortium:presentstate.
https://www.linkedin.com/pulse/r3cevblockchainconsortiumpresentstatecarlorwde
meijer
4. TheRussianGovernmentisTestingBlockchainforDocumentStorage.
http://www.coindesk.com/therussiangovernmentistestingblockchainfordocumentst
orage/.
5. BlockchainTracker:GovernmentsTrustInBlockchain.
http://fintechranking.com/2017/02/04/blockchaintrackergovernmentstrustinblockchai
n/.
6. E.Duffield,D.Diaz.Dash:APrivacyCentricCryptoCurrency.
https://www.dash.org/wpcontent/uploads/2015/04/DashWhitepaperV1.pdf
7. Whitepaper:DECENTRALIZEDAUTONOMOUSORGANIZATIONTOAUTOMATE
GOVERNANCE.
8. D.Williams.TheDFINITYBlockchainnervoussystem.
https://medium.com/dfinitynetworkblog/thedfinityblockchainnervoussystema5dd17
83288e#.pwji0ajtf
9. EthereumWhitePaperh ttps://github.com/ethereum/wiki/wiki/WhitePaper
10. GavinWood.Ethereum:ASecureDecentralisedGeneralisedTransactionLedger.
http://gavwood.com/paper.pdf
11. DashGovernanceSystem:AnalysisandSuggestionsforImprovements.
https://iohk.io/research/papers/dashgovernancesystemanalysisandsuggestionsforimp
rovement/
12. DashGovernanceSystem:DashCoreTeamResponsetothereport"DashGovernance
System:AnalysisandSuggestionsforImprovement"
https://www.dash.org/wpcontent/uploads/2016/12/DashGovernanceSystemDashCore
TeamResponse.pdf
13. GillesBrassard,DavidChaum,andClaudeCrepeau,MinimumDisclosureProofsof
Knowledge,JournalofComputerandSystemSciences,vol.37,pp.156189,1988.
http://crypto.cs.mcgill.ca/~crepeau/PDF/BCC88jcss.pdf
14. StephanieDelaune,SteveKremer,andMarkRyan.Verifyingprivacytypepropertiesof
electronicvotingprotocols.JournalofComputerSecurity,17(4):435487,2009.
http://people.irisa.fr/Stephanie.Delaune/PUBLICATIONS/DKRjcs08.pdf
15. L.M.Goodman.Tezosaselfamendingcryptoledger.Whitepaper.
https://www.tezos.com/pdf/white_paper.pdf
16. L.M.Goodman.Tezos:ASelfAmendingCryptoLedgerPositionPaper.
https://tezos.com/pdf/position_paper.pdf
17. SvetlanaZ.Lowry,PoorviL.Vora.Desirablepropertiesofvotingsystems.
http://ws680.nist.gov/publication/get_pdf.cfm?pub_id=903961.
18. Plurality/majoritysystems.Accessmode:
https://www.mtholyoke.edu/acad/polit/damy/BeginnningReading/plurality.htm.
19. StevenHill.InstantRunoffVoting.Accessmode:
https://static.newamerica.org/attachments/4119instantrunoffvoting/NAF_10big_Ideas_
9.677a9863789b4a23bc356ed7940b5cb8.pdf.
20. ClaudeHillinger.TheCaseforUtilitarianVoting.
21. Votingproceduresandtheirproperties.Accessmode:
http://formal.iti.kit.edu/teaching/FormSys2SoSe2016/02socialchoiceB.pdf.
22. EricErdmann.StrengthsandDrawbacksofVotingMethodsforPoliticalElections.
Accessmode:
http://www.d.umn.edu/math/Technical%20Reports/Technical%20Reports%202007/TR
%202011/TR_2011_4.pdf.
23. PeterEmerson.TheoriginalBordacountandpartialvoting.
24. SingleTransferableVotehttp://www.electoralreform.org.uk/singletransferablevote
25. Schulze,Markus."Anewmonotonic,cloneindependent,reversalsymmetric,and
condorcetconsistentsinglewinnerelectionmethod."SocialChoiceandWelfare36.2
(2011):267303.
26. RonaldL.RivestandEmilyShen.AnOptimalSingleWinnerPreferentialVoting
SystemBasedonGameTheory.
27. PeterC.FishburnandStevenJ.Brams.ParadoxesofPreferentialVoting.Accessmode:
http://www.jstor.org/stable/2689808?seq=1#page_scan_tab_contents.
28. Arrow,KennethJ.ADifficultyintheConceptofSocialWelfare.Accessmode:
https://www.stat.uchicago.edu/~lekheng/meetings/mathofranking/ref/arrow.pdf.
29. Arrow,KennethJ.HandbookofSocialChoiceandWelfare.
30. AndrewC.Eggers.ASimpleProofoftheGibbardSatterthwaiteTheorem.Access
mode:h ttp://andy.egge.rs/papers/Eggers_GibbardSatterthwaite.pdf.
31. Brams,Steven,Fishburn,Peter."ApprovalVoting".
32. https://electology.org/approvalvoting.
33. Niemi,R.(1984).TheProblemofStrategicBehaviorunderApprovalVoting.The
AmericanPoliticalScienceReview,78(4),952958.doi:10.2307/1955800.
34. StevenJ.Brams,M.RemziSanver.CriticalStrategiesUnderApprovalVoting:Who
GetsRuledInAndRuledOut.
 35. StevenJ.Brams,D.MarcKilgour.SatisfactionApprovalVoting.Accessmode:
http://politics.as.nyu.edu/docs/IO/2578/SAV(July11).pdf.
36. Fermat,theInternetofPeopleandthePersontoPersonEconomy.
https://hackernoon.com/fermattheinternetofpeopleandthepersontopersoneconomy
ce933865a0b0#.e07m1vd9b.

AppendixA.VotingModelFuzzyThresholdVoting

A.1.Introduction

In this document, we introduce a mathematical model for a voting system which isused
mainly in cryptocurrencies [1]. We call it Fuzzy Threshold Voting (FTV). The word fuzzy
emphasizes that the set of winners in some cases may contain the candidates with lower scores
and may not contain the candidates with higher scores. This property is a result of the fact that
voting outcome depends not only on the scores of candidates (i.e. on their rankings in voters
ballots) but also on other factors budgets of corresponding projects (actually projects are the
candidates).This is the main difference of our voting modelincomparisonwiththeAV(asother
voting models) [211]. On onehand,thisisalsothemainproblemoftheFTVmodel,becauseall
existing theoretical analysis forvotingmodelsfailsinthiscase.Ontheotherhand,knowledgeof
projects budgets gives voters some additional information which helps them to make more
consideratedecisionsduringthevotingortoformmoreaccuratepreferences.
The proposed FTV voting model is considered to be some generalization of YesNo
votingmodelwithexpandedfeatures.
Twofactor dependence of the voting procedure anditsfuzzythresholdmakestheoretical
analysis of this model much more complicated. But in spite of this, wemanagedtoobtainsome
resultsthatmaybeconsideredanalogiesofthemainresultsfortheclassicalAVmodel[12,13].
In this part,inadditiontobuildingofanadequatemathematicalmodelforthenewvoting
system, we also analyzed its main properties, such as optimality (in some sense) of the voting
procedure, existence of admissible strategies, advantages of sincere voting and necessity of
secret voting. We also show that one of the unquestionable advantages of this model is the
Condorcet rule. It means that the Condorcet winner, or the obvious leader of voting, always
belongstothesetofwinners(except,maybe,someimprobablecaseofspecifictievoting).


