THE PEOPLE S CHOICE. Abstract. system. Team: FireDragon. Team Members: Shoufu Luo*, Jeremy D. Seideman*, Gary Tsai

The Economist Challenge THE PEOPLE S CHOICE A accountable distributed blockchain-based digital voting system Abstract With the advent of Bitcoin and related cryptocurrencies, the blockchain was introduced as a publically viewable ledger in more common use. Since then, blockchain-based consensus systems have been proposed, such as Helios, FollowMyVote and BitCongress etc., as the blockchain technique opens the possibility to a secure and tamper-resistant digital voting system. However, existing digital voting systems have different focus and therefore also shortcomings. In this paper, to the specific concerns cast by the Economist Challenge, we propose a distributed blockchain-based digital voting system with desired properties, namely, The People s Choice. We utilize mixing techniques to protect voter privacy, propose to use public-key encryption to prevent access to interim results etc. Finally, we provide a theoretical analysis of the resulting system. Team: FireDragon Team Members: Shoufu Luo*, Jeremy D. Seideman*, Gary Tsai The Graduate Center*, John Jay College of Criminal Justice, City University of New York Advisor: Dr. Sven Dietrich City University of New York, John Jay College of Criminal Justice & The Graduate Center

September 29, 2016 Table of Contents Abstract Introduction Digital Voting Systems Blockchain Technology Proof-of-Work Proof-of-Stake Delegated proof-of-stake Proposal The People s Choice The People The Rights The Genesis Block The Voting The Blockchain The Authority The Ballots Analysis: Counting (the ability to count) Privacy Potential Leakage and Accountability The Mixer and the Shadow Public Key Uniqueness Double-voting Interim Results Undecided Voters Aftermath Conclusion Appendix

Introduction Ever since humankind came together and lived as a society, the need for there to be some sort of consensus among the people has existed. Whether this means that people had to decide upon a leader or a course of action, there had to be a way to express that opinion. Over the years, there have been many ways to do that. At its simplest, voting has been just by voice -- the so-called yay/nay vote (Robert, 2011). That is, by no means, the only way that people can vote. Secret societies often use the black ball vote, where members place a token of one color or another into a box, so that when counting the votes it is obvious to see which side won the election. Digital Voting Systems With the advent of cryptocurrency, Bitcoin, the blockchain was introduced as a publically viewable ledger. Since then, blockchain-based digital voting systems have been proposed such as FollowMyVote and BitCongress etc., as the blockchain technique opens the possibility to a secure and tamper-resistant digital voting system. However, having a blockchain-based system does not insulate the users from some of the problems that the voting may carry. There is still a need to design a safe, anonymous system with the proper integrity and privacy controls. A prime

example of this is the Helios system (Adida, 2008). It is well designed but still there are several threats to the operation of this system, namely whether or not the decryption operation is performed properly, whether a voter is who they say they are or if they are impersonating someone else. By contrast, the pret-a-voter (PAV) system (Ryan, 2009) is an end-to-end auditable voting system and most PAV implementations also provide vote auditability. Admittedly, there are several vulnerabilities, most notably that it is possible to copy a ballot and distribute it to many voters to use it, and voters can take the candidate list with them to prove their vote was cast to satisfy a coercive party. Besides, FollowMyVote, which allows users to verify the interim result before the election official ends. Digital voting system with homomorphic sharing secrecy ( Schoenmakers, 1999) provides a very elegant solution in terms of privacy protection and interim results using homomorphic encryption with Shamir sharing secrecy but it fails to provide accountability, fraud prevention and undecided voters. In this paper, we propose an accountable blockchain-based system that inherits the merits of blockchain technique but also incorporates several improvements to create a platform for better privacy control and interim results prevention. Blockchain Technology The Blockchain is a public ledger with each block in the block chain formed by a number of transactions. A transaction will be validated by nodes of the peer-to-peer network and added to a new block which will be later attached to the chain following certain protocol, e.g. by the miner if the proof-of-work protocol is used. A new block of transactions will continuously

attach to the network of blocks as a link in a chain as time goes on, hence the term Blockchain. The chain acts as audit trail for a database which is managed by the network where no single computer is responsible for storing or maintaining the database, and any computer may enter or leave this network at any time without jeopardizing the integrity or availability of the database (Hourt, 2016). Since there is no centralization in Blockchain protocol, the problem of single point of failure is avoided. Proof-of-Work This technique was first introduced by Dwork (Dwork, 1993) to combat junk email. The idea is to force the email sender to perform amount of computational work (proof-of-work) before sending the email, which introduces negligible work for a regular email sender, however, significant work for a spammer who intends to send hundreds and thousands of spam emails. Proof-of-work is used to prevent any arbitrary node to valid a transaction and add to a block at the same time, i.e. the double-spending problem. Proof-of-Stake Proof of stake is a new strategy for the substitution of proof-of-work as its vulnerability to 51% attack. The main difference in proof-of-stake is in order to become a miner, they need to prove the amount of stake they have in their balance ( Kiayias et al, 2016 ).

