The VOLT Project: Voting On Ledger Technology
Professor Steve Schneider
Surrey Centre for Cyber Security
University of Surrey
Newton Institute
November 6th 2019
University of Surrey DLT Testbed
Surrey Blockchain
Project VOLT: Voting on Ledger Technologies
Verifiable online elections for organisations
- using DLT for verifiability
- vote secrecy
- verifiable integrity of the ballot
Corporate governance: managing voting rights
- equity crowdfunding
- smart contracts and DLT
- management of shares and associated voting rights (which can be complex)
- integrity and trust
A mix of technical and sociological questions
- Team includes Computer Scientists and Political Economists
September 2017 – May 2020
Requirements on (e)-voting systems
Secrecy of the ballot: vote privacy, fairness
(this is not always a requirement…)
Integrity of the result
(this is always a requirement)
Coercion-resistance
Security?
Verifiability?
Auditability?
Where might e-voting be used?
Political/Statutory ballots
[Not within the scope of VOLT, though longer term…]
Shareholders
Industrial action ballots
Professional societies
Building societies
Student unions
Political organisations
Proposed benefits of electronic voting
Convenience
Accessibility for visually and mobility impaired voters
Prevent or reduce accidental invalid votes (e.g. in preferential voting)
Easier for remote and inaccessible voters
Managing complexity and dynamics of elections (e.g. voting rights)
Reduces costs (perhaps…)
Increases turnout (perhaps…)
It’s the 21st Century! Who uses pencils these days?
We do everything else online (banking, dating…)
Electronic voting – what’s the problem?
Trust in the integrity of the election is critical
How do we know the result is correct?
How can we persuade others that the result is correct?
Electronic voting – what’s the problem? Cyber security
Malware or bugs on voter devices or the election servers might tamper with votes
Adversaries or insiders interfering with votes in transit or on the server
Attacks at scale easier than for physical paper-based systems
Possibility of powerful and well-resourced hostile actors
“We bank online, so why not vote online?”
If we did online banking like we do online voting:
– No receipts or records of transactions
– Transaction secret from bank, but bank still needs to manage accounts
– No bank statements
– Hard to detect, and no way of challenging mistakes (or fraud)
– You would pay the cost of any fraud on your account
– No way to change your bank if you don’t trust it (honesty or competence)
Converse: we don’t vote online so why bank online?
– Trust mechanisms; verifiability; auditability; liabilities on the bank for when things go wrong.
– Financial institutions lose money but accept it as the cost of doing business – what’s the equivalent for voting systems?
Verifiability
End to end verifiability
– Individual verifiability – the voter confirms their vote is correctly in the system
• The voter can check the record and see that their vote is correctly recorded
– Universal verifiability – the processing and tally of the votes can be independently checked
• The votes that have been recorded are correctly counted
– Needs an independent trusted tamper-proof election record – DLT
VOLT project objectives
Using DLT to put end-to-end verifiability into practice
A trusted foundation for evidence to underpin election integrity
Management of voting rights and shareholding rights more generally
New voting systems and corporate governance possibilities
Understand positives and negatives in state of the art online/blockchain voting
Working with Electoral Reform Services Ltd to include verifiability in online voting systems
Initial prototype system April 2019 based on the Selene design - now trialled in two pilot votes and two real elections
Voter experience (for the “Verify My Vote” VMV project demonstrator)
1. Voter receives login credentials, and also a commitment
2. Voter logs into the ballot system and votes in the normal way
3. After polling has closed, voter receives information to open the commitment to check their vote
4. On opening the commitment, the voter can confirm correctness of the vote that the system has recorded for them
Verifiability
The system uses cryptographic mechanisms to provide the end-to-end verifiability while preserving ballot secrecy
All verifiability evidence is posted on the DLT. This means that it can be independently checked
The design of the system rests on cryptographic commitments
Current status of VOLT project
2018: Design of VMV, for adding to ERS system
April 2019: User testing of VMV, with ERS
May – November 2019: Voter trials (in real ballots) and voter feedback
How it looks in VMV: commitments on the DLT (https://vmv.surrey.ac.uk)
[Figure: screenshot labels Encrypted Tracker, Commitment, Credentials]
Checking the vote in VMV
Complete list of votes on the DLT (result can also be checked)
The Distributed Ledger is a crucial component in VMV (The voting literature calls this a Web Bulletin Board)
- DLT solves a real problem in verifiable voting: how to make trusted commitments and how to publish verifiability evidence
- DLT holds verifiability evidence for independent checking
- DLT enables commitments ahead of the election. Voters checking need to know commitments to trackers were unchanged from the beginning
- Consensus: everyone knows that they all see the same information including decrypted votes (i.e. different voters can’t be given different views)
How does DLT help?
• Verifiability on trusted information
Summary
Verifiable voting - voters can check inclusion of their vote as cast, and can challenge the election if not.
- Verify the evidence, not the system
- Proofs of correct processing of the votes
- Integrity of the election can therefore be verified
Some outstanding issues:
- Voter comprehensibility
- Verifiability tools (verification in practice)
- Management of voter credentials
- Future-proofing privacy (cf everlasting privacy) – on chain vs off chain information
Commitments
Commitments for voters
Each voter has a secret key
The system creates a commitment to a tracker number for the voter. Think of this as the tracker number inside a box with a door that can only be opened with the secret key
The tracker number is not visible when the box is closed
Door image courtesy of www.clipart.email
The tracker number is not visible until the box is opened
The box and the door can be separated
The box without the door is completely sealed
Making a commitment
The box is given to the voter before the election starts (and posted on the DLT)
So the system cannot change the tracker number: it is committed to use that tracker number for that voter.
But the door will not be provided until after the election
So the voter cannot find out the tracker number at the beginning
Voting envelopes
Voting envelope
A different voting envelope is prepared for each voter
It contains the tracker number for that voter
The tracker number is not visible externally
Only the election authorities have the key to open the envelope
Running the election
Before the election: Election setup
The following information is committed before the election begins:
• The election public key
• List of tracker numbers (e.g. 1, 12, 37, 64, 85)
• And for each voter (but anonymously):
• Voter’s cryptographic credentials
• Voting envelope
• Commitment box given to the voter (door not given out yet)
• Proofs of correctness (e.g. that the envelope matches the commitment)
DLT Contents on Setup
[Figure: DLT table with columns Voter Credentials, Voting Envelope, Commitment, Vote]
How it looks in VMV: contents of the DLT (https://vmv.surrey.ac.uk)
[Figure: screenshot labels Voting Envelope, Commitment, Credentials]
Voting
When the voter casts their vote it is added to the contents of their envelope
The vote is not visible externally
During the election
Votes are cast: included into the voting envelopes
DLT Contents after votes have been cast
[Figure: DLT table with columns Voter Credentials, Voting Envelope, Commitment, Vote]
After the election: results published with trackers
The envelopes are shuffled, opened with the election key, and the votes and tracker numbers are obtained and published
Shuffling breaks the link between decrypted votes and the votes in the voting envelopes. This gives anonymity
Tracker Vote
1 Ann
12 Ann
37 Bob
64 Bob
85 Ann
After the election
Voters are sent their doors to open their commitments
Vote checking
The voter can check that the vote they cast matches the vote against their tracker number in the published table
Tracker Vote
1 Ann
12 Ann
37 Bob
64 Bob
85 Ann
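Added example (not from the original slides or the VMV code base): a toy Python sketch of the box-and-door commitment and the voter's check against the published table, assuming the Selene-style construction box = pk^r * g^tracker and door = g^r. The group parameters and all function names are constructed for illustration, and the group is far too small for real use.

```python
import secrets

# Constructed toy group, far too small for real use: P = 2*Q + 1, G has prime order Q.
P, Q, G = 2879, 1439, 4
TRACKERS = [1, 12, 37, 64, 85]                      # tracker list from the slides
PUBLISHED = {1: "Ann", 12: "Ann", 37: "Bob", 64: "Bob", 85: "Ann"}  # published table

def keygen():
    """Voter's secret key x and public key g^x (hypothetical helper)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def commit(pk, tracker):
    """System side: box = pk^r * g^tracker is published at setup,
    door = g^r is withheld until after the election."""
    r = secrets.randbelow(Q - 1) + 1
    box = pow(pk, r, P) * pow(G, tracker, P) % P
    door = pow(G, r, P)
    return box, door

def open_box(box, door, x):
    """Voter side: door^x equals pk^r, so dividing it out leaves g^tracker."""
    g_n = box * pow(pow(door, x, P), -1, P) % P
    lookup = {pow(G, n, P): n for n in TRACKERS}
    return lookup.get(g_n)          # None if it matches no listed tracker

def check_vote(box, door, x, cast_vote):
    """Compare the vote published against the opened tracker with the vote cast."""
    tracker = open_box(box, door, x)
    return tracker is not None and PUBLISHED.get(tracker) == cast_vote

def demo():
    x, pk = keygen()
    box, door = commit(pk, 64)              # setup: box goes on the ledger
    tracker = open_box(box, door, x)        # after polling: door arrives
    return tracker, check_vote(box, door, x, "Bob"), check_vote(box, door, x, "Ann")

if __name__ == "__main__":
    print(demo())
```

Because the box is fixed on the ledger before voting starts, a box altered afterwards no longer opens to the voter's tracker with the same door and secret key.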