A.2.DefinitionofFTVmodel

In what follows, we will mainly usetermsanddefinitionsfrom[12].Wedenoteby I the

finite set of voters and by X the finite set of projects (alternatives, candidates) and for some
nN : L(n) = { n, (n 1), ..., 1, 0, 1, ..., n 1, n}. The set L(n) contains allpossiblerankings
that voters may give to projects. We assume #I2 and #X2 . Every voter iI has a
preference over X expressed by an utility function ui : X R .Insomeparticularcases,wewill
(n)
assume that ui : X L , i.e. the set of possible preferences coincides with the set of projects
rankings. For example, Proposition 1.1. that shows the optimality of voting procedure in some
sense, is proved just with such restrictions. But theserestrictionsarequiteappropriateandmuch
closer to reality than, for example, in the Satisfaction AV model [14] or in the Proportional AV
model[15],becauseourmodelseriouslytakesintoaccountthepreferencelevelsofallvoters.
Given twoprojects x, y X ,thevoter i finds x atleastasgoodas y if ui (x)ui (y) .A
project x ishighin ui if forall y X ui (x)ui (y) .Wesaythat x islowin ui if forall y X
ui (x)ui (y) . We call ui null whenever i is indifferent among all alternatives,i.e. ui (x)ui (y)
for every x, y X . If ui is null, then every project is both low and high in ui . If ui isnotnull
then the projects that are higher in ui and those which are lower in ui form disjoint sets. We
assume that each project the voter likes has some positive rating in her preferences,and each
projectthevoterdislikeshassomenegativerating.
A ballot B i ofthevoter i isanypartitionoftheset X on 2n + 1 subsets H (l)
i
, lL(n) ,
whichsatisfythefollowingconditions:
1)H (l)
i
H (k)
i
= foranyl, kL(n) ,lk
(l)
2)lS H i = X .
NotethatoneormoreofsubsetsH (l)
i
,lL(n) ,maybeempty.
It follows immediately from this definition that the number of possible ballots (or the
numberofvotingstrategies)foreachvoterisequalto(#X)2n+1 .
When the voter i , iI ,castsballot B i = (H (i n) , ..., H 0i , ..., H (n)
i
) ,wesaythat i approves
the projects in H (l)
i
, where l > 0 , with the (positive) score l , abstains from the vote on the
0 (l)
projectsinH i andr ejectstheprojectsinH i ,wherel < 0 ,withthe(negative)scorel .
Foreachvoter i , iI ,whocastsballot B i = (H (i n) , ..., H 0i , ..., H (n)
i
) ,wedefineherscore
functionsi : X L ,wheresi (x) = l ifxH (l)
i
.
The FTV model is rather similar to the Approval Voting (AV) model, but also has some
essential differences. The first difference is in the definition of a ballot. In the AV model ballot
B i consistsofonlyapprovedcandidates,i.e.candidatesfrom H (l) i
forapositive l .Andallthese
candidates have the same rating intheballotinspiteofavoterspreferences.Wealsomaysay
(0)
that in the AV model n = 1 and H i = for each iI . /The other differences we will see
belowinthedefinitionofscorefunctionandinthedefinitionofvotingprocedure.
For the AV model, the following natural restrictions are usually made [12,13]torestrict
thesetofvotingstrategiesthatavoterissupposedtopossiblyuse:
1. It is supposed that voters use undominated strategies that are often called admissible
strategies and can be characterized as follows: if a voters preference is strict, she
approves her preferred candidate, she does not approve her worst candidate and no
constraintisimposedtoother,intermediatecandidates.
2. The other restriction is sincerity requirement, which imposes that when the voter
 approvesacandidate,shealsoapprovesallthecandidatesshestrictlypreferstothisone.
But our model is rather different from the AV. We wont restrict strategies in the same
way, but we will use some definitions of sincere voting for FTV. Let the voter i have some
definitepreferencesonthesetX ofallprojects.

Definition1.1.L etui : X L(n) .Wesaythatthevoteri votessincerely(inanarrow

sense)ifforanyxX theequalityholds:

(l)
ui (x) = l(x, H i ) ,
lL
where(a, A) = 1, if aA and(a, A) = 0otherwise .

Definition1.2.W esaythatthevoteri votessincerely(inawidesense)fortwoprojects

x, y X ,iftheinequality
ui (x) > ui (y)
(l) (j)
involvesinequalitysi (x)si (y) (orinvolvesxH i ,y H forsomelj ).

i

We say that the voter i votes sincerely (in a wide sense) if she votes sincerely for any
x, y X .

Definition 1.3. We will call the set B = (B i )iI of all ballots a ballot profile and for all
iI define B i := B B i = (B j ) . We will write B = (B i , B i ) whenever we wish to
jI{i}
highlight the dependency of B with respect to i th ballot. We refer to B i as a ballot profile
withouti.

ivenaprofileB ,thescoreofprojectxX is
Definition1.4.G

(l)
s(x, B ) = l#{iI : xH i } .
lL
NotethatintheAVmodelthescoreofcandidatexX isdefinedas
s(x, B ) = #{iI : xB i }
thenumberofballotsthatcandidatex belongsto.

Definition 1.5.Givenaprofile B ,wesaythattheproject xX isacceptablecandidate,

if
s(x, B )0.1I .
Inthismodelonlyacceptablecandidatesmaybethewinners.

Definition1.6.W esetsomepositivevalueM andwillcallthisvaluea commonbudget

givenforrealizationofprojectsfromthesetX .
For each project xX we set some positive value m(x) which is the budget of the
projectx .InwhatfollowswewillassumethatxX : m(x)M .
 esaythatsomesubsetS X exhauststhecommonbudgetM ifthe
Definition1.7.W
followingconditionshold:

1) m(x)M
xS

2)IfS X thenyXS : m(x) + m(y) > M .
xS
Given a ballot profile B , among all (acceptable) projects X = {xi }iI wehavetochoose
the set of winners (winning projects) W (B)X . On onehand,thewinnersmustbetheprojects
with the highest scores on the other hand, the set of winners must exhaust the common budget
M .ThelatterrestrictiondefinesonemoredifferencebetweenAVandFTVmodels.

Definition1.8.L
et#X = k and,givenaballotprofileB ,thesequences
x1 , ..., xk ,xi X ,(1)
isorganizedinasuchwaythat
s(x1 , B )...s(xk , B ) .(2)
Inwhatfollowswewillassumethat,givenaballotprofileB ,conditions(1),(2)hold.
To define the set W (B)X of winners (winning projects) we will use the following
(iterative)v otingprocedure:
1)x1 W (B) (3)
i1
2)fori = 2, k :xi W (B) m(xj )(xj , W (B)) + m(xi )M .
j=1

Note 1.1: according to the restriction xX : m(x)M fromthedefinition1.6andto

the part 1) of the voting procedure, its obvious that a Condorcet winner (if exists) always
belongstothesetofwinners(except,maybe,someimprobablecaseofaspecifictievoting).

Note 1.2: in the case of x, y X : s(x B )s(y B ) the conditions (3) define the set
W uniquely. But in the opposite case (like in our model) a tie voting may happen. In what
followsweassumethatinthecaseoftievotingsomefairprocedureisused.

We should emphasize that the FTV voting procedure (3) is the main difference of the
FTV model from the AV model, because intheFTVcasethesetofwinnersdependsnotonlyon
the scores of candidates, but also on their budgets, and the latter dependence is veryessential
in forming of the set of winners. This dependence involves a lotofdifficultiesinanalysisofthe
FTVmodel.
We suppose that voters vote secretly by casting ballots while the FTV model is used as
the outcome function. So we consider a normal form game where strategy set foranyvoter i is
the set of all possible ballots (partitions of X ). Hence aballotprofileBisalsoastrategyprofile
andtheoutcomeisthesetofwinningprojectsW (B)X .
As W (B) usually contains more than one project, our strategic analysis requires
knowledge of voters preferences over nonempty setsof X .Weassumethattiesoveroutcomes
are broken according to the Note 1.2, and that votes evaluate outcomes by expected
VonNeumann Morgenstern utilities. So the utility that voter i attaches to a set S of winning
projectsis

1
ui (S) = #S ui (x) .(4)
xS
Ideally, we wished tochoosetheset W (B) ofwinningprojectsinasuchwaythatthisset
wouldmaximizetheaverageoutcome

1
U (S) = #I ui (S) .(5)
iI
But,generallyspeaking,itisntsoforourvotingprocedure.
Nevertheless, we can give some conditions that are sufficient for W to maximize the
function(5).

Proposition1.1.
Let, given a ballot profile B and under conditions (1), (2), W = W (B) = {x1 , ..., xt } .
ThenunderFTVsincerevotingassumption(inthenarrowsense):
maxSX:St U (S) = U (W ) ,
i.e.theaverage(onallvoters)valueofsatisfactoryfunction,oraverageoutcome,takesits
maximalvalueonthesetofwinnersdefinedbythevotingprocedure(3).

