 Hi guys, my name is Patrick McCory. I'm a researcher at UCL and I'm going to talk to you about some work I did last summer while I was doing my PhD at Newcastle. I did it in collaboration with my colleagues Fong Hao and CMAC. So this talk's going to be about e-voting, but before I really get into it I'd like to highlight what researchers tend to think about when we say e-voting. So we normally think about end-to-end verifiable systems and to break that down the idea is that when I go to a polling station and I cast my vote I did have confidence that my vote has been cast as intended. When I leave the polling station I should be able to look at this public bulletin board and verify that my vote has been included in the tally or not in the tally. My vote has been cast and then after the election I should be able to verify that my vote was indeed included in the tally. So that is an end-to-end verifiable system. And to achieve this system we normally assume the existence of this public bulletin board that everybody can see. But for the past, I guess, 30 years we've not really been able to achieve a practical public bulletin board. The best we have is a single web server where I contact the web server, I download data and I have to try to detect that that web server is cheating me. So that's not really good enough. So now people are thinking, okay, how may use the blockchain for e-voting? Does this pervade the consistency property that we want? And I'm going to argue potentially and I'm going to say it's probably very useful for small-scale actions like board room voting because it does pervade this consistency property where anybody who downloads the blockchain, you can download the Genesis block and you can verify the entire history of that blockchain. So like every Bitcoin transaction and every Ethereum transaction. And I don't need to trust anyone to get there to ensure that I have a consistent view of everybody else. So it's sort of like this ideal world. And I'm not the first person to notice this. So last year I did a Google search and lots of people were getting excited about the blockchain and e-voting. So now we needed to say it, okay, what blockchain are we going to use? What about Bitcoin? Should we use Bitcoin for e-voting? And I'm going to summarize and say no, I don't think Bitcoin is a very good place to do this because we can only store 80 bytes of arbitrary data. Bitcoin can only store the information. It cannot verify that our protocol was correctly executed. So then I'm going to go, okay, what about Ethereum? And I don't really need a priest to the choir here, do I? I think everybody in this room understands that Ethereum is going to be amazing. And when I made this slide, Ethereum was worth 20 billion dollars. It's worth more now. I don't really know how much it's worth now. But the point of Ethereum is that we can run expressive but bounded programs, i.e. the gas metric. And it's a bit like a computer from the 1970s that everybody has access to. It's slow and it's expensive. But we're going to get away and we're going to do some e-voting on it. And of course, as I said, this vote's about voting and not necessary blockchains. So last, so there's actually, so it's a bit of a story behind this here, okay? So two years ago I attended a conference and everybody was really excited about Ethereum and smart contracts. And I was drinking a pina colada and then I got really excited about it. So when I go back to England, I went on the Solidity online compiler and I noticed they had this voting program. This was like the sample code that I'm sure most people in this room have already seen it. But the idea is that there's a list of proposals and when I want to cast my vote, I call the vote function and I say I want to vote for this proposal. Now the guarantee voter privacy in this program, the assumption is that we cannot link a voter's real world identity to their Ethereum account because if you can, then you can see how somebody voted because the vote is in plain text. So I wanted to see if we can do something better. Can we build a smart contract that can guarantee voter privacy? And there's two different ways they approach this. One is blame signatures. And the other one is where I can encrypt my vote under a well-known public key. I could store that on the blockchain and then I could trust some, then there could be an Italian authority who after the election will decrypt the votes and reveal the tally. But both of those approaches rely on some type of authority. And I wanted to follow the example of cryptocurrencies. Can we remove the need for any Italian authority in an election? And can we do it in such a way where a voter is in control of their own privacy? And this brought me to self-tallying elections, which was first made back in 2002 and these elections have three different properties. First is perfect ballot secrecy. A voter's privacy can only be breached by a full collusion of all other voters. And it's also self-tallying. So after the election, anybody can count the votes. We don't have to rely on anybody to do that for us. Honest dispute free. As then, if you give me the election transcript, I can verify myself that the election was run correctly, or