ElectionGuard is working end-to-end verifiable election software, but the authors don't think it needs a blockchain. They're wrong! This is a low-cost opportunity to build something extremely useful.
This is the total amount allocated to ElectionGuard + Cardano: provably fair traditional elections.
1/3
ElectionGuard components: run and verify elections locally
Cost: ₳ 18,300
Delivery: Month 3 - Apr 2025
2/3
Blockchain-related components: smart contracts, on-chain data, IPFS
Cost: ₳ 18,300
Delivery: Month 5 - Jun 2025
3/3
Putting it together: minimal complete election demo
Cost: ₳ 24,400
Delivery: Month 6 - Jul 2025
Minimal working demo of ElectionGuard posting hashes of all election artifacts on chain (including manifest, ballots, tally, certifications). IPFS for storage. Stats dashboard + voter app if time.
The core ElectionGuard software (current version in Python OR the new one being written in C++), as well as the reference implementation of the verifier (Rust).
Everything will be open sourced.
I'm open to any standard open source license but lean towards something MIT-like because most voting hardware + software is managed by companies contracting with public entities, and I want those companies to be able to use it.
Code + asciinema demos will be on Github (possibly also Gitlab). Development progress will be clearly visible in branches named by milestone. Videos will go on Youtube + somewhere else as a backup. The README will be well organized with links to everything.
There are two problems, the one for the world at large and the one for ADA holders. I’ll deal with the world at large here, and value for ADA holders specifically under the [IMPACT] heading below.
TL;DR
Problem
Currently, it’s impossible for a typical voter to verify that any nation-state election they might participate in is being conducted fairly. The opacity of the system allows 1) actual fraud, and 2) allegations of fraud that are hard to convincingly disprove. The best a voter can do is trust some authority—either the government, or a watchdog organization, or a third party. No one is able to personally watch all the votes being counted. This contributes to general distrust in and cynicism about democracy, and in some cases even to political instability and violence.
Since 2018, Microsoft has been funding an open-source project to shore up voting systems by building secure end-to-end verifiable voting software called ElectionGuard. It has already been tested in several small US local elections and was used by the US House of Representatives Democratic caucus to elect their leadership during COVID (see 2024 paper for details). It’s a surprisingly advanced, well-designed system that manages to achieve in practice most of the properties you would want! In particular, the "Benaloh challenge" (video, blog post) is a brilliant method of convincing a regular person that their vote is being encrypted honestly, while also maintaining ballot secrecy. On a large scale, it should also be able to convince people that all the votes are being encrypted properly. After the election, anyone can verify cryptographically that all votes were well-formed, and that their decrypted total matches the official tally. Each voter can also verify that their personal vote was included in the tally. No one can decrypt individual votes, unless the “guardians” (holders of the threshold decryption keys) agree to open some as part of an audit. It's a solid project with high standards, worth promoting.
So, ElectionGuard is pretty cool! What’s left to fix? It includes a component called the “public, append-only bulletin board” where each voting machine posts ciphertexts of all the ballots in real time. I think that should clearly be implemented using a blockchain, but the ElectionGuard authors disagree. They have designed it instead to work with a centralized website. The election authority simply posts digitally signed records on the site, then provides them all as an archive after the election.
In my opinion, they don’t give any convincing reasons for not using a blockchain. It’s more like something they don’t want to focus on and that doesn’t add any essential property. They’re technically correct: the system works without a blockchain. And blockchains add complications, like spam attacks, that need to be taken into account at scale. But I think they misjudge where the future public will land on a spectrum of “trust authority” to “trust decentralized systems”. If the objective is to make elections trustworthy, there’s no good reason the immutable or potentially censorable parts shouldn’t go on chain as well as on the website.
A well designed blockchain system would have other advantages too.
First, a better user experience: to verify your vote you currently have to download it during the voting process, then come back and check after the election that it’s still included. If not, you can take the initial (digitally signed) version to the press as proof of fraud. But wouldn’t it be simpler to check once and know that immutability is guaranteed? Or to post the fraud proof on chain, which would only take a minute and can’t be censored?
Another area where a blockchain would be useful is incentives. First, for the guardians to act honestly. The authors admit that guardians are currently picked by an administrator and blindly follow directions most of the time. It would make more sense to have at least some of them be members of the public who have posted bonds to guarantee they will act honestly (not collude to decrypt individual votes, and not fail to decrypt the final tally). Ideally there should also be incentives for third parties to post independent verification of the final tally, and for anyone to post a fraud proof at any point. This MVP proposal doesn’t deal with incentives, but future versions probably should because they could dramatically improve the system.
Solution
ElectionGuard is reasonably modular and has well-defined APIs for connecting the various “roles”. Therefore I think it should be feasible to swap out the “public, append-only bulletin board” for the Cardano blockchain without changing the rest of the code very much. I propose building a minimal, inefficient demo version (this proposal) that simply posts a hash of every artifact (election manifest, ballot, final tally, etc.) on a testnet and hosts the data (~1MB per ballot) on IPFS. The best route to scaling it can be decided later. (Some reasonable ideas would be to use a Hydra head, to post roots of Merkle trees rather than every ballot, and to pay guardians to serve the IPFS data.) I’ll focus on making it correct, with good test coverage, and on explaining + demoing it well to Cardano community members who might be interested in working on something like this. The goal is to build some interest, get to know people, establish a track record of meeting deadlines, and de-risk asking for a larger budget with UI + marketing etc. next time.
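The scaling idea mentioned above (posting a Merkle root instead of every ballot hash) can be sketched as follows. This is an added example, not code from the proposal or from ElectionGuard; SHA-256, the leaf/node prefix bytes, the odd-node promotion rule and the ballot contents are all assumptions made for illustration.

```python
import hashlib

# Assumed layout: distinct prefixes (as in RFC 6962) keep leaves and interior nodes apart.
LEAF, NODE = b"\x00", b"\x01"

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(artifact: bytes) -> bytes:
    return h(LEAF + artifact)

def build_levels(artifacts):
    """Return all tree levels, leaves first; the last level holds the root."""
    if not artifacts:
        raise ValueError("no artifacts to commit")
    levels = [[leaf_hash(a) for a in artifacts]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        # Pair neighbours; an unpaired last node is promoted unchanged.
        nxt = [h(NODE + cur[i] + cur[i + 1]) if i + 1 < len(cur) else cur[i]
               for i in range(0, len(cur), 2)]
        levels.append(nxt)
    return levels

def inclusion_proof(levels, index):
    """Sibling hashes from leaf to root, each tagged with the sibling's side."""
    proof = []
    for level in levels[:-1]:
        sib = index ^ 1
        if sib < len(level):  # no sibling means this node was promoted
            proof.append(("L" if sib < index else "R", level[sib]))
        index //= 2
    return proof

def verify_inclusion(artifact, proof, root):
    """Recompute the root from one artifact and its proof; True if it matches."""
    acc = leaf_hash(artifact)
    for side, sibling in proof:
        acc = h(NODE + sibling + acc) if side == "L" else h(NODE + acc + sibling)
    return acc == root

# Constructed stand-ins for encrypted ballots fetched from off-chain storage.
BALLOTS = [f"constructed-ballot-ciphertext-{i}".encode() for i in range(5)]
LEVELS = build_levels(BALLOTS)
ROOT = LEVELS[-1][0]  # the single 32-byte value that would go on chain

# A voter holding ballot 4 and its proof checks it against the posted root.
print(ROOT.hex(), verify_inclusion(BALLOTS[4], inclusion_proof(LEVELS, 4), ROOT))
```

A voter needs only their own ballot bytes, a proof that grows with the logarithm of the ballot count, and the root read from the chain; any change to the stored ballot makes the recomputed root differ.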
This is admittedly very difficult to quantify. I believe it will make a long term positive difference in sentiment towards Cardano from the general public, as well as “tradgov” policymakers, if they see a blockchain project building something that elegantly solves such an important real-world use case. It will also fit nicely with the brand image (I think) we want to promote: we’re positive, pro-social builders; the go-to chain for ambitious governance experiments; not crypto bros or gamblers.
The value to ADA holders might be best modeled as a kind of slow burn “honest advertising”: The goal isn’t to get a lot of news coverage quickly and pump the price, but to be repeatedly seen living up to our ideals over a period of years. We want to be noticed—perhaps for something like running a county election—then noticed again later, and so on. Consistency through ups and downs impresses people more than something flashy and new.
This proposal is only for an initial MVP, and won’t create much value on its own. The idea is to demonstrate feasibility; assuming it goes well I want to come back in the next funding round and recruit a team to help flesh everything out: improve the incentives, make the smart contracts efficient, build good interfaces, work with meetups and perhaps local governments and other orgs to run small test elections, and do a lot more promotion. At that point we can start to measure the impact of the promotion by standard metrics like views, retweets, news articles, in person headcounts, etc.
Ultimately, the effect of any Catalyst project is hard to judge because the market will do so many other things at the same time, and because everyone builds on each other’s work. The best we can ask for is long term positive sentiment, inside and outside the community. And in that respect this is a uniquely useful idea, because securing elections will appeal specifically to lawmakers. If they can start to see us as agents of order rather than chaos, we’ll be more likely to get crypto-friendly laws, and that may have a large positive impact.
One other tangible side benefit is that we could use it for voting in Cardano-related orgs. It probably can’t be adapted for direct use in our core governance because I don’t think it would be compatible with stake weighting. But it could be used in one-person-one-vote situations, especially at in-person events similar to the recent constitutional representative elections.
At a high level, structuring the project this way—starting with only an MVP—de-risks it and keeps it scoped to my coding skillset for now. I’m not necessarily the best person to do the later UI, marketing, or business functions.
I also don't claim to be the best or only person suited to deliver an MVP. If anyone else is interested, I would be happy to join forces!
For this stage though, I do think I have a reasonable skillset to accomplish everything:
I've been interested in the topic for a while, and have an old Github repo where I started working on it before getting sidetracked by a job. It shows that I can at least do basic Haskell and script Docker images.
As far as managing funds, I think 5-6 milestones over 6 months should be enough structure for one person working mainly alone. I would be comfortable being paid in a tranche per milestone. Each one includes explaining the work and making a video demo. I expect milestone 3 (moving the data on chain) will be the most difficult, so I’ll start on it immediately in parallel with the others. The only other obvious decision so far is how to split the funds between personal expenses and cloud resources. I would have made a budget category for cloud, except I suspect it may not be needed at all: running a series of test elections on my laptop overnight might turn out to be plenty of compute. If not, I can pay for some out of the general fund.
Run a single election locally in “God mode” (controlling everything, recording inputs + outputs) using Docker, Podman, Arion, or similar. Should be able to choose some parameters in a config file (number of guardians, decryption threshold, number of voters and their votes, etc), run it, and obtain a set of election artifacts and a matching final decrypted tally. Verification by code on Github along with a blog post, asciinema demo, and video.
Build a test harness that runs arbitrary elections (using QuickCheck or a similar library) and confirms that their tallies are still reported correctly. Verification by code on Github along with a blog post, asciinema demo, and video.
Swap out the “public append-only bulletin board” module for a version that posts all communications to Cardano, using either a local or public testnet. Tests should continue to pass, and hashes of the data should be on chain. Verification by code on Github along with a blog post, asciinema demo, and video.
Separate voter code from Admin + Guardian code and run mock elections on a public testnet. The voting interface will be very basic (probably command-line via Docker). Should be able to administer the election on one computer while voting from another. Verification by code on Github along with a blog post, asciinema demo, and video.
Bonus if time: user interfaces. A dashboard showing election progress as read from the blockchain, and a web UI for a voter to confirm that their vote hash is included in the latest state root. Verification by code on Github along with a blog post and video demo.
Final video walkthrough(s), blog post(s), in person demo with at least one local meetup (probably in Western USA/Canada). Others should be able to run elections using the code on Github and the docs/blog posts/videos without additional help.
So far I'm the entire team. I'm confident I have the software experience to build an MVP and do basic demos, but recognize that a large part of the value of the project will eventually come from evangelizing it to non-technical audiences. I'm very happy to attempt that too, but it might be done more efficiently by someone who already has some experience producing video content. Therefore I wrote this proposal to include only the initial technical deliverables. Assuming those go well, I expect to come back and organize a larger effort with more team members in a future funding round.
The budget is simple: it's just the ballpark amount that I think would enable me to focus on this for ~6 months without finding a "real job" and doing it on the side, along with a small portion for cloud compute costs (running test elections). The cloud compute is probably negligible.
The proposed budget of 61K ADA is currently ~20K USD, or 3333/month over 6 months. It's much lower than an average developer salary in the USA, which various sites estimate at 100K+ USD per year, or 50K+ per 6 months. It's also a reasonable cost of living for one person in Seattle considering rent, healthcare, food, transport, misc. For context, Numbeo estimates $1800 for a one-bedroom apt outside city center + $1200 other costs = $3000 per month. I think slightly higher makes sense here to hedge against the possibility that ADA will lose value vs USD, and for possible cloud compute.
More importantly though, we have a unique opportunity to deliver one of the classic promises of blockchains--secure elections that can scale to a nation state level--for very little money overall. Even if the costs were an order of magnitude higher it might still be considered a good deal. The hard cryptographic research has already been funded by Microsoft, published, open-sourced, and tested in the real world; all we have to do is integrate it with Cardano. The potential benefits are out of proportion with the risks, in a good way!