Proof.
Rewritethefunction(5)using(4)inasuchway:

1 1 1 1 1
U (S) = #I ui (S) = #I ( #S ui (x)) = #I #S ( ui (x)) . (6)
iI iI xS xS iI
Its easy to see that under FTV sincere assumption and according to thedefinitionofthe
scoreofproject

ui (x) = s(x, B ) .
iI
Sowecanrewritetheexpression(6)as

U (S) = #I1 #S1 ( ui (x)) = #I1 #S1 s(x B ) .
xS iI xS
NowitsenoughtoprovethatforanyS X ,#S = f t ,S = {s1 , ..., sf } :
U (S)U (W ) .
AccordingtothedefinitionoffunctionU (S) ,thisisthesamethat
 f t
s(si ,B) s(xi ,B)
i=1
f
i=1 t
.(7)
DefineT = S W ,W = W S ,S = S W ,f = t + v and

1 = s(x, B ) ,2 = s(x, B ) ,3 = s(x, B ) .
xT xW xS
= z ,thenS
LetW = v + z .Nowwecanrewrite(7)inequivalentform:
1 +3 1 +2
t+v t ,
or
t1 + t3 t1 + v 1 + t2 + v 2 ,
or
t3 v1 + t2 + v 2 .(8)
According to the conditions of this proposition, W = {x1 , ..., xt } , so S{xt+1 , ..., xk } ,
where k = #X and for any xW and any y S : s(x B ) < s(y B ) . Also note that 1 consists
oft z items,2 consistsofz items,and3 consistsofv + z items.
Thenwecanestimatetheleftsideof(8)as
t3 t(v + z ) maxxSs(x, B )t(v + z ) minxW s(x, B ) .
Analogically,wecanestimatetherightpartof(8)as
v 1 + t2 + v 2 (tz + v (t z ) + v z) minxW s(x B ) = t(z + v ) minxW s(x B ) ,
and(8)holds,thentheequivalentinequality(7)alsoholds.

Corollary1.1.
Let,givenaballotprofileB andunderconditions(1),(2),W = W (B) = {x1 , ..., xt } .
Let also for any S X the following condition hold: if S exhausts the commonbudget
M ,thenSt .
The,undertheFTVsincerevotingassumption(inthenarrowsense):
maxSX,SexhaustsM U (S) = U (W ) .

This corollary means that under its conditions the set ofwinnerschosenaccordingtothe
votingmodel(3)isthebestchoicetosatisfyinaverageallvoters.

Note 1.3: Proposition 1.1 also holds when preferences of voters are proportional to the
elementsofL ,i.e.whenC > 0 ,iI ,xX :ui (x)CL = { C n, ..., C , 0, C , ..., C n} .

A.3.SomepropertiesofFTVmodel

Now we will discuss some properties of the AV model, that wed liketobetrue(atleast
with some modification) for the FTV model. First we give some basic properties ofthe AV
modelandwillshow,usingcounterexample,thatthispropertiesdonotrunfortheFTVmodel.
Then we will state some other properties, which may be considered, in some sense, as
analogsoftheAVmodelproperties,andwillprovethesepropertiesholdfortheFTVmodel.
Firstweneedsomemoredefinitionsfrom[12].

Definition2.1.F oranyvoteri withpreferenceui ,wesaythattheballotB i (w

eakly)
dominatestheballotB ifandonlyif
i

ui (W (B i , B i ))ui (W (Bi, B i ))
forallB i and
ui (W (B i , B i )) > ui (W (Bi, B i ))
forsomeB i .
Aballotisu ndominatedifandonlyifitisdominatedbynoballot.Following[13],we
alsocallundominatedballotsa dmissibleanduseeitherword.
ThefollowingpropositioncharacterizesadmissibleballotsfortheAVmodel.

Proposition2.1[12].
I. Ifui isnullthenallballotsareadmissibleforthevoteri .
II. Let the number of voters be at least three. If ui is not null then the ballot B i is
admissible for the voter i if and only if B i contains every candidate who is high
inui andnocandidatewhoislowinui .

Thepart(I)istrivialandfollowsdirectlyfromthedefinition.
The part (II) is of great interest. Roughly speaking,itclaimsthatitsbetterfor avoterto
vote sincerely, or according to her preferences, at least for the most preferable and for the
leastpreferableprojects.
Nowweshowthatthepart(ii),generallyspeaking,doesntholdfortheFTVmodel.

Counterexample2.1.
Let the set of voters I = {1, ..., 10} , the set of projects X = {x1 , ..., x7 , y } ,
L = { 2, 1, 0, 1, 2} ,andiI :ui (x)L .
DefinethecommonbudgetasM = 7 andtheprojectsbudgetsas
m(xi ) = 1 ,i = 1, 7 m(y) = 3 .
LetthepreferencesofthefirstvoterbedistributedaccordingtotheTableA.1:

TableA.1Preferencesofthefirstvoter
Project,xi x1 x2 x3 x4 x5 x6 x7 y
u1 (xi ) 0 0 0 0 1 1 1 2

Below we consider two options of voting for the first voter. In the first option she votes
sincerely for the mostpreferableproject y withtheballot B ,i.e.theproject y hasthehigher
1

rating in B1 (though it doesnt matter, but without loss of generality we may assume that she
also votes sincerely for other projects). In the second option she votes in an opposite manner
with the ballot B , where all projects except y have the same rating as in ballot B , and the
1 1
projecty hasthesmallestrating.AndwewillshowthatforsomeB 1 :
u (W (B , B )) > u (W (B , B )) .
1 1 1 1 1 1
Option1:votervotesfory accordingtoherpreferences.
(2)
ForballotB ,y H .
1 1

Let the other votes form the profile B 1 be such that in profile B = (B1, B 1 ) thescores
ofprojectsaredistributedaccordingtotheTableA.2.

TableA.2ScoresofprojectsundertheprofileB = (B , B ) 1 1
Project,xi x1 x2 x3 x4 y x5 x6 x7
s(xi , B) 8 7 6 5 4 3 2 1

InthiscaseW (B) = {x , ..., x , y } andu (W (B))
=2= 14
.
1 4 1 5 35
Option2:v otervotesfory againstherpreferences.
(2)
ForballotB 1 ,y H 1 .
Let the other voters vote as in the option 1 and their votes form the same profile B 1 .
Then in the profile B = (B 1 , B 1 ) the scores of projects are distributed according to the Table
A.3.

TableA.3ScoresofprojectsundertheprofileB = (B 1 , B 1 )
Project,xi x1 x2 x3 x4 x5 x6 x7 y
s(xi , B ) 8 7 6 5 3 2 1 0

InthiscaseW (B) = {x1 , ..., x7 } andu1 (W (B)) = 3
= 15
,i.e.u1 (W (B)) > .
u1 (W (B))
7 35
After this example one may conclude that, roughly speaking, sincerity isnt the best
strategy in this model. But below we will see that, nevertheless, there exists some sense tovote
sincerely.
Now we prove some statements for the FTV model that are particularly similar to the
propertiesoftheAVmodelprovedinProposition2.1.

Proposition2.2.
 I. (i)Ifui isnullthenallballotsareadmissibleforthevoteri .
II. (ii)IfforsomevoteriI andsomeprojecty X theutilityfunctionui
satisfiestheinequality

ui (y) ui (x) ,
xX{y}
(n)
thentheballotB i isadmissibleforvoteri onlyify H i .
III. (iii) If for some voter iI and some project y X utility function ui satisfies
theinequality

ui (y) ui (x) ,
xX{y}
(n)
thentheballotB i isadmissibleforthevoteri onlyify H i .

Proof.
(I)
Thepart(i)followsdirectlyfromthedefinition.

(II)
( n) (n) (n)
Consider a ballot B i = {H i , ..., H i } for which y H i . It means that for the ballot
(v)
B i , y H i for some nvn 1 . Let Bi be the ballot for which H i = H i {y} ,
(v) (v)

(n) (j)
H i = H i {y} andH i = H i forallj L{v, n} .WewillprovethatBi dominatesB i .
(n) (j)

Given any B i , all candidates except y have the same scores at (B i , B i ) and (Bi, B i )
while the score of y is raised by n v units at the latterballotprofile.Therefore,regardingthe
sets of winning projects Y = W (B , B ) and Y = W (B , B ) , the following three cases are
i i i i
exhaustive:
1)y Y ,y Y
2)y Y ,y Y
3)y Y ,y Y .
InthefirsttwocasesY = Y soui (Y ) = ui (Y ) .
Inthethirdcase,letY = {x1 , ..., xt } ,thenY = {x1 , ..., y , ..., xtl } forsome0 < lt 1 .
Weshowthatinthiscaseui (Y ) > ui (Y ) .Itssufficienttoshowthatforanyl ,0 < lt 1 ,
t tl
ui (xj ) ui (xj )+ui (y)
j=1 j=1
t
tl+1
. (9)
Define
 tl t t
1 = ui (xj ) ,2 = ui (xj ) , = ui (xj ) = 1 + 2 .
j=1 j=tl+1 j=1

