Ballot Verification

Objectives of Verification

At the moment a voter completes voting at ElectionsOnline, they have the opportunity to also retrieve and save digest information (explained below) for use later in verifying a ballot. A voter may then visit and use that data to:

  1. step through the process of verifying that their ballot has been recorded.
  2. verify the ballot has not been altered.
  3. ensure the ballot is included in the vote count.

Verification Steps

Step One—Verify version number

Ballots are stored inside an immutable system of record that can only perform append operations. This means that when data, such as the selections a voter makes on a ballot, is committed to this system, it is stored as a block of data with a version identifier of zero. Were that block of data to be modified or deleted at some later point in time, the append-only behavior means that the original data is not overwritten. Rather, a new entry is added and hash-chained to the original data block, creating an auditable history of activity performed on that data in which each new entry has a version identifier incremented by one. Because no ballot should ever be modified once it enters the system, no ballot should have a version identifier greater than zero. Therefore, the first step in ballot verification is to confirm that a given ballot is on version zero. Upon successfully completing version number verification, a user will be presented the opportunity to advance to retrieve the block address for a ballot.

Step Two—Get block address

Once it is established that a ballot is at version zero, further verification may be performed to ensure this one and only version has not been altered since the moment it was committed to the ledger. Steps two through four collect the data necessary to perform this verification, beginning with retrieving the block address for the ballot, which is as simple as proceeding to step two.

Step Three—Provide digest and digest tip address

At the moment a ballot enters the system, the voter has the option of also retrieving a digest and digest tip address for use later in verifying a ballot. Digest may be defined as:

A 256-bit hash value that uniquely represents a ledger’s entire history of document revisions as of a point in time. A digest hash is calculated from your journal's full hash chain as of the latest committed block in the journal at that time.

And the digest tip address is simply:

The latest block location covered by the digest that you requested.

Notice from the definitions above that the digest and digest tip address both make reference to time. When we perform verification, what we are really proving is that data has not been altered between the time the digest was generated and the time the verification is performed. That is the reason voters are provided the option of capturing and saving a digest immediately after submitting their ballot rather than using a digest generated later during the verification process.

Step Four—Get a proof and verify the ballot

With all the data collected in the previous steps we now have all that is needed to retrieve a proof and perform verification. A proof may be defined as:

The ordered list of 256-bit hash values for a given digest and document revision. It consists of the hashes that are required by a Merkle tree model to chain the given revision hash to the digest hash. A proof enables you to verify the integrity of your revisions relative to the digest.

With this data the verification process is able to recalculate a hash for the digest. When this recalculated digest matches the expected digest hash, verification is successful. For a more detailed explanation, visit Data verification in Amazon QLDB.
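The check described in steps three and four, as an added example that is not ElectionsOnline's or Amazon QLDB's code: it folds a proof into a revision hash and compares the result with the digest the voter saved at voting time. The four-entry ledger, the payload strings and the pair-ordering rule in `combine` are constructed assumptions; the QLDB documentation defines the exact hashing rule the service uses.

```python
import hashlib
import hmac

HASH_LEN = 32  # 256-bit hashes, as in the digest and proof definitions


def combine(a: bytes, b: bytes) -> bytes:
    """Parent hash of two nodes. Assumption for this example: the pair is
    ordered bytewise before hashing, so a proof needs no left/right flags."""
    if len(a) != HASH_LEN or len(b) != HASH_LEN:
        raise ValueError("expected 256-bit hashes")
    lo, hi = sorted((a, b))
    return hashlib.sha256(lo + hi).digest()


def recompute_digest(revision_hash: bytes, proof: list) -> bytes:
    """Chain the revision hash to the root using the ordered proof hashes."""
    node = revision_hash
    for sibling in proof:
        node = combine(node, sibling)
    return node


def verify_ballot(revision_hash: bytes, proof: list, saved_digest: bytes) -> bool:
    """True when the recalculated digest matches the digest saved earlier."""
    return hmac.compare_digest(recompute_digest(revision_hash, proof), saved_digest)


def four_leaf_ledger(payloads: list):
    """Constructed sample ledger of four entries.
    Returns (leaf hashes, proof for entry 2, digest over all four)."""
    leaves = [hashlib.sha256(p).digest() for p in payloads]
    n01 = combine(leaves[0], leaves[1])
    n23 = combine(leaves[2], leaves[3])
    return leaves, [leaves[3], n01], combine(n01, n23)


if __name__ == "__main__":
    ballots = [b"ballot-0", b"ballot-1", b"ballot-2", b"ballot-3"]  # constructed
    leaves, proof, saved = four_leaf_ledger(ballots)
    print("unaltered vs saved digest:", verify_ballot(leaves[2], proof, saved))

    # Simulate entry 2 being changed after the voter saved their digest.
    ballots[2] = b"ballot-2-altered"
    leaves, proof, later = four_leaf_ledger(ballots)
    print("altered vs saved digest:  ", verify_ballot(leaves[2], proof, saved))
    # A digest generated only now covers the altered data and hides the change.
    print("altered vs later digest:  ", verify_ballot(leaves[2], proof, later))
```

The last line of output is the reason step three asks for the digest captured at voting time: a digest generated after an alteration verifies the altered data.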

Step Five—Ensuring ballot is included in vote count

All verification activity discussed above is performed against a system of record which is not used to support reporting and analysis of the election results. Therefore, once voters have verified that their ballot has been captured and is unaltered in this system of record, they may also confirm that one, and only one, exact duplicate of their ballot also exists in the reporting platform.

Viewing ballot

After a ballot has been verified, you may also proceed to view the ballot showing the selections made by the voter.
