The Economist Cyber Security
Case Study Competition 2016
VOTEX
A BLOCKCHAIN VOTING SYSTEM
Jonathan Homer | Jonathan Prutow | Reza Mehran-Nejad
George Mason University
2016
User Experience: In the near future, election day is approaching. Riley desires to be an
engaged citizen. While waiting to order food, Riley sees one of the many “VOTE!” posters. Riley
pulls out a smartphone and scans the QR code and registers to vote. On election day, Riley’s
phone displays a reminder that it’s voting day. Riley opens the voting app and in less than a
minute casts a vote. Later that day, Riley is notified that the vote was accepted and counted.
After the election concludes, the encryption keys are published, and independent news sites and
citizens alike are able to count the anonymous ballots for themselves, offering transparency and
validation of the official election results.
1.0 Introduction
Despite being one of the oldest modern democracies in the world,[1] voter turnout in the
United States is lower than nearly all other developed countries.[2] From 1984 to the present, the
voter turnout rate in the U.S. has been 51.7% to 61.6% for presidential elections and 35.9% to
41.1% for midterm elections.[3] Of particular concern, the participation of younger voters (ages 18
to 29) has been 16.3% to 48.4%, which is significantly lower than any other age group.[4]
[1] Barksdale, Nate. “What is the world’s oldest democracy?” History.com. December 2, 2014. Accessed September 25, 2016. http://www.history.com/news/ask-history/what-is-the-worlds-oldest-democracy
[2] Desilver, Drew. “U.S. voter turnout trails most developed countries.” Pew Research Center. August 2, 2016. Accessed September 25, 2016. http://www.pewresearch.org/fact-tank/2016/08/02/u-s-voter-turnout-trails-most-developed-countries/
PAGE 1
Reforms such as mail-in ballots and early voting have had some success in increasing
voter turnout by making voting more convenient and accessible for everyone.[5]
In this paper, we present VoteX, a digital voting solution that makes participating in
elections much more convenient and is easily integrated into daily life. VoteX is more than just
technology; it is a method incorporating people, process, and technology to systematically
transition to a digital voting world and make civic engagement less onerous, more accessible, secure,
and socially rewarding. Integral to our proposal is the execution plan, which introduces changes to the
people, process, and technology components in a phased and secure manner. VoteX rolls out
in three phases, allowing consideration of user adoption, mitigation of technical integration
issues, and configuration optimization before transitioning to the next phase. In each phase,
VoteX integrates with existing voting processes by introducing new elements in parallel,
thereby maximizing the impact of its adoption while maintaining public trust in the election
process. Early in the rollout, we focus on adoption among younger voters for two reasons: a)
validation of VoteX’s impact on increasing turnout, and b) the target group’s comfort with adopting
and trusting new technologies.
[3] United States Elections Project. “National General Election VEP Turnout Rates, 1789-Present.” June 11, 2014. Accessed September 25, 2016. http://www.electproject.org/national-1789-present
[4] United States Elections Project. “Voter Turnout Demographics.” Accessed September 25, 2016. http://www.electproject.org/home/voter-turnout/demographics
[5] Lam, Lauren. “Voter Turnout: the Undemocratic Nature of Democracy.” Prospect. October 28, 2015. Accessed September 26, 2016. https://prospectjournal.org/2015/10/28/voter-turnout-the-undemocratic-nature-of-democracy/
Figure 1. Voter Turnout by Age Group[6]
1.1 VOTING PROCESS
Figure 2. Typical Democratic Elections Process
Figure 2 above shows the four key stages in a typical election process. Digital voting does
not change these fundamental requirements. A good solution must integrate with existing
systems so that the tools, training, and processes already in place enable VoteX to
complement the existing paper, digital, early, and absentee voting systems. For the purpose of
this proposal, we use U.S. laws and election process (Figure 3) to demonstrate how VoteX meets
the case study requirements.
[6] United States Elections Project. “Voter Turnout Demographics.” Accessed September 25, 2016. http://www.electproject.org/home/voter-turnout/demographics
Figure 3. Existing System
In the United States, voters in most states must register before being permitted to vote.
Depending on the state, voters register to vote in person, by mail, or online.[7] In a few states all
eligible voters are automatically registered to vote.[8] Nearly all states allow registered voters the
options of in-person voting on election day, in-person early voting, and absentee voting by mail.[9]
In-person early voting and voting on election day are conducted using a paper ballot or some type
of electronic voting machine.[10] Typically, votes are tallied at individual polling locations, and the
final tallies are then transmitted to a central location.[11]
[7] Watkins, Eli. “How to register and vote in every US state and territory.” CNN. August 16, 2016. Accessed September 26, 2016. http://www.cnn.com/2016/08/14/politics/how-to-register-to-vote-in-every-us-state-and-territory/
[8] Brennan Center for Justice. “Automatic Voter Registration.” September 22, 2016. Accessed September 25, 2016. https://www.brennancenter.org/analysis/automatic-voter-registration
[9] National Conference of State Legislatures. “Absentee and Early Voting.” May 26, 2016. Accessed September 24, 2016. http://www.ncsl.org/research/elections-and-campaigns/absentee-and-early-voting.aspx
[10] Verified Voting. “Voting Equipment in the United States.” Accessed September 24, 2016. https://www.verifiedvoting.org/resources/voting-equipment/
[11] ACE Electoral Knowledge Network. “Vote Counting.” Accessed September 24, 2016. http://aceproject.org/ace-en/topics/vc/vce/default
2.0 VoteX
VoteX leverages existing blockchain networks and is accessed using current mobile
technologies. Through a combination of encryption and one-way hashes, the privacy
of the voter is maintained while identity and authenticity remain verified. Though this
enables votes to be cast and counted in real time, VoteX masks the results from the public until
after the election. The system is fully auditable by any third party.
Figure 4. End Goals of VoteX
2.1 LIMITED LAUNCH: EARLY VOTING
Figure 5. Limited Launch Phase
The first phase introduces critical components to the blockchain voting system. Here,
voters authenticate themselves via VoteX to receive a digital ballot on their phone. The scope of
this phase is limited to those who will be participating in early voting, and the final vote must be
cast at designated secure voting locations. The aim here is to test how voters adopt voting
through VoteX without disrupting the existing dynamic too dramatically. The ballots submitted
via the app are sent to the blockchain network as a test, but the official votes are transferred
directly to paper ballots for official processing. Not only does this allow measurement of
VoteX’s adoption by early voters, but it also allows verification of the functionality and
accuracy of the process.
Requirements:
● Blockchain utilization: Early voters cast their ballot on the Ethereum blockchain network
after authenticating themselves and receiving a ballot code.
● One vote per user: After authentication, early voters receive a unique ballot valid only
when submitted at a secure voting location (i.e., a polling station). The voter will be marked
as “voted” to ensure another completed ballot (paper/digital) cannot be submitted.
● Maintaining voter privacy: By utilizing both one-way hashes and traditional encryption, a
submitted ballot can only be linked to a specific voter using data stored in an offline
database, for audit purposes. All personal information is stored in a system which
could be accredited as FIPS 199 {High, High, High} compliant.[12]
● Voting during a flexible timeframe: Even though secure voting locations close during off
hours, the early voter can complete their ballot anywhere and anytime before the early
vote deadline. Once the ballot is completed, they must submit the entry from a secure
voting location.
● Ensuring a secure count: The counting and auditing components do not leverage
blockchain technology in this phase, so every ballot cast by an early voter is printed
and counted as a paper ballot. This ensures the managing team can resolve deficiencies in
this proposed phase before implementing the official counting and auditing system.
● Availability of interim results: The utilization of a large number of randomized Salts
within the posted ballots makes public tallying implausible during the voting process.
● Verifying individual vote: After the vote has been counted, a confirmation is posted to
the blockchain which enables the user’s app to confirm the vote was recorded. This is
done in a manner which prevents others from discovering the vote being cast.
[12] Clayton.edu. “FIPS199.” 2016. Accessed September 29, 2016. http://www.clayton.edu/technology-infrastructure/Policies-and-Procedures/Information-Security-Plan/FIPS199.
● Voting under duress: The VoteX ballot is cast at the same secure voting locations as
traditional early votes.
● Protection of undecided or abstaining voters: The authentication mechanism confirms the
identity of the individual casting the vote. The strength of this mitigation is dictated by
the requirements enforced by the election authority. New authentication
controls would become available with the technology being introduced.
The effectiveness of each phase can be measured using the following metrics:
● quantity of transactions (votes) recorded on the blockchain
● lack of confirmed privacy-related incidents
● lack of voter identity discrepancies
● lack of compromised votes
● confirmation that votes were properly counted
● lack of reported duress incidents
2.2 EXPANSION
Figure 6. Expansion Phase
In this phase, we extend the same functionality from the Limited Launch to enable
online votes to be cast on election day using the new voting app. This increases the
adoption of VoteX across a bigger pool, with any registered voter now eligible to cast their
ballot using the blockchain, while still leveraging secure voting locations. This phase also
introduces the opportunity for voters to register themselves using their device. Additional
identity validation methods will be available as required by the appropriate election authority.
The official ballots continue to be printed at the polls and counted with the other paper ballots,
enabling additional testing and validation of the blockchain process.
By leveraging the same metrics used in the Limited Launch phase, and also considering
the number of online registrations, the overall system can be proven in its effectiveness and
security without placing the integrity of the election at risk. This is a critical step towards
ensuring voter privacy and is a precursor to allowing the official counting and auditing of votes
on the blockchain network.
2.3 FULL IMPLEMENTATION
Figure 7. Full Implementation Phase
In the Full Implementation phase, the final components are introduced. First, all
registered voters are allowed to cast their ballot from an unsecured location, removing the need for
the vote to be cast at a designated secure voting location. The previous phases validated the
effectiveness of the blockchain app and the associated Ethereum blockchain network. The second
component is leveraging the network to officially count and audit cast ballots.
The requirements from the Limited Launch and Expansion phases continue to be satisfied. In
addition, the following controls are introduced during Full Implementation:
● Blockchain utilization: The blockchain network is now the authoritative source for
transactions (ballots) received from user devices and authenticated tokens. Submitted
transactions are attached to the next block, and the blocks are collected and counted by the
election office.
● One vote per user: The Digital Fingerprint allows only one vote per user, in the form of a
validated ballot, to be mined and made available to be counted.
● Voting during a flexible timeframe: The voter can enjoy the convenience of voting at any
time (as permitted by law) and in any location to cast their ballot on the blockchain
network.
● Ensuring a secure count: Now that votes are cast through an unsecured blockchain
peer-to-peer network, there is the potential for fake votes to be submitted in addition to actual
votes. To resolve this, when a ballot is cast, the Policy Server matches Authenticators with
Digital Fingerprints to validate authentic votes (see Figure 13, Voting Process Objects).
The Policy Server also sends the validated ballot to the Ethereum network to be ultimately
counted by the election authority (see the voting process sequence diagram, Figure 12). Any
alteration to the validated ballot would require 51% or more of the computing power of all the
nodes on the blockchain network, plus a correct Digital Fingerprint, to overwrite an existing
block.[13]
3.0 Technical Process
3.1 STEP 1: VOTER REGISTRATION
Voter registration will continue to be based on organization-maintained datasets.
Beginning with phase 2, voters will be able to register through the app, resulting in their addition
to the dataset.
Figure 8. Voter Registration Process Sequence Diagram
[13] Refer to proof of work transaction proofing in Appendix B: Technologies Leveraged
Figure 9. Voter Registration Process Objects
Each user provides identification artifacts using the app. These can include keyboard
input entries as well as the potential for document capture and/or facial biometrics using camera
input. These artifacts are transmitted directly to the election authority using SSL VPN tunnels,
where they are reviewed and approved with confirmation sent back to the user.
3.2 STEP 2: AUTHENTICATION
Prior to each election, voters need to obtain a new authentication token. This process
verifies the identity of the user and unlocks the device to cast one ballot for that election. Note
that in Limited Launch and Expansion phases, the voter must physically enter a polling place in
order to obtain a critical piece of the authentication to cast a vote.
Figure 10. Voter Authentication Process Sequence Diagram
Figure 11. Voter Authentication Process Objects
After downloading the app, a user verifies their identity by uploading any identification
that may be required by the election authority. This could be as simple as providing a copy of a
driver’s license or identification card or as complex as facial recognition biometrics or an
out-of-band one-time authenticator. At this time, users select a simple PIN using an on-screen
input (to avoid keyloggers) and choose a picture from a randomized preset selection. This
provides a simpler identity check at the time of voting.
The app establishes an SSL VPN connection to the Policy Server, which acts as a
trusted-but-independent service between the user and the election authority. This server passes
the identification artifacts and a hash of the user’s pin (known as the PinHash) to the election
authority through a site-to-site VPN tunnel.
The election authority validates the information provided and generates a “Coupon”
unique to the user’s vote. This Coupon is a preshared secret key, generated as a hash of the
output from a cryptographically secure pseudorandom number generator. The election authority
also selects a random “Salt” from a precompiled list of at least 10,000 unique Salts used
exclusively for this election. The Coupon, the Salt, and the election ID are provided to the Policy
Server. The election authority then generates a set of temporary hashes of the Salt combined with
each possible candidate, known as “Candidate Hashes.” “Nominations” are generated by hashing
the coupon with each Candidate Hash. The election authority records all possible Nominations
with the associated Candidate, election ID, and PinHash, but does not retain the Coupon, the
Salt, the associated Candidate Hashes, or any association with the user’s information.
If the user is on their private device (or has re-authenticated on election day), the Policy
Server generates the “Token,” an additional secret key which authorizes a vote to be placed by
the user. The Policy Server then hashes both the Token and the user-provided PIN to generate a
“Digital Fingerprint” that is later used for validation purposes. The Policy Server then generates
a hash of the Token, the PIN, and the user-selected image that will be used to validate the
user’s identity on the end device. This is known as the “Identity Check Hash.”
The Policy Server sends the Token, the Identity Check Hash, the Salt, and the election ID
to the user device. The Policy Server stores the Coupon and the Digital Fingerprint in a secure,
online database. The Policy Server also records the Coupon, Digital Fingerprint, election ID, and
the user’s unique identifier to offline storage in case of a future audit. The Policy Server does
not store the Token, the Identity Check Hash, the user PIN, the PinHash, or the image selected,
and the user is never given the Coupon.
3.3 STEP 3: CASTING A VOTE
Casting a vote is the process of the user selecting a candidate, followed by posting the
selection and proof of authenticity to the blockchain network. The Policy Server validates the
vote and posts a confirmation to the blockchain. The election authority, seeing both the original
post and the confirmation, validates the authenticity of the verification and records the vote. The
connection between the vote cast and the voter’s identity remains in an offline database at the
Policy Server.
Figure 12. Voting Process Sequence Diagram
Figure 13. Voting Process Objects
When ready to vote, the user enters their PIN and selected image. If the hash of the Token
(resident on the device), PIN, and selected image matches the Identity Check Hash, the authenticity
of the user is verified. The user makes their selection and confirms the submission. The app
hashes the Token and the PIN to generate an “Authenticator” and also forms a “Ballot” by hashing
the candidate selected and the Salt. The Authenticator, Ballot, and election ID are submitted as
an array to the Ethereum blockchain network ledger. The Ethereum network processes the ledger
and adds these as a block onto the chain. This information becomes publicly readable, but
undecipherable due to the hashing. The app also stores the candidate which received the vote.
The Policy Server monitors Ethereum for entries containing the election ID. When a
transaction is identified, the Authenticator is compared to the Digital Fingerprints on file. If no
match is found, the Ballot is considered invalid and is ignored. When a match is identified, the
Policy Server hashes the Coupon with the Ballot, to become the “Validated Ballot,” and posts the
Authenticator, the Validated Ballot, and the election ID to Ethereum. The Policy Server marks the
Digital Fingerprint as used, so it is no longer valid for comparison.
The election authority is also monitoring Ethereum and compares posted Validated
Ballots with Nominations on file. If no match is found, the Validated Ballot is considered forged.
When a match is found, it references the candidate associated with the Nomination, and a
vote is added to the appropriate tally.
The election authority hashes the Authenticator with the PinHash and posts the resulting
hash, labeled a “Ballot Validation,” back to Ethereum. This can then be read by the user device
and used to verify the vote was counted.
3.4 STEP 4: VALIDATE AND AUDIT
After the election concludes, the election authority releases the full list of Salts. With this
information, it becomes possible to generate all the combinations of hashes and determine
which ballots were cast for which candidates.
Should it become necessary to associate a specific ballot with a specific user, the Policy Server
offline database can provide the connection between the Coupon and the Digital Fingerprint,
enabling ballots to be associated with voters one by one.
Figure 14. Vote Validation and Audit Process Sequence Diagram
Figure 15. Vote Validation and Audit Process Objects
In the event of an audit, the data available in the offline database within the Policy Server
enables the Authenticator to be linked to the Digital Fingerprint. This can then be used with the
data stored in Ethereum to reconstruct the entire vote pattern from user to vote count.
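The hash chain of Steps 2 through 4 worked end to end, as an added Python model that is not part of the paper: Coupon, Salt, Candidate Hashes and Nominations on the election authority side; Token, Digital Fingerprint and Identity Check Hash at the Policy Server; Authenticator and Ballot from the app; then validation, tallying, Ballot Validation, and the post-election Salt release. The '|'-joined SHA-256 combination rule, the sample candidate slate, the election ID, and the in-memory dictionaries standing in for the databases and the Ethereum ledger are all assumptions.

```python
# Toy model of the VoteX hash chain in Steps 2-4 (added example, not the paper's code).
import hashlib
import secrets

CANDIDATES = ["Alice", "Bob", "Carol"]  # constructed sample slate
ELECTION_ID = "election-test-2016"      # constructed sample election ID


def h(*parts):
    # Assumed combination rule: fields joined with '|' and hashed with SHA-256.
    return hashlib.sha256("|".join(parts).encode()).hexdigest()


class ElectionAuthority:
    def __init__(self, salt_pool=8):
        self.salts = [secrets.token_hex(8) for _ in range(salt_pool)]  # per-election Salts
        self.nominations = {}  # Nomination -> (candidate, PinHash); no Coupon, Salt or voter kept
        self.tally = {c: 0 for c in CANDIDATES}
        self.ballot_validations = []  # posted back to the public ledger

    def enroll(self, pinhash):
        coupon = h(secrets.token_hex(32))  # Coupon: hash of CSPRNG output
        salt = secrets.choice(self.salts)
        for cand in CANDIDATES:
            candidate_hash = h(salt, cand)  # Candidate Hash
            self.nominations[h(coupon, candidate_hash)] = (cand, pinhash)  # Nomination
        return coupon, salt

    def observe_validated(self, authenticator, validated_ballot):
        rec = self.nominations.get(validated_ballot)
        if rec is None:
            return None  # matches no Nomination: treated as forged
        cand, pinhash = rec
        self.tally[cand] += 1
        validation = h(authenticator, pinhash)  # Ballot Validation the device can recompute
        self.ballot_validations.append(validation)
        return validation


class PolicyServer:
    def __init__(self, authority):
        self.ea = authority
        self.online = {}   # Digital Fingerprint -> Coupon (online database)
        self.offline = []  # audit only: (Coupon, Fingerprint, election ID, voter ID)

    def authenticate(self, voter_id, pin, image):
        coupon, salt = self.ea.enroll(h(pin))  # only the PinHash reaches the authority
        token = secrets.token_hex(16)          # Token: authorises one vote
        fingerprint = h(token, pin)            # Digital Fingerprint
        self.online[fingerprint] = coupon
        self.offline.append((coupon, fingerprint, ELECTION_ID, voter_id))
        # Device gets Token, Identity Check Hash, Salt and election ID; never the Coupon.
        return token, h(token, pin, image), salt, ELECTION_ID

    def observe_cast(self, authenticator, ballot, election_id):
        coupon = self.online.pop(authenticator, None) if election_id == ELECTION_ID else None
        if coupon is None:
            return None  # unknown, wrong-election or replayed Authenticator (pop() marked it used)
        return self.ea.observe_validated(authenticator, h(coupon, ballot))  # Validated Ballot


def cast_vote(token, salt, pin, candidate):
    # App side: (Authenticator, Ballot, election ID) is what reaches the public ledger.
    return h(token, pin), h(salt, candidate), ELECTION_ID


def decode_ballot(ballot, released_salts):
    # Post-election public audit: with the Salts published, anyone can read a Ballot.
    return next((c for s in released_salts for c in CANDIDATES if h(s, c) == ballot), None)
```

Until the Salts are released, `decode_ballot` has nothing to try, which is the property the paper relies on to withhold interim results; after release, the same public Ballot resolves to a candidate for any observer.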
4.0 Summary
Online voting has tremendous potential to increase voter turnout by making voting more
convenient and accessible, especially among younger voters. VoteX can be used for any type of
election, including federal, state, and local elections; elections in the United States and in other
countries; and elections for private clubs, condo associations, parent teacher associations, and
other organizations, and can easily be integrated with any existing voting mechanisms. Also, the
use of a public network voting system works to increase transparency and public trust in
elections.