A Modular, Cast-as-intended Voter-Verifiable –QR code based– Electronic Voting System

A voting system focused on doing a simple installation on user-friendly hardware and providing Casting Correctness Verification to the voters.

Web under construction!

moca qr

General Overview of MoCa QR


I. Setup of the Election

  1. Keys Generation:
    • Authority Keys: for the encryption of the ballots, MoCa QR uses a Paillier Threshold scheme, in which we have a public key to encrypt all the votes, and the private key is divided among a certain number of ‘Authorities’. At the end of the election, just a fraction of those Authorities are necessary to reveal the final result of the election.
    • Voter Keys: each voter must sign her encrypted ballot before casting it, so prior the day of the election is necessary for the voter to generate a key pair to make this procedure. The public one is uploaded to a Bulletin Board and the private key is stored by each voter, in an application on their mobile phones called VoterApp.

II. Voter Interaction Modules

  1. Ballot Selection:

    Is this moment when the voter makes her selections on a simple user-friendly hardware (e.g. a tablet). This module interacts with the voter, accepting her selections, encrypting them with the values configured previously (public key of the authority), and then asking to the voter to sign it with VoterApp (configured previously). After the signature process, the module prints a ballot with three parts: the first one showing the selections made in plain human-readable text, the second showing in a QR code the encryption plus the signature made, and finally showing in a QR code the randomness used to encrypt the selections (this value will be necessary for the cast-as-intended verification).

  2. Ballot Verification.

    After printing the ballot, the voter can verify the correctness of the encrypted value, this is intended to check if the ballot selection machine really encodes the selections of the voter. The voter, in this independent module, has to scan both QR codes (the encryption and the randomness) present on the ballot, and with this values the module runs an algorithm to verify the encryption. It shows on screen the candidate that is encrypted. If it is the candidates that the voter intended to cast, the first machine did a good work and produced the correct encryption. If not, it is because the first machine wanted to “trick” the voter encrypting other candidates rather than the ones that she intended to cast, so the voter can go back and produce a new ballot. What to do if the problem continues? This is one of the questions still open in this project.

  3. Ballot Casting.

    After the verification (if successful) the voter needs to fold her ballot, hiding the first part with the name of the candidate written in human-readable text, and go to the polling station to cast her vote. The poll worker receive the ballot, detaches the thrid part (randomness) of the ballot and destroys it (if not, the voter could demonstrate how show voted to another person), then scans the encrypted ballot, where the computer verifies the signature made by the voter, if it’s correct, the encryption will be uploaded to the bulletin board. Finally the poll worker detaches the encryption from the first part of the ballot, the voter deposits this first part (human-readable text of the candidate selected) into an urn placed right there in the polling station, and can bring home the encryption with her.

III. Tallying the Election

  1. Ballots Multiplication.

    MoCa QR uses the homomorphic property of the Paillier encryption scheme. Because of that, at the end of the voting period, the election administrator has to multiply all the encrypted ballots stored in the bulletin board and write this new resulting value also in the bulletin board for the authorities to decrypt it afterwards.

  2. Generate Partial Decryptions.

    After the calculation of the multiplication of the ballots, the authorities need to use their share of the private key to generate the partial decryptions of the final result (homomorphic property of the scheme). When just a fraction of the authorities had already uploaded their partial decryption, the outcome of the election can be revealed. Each authority produces their partial decryption using AuthorityApp.

  3. Combine Partial Decryptions.

    Once there are enough partial decryptions, the election administrator, using a dummy share of the private key (this is necessary for how is implemented the Paillier library) can combine all the partial decryptions and reveal the final result of the election.

Bulletin Board (BB)

The BB is a server that stores public information regarding the actual election that is running on. The transparency of the process requires the publication of this information, making easier the process of retrieving this public information and use it in each module. An important note: there are some modules (Ballot Selection and Ballot Verification) that, for security reasons, can’t connect to Internet, so they can’t download the necessary public information from the BB. For that reason, the public information that they need (authority public key and list of candidates) must be configured “manually”, having both files inside their file systems, before their respective configuration. The values that need to be on the BB are:

  • Authority Public Key.
  • Voters Public Keys.
  • Candidates List.
  • Encrypted Ballots.
  • Ballots Multiplication.
  • Dummy Share of the Authority Private Key.
  • Partial Decryptions.

Installation of MoCa QR

For more information about the installation of each of the modules, please refer to the Github page of each of the repositories where the code of the applications is stored.


  1. Authority Keys Generation - Java Application
  2. Voter Keys Generation - Java Application
  3. Ballot Selection - Android Application
  4. Ballot Verification - Java Application
  5. Ballot Casting - Java Application
  6. Administrator App - Android Application
  7. Authority App - Android Application
  8. Voter App - Android Application
  9. Combine Partial Decryptions - Web Application - Currently not implemented

Bulletin Board

  1. Server Configuration:

    The BB needs to be configured as an API for each of the values that need to be stored in it. Each of the values must have an specific name and some necessary attributes for the interaction with each of the modules. These configurations have been tested creating an API with CouchDB.