at least a protocol. But my disclaimer is that this protocol is not end-to-end verifiable, as I mentioned at the very beginning. Because in an end-to-end verifiable system, we also assume the voting machine cannot be trusted. But this is a fully decentralized voting protocol. We have no central authority to provide hardware for us. So we have to assume the voting machine is trustworthy. And I think that's a reasonable assumption because if you hack my machine, you're probably going to steal all my coins. So I have an incentive that do my best to keep my machine somewhat trustworthy. But these protocols have had a short-lived history. There has never been a practical implementation of a self-tallying election. Because one, it requires an authenticated broadcast channel where everybody can communicate. And it's also very beneficial to have a public bulletin board to store the election transcript. And these protocols also have two other issues. A single voter can stop the entire election. So if they don't cast their vote, we don't get the tally. They also have an adaptive issue, where the final voter can view the tally before everybody else. But now I thought, OK, can we combine these self-tallying elections with the blockchain? So I built the voting protocol as a smart contract. And as I mentioned, what's beautiful about Ethereum is that it can enforce the voting protocol's correct execution. And we can also have this incentive, sort of the crypto-economic security engineering philosophy, where when you register for the election, you leave a deposit. And when you cast your vote, you get your deposit back. So now we can actually have some type of incentive for people to participate. And there's three different self-tallying protocols we could have chosen. And my disclaimer is that we chose the one by my advisor. But we didn't do it because it's his protocol. We did it because it was the most efficient in the literature. It requires two rounds, and there's only two zero knowledge proofs per voter. So it's highly efficient as a protocol. So now I'm going to explain how the open vote network over Ethereum works. We do have an election administrator, and his only job is one authenticated voters with their Ethereum account. And then update the smart contract with that whitelist. So we can at least know who's going to vote in this election. And then his other job is to poke Ethereum to transition to the next stage, although anyone could really do that. Next, he sets the whitelist of eligible voters. He will set the voting question, and then he'll notify Ethereum to move on to the sign-up stage. And any voter can look at the question and then register for the election. To register, the voter has to compute a public-private key pair. And this is their voting key. And then alongside their voting key, they create a zero knowledge proof, which pretty much says that they know the private key that corresponds to the public key, i.e. they're the owner of that voting key. And now what they do is that they create an Ethereum transaction. They include the voting key, this proof that they own this voting key, and a very small deposit. And every voter will send us to Ethereum, and Ethereum can verify the proof. It will verify the proof, store their deposit, and store the encrypted vote. And once enough voters have done this, the election administrator can poke Ethereum to move on to the voting stage. And during this transition, from the sign-up to the voting stage, Ethereum will compute a second key for every single voter. And we call this the reconstructed key, and this is where all the magic happens in terms of the cartography. So I've got this really ugly formula, and that means nothing to anybody in this room. So I'm going to explain it using a little robot. So if I'm voter three, the way I compute my reconstructed key is that I get the voting key of voter one and two, and I multiply them together. I get the voting key of four and five, and I multiply them together. I divide those two results, and then I end up with my own voting key. And we do this for every single voter. In fact, Ethereum does that for every single voter. And then after that we've transitioned, and once we reach the voting stage, every single voter has a voting key and a reconstructed key. Now to cast our vote, we have to do an El Gamal encryption of the vote. And that is essentially this little formula. So it takes in the voting key, the reconstructed key, and then the vote is either g to the power of zero or g to the power of one. And that pretty much is a yes or no vote. And then what we do is we construct a one out of two, zero knowledge proof. And this pretty much says that I prove to you that my encrypted vote is either yes or no. And that means the vote is well formed, and I reveal nothing else about my vote. And then I create an Ethereum transaction that includes my El Gamal encrypted vote, my one out of two, zero knowledge proof, and I send that to the contract. The contract will verify that my vote is well formed and then store it. And then it will release the deposit and give me my money back. And every single voter will do this. And once the final vote has been cast, the election is over. And anybody