Blockchain and Voting

Blockchain and Bitcoin may prove to be amazing innovations that change our daily lives, but I doubt they will materially impact how we vote. Here’s why.

What Blockchain Is and Isn’t

The common way to describe Blockchain is something like: it’s a database, only instead of being run by one central computer you have to trust, it’s run by many different computers around the world. Alternatively, it’s a distributed ledger: one linear set of events/transactions managed by a distributed set of computers.

These descriptions are true, but they’re also misleading in their oversimplification. It’s that oversimplification that leads some to think the Blockchain will solve all of our problems. Because … decentralized!

OK, but distributed databases are not new. We’ve known for a while how to replicate a database with a sprinkle of cryptography to distribute the trust. The Merkle tree, a key component of Blockchain that lets you verify consistency of a large dataset quickly, was invented in 1979. The Hash chain, another key component of Blockchain that lets you create a tamper-proof chronology of events, was invented in 1981 (it’s used in things like git). You can build a distributed ledger with Merkle trees and hash chains. We’ve been able to do this since the 80s. So … what’s new?

Blockchain isn’t just a distributed database, it’s a very specific kind of distributed database where

  • the database maintainers aren’t authenticated: anyone can be a blockchain maintainer without revealing who they are or having any kind of privileged relationship with other maintainers.
  • the set of maintainers changes over time. New maintainers come in, existing maintainers leave, without central planning or predictability. The maintainers of the Bitcoin blockchain 5 years ago are very different from the maintainers today.

In other words: anyone can become a maintainer of the Bitcoin blockchain at any time, without asking for permission, with nothing more than computing power. Just start up the software and join the club. This is pretty amazing stuff. It wasn’t obvious, before Blockchain, that it would be possible to design such a distributed database with an amorphous untrusted set of maintainers where you just need half good guys.

(There’s another really cool trick in Bitcoin, which is the incentive system for database maintainers: they get rewarded in Bitcoin for doing their database maintenance part, which makes the whole system self-sustaining. Super cool, but off topic for today.)

It’s important to realize that the true Bitcoin/Blockchain innovation is actually in this very specific trust setting of a dynamically changing set of database maintainers. If your use case doesn’t call for that, if you can designate the maintainers at the start of your protocol and have them authenticate to each other, then you don’t need the full Blockchain toolkit. You need only fairly standard cryptography and your use case was achievable 20 years ago.

What We Need to Vote Securely

In a typical election setting with secret ballots, we need:

  1. enforced secrecy: a way for each voter to cast a ballot secretly and no way to prove how they voted (lest they be unduly influenced)
  2. individual verifiability: a way for each voter to gain confidence that their own vote was correctly recorded and counted.
  3. global verifiability: a way for everyone to gain confidence that all votes were correctly counted and that only eligible voters cast a ballot.

Let’s say we have a Blockchain-style distributed database. How far does that get us to meeting these needs?

A distributed database of all cast votes, where everyone sees the same state of the world, would certainly be useful for (3) global verifiability and to some degree for (2) individual verifiability. That said, it won’t get us all the way there on those, and it won’t get us anywhere on (1) enforced secrecy.

Specifically, to combine personal verifiability with enforced secrecy, we need some mechanism that gives each voter enough confidence that their vote made it all the way to the tally, but not so much that they can sell their vote to a buyer/coercer. A public ledger of plain votes is a terrible idea, since that makes vote selling trivial. A public ledger of vote tracking numbers of sorts is better for privacy, though it doesn’t really provide actual verifiability that the contents of the ballot weren’t tampered with. Clearly, we need something more, and that something simply isn’t provided by a distributed ledger.

Then there’s the need to check voter eligibility, a critical piece of global verifiability. No matter what technology we use, we need a clear list of eligible voters, and each voter should get to vote only once. Ultimately, the list of eligible voters is set in a centralized way: it’s produced by the State. There’s nothing distributed about voter eligibility. Even when there is federation / delegation to individual counties, like in the US, there is a centralized effort to cross-check that a voter isn’t registered in multiple counties.

In real-world elections today, we get personal verifiability with in-person paper ballots that voters can verify and cast directly, followed by risk-limiting audits where all political parties play a role to ensure integrity at each voting precinct. Combined with publicly auditable voter eligibility lists, this process, verified by all parties, is also how we get global verifiability. There are end-to-end voting verifiability techniques (zero-knowledge proofs) that have been around in various forms for 20-30 years that can provide an even stronger sense of personal and global verifiability, though these aren’t implemented in anything more than the occasional pilot.

Bottom line: Blockchain can help a bit with voting, but it’s not doing the most important part of the work. It doesn’t help tally secret ballots in a publicly verifiable way. It doesn’t provide individual verifiability that a ballot was correctly encoded. And it’s not useful for voting eligibility, since that’s all about human authentication and a centrally produced voter list. At best, in voting, Blockchain can be a ledger that helps us track the voting metadata.

And here’s the rub: to track voting metadata, it’s questionable whether you need a full Blockchain. Ultimately, a distributed database run by all political parties, where the maintainers are known and authenticated well ahead of time, is plenty sufficient. We don’t need the power of Blockchain. We just need Merkle trees and hash chains. And we’ve had those for 30 years.
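As an added example (not from the original post), here is a minimal tamper-evident ledger of ballot tracking numbers built from nothing but a hash chain and Merkle trees. The block layout, function names and hash prefixes are assumptions made for illustration; maintainer authentication (each party signing the latest block hash) is left out.

```python
import hashlib

GENESIS = b"\x00" * 32  # "previous hash" of the first block

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def merkle_levels(leaves):
    """All tree levels, bottom-up. Leaf and inner hashes use different prefixes."""
    level = [h(b"\x00", leaf) for leaf in leaves] or [h(b"")]  # empty batch -> fixed root
    levels = [level]
    while len(level) > 1:
        nxt = [h(b"\x01", level[i], level[i + 1]) for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])  # odd node is promoted unchanged
        level = nxt
        levels.append(level)
    return levels

def inclusion_proof(leaves, index):
    """Sibling hashes needed to check one record against the block's Merkle root."""
    proof = []
    for level in merkle_levels(leaves)[:-1]:
        sib = index ^ 1
        if sib < len(level):
            proof.append((level[sib], sib < index))  # (hash, sibling is on the left)
        index //= 2
    return proof

def verify_inclusion(leaf, proof, root):
    node = h(b"\x00", leaf)
    for sibling, is_left in proof:
        node = h(b"\x01", sibling, node) if is_left else h(b"\x01", node, sibling)
    return node == root

def append_block(chain, records):
    """Hash chain: each block commits to its predecessor and to its Merkle root."""
    prev = chain[-1]["hash"] if chain else GENESIS
    root = merkle_levels(records)[-1][0]
    chain.append({"prev": prev, "root": root, "records": list(records), "hash": h(prev, root)})

def verify_chain(chain):
    """Return the index of the first inconsistent block, or None if all check out."""
    prev = GENESIS
    for i, block in enumerate(chain):
        root = merkle_levels(block["records"])[-1][0]
        if block["prev"] != prev or block["root"] != root or block["hash"] != h(prev, root):
            return i
        prev = block["hash"]
    return None
```

Changing a record in an earlier block makes `verify_chain` return that block's index, and recomputing that block's root and hash only moves the mismatch to the next block's `prev` pointer. As the post argues, this gives tamper evidence for the metadata only; it does nothing for ballot secrecy or for proving a ballot's contents were recorded correctly.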

To sum it up, using Blockchain for voting solves a small part of the problem with an unnecessarily big hammer.

A Marketing Sidebar

It’s very possible that, though we’ve had the parts of Blockchain technology we could use in voting for a while, Blockchain tech and the hype around it help this technology “break through” to the voting universe. It’s possible we use just simple Merkle trees and hash chains, but we call them Blockchain, and Blockchain scores a win. Maybe this is about marketing, after all. I’m dubious — because Blockchain doesn’t begin to solve the most important parts of voting — but it’s possible.