Blockchain voting risks undetectable nation-scale failures: MIT researchers

A key goal of an election is to prove to the losing party that they did, in fact, lose, but that's a really hard problem to solve electronically.



Claims that "voting on the blockchain" would increase election security have been found wanting and even dubbed "misleading" by researchers from Massachusetts Institute of Technology (MIT).

In their paper Going from Bad to Worse: From Internet Voting to Blockchain Voting [PDF] published on Monday, they wrote that internet and blockchain-based voting would "greatly increase the risk of undetectable, nation-scale election failures".

"I haven't yet seen a blockchain system that I would trust with a county-fair jellybean count, much less a presidential election," said the senior author, Institute Professor Ron Rivest of MIT's renowned Computer Science and Artificial Intelligence Laboratory.

Rivest is best known as the "R" in the RSA encryption algorithm.

The paper analyses and systematises previous research on the security risks of voting systems, both online and offline, and comes to a clear conclusion.

Blockchain technology doesn't solve the fundamental security problems suffered by all electronic voting systems, and may introduce even more problems, the researchers wrote.

Blockchain solutions are "ripe" for what they call "serious failures". These are situations where election results might have been changed, either through error or by an attacker. The change might be undetectable, or even if it's detected, the only solution would be to run a whole new election.

"Exposing our election systems to such serious failures is too high a price to pay for the convenience of voting from our phones," they wrote.

"What good is it to vote conveniently on your phone if you obtain little or no assurance that your vote will be counted correctly, or at all?"

In any event, electronic systems of any kind, blockchain or not, are more susceptible to large-scale attacks because exploiting a single vulnerability could impact every ballot at once.

The physical nature of mail-in ballots or in-person voting is much harder to exploit.

The researchers proposed five minimal election security requirements: Ballot secrecy, to help prevent intimidation or vote-buying; software independence, so the result can be verified with something like a paper trail; voter-verifiable ballots, where the voters themselves can see that their vote has been correctly recorded; contestability, where someone who detects an error can convince others that the error is real; and some sort of auditing process.

At this point in time, the researchers argued, only paper ballots allow voters to directly verify that their ballot accurately represents their intended vote.

The paper also lists more than 40 "critical questions" which need to be asked about any proposed voting systems when assessing their security.

These range from understanding roles and capabilities of stakeholders and adversaries, to how many people would have to be corrupted to steal an election, to the fine-grained operational details of privacy protection, transparency, and legal constraints.

One of the researchers' core concepts is evidence-based elections.

"A key goal of an election is to prove to the losing party that they did, in fact, lose," they wrote. 

"An election system must therefore provide convincing evidence to all parties that the election result is correct, even in the face of intense scrutiny."

According to Dr Vanessa Teague, an Australian cryptographer with a particular interest in voting system security, evidence is "critically important" and "building evidence remotely is really, really hard".

"The more we study this problem, the more we learn that one little thing on a list of 50 questions might actually turn out to be really, really hard to solve," she told ZDNet.

Teague and her various colleagues have repeatedly found flaws in election systems used in Switzerland, the US, Australia, and elsewhere.

"Many, many things can go badly wrong, even in carefully-designed systems implemented by people who know what they're doing," she said.

"The systems being used in practice that I've seen are generally neither."

As your correspondent detailed four years ago, electronic voting of any kind is still the wrong answer to the wrong question.

Persistent calls to adopt electronic voting focus on speedy results and a perception of modernity, rather than the democratic fundamentals of national elections.

Trustworthy electronic voting means solving subtle issues of trustworthy software, trustworthy hardware, and trustworthy human-run processes.

As this new MIT paper shows, adding blockchain solves none of these problems.
