Vote Chain: Secure Democratic Voting

2016

Rutgers Professional Science Master’s Program
Christopher Dougherty, Hammad Khan, Jason Occidental

Economist Case Study Challenge


Contents

1. Introduction (page 2)
2. Vote Chain Overview (page 3)
3. Vote Chain System Architecture (page 3)
3a. Overview of Proof of Concept (page 3)
3b. Initialization (page 4)
3c. Voter Registration (page 5)
3d. Casting a Vote and the Availability to Check Votes (page 5)
3e. Tallying (page 6)
4. Registration and Verification (page 6)
5. Voting Under Duress (page 8)
6. Abstention Voting / Undecided (page 9)
7. Voting Aftermath: Accounting for Privacy and the Availability of Interim Results (page 9)
8. Security Concerns (page 10)
9. Conclusion (page 11)
Appendix A – Functional Decomposition Diagram (page 13)
Appendix B – Registration and Voting Data Flow Diagram (page 14)
Appendix C – Voter Registration IDEF0 Diagrams (page 15)
Appendix D – References (page 17)


1. Introduction

Elections have the power to change the fate of nations and deeply influence the livelihood of their citizens. As technology evolves, it has become imperative to use it to address ethical concerns and to introduce transparency throughout the voting process [8]. Although electronic voting machines are steadily becoming the norm around the world, there are concerns attached to them. A voting system that addresses voter issues and increases the legitimacy of the process has the potential to increase voter confidence and ensure that the process is of the most democratic nature [8].

Many states in the United States use voting machines that are over a decade old and are becoming expensive to maintain because of the volunteers and government buildings required to run the voting booths [9]. The voting process in other countries can be worse. A voting system built on blockchains could solve some of these issues: it could eliminate the possibility of more votes than registered voters (thus tackling voter fraud), introduce audit reports that can be audited by the masses, and enhance transparency.

Blockchains act as public ledgers (distributed databases) that anyone can audit but no one can truly control. The blocks in a blockchain system keep the database updated according to rules and consensus [11]. Any attempt to tamper with the data in a blockchain is easily noticed, because the tampered data won’t match the previously synchronized records in the blockchain. Although its first major application was Bitcoin, the technology has gained traction since, and many companies are using blockchain methodology to develop new products. Recently, Microsoft introduced Ethereum Blockchain as a Service (EBaaS) on its Azure platform [10].


Some companies like “Follow My Vote” [13] and “Blockchain Technologies Corp” [14] have started to introduce the idea of voting with blockchains, although these do not address several of the goals outlined below. This is why we created Vote Chain, a system that harnesses the security of blockchains but extends it to meet the needs of a public democratic voting process.

2. Vote Chain Overview

The main goal of Vote Chain is to develop a national online electoral system using the blockchain algorithm. Although blockchains offer a lot in terms of information integrity, a blockchain alone only deals with how the database is protected from malicious manipulation before the results are posted. Areas for improvement include voter registration and verification, voting under duress, voting undecided, and the release of election results. Addressing these issues allows our system, Vote Chain, to be adaptive to civil issues as well as ensuring data security.

3. Vote Chain System Architecture

3a. Overview of Proof of Concept

This section provides a high-level technical overview of the Vote Chain system architecture. Please see the appendices for functional and data flow diagrams. Specific concerns and how they relate to our goals are addressed in the following sections. The system model we have designed can be implemented in many different ways. We have selected the Ethereum network [15] as a suitable basis for our research and proof of concept; however, a real implementation of this system could use any blockchain protocol that is capable of these functions.

The Vote Chain system contains four primary components: Voter, application server, Verifier and Ballot Regulator. Each component has a private/public key pair that is used throughout several steps in the voting process. The Voter runs a secure mobile or web application that communicates with the voting application server. The Verifier’s job is to assess the identity of each voter and validate them against existing external government/voter registration databases. The Ballot Regulator is a system running a node on the blockchain, and is responsible for ensuring that voters have been validated by the Verifier, that voters receive the correct ballot, and for submitting the completed ballot to the blockchain.

The application server provides a scalable infrastructure for the voting applications. An alternative approach would be to require every voter to run a full blockchain node in order to participate. This is not feasible or advisable on many budget or mobile devices; the minimum requirements listed for running a full Bitcoin node, for example, include 80 GB of disk space, an unmetered internet connection, and a minimum of 6 hours a day running at full capacity [2]. Steep requirements like these would leave many voters behind and ultimately undermine the advantages of this voting system. Lightweight node clients are under development; however, many of these must connect back to a full node anyway. Our approach utilizes existing and well-known web/application server technology, reducing the need for extra specialized personnel and developers. There is an existing precedent for hybrid web/blockchain applications like this, as showcased by companies like BlockCypher [7].

