The DECENT Solution
When designing a solution, the first consideration is: "What is the specific problem?" The answer comes in two parts:
1. How do I know my ballot was counted the way it was cast?
For the most part, when we cast our ballots we're dropping them into a black hole. That's the last time we'll ever see them, and they're instantly severed from us. Did someone bubble in a contest that was left blank? Did someone throw the ballot out? When the ballot was digitized, did someone edit it to swap the votes? There's no way to know. If the process were trustworthy, a recount would exactly match the initial result. But recounts seldom do.
2. How do I know illegal ballots haven't been added?
Phrased differently: how do I know the box hasn't been stuffed? When elections still used ballot boxes, the answer was simple: watch the box. But modern elections don't have one box, or really any boxes. An observer might watch a box in one precinct, but the votes aren't counted out of the box. They're fed through an optical scanner that digitizes them and runs some calculation to decide how the ballot was cast. Those calculations are, in practice, proprietary. Even if the code is open source, there's no guarantee the open-source code is what is actually running on the scanner, and that can only be verified with administrator access.
The first part of the problem can be solved by not severing the ballot from the elector. Instead, the elector is given an anonymous way to check the status and content of their ballot at any time. That raises a further problem: "What if the server just remembered my vote, but isn't counting it toward the results?" The solution to that is decentralization. At the close of the election, the election authority that runs the ballot server publishes a database of anonymized ballots. Any interested party can download a copy of the vote database and compute the election results themselves, and auditors can run ballot-checking services on top of it. An elector can submit an anonymized ballot ID to multiple auditing services to confirm their ballot is present in every copy. That is independent verification that the elector's ballot is in the final tally and counted the way it was cast.

While we're making progress towards a decent system, there are still issues. How does the elector know their ID was uniquely assigned? How would an individual elector know if someone else's ballot was changed? If illegal votes were added? Clearly the method needs to be more complex.
The issues above can be solved with asymmetric cryptography. The elector's ballot ID becomes a public signing key, with the private key held solely by the elector. Because the keypair is generated from fresh randomness for each ballot, it is unique with overwhelming probability: no other elector can end up with the same ID. Signing the completed ballot with the private key produces a signature that anyone holding the public key can check, so any change to the ballot after signing is detectable. Access to the private key is not required for verification. This allows any individual not only to verify that their own vote is unchanged, but to verify that all votes remain unchanged from how they were cast. But what if the election authority simply replaced the key and the signature along with the ballot? What if the ballot was deleted in its entirety?

The server needs to return a receipt for each elector's ballot. When the election authority signs the elector's ballot signature with its own signing key, the elector holds hard evidence that the released database must contain a ballot matching that elector-signed signature. If an elector searches the database for their vote and finds it changed or deleted, the elector can prove that fact mathematically rather than merely assert it. By allowing electors to submit anonymized ballot receipts to auditing services, the vote counting and audit processes can be crowd-sourced, so that even non-programmers get an audit of their individual vote. By open-sourcing the algorithms, vote counts and audits are decentralized: many people can audit each election in a short time at negligible cost, and they all arrive at exactly the same answer.
And finally: what about illegal ballots? Surely it's trivial for the election authority to insert ballots at the last minute for everyone who hasn't yet voted. That is why our patent-pending method uses Trusted Platform Modules (TPMs) to additionally sign ballots before they are received by the election authority. A ballot that wasn't also signed by an allow-listed TPM (the list being released before the election) is by definition invalid. These designated TPMs are deployed only to precincts, and the list of which machines are where is also released before the election, so that electors can observe that no machines are missing or misplaced. The TPM signature proves which certified machine a ballot came from, not who cast it; that is why valid ballots must be cast in a public setting where observers may be present. Together these cripple the ability of any one person to "stuff the box" with multiple illegal ballots. One might ask about mail-in ballots, for which Decent Elections is currently researching a solution. In the interim, a statistical comparison can be made between in-person voting and mail-in ballots; a significant departure between the two may be evidence of fraud. But let's not allow perfect to be the enemy of better.
Methodological Basics
DECENT systems are designed from the ground-up to provide mathematical proof of every vote in the electoral process. A simplification of the method is as follows:
- An elector uses a voting machine to fill out a ballot. Once the ballot is complete, the machine generates a fresh signing keypair for the elector and uses the private key to sign the elector's ballot. The ballot's signature is then signed by a TPM embedded in the voting machine.
- The elector's ballot, ballot signature, public signing key, and TPM signature are sent over an encrypted network to an authentication server run by the election authority.
- The server checks that all of the signatures are valid, stores the ballot, and signs the ballot signature with an election authority signing key. The ballot signature, now countersigned by the election authority, is the elector's receipt.
- The receipt is returned to the voting machine, which checks that the election authority's signature is valid over the ballot signature it sent.
- The voting machine presents the receipt to the elector along with the private key of the keypair generated in the first step.
- The elector has the opportunity to save the receipt and key to their smartphone, or to print a physical paper copy of the receipt and key.

The receipt can be used by the elector to verify that their ballot hasn't been altered or deleted and is contributing to the results of the election as intended. The elector can use their computer or an app on their smartphone to connect to the election auditing services of their choice. That could be a government organization such as the elector's county, a non-profit interested in electoral integrity, an academic institution such as a community college or state university, or even a service run by a political party. At the close of the election, the ballot database is anonymized and published openly, which allows any interested party to share and audit the ballots. Anonymously providing a ballot receipt to an auditing service lets that service find the elector's ballot, verify that it originated from a certified machine, verify that it is unaltered, and return the ballot contents to the elector for inspection.

Further, anyone possessing the database can perform a full audit of it without needing the receipt for any vote: every signature required to verify a ballot is in the released database. The vote counting and auditing processes have been decentralized entirely. Election audits become essentially free, complete almost instantly, and can be performed by anyone capable of running the required code.
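The signature chain described in the steps above and the two kinds of audit described in this section, worked through end to end as an added example. This is illustrative code written for this page, not Decent Elections' own software: the record layout, the choice of Ed25519, the "Mayor=Smith" ballot encoding and the sample ballots are all assumptions, and the TPM key is an ordinary variable here, whereas a real TPM never exports its private key. It shows the voting-machine side (fresh elector keypair, elector signature, TPM countersignature), the server's acceptance and receipt, a full database audit that needs no receipts, and an auditing service's receipt check that distinguishes an altered ballot from a deleted one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is one anonymized ballot as published; layout assumed, not DECENT's schema.
type Record struct {
	Ballot     []byte            // serialized choices, e.g. "Mayor=Smith"
	ElectorPub ed25519.PublicKey // the anonymous ballot ID
	ElectorSig []byte            // elector's signature over Ballot
	TPMPub     ed25519.PublicKey // identifies the precinct machine
	TPMSig     []byte            // TPM's signature over ElectorSig
}

// Receipt is what the elector keeps: the authority's countersignature over ElectorSig.
type Receipt struct {
	ElectorSig []byte
	AuthSig    []byte
}

// Authority holds the authority's key, the pre-published TPM allow-list
// (keyed by raw public key) and the ballots accepted so far.
type Authority struct {
	Priv        ed25519.PrivateKey
	AllowedTPMs map[string]bool
	DB          []Record
}

// castBallot is the voting-machine side: fresh keypair per ballot, elector signs
// the ballot, TPM signs that signature. (A real TPM never exports its key.)
func castBallot(ballot []byte, tpmPriv ed25519.PrivateKey) (Record, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Record{}, nil, err
	}
	electorSig := ed25519.Sign(priv, ballot)
	tpmPub := tpmPriv.Public().(ed25519.PublicKey)
	return Record{ballot, pub, electorSig, tpmPub, ed25519.Sign(tpmPriv, electorSig)}, priv, nil
}

// verifyRecord is the check the server runs on submission and every auditor repeats.
func verifyRecord(r Record, allowed map[string]bool) error {
	if !allowed[string(r.TPMPub)] {
		return errors.New("TPM not on the published allow-list")
	}
	if !ed25519.Verify(r.ElectorPub, r.Ballot, r.ElectorSig) {
		return errors.New("elector signature does not match ballot")
	}
	if !ed25519.Verify(r.TPMPub, r.ElectorSig, r.TPMSig) {
		return errors.New("TPM signature does not match ballot signature")
	}
	return nil
}

// Accept is the server side: verify, store, countersign the ballot signature.
func (a *Authority) Accept(r Record) (Receipt, error) {
	if err := verifyRecord(r, a.AllowedTPMs); err != nil {
		return Receipt{}, err
	}
	a.DB = append(a.DB, r)
	return Receipt{r.ElectorSig, ed25519.Sign(a.Priv, r.ElectorSig)}, nil
}

// AuditDatabase re-verifies every published record and tallies the ballots.
// No receipts are needed: every signature required is in the database.
func AuditDatabase(db []Record, allowed map[string]bool) (map[string]int, error) {
	tally := map[string]int{}
	for i, r := range db {
		if err := verifyRecord(r, allowed); err != nil {
			return nil, fmt.Errorf("record %d: %w", i, err)
		}
		tally[string(r.Ballot)]++
	}
	return tally, nil
}

// CheckReceipt is the auditing-service side. A valid receipt proves the authority
// accepted this signature, so an altered or missing ballot is a provable discrepancy.
func CheckReceipt(db []Record, rc Receipt, authPub ed25519.PublicKey) ([]byte, error) {
	if !ed25519.Verify(authPub, rc.ElectorSig, rc.AuthSig) {
		return nil, errors.New("receipt was not signed by the election authority")
	}
	for _, r := range db {
		if string(r.ElectorSig) == string(rc.ElectorSig) {
			if !ed25519.Verify(r.ElectorPub, r.Ballot, r.ElectorSig) {
				return nil, errors.New("ballot was altered after it was signed")
			}
			return r.Ballot, nil
		}
	}
	return nil, errors.New("receipted ballot is missing from the published database")
}

func main() {
	authPub, authPriv, _ := ed25519.GenerateKey(rand.Reader)
	tpmPub, tpmPriv, _ := ed25519.GenerateKey(rand.Reader)
	auth := &Authority{Priv: authPriv, AllowedTPMs: map[string]bool{string(tpmPub): true}}
	rec, _, _ := castBallot([]byte("Mayor=Smith"), tpmPriv) // constructed sample ballot
	rc, _ := auth.Accept(rec)
	ballot, err := CheckReceipt(auth.DB, rc, authPub)
	fmt.Println(string(ballot), err)
}
```

The receipt covers only the elector's signature, as the steps above describe; the TPM signature need not be in the receipt because the published record carries it and any auditor re-checks it against the allow-list. Note what each failure looks like to an auditor: an altered ballot still matches the receipt's signature but no longer verifies under the elector's public key, a deleted ballot simply has no record matching the receipt, and a ballot from a machine not on the allow-list is rejected at submission and again on audit.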

DECENT machines are designed around Linux with secure boot backed by the embedded TPMs. At the close of an election, an unlock code is published by the election authority. This allows any public observer to log in to a read-only account on any machine and review the code running on it; the TPM-backed secure boot is what ties the code an observer reads on disk to the code the machine actually booted. The vast majority of the code handling ballots is written in scripting languages, allowing a plain-text review of the code on any machine. There are no more black boxes. The entire process is exposed to sunlight.
© 2022 Decent Elections LLC