Theinequality(9)isequivalenttotheinequality
(tl+1) 1 (tl+1) t 2 (tl+1)1 (l1)
ui (y) t 1 = t = t . (10)
Weestimatetherighthandpartofinequality(10):
2 (tl+1)1 (l1)
t

(tl+1) ui (x)+(l1) ui (x)
(tl+1)+1 (l1) xX{y} xX{y}
2 t t =

= ui (x)ui (y) ,
xX{y}

where thelatterinequalityholdsaccordingtotheconditionsofthetheorem.Soinequality
(10)holdsandsodoes(9).
NowwehavetoshowthatthereexistssomeprofileB i that
u (W (B , B )) > u (W (B , B )) .
i i i i i i
Let profile B i be such that exactly 0.1#I v 1 voters vote with y H 1 and
z H 0 for any z X{y} . All the remaining voters vote z H 0 for any z X . Then for
B = (B i , B i ) :
s(y, B ) = 0.1#I v 1 + v = 0.1#I 1
s(z, B ) = 0 ,foranyz X{y} ,
soW (B) = andui (W (B)) = 0 .
Atthesametime,forprofileB = (B , B ) :
i i
s(y, B) = 0.1#I v 1 + n0.1#I becausenv 1
s(z, B ) = 0 ,foranyz X{y} ,
= {y} andu (W (B))
soW (B) = u (y) .
i i

ThenunderprofileB ,u (W (B , B )) > u (W (B , B )) .Part(II)isproved.

i i i i i i i

(III)
( n) (n) (n)
Consider a ballot B i = {H i , ..., H i } for which y H i . It means that for the ballot
(v)
B i , y H i for some (n 1)vn . Let Bi be the ballot for which H i = H i {y} ,
(v) (v)

( n)
(j)
H i = H i {y} andH i = H i forallj L{v, n} .WewillprovethatBi dominatesB i .
( n) (j)

Given any B i , all candidates except y have the same score at (B i , B i ) and (Bi, B i )
while the score of y is decreased by n + v units at thelatterballotprofile.Therefore,regarding
the sets of winning projects Y = W (B , B ) and Y = W (B , B ) , the following three cases are
i i i i
exhaustive:
 1)y Y ,y Y
2)y Y ,y Y
3)y Y ,y Y .
InthefirsttwocasesY = Y soui (Y ) = ui (Y ) .
In the third case, let Y = {x1 , ..., xt } , then Y = {x1 , ..., y , ..., xtl } for some 0 < lt 1 .
Showthatinthiscaseu (Y )u (Y ) .Itsenoughtoshowthatforanyl ,0 < lt 1 ,
i i
t tl
ui (xj ) ui (xj )+ui (y)
j=1 j=1
t
tl+1
.(11)
Define
tl t t
1 = ui (xj ) ,2 = ui (xj ) , = ui (xj ) = 1 + 2 .
j=1 j=tl+1 j=1

Theinequality(11)isequivalenttoinequality
(tl+1) (tl+1)1 t 2 (tl+1)1 (l1)
ui (y) t 1 = t = t . (12)
Estimatetherightpartofinequality(12):
2 (tl+1)1 (l1)
t

(tl+1) ui (x)(l1) ui (x)
(tl+1)1 (l1) xX{y} xX{y}
2 t t =

= ui (x)ui (y) ,
xX{y}

wherethelastinequalityholdsaccordingtotheconditionsofthetheorem.
Soinequalities(11),(12)hold.
NowwehavetoshowthatthereexistssomeprofileB i that
u (W (B , B )) > u (W (B , B )) .
i i i i i i
Let profile B i be such that exactly 0.1#I + n 1 voters vote with y H 1 and
z H 0 foranyz X{y} .Alltheremainingvotersvotez H 0 foranyz X .
= andu (W (B))
ItiseasytoseethatinthiscaseW (B) = 0 .
i
Atthesametime,W (B) = {y} andui (W (B)) = ui (y) ,so
u (W (B , B )) > u (W (B , B ))
i i i i i i
andpart(III)isproved.

Proposition2.3.
Let ui be not null. Let for some x, y X with ui (x) > ui (y) the voter i vote sincerely
withtheballotB i suchthatsi (x) > si (y) .Then:
1) if ui (x) > 0 , then there exists a profile B i such that for any ballot Bi with
si (x) < si (y) :
 ui (W (B i , B i )) > ui (W (Bi, B i )) (13)
2) if ui (x)0 , then there exists a profile B i such that for any ballot Bi with
si (x) < si (y) :
u (W (B , B ))u (W (B , B )) ,(14)
i i i i i i
andforsomeBi withsi (x) < si (y) :
ui (W (B i , B i )) > ui (W (Bi, B i )) .(15)

Proof.
LetintheballotB i :si (x) = a ,si (y) = b (a > b) .
Considerthecasewhenui (x) > 0 .
LetprofileB i besuchthatexactly0.1#I a votersvotewithx, y H 1 andz H 0
foranyz X{x, y } .Alltheremainingvotersvotez H 0 foranyz X .
ThenforB = (B i , B i ) :
s(x, B ) = 0.1#I a + a = 0.1#I
s(y, B ) = 0.1#I a + b < 0.1#I ,
so
W (B) = {x}
and
ui (W (B)) = ui (x) .
Let now B be any other ballot with s (x) < s (y) . Let s (x) = c , s (y) = d . Define
i i i i i

B = (Bi, B i ) .
Then:
W (B) = {{x, y }, if ca {y}, if c < aandda {}, if d < a}. (16)
In all cases from (16), ui (W (B)) < u (W (B)) , because of conditions u (x) > 0 and
i i
ui (x) > ui (y) (wesetui () = 0 ),andinequality(13)isproven.

Considernowthecasewhenui (x)0 .
Let profile B i be such that exactly 0.1#I a 1 voters vote with x, y H 1 and
z H 0 foranyz X{x, y } .Alltherestvotersvotez H 0 foranyz X .
ThenforB = (B i , B i ) :
s(x, B ) = 0.1#I a 1 + a < 0.1#I
s(y, B ) = 0.1#I a 1 + b < 0.1#I ,
so
W (B) =
and
ui (W (B)) = 0 .
 LetnowBi beanyotherballotwithsi (x) < si (y) andsi (x) = c ,si (y) = d .Thenfor
profileB = (B , B ) thereexistthefollowingoptions:
i i
= {{x, y }, if c > a {y}, if caandd > a {}, if da}. (17)
W (B)
In the first two cases from (17), u (W (B)) < u (W (B)) , and in the third case
i i
= u (W (B)) .Theinequalities(14),(15)areproven.
ui (W (B)) i

A.4.Thenecessityofsecretballots

Now let us see how significant is to keep the results of the voting secret till the end of
voting procedure. Belowwedescribethesituationwhenthevoter i ,whovotesthelast,canfully
change the set of winners, especially knowing the profile B i with all other votes. One can
constructalotofmorecomplicatedexamplesthatinvolvethesameresult.
In whatfollowsforsome xX wewilldenote s(x, B i ) thescoreofproject x underthe
profile B i and W (B i ) the set of winners under profile B i , i.e. the set of projects that won
accordingtothevotingprocedure(3)whentheirscoresares(x, B i ) .

Proposition3.1.
There exists such profile B i , such ballot B i and such budgets distribution
m = {m(xi ), iI} ,that
W (B i ) W (B i , B i ) =
(i.e.avoteri ,votingwithB i ,cancompletelychangethesetofwinners).

Proof.
Toprovethestatementitssufficientgivetherelevantexample.
Let l = 1 and under profile B i the sequencesofprojects(indescendingorderbyscore)
be
x1 , ..., xn
andthebudgetsdistributionbe:
m(x1 ) = 0, 5 M , m(x2 ) = M , m(x3 ) + ... + m(xk ) = 0, 5 M forsomekn .
Then under the assumption that all candidates x1 , ..., xk are acceptable and under the
profileB i thesetofwinnersis
W 1 = W (B i ) = {x1 , x3 , ..., xk } .
(1) ( 1) (0)
Assume that theballot B i issuchthat H i = {x2 } , H i = {x1 } and H i = X {x1 , x2 } .
ThenW 2 = W (B i , B i ) = {x2 } .
These two sets of winners W 1 and W 2 arecompletelydifferentthat W 1 W 2 = and
thestatementisproved.
 So even only one voter (which knows all other ballots) can cardinally change the set of
winners. Of course its much more easier to do this when she knows the rest of the voters
ballots.