Delegated proof-of-stake Delegated proof-of-stake protocol is introduced by Bitshares 2.0. The word "Delegate" means witness in this technique (Schuh & Larimer, 2015). The only role of the witness is to validate block of transactions to the blockchain network. This protocol is taking a more democratic approach to validate transaction as it also allows any node in the network to become a witness. Proof of Work is used by Bitcoin and Ethereum, i.e. BitCongress, while Peercoin, another peer-to-peer cryptocurrency, adopts Proof-of-Stake (Hourt, 2016). Zerocoin Zerocoin ( Miers, 2013) and its successor Zerocash (Sasson, 2014) proposed an elegant mathematical solution for solving anonymity issue of Bitcoin, however, we found not necessary for a digital voting system as the intrinsic differences between the digital voting and digital currency, which we will discuss in detailed in the privacy analysis of our proposal. Proposal The People s Choice We propose a distributed digital voting system, The People s Choice. It consists of two components: registration and voting, as shown below in the figure separated by the dash line. There are seven major phases as illustrated below.

1. The People The Registrar Office (RO) generates two pairs of private key and public key, while each voter generates a pair of private key and public key. The pair (K, K ) is designed to prevent tallying interim results. K is kept secret during the election and will be eventually public as used to decipher all encrypted votes (by K) for final tally. The pair of (Q, Q ), however, serves for the authority, i.e. signature/verification, as Q used by the people to verify any message authorized by the Registrar Office, i.e. signed using Q. Voter s public key will serve as a legal reference of their voting rights once their eligibility is verified and a reference transaction is added to the genesis block.

2. The Rights Voters register themselves to the Registrar Office to prove the eligibility of voting. There are mainly two parts: Voters show their authorized ID or necessary materials and also a public key The Registrar Office validates voter's eligibility and gives a copy of Q. Note: the security concern in this verification process, e.g. ID fraud, is out of scope in this proposal. The key point is every eligible voter gets their public keys accepted as a legal reference of their voting rights, later executed by their private key. 3. The Genesis Block Once the voter is verified to be eligible, the Registrar Office keeps a record of this voter and the public key submitted The Registrar Office generates the first block of the chain, i.e. the genesis block. The genesis block or block 0 will include (Each transaction is signed with the Registrar Office s private key Q ): Reference transactions with each of which contains a voter s public key An extra transaction records other essential information about this election, such as the start and end date, the tally policy, the candidate list, the encryption key K, etc. 4. The Voting When voting, the voter first looks up the genesis block for the election encryption key K and the candidate list, also other additional information if necessary (Note: this can be done automatically by an authorized voting client. For the security of the voting client, the software can be

distributed securely offline such as in the registration time or online by signing with the Registrar Office s private key Q.). A vote generates a transaction which contains The reference transaction by specifying their public key A timestamp this vote is cast Encrypt their choice of candidate, by name or code, i.e. the vote Voter s Signature 5. The Blockchain The voting transaction is broadcasted to the peer-to-peer network. Anyone listening to the network will receive it, validate the transaction and build into a new block: Is the transaction valid, i.e. is the signature valid? By checking the signature using the attached the public key. Is the public key already referred by any accepted transaction in the block chain? If yes, reject; otherwise, pass. Note: we will discuss the block production in the following analysis section. 6. The Authority When the election ends, the Registrar Office publishes the decryption key K to the network, so that anyone in the network can use this Key to decrypt all encrypted votes in the blockchain. To avoid a single point of failure, e.g. corrupted RO, the decryption key K can be a share secrecy among several authorities, instead of just one, i.e. RO. Shamir s sharing secrecy using polynomial can be used with verifiable sharing secrecy

(VSS). At the end of election, if and only if, all parties publish their pieces, the decryption key can be reconstructed. 7. The Ballots Once the decryption K is published, anyone in the network can tally the election results. The authority may complete tally the blockchain or rely on other organization s partial results to conclude the final results. Since everyone can redo the counting of any block, it is not wise for anyone to post false results. Terms we use: Reference transaction: a transaction containing a voter s public key, published and signed by the Registrar Office, and used as a reference of legal right of voting Voting transaction: a transaction containing a vote, published and signed by a voter Analysis: Counting (the ability to count) All the purpose of election is to count. In our proposal, once the decryption key K is published, anyone can decrypt all votes and count the votes for each candidate. This is not a problem, although the counting procedure may depend on the election counting policy published in the genesis block, e.g. if a vote cates a candidate whose name or code does not match the one published in the genesis block, it might be considered as a void vote.