can compute the tally. And in fact, so can Ethereum. So the election administrator can poke Ethereum to finally compute the tally. Ethereum does this, and the way we compute the tally is really straightforward. We just have the odd, all the encrypted votes together. And once you add the final encrypted vote, based on how that El Gamal encryption was set up, all the random factors are canceled out. And all we're left with is g to the power of yes votes. That's a very small discrete log that can be brute-forced by the smart contract, which it does. And then once we have the number of yes votes, it's really straightforward to get the number of no votes. Now, before, I did this last summer, before the Byzantium hard fork. And the problem was that elliptic arithmetic was not natively supported by Ethereum. So these are some of the gas costs of trying to do elliptic arithmetic back then. So the cost of vote was 2.5 million gas. So that means today you'd be able to fit three votes in a block. And it was $2. And the register for the election was about 60 cents. Now, unfortunately, I haven't managed to get the new op codes to work yet. So I really wanted to have exactly the new gas costs. But what I did this morning was I worked it roughly how much it would be using the new hard forked op codes. Because now Ethereum supports elliptic arithmetic mathematics. So the cost and encrypted vote with the one out of two zero knowledge proofs, it goes from $2 to 60 cents. And we save 1.7 million gas. So maybe we should have a big clap for how cheap this is actually got. That makes me really happy. Thank you. Yeah, so it's still 700,000 gas, but that's a very expensive zero knowledge proof. And now we can fit, what, nearly 10 of them inside a block. So that's much better than we could do before. So that's basically, you know, the new cost to run this protocol roughly. And now I have some time to show a video. That's fantastic. I tried my best to see if some time. So I'll quickly play the video. That was the code I was looking at this morning to get the stops. And this is how, so I actually built it as a website and I spoke to someone last night and apparently it gets really easy integrated in the midst. So I love to see that happen. But essentially this is the election administrator screen. He's logging in and he's going to set up the election. He sets the list of eligible voters. I'll have hard coded it because I'm lazy and really struggled with it as well. We send that off to the contract and now the list of eligible voters is set up. We set a bunch of timers for the election. So that way the election runs in a timely manner. We set the voting question. I issue Satoshi Nakamoto, reveal his real world identity. Hopefully everybody says no and then we start the election. And now all the voters, they upload their voting codes, although that's more of an implementation than necessary. They log into their theorem account and then they can look at the question and register for the election. Now in this example I'm going to show you, there's actually three stages to the protocol because there's a third round you can add. They get around that adaptive issue. So I mentioned the final voter can see the vote, the tally before everybody else. So what you can do is that everybody can register. Everybody can commit to their encrypted vote. And then once everyone actually causes their vote, you can't change your mind if you can compute the tally. So it really depends if you think that's a big issue. It was a big issue that the final voter can compute the tally before everybody else. You add that out third round. If you don't think that's a big issue, you keep the two rounds, you know, you vote and you register. So now every voter is, you know, they're registering for the election. Yep, and then eventually, yeah, neither basically causing their vote. Well, they're committing to their vote. So they're saying yes, no, and yes. So these guys are going to say yes, Satoshi Nakamoto should reveal his real world identity and now they're going to cast their vote. And I know the design is horrible. I'm not really a good designer. Graphic design was never my forte, but now that all the votes have been cast anyway, we will eventually be able to see the tally. So the election administrator will eventually pop up and he'll say, OK, I want you to compute the tally, Ethereum, so he does it. And I should hopefully say, yep, two yes votes and one no vote. And there's actually a live feed page as well where we can actually watch the election in real time, because what's really cool about this system is that you can actually register it where you can see that Patrick has cast his vote so you can actually see what Ethereum accounts have voted, but you can't see their vote. And that is the end of my video. And I just want the end to say that it is on GitHub and I've been really lucky to say that it now has 113 stars, which for me was amazing. Because when I did this last summer, I was finishing my PhD and I wanted to build something that people could use in the community. And it looks like the people have actually picked it up and they're trying to do cool things of it. So thank you very much, guys, for enjoying the project.