A.5.Conclusions

We gave a formal description of the used voting system in ECTS as well as initial
analysis of its properties. We call this system Fuzzy Threshold Voting. The main results are the
following:
1. We presented mathematical modelfortheFTVvotingsystem.Themaindifferenceof
this system from the YesNoAbstain voting system is that the voting procedure
depends not only on the scoreofcandidatesbutalsoonsomeotherfactor.Inourcase
thisfactorisanamountofmoneyrequestedbyeachproposal.
2. We demonstrated that the presented FTV system satisfies one of the most important
propertiesforthevotingsystemstheCondorcetcriterion.
3. Weprovedseveralstatementsregardingpossiblevotingstrategies.
4. We analyzed the importance of secret voting and demonstrated that even a single
voter can completely change the set of winners if she knows voting ballots of other
voters.

A.6.References

[1]E.Duffield,D.Diaz.Dash:APrivacyCentricCryptoCurrency.Whitepaper.
https://www.dash.org/wpcontent/uploads/2015/04/DashWhitepaperV1.pdf
[2]A.Gibbard.ManipulationofVotingSchemes:AGeneralResult.
http://courses.math.tufts.edu/math19/duchin/gibbard.pdf
[3] Brams, Fisburn. Going from Theory to Practice: The Mixed Success of Approval
Voting.
http://www.nyu.edu/gsas/dept/politics/faculty/brams/theory_to_practice.pdf
[4] J. Laslier. Strategic Voting in MultiWinner Elections with Approval Balloting: A
Theory for Large Electorates.
http://www.barcelonaipeg.eu/wpcontent/uploads/2015/09/rationalcommitteeapproval_v2_2016
_04_13.pdf
[5] Niemi, R. (1984). The Problem of Strategic Behavior under Approval Voting. The
AmericanPoliticalScienceReview,78(4),952958.doi:10.2307/1955800
[6] Ottewell, Guy (2004) [1987]. "ArithmeticofVoting".UniversalWorkshop.Retrieved
20100508.
http://www.universalworkshop.com/ARVOfull.htm
 [7]RemziSanver,JeanFrancoisLaslier.Thebasicapprovalvotinggame.
https://halshs.archivesouvertes.fr/hal00445835/document
[8]D.Baumeisteret.al.ComputationalAspectsofApprovalVoting.
ftp://ftp.cs.rochester.edu/pub/papers/theory/09.tr944.Computational_Aspects_of_Approv
al_Voting.pdf
[9]E.Erdmann.StrengthsandDrawbacksofVotingMethodsforPoliticalElections.
http://www.d.umn.edu/math/Technical%20Reports/Technical%20Reports%202007/TR
%202011/TR_2011_4.pdf
[10] S. Park, R. Rivest. Towards Secure Quadratic Voting.
https://eprint.iacr.org/2016/400.pdf
[11]F.Maniquet,P.Mongin.ApprovalVotingandArrowsImpossibilityTheorem.
http://www.isid.ac.in/~pu/seminar/30_11_2011_Paper.pdf
[12] JeanFranois Laslier, M. Remzi Sanver (2010) The Basic Approval Voting Game.
Palaiseau,France
[13]Brams,SJandPC.Fishburn(1983)ApprovalVoting.Boston:Birkhuser.
[14] Brams,S.J.,&Kilgour,D.M.(2014).Satisfactionapprovalvoting.InVotingPower
andProcedures(pp.323346).SpringerInternationalPublishing.
[15]https://arxiv.org/ftp/arxiv/papers/1602/1602.05248.pdf

AppendixB.Dashvotingstatistics

The purposeofthisanalysisistoclarifysomestatisticsonmasternodesparticipationina
votingprocess.Themainideaistogetvotingparticipationrate.
As far as proposals data are not included into the blockchain, we found it appropriate to
use https://www.dashninja.pl [1] since it is mentioned on the Dash official website as a source
thatprovidesbudgetinformation.

Fig.B.1Proposalssortedbyvotingparticipation

Fig.B.1:thevaluesonthexaxisshowthepercentageofstakeholderswhichtookpartin
voting. On the Yaxis is the number of projects which havethecorrespondingparticipationrate.
It can be seen that the average participation rate is around 15% which isclosetotheacceptance
barrierof10%.


 Fig.B.2Acceptancerate

Fig. B.2 shows statistics regarding the acceptance rate.OntheXaxisthereistheratioof
Yes votes to the total number of votes for the project ( #Y #Y es
es+#N o
). Yaxis showsthenumberof
projects which have the corresponding acceptance rate. It can be seenthatmostoftheproposals
haveunanimoussupportamongvoters.

References

1. https://www.dashninja.pl/budgets.html
2. https://www.dashcentral.org/

AppendixC.EVotingprotocols

Electronic voting systems in terms of existence of trusted authorities can bedividedinto

two classes: centralized and decentralized systems. In decentralized systems the votingprotocol
is run by voters themselves, while in centralized systems the trusted authorities are involved in
administrationofthevotingprocess[1].
Existence of trusted third parties significantly facilitates computational complexity of a
protocol, but decreases its security level [2]. In decentralized systems, such as blockchain,
absence of trusted parties seems to be especially desirable, because otherwise it leads to some
kindofcentralization.
Regardless the voting system class, there are specific properties which are known to be
desirableforanyvotingsystem[1,3].Themainonesare:
Eligibility:o nlylegitimatevoterscanvote,andonlyonce
Fairness:n oearlyresultscanbeobtainedwhichcouldinfluencetheremaining
voters
Individualverifiability:avotercanverifythathervotewasreallycounted
Universalverifiability:thepublishedoutcomereallyisthesumofallthevotes
Voteprivacy: the fact that a particular voter voted in a particular way is notrevealedto
anyone
Receiptfreeness: a voter does not gain any information(areceipt)whichcanbeusedto
provetoacoercerthatshevotedinacertainway
Coercionresistance: a voter cannot cooperate with a coercer to prove to him that she
votedinacertainway
Robustness: ensures that the voting system can tolerate a certain number of faulty
participants.

Inadditiontotheaboveproperties,threeadditionalonesweredefinedin[1]:
DisputeFreeness: the fact that participants follow the protocol at any phase can be
publiclyverifiedbyanycasualthirdparty,thusnodisputesbetweenplayerscanarise
SelfTallying: the postballotcasting phase can be performed by any interested third
party
Perfect Ballot Secrecy: ensures that knowledge of the partial tally oftheballotsofaset
of voters (beyond what is known andcomputedtriviallybymerelyhavingthefinaltally)
isonlyaccessibletothecoalitionofallremainingvoters.

Accordingto[4,5,6],themostwellknowndecentralizedvotingprotocolsare:
KiayiasYungprotocol[1]
Grothsprotocol[4]
 HaoRyanZielinskiprotocol[5]
KhaderSmythRyanHaoprotocol[6].
Each of these protocols uses the homomorphic cryptosystem, whose securityisbasedon
theDecisionalDiffieHellman(DDH)assumption.

The Kiayias and Yung (KY) protocol has the following features: it is selftallying it
provides the maximum protection of the voters privacy it is disputefree it has only 3 rounds.
The downside of this protocol, is the heavy computational load for each voter which increases
linearlywiththenumberofvoters[5].

The Groths protocol has a reduced computational loadpervoterincomparisonwithKY
protocol. The computational load for each voter is small enough and remains constant
irrespective of the number of voters. But Groths protocol design trades off roundefficiencyfor
less computation, and it requires n + 1 rounds, where n is the total number of voters [5]. This
seemstobeworsethantheconstantnumberofthreeroundsintheKYprotocol.

The Hao, Ryan & Zielinski (HRZ) protocol has the same features which werelistedfor
KY protocol. Moreover, it has even smaller number of rounds, which is 2. Additionally it hasa
small computational complexity per voter similarly to the Groths protocol. However, this
scheme is neither robust nor fair. In particular,asinglevotercanpreventtheelectionresultfrom
being announced, and the last voter can cast her vote with full knowledge of the election result
[6].

The KhaderSmythRyanHao protocol (KSRH) is based on the HRZ protocol,butithas
a recovery round, similarly to the KY protocol. This round enables the election result to be
announced if some subset of voters abort, thus providing robustness.Besidesthis,anadditional,
commitment,roundwasaddedtoensurefairness[6].