Privacy In this setting, privacy refers to the choice of a candidate, more specifically, the voter expects his/her vote should not be associated to his/her identity for all reasons. In another word, voters have the right of voting anonymity. Using public key, Bitcoin provides pseudonymity to some degree, but unfortunately as shown by research community, it fails to protect user s privacy. Our voting system follows in general the way of bitcoin using blockchain, e.g. each owner/voter owns a pair of public key and private key, and uses the public key as the interface between them and the system. However, it looks similar but actually very different for the following reasons. In the case of bitcoin, for various reasons, people whose identity is known will publish their public key to the public, for example, charity organizations calling for donations, commercial merchants for collecting payments, or individuals asking for giving etc. More importantly, transactions in the bitcoin are highly correlated and linked as they are traceable through the chain. Given these two prerequisites, the fact that all transaction details are transparent provides the possibility of tremendous information can be learned from available transaction flows. In the case of digital voting, people do not have the motivation to declare the ownership of a public key. Moreover, there is little information one could infer about one public key

from another because each voting transaction is independent, unlike bitcoin that transactions are highly related and connected because of the nature of spending coins. To the end, only the one who declares his/her public key is the victim of privacy violation, the voting choice. In short, as the voting part from the figure (i.e. below the dash line), the information one can at most learn is that there someone owns a public key, k, voted to a candidate c, and there little information can be used to infer who actually owns the public key in all means. On the other hand, there research work suggests that privacy might be also violated by simply mining blockchain logs for IPs (Koshy, 2014). This is similar to the aforementioned problem, a trustable voting client. The voter should only cast a vote in a secure software environment. Online services like Tor network or VPN can be used to bypass IP tracing for example. Potential Leakage and Accountability In this proposal, we may assume the Registrar Office is trusted. By saying that, we mean the Registrar Office will make every effort to follow the protocol to keep data safe for any security and privacy concerns. However, one may still ask, what if the database leaked for any reason, (e.g. data breach) or corrupted RO (e.g. insider leaks the data)? Indeed, data breach is not infrequent thing nowadays and people have political motivations to steal such essential data. And not maintaining it at very beginning is also not a legitimate option for accountability purposes. In fact, legitimate vote records must be recorded precisely and public accessible. For example,

without such records, what if the Registrar Office or insiders in charge misconducts and falsely uses unregistered voters identities (i.e. ghost voter). The Mixer and the Shadow Public Key For such a consideration, our proposal introduces an additional step of obfuscation before the registration process so that the legitimate vote table is public accessible but won t cause privacy concern. As noted, each voter will generate a pair of private key and public key. However, instead of submitting his/her own public key, voters go to a third-party mixer pool to exchange their public keys and get a shadow public key which will be submitted to RO. For example, in the diagram below, voter i submit public key i and get assigned a public key of voter k. Then, voters submit the assigned public key during their registration. In this way, after exchanging public keys (and only public keys), as a voter s public key will be submitted by other voter into the election pool, i.e. the genesis block, a voter can still vote using his/her private key. The public key in record is however no longer his/hers, therefore, the vote associated to that public key is not what he/she votes. To ensure the anonymity efficiency, the mixer should be large enough, e.g. at least k for k-anonymity. To ensure the security, this mixing can happen among a group of trusted voters. In the case of untrusted voters, the mixer may run pre-screening of participants eligibility when

accepting public keys, but without keeping records because accounting is not wanted here. Fraud behavior is easy to detect in this setting as those legitimate voters can find out whether their public keys are not listed in the genesis block. To prevent fraud, RO should be able to provide services to let voters to revoke the public key and submit a new one also. Uniqueness Voter uniqueness is guaranteed by the registration process, i.e. every legitimate voter can submit one public key and only one as a reference of legitimacy. But it is noted in the previous section, to ensure the security of the mixing, including the uniqueness issue, the mixer should take appropriate steps to protect against frauds. Double-voting Double-voting can be prevented if (1) uniqueness is guaranteed and (2) the block produced only includes valid transactions, i.e. checking if a reference transaction is referred by any existing voting transaction. For (2), despite of known issues of proof-of-work, we argue that it can be a solution. Different from bitcoin, in our proposal, there is no direct reward for mining, but we believe there are political incentives that individuals, organizations or governments would commit computational resources for proof-of-work and produce blocks. Other alternatives may be also applicable to our system, such as delegated proof-of-stake, for example.

