Blockchain Voting for National Elections: Architecture of Sustainability
Azamat Safarov12 min read·Just now--
In August 2019, weeks before the elections to the Moscow City Duma, Pierrick Gaudry of INRIA (French National Institute for Research in Computer Science and Automation) published his analysis of the code underlying Moscow’s Remote Electronic Voting (REV) system. His conclusion was unequivocal: the encryption parameters were so weak that decrypting voters’ ballots in real time would take approximately twenty minutes on a standard laptop using publicly available software (Gaudry, Golovnev, 2019). He did not «hack» the system — he mathematically solved a problem that the developers apparently considered computationally infeasible within a reasonable timeframe. The encryption key was built on 256-bit ElGamal parameters: at this key size, the discrete logarithm problem can be solved in minutes on an ordinary laptop.
Gaudry published his findings, notified the developers, and specified the necessary fix: transition to parameters of at least 2048 bits, or preferably to elliptic curves offering equivalent security with smaller key sizes. The vulnerability was patched within hours. Yet the very existence of this flaw indicates not the error of a single engineer — parameters that any experienced cryptographer would identify as weak at first glance passed through every stage of design, development, and pre-launch testing of a national-scale system. At no point in the development and approval chain was there an independent verification step separate from the development team. Both vulnerabilities were discovered by external researchers acting on their own initiative, before voting began.
The context in which this occurred is critically important. The Edelman Trust Barometer has documented the same dynamic for the past decade: trust in government institutions, particularly politicians and civil servants, is declining in nearly every region of the world — simultaneously in democracies and authoritarian regimes. In 2025, governments remain the least trusted of the four key institutions, trailing business, NGOs, and media. In several countries with elections, trust in authorities is falling especially sharply, creating the impression that political institutions — from parliaments to ruling parties — no longer represent citizens’ interests. It is against this backdrop that blockchain poses its question: what if we could make the vote-counting architecture transparent, secure, and to some degree independent of the operator?
Between 2018 and 2021, eight nations deployed blockchain voting systems or conducted public experiments with them. By 2024, none had achieved the level of national parliamentary elections with independent mathematical verification. Examining why each stopped where it did reveals a pattern: across eight completely different contexts, failures occur at one of three levels — technical foundation, institutional conditions, or political readiness. These three levels — technical, institutional, and political — are traceable in all eight cases, in various combinations and with different consequences.
The Cryptographic Foundation
Democratic voting requires the simultaneous satisfaction of two properties that are mutually exclusive in classical database architecture.
Ballot secrecy — in its democratic interpretation — is not merely confidentiality. It is essential that the voter themselves cannot prove to a third party how they voted. This property is called receipt-freeness. A system lacking it is vulnerable to coercion. This is why physical voting booths are used: they protect not because they are reliably guarded, but because they structurally eliminate the very possibility of recording a voter’s choice.
Verification demands the opposite: every vote must be checkable. The voter must be assured that their ballot was included in the final count. Any observer must be able to reproduce the outcome independently — without access to the contents of individual votes.
Jean-Jacques Rousseau insisted that the sovereign will of the people is non-delegable — it must be expressed directly. Three centuries later, the very act of counting is delegated to servers and organizations whose proper functioning citizens can neither verify nor cryptographically challenge. Philip Pettit, in his theory of republican non-domination, defined freedom structurally: one is free who is not subject to arbitrary power — that which can be exercised, even if it currently is not. A state that technically can alter election results already possesses this power, regardless of whether it chooses to use it.
The mathematical solution to this paradox predates blockchain. In 1981, David Chaum published «Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms», introducing the definition:
«A digital pseudonym is a public key used to verify signatures made by the anonymous holder of the corresponding private key. A registry of such pseudonyms is maintained by an authoritative entity that decides whose applications to approve, but the entity itself cannot trace the pseudonyms in the final list.»
The following year, 1982, he developed the idea into a practical mechanism in «Blind Signatures for Untraceable Payments», explaining the principle of «blind signatures» through a precise analogy: «It is like a notary certifying a signature on a sealed envelope without knowing its contents» — the signer sees only a mathematical hash, not the message itself. This tandem of two papers — digital pseudonyms plus blind signatures — became the cryptographic foundation for all subsequent anonymous electronic systems: from DigiCash to end-to-end verifiable voting systems Punchscan and Scantegrity, where the voter receives confirmation that their vote was recorded without revealing their choice.
Modern implementations rely on two tools:
Zero-knowledge proof (ZKP). Proof of knowledge without disclosure: the voter proves that their encrypted ballot contains a valid value (0 or 1) without revealing which one. Imagine: you want to prove to the election commission that you cast exactly one vote — not zero, not two — but without revealing for whom. ZKP allows you to present mathematical proof of correctness: «this encrypted ballot contains exactly one choice.» The system accepts the proof and counts the vote. Who voted for whom is not revealed to any party.