3b. Initialization

When a voter first launches the voting application, the application goes through an initialization stage. This important stage sets the voter up with their asymmetric key pair, consisting of a private key and a public key. The public key is then hashed and used as an address. The address is an identifier used to uniquely identify the senders and recipients in any blockchain transaction [1].


3c. Voter Registration

Next, the voter creates a profile in Vote Chain containing their personal identification information. This information is sent as a request to the Verifier (via the application server). The registration section contains more detailed information about what personal information is required and how verification occurs. The Verifier then uses this information to positively identify the requester as a registered voter; it may access an external government voter registration database if necessary. The Verifier additionally fetches the appropriate regional ballot information for the voter.

If a voter is positively verified, the Verifier saves their personal information as registered (but not their address). The Verifier then digitally signs and posts the voter’s address and ballot information to Blockchain A (but no personal information). Blockchain A now contains transactions signed by the Verifier whose data lists the addresses allowed to vote. This separation of voter address and personal information is crucial to maintaining anonymity when casting a vote.

3d. Casting a Vote and the Availability to Check Votes

When it comes time to cast a vote, the voter once again launches the application and logs in to the previously registered account. The application requests a ballot from the Ballot Regulator (via the application server). The Ballot Regulator checks Blockchain A for the requesting voter’s address and ensures it is signed by the Verifier. If the address does exist on Blockchain A, the Ballot Regulator sends the voter the appropriate regional ballot. The voter marks their responses. Before submitting the ballot, the voting application encrypts the vote using the Ballot Regulator’s public voting key. This is part of a special asymmetric key pair that the Regulator uses only for the votes, and only once per open voting period (e.g. election cycle). The application sends the encrypted vote, digitally signed, back to the Ballot Regulator. The Regulator then posts the vote to Blockchain B. (Side note: Blockchains A and B could be on the same blockchain. We have named them separately for clarity in describing this model.) The voter, or anyone worldwide running a node, may now verify that this signed and encrypted vote is posted to Blockchain B. Only the Regulator has the private key to decrypt each vote, but since each voter encrypted their own vote, they can check its hash against Blockchain B to ensure their vote made it intact. No tallying is possible at this point, since every vote is encrypted.

3e. Tallying

Once the voting period is closed, we must be able to tally the votes within Vote Chain. To accomplish this, the Ballot Regulator now publicly releases the private voting key. It is critical to note here that this voting key pair is not used for any server maintenance, administration, communication or any function other than encrypting the votes from this specific poll. With this private voting key released, anyone with access to Blockchain B can now decrypt and tally the votes. The voting key pair is regenerated for every poll, and only the valid, signed votes encrypted using that specific key are counted. Anything else added to the blockchain will be ignored.

4. Registration and Verification

This section describes voters registering to vote in the election as well as the interactions between the voter and the verification system. Registration can be completed directly within the Vote Chain mobile or web application. Due to the lightweight nature of Vote Chain, it will be easy to set up public systems for general use, and we recommend that schools, libraries, and other public buildings be made available for this use. This would include both notifying the public of the change (through Public Service Announcements) and training personnel in those facilities on how to help the public.

Registration to vote using Vote Chain involves first providing enough identification information to be verified as a registered voter, and secondly providing secure multifactor authentication data points for logging back in when it’s time to vote. Initial registration requires a minimum of name, address, date of birth and one of: SSN (or non-US equivalent), government ID, or government mail showing both name and address. Registrants then create a PIN, and have the option of setting up further methods of identification for logging in when it’s time to vote. These options include keystroke dynamics, phone or SMS, a face picture, or receiving a unique code via postal mail.

Verification of identity occurs similarly to existing online systems in the U.S., where the entered personal information is automatically compared against existing government databases. Our system takes it a step further, however, with the availability of biometrics and readily available cameras. For example, although not required, submitting a picture gives the verification system the option to fall back to a real person for comparison.

Keystroke dynamics is a particularly good biometric method because it doesn’t require any additional hardware beyond a traditional PC or laptop configuration. It also provides a high level of consistency for words an individual types regularly [6]. The voter doesn’t necessarily have to know that keystroke metrics are being collected; it happens behind the scenes without further interaction from them. This could take place during a traditional login form, or while entering personal information.