Each of the given protocols supports almost all desired properties listed above (it had
been proved by authors of these protocols [1, 4, 5, 6]) except for the coercionresistance and
contradictory robustness and perfect ballot secrecy (PBS) properties. The lack of
coercionresistance seems to be specific for all evoting protocols without trusted authorities
(such conclusion can be derived from [3]). As to robustness and PBS, according to [1], a
selftallyingschemecannotberobustandsupportprivacy(insenseofPBS)atthesametime.

Groths and HRZ protocolsbothsatisfythePBSproperty,buttheydonothaveanyphase
similar to the corrective fault tolerance round in the KY protocol, or the recovery round in the
KSRH protocol. Hence, Groths and HRZ protocols are not robust, because they only are to be
restarted if at leastoneregisteredvoterdidn'tcastherballot.Withoutafullsetofballotsfromall
registeredvotersanelectionoutcomecan'tbetallied,andthisiswhatthePBSpropertyabout.
Thus, the recovery rounds, supported by KY and KSRH protocols, provides robustness
together with PBS property. Authors of the KSRH protocol noticed, that if a voter decides that
some set of voters is too small to maintain privacy, then she can decide not to jointherecovery
round and abort in this case, the voter obtains an assurance of ballot secrecy (under the DDH
assumption), but her vote is not included in the tallying procedure, that is, her vote isdiscarded
[6].
The main distinction (from the application viewpoint) between KY andKSRHprotocols
consists in their computational load, as it can be seen from Table C.1 (n is a total number of
voters)[5,6].

TableC.1Protocolscomparisonbycomputationalloadpervoter
KY Groth's HRZ KSRH

Rounds 3 n+1 2 3

Exponentiations 2n+2 4 2 2

Multiplications n+1 n+3 n+1 n+1

ZKPfordiscretelog n+1 2 1 1

ZKPforequalityofdiscretelogs n 1 0 0

ZKPfor1ofkdiscretelogs 1 1 1 1

It is obvious, that KSRH protocol has much smaller computational load per voter, than
KY protocol. Complexity of HRZ and KSRH protocols can be evaluated as O(n) due to the
number of multiplications in finite field. But it is known, that the computational cost of
multiplications is usually negligible in contrast to exponentiations [7]. So, for relatively
smallscaled elections, where the number of multiplications is also small, the complexity is
almostconstantforbothprotocols.
The complexity of the recovery round is equal in KY and KSRH protocols, and is
proportional to the number of absentees: O(a) computations per voter are required for the a
absent voters. Table C.2 demonstrates a computational load per voter during recovery round of
KYandKSRHprotocols.

TableC.2Recoveryroundscomparisonbycomputationalloadpervoter
 KY KSRH

Exponentiations 1 1

Multiplications a a

ZKPforequalityofdiscretelogs 1 1

Each of described protocols has an assumption of existence of a oneway authenticated

broadcast channel with memory. This assumption was made for tworeasons:todetectanyvoter
casting more than one vote and to ensure that only eligible voters can vote [6]. Concerning the
blockchainbaseddecentralizedsystems,theblockchainitselfcanbeusedassuchachannel.

Conclusion

Summarizing the review of decentralized voting protocols, it can be said, that according
to the described properties the KSRH protocol looks like the mostsuitableforblockchainbased
decentralizedsystems.
While supporting main security properties, which are desirable for voting systems, the
KSRH protocol is also robust due to presence of the recovery round. This round enables
remaining voters to tally the election outcome, when some subset of voters aborted protocol
execution on the halfway. A similar round is presentintheKYprotocol.Butthemaindrawback
of the KY protocol is its high computational load per voter, which grows linearly with the
numberofvoters.
Among protocols considered the KSRH has the lightest computational load per voter
(except for the HRZ protocol, which has only 2 rounds 3rd roundforcommitmentswasadded
to the KSRH protocol to satisfy fairness property, which the HRZ protocol doesntsatisfy).The
only computation, which depends on the number of voters, is multiplication of elements in a
finite field, which, in turn, has the smallest computational cost comparing to other operations
used in protocols. The 106 of multiplicationscantakeaboutfewsecondsonmodernCPU,sothe
number of voters can be quite large. The main limiting factor here can be a throughput of
decentralized network, which must be necessarily considered during estimation of the maximal
numberofvoterssupportedbythevotingsystem.
Considering the proposed treasury system, none of existing evoting protocols can be
used. Any such protocol satisfies the voteprivacy property, whilecurrent,commitrevealbased,
voting scheme in the proposed treasury system utilizes the public voting advantages (according
tothe[8]).

References
1. Aggelos Kiayias and Moti Yung. Selftallying elections and perfect ballot secrecy. In
David Naccache and Pascal Paillier, editors, PKC 2002: 5th International Workshop on
Theory and Practice in Public Key Cryptography, volume 2274 of Lecture Notes in
ComputerScience,pages141158.Springer,February2002.
2. Anderson R. J.: Security engineering : a guide to building dependable distributed
systems(Wiley,NewYork,2008,2ndedn.)
3. Stephanie Delaune, Steve Kremer, and Mark Ryan. Verifying privacytype properties of
electronicvotingprotocols.JournalofComputerSecurity,17(4):435487,2009.
4. Jens Groth. Efficient maximal privacyinboardroomvotingandanonymousbroadcast.In
InternationalConferenceonFinancialCryptography,pages90104.Springer,2004.
5. Feng Hao, Peter Y. A. Ryan,andPiotrZielinski.Anonymousvotingbytworoundpublic
discussion.IETInformationSecurity,4(2):6267,2010.
6. Dalia Khader, Ben Smyth, Peter Y. A. Ryan, and Feng Hao. A fair and robust voting
system by broadcast. In 5th International Conference on Electronic Voting 2012,
(EVOTE 2012),CoorganizedbytheCouncilofEurope,GesellschaftfurInformatikand
EVoting.CC,July1114,2012,CastleHofen,Bregenz,Austria,pages285299,2012.
7. Felix Brandt. Efficient cryptographic protocol design based on distributed El Gamal
encryption. In Dongho Won and Seungjoo Kim, editors, ICISC, volume 3935ofLecture
NotesinComputerScience,pages3247.Springer,2005.
8. Morton, Rebecca and Kai Ou. 2013. The Secret Ballot and Ethical Voting. Working
Paper.


Appendix D. Threshold Cryptography and its Application to
SecureVoting

D.1.ThresholdCryptosystems.BasicIdeas

A threshold cryptosystem allows any t < n participants from a group of n users tosign
(decrypt) a message. In threshold schemesthesecretkeyisdistributedamong n partieswiththe
helpofatrusteddealerorwithoutitbyrunningasecretsharingprotocolamongallparties.
A threshold signature means that to sign a message M any subset of at least t parties
can use their shares of the secret and execute a signature generation protocol. The protocol
output is a signature of M that can be verified by anybody using the unique fixed public key.
There is a number of thresholdsignatureschemesdescribedintheliterature,themostknownare
the threshold signatures based on RSA [1], DSS [2], elliptic curves [3,4] and bilinear pairings
[5]. These threshold schemes are robust, i.e. there is an assumption that t participants could
create a valid signature in presence of maliciousparties[6].Thegoalistoallowanysubsetofat
least t parties to jointly reconstruct a secret and perform the computation while preserving
security even in the presence of an active adversary which can corrupt up to t (a threshold)
parties[6].
Threshold encryption means that to decrypt a message C anysubsetofatleast t parties
can use their shares of the secret and execute a decryption protocol. The fixed public key is
available to all users and any user can encrypt a message M using the public key. The most
knownthresholdencryptionsschemesbasedonRSA[7]andElGamal[8]encryption.
An important property of threshold schemes is robustness, which requires that even t
malicious parties that deviate from the protocol cannot prevent it from generating a valid
signature(decryptamessage).
Choosing a threshold scheme that can be used in a cryptocurrency treasury system we
assume it provides distributedsecretsharingandissufficientlyeffectiveforaquitelargenumber
ofparticipants.

D.2.DistributedKeyGenerationProtocols

In discretelog based schemes, a distributed key generation consists in generation of the

common secret key x (using secret sharing scheme) and obtaining of the common public key
y = g x . In[9]authorsrefertosuchprotocolasDKG.
 A DKG protocol may be run in the presence of a malicious adversary who corrupts a
fraction(orthreshold)oftheplayersandforcesthemtofollowanarbitraryprotocolofherchoice
[9]. There is a number of solutions for the shared generation of private keys for discretelog
based threshold cryptosystems. The first DKGschemewasproposedbyPedersenin[10].Itthen
appeared,withvariousmodifications,inseveralpapersonthresholdcryptography.

