Skip to main content

Overview

Pop-u-list is the primary U.S. civic shyvoting deployment. It applies the shared shyware two-list voting contract to advisory referenda, comparative legislative analysis, and TAP-based voter-to-cohort views. The civic surface is product-specific. The core guarantees are shared with Seda Haqq:
  • public anonymous canonical ballot state
  • off-chain managed receipt and recovery state
  • count-match enforcement at close
  • managed-HSM tally signing outside validator disk custody

Identity model

  • Identity verification: Didit (biometric)
  • Identity mechanism: per-poll voter Ed25519 device keypair identity_hash = SHA-256(voter_pub_key ‖ poll_id)
  • Oracle prevention: IDV provider attests the ephemeral device public key; sk_v is generated on device and discarded after signing — IDV never holds it
  • Recovery: biometric re-authentication with Didit on any device; no password, no recovery phrase, no device continuity required
  • Receipt store: CockroachDB-backed off-chain receipt runtime; operator read-only for reconciliation; linkage to canonical state available only under lawful process

Write-only posture

In sanctioned regions or elevated-risk contexts, runtime trust signals (device attestation status, network-risk classification) may suppress the receipt-readback and rematch path. The voter retains full ballot submission and public tally read access. In write-only posture the client also generates a ballot-identifier export record — an anonymous CSV of ballot_id values with no vote direction and no identity encoding — which the voter may carry outside a hostile context for self-verification against the public canonical ledger.

TAP layer

Pop-u-list adds civic comparison and TAP projection on top of the shyware voting base layer. Representative and cohort analysis live above canonical anonymous vote state:
  • public canonical state determines participation and tally truth
  • TAP projects agreement geometry and comparative views
  • no TAP view becomes the canonical vote record

Runtime posture

  • Canonical chain path: shyware voting state machine
  • Receipt / recovery runtime: off-chain CockroachDB-backed service
  • Signing boundary: AWS KMS + Azure Managed HSM
  • Hosting: Hetzner for public splash roots only; Verne Global for sensitive/private/canonical services; Cloudflare as front door

Why this deployment exists

Pop-u-list is the civic counterpart to Seda Haqq:
  • Seda Haqq emphasizes hostile-network election contexts and adversarial consensus
  • Pop-u-list emphasizes domestic civic participation and representative comparison
Both are shyvoting deployments. The embodiment changes the product flow, not the underlying anonymous audit contract.