Is it possible to use blockchain or public ledgers for voting?

As a software developer, I routinely get asked this question and frequently see it being asked online too; it seemed like a great question to pose for the wonderful StackExchange community.

For a quick bit of context, the general idea of public ledgers is everybody can see anonymous information (the votes cast, in this case), and they can also be cryptographically validated so anyone can guarantee it's all correct too.

So, essentially, do you think it's possible to use a digital public ledger system (like, for example, Blockchain) in major democratic elections? Would it meet the requirements we expect a democratic election to satisfy?

On the face of it, it seems like it would be perfect for voting; after all, it should make the process far more transparent, faster, far less prone to corruption and may ultimately turn around those declining voter turnouts because you can vote from anywhere. Or does it?

Obligatory XKCD link, which as a programmer I have to say is sadly accurate: https://xkcd.com/2030/

– dsollen – 2020-11-19T16:10:22.820

"do you think it's possible?" is opinion-based and therefore off-topic. – user253751 – 2020-11-19T18:37:56.877

41

you could be given a randomly generated GUID which can identify your vote, but cannot be reversed engineered to identify you, unless you tell someone else what your vote GUID

This seems absurd to me, it's trivial to steal or brute force that.

Brute force a GUID? No. Steal, yes, that's the problem: any ID of sufficient length will be impossible for most people to remember, and if you print it out or store it in any other way, that compromises the secrecy. Even if not, there's the problem of torturing (or bribing) people until they tell you their ID so you can check whether they voted the way you want.

Is it true that, "It is impossible to have a secret ballot AND traceability of the actual votes"?

At a fundamental level, if there is any way for a voter to trace their vote, they can be coerced into disclosing it, which harms secrecy.

But what encryption technology (possibly a blockchain but not necessarily) might make possible is to have "plausible deniability" where the system gives you not one but two (or multiple) IDs that resolve to confirm different options voted for, so that when someone coerces you to disclose your vote, you can tell them what they want to hear. Note that I wrote this might be possible, because I can't immediately see how this could be done in a way that the voter himself can still confirm that the vote he cast is actually the one that was counted, rather than one of the fake ones. There might be a clever scheme that makes this possible.

Ultimately, though, this is all technocratic masturbation with no real-world relevance: any such scheme, no matter how theoretically technically sound, would be so complex that it could too easily have hidden weaknesses in its implementation, and (perhaps even more importantly) it would be completely impossible to understand for 99.99% of the population, which would undermine its legitimacy.

Paper ballots are and will remain the best choice for voting because anyone can understand and confirm how they work, and while in principle it is easy to commit fraud with them, in practice it is nearly impossible to do so at a scale that changes results without leaving easily discovered traces and/or witnesses.

"while in principle it is easy to commit fraud with them". It's damn hard to do fraud with them, at least when in-person voting is used. You can watch how the empty urn is sealed, you can watch that only eligible voters put their ballots in, you can watch how the urn is unsealed and how votes are counted. The US puts a dent into this since urns are transported and you have no way of verifying the transit, but when counting takes place in the voting station, and a citizen exercises their right to watch, it's damn hard to defraud. – Polygnome – 2020-11-10T11:04:19.130

Compare that to electronic voting, where the average citizen can do exactly nothing to validate anything... – Polygnome – 2020-11-10T11:04:42.597

Is there a way to verifiably see that your vote was added to the total, without it being traceable by others? – endolith – 2020-11-10T20:29:49.203

@Polygnome how is it possible to watch that only eligible voters put their ballots in, in cases where the voter's identity is not confirmed in any meaningful way (e.g. in many states in USA)? Plus, aren't the votes eventually being inserted into an electronic system, which, again, most voters don't understand? – Noctiphobia – 2020-11-10T21:45:59.047

@endolith: that would be the GUID mentioned by OP. When you vote, you get a long, randomly-generated-on-the-spot number that is recorded with the vote you just cast but not anywhere else and in particular not connected in any way to you. After the election, the list of all such GUIDs and the votes cast with them is published. Anyone can check that their GUID matches the vote they cast and anyone can check that the total count is correct. As I wrote, the problem is that people can be coerced to disclose their GUID. – Michael Borgwardt – 2020-11-10T22:40:00.457

@MichaelBorgwardt No, I mean something temporary that allows you to see your vote go into the total, but without anyone else seeing it or identifying who made the total go up. Each voter observes their own vote increasing the tally, and the total is compared with the total number of people who voted at that polling location, so each person can verify that their ballot was counted, and everyone can verify that no additional ballots were added, and everyone can assume that the tallies are correct since everyone verified their own vote, but no one else can connect a particular vote to a voter. – endolith – 2020-11-10T22:59:02.643

@MichaelBorgwardt I am not convinced that "if there is any way for a voter to trace their vote, they can be coerced into disclosing it". I only want to be able to prove that my vote was (1) received and (2) was used or (3) not used in the computation of the final tally. If I prove that my vote was used in the final tally, then you can infer that I voted for Trump, Biden, or Jorgenson. If a single voter can prove that their received vote was not used in the computation of the final tally, then the whole election must be thrown out and done over. – emory – 2020-11-10T23:05:48.587

@MichaelBorgwardt I have no idea if that is possible, but can you prove it is impossible? – emory – 2020-11-10T23:06:16.223

@emory: I'd say that a voter being able to confirm that their vote was counted for the candidate they wanted is at least as important as whether it was counted at all. – Michael Borgwardt – 2020-11-11T06:57:19.947

@endolith: If a voter observes their vote increasing the tally for their candidate in public it's not secret, and if they observe it in private they cannot know whether what they are shown is what is actually counted, especially given that most polling stations have multiple voters voting in parallel. – Michael Borgwardt – 2020-11-11T07:06:24.363

@MichaelBorgwardt You are right. In a perfect voting system you should be able to prove to yourself and others that your vote was received and used. You should be able to prove to yourself but not others that your vote went to the right candidate. Just describing the requirements is tricky - never mind implementing them. – emory – 2020-11-11T13:23:24.203

@MichaelBorgwardt Is it impossible to come up with a system in which a voter can observe their own vote increasing the total, without that information also being completely open to the public? – endolith – 2020-11-11T15:07:54.240

@endolith no - the GUID system does just that, with the mentioned drawbacks. In my answer I mention that cryptography could make it possible to eliminate those, but such a system would be far too complex for most people to understand, they'd just have to trust experts that it provides the claimed guarantees. – Michael Borgwardt – 2020-11-11T22:04:12.397

34

I don't see what blockchain has to do with GUIDs and there seems to be some context lost in the edits. In either case, I recommend taking a look at this voting software related XKCD. Most experts agree with that XKCD comic.

Giving a voter a unique, random GUID makes it impossible to identify a voter based on a GUID - that is, if you ignore other vectors. First, you have to look at where the GUID is generated. If a GUID is generated and mailed to a voter then, as the government agency sending those GUIDs, you can easily connect the GUID to the voter and find out how he voted. If the GUID is generated on the fly on the voting machine and the machine doesn't know who is currently voting, that could be avoided.

Then, let's say there is a website where voters can check if their vote was counted. A voter enters his GUID and sees the vote that was stored for him. Now that website has IP and GUID, which for e.g. a government agency can be enough to connect a voter to a vote.

Lastly, there might be external pressure. A boss might require someone to provide his GUID to make sure all his employees voted for his preferred candidate. With a simple paper ballot, you throw it in and all proof of your vote is inside the box. If someone requests to know how you voted, you can lie and no one can disprove it. That is one reason why some countries forbid taking photos inside the voting booth. You can't be coerced to vote a certain way - which is in fact a problem with mail-in voting where you are not in a protected environment while filling it out.

The checking whether a vote was counted based on GUID could be done in a secrecy-preserving manner by simply publishing all GUIDs and their corresponding votes. Anyone can download the entire list (should compress really well, too). To make it more practical, you could cut it into chunks based on a small prefix or suffix. – Michael Borgwardt – 2020-11-10T07:42:25.007

@MichaelBorgwardt - Very true, but "identify voter by IP" is pretty shaky to begin with. Who says you're looking up your own vote, rather than an ID you coerced from someone (as per the last point)? Or that you're at a traceable IP, as opposed to some public hotspot or TOR/VPN? The other points in the answer are the real concerns. – Bobson – 2020-11-10T07:49:54.460

@MichaelBorgwardt that would work for voters with technical knowledge. I shudder to think how my grandmother would try to validate her vote from a data dump. That would lead to websites providing a "validate your vote" service to non-technical voters, which would allow those websites to connect voters to their votes. With a bit of the usual Google Analytics on those third party websites, suddenly Google knows how you voted. – Morfildur – 2020-11-10T07:50:20.180

Perhaps I'm naive/uninformed, but if you can't trace back to a voter, how do you ever catch anyone adding extra votes? Maybe you compare to the # of people listed to have voted by precinct, but since you can't backtrace, it'd seem impossible to figure out where/when the invalid votes were entered? Or more importantly, even which of the votes were the illicit ones (without subsequently having every single person admit their votes and eliminating?)? So while it would allow an option for people to verify their own vote was counted privately, it would be as it is now in terms of questions of adding votes? – JeopardyTempest – 2020-11-10T09:00:19.817

@JeopardyTempest That is called ballot stuffing. With physical ballot boxes, the election helpers watch the boxes. Usually they are from multiple parties, so it's in their interest to prevent it. Apart from that, there are sometimes international election observers who report on things like that. The impact of that is usually very low, because you can look at the number of eligible voters and only districts with low population will have single-party helpers. All districts with enough population to make it worth it will also be observed by both sides. (cont) – Morfildur – 2020-11-10T10:54:11.277

@JeopardyTempest For online voting, that is a real problem that is difficult to address and I'm not sure how it could be solved without making the vote non-secret (by connecting the vote with the voter). – Morfildur – 2020-11-10T10:56:29.460

@Morfildur That depends on how it is implemented. Have I Been Pwned does something similar without issue. My understanding is the client requests a subset of the database and does the final lookup itself. The server learns little. This even could be done with a web based client that downloads the entire database and does the lookup locally. – Matt – 2020-11-10T15:01:47.917

A website could be set up for people to anonymously check their votes using something like haveibeenpwned's system. The client sends only a prefix of the GUID. Then, the server sends all the votes for GUIDs with those prefixes. Finally, the client discards all votes but the one corresponding to their own GUID. Obviously there are still other issues with electronic voting. – Vaelus – 2020-11-11T00:58:37.917
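The prefix-bucket lookup that the two comments above sketch, written out as an added Go example (mine, not code from anyone in this thread). The published receipt list is a constructed stand-in built by `makePublished` (values like `guid-0042` rather than real GUIDs, and a fixed rotation of made-up party names); the client hashes its receipt and sends only the first `prefixLen` hex digits of the digest, and the server answers with every row in that bucket. Hashing before bucketing is my own choice, so the server sees a prefix of a digest rather than of the receipt itself; all function names are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// One row of the published list: a receipt GUID and the vote recorded with it.
type Receipt struct {
	GUID string
	Vote string
}

// Constructed party labels for the sample list.
var parties = []string{"Alice Party", "Bob Party", "Cat Party"}

// makePublished builds a constructed stand-in for the published list.
// Real receipts would be long random values; "guid-0042" is a placeholder.
func makePublished(n int) []Receipt {
	out := make([]Receipt, n)
	for i := range out {
		out[i] = Receipt{GUID: fmt.Sprintf("guid-%04d", i), Vote: parties[i%len(parties)]}
	}
	return out
}

// guidHash digests a receipt so the prefix that crosses the wire is a prefix
// of a hash, not of the receipt itself.
func guidHash(guid string) string {
	sum := sha256.Sum256([]byte(guid))
	return hex.EncodeToString(sum[:])
}

// bucket is the server side: it returns every (hashed receipt, vote) row whose
// digest starts with prefix. It never sees the full receipt.
func bucket(published []Receipt, prefix string) []Receipt {
	var out []Receipt
	for _, r := range published {
		if h := guidHash(r.GUID); strings.HasPrefix(h, prefix) {
			out = append(out, Receipt{GUID: h, Vote: r.Vote})
		}
	}
	return out
}

// lookupVote is the client side: hash the receipt, send only prefixLen hex
// digits, and pick the matching row out locally. It returns the recorded vote
// ("" if the receipt is not on the list) and the bucket size, i.e. how many
// receipts the server could confuse this one with.
func lookupVote(published []Receipt, guid string, prefixLen int) (string, int) {
	h := guidHash(guid)
	rows := bucket(published, h[:prefixLen])
	for _, r := range rows {
		if r.GUID == h {
			return r.Vote, len(rows)
		}
	}
	return "", len(rows)
}

func main() {
	list := makePublished(1000)
	vote, k := lookupVote(list, "guid-0042", 1)
	fmt.Printf("recorded vote: %q, hidden among %d receipts in its bucket\n", vote, k)
}
```

With N published receipts and a prefix of p hex digits, each bucket holds roughly N/16^p rows, so p is chosen to keep that number large; the lookup privacy this buys is separate from the coercion problem discussed in the answer, since the receipt itself still proves the vote to anyone the voter hands it to.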

"I recommend taking a look at this voting software related XKCD" - the way I read that XKCD is that people are (possibly) unreasonably sceptical of computerised voting, given all the other things we've achieved with technology (which is the exact opposite of the intended message here). It also doesn't actually provide any concrete reasons why it's a bad idea (which is fair, given that it's just a webcomic, but that means it's not all that useful as a reference). – NotThatGuy – 2020-11-11T08:48:39.070

@NotThatGuy as always on xkcd, the comic's alt-text provides more context: "There are lots of very smart people doing fascinating work on cryptographic voting protocols. We should be funding and encouraging them, and doing all our elections with paper ballots until everyone currently working in that field has retired." which indicates that the comic is intended to be understood the way it is used here - in most technical fields, engineers are reasonably confident the safety systems work. With electronic voting systems, that is just not the case. – Hulk – 2020-11-11T10:57:30.170

Of course, one of the problems of the comic is that it compares safety systems to security systems, and well - both airplanes and elevators are vulnerable to malicious actors. – Hulk – 2020-11-11T11:01:06.330

@Morfildur Re: "That would lead to websites providing a "validate your vote" service to non-technical voters" - it is now technically feasible to host websites directly on a blockchain, without having to use a gateway service. You are probably right, that there will be fraudulent sites that try to steal information but it is perfectly possible to build a performant, user friendly website directly on blockchain. I'm not saying that blockchain voting is a good idea but that particular hurdle is not an issue any more. See e.g. https://mashable.com/article/linkedup-dfinity/

– Max Murphy – 2020-11-18T00:03:26.670

24

No, it's not possible.

At least, not without violating multiple fundamental principles of democracy or making it seriously vulnerable. This is primarily because of the authenticity vs. voter anonymity problem. Consider this:

• A voter must be a citizen (Authentic)
• Their voting choices must not be known, especially not on a public ledger (Anonymous)
• The vote they cast isn't tampered with (Valid)
• A voter shouldn't be able to prove who they voted for (Bribery)
• A public final count so multiple people can validate the system as a whole.

Ledger systems are supposed to guarantee validity - nobody can cook the numbers - but watch what happens when authenticity and anonymity are involved in this example voting system:

1. I create a cryptographic "key pair" - a private key that only I know and a public key that everybody can see. The Government signs my public key as proof that I'm a citizen using a Government private key.
2. I place my vote. I sign my choice using my private key and add it along with the Government signature to the public ledger for everybody to see.

It has these properties:

• Nobody knows the Government private key so they can't place non-authentic votes.
• Nobody should know my private key so they can't tamper with my vote either.
• The Government signature provides authenticity and no other information is on the ledger, so it's anonymous too.
• The final count is public because anybody can add together the votes.

Nice, right? Nope! It actually scores 1/5:

• The Government can use the signature to identify me and my vote. After all, the signature originated from them when they verified me as a citizen and it's also right there on the ledger next to my choices.
• The Government can create as many "citizens" as they want, completely undermining both authenticity and validity. Anybody looking at the ledger won't be able to notice anything.
• Verifying a signature gives a cryptographic guarantee of exactly who I voted for; it's valid, sure, but it also opens up easy ways for people to bribe me.

So, anonymity is in contention with authenticity and validity is at odds with the ability to be bribed. Yikes.

However, notice that two signatures are involved. This can define a "chain of trust" between the Government and my vote. Maybe adding a few extra 'links' in the chain would at least separate the Government from being able to interfere quite that much? Unfortunately, this too is flawed - you can make the chain infinitely long and some entity along that chain will always be able to identify the voter and their vote. At some point, authenticity has to swap for anonymity. At the swap point, both your vote and identity are available.

Why is a public final count important?

Firstly, a quick side track: As mentioned in Hopelessn00b's answer, it is possible if you have a secret final count. The public ledger contains encrypted data effectively becoming a little useless to anybody but the Government. Estonia's e-Voting system currently has a secret final count - it's not a public ledger but the principle is the same. A public count is particularly important if, as seen in Estonia, the final vote counter is a single server that has been shown to be compromisable remotely. This means their entire democracy depends on a tiny group of people who make a series of rookie mistakes.

What about some kind of hybrid? Surely we can use something?

Don't get me wrong here; I'd love to see a system like this. Maybe someday a breakthrough will happen. A great digital boost to democracy everywhere - democracy so personal that it enters our homes. Let's just entertain the idea with a mixture of physical voting and see what happens.

So, we need to break the link between authenticity and anonymity and we can do that by flipping the voting process around - instead of dropping off your vote into a randomising pile, you pick up something from a randomising pile. Specifically, you pick up a pre-signed citizen ID. Next, in order to make it usable, you build a chain of trust relative to other citizens - for example, your parents could sign your new ID.

We're building trust chains of citizens here. It's still completely flawed however - the Government can still create as many fake citizens as it secretly wants and it'll always be easy to bribe, but at least it requires multiple people (2..) to pull off.

Summary

In order to list out votes in a public ledger, so anyone can count them up to conclude the results and confirm their vote was included, we have to give up the secret ballot. Alternatively we give up the public count but in doing so we make the public ledger useless. We also make ourselves vulnerable to fake citizens being created by the Government with ease, major digital security threats and admin failures due to the layers of complexity. Note that many of these also apply to e-voting in general.

It makes for an interesting concept nonetheless, but it doesn't come close to beating the simplicity and effectiveness of paper.
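The two-step scheme in this answer, rendered as an added Go simulation (mine, not the answer's code) using Ed25519 from the Go standard library. The Government signs a citizen's public key and, because it had to see the citizen to do so, keeps a register of whose key it signed; that register, the function names and the party labels are my assumptions. The program shows the three failures the answer lists: the Government resolves a ledger entry to a name through its register, a valid entry proves the choice to anyone who verifies it (a briber included) while a tampered one fails, and a key the Government signs with no citizen behind it passes exactly the same checks as a real one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Credential: a citizen's public key plus the Government's signature over it
// (step 1 of the answer's scheme).
type Credential struct {
	VoterPub ed25519.PublicKey
	GovSig   []byte
}

// Entry: what goes on the public ledger (step 2): the choice, the credential,
// and the voter's own signature over the choice.
type Entry struct {
	Vote     string
	Cred     Credential
	VoterSig []byte
}

// Register: the Government's private record of whose key it certified. It is
// assumed here; the ledger never shows it, but certifying a citizen means
// having looked at the citizen.
type Register map[string]string // hex(voter public key) -> citizen name

func keygen() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// certify: the Government signs a voter's key and notes who presented it.
func certify(govPriv ed25519.PrivateKey, reg Register, name string, voterPub ed25519.PublicKey) Credential {
	reg[fmt.Sprintf("%x", voterPub)] = name
	return Credential{VoterPub: voterPub, GovSig: ed25519.Sign(govPriv, voterPub)}
}

// castVote: the voter signs the choice and posts it with the credential.
func castVote(voterPriv ed25519.PrivateKey, cred Credential, vote string) Entry {
	return Entry{Vote: vote, Cred: cred, VoterSig: ed25519.Sign(voterPriv, []byte(vote))}
}

// verifyEntry is the check any ledger reader (or any briber) can run: both
// signatures must hold. A valid entry is therefore also proof of the choice.
func verifyEntry(govPub ed25519.PublicKey, e Entry) bool {
	return ed25519.Verify(govPub, e.Cred.VoterPub, e.Cred.GovSig) &&
		ed25519.Verify(e.Cred.VoterPub, []byte(e.Vote), e.VoterSig)
}

// deanonymize is what the Government can do with its register: the key on
// the ledger is the one it certified, so the entry resolves to a name.
func deanonymize(reg Register, e Entry) (string, bool) {
	name, ok := reg[fmt.Sprintf("%x", e.Cred.VoterPub)]
	return name, ok
}

// mintZombie: a "citizen" with nobody behind it. Readers check only the
// Government's signature, so it passes exactly like a real entry.
func mintZombie(govPriv ed25519.PrivateKey, vote string) Entry {
	pub, priv := keygen()
	return castVote(priv, Credential{VoterPub: pub, GovSig: ed25519.Sign(govPriv, pub)}, vote)
}

func main() {
	govPub, govPriv := keygen()
	reg := Register{}

	alicePub, alicePriv := keygen()
	entry := castVote(alicePriv, certify(govPriv, reg, "Alice", alicePub), "Party A")
	fmt.Println("entry verifies:", verifyEntry(govPub, entry))
	name, _ := deanonymize(reg, entry)
	fmt.Printf("Government resolves the entry to %s, who voted %q\n", name, entry.Vote)

	zombie := mintZombie(govPriv, "Party A")
	_, real := deanonymize(reg, zombie)
	fmt.Println("zombie verifies:", verifyEntry(govPub, zombie), "| in register:", real)
}
```

Nothing in `verifyEntry` can tell the zombie from Alice, and nothing on the ledger is hidden from the holder of `Register`; that is the answer's point that anonymity and authenticity are in tension when the same signature serves both.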

Of course most of these objections apply to existing paper based systems, with the important proviso that it's more expensive and involves more people to hijack the system. – origimbo – 2016-11-18T15:39:03.870

@origimbo Exactly - postal voting violates anonymity, but at least being bribed is harder because they can't be verified. Flooding the system with lots of fake paper ballots would be tricky if not outright obvious due to the large amounts of people involved. – Luke Briggs – 2016-11-18T15:51:47.333

What happens if everyone eligible to vote is required to vote? -- for the sake of discussion, assume this is a realistic possibility. Could that eliminate/reduce the "zombie hoard" concern? My intuition says no... – BurnsBA – 2016-11-18T17:56:11.470

@tolos Interesting thought; I'm leaning towards agreeing that it doesn't reduce it too much; mostly on the basis that there are large portions of the population that are unable to vote (physically incapable etc) - the gap between population and electorate provides a nice space for zombies to fit right in unnoticed! – Luke Briggs – 2016-11-18T18:09:13.643

I'm not too sure about "Nobody knows my private key so they can't tamper with my vote either". I don't need to know my wife's private key. All I need is access to the device she'll be using. – Michael J. – 2016-11-18T20:05:00.970

@MichaelJ. It's a relatively abstract overview but I've edited it to say "Nobody should know" instead - thanks. – Luke Briggs – 2016-11-18T20:35:23.393

Note that your critique applies to blockchain models which rely on a public ledger system that is not anonymized. Some newer cryptocurrencies, such as Monero, are designed to anonymize transactions and could, in theory, be adapted for voting purposes as a result of this design consideration. – HopelessN00b – 2016-11-18T22:13:14.873

@HopelessN00b I think you might've read it wrong there - it applies to all public ledger systems as the ledger's support for anonymity isn't strictly what this is about; rather it's more related to the democratic requirement for anonymity and how that fails to work together with authenticity when the vote info is public. As a bit of an aside note I also worked on a design for a public ledger in financial systems. – Luke Briggs – 2016-11-18T22:17:45.850

Your claim is valid only if we assume that nobody can be trusted. However it would be possible to use something like a threshold encryption scheme which guarantees validity+anonymity as far as no more than k entities are corrupted (and you could choose k as big as you like...). – Bakuriu – 2016-11-18T22:53:56.070

@LukeBriggs Ring-signature cryptography. (Monero.)

– HopelessN00b – 2016-11-18T23:01:44.127

Could allowing a number of tickets to each county/district based on census data & voter registration information prevent the government from creating "fake citizens?" – RedOculus – 2017-09-22T21:26:42.390

@RedOculus I think that would only work out if everywhere had high voter turnouts - there are always large chunks of the population who simply don't bother voting, so that gives a nice large margin to fit fake voters. E.g. a 1% swing in the US election - likely enough to flip the outcome - would make a 55% turnout appear to have been 56-57% instead. – Luke Briggs – 2017-09-22T22:04:21.123

19

The security issues in electronic voting are completely unlike any security issues anywhere else.

You have to provide assurance that every legal vote has been correctly recorded and added to the total of the candidate for whom it was cast, but at the same time prevent any voter from proving to a third party which way they voted. These two are fundamentally in opposition because if the voter can check that their vote is correctly recorded in the list of ballots then they can also do that in front of a third party who can then either pay them or beat them up accordingly.

Blockchain and its relatives do nothing to resolve this fundamental problem. It's possible that something might be done with homomorphic encryption (i.e. being able to run certain computations on a block of votes without decrypting it) but I'm not enough of a cryptographer to comment on that.

Paper ballots in the UK solve this problem by having each ballot paper stamped with a number, which is then recorded next to the voter's name, also on paper. In theory you could look through a stack of ballots and pair the ballot number against a voter. In practice this requires physical access to the ballots, and doing so for all ballots would be a large operation requiring lots of staff. So this is easy to prevent, but allows spot checks in case of allegations of widespread ballot stuffing.

re: every vote counted / 2nd paragraph. I'm not sure you're really highlighting the right issue. It's common to be able to use the internet to check the status of (e.g.) absentee ballots without gaining any information about which votes were cast on that ballot. – BurnsBA – 2020-11-11T13:14:21.963

@BurnsBA Yes you can check your ballot is in a database, but that doesn't provide any assurance that it was correctly included in the reported totals. For that you have to trust the counting system (which is pretty robust, let it be said). It also doesn't protect against ballot stuffing. – Paul Johnson – 2020-11-11T13:19:39.977

I think there's just some language confusion. It sounds like "You have to provide assurance that every legal vote has been counted" isn't referring to the vote count, it actually means "You have to provide a way for a person to verify that what is officially recorded is the same as how they voted." – BurnsBA – 2020-11-11T13:32:33.933

@BurnsBA Yes, that is what I meant. I'll fix the answer. – Paul Johnson – 2020-11-11T14:14:31.953

11

The whole field of electronic voting is rather dubious in general. Many places outperform US vote counting speed using paper ballots and without the added concern, whether justified or only perceived, about hacking that arise with electronic voting. All the more since USA software vendors in that space aren't typically known for their transparency and security focus.

Some of the core issues of this election, such as voter suppression, are less about whiz-bang technology for the sake of it, rather than common sense legal reform to allow eligible voters to vote. Rules forbidding local politicians to manipulate the process for partisan reasons, for example.

Still, I want to specifically single out "blockchain". That is, to be sure, an interesting new technology. But it's also often perceived as a solution in search of a problem. Its one big "success story" to date has been Bitcoin and ever since blockchain has been the darling of the investor community and has become the IT buzzword-du-jour. Its failure rate has also gotten to be the butt of many jokes, to the point where "but... but... blockchain!" is a running joke for much of the IT community.

At best I would be skeptical about fixing this type of mess with e-Voting. But specifically, I am doubly skeptical about sprinkling "blockchain pixie dust" on any problem, unless there is a very clear case for it. A few vocal activists chattering about it do not make that case.

Looking at the fraud, energy wastage, criminal activity and general lack of transparency about its main use case, blockchain currencies, and I'd argue that's precisely the type of technology I wouldn't touch with a 30' pole for voting.

Even if you assume that my pointing out flaws in one domain, currencies, doesn't carry over into another domain, voting, you're still left with a problem of public perception. Would the public trust a technology in one critical field, voting, that is associated with fraud in another? Why? And, as we're seeing right now, the perception is an important aspect of voting systems - the current US one is reasonably secure and transparent, but that still leaves it with a deficit of trust.

10

Traceability at an individual vote cast level is basically a useless feature.

The reason you want some means to audit whether a vote has been recorded properly is to determine if a vote total is accurate. But if only individuals can trace how their vote was calculated, then unless everyone waived secrecy in order to trace how their vote was recorded and then cooperate to share the results collectively, tracing one, or even a significant share of votes cast doesn't tell you if the total is accurate.

This is particularly true when you consider that traceability is a feature which exists, more or less entirely, in an effort to counter deliberate or systemic miscounting of votes cast, a level of fraud that can easily intervene between the recording of individual votes and the tabulation of the total number of votes, or by slipping fake votes into the tabulation.

The old school technology of marking a choice on paper and dropping it into a secure box, and then auditing the pieces of paper in the secure box, is a far more reliable and far less costly way to achieve certainty of outcome.

Traceability could be a way to make it possible to undo specific ballots cast that are determined to have been cast by ineligible voters after they are included in an aggregate pool of votes, which is not possible with a piece of paper dropped into a secure box method. But historically, the number of contests of this type are dozens or less for an entire state in any given election and the number of elections that are that close is few indeed.

Many states, such as Colorado, provide a tracking code similar to one used to track letters and packages in the mail or courier systems, that allow a voter to confirm if a vote dispatched to an election administrator was actually received, but without attaching information about what the ballot said.

This is more useful, because it allows a voter who is suspicious that their vote was not delivered to intervene and cast a replacement ballot when, for example, the mail truck delivering their ballot gets into an accident and destroys the ballots inside in a Hollywood style explosion (something similar happened to about 150 mail-in ballots intentionally destroyed in a single box by a mentally ill man in Boston this year). This is a much lower tech system that provides a much greater benefit.

Simply put, there is almost no circumstance in which blockchain technology meaningfully improves election security.

7

Possibly

It all depends on the protocol. Luke Briggs' answer does a great job of stating the requirements for such a protocol and shows a protocol that wouldn't work. The question is whether there is a protocol that could meet the requirements.

I don't believe one has been found but one can get quite close by adding indirection. Below is a protocol that I've just thought up (I doubt it is original) which comes quite close but fails on one stage. Can this failure be closed? I'm not sure but one can do very interesting things with cryptography, such as zero knowledge proofs, so I am hopeful.

Example protocol

Every registered voter has a private/public key pair (only they know the private key) as does the government.

For each vote, the voter generates a private/public key pair and sends the generated public key to the government signed with their personal private key (they send their personal public key too). They encrypt the message using the government's public key.

The government decrypts the message, verifies the signature and checks that the person hasn't previously sent a key for this election. It does this by maintaining a list of registered voters' personal public keys with a boolean flag that it flips when it has received a verified key.

The government then publishes the generated key on a public blockchain ledger signed by the government. The published key may include metadata e.g. state, county, to help with statistics, questionable over/under voting etc. Note, the government does not store or publish the relationship between the personal and generated keys.

Once the generated public key is published, the voter votes by creating an entry on a public ledger with the vote and the generated public key both signed by the generated private key.

The votes can then be checked by anyone by a) confirming that the vote was indeed signed by the respective key and b) that no-one has voted already with that key.

Once validated, the voter then throws away their generated private key.

1. Only registered voters can vote and only once
2. The voting portion of the scheme is fully public and publicly verifiable
3. The voting part cannot be tied back to an individual voter
4. It's public how many voters will vote

1. An unscrupulous government can know the relationship between the voter and their vote by storing the relationship between the personal and generated public keys.
2. An unscrupulous government can "create voters" by adding generated keys that aren't tied to voters and voting with them. This can be mitigated with metadata as described or publishing the (voter, flag) list, which has other issues.

Unfortunately this one is the "chain of trust" approach (or at least it appears to be!) where you've got Gov - Person - Vote. In general, if the Government can store something, assume they probably will. The hard part is the Government can hit a "generate zombie hoard" button and create as many signed "citizens" as they want - that's still possible here too. – Luke Briggs – 2016-11-18T13:39:11.943

@LukeBriggs I do not get the "generate zombie hoard" claim, because from what I understood from both answers you could just mandate that each key pair must be linked to a particular individual in the polling rolls, making it easy to spot "zombies". Anyway, the lack of anonymity is not a "disadvantage", it is a fatal flaw because it negates a basic principle that ensures that voters are free to cast their ballot. – SJuan76 – 2016-11-18T13:46:21.267

@Luke Briggs I agree with you on the first part and I mention this as the main limitation. Less so on the second part. As the keys are published, especially if they're published with some metadata, gross count issues will be more difficult to hide, much more than today. – Alex – 2016-11-18T13:49:02.750

@SJuan76 The "zombie hoard" problem comes about if you can't, independently, tie a vote directly to a person, which you can't (deliberately) in my scheme. So an unscrupulous government could generate a bunch of keys and vote with them. In Luke's scheme this is much harder as you can tie the vote directly to the voter (so they would need to fake the voter register) but, well, it means everyone knows who you voted for. – Alex – 2016-11-18T13:54:17.500

@SJuan76 key pairs are easy to create so creating lots of digital citizens (as Estonia has) and then voting with them is easy and fast. Votes are typically so tight that it only takes a relative few to swing it. Similarly to Alex's note, metadata does help - i.e. publically identify an actual person as much as possible - but it starts getting very close to violating anonymity (i.e. where's the boundary) because it's just so easy to relate the public data. – Luke Briggs – 2016-11-18T13:54:28.440

I've added the "zombie hoard" problem as a disadvantage. I also mention a "solution" which is to publish the list of voters and whether they have a published key. That would prevent the hoard but would show the world who did/didn't vote (though the public can't trace the voters to votes). Whether or not you think publishing who voted is acceptable is, of course, a different question. – Alex – 2016-11-18T14:03:12.713

As long as we're talking about zombies, it's probably worth being pedantic and talking about a zombie horde. – BrenBarn – 2016-11-19T07:44:07.340

This scenario is vulnerable to bribery as well, since the voter can keep their private key and hand it to others to confirm their vote on the public ledger. Or be coerced to keep it, hand it off before voting, etc. – Cyrus – 2017-05-03T18:52:40.580

2

Not in the US, because it inherently requires voter ID.

In the modern US, voter ID is a politicised topic that is the subject of active debate, with one party being vehemently opposed to it as they consider it a form of voter suppression, and the other party advocating for it in order to reduce voter fraud.

As a result, a scheme that requires all voters to possess a fancy electronic ID is basically a non-starter.

Since the question is not tagged as US-specific, this answer is irrelevant. Most countries in the world, except for UK and a couple of its former colonies require some form of ID for voting. – Gnudiff – 2020-11-11T08:16:27.773

@Gnudiff Ok, edited post. Better? – nick012000 – 2020-11-11T09:48:12.650

2

In addition to the above answers, blockchain and public ledgers can be combined with mail-in voting to create a better mail-in voting system. The USPS is filing a patent for a blockchain system that could help with mail-in voting to add more security and make said votes easier to count. According to the patent itself, the system works when “a registered voter receives a computer readable code in the mail and confirms identity and confirms correct ballot information in an election. The system separates voter identification and votes to ensure vote anonymity, and stores votes on a distributed ledger in a blockchain.”

2

Blockchains or public ledgers are (perhaps) half of a solution. Blockchains are a technology, and technology by itself cannot solve social problems, any more than construction equipment by itself can build a city. The social problem implicit in the franchise is the tension between accountability and secrecy, and while blockchains help to ensure secrecy, they are not particularly good at ensuring accountability.

Secrecy is an essential part of the franchise in order to prevent intimidation or retribution against citizens over their vote choices. Contrary to some of the other answers given, blockchains would be quite effective at providing this. Yes, there is a traceable path back to the voting citizen so long as one can secure cryptographic details, and in principle that could lead to harassment, threats, or punitive measures. But in practice, that kind of intimidation isn't scalable. Voter intimidation is only meaningful when voters can be intimidated in large numbers from a position of relative anonymity: e.g., when an industrialist makes it known that employees who vote the 'wrong' way might find themselves out of a job, or when unknown groups post flyers in minority neighborhoods warning of unspecified attacks if those people go to the polls (both of these, incidentally, are or were common practices). But blockchains would guarantee that any potential intimidators would have to reach out to individual citizens directly (in order to gain access to their cryptographic information), which dramatically increases the risk of public exposure while simultaneously decreasing the 'footprint' of their intimidation efforts. In simpler terms, it's easy to visualize a boss making it known (through some casual comment) that he will view all employees who vote for the other guy unfavorably, but it's laughable to imagine political operatives going door to door to intimidate voters one by one by one.

The problem of accountability is harder to address. Yes, a voter can ostensibly use his cryptographically secured information to check that his own vote was recorded properly, but this technology opens the possibility of double accounting: e.g., having one list which reports the citizen's vote back to the citizen as he cast it, and another list that is used for compiling totals in which some citizens' votes are recorded differently. This is extremely difficult to do with low-tech paper ballot voting, because huge numbers of people involved in the counting would need to be complicit in the act. But digitizing and encrypting the ballot information places more and more information in the hands of fewer and fewer people: it limits accountability and increases the potential for malfeasance.

The accountability problem could be resolved through a classic check and balance system. In such a system, the encrypted vote data would not go to one central location to be tallied. Instead, each political party — as well as interested organizations like newspapers — would get its own clone of the central vote data. Any discrepancies in vote-count between these interests could be traced back to individual ballots which show differences across clones of the data, and individual voters could check multiple sources to make sure their vote wasn't hijacked by one group or another. The more groups the voting tallies are spread over, the less likely that any one group can massage ballots to their own advantage.

Do you have a reference for the 'double accounting' claim? I'm not an expert on blockchain, but it seems to me that the entire selling point is auditability. – JJJ – 2020-11-17T20:42:47.670

@JJJ: I'm not an expert on blockchain either. But I do know that the weakness of technological systems is technological attacks. if it isn't double accounting of this (admittedly) simplistic sort, we can be damned sure that lots and lots of people will be looking for loopholes, backdoors, and gambits to exploit. The only solution to that nonsense is to render the system itself transparent and distributed, so that all the cheaters will be shown up to each other. Nothing stops a thief quite as effectively as other thieves after the same prize. If you think that's cynical, blame Madison... – Ted Wrigley – 2020-11-17T22:34:17.890

1

It is possible to have both voter privacy & traceability. Here is just one academic article (among many) describing how you can use bisimulation & graph theory to mathematically prove the correctness of privacy properties of electronic voting protocols.

The cryptography behind the scenes is quite complex. The protocols can provide plausible deniability. It is not decentralized; voters need to have a special token (e.g. an electronic card or something) emitted by a central authority (which we assume you can trust).

Also, the protocol assumes the use of voting booths, so there is no remote voting. The act of casting the actual vote is done securely and hidden from malicious eyes.

When the election completes, all the votes & protocol messages are made public, not just the tally. Any voter can then verify that their vote is present and correct. They can prove whether it is missing or incorrect using their token.

(Right now I don't have time for a more elaborate answer. I suggest you take a look at the linked article for the details for now.)

Out of curiosity what is the advantage of a digital solution like this if you still have to do it in person in a voting booth? – Kevin Wells – 2020-11-10T17:25:36.030

@KevinWells 1. Instant results, regardless of the complexity of the ballot. 2. Verifiable counting; anyone can run the count themselves. – Paul Johnson – 2020-11-10T17:58:01.393

Privacy is not enough. Traceability by itself undermines voting secrecy, and enables coercion and vote buying as per accepted answer. – Gnudiff – 2020-11-11T07:53:49.363

I appreciate you don't have time for a more elaborate answer but as it stands, too many critical details are missing to clarify how it has both privacy & traceability. – gerrit – 2020-11-11T09:16:59.770

0

Yes.

First off, in the simplest implementation, there is no reason that even a public ledger system would be unsuitable to replace paper ballots or current e-voting systems. The general flow of voting under current systems involves a voter showing up to a polling place, the officials at the polling place verifying their eligibility to vote, and then the voter being permitted to cast their vote on a ballot or computer voting system. Paper ballots and/or usage of e-voting machines in this scenario could easily be replaced by a single-use blockchain address, and a person would not be any more easily linked to their vote than under the current system. Instead of picking up a paper ballot that you insert into a mechanical voting machine, you could pick up a smartcard that you insert into a blockchain-linked voting machine, or instead of making selections from a touch screen on an e-voting machine that records a vote onto a local database, you could make selections from a touch screen on an e-voting machine that records votes to a blockchain.

Additionally, not all blockchains are the same, or even similar.

The oldest and currently most popular cryptocurrencies (such as Bitcoin) use a relatively simple blockchain design that is essentially a public ledger. The self-answer to this question does a good job of laying out why this type of system is problematic for voting in elections, but this is not the only type of blockchain in existence.

For example, Ethereum uses a slightly different model which allows voting and certain types of contract enforcement, and is, in fact, being trialed for certain types of elections and voting by the Ukrainian government.

There are also cryptocurrencies utilizing blockchain technologies and featuring anonymous transactions, Monero being the prime example.

Using a blockchain based on ring-signature cryptography could, in theory, allow people to have a re-usable voting blockchain address that could be authenticated, with the transactions/votes being anonymous, but also verifiable, fulfilling all the basic requirements of a voting system, and we know it's possible to include voting mechanisms into a blockchain because Ethereum does it. We're a long way off from actually seeing something like this in practice, but it is at least, theoretically, possible.

There's actually major flaws with this kind of setup - all the surrounding infrastructure is extremely vulnerable (a voting machine which isn't actually doing what its interface says, for example). The final count is only possible in secret too, which ultimately undermines the added complexity. – Luke Briggs – 2016-11-18T23:10:17.993

@LukeBriggs That's a problem with both analog voting systems, and the current implementations of digital voting too, so I don't see why it's relevant to the discussion of using blockchains for voting. The question you asked isn't whether blockchains are a silver bullet to allow perfect voting systems, but whether or not they can be used for the purpose of public voting. They can (and in fact, even are). – HopelessN00b – 2016-11-18T23:16:53.857

E-voting is a lot more vulnerable though, simply because of how widespread a small software change can get. Currently though they're not being used for public voting; researched yes - e-vox is essentially a smart contract system which doesn't seem to currently have a solution for a wider general election. Chamber voting of course has very different requirements. – Luke Briggs – 2016-11-18T23:30:54.620

@LukeBriggs I'm well aware. Those vulnerabilities (and the costs of a public, remote voting system) are answers to the question of why no one's built such a system yet, but not answers to the question you posed, which is whether or not it's possible to build such a system using blockchain or public ledger technologies. – HopelessN00b – 2016-11-18T23:35:22.320

Very true; I would still argue that it "Isn't possible without violating fundamentals" however on the basis of the secret final count; I'll update my answer to address that one. – Luke Briggs – 2016-11-18T23:47:49.763

0

tl;dr Yes, you can get basically whatever you want with crypto. Crypto can enable both privacy (by hiding information) and publicity (by providing verifiable statements of truth that can be reliably fact-checked by third-parties). There may be some social-engineering work to be done, but the technology would be relatively straightforward.

Crypto concepts.

The main workhorse is an asymmetric key pair, which has two parts:

1. a public-key, which is basically a new identity (like an email address or phone number) that you control;

2. a private-key, which is like your secret password to the public-key.

People can publish their public-keys for everyone in the world to see, but private-keys should never be shared.

This enables a lot of cool stuff:

1. Anyone can encrypt a message in your public-key (assuming they know it), but only you can decrypt the message.

2. You can prove your identity by demonstrating your ability to decrypt random data.

3. You can electronically sign data by using your private-key to generate the signature. People with your public-key can verify that a signature matches the thing you signed, proving that you signed it.

Once we have this basic set of tricks, we can make awesome stuff with it.

1. Everything has its own asymmetric key pair. For example, every voter, voting machine, poll worker, etc., should have at least one key-pair.

2. Whenever you do something like vote, you always get a receipt and immediately verify that the receipt is correct.

• A correct receipt can be used to prove that the other party saw the content of the receipt and signed it with their private-key.

• An incorrect receipt is useless. If you get one from a voting-machine, then you basically act the same way you would if the voting-machine gave you an out-of-order error message.

3. Use redundancy to protect against conspiratorial fraud. For example, the votes should all be electronically shared with the US government, the Republican party, the Democratic party, and whoever else – everyone can do their own count (super fast-and-easy, since it's electronic), and everyone should arrive at the exact same result without any errors. If anyone disagrees, everyone can show signed receipts to prove the truth; lies are easily and provably exposed.

4. Use chain-signed certificates to establish subordinate identities. For example, an official US voting-machine needs to prove that it's official, but it shouldn't have the US's main private-key (as that'd be a huge security liability). So instead, the voting-machine should have its own private-key, and then the US signs a receipt with the official private-key stating that the voting-machine's legitimate. Then the voting-machine can prove that it's legitimate by showing people the officially-signed receipt saying so.

5. Implementation needs to be automated, open-source, and auditable.

• Automation keeps all of this simple and easy-to-use. Sorta like how computers are complex, but most folks don't need to know how they work to watch Netflix.

• Open-source and auditable so people can have trusted experts verify stuff for them. For example, US Republicans would probably feel more secure if the Republican party independently verified that their voting credentials were good, and people who don't trust a single party could ask multiple parties to all verify correctness.

Complications.

The potential complications are:

1. Initial lack of trust.
I think people who get this sort of system would love it and much prefer/trust it over any alternative. But in the short-term, when much of the population is unfamiliar with these concepts, the public would probably need assurances from trusted voices to spur initial acceptance.

2. Too much trust.
People with vote-receipts can prove who they voted for. Some have expressed concern that giving people this ability could help them to sell their vote, or have a controller check that they voted as instructed.

3. Need for public education.
People would need to learn how all of this works, so there could be a learning-curve there. That said, technology like this seems likely to become central to future lifestyles anyway, so promoting public education on the topic could be a pretty good thing.

Discussion.

I expect a system like this to be the future. It'd definitely make things a lot easier, faster, and more reliable.

Initial adoption and social ails are the complicated hurdle. It's easy to under-/over-estimate how bad they might be, or misjudge how they might play out, so I'm hesitant to assume too much.

Terminology: "Web of trust".

Most of what was sketched above is more web-of-trust than block-chain. Block-chain elements could be added in if appropriate, but for reasons that seem silly to worry about discussing here, I doubt that'd make sense in this application.

I think "there could be a learning-curve there" is a huge, elephant-in-the-room, understatement. The number of people who would understand what was happening enough to meaningfully audit a) the system, and b) the results would be a minuscule fraction of the people voting. For everyone else, it would be "enter your voter ID in this slot when you vote, and this slot when you want to verify", with everything else being taken on blind trust. Compare that to a pile of paper ballots, where literally anyone can watch the ballot box being unsealed and the pieces of paper counted into piles. – IMSoP – 2020-11-11T13:10:25.730

@IMSoP: A good solution would probably end up being an alternative mode of voting, rather than a compulsory substitution, that'd end up allowing people to use virtual credentials in a manner analogous to online banking, with physical credentials and physical evidence available at physical locations for backwards compatibility with folks who don't get it. We could even have everything be done with paper print-outs, even printing out copies of electronic votes, just to have a paper trail if that makes some more comfortable. – Nat – 2020-11-12T16:34:15.820

@IMSoP: Practically speaking, I suspect that the deciding factor'll be if it's obviously worthwhile. I mean, the current system seems to work well enough, so even if a newer system would work much better, there'd only be so much profit to be had in that. The major factor'd probably be if something like Trump comes along to further stir up public mistrust; if the current system comes under significant doubt, then there could be profit in transitioning to something better. Otherwise, the transition to a system like this could probably wait until environmental factors render it easy. – Nat – 2020-11-12T16:36:55.593

@IMSoP: I kinda like the learning-curve issue, though. I mean, society's almost necessarily going to have to change to better incorporate elements of trust/evidence like this, and our world ought to be a better place for it. – Nat – 2020-11-12T16:47:21.443

Yeah, the benefit definitely needs to be there; the case is slightly easier to make in the USA, where you already have complex machine-assisted voting. In most UK elections, we're choosing one candidate in one contest, so writing "X" on a piece of paper and depositing in a box is pretty hard to beat; occasionally we have two contests at once (for different tiers of local representation), and just use separate pieces of paper. – IMSoP – 2020-11-12T16:47:26.690

0

Blockchain is already used for minor votes in some parts of Switzerland. See e.g. https://www.swissinfo.ch/eng/crypto-valley-_-switzerland-s-first-municipal-blockchain-vote-hailed-a-success/44230928 Internet-voting is used in major elections in Estonia: https://e-estonia.com/solutions/e-governance/i-voting/ Despite what is suggested in some comments below it is perfectly possible to host the counting server on blockchain. So it is possible. That said, there are a number of technical, social and ethical issues that need to be addressed before blockchain voting can be used more widely.

I would like to comment on one particular aspect: The desire for votes to be forgotten after some time. There is the conception that a blockchain must hold all its data for all of history and that this puts the right to be forgotten at risk.

First off, a blockchain does not necessarily hold all of history forever; storing data forever is expensive and any blockchain that guarantees to store data forever is going to be awfully expensive in the long run if it handles significant quantities of data. A blockchain doesn't need to store all data though to be useful for validating historic data. A typical blockchain is a Merkle tree, a tree of hashes of hashes of hashes of hashes, and way down the bottom you have the leaves of the tree with data. If you hold just the hash of the root, some 64 bytes of data, you already hold enough info to verify an assertion that a certain leaf has a certain value. The intermediate hashes need to be provided as proof, then your task as validator is simple. Thus it is possible to delete info from the blockchain but still have strong proofs of historic outcomes. So-called transparency logs use this to verify DNS records in your browser right now.

Secondly, there is the idea that all data on a blockchain is public, so all votes would have to be public. This is not the case. A blockchain guarantees replicated state, so all the machines perform a computation and agree on the output. That computation could be as simple as adding a signature to a normal array, in which case all votes would be public, visible for anyone; however, the blockchain could count the vote and store the voter ID, stripped of the vote, to prevent repeat voting. That simple solution isn't enough to provide good security, however it is enough to illustrate the point that blockchain does not imply that all data is public.

-1

This doesn't seem too difficult, and I don't really see how block-chain would contribute meaningfully. It should be possible to provide a solution at least as secure as paper voting, though it requires a similar level of trust in the organizations running it.

First, you have a gatekeeper website. This is physically and operationally separate from the vote tally. You log in here and provide whatever credentials are required to prove you are who you say you are. Your browser then runs a JavaScript application locally that collects your vote, but before sending it to the gatekeeper, it is encrypted by a public key for a third party - the tabulator.

Once the gatekeeper has received your encrypted vote, it marks on the registry that you have voted. This is similar to the poll worker at a paper voting station - they know who you are and that you have voted, and they are in possession of your ballot, but can't see what your vote actually is because it is locked in a box (or encrypted with a key they do not have in this case). The gatekeeper, just like the poll workers manning an in person voting location, is responsible for transmitting your vote to the central location.

Key to trust here is that the JavaScript run on the client is audit-able (since JavaScript is interpreted the source is provided to the client - obfuscation would be prohibited in order to maintain its readability). Also, the same organizations that are responsible for ensuring election safety would be able to observe the gatekeepers - the source code for the server would be open source and whatever means is required to confirm that the gatekeeper does not have access to the decryption key and that it is properly forwarding votes to the tabulator would be provided, with the option for public observation via some means (a dashboard that displays relevant data perhaps). Experts (IT professionals, both non-partisan and bi-partisan) would observe the set up and installation of the servers to ensure that the open source code (again, audited by all parties) is the only thing installed and that it is installed unmodified. Volunteers and paid experts can physically observe that the server is unmolested while operating and throughout the election. Proper intrusion detection measures would help ensure that the servers are not hacked or otherwise altered remotely. The electronic safeguards are pretty standard, and the allowance for observers is pretty similar to what is done today for ballot counting.

The gatekeeper signs the vote with its private key before sending it on to the tabulator so that all votes received by the tabulator can be confirmed to have come from a gatekeeper, reducing the likelihood of fake votes. The tabulator would also, of course, only accept votes over encrypted connections from known gatekeeper IP addresses. Any other best practice to ensure trust would also be taken, of course.

Once the vote is sent to the counting facility to be counted, this proceeds not much differently than current electronic voting. The vote is decrypted and tallied via software, though unlike current electronic voting machines, the code would be fully open source. Again, non- and bi-partisan observers would be allowed to validate that the process is proceeding honestly - with experts overseeing the setup, configuration and installation, as well as the operation, of the computer equipment.

So, you have to trust the people validating the hardware and software and those auditing the code - which, remember, are both non-partisan and bi-partisan to ensure fairness - much as you have to trust the poll workers and the vote counters in current paper elections. Is it fool-proof? No, but it is at least as fool-proof as paper or mail-in ballots.

There could be multiple gatekeepers and which one you use could be based on your district or other factors. The gatekeepers would have to delay transmission of a vote to the central authority until it can confirm that that voter hasn't voted (say at another gateway or in person), so regular updates to the voter rolls would have to be maintained, again, not much different than current. Standard transaction queuing software/algorithms could be used to ensure that service disruptions don't lose any votes, similar to how banks ensure the safety of transactions.

Once you vote, you could print out a confirmation page, but the information it showed would be minimal - maybe a transaction ID and a date/time, but even that might be too specific - say if the tabulator received a vote from a specific gatekeeper at that specific time (or, more accurately, a small batch of queued votes shortly after that once the gatekeeper had confirmed the uniqueness of your vote after a frequent voter roll sync). The information here is adjustable. Considering that you don't get anything other than an "I voted" sticker from a regular polling location, this could simply be a simple "we've received your vote!" message.

For redundancy, the gatekeepers could keep local copies of the votes they received, simply dissociated from any identifying info (including IP addresses stored in web-server logs). This is optional, but could be useful in double checking vote counts. I should state, here, that this is not a fully formed idea, and so some of the details will need refining by experts in such things, hence why this is an optional item as well as why some of the details of the audits are not explicit.

Further, I am concerned that there is some flaw in this plan that I am missing - experts have spent way more time on this problem than I have and have mostly decided that secure and anonymous voting is not possible outside of paper ballots, so I am likely falling into the old security trap of "I don't see a flaw, so it must be fool-proof!". But, I humbly post it here anyway as I haven't found a similar plan proposed and am curious to see what flaws there are.

Lastly, concerning the argument that "people don't understand the technology and so won't trust it", I don't recognize that as valid because people use technology they don't understand all the time. Most folks don't understand public key encryption, and yet they bank online and purchase online using it every day. Current elections use fancy machines to count and tabulate votes and no one really blinks at that because it is safely buried behind the scenes (where they can ignorantly assume that every vote is counted by hand). With the system vetted by trusted experts (regardless of your political leanings), this should be no different.

I'm not sure which part of this answer I should be most concerned about. "Your browser then runs a JavaScript application locally that collects your vote" this is just begging for an XSS attack. "The JavaScript run on the client is audit-able" no it isn't, you don't know which version of the script some random person is running, or if they are even running that script rather than something else. "Confirm that the gatekeeper does not have access to the decryption key", how exactly could that be done? How can we make sure that data from the gatekeeper can't later be loaded onto the tabulator... – Kevin Wells – 2020-11-10T22:53:56.567

2

... and decrypted there? "The source code for the server would be open source", how would you confirm beyond a shadow of a doubt that the provided code was the code that is actually running on the server? If a bunch of people have access to the server (as you suggest), how can you tell if they changed the code to do something nefarious? "Once you vote, you could print out a confirmation page", if something went wrong (on the server or in the JavaScript) and your vote wasn't being counted correctly how would you ever know?... – Kevin Wells – 2020-11-10T23:04:56.397

1

Simply being a JavaScript app doesn't make it insecure against XSS, especially since most browsers have robust protections against such attacks. As I mentioned, best practices are mandated and ensured by third party observers. The client code is audit-able in that any citizen with the know-how can connect to the server and check that the code the server distributes is what is expected. Lastly, third party observers from both sides of the political divide validate the gatekeeper. After the vote is cast, even the gatekeeper can't match a vote to an ID, so that is how we make sure. – cpcodes – 2020-11-10T23:06:53.193

2

... "The gatekeepers could keep local copies" once they are anonymized how would you prevent someone from maliciously adding fake votes to that backup to throw off a recount? Aside from all of these potential concerns this system would be ripe for phishing attacks. Think about how many people fall for scam emails and pop up ads and then ask yourself how you are going to stop phishers from getting people to vote through a fake voting website where you can collect people's identifying information, how they intended to vote, and then vote for them however the attacker wants. – Kevin Wells – 2020-11-10T23:07:39.483

1

The people that have "access to the server" are observers. They are not part of the installation process, they merely ensure that the installation process is properly followed and validate that it is not compromised and that nothing nefarious was done. If you vote at a physical site and the poll worker loses your ballot, how would you know? Again, we're not aiming for perfect, just parity with what we have now. – cpcodes – 2020-11-10T23:09:36.317

1

If you vote in a normal system you can check the voter rolls to see if you show up as having voted, and if not you can go and cast a provisional ballot. Someone has access to install the software, so how do you confirm that they have actually installed the software you think they did? It's not impossible, but it is an extra complication and vulnerability. The problem with switching away from paper ballots is that paper voting has had hundreds of years of stress testing to work out many of the flaws, any new system is a complete unknown, and elections are far too important to risk. – Kevin Wells – 2020-11-10T23:15:14.840

You would prevent malicious votes being added by a) having the observers present throughout the process and b) by requiring the anonymized votes to be signed by the gatekeeper system, meaning that so long as the private key for the gatekeeper is properly protected (again - best practice and third party observers) the only way to generate false votes would be using the gatekeeper server, which is watched by observers and generally protected, physically and virtually. Again, like paper voting, a certain level of trust is required, and observers are placed in all places where it is reasonable. – cpcodes – 2020-11-10T23:15:14.920

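The last exchange above turns on one mechanism: the gatekeeper signs each anonymized record, and a recount over the backup drops anything that does not verify. What follows is an added example of that step, written for this page; it is not code from the answer, the commenters, or any real voting project. It assumes Ed25519 for the gatekeeper key, a made-up record layout (random per-record ID, contest, choice), and that the recount also rejects a repeated record ID, since a signature alone says nothing about a genuine record being copied into the backup twice. The demo shows a record altered after signing and an exact replay both being rejected; what it cannot show is the part the comment leaves to observers, namely that anyone holding the gatekeeper's private key can mint records that verify perfectly.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// AnonymizedVote: assumed record layout after identifying data is stripped.
type AnonymizedVote struct {
	ID      string `json:"id"` // random, unlinkable to a voter
	Contest string `json:"contest"`
	Choice  string `json:"choice"`
}

type SignedVote struct {
	Vote AnonymizedVote
	Sig  []byte // gatekeeper's Ed25519 signature over canonical(Vote)
}

type Gatekeeper struct {
	priv ed25519.PrivateKey // whoever holds this can mint valid records
	Pub  ed25519.PublicKey
}

func NewGatekeeper() (*Gatekeeper, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Gatekeeper{priv: priv, Pub: pub}, nil
}

// canonical: json.Marshal emits struct fields in declaration order, so the signed bytes are deterministic.
func canonical(v AnonymizedVote) ([]byte, error) { return json.Marshal(v) }

// Record anonymizes a cast vote (fresh random ID, no voter data) and signs it.
func (g *Gatekeeper) Record(contest, choice string) (SignedVote, error) {
	var id [16]byte
	if _, err := rand.Read(id[:]); err != nil {
		return SignedVote{}, err
	}
	v := AnonymizedVote{ID: hex.EncodeToString(id[:]), Contest: contest, Choice: choice}
	msg, err := canonical(v)
	if err != nil {
		return SignedVote{}, err
	}
	return SignedVote{Vote: v, Sig: ed25519.Sign(g.priv, msg)}, nil
}

// Tally recounts a backup: unverifiable records are dropped, a repeated ID counts once.
func Tally(pub ed25519.PublicKey, backup []SignedVote) (map[string]int, []string) {
	counts, seen := map[string]int{}, map[string]bool{}
	var rejected []string
	for i, sv := range backup {
		msg, err := canonical(sv.Vote)
		if err != nil || !ed25519.Verify(pub, msg, sv.Sig) {
			rejected = append(rejected, fmt.Sprintf("record %d: signature does not verify", i))
			continue
		}
		if seen[sv.Vote.ID] {
			rejected = append(rejected, fmt.Sprintf("record %d: duplicate id %s", i, sv.Vote.ID))
			continue
		}
		seen[sv.Vote.ID] = true
		counts[sv.Vote.Choice]++
	}
	return counts, rejected
}

// Demo builds a constructed backup: three genuine records, one altered after signing, one exact replay.
func Demo() (map[string]int, []string, error) {
	g, err := NewGatekeeper()
	if err != nil {
		return nil, nil, err
	}
	var backup []SignedVote
	for _, choice := range []string{"Alice", "Alice", "Bob"} {
		sv, err := g.Record("mayor", choice)
		if err != nil {
			return nil, nil, err
		}
		backup = append(backup, sv)
	}
	tampered := backup[0]                        // struct copy keeps the old signature bytes ...
	tampered.Vote.Choice = "Bob"                 // ... over a vote that has now changed
	backup = append(backup, tampered, backup[2]) // tampered record, then a replayed copy
	counts, rejected := Tally(g.Pub, backup)
	return counts, rejected, nil
}

func main() {
	counts, rejected, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("counts:", counts, "rejected:", rejected)
}
```

Running it yields counts of Alice 2, Bob 1 and two rejected records: the altered one fails signature verification, the replayed one verifies but is caught by the ID check. Neither check would flag a record produced by the gatekeeper key itself, which is exactly why the comment leans on physical protection of that key and on observers rather than on the signatures.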

-2

Ronald L. Rivest has written something suitable. The time spent here is well spent.

This man is the R in RSA.

https://people.csail.mit.edu/rivest/pubs/PSNR20.pdf