Additive homomorphic encryption (ElGamal). Imagine: each voter has a sealed envelope containing a number inside — 1 for one candidate, 0 for another. The ElGamal scheme (1985) allows adding the numbers in all envelopes into one final number without ever opening any individual envelope. Everyone sees the result — 847 votes for A, 653 for B. Yet no individual’s specific choice is revealed. This mathematics underlies verifiable secret voting. And it collapses when parameters are chosen incorrectly: Gaudry demonstrated that with a 256-bit key, «opening» each envelope takes twenty minutes on a standard laptop.
In this architecture, blockchain serves one function: it acts as a public registry to which nothing can be added or altered after voting closes. Appending votes retroactively is a classic attack vector on centralized systems. Academic systems Helios and Belenios addressed this through a trusted server. Blockchain eliminates the very concept of «trusted»: the rules for maintaining the registry are embedded in the protocol, not in the operator’s good faith.
From Zug to REV: Global Experience
Level One: Technical Foundation
Moscow REV. The Remote Electronic Voting system launched for the 2019 Moscow City Duma elections initially addressed a pragmatic task: reducing the load on polling stations and enabling those unable to attend in person to vote. A permissioned blockchain was chosen — a closed network under government management, where participation as an independent node was impossible. However, the system code was published on GitHub weeks before the election: anyone could examine the implementation and receive rewards for discovered vulnerabilities. It was through this public repository that Gaudry gained access to the code.
The ElGamal scheme was proposed by Taher ElGamal in 1985 for the computational capabilities of that era. By 2019, parameters considered acceptable forty years earlier had long been recognized as insufficient: NIST recommends a minimum of 2048 bits for discrete logarithm schemes. The Moscow system used 256-bit parameters — a security level that by modern standards can be broken in minutes.
Gaudry reported the problem and proposed a specific minimum: no less than 2048 bits, or a transition to elliptic curves (Curve25519), where comparable security is achieved with significantly smaller key sizes. The developers raised the parameters to 1024 bits. Subsequently, Harvard mathematician Alexander Golovnev discovered a second vulnerability in the patched version: from the encrypted ballots, published in real time, one bit of data was leaking, allowing tracking of the intermediate count by candidate. Both vulnerabilities were eliminated before voting began.
Voatz (West Virginia / Denver, 2018–2020). A mobile application for overseas military voting. MIT researchers discovered a fundamental architectural problem: voter identity could be established and linked to their specific choice through the company’s servers. Identity verification and ballot registration passed through a single node under Voatz’s control — a traceable link between the voter and their choice was preserved. The application code was closed prior to launch. Audit logs were stored with the operator. Blockchain was present, but only for storing transaction hashes: it recorded the fact of vote receipt, not the protection of their contents. Cryptographic protection of ballot secrecy at the application level simply did not exist.
Helios (2008 → present). Ben Adida’s system has operated in real elections since 2008 — Catholic University of Leuven, the International Association for Cryptologic Research (IACR), and various universities worldwide. Full implementation of ZKP + homomorphic encryption: the voter verifies that their ballot was included in the public bulletin board; any observer verifies the correctness of the final summation. However, Helios uses a trusted web server as the registry — not a public blockchain. For small organizations, this is acceptable: the stakes are low, institutional trust in the university is sufficient.
Level Two: Institutional Conditions
Agora / Sierra Leone (2018). The company conducted a parallel count during parliamentary elections without authorization from the electoral commission. The results matched the official count and were recorded on a blockchain. Technically — apparently correct. The Sierra Leone Electoral Commission responded harshly: Agora was not an authorized participant in the process; the data had no legal force; claims of «the first blockchain election» were misleading. The technology worked. But elections are not merely correct counting. They are an act with legal consequences, whose participants can only become so by decision of the appropriate institution. Reproducing electoral procedure from the outside means conducting a different procedure, even if the mathematics is identical.
Tsukuba, Japan (2018). The first case where a national ID system — Japan’s My Number — was used for authorization in blockchain voting on municipal development issues. Full institutional authorization by the municipality, existing legal framework. The pilot demonstrated the viability of integrating digital identification with blockchain. The limitation that immediately emerged was not technical: My Number did not cover the entire population, and some citizens were structurally excluded from voting. A solution exists and is applied in other contexts: a phased transition where the digital system supplements traditional voting for those included in it, without replacing it for everyone else. Tsukuba showed that integrating a national ID system with a blockchain registry technically works — coverage is a question of inclusion policy, not platform capability.
Voatz (continued). The same system reveals a second type of failure: not lack of authorization, but lack of independent audit as a mandatory requirement. The United States has no unified federal standard for remote electronic voting. West Virginia granted Voatz access to real voting in 2018 without prior independent verification. The MIT analysis only became possible in 2020 — not at the regulator’s demand, but at the public’s request. Voatz demonstrates that technical and institutional levels do not substitute for each other: formal authorization does not protect against architectural vulnerability, and even correct architecture cannot compensate for the absence of mandatory audit. Both violations are independent — and either is sufficient to compromise the system.