D.2.1.PedersensDKG(JointFeldman)Protocol

The Pedersens DKG protocol is the first keygenerationprotocolwithoutatrustedparty.

In [11] Feldman proposed his verifiable secret sharing (VSS) protocol which allows to share a
secret key x among n parties with the help of atrusteddealer.ThebasicideaofthePedersens
protocol [10] is to have n parallel executions of Feldmans verifiable secret sharing (VSS)
protocol [11] in which each player P i acts as adealerofarandomsecretthatshepicks[9].The
secretvaluex istakentobethesumoftheproperlysharedvalues.
A simplified version of the Pedersens DKG protocol is described in [9] and its called
theJointFeldmanprotocol.ThedescriptionoftheJointFeldmanprotocolispresentedbelow.
1.EachplayerP i choosesarandompolynomialf i (z) overZ q ofdegreet :
f i (z) = ai0 + ai1z + ... + aitzt .
P i broadcastsAik = g aik modp fork = 0, ..., t. Denoteai0 byz i andAi0 byy i .
Each P i computes the shares sij = f i (j)modq for j = 1, ..., n and sends sij secretly to
playerP j .
2. Each P j verifies the shares she received from the other players by checking for
i = 1, ..., n :
t
jk
g sij = (Aik ) modp. (1)
k=0
Ifthecheckfailsforanindexi, P j broadcastsacomplaintagainstP i .
3. If more than t players complain against a player P i , that player is clearly faulty and
she is disqualified. Otherwise P i reveals the share sij matching Eq. 1 for each complaining
player P j . Ifanyoftherevealedsharesdoesnotsatisfythisequation, P j isdisqualified.Theset
QU AL isdefinedtobethesetofnondisqualifiedplayers.

4.Thepublicvaluey iscomputedasy = y i modp.
iQU AL

ThepublicverificationvaluesarecomputedasAk = Aik modp fork = 1, ..., t.
iQU AL

EachplayerP j setshershareofthesecretasxj = sij modq.
jQU AL

The secret shared value x is not computed by any party, but it is equal to

x= z i modq.
iQU AL

This protocol was widely used for a long time until Gennaro et al. [7] showed that it
cannot guarantee the correctness of the output distribution in the presence of an adversary.
Moreover, there is a strategy for an adversary to manipulate the distribution of the resulting
secretx tosomethingquitedifferentfromtheuniformdistribution.

D.2.2.SecureDKGProtocol

Gennaro et al. [9] not just showed insecurity of the JointFeldman protocol but also
proposed its modified secure version. The solution is based on ideas similar to the Pedersens
DKG (it also usesFeldmansVSSasamaincomponent),butauthorsarecarefulaboutdesigning
an initial commitment phase where each player commits to its initial choice in a way that
prevents the attacker from later biasing the output distribution of the protocol [9]. For this
commitment phase another protocol of Pedersen is used, i.e., Pedersens VSS protocol as
presentedin[12].
The new protocol provides security for any number t < n/2. The description of new
secureDKGprotocolispresentedbelow[9].
Generatingx :
1.EachplayerP i performsaPedersenVSSofarandomz i asadealer:
a)P i choosestworandompolynomialsf i (z), f i(z) overZ q ofdegreet :
f i (z) = ai0 + ai1z + ... + aitzt ,
f i(z) = b + bi1z + ... + bitzt .
Letz i = ai0 = f i (0).
b
P i broadcastsC ik = g aik h ik modp fork = 0, ..., t.
P i computes the shares sij = f i (j)modq, sij = f i(z)modq for j = 1, ..., n and sends
sij , sij secretlytoplayerP j .
b) Each P j verifies the shares she received from other players by checking for
i = 1, ..., n :
t
jk
g sij g sij = (C ik ) modp. (2)
k=0
Ifthecheckfailsforanindexi, P j broadcastsacomplaintagainstP i .
 c) Each player P i who, as a dealer, received a complaintfromplayer P j broadcaststhe
valuessij , sij thatsatisfyEq.2.
d)Eachplayermarksasdisqualifiedanyplayerwho
receivedmorethant complaintsinStep(1b)or
answeredtoacomplaintinStep(1c)withvaluesthatfalsifyEq.2.
3.EachplayerbuildsthesetofnondisqualifiedplayersQU AL.

4. Each player P i sets her share of the secret as xi = sij modq and the value
jQU AL


xi = sij modq
jQU AL

The distributed secret shared value x is not explicitly computed by any party, but it is

equaltox = z i modq.
iQU AL

Extractingy = g x modp :
4.EachplayeriQU AL exposesy i = g zi modp viaFeldmanVSS:
a)EachplayerP i , iQU AL, broadcastsAik = g aik modp fork = 0, ..., t.
b) Each P j verifies the values broadcast by the other playersin QU AL bycheckingfor
eachiQU AL if
t
jk
g sij = (Aik ) modp. (3)
k=0
If the check fails for an index i, P j complaints against P i by broadcasting the values
sij , sij thatsatisfyEq.2butdonotsatisfyEq.3.
c) For players P i who receive at least one valid complaint the other players run the
reconstructionphaseofPedersenVSStocomputez i , f i (z), Aik fork = 0, ..., t intheclear.
ForallplayersinQU AL, sety i = Ai0 = g zi modp.

Computey = y i modp.
iQU AL

Todate,thisprotocolisconsideredtobethebestamongDKGprotocols.

D.2.3.DKGonEllipticCurves

The paper [3] presents a new DKG protocol on EC (ECVSS) which is different from
PedersensandFeldmansonesandismoreefficientforECbasedschemes.
The protocol has the following steps.The players agree on anellipticcurve E ,theprime
p , the base point GE(Z p ) of order r . Given a threshold t and the total number of players
n = 2t + 1, eachplayerP i do:
1. Select a random polynomial f i (x) of degree t subject to her chosen secret a(i)
0
as its
freeterm.
2.Secretlysendsf i (j) toplayerP j j = {1, ..., n}.
3.Broadcastsak(i) Gk = {0, ..., t}.
4.Broadcastsf i (j)Gj = {1, ..., n}.
t
k
5.EachP i=j/ verifiesthat j ak(i) G = f i (j) andthatf i (j)G isconsistentwithhershare.
k=0
6. Each P i=j/ verifies that her share is consistent with other shares, i.e.

a(i)
0
G = bj f i (j)G.
jB

7. The decision on the guilty player is made according to the majority voting. Once the
n
aboveprotocoliscompleted,eachplayerP i safelycalculateshershareas f i (j)modr.
j=1

The motivationbehindconstructingofsuchnewprotocolonECisthattheFeldman'sand
the Pedersen's schemes become risky and inefficientiftheyareusedtoprotectsecretkeysofthe
ECC[3].

D.3.ThresholdCryptosystems.Examples

D.3.1.ThresholdBLSSignature

The BLS signature [5] is a scheme basedonbilinearpairings.Itwasdesignedinorderto

construct a short signature (minimal signature length is approximately 16 bytes). Actually, the
length is themainadvantageoftheBLSincomparisontosignaturesbasedonellipticcurves(the
BLS scheme does not have any advantage in security over EC schemes). Moreover, it seems
BLSisslowerconsiderablythan,forexample,asignaturebasedonEdwardscurves(Ed25519).
The threshold version of BLS signature was introduced in [6]. Before starting the
description of the algorithm, let us present some definitions and properties of bilinear pairings
[13].
 Let G1 , G2 be groups of the same prime order q ( G1 is additive and G2 is
multiplicative, in the literature sometimes both G1 and G2 are multiplicative groups). Assume
discretelogarithmproblem(DLP)tobehardinbothgroups.
Definition1.Amappinge:G1 G1 G2 iscalledabilinearmapif:
ab
1.Bilinearity:P , QG1 ,a, bZ q* ,e(aP , bQ) = e(P , Q) .
2.Nondegeneracy:P =/ 0 e(P , P ) =/ 1.
3.Computableinpolynomialtime.
NotethatG1 isaGapDiffieHellman(GDH)groupwhichhasthefollowingproperties:
the Decisional DiffieHellman (DDH) problem is easy to solve in G1 : given a
quadruple(P , aP , bP , cP ) ,testwhethere(P , cP ) = e(aP , bP ) .Equalityholdsifab = c.
the Computational DiffieHellman (CDH) problem is hard to solve in G1 : given a
quadruple(P , a1P , a2P , a3P ) ,tocomputee(P , P )a1a2a3 .
ThethresholdBLSsignaturehasthefollowingsteps[13].

