ElectionGuard + Cardano: provably fair traditional elections

[GENERAL] Name and surname of main applicant

Jeff Johnson

[GENERAL] Are you delivering this project as an individual or as an entity (whether formally incorporated or not)

Individual

[GENERAL] Please specify how many months you expect your project to last (from 2-12 months)

6

[GENERAL] Please indicate if your proposal has been auto-translated into English from another language

No

[GENERAL] Summarize your solution to the problem (200-character limit including spaces)

Minimal working demo of ElectionGuard posting hashes of all election artifacts on chain (including manifest, ballots, tally, certifications). IPFS for storage. Stats dashboard + voter app if time.

[GENERAL] Does your project have any dependencies on other organizations, technical or otherwise?

Yes

[GENERAL] If YES, please describe what the dependency is and why you believe it is essential for your project’s delivery. If NO, please write “No dependencies.”

The core ElectionGuard software (current version in Python OR the new one being written in C++), as well as the reference implementation of the verifier (Rust).

[GENERAL] Will your project’s output/s be fully open source?

Yes

[GENERAL] Please provide here more information on the open source status of your project outputs

Everything will be open sourced.

I'm open to any standard open source license but lean towards something MIT-like because most voting hardware + software is managed by companies contracting with public entities, and I want those companies to be able to use it.

Code + asciinema demos will be on Github (possibly also Gitlab). Development progress will be clearly visible in branches named by milestone. Videos will go on Youtube + somewhere else as a backup. The README will be well organized with links to everything.

[METADATA] Horizons

Governance

[SOLUTION] Please describe your proposed solution

There are two problems, the one for the world at large and the one for ADA holders. I’ll deal with the world at large here, and value for ADA holders specifically under the [IMPACT] heading below.

TL;DR

• An existing open-source project has done most of the hard work to make secure elections a reality
• They don't want to connect it to a blockchain, but I think they should
• Because most of the work is done, we have an opportunity to build the first viable blockchain election system for a surprisingly small investment of capital
• That's something of an extraordinary claim, so to further de-risk it I'm only asking for enough to build a minimal demo at this point

Problem

Currently, it’s impossible for a typical voter to verify that any nation-state election they might participate in is being conducted fairly. The opacity of the system allows 1) actual fraud, and 2) allegations of fraud that are hard to convincingly disprove. The best a voter can do is trust some authority—either the government, or a watchdog organization, or a third party. No one is able to personally watch all the votes being counted. This contributes to general distrust in and cynicism about democracy, and in some cases even to political instability and violence.

Since 2018, Microsoft has been funding an open-source project to shore up voting systems by building secure end-to-end verifiable voting software called ElectionGuard. It has already been tested in several small US local elections and was used by the US House of Representatives Democratic caucus to elect their leadership during COVID (see 2024 paper for details). It’s a surprisingly advanced, well-designed system that manages to achieve in practice most of the properties you would want! In particular, the "Benaloh challenge" (video, blog post) is a brilliant method of convincing a regular person that their vote is being encrypted honestly, while also maintaining ballot secrecy. On a large scale, it should also be able to convince people that all the votes are being encrypted properly. After the election, anyone can verify cryptographically that all votes were well-formed, and that their decrypted total matches the official tally. Each voter can also verify that their personal vote was included in the tally. No one can decrypt individual votes, unless the “guardians” (holders of the threshold decryption keys) agree to open some as part of an audit. It's a solid project with high standards, worth promoting.

So, ElectionGuard is pretty cool! What’s left to fix? It includes a component called the “public, append-only bulletin board” where the each voting machine posts ciphertexts of all the ballots in real time. I think that should clearly be implemented using a blockchain, but the ElectionGuard authors disagree. They have designed it instead to work with a centralized website. The election authority simply posts digitally signed records on the site, then provides them all as an archive after the election.

In my opinion, they don’t give any convincing reasons for not using a blockchain. It’s more like something they don’t want to focus on and that doesn’t add any essential property. They’re technically correct: the system works without a blockchain. And blockchains add complications, like spam attacks, that need to be taken into account at scale. But I think they misjudge where the future public will land on a spectrum of “trust authority” to “trust decentralized systems”. If the objective is to make elections trustworthy, there’s no good reason the immutable or potentially censorable parts shouldn’t go on chain as well as on the website.

A well designed blockchain system would have other advantages too.

