E-voting on the Tangle — a cryptographic e-voting protocol based on blind signatures

Traditional voting systems have been around for a very long time. The idea is simple, you have some people that stay near the urns, people vote and at the end those persons have to count everything and see the turnout of that vote. There’s also mail based voting, which means you receive an envelope, vote and then you send it back. But both systems can be influenced by third parties, and are not reliable. Votes can easily be altered or eliminated behind closed doors. Not only that, also the transport of votes isn’t safe, as someone can get access to them or some of them can be lost. Moreover, people have to travel and waste time just to go and vote. A lot of them don’t do that, which is why the voting percentages are pretty low nowadays, at least when compared to a decade or two ago. And on top of that, the traditional voting system is expensive. It requires a lot of money invested in the infrastructure.

Electronic voting (e-voting) is intended to facilitate the process while ensuring security and privacy. It allows people to vote at any time and from anywhere in the world. This encourages people to state their opinion and thus increases the participation rate. In addition, it eliminates the costs for physical infrastructure.

The development of a secure voting protocol is not trivial. The following work makes use of the immutable and feeless nature of the Tangle. In addition, Masked Authenticated Messaging, one of IOTA’s most powerful modules, provides the foundation for secure data transmission [1].


An e-voting protocol is acceptable if following requirements are met [2]:


The voter’s ballot must be treated confidentially. No one, not even the electoral authorities may link a ballot to the voter who casts it. In addition, a voting system shall be coercion-resistant and not allow anyone to prove that it was voted in a particular manner.


To achieve integrity, it must be impossible for a vote to be altered or eliminated. Besides that, it must be ensured that only valid votes are included in the tally.


The protocol must provide an authentication mechanism to ensure only eligible voters are allowed to vote. Therefore, a voter must be given some form of legitimacy to authenticate during the vote. In addition, the idea of “one voter, one vote” must be preserved.


There are two categories of verifiability: individual and universal.
Individual verifiability, as the name indicates, allows an individual to verify that the vote has been properly received and is part of the final tally. Universal verifiability means anyone can verify that the election was properly performed and all votes have been counted correctly. To achieve universal verifiability, the results and collected ballots are published for public viewing.

Some requirements seem to contradict others, but it’s possible to create a system that satisfies every aspect. There are different cryptographic techniques to meet the requirements. They can be grouped into three types:

  • homomorphic encryption
  • mix-nets
  • blind signatures

In homomorphic encryption, certain mathematical operations (e.g. addition) can be performed directly on ciphertexts. For security reasons, zero-knowledge proofs are required.

In the mix-net model, votes are shuffled in order to hide the relation between the voter and his vote. Since there are n mixes, it produces much overhead for the system.

This work focuses on blind signatures.

Blind signatures

A digital signature is a cryptographic scheme used to verify the credibility of data. It enables anyone to verify the authorship and integrity of a message using the public verification key. With digital signatures, it should be practically impossible to forge or falsify a signature, or to generate a second message for which this signature is also valid. This presupposes that the private key cannot be calculated from the signature nor the public key. Another important characteristic is the non-repudiation of the signature. If a signature was verified with a public key, this should prove that the signature was generated with the corresponding private key.

A blind signature, first introduced by David Chaum, is a form of digital signature in which the message is blinded before it is signed. Therefore, the signer does not see what he is signing. Blind signatures were and are widely used in the fields of e-cash.

The protocol makes use of RSA. It’s an asymmetric cryptographic algorithm that can be used for both encryption and digital signing. It uses a key pair consisting of a private key used to decrypt or sign data and a public key used to encrypt or verify signatures. The private key is kept secret and cannot be calculated from the public key.

Each participant in the system, owns a key pair and therefore both a private and a public key.

Let’s imagine Alice would like to have a blind signature from Bob.
The procedure would be as follows:

  1. Alice prepares a message m and encodes it using a random
    value, the blinding factor r. This leads to an encoded message m′.
  2. Bob receives m′. After successful authorization, Bob is willing to sign m′ for Alice. This results in signature s′.
  3. Alice receives s′ and removes the random value r. The result is s, a signature for message m, signed by Bob.

The voting procedure

The voting institution has data of all voters. This data contains personal information as well as the public key representing the user. This is for the authentication mechanism to ensure only eligible voters are able to vote. The required registration process should be initiated by the voter with the delivery of legal documents and the appropriate public key.

To prevent fraud within the institution, signed votes are only valid if they were signed by n signers, n > 1. In other words: only one signer of the set has to be honest in order for the fraud to be noticed.

Imagine Alice wants to vote. The procedure would be as follows:

  1. Alice prepares her ballot b. b contains her vote and a random, secure identifier i. This additional identifier is required to recognize double votes in the tally. She encodes b using a random value, the blinding factor r. This leads to an encoded message b′.
  2. The voting institution receives b′. All signers verify if the voter is eligible to vote. After successful authorization, each signer will sign b′ . This results in signatures sn′ where n stands for the respective signer.
  3. Alice receives sn′ and removes the random value r. The result is sn, a signature for b, signed by n.
  4. Alice prepares her message containig b and sn. To prevent anyone from reading the vote before the election ends, the message must be encrypted. Using the public keys of the signers, Alice encapsulates the message in n layers of encryption, analogous to layers of an onion. Only with the help of all n signers a message could be decrypted prematurely.
    After encryption, Alice publishes the message in the MAM channel provided by the voting institution.
  5. The election ends when the voting institution publishes the final signal. Again, this message must be signed by n signers to prevent premature termination. In addition, all signers private keys will be leaked.

To reduce the risk of coercion or bribery, additional randomization in the signature scheme could be used [3]. Besides that, services such as TOR or VPNs should be used to disguise the voter’s IP address. To maximize security, a cascade of privacy-enhancing technologies would be appropriate e.g. VPN over TOR. In the event the TOR exit node is malicious, packets are still encrypted.

The immutable nature of the Tangle makes universal verifiability possible. Everyone who has access to the voting stream can follow it and compute the tally. The required algorithm in pseudocode:

let C be the election channel
let K be the hash set containing the public keys of all signers
let m be a message containing the identifier, vote and signatures
let H be the hash set containing all seen identifiers
let v be the vote count for candiate
let validate(m,pk) be the message validation, where pk stands for the public key of signer
let terminate(m) mark the ending of the election
for each m in C do
valid ← true
for each k in K do
if not
valid ← false
if not valid
return vᵪ
if m ∉ H
H ← H ⊎ m
vᵪ ← vᵪ + 1


The repository can be found here on GitHub for Java. The blind signature scheme is already implemented. Besides that, MAML streams [4] are already operable and will be used for secure data transmission. If desired, this can later be changed to MAM. The next step is to combine the blind signature scheme with MAML streams.

Closing words

With sufficient mathematics thrown at the problem, it is possible to create a system that satisfies every aspect of a voting protocol. Thanks to the immutable nature of the Tangle, true verifiability can be achieved.

If you have any questions, I’m happy to answer them. You can send me an email (samuel.rufinatscha@gmail.com) or find me on Discord (Samuel Rufinatscha#2769).

If you want to show some love, appreciate it.