Verifiable elections

2020 November 5

When all you have is a hammer, everything looks like a nail. Working on blockchain has got me thinking about how cryptography can be applied to design a better voting system. One that can be independently audited by as many people as possible, to give people confidence in its legitimacy, without sacrificing anonymity.

This idea may have some latent problems, but I don't want to keep it in hiding until it is perfect. I want to share it early in case someone else can help refine it.

The System

Cryptographically hash this information into a random unique identifier:

  • Voter identifying information: name, date of birth, address, and everything else that is on the voter roll
  • Election race identifying information: date, office, primary / general / runoff
  • Random secret (e.g. a passphrase chosen from a dictionary of common words)

Call this the Vote Identifier (VID). It uniquely and anonymously identifies each voter in each race, but it is infeasible to associate a VID back to a voter without knowing the secret. Thus, it can be shared publicly while preserving anonymity.

The random secret may be generated by the voting machine, or chosen by the voter if they do not trust the machine's source of randomness. On an absentee ballot, it can be printed with a box to let the voter fill in their own. To protect the anonymity of the voter, it should be known only to the voter and to the state. If it is ever leaked or guessed, the only risk is to the anonymity of the voter, not to the legitimacy of their vote.

When a voter votes in person, give them a receipt printed on security paper spelling out all of the VID inputs, with a table associating each VID to their vote for that race, stamped and signed by an election official. This receipt can be used to prove with some confidence that a voter voted in an election, should the record of their vote be lost somehow. While not immune to forgery, it is good enough for other official documents like birth certificates. Absentee voters will have to rely on a photograph of their absentee ballot.

A voter can even pre-fill their ballot at home and take it to a polling location just to get it stamped, signed, and recorded, skipping a voting machine. That means less time at the polling location, which means shorter lines.

For each race, publicly post results associating each VID with its vote in that race. Separately, publicly post the list of voters voting in that race.

The Benefits

Every voter can look up their vote by VID and check that it was recorded correctly.

Everyone can independently:

  • count votes
  • verify that no VID has more than one vote
  • verify that the number of voters in each race matches the number of votes in that race
  • verify that the voters are all unique (meaning no voter was issued more than one VID)
  • verify that each voter is eligible to vote (depending on how much voter identifying information is included)

No one can:

  • associate a VID back to a voter without knowing their random secret (the salt in the hash)
  • associate votes in different races to the same voter
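As an added example that is not part of the original post, here is the VID derivation and the public audit checks from the lists above in Python, run over constructed sample voters. The post does not say how the inputs are serialised before hashing, so the canonical-JSON encoding and the `VID-v1:` prefix are this example's own choices.

```python
import hashlib
import json
from collections import Counter

# Constructed sample data (not real voters): voter-roll fields, two races on
# the same day, and the per-voter random secrets known only to voter and state.
ALICE = {"name": "A. Example", "dob": "1980-01-02", "address": "1 Main St"}
BOB = {"name": "B. Example", "dob": "1975-03-04", "address": "2 Main St"}
GOVERNOR = {"date": "2020-11-03", "office": "Governor", "kind": "general"}
SENATE = {"date": "2020-11-03", "office": "Senate", "kind": "general"}
SECRETS = {"alice": "paper tiger lantern", "bob": "quiet harbor copper"}

def vote_identifier(voter, race, secret):
    """One hash over voter fields, race fields and the secret, as the post
    describes.  Canonical JSON (sorted keys, no whitespace) means field order
    cannot change the VID; the prefix keeps this hash distinct from any other
    SHA-256 use.  The encoding is this example's choice, not the post's."""
    payload = json.dumps({"voter": voter, "race": race, "secret": secret},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(b"VID-v1:" + payload.encode()).hexdigest()

def audit(results, voters):
    """The post's public checks for one race: results is the posted list of
    (VID, vote) rows, voters the separately posted voter list.  Returns the
    tally and the list of problems found (empty when the race checks out)."""
    problems = []
    dup_vids = [v for v, n in Counter(vid for vid, _ in results).items() if n > 1]
    if dup_vids:
        problems.append("VID with more than one vote: " + ", ".join(dup_vids))
    canon = [json.dumps(v, sort_keys=True) for v in voters]
    if len(set(canon)) != len(canon):
        problems.append("duplicate voter on the voter list")
    if len(voters) != len(results):
        problems.append(f"{len(voters)} voters but {len(results)} votes")
    return Counter(vote for _, vote in results), problems

def lookup(results, vid):
    """What a voter does with their receipt: recompute the VID from the
    printed inputs and find their row in the posted table (None if missing)."""
    return dict(results).get(vid)

# The posted (VID -> vote) table for the governor race and its voter list.
GOV_RESULTS = [(vote_identifier(ALICE, GOVERNOR, SECRETS["alice"]), "Candidate X"),
               (vote_identifier(BOB, GOVERNOR, SECRETS["bob"]), "Candidate Y")]
GOV_VOTERS = [ALICE, BOB]

if __name__ == "__main__":
    tally, problems = audit(GOV_RESULTS, GOV_VOTERS)
    print(dict(tally), problems)
    # Same voter, same secret, different race: the VIDs differ, so the two
    # posted tables cannot be joined on a voter.
    print(vote_identifier(ALICE, GOVERNOR, SECRETS["alice"]) !=
          vote_identifier(ALICE, SENATE, SECRETS["alice"]))
```

The entropy of the secret is what stands between the public voter list and a voter's row in the table, which is why the post lets voters supply their own rather than trust the machine.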

Votes can even be posted immediately to let voters verify that their vote was recorded[1] before they leave the polling place. There is no technical limitation to this, but there may be a political one. Some jurisdictions prohibit the counting of votes until after polls have closed on Election Day.

If you want to prove that your vote is missing or was counted incorrectly, you can present your receipt to officials. They can verify that the stamp, signature, and security paper are legitimate. In today's elections with electronic voting machines, there is no way for an individual voter to prove that their vote was lost or counted incorrectly. If we introduce this capability, then we need to think about how to handle a voter who presents such proof. Perhaps we use the existing judicial process for challenging the results of an election, and permit a receipt to be presented as evidence in a courtroom. With other supporting evidence, e.g. a selfie with the election official while holding up the receipt, it should be enough to convince a judge or jury.

Footnotes

  1. Whether a recorded vote is eventually counted depends on whether the voter was eligible, e.g. whether they had voted once already.