First, a better user experience: to verify your vote you currently have to download it during the voting process, then come back and check after the election that it’s still included. If not, you can take the initial (digitally signed) version to the press as proof of fraud. But wouldn’t it be simpler to check once and know that immutability is guaranteed? Or to post the fraud proof on chain, which would only take a minute and can’t be censored?

Another area where a blockchain would be useful is incentives. First, for the guardians to act honestly. The authors admit that guardians are currently picked by an administrator and blindly follow directions most of the time. It would make more sense to have at least some of them be members of the public who have posted bonds to guarantee they will act honestly (not collude to decrypt individual votes, and not fail to decrypt the final tally). Ideally there should also be incentives for third parties to post independent verification of the final tally, and for anyone to post a fraud proof at any point. This MVP proposal doesn’t deal with incentives, but future versions probably should because they could dramatically improve the system.

Solution

ElectionGuard is reasonably modular and has well-defined APIs for connecting the various “roles”. Therefore I think it should be feasible to swap out the “public, append-only bulletin board” for the Cardano blockchain without changing the rest of the code very much. I propose building a minimal, inefficient demo version (this proposal) that simply posts a hash of every artifact (election manifest, ballot, final tally, etc) on a testnet and hosts the data (~1MB per ballot) on IPFS. The best route to scaling it can be decided later. (Some reasonable ideas would be to use a Hydra head, to post roots of Merkle trees rather than every ballot, and to pay guardians to serve the IPFS data) I’ll focus on making it correct, with good test coverage, and on explaining + demoing it well to Cardano community members who might be interested in working on something like this. The goal is to build some interest, get to know people, establish a track record of meeting deadlines, and de-risk asking for a larger budget with UI + marketing etc. next time.

[IMPACT] Please define the positive impact your project will have on the wider Cardano community

This is admittedly very difficult to quantify. I believe it will make a long term positive difference in sentiment towards Cardano from the general public, as well as “tradgov” policymakers, if they see a blockchain project building something that elegantly solves such an important real-world use case. It will also fit nicely with the brand image (I think) we want to promote: we’re positive, pro-social builders; the go-to chain for ambitious governance experiments; not crypto bros or gamblers.

The value to ADA holders might be best modeled as a kind of slow burn “honest advertising”: The goal isn’t to get a lot of news coverage quickly and pump the price, but to be repeatedly seen living up to our ideals over a period of years. We want to be noticed—perhaps for something like running a county election—then noticed again later, and so on. Consistency through ups and downs impresses people more than something flashy and new.

This proposal is only for an initial MVP, and won’t create much value on its own. The idea is to demonstrate feasibility; assuming it goes well I want to come back in the next funding round and recruit a team to help flesh everything out: improve the incentives, make the smart contracts efficient, build good interfaces, work with meetups and perhaps local governments and other orgs to run small test elections, and do a lot more promotion. At that point we can start to measure the impact of the promotion by standard metrics like views, retweets, news articles, in person headcounts, etc.

Ultimately, the effect of any Catalyst project is hard to judge because the market will do so many other things at the same time, and because everyone builds on each others’ work. The best we can ask for is long term positive sentiment, inside and outside the community. And in that respect this is a uniquely useful idea, because securing elections will appeal specifically to lawmakers. If they can start to see us as agents of order rather than chaos, we’ll be more likely to get crypto-friendly laws, and that may have a large positive impact.

One other tangible side benefit is that we could use it for voting in Cardano-related orgs. It probably can’t be adapted for direct use in our core governance because I don’t think it would be compatible with stake weighting. But it could be used in one-person-one-vote situations, especially at in-person events similar to the recent constitutional representative elections.

[CAPABILITY & FEASIBILITY] What is your capability to deliver your project with high levels of trust and accountability? How do you intend to validate if your approach is feasible?

At a high level, structuring the project this way—starting with only an MVP—de-risks it and keeps it scoped to my coding skillset for now. I’m not necessarily the best person to do the later UI, marketing, or business functions.

I also don't claim to be the best or only person suited to deliver an MVP. If anyone else is interested, I would be happy to join forces!