Level Three: Political Readiness
Zug, Switzerland (2018). A canton with a tradition of direct democracy and consultative voting at the municipal level. The first vote on the public Ethereum blockchain was not a technological experiment layered atop existing practice — it was its continuation. The smart contract was deployed on a public network: the contract rules, once published, could not be altered by anyone, including the canton. Adding a vote after the ballot closed was impossible by network protocol. Zug is the only case where all three levels were satisfied, at least at the municipal scale: correct cryptography, full institutional authorization, and political readiness to accept the result.
Seoul, S-Coin (2019). A platform for citizen participation in district budget allocation. Blockchain for transparent vote accounting on urban development issues. The system operates to this day — specifically because the stakes are manageable and the institutional corridor is predetermined: S-Coin does not claim to replace representative elections. Where political consequences are predictable and limited, accepting an uncorrected result is significantly easier.
Three Levels: Designing a Resilient System
The eight cases describe the same structure from different angles. From it emerges a common architecture:
Technical Foundation — specific engineering solutions, independently verifiable before launch.
- Cryptographic minimum: ZKP for validating each vote without revealing contents; additive homomorphic encryption for counting without decryption; parameters meeting current security standards. Gaudry’s recommendation is specific: for classical ElGamal — no less than 2048 bits; for modern implementations — elliptic curves (Curve25519, P-256), where 256 bits provide sufficient security with significantly lower computational overhead.
- Architectural minimum: voter identity verification and ballot encryption must be two independent steps with a cryptographic break between them. The link between a specific person and a specific vote must not exist in any system node after the vote is encrypted. Voatz violated this principle — and this is what made deanonymization possible.
- Openness of code and parameters before deployment — not a transparency signal for PR, but a condition for independent verification. Closed code with an open blockchain creates an illusion of checkability.
Institutional Conditions — the structure making independent verification mandatory, not optional.
- Legal authorization of the system as an official voting instrument is a necessary condition for the legal significance of the result. Agora demonstrated this by counterexample: a mathematically correct result without authorization does not exist as an electoral act.
- Mandatory independent audit before launch — conducted by an organization with no financial or institutional ties to the operator — is a systemic requirement, not an option. Its absence from the approval chain is what allowed 256-bit parameters to pass all development stages unnoticed. If such audit is not mandatory under the regulatory framework, it will not be conducted — this is demonstrated by both cases with critical vulnerabilities.
- Public blockchain, not private under operator control: consensus rules are independent of any single participant. This is a fundamental choice — not of technical architecture, but of purpose. A permissioned blockchain under government management addresses the task of protecting against external attacks. It does not address the task of independent verification — because the operator still controls the rules.
Political Readiness — a level that cannot be engineered technically.
Zug works not only because it has correct cryptography. It works because the cantonal political culture — a tradition of direct democracy, consultative referendums, horizontal self-governance — created an environment where accepting an uncorrected result is the norm, not a sacrifice. S-Coin in Seoul is resilient because it operates in a predetermined limited space: the stakes are manageable, and political will is sufficient for this scale.
What Comprises a Working System and Why It Does Not Yet Exist
The matrix shows not only where each system stopped — it shows where each came closest to a solution. Zug satisfied the political and institutional levels, but operates at municipal scale. Helios and Belenios closed the cryptographic level and proved its viability in real elections. Tsukuba showed how a national ID system can be integrated with a blockchain registry at the authorization level. S-Coin showed how to scale gradually without immediately risking high political stakes.
None of these systems combined these building blocks — not because it is architecturally impossible, but because in each case one level remained unclosed. Moscow REV hit the absence of independent audit: 1985 parameters passed all approvals unnoticed. Voatz — hit the absence of both audit and correct identification architecture. Agora — hit the absence of institutional recognition. All three levels are independent, and failure at any one is sufficient.
A hypothetical system closing all three levels would look like this. The cryptographic stack of Helios or Belenios — ZKP plus additive homomorphic encryption with correct parameters — deployed atop a public blockchain: not a permissioned government network, but an open registry whose rules are independent of the operator. Identity verification organized through national ID infrastructure following the Tsukuba model, with phased inclusion and parallel preservation of traditional voting for those not yet covered by the digital system. Before launch — mandatory public crypto-audit with open code and parameters. After — the ability for anyone to independently reproduce the final count.
Thus, implementing blockchain voting at the national, parliamentary level is not a technical but an institutional task: a legal framework is needed, public audit, and political readiness to accept results that cannot be altered retroactively. The first step toward this may be a resilient municipal or regional pilot following the Zug or Helios model, where open architecture and verifiability create a foundation for trust in elections not as an institution, but as a process.
