Skip to main content

Overview

The SEDA_HAQQ/ deployment is the international sovereign referenda deployment of shyware, operated under the Co-Mission DBA alongside Pop-u-list. It is designed for adversarial-consensus environments: sovereign nations, contested jurisdictions, or any polity where the operator cannot be assumed to be neutral. Core guarantees shared with Pop-u-list:
  • public anonymous canonical ballot state
  • off-chain managed receipt and recovery state
  • count-match enforcement at close
  • managed-HSM tally signing outside validator disk custody

Identity model

  • IDV provider: Didit (biometric)
  • Preferred embodiment: per-poll voter device keypair — identity_hash = SHA-256(voter_pub_key ‖ poll_id)
  • High-assurance option: ZK nullifier — identity_hash = MiMC(person_secret, poll_id)
  • Recovery: biometric re-authentication on any device (preferred); encrypted backup (ZK)
  • Tally signing: Shared managed-HSM signer (AWS KMS + Azure Managed HSM), no local tally PEM

Write-only hostile-state posture

For voters operating inside a hostile or sanctioned jurisdiction, the client exposes a write-only mode: ballot submission and public tally reads remain available; the rematch and receipt readback path is suppressed. In this posture the client generates a ballot-identifier export record — an anonymous CSV of ballot_id values (no vote direction, no identity) that the voter may retain outside the hostile context for independent post-election self-verification against the public canonical ledger. Device-seizure guarantee: in write-only posture, a seized device yields only the publicly visible ballot_id. The per-poll voter private key (sk_v) is ephemeral and discarded after signing. The ballot_nonce is not retained on device after submission. The off-chain receipt is hosted outside the hostile jurisdiction. The hostile authority receives no rematch surface from the seizure.

Jurisdictional gap as coercion decamping mechanism

The receipt store’s hosting jurisdiction is not incidental to the deployment strategy — it is the mechanism. The off-chain receipt store is hosted in a rule-of-law jurisdiction that discloses linkage records only in response to a valid court order from a court of competent jurisdiction. A hostile nation-state government cannot obtain such an order against a receipt store operator in a non-cooperative foreign jurisdiction. The receipt store’s rematch surface is structurally inaccessible to the hostile government through any legal mechanism available to it. This is not a policy commitment by the operator — it is a consequence of the jurisdictional gap. The voter’s receipt is recoverable once the voter exits the hostile jurisdiction and satisfies the gated recovery checks, because the recovery channel is operated under a legal regime the hostile state cannot reach.

OFAC and export classification

This same architectural property satisfies the anti-surveillance predicate required for deployment under humanitarian personal-communications authorizations such as 31 C.F.R. § 560.540: the system does not enable the government of the sanctioned jurisdiction to identify, locate, or retaliate against individual participants, because the canonical ledger exposes no participant identity and the receipt store responds only to lawful process in jurisdictions where that government has no standing. The export-classification framework of 15 C.F.R. § 734.7 is supported by the protocol’s design for no-cost distribution to end users and open publication of the full protocol stack under a license permitting unrestricted redistribution. The transport-layer protections (censorship-resistant relays, protocol obfuscation, timing randomization) operate independently of these data-architecture predicates and address the separate concern of concealing the act of participation from in-jurisdiction network observers. Transport layer protects submission metadata; the rule-of-law receipt store protects the rematch key.

TAP configuration

Vote method: yes_no, no_enabled: true Dimension source: Dynamic — each closed poll becomes one TAP dimension: 
"a_k_formula":         "1 if yes_votes > no_votes, else 0",
"magnitude_formula":   "0.5 + abs(yes - no) / (2 × total)",
"phi_k_formula":       "theta_k − a_k × PI/2"
The TAP shows how the current majority result compares to historical referenda outcomes — a popular-will tracking diagram, not a voter-politician alignment diagram.

Infrastructure

  • Consensus: CometBFT multi-validator cluster, jurisdictionally distributed
  • Tally signing: Managed HSM-backed ECDSA via the shared shyware signer
  • Frontend: React app with TapDiagram.jsx
  • Database: CockroachDB (receipt/verification runtime), LevelDB (ABCI state)
  • Threat model: SEDA_HAQQ/shyconfig/docs/threat-model.md