For this stage though, I do think I have a reasonable skillset to accomplish everything:

• 15+ years experience with Linux
• 10+ years experience with Haskell
• 10+ years experience with Nix
• ~5 years experience with various devops, cloud, and build systems
• ~2 years experience with Javascript and Typescript
• Basic Plutus (did the Pioneers course, haven’t built anything non-trivial yet)
• An unrelated PhD (microbiology), which is only relevant because it suggests I should be able to learn a new body of research (election-related cryptography) to a reasonable standard in order to compare designs and make sure I'm using the API in valid ways

I've been interested in the topic for a while, and have an old Github repo where I started working on it before getting sidetracked by a job. It shows that I can at least do basic Haskell and script Docker images.

As far as managing funds, I think 5-6 milestones over 6 months should be enough structure for one person working mainly alone. I would be comfortable being paid in a tranche per milestone. Each one includes explaining the work and making a video demo. I expect milestone 3 (moving the data on chain) will be the most difficult, so I’ll start on it immediately in parallel with the others. The only other obvious decision so far is how to split the funds between personal expenses and cloud resources. I would have made a budget category for cloud, except I suspect it may not be needed at all: running a series of test elections on my laptop overnight might turn out to be plenty of compute. If not, I can pay for some out of the general fund.

[PROJECT MILESTONES] What are the key milestones you need to achieve in order to complete your project successfully?

Run a single election locally in “God mode” (controlling everything, recording inputs + outputs) using Docker, Podman, Arion, or similar. Should be able to choose some parameters in a config file (number of guardians, decryption threshold, number of voters and their votes, etc), run it, and obtain a set of election artifacts and a matching final decrypted tally. Verification by code on Github along with a blog post, asciinema demo, and video.

Build a test harness that runs arbitrary elections (using QuickCheck or a similar library) and confirms that their tallies are still reported correctly. Verification by code on Github along with a blog post, asciinema demo, and video.

Swap out the “public append-only bulletin board” module for a version that posts all communications to Cardano, using either a local or public testnet. Tests should continue to pass, and hashes of the data should be on chain. Verification by code on Github along with a blog post, asciinema demo, and video.

Separate voter code from Admin + Guardian code and run mock elections on a public testnet. The voting interface will be very basic (probably command-line via Docker). Should be able to administer the election on one computer while voting from another. Verification by code on Github along with a blog post, asciinema demo, and video.

Bonus if time: user interfaces. A dashboard showing election progress as read from the blockchain, and a web UI for a voter to confirm that their vote hash is included in the latest state root. Verification by code on Github along with a blog post and video demo.

Final video walkthrough(s), blog post(s), in person demo with at least one local meetup (probably in Western USA/Canada). Others should be able to run elections using the code on Github and the docs/blog posts/videos without additional help.

[RESOURCES] Who is in the project team and what are their roles?

So far I'm the entire team. I'm confident I have the software experience to build an MVP and do basic demos, but recognize that a large part of the value of the project will eventually come from evangelizing it to non-technical audiences. I'm very happy to attempt that too, but it might be done more efficiently by someone who already has some experience producing video content. Therefore I wrote this proposal to include only the initial technical deliverables. Assuming those go well, I expect to come back and organize a larger effort with more team members in a future funding round.

[BUDGET & COSTS] Please provide a cost breakdown of the proposed work and resources

The budget is simple: it's just the ballpark amount that I think would enable me to focus on this for ~6 months without finding a "real job" and doing it on the side, along with a small portion for cloud compute costs (running test elections). The cloud compute is probably negligible.

[VALUE FOR MONEY] How does the cost of the project represent value for money for the Cardano ecosystem?

The proposed budget of 50K 61K ADA is currently ~20K USD, or 3333/month over 6 months. It's much lower than an average developer salary in the USA, which various sites estimate at 100K+ USD per year, or 50K+ per 6 months. It's also a reasonable cost of living for one person in Seattle considering rent, healthcare, food, transport, misc. For context, Numbeo estimates $1800 for a one-bedroom apt outside city center + $1200 other costs = $3000 per month. I think slightly higher makes sense here to hedge against the possiblity that ADA will lose value vs USD, and for possible cloud compute.

More importantly though, we have a unique opportunity to deliver one of the classic promises of blockchains--secure elections that can scale to a nation state level--for very little money overall. Even if the costs were an order of magnitude higher it might still be considered a good deal. The hard cryptographic research has already been funded by Microsoft, published, open-sourced, and tested in the real world; all we have to do is integrate it with Cardano. The potential benefits are out of proportion with the risks, in a good way!