Vote Chain: Secure Democratic Voting
2016
Rutgers Professional Science Master's Program
Christopher Dougherty, Hammad Khan, Jason Occidental
Economist Case Study Challenge
Contents
1. Introduction
2. Vote Chain Overview
3. Vote Chain System Architecture
3a. Overview of Proof of Concept
3b. Initialization
3c. Voter Registration
3d. Casting a Vote and the Availability to Check Votes
3e. Tallying
4. Registration and Verification
5. Voting Under Duress
6. Abstention Voting / Undecided
7. Voting Aftermath: Accounting for Privacy and the Availability of Interim Results
8. Security Concerns
9. Conclusion
Appendix A – Functional Decomposition Diagram
Appendix B – Registration and Voting Data Flow Diagram
Appendix C – Voter Registration IDEF0 Diagrams
Appendix D – References
1. Introduction
Elections can change the fate of nations and deeply influence the livelihood of their citizens. As technology evolves, it has become imperative to use it to address ethical concerns and to introduce transparency throughout the voting process [8]. Although electronic voting machines are steadily becoming the norm around the world, they bring concerns of their own. A voting system that addresses these concerns and increases the legitimacy of the process has the potential to raise voter confidence and ensure that the process is as democratic as possible [8].
Many states in the United States use voting machines that are over a decade old and are becoming expensive to maintain, on top of the volunteers and government buildings required to run polling places [9]. The voting process in other countries can be worse. A voting system built on a blockchain could address some of these issues: it can rule out more votes being cast than there are registered voters, thus tackling voter fraud; it produces an audit trail that anyone can check; and it increases transparency.
A blockchain acts as a public ledger (a distributed database) that anyone can audit but no one truly controls. The nodes in a blockchain system keep the database updated by following shared rules and reaching consensus [11]. Any attempt to tamper with data in a blockchain is easily noticed, because the altered data will no longer match the records the other nodes have already synchronized. Although its first major application was Bitcoin, the technology has since gained traction, and many companies are using blockchain methods to develop new products. Recently, Microsoft introduced Ethereum Blockchain as a Service (EBaaS) on its Azure platform [10].
Some companies, such as "Follow My Vote" [13] and "Blockchain Technologies Corp" [14], have started to introduce the idea of voting on blockchains, although their approaches do not address several of the goals outlined below. This is why we created Vote Chain, a system that harnesses the security of blockchains but extends it to meet the needs of a public democratic voting process.
2. Vote Chain Overview
The main goal of Vote Chain is to develop a national online electoral system built on a blockchain. Although blockchains offer a great deal in terms of information integrity, a blockchain alone only covers how the database is protected from malicious manipulation before the results are posted. Areas that need more than the blockchain provides include voter registration and verification, voting under duress, voting undecided, and the release of election results. Addressing these issues allows our system, Vote Chain, to adapt to civil concerns as well as ensuring data security.
3. Vote Chain System Architecture
3a. Overview of Proof of Concept
This section provides a high-level technical overview of the Vote Chain system architecture; see the appendices for functional and data flow diagrams. Specific concerns and how they relate to our goals are addressed in the following sections. The system model we have designed can be implemented in many different ways. We selected the Ethereum network [15] as the basis for our research and proof of concept; a real implementation of this system could use any blockchain protocol capable of these functions.
The Vote Chain system has four primary components: Voter, application server, Verifier and Ballot Regulator. Each component has a public/private key pair that is used at several steps of the voting process. The Voter runs a secure mobile or web application that communicates with the voting application server. The Verifier's job is to establish the identity of each voter and validate them against existing external government voter registration databases. The Ballot Regulator is a system running a node on the blockchain, and it is responsible for ensuring that voters have been validated by the Verifier, that voters receive the correct ballot, and for submitting each completed ballot to the blockchain.
The application server provides scalable infrastructure for the voting applications. The alternative would be to require every voter to run a full blockchain node in order to participate. This is neither feasible nor advisable on many budget or mobile devices: the minimum requirements listed for running a full Bitcoin node, for example, include 80 GB of disk space, an unmetered internet connection, and at least 6 hours a day of running at full capacity [2]. Requirements this steep would leave many voters behind and ultimately undermine the advantages of this voting system. Lightweight node clients are under development, but many of them must connect back to a full node anyway. Our approach uses existing, well-understood web and application server technology, reducing the need for specialized personnel and developers. There is precedent for hybrid web/blockchain applications like this, as showcased by companies like BlockCypher [7].
3b. Initialization
When a voter first launches the voting application, it goes through an initialization stage. This stage sets the voter up with an asymmetric key pair consisting of a private key and a public key. The public key is then hashed, and the hash is used as an address. The address is the identifier that uniquely names the sender and recipient of any blockchain transaction [1].
3c. Voter Registration
Next, the voter creates a profile in Vote Chain containing their personal identification information. This information is sent as a request to the Verifier (via the application server); section 4 describes in more detail what personal information is required and how verification occurs. The Verifier uses this information to positively identify the requester as a registered voter, consulting an external government voter registration database if necessary. The Verifier additionally fetches the appropriate regional ballot information for the voter.
If the voter is positively verified, the Verifier records their personal information as registered (but not their address). The Verifier then digitally signs and posts the voter's address and ballot information to Blockchain A (but no personal information). Blockchain A now contains transactions, signed by the Verifier, listing the addresses allowed to vote. This separation of voter address from personal information is crucial to maintaining anonymity when casting a vote, and it only holds if neither the Verifier nor the application server that relays the request retains the pairing of the two.
3d. Casting a Vote and the Availability to Check Votes
When it comes time to cast a vote, the voter launches the application again and logs in to the previously registered account. The application requests a ballot from the Ballot Regulator (via the application server). The Ballot Regulator checks Blockchain A for the requesting voter's address and confirms that the entry is signed by the Verifier. If the address is on Blockchain A, the Ballot Regulator sends the voter the appropriate regional ballot, and the voter marks their responses. Before submitting the ballot, the voting application encrypts the vote with the Ballot Regulator's public voting key. This is a special asymmetric key pair that the Regulator uses only for votes, and only for one open voting period (e.g. one election cycle). The application digitally signs the encrypted vote and sends it back to the Ballot Regulator, which posts it to Blockchain B. (Side note: Blockchains A and B could be the same blockchain; we name them separately for clarity in describing this model.) The voter, or anyone worldwide running a node, can now verify that this signed and encrypted vote has been posted to Blockchain B. Only the Regulator holds the private key that decrypts the votes, but because each voter produced their own ciphertext, they can hash it locally and compare that hash with Blockchain B to confirm their vote arrived intact. No tallying is possible at this point, since every vote is encrypted.
3e. Tallying
Once the voting period is closed, the votes must be tallied within Vote Chain. To make this possible, the Ballot Regulator publicly releases the private voting key. It is critical that this voting key pair is not used for server maintenance, administration, communication or any function other than encrypting the votes of this specific poll. Once the private voting key is released, anyone with access to Blockchain B can decrypt and tally the votes. The voting key pair is regenerated for every poll, and only valid, signed votes encrypted under that specific key are counted. Anything else added to the blockchain is ignored.
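The flow described in 3b through 3e, as an added proof-of-concept in Go that is not part of the original paper: key generation and address derivation, the Verifier signing each address and its regional ballot onto chain A, the voter encrypting a marked ballot to the poll key and signing the ciphertext, the Regulator gating what reaches chain B, the voter's hash check, and the tally once the poll private key is released. The paper fixes none of the primitives, so the following are assumptions: P-256 ECDSA and SHA-256 stand in for the secp256k1 and Keccak-256 an Ethereum deployment would use, the per-poll voting key is RSA-OAEP, the two chains are an in-memory map and slice rather than blockchain transactions, the voter's public key travels with the vote so that anyone can check the signature against the address, and when one address posts twice the first posted vote is the one counted. The ballot strings, the "Ballot B2" label and the `Demo` scenario (two registered voters, one replayed vote, one unregistered key) are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"slices"
)

// Assumptions the paper leaves open: P-256 ECDSA and SHA-256 stand in for Ethereum's
// secp256k1/Keccak-256, the poll key is RSA-OAEP, and both chains are in-memory stand-ins.
type ChainAEntry struct { // posted by the Verifier (3c), keyed by voter address
	Ballot      string // regional ballot this address is to receive (3d, section 7)
	VerifierSig []byte // over address||ballot
}
type ChainBEntry struct { // posted by the Ballot Regulator (3d)
	Address    string
	VoterPub   *ecdsa.PublicKey // lets anyone check VoterSig against Address
	Ciphertext []byte           // marked ballot encrypted to the poll's public key
	VoterSig   []byte
}
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func digest(b []byte) []byte { h := sha256.Sum256(b); return h[:] }
func NewKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// Address hashes the public key; its low 20 bytes identify the voter (3b).
func Address(pub *ecdsa.PublicKey) string {
	return hex.EncodeToString(digest(elliptic.Marshal(pub.Curve, pub.X, pub.Y))[12:])
}

// Register: the Verifier signs (address, ballot) onto chain A; personal data stays elsewhere.
func Register(verifier *ecdsa.PrivateKey, chainA map[string]ChainAEntry, addr, ballot string) {
	sig := must(ecdsa.SignASN1(rand.Reader, verifier, digest([]byte(addr+ballot)))) // addr is fixed-length hex
	chainA[addr] = ChainAEntry{ballot, sig}
}

// Cast encrypts the marked ballot to the poll key and signs the ciphertext; the receipt is the hash the voter keeps.
func Cast(voter *ecdsa.PrivateKey, pollPub *rsa.PublicKey, choices string) (ChainBEntry, string) {
	ct := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, pollPub, []byte(choices), nil))
	sig := must(ecdsa.SignASN1(rand.Reader, voter, digest(ct)))
	return ChainBEntry{Address(&voter.PublicKey), &voter.PublicKey, ct, sig}, hex.EncodeToString(digest(ct))
}

// Valid is the Regulator's gate onto chain B and is re-applied at tally time: chain A holds
// the address under a valid Verifier signature, the key hashes to it, and it signed the vote.
func Valid(chainA map[string]ChainAEntry, verifierPub *ecdsa.PublicKey, e ChainBEntry) bool {
	a, ok := chainA[e.Address]
	return ok && ecdsa.VerifyASN1(verifierPub, digest([]byte(e.Address+a.Ballot)), a.VerifierSig) &&
		Address(e.VoterPub) == e.Address && ecdsa.VerifyASN1(e.VoterPub, digest(e.Ciphertext), e.VoterSig)
}

// OnChain is the voter's own check: the locally kept receipt against what was posted.
func OnChain(chainB []ChainBEntry, receipt string) bool {
	return slices.ContainsFunc(chainB, func(e ChainBEntry) bool { return hex.EncodeToString(digest(e.Ciphertext)) == receipt })
}

// Tally runs once the poll private key is published, so anyone can do it. Entries failing
// Valid, not decrypting under this poll's key, or repeating an address are ignored.
func Tally(chainA map[string]ChainAEntry, verifierPub *ecdsa.PublicKey, chainB []ChainBEntry, pollPriv *rsa.PrivateKey) map[string]int {
	counts, seen := map[string]int{}, map[string]bool{}
	for _, e := range chainB {
		pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, pollPriv, e.Ciphertext, nil)
		if err != nil || seen[e.Address] || !Valid(chainA, verifierPub, e) {
			continue
		}
		seen[e.Address] = true // assumption: the first posted vote per address counts
		counts[string(pt)]++
	}
	return counts
}

// Demo runs one poll and returns the tally, voter 1's receipt check and the number of posted entries.
func Demo() (map[string]int, bool, int) {
	verifier, v1, v2, stranger := NewKey(), NewKey(), NewKey(), NewKey()
	pollPriv := must(rsa.GenerateKey(rand.Reader, 2048)) // fresh pair for every poll
	chainA, chainB := map[string]ChainAEntry{}, []ChainBEntry{}
	Register(verifier, chainA, Address(&v1.PublicKey), "Ballot B2")
	Register(verifier, chainA, Address(&v2.PublicKey), "Ballot B2")
	e1, receipt := Cast(v1, &pollPriv.PublicKey, "president=A;senate=X")
	e2, _ := Cast(v2, &pollPriv.PublicKey, "president=B;senate=X")
	replay, _ := Cast(v1, &pollPriv.PublicKey, "president=B;senate=X")
	bogus, _ := Cast(stranger, &pollPriv.PublicKey, "president=A;senate=X")
	for _, e := range []ChainBEntry{e1, e2, replay, bogus} {
		if Valid(chainA, &verifier.PublicKey, e) { // the Regulator's gate
			chainB = append(chainB, e)
		}
	}
	return Tally(chainA, &verifier.PublicKey, chainB, pollPriv), OnChain(chainB, receipt), len(chainB)
}
func main() { fmt.Println(Demo()) }
```

`Demo` posts three of the four submitted entries (the unregistered key never passes `Valid`), voter 1 finds its receipt on chain B, and the tally after key release is one vote for each candidate because the replayed second vote from voter 1 is dropped. A ciphertext altered after signing fails `Valid`, which is the property behind the voter's hash check. One consequence of 3e is visible in `Tally`: once `pollPriv` is public, every vote on chain B is readable next to its address, so the scheme's anonymity rests entirely on the address never being linked back to the registration record.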
4. Registration and Verification
This section describes how voters register to vote in the election and how the voter interacts with the verification system. Registration can be completed directly within the Vote Chain mobile or web application. Because Vote Chain is lightweight, public systems for general use will be easy to set up, and we recommend that schools, libraries and other public buildings be made available for this purpose. This would include notifying the public of the change (through public service announcements) as well as training personnel in those facilities to help the public.
Registering to vote with Vote Chain involves first providing enough identification information to be verified as a registered voter, and second providing multifactor authentication data for logging back in when it is time to vote. Initial registration requires at minimum name, address, date of birth and one of: SSN (or non-US equivalent), government ID, or government mail showing both name and address. Registrants then create a PIN and may optionally set up further methods of identification for logging in when it is time to vote: keystroke dynamics, a phone call or SMS, a face picture, or a unique code received by postal mail.
Identity verification works much like existing online systems in the U.S., where the entered personal information is automatically compared against existing government databases. Our system goes a step further by taking advantage of biometrics and readily available cameras. For example, submitting a picture, although not required, gives the verification system the option of falling back to a real person for comparison.
Keystroke dynamics is a particularly good biometric method because it requires no hardware beyond a traditional PC or laptop. It also offers a high level of consistency for words an individual types regularly [6]. The voter does not even need to know that keystroke metrics are being collected; it happens in the background without further interaction from them, during a traditional login form or while entering personal information.
5. Voting Under Duress
The electoral process lets individuals exercise the freedom to make important choices. The freedom referred to here is more than the chance to cast a vote; it is the expression of personal choice, and no one may force an individual to vote against their will. Moving the electoral process online makes voters vulnerable to coercion and manipulation at the moment they fill in their ballots. Because a vote can be cast almost anywhere, there are no physical protections like those of a polling precinct to shield people from voting under duress.
To address this, a panic password is included in the voting system. Panic passwords gained traction as a safety measure for ATM transactions. ATM designers have focused on securing the system against unauthorized access by malicious parties, but those mechanisms do nothing against coerced authentication, when armed thieves put a person at an ATM in serious physical danger. A panic password addresses this: it is a special password or set of actions that signals to the server and the authorities that the user is under duress.
Vote Chain adopts a panic password scheme based on SafePass [3]. This scheme does not require the user to remember two separate passwords, a real one and a panic one. SafePass only requires the user to have one four-digit numeric PIN as their password (p = d1d2d3d4). To trigger the panic PIN p*, the user changes the fourth digit d4 of the regular PIN (p* = d1d2d3d4*). The voter is required to enter the PIN twice to avoid false alarms from simple typos.
When voting under duress, the user enters the panic PIN p* when casting a vote. This signals to the system that the user is voting under duress and that their vote should be invalidated. To avoid making the attacker suspicious when the panic PIN is triggered, the voting process proceeds normally and a prompt appears stating that the vote was transmitted and cast. In the back end, the vote cast by the user is tagged invalid and is not counted towards the overall results.
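The SafePass-style check described above, as an added example in Go that is not part of the original paper: enrollment stores the real PIN p = d1d2d3d4 and the panic PIN p* = d1d2d3d4*, the double entry guards against typos, and a duress login produces the same on-screen message as a normal login while the back end tags the vote invalid. Assumptions the paper does not fix: the voter chooses the panic digit at enrollment (the text only says the fourth digit is changed), both PINs are stored salted and hashed with iterated HMAC-SHA256 standing in for a real password KDF, and the demo PIN 4821, its panic digit 7, the ballot string and the on-screen messages are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"regexp"
)

// Outcome of one PIN entry. Only the back end sees Normal vs Duress; the response
// shown to the voter is identical for both (section 5).
type Outcome int

const (
	Rejected Outcome = iota
	Normal
	Duress
)

// Record is what the server keeps per voter. Assumptions not in the paper: both PINs
// are stored salted and hashed, and the voter picks the panic digit at enrollment.
type Record struct {
	Salt, RealHash, PanicHash []byte
}

// hashPIN is iterated HMAC-SHA256, a stand-in for a proper password KDF. A four-digit
// PIN has only 10,000 values, so this slows guessing but cannot replace attempt limits.
func hashPIN(salt []byte, pin string) []byte {
	h := []byte(pin)
	for i := 0; i < 5000; i++ {
		m := hmac.New(sha256.New, salt)
		m.Write(h)
		h = m.Sum(nil)
	}
	return h
}

var fourDigits = regexp.MustCompile(`^[0-9]{4}$`)

// Enroll stores p = d1d2d3d4 and the panic PIN p* = d1d2d3d4*, which differs from p
// only in its fourth digit. Neither PIN is kept in the clear.
func Enroll(pin string, panicDigit byte) (Record, error) {
	if !fourDigits.MatchString(pin) || panicDigit < '0' || panicDigit > '9' || panicDigit == pin[3] {
		return Record{}, errors.New("PIN must be four digits; panic digit must be a digit other than d4")
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return Record{}, err
	}
	return Record{salt, hashPIN(salt, pin), hashPIN(salt, pin[:3]+string(panicDigit))}, nil
}

// Check requires the PIN twice (the paper's typo guard) and classifies the attempt.
// Both comparisons always run, so timing does not reveal which hash matched.
func Check(rec Record, first, second string) Outcome {
	if first != second || !fourDigits.MatchString(first) {
		return Rejected
	}
	h := hashPIN(rec.Salt, first)
	matchReal := subtle.ConstantTimeCompare(h, rec.RealHash) == 1
	matchPanic := subtle.ConstantTimeCompare(h, rec.PanicHash) == 1
	if matchReal {
		return Normal
	}
	if matchPanic {
		return Duress
	}
	return Rejected
}

// Vote is the back-end record of a cast ballot; Valid is false for a duress vote.
type Vote struct {
	Ballot string
	Valid  bool
}

// CastVote returns the message shown to the voter and the back-end record. The duress
// message is byte-for-byte the normal one, so a coercer watching the screen learns
// nothing; the vote is only tagged invalid and left out of the tally.
func CastVote(rec Record, first, second, ballot string) (string, *Vote) {
	switch Check(rec, first, second) {
	case Normal:
		return "Your vote has been transmitted and cast.", &Vote{ballot, true}
	case Duress:
		return "Your vote has been transmitted and cast.", &Vote{ballot, false}
	}
	return "PIN incorrect. Please try again.", nil
}

func main() {
	rec, _ := Enroll("4821", '7') // constructed demo PIN, so the panic PIN is 4827
	for _, pin := range []string{"4821", "4827", "4825"} {
		msg, v := CastVote(rec, pin, pin, "president=A")
		fmt.Printf("%s -> %q counted=%v\n", pin, msg, v != nil && v.Valid)
	}
}
```

Two things the code makes explicit that the prose leaves implicit: the comparison against both stored hashes always runs, so response time does not tell a coercer which PIN was typed, and a fourth digit other than the enrolled panic digit is simply rejected, so a coercer guessing at the last digit cannot trigger a silent nullification. The cost of the design is also visible: a duress vote is discarded rather than replaced, so the coerced voter's ballot for that poll does not count.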
6. Abstention Voting / Undecided
Undecided voters are still given the opportunity to exercise their right to vote. Vote Chain therefore offers an explicit choice to abstain. A vote to abstain is counted as a non-vote [4], but the act of voting to abstain still lets these voters take part in the electoral process rather than being lumped in with the ambiguous opinion of those who did not vote at all [5].
Furthermore, an abstain option on the ballot lets voters still vote for the offices where they have a candidate to choose. For example, a voter can vote for a candidate for the U.S. Congress while abstaining on the Presidency.
7. Voting Aftermath: Accounting for Privacy and the Availability of Interim Results
An important part of managing the aftermath of a new high-tech voting system is managing the public's expectations from the start. Public service announcements and marketing campaigns will be needed to show why the new system is necessary and how it is easier and more trustworthy for the average voter. For the more technical or security-minded, detailed instructions will be provided on how to participate in the blockchain by running a full node (rather than just the hybrid voting application). Clear instructions on how anyone can verify their vote will also need to be published.
When the polls close, it is time to release the private voting key and tally the votes. The key will be pushed to all connected applications and published through multiple public channels. Instructions and open-source software will be available so that anyone can independently count the vote; advanced users running nodes can do this themselves, since counting the decrypted votes in the blockchain database is trivial.
Many countries have voting regulations that require some form of tallying beyond a simple "popular vote", as in regional systems like the United States' Electoral College. This is handled easily in Vote Chain and adapts to many countries' differing requirements. When the Verifier adds the voter's blockchain address to Blockchain A, it also adds the relevant regional ballot information. This could be location information such as a municipality, or more structured information such as "Ballot B2". When the Ballot Regulator issues the voter's ballot, it can then ensure it is sending the regionally correct one. This still preserves anonymity, since the voter's true identity is not recorded on the chain; only the blockchain address is.
8. Security Concerns
There are many additional security concerns in creating a large public system such as this one. Following the guidance of security frameworks such as ITU-T X.805 and ISO/IEC 27001 [12] is a crucial step in securing such a system. Although fully defining compliance with these frameworks is outside the scope of this document, we highlight several key points.
One such point is the X.805 management security plane. All security layers within it (infrastructure, services, applications) will need protection from both internal and external threats. Certain employees will need access to complete management tasks such as software updates and hardware provisioning. At a minimum, the system should employ access control lists (ACLs), two-factor authentication (2FA) and non-repudiation techniques to mitigate these threats.
Figure 1 – X.805 Management Plane
A separate but related point is ISO 27001 clause 5.2.2, Training, awareness and competence. Anyone who works on this system should be properly trained and deemed competent to perform their duties. Furthermore, each person's training and competency must be recorded and evaluated for efficacy.
All components also use asymmetric keys for secure communication. The private voting key that the Ballot Regulator eventually releases is not to be used for any function whatsoever other than decrypting the votes after the election.
[Figure 1 shows the X.805 grid: security layers (Infrastructure, Services, Applications) crossed with security planes (Management, Control/Signaling, User), giving Modules One through Nine.]
9. Conclusion
There are many issues, both technical and social, to consider when planning a public voting system like this one. This early model has tried to tackle some of the biggest while keeping in sight that the system must be usable and accessible to the general public. Only persons verified to vote have access, since only the Verifier can sign and add them to the blockchain. Voters vote anonymously, since only their blockchain address appears on the verified voter list. Voters can check their vote by comparing the hash of their encrypted ballot, computed on their own device, with what is published on the blockchain, while the same encryption prevents interim tallying. Panic PINs let voters under duress nullify their vote, while undecided voters either stay out of the system or cast an abstaining ballot. When voting is complete, anyone in the world can independently check each vote's authenticity and tally the result. More research and development is certainly needed before a system like this can be put fully into place, but solving these issues brings secure, fair and democratic digital voting closer to reality.
Appendix A – Functional Decomposition Diagram
Vote Chain Functional Decomposition diagram
Appendix B – Registration and Voting Data Flow Diagram
Data Flow Diagram (DFD) for Functions 1 & 2: Registration and Voting
Appendix C – Voter Registration IDEF0 Diagrams
This section provides selected IDEF0 diagrams for Function 1 – Voter Registration.
Figure 1: System Level IDEF0 A0 of Function 1 – Voter Registration
Figure 2 System level IDEF0 of Function 1 – Voter Registration
Figure 3: Function 1 IDEF0
Appendix D - References
[1] What's the difference between a wallet and an address? Retrieved September 29, 2016, from http://bitcoin.stackexchange.com/questions/13059/whats-the-difference-between-a-wallet-and-an-address
[2] Running A Full Node. Retrieved September 29, 2016, from https://bitcoin.org/en/full-node#what-is-a-full-node
[3] S. Hameed, S. A. Hussain and S. H. Ali, "SafePass: Authentication under duress for ATM transactions," Information Assurance (NCIA), 2013 2nd National Conference on, Rawalpindi, 2013, pp. 1-5. doi: 10.1109/NCIA.2013.6725317
[4] Yes No Abstain Voting. Retrieved September 26, 2016, from http://c2.com/cgi/wiki?YesNoAbstainVoting
[5] Glassman, S., & Vanitzian, D. (2004, December 05). Abstaining isn't same as voting 'no'. Retrieved September 27, 2016, from http://articles.latimes.com/2004/dec/05/realestate/re-associations5
[6] Keystroke Dynamics for User Authentication. (n.d.). Retrieved September 27, 2016, from http://www.cse.msu.edu/rgroups/biometrics/Publications/SoftBiometrics/ZhongDengJain_KeystrokeDynamicsUserAuthentication_CVPR12biometricworkshop.pdf
[7] BlockCypher. Retrieved September 29, 2016, from https://dev.blockcypher.com/eth/
[8] Electronic Voting - Arguments in Favor. (n.d.). Retrieved September 27, 2016, from https://cs.stanford.edu/people/eroberts/cs181/projects/2006-07/electronic-voting/index_files/page0001.html
[9] Voting Equipment in the United States. (2015). Retrieved September 28, 2016, from https://www.verifiedvoting.org/resources/voting-equipment/
[10] Ethereum Blockchain as a Service now on Azure. (n.d.). Retrieved September 28, 2016, from https://azure.microsoft.com/en-us/blog/ethereum-blockchain-as-a-service-now-on-azure/
[11] The trust machine. (2015). Retrieved September 28, 2016, from http://www.economist.com/news/leaders/21677198-technology-behind-bitcoin-could-transform-how-economy-works-trust-machine
[12] ISO/IEC FDIS 27001: Information technology — Security techniques — Information security management systems — Requirements
[13] The Online Voting Platform of The Future - Follow My Vote. (n.d.). Retrieved September 29, 2016, from https://followmyvote.com/
[14] Cutting Edge Blockchain App Development. (n.d.). Retrieved September 29, 2016, from http://blockchaintechcorp.com/
[15] Ethereum Project. (n.d.). Retrieved September 29, 2016, from https://www.ethereum.org/