Vitalik Buterin clarifies two misconceptions about blockchain voting: why is it underestimated?
This article is from Chain News, original title: "Vitalik: Why Do We Need Blockchain Voting?", author: Vitalik Buterin, co-founder of Ethereum, translated by Nan Feng, source: Unitimes.
Voting is a process that requires process integrity. The results of the vote must be correct, and there must be a transparent process to ensure this, so that everyone can trust that the result is accurate. There should be no possibility of successfully interfering with anyone's voting intentions or preventing their ballots from being counted.
Blockchain is a technology that provides guarantees for process integrity. If a process runs on a blockchain, it ensures that the process will execute according to some pre-agreed code and provide correct outputs. No one can stop its execution, no one can tamper with this execution, and no one can censor any user's input and prevent it from being processed.
So at first glance, blockchain seems to provide exactly what is needed for voting. I am not the only one with this idea; many major potential users are interested in it. But it turns out that some people have very different opinions…
Despite the apparent perfect match between the demand for voting and the technological benefits provided by blockchain, we often see alarming articles opposing the combination of the two. And it's not just one article: Scientific American published an article against blockchain voting [1]; CNet also released such an article [2]; and ArsTechnica published an article as well [3]. And it's not just tech journalists: Bruce Schneier (a well-known computer security expert) also opposes blockchain voting [4]; researchers from MIT wrote a whole paper [5] arguing that it is a bad idea. So what exactly is happening?
Overview
Critics of blockchain voting protocols typically raise two key criticisms:
- Blockchain is not a software tool designed for elections. The trust properties provided by blockchain do not match the properties needed for voting, and other types of software tools with different information flows and trust properties would be more useful.
- Software cannot generally be trusted to conduct elections, regardless of what software it is. The risks of undetected bugs in software and hardware are too high, no matter how the platform is organized.
This article will sequentially discuss these two viewpoints (using the term "refute" is too strong, but I absolutely disagree with both viewpoints). First, I will discuss the security issues of existing attempts to use blockchain for voting, and that the correct solution is not to abandon blockchain, but to combine it with other cryptographic technologies. Secondly, I will elaborate on the issue of whether software (and hardware) can be trusted. My answer is: computer security is actually getting better, and we can strive to continue this trend.
In the long run, sticking to paper-based voting will become a huge obstacle to improving voting. Voting every N years is a form of democracy that has been around for 250 years; if voting can be made more convenient and simpler, we can have better democracy, allowing us to vote more often.
Undoubtedly, this article is based on the premise that good blockchain scalability technology (such as sharding) is available. Of course, if blockchain cannot scale, none of this can happen. But so far, the development of this technology has been very rapid, and there is no reason to believe it won't happen.
Poor Blockchain Voting Protocols
Blockchain voting protocols are always under attack. Two years ago, the blockchain voting technology company Voatz was all the rage, and many people were very excited about it. But last year, some researchers from MIT discovered a series of critical security vulnerabilities on their platform [6]. Meanwhile, in Moscow, a blockchain voting system that was about to be used for elections was hacked [7]; fortunately, the attack occurred a month before the election began.
These hacks are quite serious. Here is a table of the attack capabilities successfully identified by researchers analyzing Voatz:
This alone is not a reason to oppose the use of blockchain voting. However, blockchain voting software should be designed more cautiously and scaled gradually over time.
Privacy Protection & Anti-Coercion
But even blockchain voting protocols that are not technically compromised are often poor. To understand why, we need to delve deeper into what specific security properties blockchain provides and what specific security properties voting requires—and when we look closely, we will see a mismatch between the two.
Blockchain provides two key properties: correct execution and censorship resistance. Correct execution simply means that the blockchain accepts user inputs ("transactions"), processes them correctly according to some predefined rules, and returns the correct output (or adjusts the blockchain's "state" in the correct way); censorship resistance is also easy to understand: any user who wants to send a transaction and is willing to pay a sufficiently high fee can send a transaction and expect it to be quickly packaged onto the chain.
These two properties are very important for voting: you want the voting result to be the sum of the votes for each candidate, selecting the candidate with the most votes, and you certainly want any eligible voter to be able to participate in the voting, even if some powerful individuals try to prevent them from doing so. But voting also requires some key properties that blockchain does not provide:
- **Privacy**: You should not know which specific individuals voted for which candidates, or even whether they voted at all;
- **Anti-Coercion**: You should not be able to prove to others how you voted, even if you want to do so.
The necessity of the first requirement (i.e., privacy) is obvious: you want people to vote based on their personal feelings without considering how those around them, their employers, the police, or random thugs on the street feel about their voting choices.
The second requirement (i.e., anti-coercion) is necessary to prevent the issue of "vote selling": if you can prove how you voted (i.e., prove who you voted for), then selling your vote becomes very easy. The provability of votes can also make forms of coercion possible, where the coercer demands to see some proof that the coerced person (the voter) voted for a certain candidate. Most people, even those who understand the first requirement, do not consider the second requirement. But the second requirement is also necessary, and it is technically important to provide this requirement. Undoubtedly, the general "blockchain voting systems" you see out there will not even attempt to provide the second property, and they often cannot provide the first property either.
Secure Electronic Voting Without Blockchain
The concept of securely executing social mechanisms cryptographically is not something that blockchain enthusiasts invented; it has actually existed long before us. Outside the blockchain space, there has been a 20-year tradition of cryptographers dedicated to researching secure electronic voting, and the good news is that solutions already exist. The paper titled "Coercion-Resistant Electronic Elections" by Juels, Catalano, and Jakobsson, published in 2002, has been cited in many papers over the past 20 years:
Since then, this concept has undergone multiple iterations; Civitas [9] is a prominent example, although there are many other examples. These protocols use a similar set of core technologies: there is a group of agreed-upon "talliers," and a trust assumption that most talliers are honest. Each tallier possesses a "part" of a private key, and the corresponding public key is published. Voters encrypt their votes using the talliers' public key and publish the encrypted votes; the talliers use a secure multi-party computation (MPC) protocol [10] to decrypt, verify the votes, and tally the results. The tallying is done "within the MPC": the talliers never learn the full private key at any point, and when calculating the final result, they do not learn any information about individual votes, except for what can be inferred from the final result itself.
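One simple way to get the property described above (key held in parts, only the total ever decrypted) is additively homomorphic ElGamal with a split key. The sketch below is an added illustration, not code from the article or from Civitas or the Juels et al. protocol: it assumes a yes/no ballot, a toy 127-bit group, n-of-n key sharing instead of a majority threshold, and it omits the proofs that each ballot and each partial decryption is well formed; all function names are hypothetical.

```python
# Added illustration: talliers hold key shares and jointly decrypt only the sum.
# Toy parameters, NOT secure; ballot-validity and decryption proofs are omitted.
import secrets

P = 2**127 - 1   # toy-sized prime modulus (assumption; far too small for real use)
G = 3

def tallier_keygen():
    """Each tallier picks a private share x_i and publishes G^x_i."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def joint_public_key(public_shares):
    """The election public key is the product of the published shares."""
    H = 1
    for share in public_shares:
        H = H * share % P
    return H

def encrypt_vote(H, vote):
    """Exponential ElGamal: vote is 0 (no) or 1 (yes)."""
    r = secrets.randbelow(P - 2) + 1
    return pow(G, r, P), pow(G, vote, P) * pow(H, r, P) % P

def aggregate(ballots):
    """Multiplying ciphertexts component-wise adds the underlying votes."""
    A = B = 1
    for a, b in ballots:
        A, B = A * a % P, B * b % P
    return A, B

def partial_decrypt(x_i, A):
    """A tallier applies its share to the aggregate only, never to one ballot."""
    return pow(A, x_i, P)

def combine(partials, B, max_total):
    D = 1
    for d in partials:
        D = D * d % P
    target = B * pow(D, P - 2, P) % P        # equals G^(number of yes votes)
    for total in range(max_total + 1):       # small search recovers the count
        if pow(G, total, P) == target:
            return total
    raise ValueError("no valid tally: a partial decryption is missing or wrong")

def run_election(votes, n_talliers=3, drop_tallier=False):
    shares = [tallier_keygen() for _ in range(n_talliers)]
    H = joint_public_key([pub for _, pub in shares])
    board = [encrypt_vote(H, v) for v in votes]   # what gets published
    A, B = aggregate(board)
    partials = [partial_decrypt(x, A) for x, _ in shares]
    if drop_tallier:                              # one tallier withholds its part
        partials.pop()
    return combine(partials, B, len(votes))
```

With n-of-n sharing a single absent tallier blocks the count, which is why the protocols above use threshold sharing under an honest-majority assumption.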
Encrypting votes provides privacy, and additional infrastructure (such as mixing networks) can enhance this privacy. Meanwhile, to provide anti-coercion, one of the following two techniques can be used:
The first option is that during the registration phase (when talliers learn each registered voter's public key), voters generate or receive a key. The corresponding public key is shared among the talliers, and the talliers' MPC will only compute a vote if that vote is signed with the key. Voters cannot prove to third parties what their key is, so if they are bribed or coerced, they can simply present a false key and use the false key to sign the vote. Alternatively, voters can send a message to change their key, and they cannot prove to third parties that they did not send such a message, so the vote remains the same.
The second option is a technique that allows voters to cast multiple votes, with the later vote overriding the previous one. If a voter is bribed or coerced, they can first vote for a candidate as per the briber/coercer's request, but later send another vote to override the previous one.
Empowering voters to override previous votes with subsequent votes is the key to the anti-coercion mechanism of this 2015 protocol.
Now, let's look at an important nuance in all these protocols. They all rely on an external primitive to complete their security guarantees: the electronic bulletin board (BB in the image above). The bulletin board is a place where any voter can send messages, and it guarantees that (1) anyone can read the bulletin board and (2) anyone can send a message that gets accepted onto the bulletin board. Most anti-coercion voting papers casually mention the existence of the bulletin board, but very few discuss how this bulletin board can actually be implemented. Here you can see my intention: the safest way to implement a bulletin board is to use an existing blockchain!
Secure Electronic Voting Using Blockchain
Of course, long before blockchain, many people tried to create an electronic bulletin board. This 2008 paper [12] is such an attempt, with a trust model that is a standard requirement: "at least k out of n servers must be honest" (commonly k = n/2). For example, this 2021 literature review [13] covers some attempts to implement bulletin boards before blockchain and explores the use of blockchain in this context, while these pre-blockchain solutions also relied on the k-of-n trust model.
Blockchain is also a k-of-n trust model, requiring that at least half of the miners or PoS validators follow the protocol; if this assumption fails, it usually leads to a "51% attack." So, why is blockchain better than a special-purpose electronic bulletin board? The answer is: establishing a truly trustworthy k-of-n system is difficult, and blockchain is the only system that has already solved this problem on a large scale. Suppose a government announces that it is establishing a voting system and provides a list of 15 local organizations and universities that will run a special-purpose bulletin board. As an external observer, how do you know that the government did not choose these 15 organizations from 1000 based on its desire to collude with some intelligence agency?
On the other hand, public chains have a permissionless economic consensus mechanism (PoW or PoS) that anyone can participate in, along with a diverse and highly incentivized infrastructure composed of block explorers, exchanges, and other monitoring nodes to continuously verify in real-time that nothing bad is happening.
These more complex voting systems do not just use blockchain; they also rely on cryptography such as zero-knowledge proofs to ensure correctness and on multi-party computation to ensure anti-coercion. Thus, they avoid the weaknesses of those more "naive" voting systems that simply "cast votes directly onto the blockchain" while ignoring the resulting privacy and anti-coercion issues. But the blockchain bulletin board remains a key part of the security model of the entire design: if the committee is compromised but the blockchain is not, the anti-coercion properties will disappear, even though all other guarantees surrounding the voting process remain.
MACI: Anti-Coercion Blockchain Voting on Ethereum
The Ethereum ecosystem is currently experimenting with a system called MACI [14], which combines blockchain, ZK-SNARKs, and a central participant that is trusted for anti-coercion (but has no ability to undermine any property other than anti-coercion). MACI is not technically difficult. Users participate by signing a message with their private key, encrypting the signed message with the public key published by the central server, and publishing the encrypted signed message to the blockchain. The server downloads these messages from the blockchain, decrypts and processes them, and outputs a result along with a ZK-SNARK proof that the computation was done correctly.
Users cannot prove how they participated because they can send a "change key" message to deceive anyone trying to audit them: they can first send a message to change their key from A to B, then send a "fake message" signed with A. The server will reject this fake message, but others have no way of knowing that the change key message was sent. There is a trust requirement on the server, albeit only to achieve privacy and anti-coercion; the server cannot publish incorrect results through incorrect computations or by censoring messages. In the long run, multi-party computation can be used to decentralize the server to some extent, thereby enhancing the guarantees of privacy and anti-coercion.
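The key-change mechanism described above can be modelled in a short script. This is an added illustration, not code from MACI or from the original article: it assumes toy Schnorr signatures and hashed-ElGamal encryption over a 127-bit group (not secure), uses a Python list as the on-chain message log, omits the ZK-SNARK, and all function and voter names are hypothetical.

```python
# Added illustration (not MACI's code): toy model of the key-change mechanism.
# Toy crypto over a 127-bit group, NOT secure; the ZK-SNARK step is omitted.
import hashlib
import json
import secrets
from collections import Counter

P = 2**127 - 1   # toy-sized prime modulus (assumption)
Q = P - 1        # exponents are reduced modulo the group order
G = 3

def h(*parts):
    data = "|".join(str(p) for p in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def sign(sk, msg):
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    return r, (k + h(r, msg) * sk) % Q

def verify(pk, msg, sig):
    r, s = sig
    return pow(G, s, P) == r * pow(pk, h(r, msg), P) % P

def xor_stream(shared, data):
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(f"{shared}|{i}".encode()).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def encrypt(coord_pk, plaintext):
    eph_sk, eph_pk = keygen()
    return eph_pk, xor_stream(pow(coord_pk, eph_sk, P), plaintext)

def decrypt(coord_sk, ciphertext):
    eph_pk, body = ciphertext
    return xor_stream(pow(eph_pk, coord_sk, P), body)

def signed_packet(sk, voter_id, new_pk, vote):
    body = json.dumps({"id": voter_id, "new_pk": new_pk, "vote": vote})
    return json.dumps({"body": body, "sig": sign(sk, body)}).encode()

def process(coord_sk, registry, board):
    """Coordinator: apply messages in on-chain order; return (tally, accepted flags)."""
    keys, votes, accepted = dict(registry), {}, []
    for ciphertext in board:
        try:
            packet = json.loads(decrypt(coord_sk, ciphertext))
            body = json.loads(packet["body"])
            ok = verify(keys[body["id"]], packet["body"], packet["sig"])
        except (ValueError, KeyError, TypeError):
            ok = False
        if ok:  # a valid message both rotates the key and overrides the vote
            keys[body["id"]], votes[body["id"]] = body["new_pk"], body["vote"]
        accepted.append(ok)
    return dict(Counter(votes.values())), accepted

def demo():
    coord_sk, coord_pk = keygen()
    (sk_a, pk_a), (_, pk_b), (sk_c, pk_c) = keygen(), keygen(), keygen()
    registry = {"v1": pk_a, "v2": pk_c}               # constructed sample voters
    real = signed_packet(sk_a, "v1", pk_b, "alice")   # real vote, rotates key A -> B
    decoy = signed_packet(sk_a, "v1", pk_a, "bob")    # shown to a coercer; A is stale
    others = [signed_packet(sk_c, "v2", pk_c, "bob"),
              signed_packet(sk_c, "v2", pk_c, "alice")]  # later valid vote overrides
    board = [encrypt(coord_pk, m) for m in [real, decoy] + others]
    # What a coercer can check: the decoy verifies under the registered key A.
    shown = json.loads(decoy)
    coercer_ok = verify(registry["v1"], shown["body"], shown["sig"])
    tally, accepted = process(coord_sk, registry, board)
    return tally, accepted, coercer_ok
```

The decoy message looks valid to anyone who only knows the registered key, but the coordinator discards it; observers see four opaque ciphertexts and cannot tell which were counted.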
This solution has a demonstration at clr.fund [15], where it is used for quadratic funding. By using the Ethereum blockchain to ensure the censorship resistance of voting, it provides a much higher level of censorship resistance than relying on a committee.
Summary
The voting process has four important security requirements that must be met: correctness, censorship resistance, privacy, and anti-coercion.
Blockchain excels at the first two but does not excel at the latter two.
Encrypting the votes that are put on the blockchain can enhance privacy. Zero-knowledge proofs can provide correctness even though external observers cannot directly tally the votes because they are encrypted.
Multi-party computation can provide anti-coercion properties, provided it is combined with mechanisms that allow users to interact with the system multiple times: either the previous vote invalidates the subsequent vote or vice versa.
Using blockchain ensures you have very high censorship resistance, and even if the committee colludes to break anti-coercion, you will still maintain this censorship resistance. Introducing blockchain can significantly enhance the security of the system.
But Can We Trust the Technology?
Now let's return to the second deeper criticism of any type of electronic voting (whether using blockchain or not): the technology itself is too insecure and should not be trusted.
A recent paper from MIT [16] criticized blockchain voting, including the table below, which describes how any form of paperless voting is fundamentally too difficult to ensure security:
The key property the authors of this paper focus on is software independence, which they define as "a property that undetected changes or bugs in the system software cannot cause undetectable changes to the election results." Essentially, this means that a bug in the code should not accidentally make Prezzy McPresidentface the new president of a country (or more realistically, a maliciously embedded bug should not be able to increase a candidate's vote share from 42% to 52%).
But there are other ways to handle bugs. For example, any blockchain-based voting system using publicly verifiable zero-knowledge proofs can be independently verified. Someone can write their own implementation of the proof verifier and verify the ZK-SNARK themselves. They could even write their own voting software. Of course, the technical complexity of actually doing this exceeds that of 99.99% of any practical voter base, but if thousands of independent experts are capable of doing this and verifying that the software works, that would be practically excellent.
However, for the authors at MIT, this is not enough:
Therefore, any system that uses only electronic means, even if it is end-to-end verifiable, seems unsuitable for foreseeable political elections. The U.S. Voting Foundation has noted the promise of E2E-V methods to improve the security of online voting but has released a detailed report recommending avoiding their use for online voting until and unless the technology matures further and is thoroughly tested in voting.
Others have extended these ideas. For example, the proposals by Juels et al. emphasize using cryptography to provide various forms of "anti-coercion." The Civitas proposal by Clarkson et al. implements additional mechanisms for anti-coercion, which Iovino et al. further incorporated and refined into their Selene system. From our perspective, these proposals are innovative but unrealistic: they are quite complex, and most seriously, their security relies on the voter's device not being compromised and functioning as expected, which is an unrealistic assumption.
The concerns of these MIT authors are not about the hardware security of voting systems; this risk can actually be mitigated when using zero-knowledge proofs. Rather, they are focused on a different security issue: whether the user's device is secure in principle.
Given the long history of various exploits and hacks on consumer devices, there is reason to believe the answer is "not secure." The following quotes are from an article I wrote in 2013 about Bitcoin wallet security:
Last night around 9 PM, I clicked on a link to CoinChat[.]freetzi[.]com -- I was prompted to run Java. I did so (I thought it was a legitimate chat room), but nothing happened. I closed that window and didn't think much of it. About 14 minutes later, when I opened my bitcoin-qt wallet, I saw a transaction I had not authorized, which sent almost all the funds in my wallet (2.07 BTC) to this address:
1Es3QVvKN1qA2p6me7jLCVMZpQXVXWPNTC
And:
In June 2011, a Bitcointalk member "allinvain" had their computer directly hacked by an unknown intruder, losing 25,000 BTC (worth $500,000 at the time). The attacker was able to access allinvain's wallet.dat file and quickly drained the wallet—either by sending transactions from allinvain's computer or by uploading the wallet.dat file and then draining the wallet on their own computer.
But these disasters overshadow a larger fact: computer security has actually been slowly and steadily improving over the past twenty years [17]. Attacks are now harder to execute, often requiring attackers to find vulnerabilities across multiple subsystems rather than searching for a single vulnerability in a large, complex codebase. Now, high-profile incidents are more common than ever, but this is not a sign that everything has become more insecure; rather, it is just a sign that we are increasingly reliant on the internet.
Trusted hardware [18] is a very important source of recent improvements. Some new "blockchain phones" (such as a model from HTC [19]) have gone quite far in this technology, installing a security-focused minimalist operating system on a trusted hardware chip, allowing high-security applications (such as cryptocurrency wallets) to remain separate from other applications. Samsung has begun producing phones using similar technology. Even those devices that have never been advertised as "blockchain devices" (like the iPhone) often have some form of trusted hardware.
Cryptocurrency hardware wallets are essentially the same thing, except that this trusted hardware module is physically located outside the computer rather than inside. But trusted hardware (deservedly!) often receives bad press in security circles, especially in the blockchain community, because it has been repeatedly compromised [20]. Indeed, you certainly do not want to use it as a substitute for your security. But as an enhancement technology, it is a huge step forward.
Finally, single applications, such as cryptocurrency wallets and voting systems, are much simpler than entire consumer operating systems, leaving less room for error—even if you have to integrate support for quadratic voting, lotteries, quadratic selection, and so on. The benefit of tools like trusted hardware is that they can isolate simple things from complex and potentially compromised ones, and these tools are achieving some success.
So Over Time, Risks May Decrease. But What Are the Benefits?
The improvements in these security technologies suggest that consumer hardware may be more trusted in the future than it is now. The investments made in this area over the past few years are likely to continue to pay off over the next decade, and we can expect further significant improvements. But what are the benefits of digitizing voting (whether based on blockchain or otherwise) that make it worth exploring this entire field?
My answer is simple: voting will become more efficient, allowing us to vote more often. Currently, formal democratic engagement with organizations (governments or corporations) is often limited to voting once every 1-6 years. Perhaps largely for this reason, decentralized decision-making in our society is severely polarized into two extremes: pure democracy and pure market. Democracy is either very inefficient (corporate and government voting) or very insecure (social media likes/shares). The market is technically much more efficient than social media and much safer, but its fundamental economic logic makes it unsuitable for many types of decision-making problems, especially those related to public goods.
Yes, I know this is yet another triangle, and I am really, really sorry to have to use it. But please forgive me this time… (Okay, I’m sure I will make more triangles in the future; bear with me.)
If we can establish more systems that lie between democracy and the market, benefiting from the egalitarianism of the former, the technological efficiency of the latter, and the economic properties of both, we can accomplish a lot. Quadratic funding is a great example; liquid democracy is another excellent example. Even if we do not introduce novel delegation mechanisms or quadratic mathematics, we can still do a lot by making voting more adaptable to the information each voter can access through more frequent voting on a smaller scale. The challenge of all these ideas is that for a scheme to sustain any degree of democracy over the long term, you need some form of Sybil resistance and vote-buying mitigation: this is precisely what these promising ZK-SNARK + MPC + blockchain voting schemes are trying to address.
The Crypto Space Can Help
One underrated benefit of the cryptocurrency space is that it serves as an excellent "virtual economic zone" to test economic and cryptographic ideas in a highly adversarial environment. Whatever you build and release, once its controlled economic power exceeds a certain scale, a wide variety of participants (sometimes altruistic, sometimes self-interested, and sometimes malicious, many of whom are completely anonymous) will suddenly come to this system and try to distort its economic power for their own various goals.
The motivation for attackers is high: if an attacker steals $100 from your crypto-economic tool, they typically receive the full $100 reward, and they usually escape punishment. But the motivation for defenders is also high: if you develop a tool that helps users avoid losing funds, you can (at least sometimes) turn it into a tool and earn millions of dollars. Cryptocurrency is the ultimate training ground: if you can build something that can survive at scale in this environment, it may also survive in the larger world.
This applies to quadratic funding [21], to multisig [22], to social recovery wallets [23], and to voting systems. The blockchain space has already helped drive the rise of important security technologies:
- Hardware wallets;
- Efficient general-purpose zero-knowledge proofs;
- Formal verification tools;
- "Blockchain phones" equipped with trusted hardware chips;
- Sybil-resistance mechanisms, such as Proof of Humanity [24].
In all these cases, some version of the technology existed before the advent of blockchain. But it is hard to deny that blockchain has had a significant impact on driving this work, and the inherent incentives in the blockchain space have played a key role in the real-world implementation of technological advancements.
Conclusion
In the short term, any form of blockchain voting should be limited to small experiments, whether for more mainstream applications or small-scale experiments within the blockchain space itself. Current security is clearly not good enough to rely entirely on computers. But this is improving, and if I am wrong and security does not improve, then not only blockchain voting but the entire cryptocurrency space will struggle to succeed. Therefore, there is a strong motivation for this technology to continue to improve.
We should all continue to pay attention to this technology and the efforts being made around the world to improve security, and gradually become more comfortable using technology in very important social processes. Technology is already key to our financial markets, and the crypto-ization of a large part of the economy will hand over a larger part of the economy to our cryptographic algorithms and the hardware running these algorithms. We should carefully observe and support this process, and over time leverage its benefits to bring our governance technology into the 21st century.
Special thanks to Karl Floersch, Albert Ni, Mr. Silly, and others for their feedback and discussions.