PaperBallotchain
VOTING PROBLEMS: Paper ballots are essential to election security, but slow to count and prone to costly disputes, while electronic voting is fast to count, but vulnerable to hacking and risks compromising voter anonymity. What if we could have the best of both?
VOTING PROBLEMS: Paper ballots are essential to a secure voting system because they provide a tamper-evident trail and thwart large-scale ballot tampering, but the counting method (by hand or by scanner) is slow, prone to inaccuracies, vulnerable to manipulation, minimally transparent, unable to give voters confirmation that their ballot was included in the count, and often results in disputes, costly and time-consuming audits, court cases, and destabilizing delays in voting results; meanwhile electronic voting is fast to count, but risks compromising voter anonymity and is vulnerable to hacking that is large-scale and potentially undetectable.
VOTING SOLUTION: PaperBallotchain pairs paper ballots and blockchain technology to provide the first-ever cryptographically-verifiable, voter-verifiable, yet still anonymous, near-instant-count, paper-ballot voting system.
(Patent No. 12132827)
VOTING SOLUTION: PaperBallotchain pairs paper ballots and blockchain technology to provide the first-ever cryptographically-verifiable, voter-verifiable, yet still anonymous vote-casting system and the first-ever fully transparent, perfectly accurate, near instantaneous, and publicly-verifiable vote-counting system—solving the critical technical vulnerabilities of blockchain voting described by MIT and blockchain experts that have justifiably caused them to strenuously warn against blockchain voting.
(This system holds both the credibility and innovation of a patent: Patent No. 12132827)
Vote-Casting Problems
Solution: PaperBallotchain's vote-casting pairs paper ballots and blockchain technology with only open-source code that
This vote-casting method includes solutions to critical technical vulnerabilities of blockchain voting identified by MIT and blockchain experts.
Vote-Counting Problems
Solution: PaperBallotchain's vote-counting of all cryptographically verified ballots on the independent stakeholder blockchains is
This vote-counting method includes solutions to critical technical vulnerabilities of blockchain voting identified by MIT and blockchain experts.
(Blockchain: a specialized type of database—a cryptographically secure, transparent, immutable, tamper-evident, distributed, digital ledger.)
But in comparison to traditional paper-ballot voting (which is the second best-rated system after PaperBallotchain), PaperBallotchain brings 9 rating improvements (out of 15 categories) and no rating decreases or tradeoffs, shifting 9 categories from 'weakness,' 'minor strength,' or 'strength' to 'strength' or 'major strength.'
Additionally, in comparison to electronic-ballot-to-blockchain voting, PaperBallotchain makes only one trade-off on the speed/ease of vote casting, favoring security, while bringing 9 rating improvements (out of 15 categories), shifting 9 categories from 'major weakness' or 'weakness' to 'strength' or 'major strength.'
Moreover, “online voting may not increase turnout. Studies on online voting’s impact on voter turnout have ranged from finding no impact on turnout (e.g., Switzerland [1]) to finding that online voting slightly decreases turnout (e.g., Belgium [2]) to finding that online voting slightly increases turnout but is nonetheless ‘unlikely to solve the low turnout crisis’ (e.g., Canada [3]) [4]. Studies of Estonian elections have also suggested that turnout changes due to online voting may favor higher-income and higher-education demographics [5]. Recent US studies demonstrate significant demographic disparities in smartphone ownership (e.g., in gender, income, and education) [6].” (Source: Going from bad to worse: from Internet voting to blockchain voting | Journal of Cybersecurity)
On the surface, blockchain voting appears to be the optimal solution to voting-system problems because...
However, MIT and other blockchain experts have strenuously warned against blockchain voting, explaining...
For more details, see
Thus, if only we could transfer paper ballot data onto a blockchain securely, then the ballot data could be safely stored and counted on the blockchain, but how can we do that? A key problem is that a paper ballot would need to be scanned, and that scanned ballot data would be subject to the same vulnerabilities as the electronic ballot in its creation and on its path from the scanner to the blockchain. The PaperBallotchain patent solves that problem.
Solutions (Low-Tech & Non-Tech) in New Paper-Ballot-to-Blockchain Voting
This method is vulnerable to undetectable and large-scale hacks and would require a whole new election if the scanned ballot data or blockchain were hacked because no paper ballots would exist for a hand-count or otherwise.
This method is not vulnerable to undetectable or large-scale hacks and would not require a whole new election if the scanned ballot data or blockchains were hacked because paper ballots would exist in official custody for a hand-count or otherwise.
1. Jeopardizes ballot integrity (Critical Technical Vulnerability): “If vote-casting is entirely software-based, a malicious system could fool the voter about how the vote was actually recorded”—and that system would be prone to large-scale error and hacks that could overturn the election results in undetectable ways, or if detected, would require a whole new election. (Sources: 1) MIT experts: no, don’t use blockchain to vote | MIT CSAIL. 2) Would Voting Be Better On A Blockchain - YouTube.)
2. Jeopardizes voter anonymity (Critical Technical Vulnerability): The software required to simultaneously
1) verify voter identity,
2) ensure voter anonymity (remove voter identity when casting the ballot), and
3) remember voter identity to prevent voters from casting multiple ballots
—has not yet been developed/solved, and even if it were developed/solved—it would be prone to large-scale error and hacks that could compromise voter anonymity on a large scale and could enable casting of fraudulent ballots on a large scale that could overturn election results in undetectable ways, or if detected, would require a whole new election. (Source: Would Voting Be Better On A Blockchain - YouTube.)
If using coins to vote: “it does not provide a secret ballot: all votes are public, and users can prove to a third party how they voted, enabling coercion and vote-selling.”
If using zero-knowledge proofs:
3. New Blockchain Database Vulnerability (Critical Technical Vulnerability): New blockchain databases typically have a small number of computer node participants, which makes them inherently vulnerable to “51% attacks,” in which a bad actor gains control of the majority of the blockchain nodes/computers, enabling them to “create multiple versions of the blockchain to show different people, sowing discord.” Even though the hack would be detectable, it would require a whole new election. (Source: Going from bad to worse: from Internet voting to blockchain voting | Journal of Cybersecurity | Oxford Academic.)
4. “If a user loses their private key, they can no longer vote, and if an attacker obtains a user’s private key they can now undetectably vote as that user.” (Source: Going from bad to worse: from Internet voting to blockchain voting | Journal of Cybersecurity | Oxford Academic.)
5. “If a user’s voting device (probably a mobile phone) is compromised, so could be their vote.” (Source: Going from bad to worse: from Internet voting to blockchain voting | Journal of Cybersecurity | Oxford Academic.)
6. Targeted ballot censoring:
(Source: Going from bad to worse: from Internet voting to blockchain voting | Journal of Cybersecurity | Oxford Academic.)
7. Denial of service (DOS) attack—by overwhelming the blockchain with invalid ballots/transactions, causing cast-ballots to miss the cutoff time to add ballots to the blockchain. (Source: Going from bad to worse: from Internet voting to blockchain voting | Journal of Cybersecurity | Oxford Academic.)
8. Denial of service (DOS) attack—by influencing/disrupting network connectivity, causing ballots to miss the deadline to be added to the blockchain. (Source: Going from bad to worse: from Internet voting to blockchain voting | Journal of Cybersecurity | Oxford Academic.)
9. “the inadvisability of using new distributed consensus protocols or new cryptographic primitives for critical infrastructure until they have been well-tested in industry for many years” (Source: Going from bad to worse: from Internet voting to blockchain voting | Journal of Cybersecurity | Oxford Academic.)
10. “it takes more time and effort to deploy security fixes in a decentralized system than in a centralized one, and [so] blockchain systems can be vulnerable for longer periods of time than centralized counterparts.” (Source: Going from bad to worse: from Internet voting to blockchain voting | Journal of Cybersecurity | Oxford Academic.)
11. “Elections are inherently centralized (with a central organization, the government, that is in charge of election procedures, the contests of the election, the eligibility of the candidates, and eligibility to vote),” so blockchain technology is not a good fit for voting. (Source: Going from bad to worse: from Internet voting to blockchain voting | Journal of Cybersecurity | Oxford Academic.)
12. “Scalable attacks (SHOWSTOPPER CATEGORY): If the adversary’s cost to tamper with the election is much less than the defender’s cost to prevent such attacks, attempts to prevent, remediate, or even discover the failures may be impossible in practice. Scalable ‘wholesale’ attacks affecting election outcomes are much more dangerous than ‘retail’ attacks affecting only a few votes.” This is one of “two categories of ‘showstopper’ vulnerabilities that effectively eliminate election authorities’ ability to prevent or remediate serious failures.” Several of the previously discussed problems in electronic-ballot-to-blockchain voting are scalable attacks. (Source: Going from bad to worse: from Internet voting to blockchain voting | Journal of Cybersecurity | Oxford Academic.)
13. “Undetectable attacks (SHOWSTOPPER CATEGORY): If an attacker can alter the election outcome without any realistic risk of the modification being caught (by voters, election officials, or auditors), the attack becomes impossible to prevent or mitigate.” This is one of “two categories of ‘showstopper’ vulnerabilities that effectively eliminate election authorities’ ability to prevent or remediate serious failures.” Several of the previously discussed problems in electronic-ballot-to-blockchain voting are undetectable attacks. (Source: Going from bad to worse: from Internet voting to blockchain voting | Journal of Cybersecurity | Oxford Academic.)
1. Low-tech solution: 1) Print the following on a folded, sealed, tamper-evident paper ballot:
2) Then scan a voter-marked paper ballot using a scanner-set assembly containing multiple independent-stakeholder scanners (each with a unidirectional data diode) that can each separately create and apply a stakeholder-scanner digital signature to a scanned-ballot datafile that can be verified by the public and a blockchain using a corresponding pre-election-published Stakeholder Scanner Public Key.
Those two steps are the foundation of a paper-ballot-to-blockchain voting system that:
2. Non-tech solution: The voting system software never knows the voter’s identity. After election officials verify voter identity in whichever manner they choose, they provide a folded, sealed, tamper-evident paper ballot to the voter that
Optional use of Ballot Vending Machines: Instead of election officials selecting which folded, sealed, tamper-evident paper ballot to give to each voter, each voter can select a ballot from a Ballot Vending Machine, so election officials won’t know which ballot the voter will get.
Additionally, the voter has plausible deniability about which Ballot ID# they cast because the voter can claim that their Ballot ID# is any Ballot ID# cast onto the blockchain around the same time as theirs from the same polling station, which would obfuscate bad actor efforts to verify which ballots were cast by which voters when seeking to buy or coerce votes.
3. Low-tech solution: The scanned-ballot datafile is stored in multiple competing independent-stakeholder ballot blockchains (each redundantly backed up) that stakeholders centrally build/control (but that are duplicated & validated in many places by members of the public to reveal any tampering), so there’s no possibility of a 51% attack. This system instead uses the competitive nature of the stakeholders; comparison of their blockchains; and public and stakeholder validator computers (running open-source blockchain-building software) to duplicate and check the integrity of the information on the blockchains.
Alternatively, the scanned-ballot datafile is stored with a third party blockchain database service that saves the scanned-ballot datafile itself or a link to the scanned-ballot datafile as a non-fungible token (NFT)—in either a layer-2 sidechain database of the Bitcoin blockchain database or a different third party Blockchain Database—that is already essentially invulnerable to a 51% attack due to many blockchain computer node participants that store copies of the blockchain. The Bitcoin Blockchain database is currently the most secure blockchain database in the world because it has the greatest number of nodes in the world and has maintained its data integrity despite more than a decade of hack attacks since its inception.
4. Private keys are not assigned to users.
5. Personal devices are not used in the system.
6. Defense against targeted ballot censoring:
7. Defense against DOS transaction flooding:
8. Defense against DOS connectivity disruption:
9. The system does not require distributed consensus protocols, and it can use old, basic, battle-tested (rather than new, novel) cryptographic primitives because the system uses centrally controlled blockchains (each controlled by an independent stakeholder), where each blockchain uses the same validation protocol.
10. Rather than decentralized blockchains, the system uses multiple centrally-controlled blockchains (each managed by an independent stakeholder), so fixes can be deployed quickly.
11. The system uses centrally controlled vote casting and counting methods that are consistent with the centralized nature of elections, while also employing blockchain technology in a novel yet basic way to provide the security, transparency, and counting speed that is required and desired in elections.
12. An adversary would need to corrupt multiple independent groups of stakeholders (without being detected) to accomplish a large-scale attack:
Even if a scanner was running malware that was altering scanned-ballot datafiles, each voter would have an opportunity to see and report it after they cast their ballot, which would cause that scanner to be taken offline.
13. Each of the following is detectable and publicly evident throughout the PaperBallotchain voting process:
Ballot censorship is evident.
Ballot tampering is evident.
Ballot counterfeiting is evident.
Ballot and vote miscounting is evident.
The electronic-ballot-to-blockchain voting method is vulnerable to undetectable and large-scale hacks and would require a whole new election if the scanned ballot data or blockchain were hacked because no paper ballots would exist for a hand-count or otherwise.
The paper-ballot-to-blockchain voting method is not vulnerable to undetectable or large-scale hacks and would not require a whole new election if the scanned ballot data or blockchains were hacked because paper ballots would exist in official custody for a hand-count or otherwise.
After election officials verify voter eligibility via whichever method they choose, they dispense, via whichever method they choose, a folded, sealed, tamper-evident paper ballot (containing a hidden printed Ballot ID# and a hidden Ballot Private Key QR Code) to the voter.
The voter enters a private space or voting booth to open and fill out the paper ballot.
At a polling station, the voter (or an election official) feeds the marked paper ballot into a Ballot-Casting Automated Teller Machine (ATM), which contains a Ballot-Scanner-Set Assembly with multiple independent-stakeholder scanners (each with a unidirectional data diode) that can each separately apply a stakeholder-scanner digital signature to each scanned-ballot datafile as well as a paper ballot digital signature (that can each be verified by the public using the corresponding pre-election-published Stakeholder Scanner Public Key and Paper Ballot Public Key).
Each independent-stakeholder scanner (within the Scanner-Set Assembly inside the Ballot-Casting ATM) independently transmits the scanned-ballot datafile with a digital signature from the Ballot Private Key, a digital signature from the stakeholder Scanner Private Key, and a scanner-generated Cryptographic Puzzle to all participating independent-stakeholder Ballot Blockchains, which are each independently centrally controlled by a stakeholder.
A shredder (within the Scanner-Set Assembly inside the ATM) shreds the Ballot Private Key off the paper ballot.
Doing so makes it impossible to re-cast an altered or unaltered marked-paper ballot onto the blockchains because the blockchains will reject any datafile that lacks a valid ballot digital signature (and a valid scanner digital signature) if the blockchains are running valid blockchain builder/validator software.
Each independent-stakeholder Ballot Blockchain uses the same validation protocol to add a scanned-ballot datafile to its blockchain.
(A member of the public can use the same validation protocol to build a duplicate ballot blockchain and then compare it against the stakeholder ballot blockchains using a blockchain explorer designed to compare them.)
The validation protocol used to add a new scanned-ballot datafile to a ballot blockchain requires that the scanned-ballot datafile:
Each stakeholder blockchain likely stores the scanned-ballot datafiles in different sequences (based on their differing travel paths and speed over the internet from the scanners to the stakeholder blockchains), but the count of scanned-ballot datafiles on the blockchains will be identical if all the blockchains store all the scanned-ballot datafiles.
If a stakeholder tries to censor opposing ballots by not transmitting them to the blockchains (from their scanners or from internet nodes on the internet paths of the ballot datafiles) or by not publishing/adding them on their own blockchain, that is likely a futile effort for the following reasons:
The Ballot-Casting ATM flashes a green light if it received confirmation that the scanned-ballot datafile was added to a stakeholder blockchain or a red light if not, and then drops the paper ballot into a corresponding transparent green or red plastic box inside the clear plastic ATM machine.
The voter can use their privately viewed Ballot ID# (optionally written down inside their private voting space) and a blockchain explorer on a government computer or a personal mobile device to look up their ballot data on the Stakeholder Ballot Blockchains.
Meanwhile, bad actors seeking to buy or coerce votes can’t verify which ballot the voter cast because the voter's Ballot ID# could be any Ballot ID# cast onto the blockchain around the same time at the same polling station.
If voters are unable to find their ballot data on the blockchains or they find their ballot data has been altered, then voters can verbally inform an election official who keeps a paper tally of such reports (that doesn’t identify the voter).
If the total number of such reports exceeds the number of votes required to overturn the election results, then a hand count and audit of paper ballots is conducted.
A blockchain explorer provides a live report (throughout the vote casting and counting process) with the following information pulled from all the stakeholder blockchains:
1) Tallies of votes for each candidate (from all the validated, blockchain-posted scanned-ballot datafiles for a given Ballot ID# that have unanimous agreement on their data across all stakeholder blockchains).
2) The total number of ballots that would be required to overturn the election results.
3) A tally and list of every Ballot ID# that lacks unanimous agreement among its stakeholder-scanner-signed, blockchain-posted, validated scanned-ballot datafiles (and is thus excluded from the automatic vote tallies).
4) A tally and list of every Ballot ID# that has unanimous agreement among its stakeholder-scanner-signed, blockchain-posted, validated scanned-ballot datafiles (and is thus included in the automatic vote tallies).
5) A tally and list of every Ballot ID# that is missing from each blockchain.
6) A tally and sequential list of all Ballot ID#s and their corresponding validated stakeholder-scanned-ballot datafiles that are published on each Stakeholder Ballot Blockchain.
7) A tally and sequential list of which Ballot ID#s were cast from which geographic locations based on their scanner digital signatures and the pre-election published list of stakeholder scanners, their Scanner Public Keys, and their assigned locations.
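The consolidated report in items 1) to 5), together with the hand-count trigger described earlier, can be sketched as follows. This is an added example, not PaperBallotchain's own code. Assumptions: the chain names, record layout and sample ballots are constructed; records are taken to have already passed signature validation; a Ballot ID# missing from any chain is treated as lacking unanimous agreement; and the number of ballots needed to overturn the result is modeled as the margin between the top two candidates.

```python
from collections import Counter, defaultdict

# Constructed sample data: three hypothetical stakeholder chains. Each record is
# (ballot_id, scanner_id, choice). Arrival order differs per chain, as the page
# expects, and must not affect the report.
CHAINS = {
    "stakeholder_A": [
        ("B001", "scan-A", "Alice"), ("B001", "scan-B", "Alice"),
        ("B002", "scan-A", "Bob"),   ("B002", "scan-B", "Bob"),
        ("B003", "scan-A", "Alice"), ("B003", "scan-B", "Bob"),  # scanners disagree
        ("B004", "scan-A", "Alice"), ("B004", "scan-B", "Alice"),
        ("B005", "scan-A", "Alice"), ("B005", "scan-B", "Alice"),
    ],
    "stakeholder_B": [
        ("B002", "scan-B", "Bob"),   ("B001", "scan-A", "Alice"),
        ("B005", "scan-B", "Alice"), ("B003", "scan-B", "Bob"),
        ("B004", "scan-A", "Alice"), ("B001", "scan-B", "Alice"),
        ("B003", "scan-A", "Alice"), ("B002", "scan-A", "Bob"),
        ("B004", "scan-B", "Alice"), ("B005", "scan-A", "Alice"),
    ],
    "stakeholder_C": [  # B004 never published here (censored or lost)
        ("B001", "scan-A", "Alice"), ("B001", "scan-B", "Alice"),
        ("B005", "scan-A", "Alice"), ("B005", "scan-B", "Alice"),
        ("B002", "scan-A", "Bob"),   ("B002", "scan-B", "Bob"),
        ("B003", "scan-A", "Alice"), ("B003", "scan-B", "Bob"),
    ],
}


def explorer_report(chains):
    """Consolidate all stakeholder chains into the live-report fields."""
    # ballot_id -> chain name -> set of choices recorded on that chain
    seen = defaultdict(lambda: defaultdict(set))
    for chain, records in chains.items():
        for ballot_id, _scanner, choice in records:
            seen[ballot_id][chain].add(choice)

    tally, agreed, disputed = Counter(), [], []
    missing = {chain: [] for chain in chains}
    for ballot_id in sorted(seen):
        per_chain = seen[ballot_id]
        absent = [c for c in chains if c not in per_chain]
        for c in absent:
            missing[c].append(ballot_id)              # report item 5
        choices = set().union(*per_chain.values())
        if not absent and len(choices) == 1:
            agreed.append(ballot_id)                  # report item 4
            tally[next(iter(choices))] += 1           # report item 1
        else:
            disputed.append(ballot_id)                # report item 3

    top_two = [count for _, count in tally.most_common(2)] + [0, 0]
    return {
        "tally": dict(tally),
        "agreed": agreed,
        "disputed": disputed,
        "missing": missing,
        # Distinct Ballot ID#s per chain; equal only if every chain stores all.
        "ballots_per_chain": {c: len({r[0] for r in recs})
                              for c, recs in chains.items()},
        "margin": top_two[0] - top_two[1],            # report item 2 (assumed model)
    }


def hand_count_required(report, voter_reports):
    """True when voter-reported problems exceed the modeled overturn margin."""
    return voter_reports > report["margin"]


if __name__ == "__main__":
    result = explorer_report(CHAINS)
    for field, value in result.items():
        print(f"{field}: {value}")
    print("hand count after 2 voter reports:", hand_count_required(result, 2))
```

Because disputed and missing ballots are excluded from the automatic tally, the size of those lists relative to the margin is the figure an auditor would watch alongside the voter-report count.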
1. Folded, sealed, tamper-evident paper ballots, containing a hidden Ballot ID# and a hidden Ballot Private Key QR Code (printed in invisible ink that is readable by the scanner device).
There’s no software linking a voter to a ballot, and election officials can’t see the Ballot ID#s or track which voters get which Ballot ID#s—as long as the seal on the folded, sealed, tamper-evident paper ballot has not been broken.
Additionally, the voter has plausible deniability about which Ballot ID# they cast because the voter can claim that their Ballot ID# is any Ballot ID# cast onto the blockchain around the same time as theirs from the same polling station, which would obfuscate bad actor efforts to verify which ballots were cast by which voters when seeking to buy or coerce votes.
2. Optional use of Ballot Vending Machines
Instead of an election official selecting which folded, sealed, tamper-evident paper ballot to give to a voter, the voter selects a ballot from one of multiple Ballot Vending Machines, so election officials can’t know which ballot the voter will get.
3. Public display of all cast scanned-ballot datafiles on the independent stakeholder blockchains.
Security Layers that Protect Ballot Integrity and Authenticity
Note: "Integrity" means the data has not been altered.
Note: "Authenticity" means the data can be verified as coming from an expected source (in this case, verified cryptographically by 1) a Ballot Public Key that determines whether the ballot digital signature (created from the Ballot Private Key) is valid and 2) a Scanner Public Key that determines whether the scanner digital signature (created from the stakeholder Scanner Private Key) is valid).
4. A hidden Ballot ID# and a hidden Ballot Private Key QR Code (printed in invisible ink that is readable by the scanner device) inside a folded, sealed, tamper-evident paper ballot.
The paper ballot provides a tamper-evident auditable trail.
The hidden Ballot ID# enables each voter to verify the integrity of their cast scanned-ballot datafile by using a blockchain explorer (search engine) and their Ballot ID# to look up their scanned-ballot datafile on the stakeholder blockchains.
The hidden Ballot Private Key QR Code (printed in invisible ink that is readable by the scanner device) guards against unauthorized use of the Ballot Private Key to cast a counterfeit ballot(s).
5. Ballot Private Key (part of a public-private key pair)—printed as a QR Code in invisible ink (readable by the scanner device) and hidden in a folded, sealed, tamper-evident paper ballot.
6. Stakeholder-Scanner Private Key (part of a public-private key pair)—on a stakeholder scanner.
7. Cryptographic Puzzle—from a stakeholder scanner.
8. Multiple Independent-Stakeholder Scanners—in a Scanner Set Assembly.
9. Shredder—in the Scanner Set Assembly.
10. Multiple Independent-Stakeholder Blockchains—in the network of cooperating blockchains.
Store cryptographically verified copies of all scanned-ballot datafiles from all the independent-stakeholder scanners.
Each stakeholder blockchain likely stores the scanned-ballot datafiles in different sequences (based on their differing travel paths and speed over the internet from the scanners to the stakeholder blockchains), but the count of scanned-ballot datafiles on the blockchains will be identical if all the blockchains store all the scanned-ballot datafiles.
If multiple Stakeholder Operated Blockchains were not used, then bad actors could censor or alter scanned-ballot datafiles via a 51% attack on the single blockchain, and although the tampering would be detectable (via comparison to previous versions of the blockchain), the tampering could be used to sow discord and force a manual count of paper ballots.
Live PaperBallotchain Vote Tallies Report, produced by an open-source blockchain explorer designed to display consolidated results from all the independent stakeholder blockchains storing the Stakeholder-Scanned-Ballot Datafiles