    • Authority Public Key.
      • name= “/authority_public_key”
      • parameters= “value”:number, “threshold”:number
    • Voters Public Keys.
      • name= “/voters_public_keys”
      • parameters= “voter_id”:string, “value”:number
    • Candidates List.
      • name= “/candidates_list”
      • parameters= “question”:string, “number_of_candidates”:number, “candidates”:”id”:number, “name”:string, …
    • Encrypted Ballots.
      • name= “/ballots”
      • parameters= “encrypted_vote”:number, “signature”:number
    • Ballots Multiplication.
      • name= “/multiplied_ballots”
      • parameters= “value”:number
    • Dummy Share.
      • name= “/dummy_share”
      • parameters= “value”:number
    • Partial Decryptions.
      • name= “/partial_decryptions”
      • parameters= “auth_id”:number, “value”:number

How to use MoCa QR on an election

We will explain the use of each of the applications separated in the three actors that are present at the moment of running an election: administrators, authorities and voters.

Election Administrators - Administrator App

  1. Bulletin Board configuration: the BB needs to be configured in the way is described above, so all the applications can download and upload the public values with no problems.

  2. Candidates List: the administrators need to establish the list of the candidates that will run on this election. This functionality will be present at Administrator App. For now the candidates list file needs to be edited separately.

  3. Run Authority Key Generation: before the election, is necessary that the administrators run this application, with the authorities present. With this, the public key will be uploaded to the BB and each authority will store their private key on their mobile phones.

  4. Run Voter Key Generation: also before the election, is necessary that all the persons that are entitled to vote, had to generate their key pair for the signature of the encrypted ballot. The idea is to run this generation of keys before the election, so the voters can do it with time. Every time a voter generates their key pair, the public value is uploaded to the BB and the private is stored on their mobile phones using Voter App.

  5. Deliver public values to machines with no access to BB: there are some machines that are not allowed to have connection to the BB for security issues. This machines are Ballot Selection and Ballot Verification. The administrators need to make sure that each of the machines will have access to some public values (authority public key and candidates list) in their file system, so they can be configured to use this values.

  6. Configure all machines: all the machines need to be configured with, at least, the address of the BB, so they can download all the public information necessary to run their specific function on the election.

  7. Generate ballots multiplication value: at the end of the election, is necessary to generate the multiplication of all the ballots (to use Paillier’s homomorphic property). This task could be done by any person, because all the values are public and is just a simple operation with all the encrypted ballots present on the BB. To make sure this value will be calculated, the administrators need to do it. For more transparency, there could be more persons calculating this value. This functionality will be present at Administrator App.

  8. Combine Partial Decryptions: when all the partial decryptions (or at least the necessary to reach the threshold) are present on the BB, is necessary to combine them to decrypt the final result of the election. Once again this could be done by any person, because the values are all public and also the application to do it. With this the final outcome is revealed and the election is over. A Web Application is being developed right now to perform this task.

Election Authorities - Authority App

  1. Store their share of the private key: at the moment of the key pair generator of the authorities, each of them needs to store their share of the private key (threshold system) in their mobile phones. This is done right now storing the file on an external storage (e.g. SD card), and then configuring AuthorityApp to use that file as the share to decrypt the value at the end of the election.

  2. Decrypt the multiplication of the ballots: at the end of the election, when the multiplication of the ballots is calculated, each of the authorities need to use their AuthorityApp to decrypt this value, and generate their partial decryption. This partial decryption is uploaded to the BB while waiting to gather enough of them (threshold) for the administrators to combine them and reveal the outcome of the election.

Voters - Voter App

  1. Store their private key: in order to sign the encryption, the voters need to go to generate their key pair, and then store their private key using VoterApp. This process consists on scanning the QR code generated by Voter Keys Generation and is stored automatically within the application.

  2. Operate with Ballot Selection: when arriving to the polling station, the voter needs to go to the voting booth and operate with the Ballot Selection machine (tablet). With this application, the voter selects her candidates, and then needs to sign the encryption generated. For this,needs to use VoterApp, and exchange QR codes with the tablet, using the camera (this process becomes clearer in the video presented below). After this, the machine prints the ballot with the three parts.

  3. Verify the encryption: after priting the ballot, within the same voting booth, the voter needs to verify the encryption produced. For this, the voter needs to use Ballot Verification and scan both QR codes printed in the ballot. If the machine answers that the encrypted candidate is the same that the voter intended to vote, she has to fold the first part of the ballot to hide the human-readable part and leave out the voting booth. If is not the same candidate, she can go back to Ballot Selection and print a new ballot.

  4. Cast her ballot: after leaving the voting booth, she must hand out the ballot to the poll worker, who destroys the third part of the ballot (QR code containing the randomness), then scans the second QR code (encryption) using Ballot Casting, the system uploads this value to the BB (after the verification of the signature), and the poll worker detaches the first part of the ballot handing it back to the voter. She deposits this part in an urn, and can go home with the second part of the ballot.

  5. Verify that her vote will be or was counted: the voter can check if her vote is present on the BB using the part of the ballot that carried home. This can be done before the end of the election, or even days after the election has passed, since it contains public information and it must be available for everyone. This functionality will be present at Voter App.

video example

A video example showing the steps that the voter must go through to cast a valid vote.

MoCa QR - Usage Example


Documentation of MoCa QR

Coming soon!

the team

The Team

MoCa QR is being developed right now at CLCERT - Universidad de Chile.

Thanks to the following former collaborators:

  • Diego Madariaga
  • Stefano Gioia
  • María José Vilches
  • Diego Díaz