5. Voting Under Duress

The electoral process lets individuals exercise the freedom to make important choices. The freedom referred to here is more than just the chance to cast a vote; it is the expression of personal choice. No one is allowed to force an individual to vote against his/her will. In moving the electoral process online, voters become vulnerable to coercion and manipulation once they are asked to fill in their ballots. Because it is possible to vote from almost anywhere, there are no physical security measures, similar to those of a polling precinct, that protect people from voting under duress.

As a resolution to this issue, a panic password is included in the voting system. Panic passwords gained traction as a safety measure for ATM transactions. As with the ATM system, developers and designers have focused on making the system secure from unauthorized access by malicious parties. However, these mechanisms do not help against threats to authentication under stress, when armed thieves put a person using an ATM in serious physical danger. Thus, panic passwords are used. A panic password is a special password or set of actions which can be used to signal to the server and the authorities that the user is under duress.

The system proposes a panic password scheme based on a system called SafePass [3]. This scheme does not require a user to have and remember two sets of passwords, the real password and the panic password. SafePass only requires the user to have one four-digit numeric PIN as their password (p = d1d2d3d4). To trigger the panic PIN p*, the fourth digit of the regular PIN, d4, is changed (p* = d1d2d3d4*). The voter is required to enter the PIN twice to avoid false alarms from simple typos.

When voting under duress, the user enters the panic PIN p* when casting a vote. This signals the system that this user is voting under duress and that their vote should be invalidated. To avoid making the attacker suspicious when the panic PIN is triggered, the voting process proceeds and a prompt informing the user that the vote was transmitted and cast will appear. In the back end, the vote cast by the user will be tagged invalid and will not be counted towards the overall results.

6. Abstention Voting / Undecided

Undecided voters will still be given the opportunity to exercise their right to suffrage. Vote Chain chooses to implement the choice of abstention for voters. A vote to abstain is to be counted as a non-vote [4]. The act of voting to abstain still provides the opportunity to participate in the electoral process, rather than lumping these voters in with the ambiguous opinion of those who didn’t vote at all [5].

Furthermore, having the option to abstain on the ballot gives voters the opportunity to still vote for positions in which they have a candidate to choose. For example, users can vote for a candidate for the US Congress while abstaining from choosing a candidate for the Presidency.

7. Voting Aftermath: Accounting for Privacy and the Availability of Interim Results

An important part of controlling the aftermath of a high-tech new voting system is managing the public’s expectations from the start. There will need to be Public Service Announcements as well as marketing campaigns showcasing how the new system is needed, easier and more trustworthy for the average voter. For the more technical or security-minded, detailed instructions on how to participate in the blockchain by running a full node will be provided (as opposed to just running the hybrid voting application). Clear instructions on how anyone can verify their vote will also need to be published.


When the polls close, it will be time to release the private voting key and tally the votes. The key will be pushed to all connected applications, as well as published through multiple public channels. Instructions as well as open source software applications will be available allowing anyone to independently count the vote; advanced users running nodes can optionally do this themselves, as counting the decrypted votes in the blockchain database is trivial.

Many countries have voting regulations that require some form of tallying beyond a simple “popular vote,” as seen in regional systems like the United States’ Electoral College. This is handled quite easily in this system, and is adaptable to many countries’ differing requirements. When the Verifier adds the voter’s blockchain address to Blockchain A, it additionally adds relevant regional ballot information. This could include location information like a municipality, or more structured information like “Ballot B2.” When the Ballot Regulator goes to give the voter their ballot, it will be able to ensure it is sending the regionally correct one. This still preserves anonymity, as the voter’s true identity is obscured, saving only the blockchain address.

8. Security Concerns

There are many additional security concerns in creating a large, public system such as this. Following the guidelines of security frameworks such as ITU-T X.805 and ISO/IEC 27001 [12] is a crucial step in securing such a system. Although fully defining compliance with these frameworks is outside the scope of this document, we will highlight several key points.

One such point is the X.805 management security plane. All security layers within it (infrastructure, services, applications) will need protection from both internal and external threats. Certain employees will need access to complete management tasks such as software updates and hardware provisioning. The system should employ, at a minimum, access control lists (ACLs), two-factor authentication (2FA) and non-repudiation techniques to help mitigate these threats.

Figure 1 – X.805 Management Plane. (Figure not reproduced; it crosses the Infrastructure, Services and Applications layers with the Management, Control/Signaling and User planes, labelling the nine intersections Module One to Module Nine.)