Initialization. The master secret x = xi Li , where xi a secret key of i th participant,
i
Li theLagrangecoefficients,whichdependsonwhicht valuesofi youhave:

j i
Li = j .
/
i=j
x
theindividualpublickeysy i = g xi .
Themasterpublickeyisy = g , and
Signature. Each of t signers creates her share of the signature: i = H(m)xi . Note that
everyone can check the validity of i by checking e(g, i ) = e(y i , H (m)) . The signature

= i Li fort valuesofi .
i
Verification.Acceptiffe(g, ) = e(y, H (m)) .
AsagenerationprotocolisproposedtousesecureDKGprotocoldescribedabove.
The presented threshold version of the BLS signature scheme is robust, can tolerate any
t < n/2 malicious parties and does not require a trusted dealer [6]. The structure of the base
scheme permits to avoid many difficulties one needs to overcome while making threshold
versionsofmanystandardsignatureschemes,suchasRSA,DSSetc/[6].

D.3.2.ThresholdSignaturesonEllipticCurves

Some thresholdschemesonECwithoutacentralauthorityarepresentedin[3]and[4].In
[3] a robust threshold ECDSA signature which tolerates n/4 malicious adversary is presented.
ThepaperisalsopresentedanewDKGprotocolonEC(ECVSS)alreadydescribedabove.
 The paper [4] presents a thresholdsignaturebasedonNybergRueppelschemewithown
DKGprotocol.However,thepaperdoesnotcontainanyevaluationofthesystemrobustness,just
saysthesecurityisbasedonECDLP.

D.3.3.ThresholdEncryptionSchemeonElGamalcryptosystem

We describe here an example of the threshold encryption a robustthresholdencryption

schemebasedontheElGamalcryptosystem[8].
Key generation. A distribution key generation isimplementedbythePedersenprotocol.
As a result,eachplayer P j possessesashare sj Z q ofasecret s .Theplayersarecommittedto
these shares as the values hj = g sj are made public. Theshares sj aresuchthatthesecret s can
be reconstructed from any set of t shares using appropriate Lagrange coefficients (like in
BLS):

s = sj j, , (4)
j

wherej, theLagrangecoefficient.
Thepublickeyh = g s isannouncedtoallparticipantsinthesystem.
Decryption. To decrypt a ciphertext (x, y ) = (g , h m) without reconstruction of the
secrets ,theplayersexecutethefollowingprotocol:
1.EachplayerAj broadcastswj = xsj andprovesinzeroknowledgethat
log g hj = log x wj .
To proof a zeroknowledge one of theprotocolthatshowsequalityofdiscretelogarithms
can be used. Authors propose to use an interactive Chaum and Pedersens protocol butitcanbe
easilytransformedtoanoninteractiveone.
2. Let denote any subset of t players who passed the zeroknowledge proof. By
raisingx tobothsidesofequation(4),itfollowsthattheplaintextcanberecoveredas

m = y / wj j, .
j

The described scheme is robust, so step 2 assures that the decryption is correct and
successfulevenifupton t playersaremaliciousorfailtoexecutetheprotocol.
It seems the described scheme can be further modified and transformed to the threshold
encryptionbasedonEC.
There are also some threshold encryption schemes based on EC andpairings[14,15]but
theyrequireatrusteddealer.

D.4.PossibleApplicationtoCryptocurrencyTreasurySystem

 A cryptocurrency which applies the threshold cryptography is Dfinity [16]. Dfinity uses
threshold BLS signature to generate randomness. As a DKG protocol JointFeldman protocol is
used.
In our treasury system a threshold encryption issupposedtobeusedforsecurevoting.A
secure multiauthorityelectionschemebasedonthresholdElGamalencryptionwasproposedby
Cramer, Gennaro and Schoenmakers in [8]. The main feature of the proposed scheme is that
value decrypted by t from n players allows obtaining the final voting result which is may be
verified by any party and there is no possibility to know how the certain players voted.
However, such scheme is not suitable for the ETC treasury system which design involves votes
openingintheendofthevotingepoch.
To implement the secure voting protocol for the treasury system using threshold
encryptionwesupposetomakethefollowingsteps.
1. To modify ElGamal threshold encryption scheme described above and make the
similaronebasedonEC.
2. To implement the modified scheme, so that the elections result will be available to
everyoneintheendoftheepoch.
Someotherpossiblecomponentsofthesolution:
SecureDKGprotocolapplicationforkeygeneration
Threshold BLS signature application for randomness generation which will be needed
todivideusersongroups.Thethresholdencryptionwillgoonbygroups.
These are the initial thoughts on cryptographic voting implementation obtained after the
analysisofexistingliterature,thedetaileddevelopmentisunderthefurthersteps.

D.5.References

1. Shoup, V. (2000, May). Practical threshold signatures. In International Conference on the

Theory and Applications of Cryptographic Techniques (pp. 207220). Springer Berlin
Heidelberg.
2. Gennaro, R., Jarecki, S., Krawczyk, H., & Rabin, T. (1996, May). Robust threshold DSS
signatures. In International Conference on the Theory and Applications of Cryptographic
Techniques(pp.354371).SpringerBerlinHeidelberg.
3. Ibrahim, M. H., Ali, I. A., Ibrahim, I. I., & ElSawi, A. H. (2003, December). A robust
threshold elliptic curve digital signature providinganewverifiablesecretsharingscheme.In
CircuitsandSystems,2003IEEE46thMidwestSymposiumon(Vol.1,pp.276280).IEEE.
4. Chang, T. Y., Yang, C. C., & Hwang, M. S. (2004). A threshold signature scheme forgroup
communications without a shared distribution center. Future Generation Computer Systems,
20(6),10131021.
5. Boneh, D., Lynn, B., & Shacham, H. (2001, December). Short signatures from the Weil
pairing. In International Conference on the Theory and Application of Cryptology and
InformationSecurity(pp.514532).SpringerBerlinHeidelberg.
6. Boldyreva, A. (2003, January). Threshold signatures, multisignatures and blind signatures
based on the gapDiffieHellmangroup signature scheme. In International Workshop on
PublicKeyCryptography(pp.3146).SpringerBerlinHeidelberg.
7. Cramer, R., Damgrd, I., & Nielsen, J. B. (2001, May). Multiparty computation from
threshold homomorphic encryption. In International Conference on the Theory and
ApplicationsofCryptographicTechniques(pp.280300).SpringerBerlinHeidelberg.
8. Cramer, R., Gennaro, R., & Schoenmakers, B. (1997). A secure and optimally efficient
multiauthority election scheme. Transactions on Emerging Telecommunications
Technologies,8(5),481490.
9. Gennaro, R., Jarecki, S., Krawczyk, H., & Rabin, T. (1999, May). Secure distributed key
generation for discretelog based cryptosystems. In International Conference on the Theory
andApplicationsofCryptographicTechniques(pp.295310).SpringerBerlinHeidelberg.
10. Pedersen, T. P. (1991, April). A threshold cryptosystem without atrustedparty.InWorkshop
on the Theory and Application of of Cryptographic Techniques (pp. 522526). Springer
BerlinHeidelberg.
11. Feldman, P. (1987,October).Apracticalschemefornoninteractiveverifiablesecretsharing.
In Foundations of Computer Science, 1987., 28th Annual Symposium on (pp. 427438).
IEEE.
12. Pedersen, T. P. (1991, August). Noninteractive and informationtheoretic secure verifiable
secret sharing. In Annual International Cryptology Conference (pp. 129140). Springer
BerlinHeidelberg.
13. SelectedTopicsinCryptography,Lecture26:
https://ocw.mit.edu/courses/electricalengineeringandcomputerscience/6897selectedtopi
csincryptographyspring2004/lecturenotes/l26.pdf.
14. Shang, Y. L., Song, W. L., Jia, W. Y., & Zhang, Z. C. (2016, October). A general threshold
scheme based on elliptic curve cryptosystem. In Computer Science, Technology and
Application: Proceedings of the 2016 International Conference on Computer Science,
TechnologyandApplication(CSTA2016)(p.199).WorldScientific.
15. Binu, V. P., & Sreekumar, A. (2016). Threshold Multi Secret Sharing Using Elliptic Curve
andPairing.a rXivpreprintarXiv:1603.09524.
16. D.Williams.TheDFINITYBlockchainnervoussystem.