
The Economist Cyber Security

Case Study Competition 2016

VOTEX

A BLOCKCHAIN VOTING SYSTEM

Jonathan Homer | Jonathan Prutow | Reza Mehran-Nejad

George Mason University

2016


User Experience: In the near future, election day is approaching. Riley desires to be an engaged citizen. While waiting to order food, Riley sees one of the many "VOTE!" posters, pulls out a smartphone, scans the QR code, and registers to vote. On election day, Riley's phone displays a reminder that it is voting day. Riley opens the voting app and in less than a minute casts a vote. Later that day, Riley is notified that the vote was accepted and counted. After the election concludes, the Salts used to mask the ballots are published (see Section 3.4), and independent news sites and citizens alike are able to count the anonymous ballots for themselves, offering transparency and validation of the official election results.

1.0 Introduction

Despite being one of the oldest modern democracies in the world,[1] voter turnout in the United States is lower than in nearly all other developed countries.[2] From 1984 to the present, the voter turnout rate in the U.S. has ranged from 51.7% to 61.6% for presidential elections and from 35.9% to 41.1% for midterm elections.[3] Of particular concern, participation among younger voters (ages 18 to 29) has ranged from 16.3% to 48.4%, significantly lower than any other age group.[4]

[1] Barksdale, Nate. "What is the world's oldest democracy?" History.com, December 2, 2014. Accessed September 25, 2016. http://www.history.com/news/ask-history/what-is-the-worlds-oldest-democracy
[2] Desilver, Drew. "U.S. voter turnout trails most developed countries." Pew Research Center, August 2, 2016. Accessed September 25, 2016. http://www.pewresearch.org/fact-tank/2016/08/02/u-s-voter-turnout-trails-most-developed-countries/

Reforms such as mail-in ballots and early voting have had some success in increasing voter turnout by making voting more convenient and accessible for everyone.[5]

In this paper we present VoteX, a digital voting solution that makes participating in elections much more convenient and integrates easily into daily life. VoteX is more than technology: it is a method incorporating people, process, and technology to transition systematically to digital voting, making civic engagement less onerous and more accessible, secure, and socially rewarding. Integral to our proposal is the execution plan, which introduces changes to the people, process, and technology components in a phased and secure manner. VoteX rolls out in three phases, allowing consideration of user adoption, mitigation of technical integration issues, and configuration optimization before transitioning to the next phase. In each phase, VoteX integrates with existing voting processes by introducing new elements in parallel, thereby maximizing the impact of its adoption while maintaining public trust in the election process. Early in the rollout we focus on adoption among younger voters for two reasons: a) validation of VoteX's impact on turnout, and b) the target group's comfort with, and trust in, new technologies.

[3] United States Elections Project. "National General Election VEP Turnout Rates, 1789-Present." June 11, 2014. Accessed September 25, 2016. http://www.electproject.org/national-1789-present
[4] United States Elections Project. "Voter Turnout Demographics." Accessed September 25, 2016. http://www.electproject.org/home/voter-turnout/demographics
[5] Lam, Lauren. "Voter Turnout: the Undemocratic Nature of Democracy." Prospect, October 28, 2015. Accessed September 26, 2016. https://prospectjournal.org/2015/10/28/voter-turnout-the-undemocratic-nature-of-democracy/


Figure 1. Voter Turnout by Age Group [6]

1.1 VOTING PROCESS

Figure 2. Typical Democratic Elections Process

Figure 2 above shows the four key stages in a typical election process. Digital voting does not change these fundamental requirements. A good solution must integrate with existing systems so that the tools, training, and processes already in place enable VoteX to complement the existing paper, digital, early, and absentee voting systems. For the purpose of this proposal, we use U.S. laws and election processes (Figure 3) to demonstrate how VoteX meets the case study requirements.

[6] United States Elections Project. "Voter Turnout Demographics." Accessed September 25, 2016. http://www.electproject.org/home/voter-turnout/demographics

Figure 3. Existing System

In most U.S. states, voters must register before being permitted to vote. Depending on the state, voters register in person, by mail, or online.[7] In a few states all eligible voters are registered automatically.[8] Nearly all states offer registered voters the options of in-person voting on election day, in-person early voting, and absentee voting by mail.[9] In-person early voting and election-day voting are conducted using a paper ballot or some type of electronic voting machine.[10] Typically, votes are tallied at individual polling locations, and the final tallies are then transmitted to a central location.[11]

[7] Watkins, Eli. "How to register and vote in every US state and territory." CNN, August 16, 2016. Accessed September 26, 2016. http://www.cnn.com/2016/08/14/politics/how-to-register-to-vote-in-every-us-state-and-territory/
[8] Brennan Center for Justice. "Automatic Voter Registration." September 22, 2016. Accessed September 25, 2016. https://www.brennancenter.org/analysis/automatic-voter-registration
[9] National Conference of State Legislatures. "Absentee and Early Voting." May 26, 2016. Accessed September 24, 2016. http://www.ncsl.org/research/elections-and-campaigns/absentee-and-early-voting.aspx
[10] Verified Voting. "Voting Equipment in the United States." Accessed September 24, 2016. https://www.verifiedvoting.org/resources/voting-equipment/
[11] ACE Electoral Knowledge Network. "Vote Counting." Accessed September 24, 2016. http://aceproject.org/ace-en/topics/vc/vce/default


2.0 VoteX

VoteX leverages existing blockchain networks and is accessed using current mobile technologies. Through a layered use of encryption and one-way hashes, the privacy of the voter is maintained while identity and authenticity remain verifiable. Although this enables votes to be cast and counted in real time, VoteX masks the results from the public until after the election. The system is fully auditable by any third party.

Figure 4. End Goals of VoteX


2.1 LIMITED LAUNCH: EARLY VOTING

Figure 5. Limited Launch Phase

The first phase introduces the critical components of the blockchain voting system. Here, voters authenticate themselves via VoteX to receive a digital ballot on their phone. The scope of this phase is limited to those participating in early voting, and the final vote must be cast at designated secure voting locations. The aim is to test how voters adopt voting through VoteX without disrupting the existing dynamic too dramatically. Ballots submitted via the app are sent to the blockchain network as a test, but the official votes are transferred directly to paper ballots for official processing. This not only allows measurement of VoteX's adoption by early voters, but also allows verification of the functionality and accuracy of the process.

Requirements:

● Blockchain utilization: Early voters cast their ballot on the Ethereum blockchain network after authenticating themselves and receiving a ballot code.


● One vote per user: After authentication, early voters receive a unique ballot that is valid only when submitted at a secure voting location (i.e., a polling station). The voter is then marked as "voted" to ensure that no other completed ballot (paper or digital) can be submitted.

● Maintaining voter privacy: By using both one-way hashes and traditional encryption, a submitted ballot can be linked to a specific voter only through data held in an offline database, for audit purposes. All personal information is stored in a system that could be accredited as FIPS 199 {High, High, High} compliant.[12]

● Voting during a flexible timeframe: Although secure voting locations close during off hours, the early voter can complete their ballot anywhere and at any time before the early-vote deadline. Once the ballot is completed, it must be submitted from a secure voting location.

● Ensuring a secure count: The counting and auditing components do not use the blockchain in this phase, so every ballot cast by an early voter is printed and counted as a paper ballot. This lets the managing team resolve deficiencies in this phase before implementing the official counting and auditing system.

● Availability of interim results: Because each posted ballot is hashed with one of a large number of randomized Salts, public tallying is impractical while voting is in progress.

● Verifying an individual vote: After the vote has been counted, a confirmation is posted to the blockchain that enables the user's app to confirm the vote was recorded. This is done in a manner that prevents others from discovering which vote was cast.

[12] Clayton.edu. "FIPS199." 2016. Accessed September 29, 2016. http://www.clayton.edu/technology-infrastructure/Policies-and-Procedures/Information-Security-Plan/FIPS199.


● Voting under duress: The VoteX ballot is cast at the same secure voting locations as traditional early votes.

● Protection of undecided or abstaining voters: The authentication mechanism confirms the identity of the individual casting the vote. The strength of this mitigation is dictated by the requirements enforced by the election authority; new authentication controls become available with the technology being introduced.

The effectiveness of each phase can be measured using the following metrics:

● quantity of transactions (votes) recorded on the blockchain

● absence of confirmed privacy-related incidents

● absence of voter identity discrepancies

● absence of compromised votes

● confirmation that votes were properly counted

● absence of reported duress incidents


2.2 EXPANSION

Figure 6. Expansion Phase

In this phase, we extend the functionality of the Limited Launch to enable online votes to be cast on election day using the new voting app. This increases the adoption of VoteX across a larger pool, with any registered voter now eligible to cast their ballot using the blockchain, while still leveraging secure voting locations. This phase also introduces the opportunity for voters to register themselves using their device. Additional identity validation methods will be available as required by the appropriate election authority. The official ballots continue to be printed at the polls and counted with the other paper ballots, enabling additional testing and validation of the blockchain process.

By applying the same metrics used in the Limited Launch phase, and also considering the number of online registrations, the overall system can be proven in its effectiveness and security without placing the integrity of the election at risk. This is a critical step towards ensuring voter privacy and is a precursor to allowing the official counting and auditing of votes on the blockchain network.

2.3 FULL IMPLEMENTATION

Figure 7. Full Implementation Phase

In the Full Implementation phase, the final components are introduced. First, all registered voters are allowed to cast their ballot from an unsecured location, removing the need for the vote to be cast at a designated secure voting location; the previous phases validated the effectiveness of the blockchain app and the associated Ethereum blockchain network. The second component is leveraging the network to officially count and audit cast ballots.

The requirements of the Limited Launch and Expansion phases continue to apply. In addition, the following controls are introduced during Full Implementation:

● Blockchain utilization: The blockchain network is now the authoritative source for transactions (ballots) received from user devices and authenticated tokens. Submitted transactions are attached to the next block, and the election office collects and counts them.

● One vote per user: The digital fingerprint allows only one vote per user, in the form of a validated ballot, to be mined and made available for counting.

● Voting during a flexible timeframe: The voter can enjoy the convenience of voting at any time (as permitted by law) and from any location to cast their ballot on the blockchain network.

● Ensuring a secure count: Now that votes are cast through an unsecured blockchain peer-to-peer network, fake votes may be submitted alongside actual votes. To resolve this, when a ballot is cast the Policy Server matches Authenticators against Digital Fingerprints to validate authentic votes, as shown in Figure 13 (Voting Process Objects). The Policy Server also sends the validated ballot to the Ethereum network to be ultimately counted by the election authority (see the voting process sequence diagram, Figure 12). Altering a validated ballot would require 51% or more of the computing power of all nodes on the blockchain network, plus a correct digital fingerprint, in order to overwrite an existing block.[13]

3.0 Technical Process

3.1 STEP 1: VOTER REGISTRATION

Voter registration will continue to be based on organization-maintained datasets. Beginning with phase 2, voters will be able to register through the app, resulting in their addition to the dataset.

Figure 8. Voter Registration Process Sequence Diagram

[13] Refer to proof-of-work transaction proofing in Appendix B: Technologies Leveraged.


Figure 9. Voter Registration Process Objects

Each user provides identification artifacts using the app. These can include keyboard input as well as document capture and/or facial biometrics using the camera. These artifacts are transmitted directly to the election authority over SSL VPN tunnels, where they are reviewed and approved, and a confirmation is sent back to the user.

3.2 STEP 2: AUTHENTICATION

Prior to each election, voters must obtain a new authentication token. This process verifies the identity of the user and unlocks the device to cast one ballot for that election. Note that in the Limited Launch and Expansion phases, the voter must physically enter a polling place to obtain a critical piece of the authentication needed to cast a vote.


Figure 10. Voter Authentication Process Sequence Diagram


Figure 11. Voter Authentication Process Objects


After downloading the app, a user verifies their identity by uploading any identification required by the election authority. This could be as simple as a copy of a driver's license or identification card, or as complex as facial recognition biometrics or an out-of-band one-time authenticator. At this time, users select a simple PIN using an on-screen input (to avoid keyloggers) and choose a picture from a randomized preset selection. This provides a simpler identity check at the time of voting.

The app establishes an SSL VPN connection to the Policy Server, which acts as a trusted-but-independent service between the user and the election authority. This server passes the identification artifacts and a hash of the user's PIN (the "PinHash") to the election authority through a site-to-site VPN tunnel.

The election authority validates the information provided and generates a "Coupon" unique to the user's vote. This Coupon is a pre-shared secret key, generated as a hash of the output of a cryptographically secure pseudorandom number generator. The election authority also selects a random "Salt" from a precompiled list of at least 10,000 unique Salts used exclusively for this election. The Coupon, the Salt, and the election ID are provided to the Policy Server. The election authority then generates a set of temporary hashes of the Salt combined with each possible candidate, known as "Candidate Hashes." "Nominations" are generated by hashing the Coupon with each Candidate Hash. The election authority records all possible Nominations with the associated candidate, election ID, and PinHash, but does not retain the Coupon, the Salt, the associated Candidate Hashes, or any association with the user's information.


If the user is on their private device (or has re-authenticated on election day), the Policy Server generates the "Token," an additional secret key that authorizes the user to place a vote. The Policy Server then hashes the Token together with the user-provided PIN to generate a "Digital Fingerprint" that is later used for validation. The Policy Server also generates a hash of the Token, the PIN, and the user-selected image, which will be used to validate the user's identity on the end device; this is known as the "Identity Check Hash."

The Policy Server sends the Token, the Identity Check Hash, the Salt, and the election ID to the user device. It stores the Coupon and the Digital Fingerprint in a secure online database, and also records the Coupon, the Digital Fingerprint, the election ID, and the user's unique identifier in offline storage in case of a future audit. The Policy Server does not store the Token, the Identity Check Hash, the user's PIN, the PinHash, or the selected image, and the user is never given the Coupon.

3.3 STEP 3: CASTING A VOTE

Casting a vote is the process of the user selecting a candidate, then posting the selection and a proof of authenticity to the blockchain network. The Policy Server validates the vote and posts a confirmation to the blockchain. The election authority, seeing both the original post and the confirmation, validates the authenticity of the confirmation and records the vote. The link between the vote cast and the voter's identity remains in an offline database at the Policy Server.


Figure 12. Voting Process Sequence Diagram


Figure 13. Voting Process Objects

When ready to vote, the user enters their PIN and selects their image. If the hash of the Token (resident on the device), the PIN, and the selected image matches the Identity Check Hash, the user's authenticity is verified. The user makes their selection and confirms the submission. The app hashes the Token and the PIN to generate an "Authenticator" and forms a "Ballot" by hashing the selected candidate with the Salt. The Authenticator, the Ballot, and the election ID are submitted as an array to the Ethereum blockchain ledger. The Ethereum network processes the transaction and adds it to the chain in a block. This information becomes publicly readable but, because of the hashing, cannot be interpreted without the Salt. The app also stores the candidate who received the vote.

The Policy Server monitors Ethereum for entries containing the election ID. When a transaction is identified, the Authenticator is compared with the Digital Fingerprints on file. If no match is found, the Ballot is considered invalid and is ignored. When a match is identified, the Policy Server hashes the Coupon with the Ballot to form the "Validated Ballot," and posts the Authenticator, the Validated Ballot, and the election ID to Ethereum. The Policy Server then marks the Digital Fingerprint as used and no longer valid for comparison.

The election authority also monitors Ethereum and compares posted Validated Ballots with the Nominations on file. If no match is found, the Validated Ballot is considered forged. When a match is found, the candidate associated with the Nomination is identified, and a vote is added to the appropriate tally.

The election authority hashes the Authenticator with the PinHash and posts the resulting hash, labeled a "Ballot Validation," back to Ethereum. This can then be read by the user device and used to verify that the vote was counted.

3.4 STEP 4: VALIDATE AND AUDIT

After the election concludes, the election authority releases the full list of Salts. With this information it becomes straightforward to generate every combination of Salt and candidate hash and determine which ballots were cast for which candidates. Should it become necessary to associate a specific ballot with a specific user, the Policy Server's offline database provides the connection between the Coupon and the Digital Fingerprint, enabling a one-by-one association to be made.

Figure 14. Vote Validation and Audit Process Sequence Diagram


Figure 15. Vote Validation and Audit Process Objects

In the event of an audit, the data in the offline database within the Policy Server enables the Authenticator to be linked to the Digital Fingerprint. This can then be used with the data stored in Ethereum to reconstruct the entire vote pattern from user to vote count.
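The objects introduced in Steps 2 through 4 (Coupon, Salt, Candidate Hash, Nomination, Token, Digital Fingerprint, Identity Check Hash, Authenticator, Ballot, Validated Ballot, Ballot Validation) form a single chain of hashes, and the easiest way to check that the chain closes is to run it. The Python model below is added here as an illustration; it is not part of the original proposal and not the authors' implementation. It assumes SHA-256 over '|'-joined fields as the one-way hash (the paper fixes neither the algorithm nor the field order), uses an in-memory list in place of the Ethereum ledger, and constructs its own candidates, voters, PINs and images. It also exercises two Section 2.1 requirements: "Availability of interim results" (public_tally can decode nothing until the Salt list is released) and "Verifying an individual vote" (only the device holding the Token and PIN can recompute its Ballot Validation).

```python
import hashlib
import secrets
from collections import Counter


def H(*parts):
    """One-way hash for every VoteX object (assumed: SHA-256 over '|'-joined strings)."""
    return hashlib.sha256("|".join(parts).encode()).hexdigest()


class Chain:
    """Stand-in for the Ethereum ledger: an append-only, publicly readable list of posts."""
    def __init__(self):
        self.posts = []                  # (kind, *fields); kind is "vote", "confirm" or "validation"

    def post(self, kind, *fields):
        self.posts.append((kind, *fields))

    def of(self, kind):
        return [p[1:] for p in self.posts if p[0] == kind]


class ElectionAuthority:
    def __init__(self, candidates, election_id, n_salts=10_000):
        self.candidates, self.eid = candidates, election_id
        self.salts = [secrets.token_hex(16) for _ in range(n_salts)]   # released only after the close
        self.nominations = {}            # Nomination -> (candidate, coupon number, PinHash)
        self.spent, self.next_no, self.tally = set(), 0, Counter()

    def issue(self, pin_hash):           # Step 2: Coupon, Salt and every Nomination for one voter
        coupon, salt = H(secrets.token_hex(32)), secrets.choice(self.salts)
        for cand in self.candidates:     # Candidate Hash = H(Salt, cand); Nomination = H(Coupon, CH)
            self.nominations[H(coupon, H(salt, cand))] = (cand, self.next_no, pin_hash)
        self.next_no += 1
        return coupon, salt, self.eid    # neither Coupon nor Salt is retained here

    def count(self, chain):              # Step 3: Validated Ballot -> Nomination -> tally
        for auth, validated, eid in chain.of("confirm"):
            rec = self.nominations.get(validated) if eid == self.eid else None
            if rec is None or rec[1] in self.spent:
                continue                 # forged, or this Coupon was already counted
            cand, no, pin_hash = rec
            self.spent.add(no)
            self.tally[cand] += 1
            chain.post("validation", H(auth, pin_hash), eid)   # Ballot Validation


class PolicyServer:
    def __init__(self, authority):
        self.ea, self.online, self.offline = authority, {}, []

    def authenticate(self, user_id, pin, image):   # Step 2: only the PinHash reaches the authority
        coupon, salt, eid = self.ea.issue(H(pin))
        token = secrets.token_hex(32)
        fingerprint = H(token, pin)                       # Digital Fingerprint
        self.online[fingerprint] = coupon                 # secure online database
        self.offline.append((coupon, fingerprint, eid, user_id))   # audit-only record
        return token, H(token, pin, image), salt, eid     # Token, Identity Check Hash, Salt, ID

    def validate(self, chain):           # Step 3: Authenticator must match an unused Digital Fingerprint
        for auth, ballot, eid in chain.of("vote"):
            coupon = self.online.pop(auth, None) if eid == self.ea.eid else None   # pop = mark used
            if coupon is None:
                continue                 # no match, or a replay: ignored
            chain.post("confirm", auth, H(coupon, ballot), eid)   # Validated Ballot

    def audit(self, chain, authority):   # Step 4: offline records + Nominations rebuild user -> candidate
        confirmed = {auth: v for auth, v, _ in chain.of("confirm")}
        return {user: authority.nominations[confirmed[fp]][0]
                for _coupon, fp, _eid, user in self.offline if fp in confirmed}


class VoterApp:
    def __init__(self, token, identity_check, salt, eid):
        self.token, self.ich, self.salt, self.eid = token, identity_check, salt, eid

    def cast(self, pin, image, candidate, chain):
        if H(self.token, pin, image) != self.ich:         # local Identity Check Hash
            raise PermissionError("identity check failed")
        chain.post("vote", H(self.token, pin), H(self.salt, candidate), self.eid)   # Authenticator, Ballot

    def counted(self, pin, chain):       # only this device can recompute H(Authenticator, PinHash)
        return (H(H(self.token, pin), H(pin)), self.eid) in chain.of("validation")


def public_tally(chain, salts, candidates):   # Step 4: with the Salts public, Ballots decode by enumeration
    table = {H(s, c): c for s in salts for c in candidates}
    confirmed = {auth for auth, _, _ in chain.of("confirm")}
    first = {a: b for a, b, _ in reversed(chain.of("vote"))}   # reversed: keep each voter's first post
    return Counter(table[b] for a, b in first.items() if a in confirmed and b in table)


def run_election():                      # three constructed voters, one replayed ballot, one forged post
    ea = ElectionAuthority(["Alice", "Bob"], "GMU-2016-DEMO")
    ps, chain, apps = PolicyServer(ea), Chain(), {}
    for user, pin, image in [("riley", "4821", "owl"), ("sam", "1030", "bridge"), ("ana", "7777", "kite")]:
        apps[user] = VoterApp(*ps.authenticate(user, pin, image))
    apps["riley"].cast("4821", "owl", "Alice", chain)
    apps["sam"].cast("1030", "bridge", "Bob", chain)
    apps["ana"].cast("7777", "kite", "Alice", chain)
    apps["sam"].cast("1030", "bridge", "Alice", chain)    # sam votes again: must not be counted
    chain.post("vote", H("no-such-token", "0000"), H("x", "Alice"), ea.eid)   # no fingerprint: ignored
    ps.validate(chain)
    ea.count(chain)
    return ea, ps, chain, apps
```

Running run_election() and then public_tally(chain, ea.salts, ea.candidates) gives the same count as ea.tally (Alice 2, Bob 1): the replayed and forged posts are ignored by both the Policy Server and the public recount. Two properties of the design are visible in the code. First, the public tally is pure enumeration: with C candidates and the 10,000-entry Salt list, every on-chain Ballot is decoded with at most 10,000 x C hashes, which is exactly why the Salt list must remain secret until the polls close. Second, the only path back to a voter runs through the Policy Server's offline records combined with the election authority's Nominations; neither party can link a user to a candidate on its own.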

4.0 Summary

Online voting has tremendous potential to increase voter turnout by making voting more convenient and accessible, especially among younger voters. VoteX can be used for any type of election, including federal, state, and local elections; elections in the United States and in other countries; and elections for private clubs, condo associations, parent-teacher associations, and other organizations, and can easily be integrated with any existing voting mechanism. The use of a public network for voting also works to increase transparency and public trust in elections.