A separate but related point is ISO 27001 clause 5.2.2: Training, awareness and competence. Anyone who works on this system should be properly trained and deemed competent to perform their duties. Furthermore, the training and competency of each person needs to be recorded and evaluated for efficacy.

All systems also use asymmetric encryption keys for secure communication. The private voting key that is to be released by the Ballot Regulator is not to be used for any function whatsoever other than decrypting the votes after the election process.

9. Conclusion

There are a lot of issues, both technical and social, to consider when planning a public voting system like this. This early model has attempted to tackle some of the biggest, while keeping in sight that it needs to be usable and accessible to the general public. We can be sure that only persons who are verified to vote have access, as only the Verifier can sign and add them to the blockchain. Voters will be voting anonymously, as only their blockchain address is on the verified voters list. Voters can check their vote by comparing encryption hashes computed on their own devices against what is published on the blockchain, while this encryption also prevents interim tallying. Panic PINs help voters under duress nullify their vote, while undecided voters will either not be in the system at all or have the option to cast an undecided ballot. When all voting is complete, anyone in the world will have the ability to independently check and tally each vote’s authenticity. We can be sure that there is more research and development to be done before a system like this can be fully put into place, but solving these issues undoubtedly brings us closer to making secure, fair and democratic digital voting a reality.


Appendix A – Functional Decomposition Diagram

Vote Chain Functional Decomposition diagram


Appendix B – Registration and Voting Data Flow Diagram

Data Flow Diagram (DFD) for Functions 1 & 2: Registration and Voting


Appendix C – Voter Registration IDEF0 Diagrams

This section provides selected IDEF0 diagrams for Function 1 – Voter Registration.

Figure 1: System Level IDEF0 A0 of Function 1 – Voter Registration

Figure 2: System Level IDEF0 of Function 1 – Voter Registration


Figure 3: Function 1 IDEF0


Appendix D – References

[1] What's the difference between a wallet and an address? Retrieved September 29, 2016, from http://bitcoin.stackexchange.com/questions/13059/whats-the-difference-between-a-wallet-and-an-address

[2] Running A Full Node. Retrieved September 29, 2016, from https://bitcoin.org/en/full-node#what-is-a-full-node

[3] S. Hameed, S. A. Hussain and S. H. Ali, "SafePass: Authentication under duress for ATM transactions," Information Assurance (NCIA), 2013 2nd National Conference on, Rawalpindi, 2013, pp. 1-5. doi: 10.1109/NCIA.2013.6725317

[4] Yes No Abstain Voting. Retrieved September 26, 2016, from http://c2.com/cgi/wiki?YesNoAbstainVoting

[5] Glassman, S., & Vanitzian, D. (2004, December 05). Abstaining isn't same as voting 'no'. Retrieved September 27, 2016, from http://articles.latimes.com/2004/dec/05/realestate/re-associations5

[6] Keystroke Dynamics for User Authentication. (n.d.). Retrieved September 27, 2016, from http://www.cse.msu.edu/rgroups/biometrics/Publications/SoftBiometrics/ZhongDengJain_KeystrokeDynamicsUserAuthentication_CVPR12biometricworkshop.pdf

[7] BlockCypher. Retrieved September 29, 2016, from https://dev.blockcypher.com/eth/

[8] Electronic Voting - Arguments in Favor. (n.d.). Retrieved September 27, 2016, from https://cs.stanford.edu/people/eroberts/cs181/projects/2006-07/electronic-voting/index_files/page0001.html

[9] Voting Equipment in the United States. (2015). Retrieved September 28, 2016, from https://www.verifiedvoting.org/resources/voting-equipment/

[10] Ethereum Blockchain as a Service now on Azure. (n.d.). Retrieved September 28, 2016, from https://azure.microsoft.com/en-us/blog/ethereum-blockchain-as-a-service-now-on-azure/

[11] The trust machine. (2015). Retrieved September 28, 2016, from http://www.economist.com/news/leaders/21677198-technology-behind-bitcoin-could-transform-how-economy-works-trust-machine

[12] ISO/IEC FDIS 27001: Information technology — Security techniques — Information security management systems — Requirements

[13] The Online Voting Platform of The Future - Follow My Vote. (n.d.). Retrieved September 29, 2016, from https://followmyvote.com/

[14] Cutting Edge Blockchain App Development. (n.d.). Retrieved September 29, 2016, from http://blockchaintechcorp.com/

[15] Ethereum Project. (n.d.). Retrieved September 29, 2016, from https://www.ethereum.org/