Interim Results As illustrated, voters use the encryption key K to encrypt t heir votes, no one can actually tall those votes until the decryption K published at the end of the election. Secret sharing can be used to effectively prevent a single point of failure such as the RO as it is unlikely for several authorities to accomplice to reconstruct the key for interim results during the election. Undecided Voters If we interpret voters as eligible potential citizens, there are two types of undecided voters: either not registered or registered but undecided which candidate to vote. As aforementioned that the RO is obliged to publish the legitimate vote table, it is accountable to find every vote in the election pool comes from a legitimate registered voter, i.e. there should not be any ghost voter. For those undecided which candidate to vote, they can easily check whether any voting transaction in the block chain refer to the reference transaction which belongs to him/her as guaranteed by the blockchain technique, every voting transaction should be traceable to the reference transaction by once and exactly once. It is very also unlikely given the assumption that the public key scheme is strong enough, e.g. RSA. Aftermath Two fundamental keys ensure our proposal accountable for aftermath investigation: the traceability and the integrity of all votes. The traceability is provided by an accountable registration process and the blockchain, which enables each every ballot can be traced back to a legitimate vote. Also, by this, undecided votes are under monitoring so that they are not falsely

used to support a candidate. While, without integrity, the traceability is meaningless for any investigation. As well known, blockchain itself provides certain protection against altering the ledger. In addition, each voting transaction is also signed by each voter to guarantee that its integrity. There some particular security concerns have been addressed in the proposal design section, for example, the secure voting environment and potential fraud prevention. Conclusion In this paper, we propose a digital voting system, The People s Choice, addressed concerns cast in the challenge. It utilizes the blockchain techniques, the public key, the mixing net and etc. It inherits a similar framework of the blockchain used in Bitcoin but novelized in the transaction forming for the voting purpose, privacy protection and interim results prevention in particular. There is still room for improvement, e.g. the secrecy of the decryption key K during the election period. Shamir s secret sharing is still vulnerable to a single point of failure in terms of preventing interim results even with verifiable secret sharing, which we leave for further work. Appendix Adida, Ben. "Helios: Web-based Open-Audit Voting." USENIX Security Symposium. Vol. 17. 2008. Kiayias, Aggelos, et al. "A Provably Secure Proof-of-Stake Blockchain Protocol." (2016). Buterin, Vatalik. "What Is Ethereum?" What Is Ethereum? N.p., 9 Mar. 2016. Web. 25 Sept. 2016.

Hourt, Nathan. "Blockchain Technology in Online Voting - Follow My Vote." Follow My Vote. N.p., n.d. Web. 28 Sept. 2016. (ICFAI), Prableen Bajpai CFA. "Blockchain." Investopedia. N.p., 02 Jan. 2014. Web. 28 Sept. 2016. Norton, Steven. "CIO Explainer: What Is Blockchain?" WSJ. Wsj.com, 02 Feb. 2016. Web. 28 Sept. 2016. Johnston, Roger and Suzanne LaBarre. How I Hacked an Electronic Voting Machine. Popular Science, Nov 5, 2012. Robert, Henry M.; et al. (2011). Robert's Rules of Order Newly Revised (11th ed.). Philadelphia, PA: Da Capo Press. ISBN 978-0-306-82021-2 (hardcover), ISBN 978-0-306-82020-5 (paperback),isbn 978-0-306-82022-9 (leatherbound) Ryan, Peter YA, et al. "Prêt à voter: a voter-verifiable voting system." IEEE transactions on information forensics and security 4.4 (2009): 662-673. Schuh, Fabian, and Daniel Larimer. "BIT S HARES 2.0: GENERAL OVERVIEW.": n. pag. BitShares, 15 Dec. 2015. Web. Koshy, Philip, Diana Koshy, and Patrick McDaniel. "An analysis of anonymity in bitcoin using p2p network traffic." International Conference on Financial Cryptography and Data Security. Springer Berlin Heidelberg, 2014. Schoenmakers Berry, A simple publicly verifiable secret sharing scheme and its application to electronic voting, Springer-Verlag, In CRYPTO, 1999 Dwork, Cynthia; Naor, Moni (1993). "Pricing via Processing, Or, Combatting Junk Mail, Advances in Cryptology". CRYPTO 92: Lecture Notes in Computer Science No. 740. Springer: 139 147. Miers, Ian, et al. "Zerocoin: Anonymous distributed e-cash from bitcoin." Security and Privacy (SP), 2013 IEEE Symposium on. IEEE, 2013. Sasson, Eli Ben, et al. "Zerocash: Decentralized anonymous payments from bitcoin." 2014 IEEE Symposium on Security and Privacy. IEEE, 2014. Nakamoto, Satoshi. "Bitcoin: A peer-to-peer electronic cash system." (2008). FollowMyVote, www.followmyvote.com BitCongress, https://forum.ethereum.org/discussion/110/bitcongress-blockchain-based-voting-system