VoteChain Assurance

The building-inspection version:

What are these documents?

Imagine a brand-new building is about to open. Before anyone walks through the doors, inspectors check everything — the fire alarms, the plumbing, the locks, the wheelchair ramps, the emergency exits. These 14 playbooks are the inspection checklists for VoteChain. Each one covers a different kind of check.

Why publish them?

Because when the checklists are public, anyone can look at them and say "hey, you forgot to check the sprinklers on the third floor." That's the whole point — invite the sharpest critics to find what was missed before opening day, not after.

What gets inspected?

• Can bad guys break in? Several playbooks imagine every kind of troublemaker — hackers, insiders, tricksters — and plan how to stop them. Think of it like testing whether every door locks, even from the inside.
• Does the math check out? The system uses special math (cryptography) to keep things private and tamper-proof. One whole playbook is just about making sure that math is done right — like double-checking every weld on a bridge.
• What if something breaks? Some playbooks test what happens when things go wrong on purpose — power failures, traffic overloads, servers going down. The building still has to stay safe even if the elevator stops working.
• Is it fair for everyone? One playbook specifically checks that the system works equally well for people with disabilities, people without smartphones, people in rural areas, and people who speak different languages. If the wheelchair ramp is steeper than the stairs, you failed.
• Does it keep secrets? A privacy inspection makes sure the system never accidentally learns who you are or how you voted — only that you were allowed to vote.
• Can anyone cheat and get away with it? A special team pretends to be the bad guys (a "red team") and tries to break the system on purpose. If they succeed, that's a good thing — it means the flaw was found before a real bad guy found it.

Some quick numbers:

• 14 separate inspection playbooks
• Covers 6 domains: security, cryptography, operations, privacy, usability, and fairness
• Written for the internal team first, then published for everyone to read
• Designed to run before outside auditors arrive — so the outside check starts from a higher bar

The idea is simple: don't wait for someone else to find what's broken. Find it yourself, fix it, prove you fixed it, then let the outside inspectors verify you didn't miss anything.

Want more detail? Slide the bar to the right. Or close this and browse the 14 individual playbooks below.

Technical summary of the assurance surface:

14 internal playbooks covering the full assurance lifecycle for VoteChain (permissioned voter verification chain) and EWP (Election Web Protocol). Designed to be executed pre-3P audit/red-team to raise the baseline before external engagement. Published for public methodology review.

Threat Analysis & Attack Surface

• Threat Modeling: STRIDE-derived methodology adapted for election systems. Asset inventory (enrollment keys, gateway signing keys, BB STH keys, trustee threshold shares, chaincode governance keys). Trust-boundary decomposition across voter client, poll device, enrollment authority, gateway, bulletin board, chain nodes, monitors, and oversight portal. Attacker profiles: network-only, physical, privileged insider, supply-chain, coercer. Claim-to-mechanism matrix mapping each PRD security property to its enforcement mechanism, assumptions, detection strategy, and recovery path. Output: risk register driving red-team and audit focus.
• Attack Case Library: Cataloged adversarial test cases (safe negative tests) with expected defense behavior and patch patterns. Categories: credential forgery, enrollment replay, nullifier collision injection, gateway impersonation, BB fork/equivocation, threshold ceremony disruption, device attestation bypass, cross-jurisdiction replay. Each case includes preconditions, attack steps (without full exploit chain), expected system response, and regression test anchor.
• Penetration Testing: Internal staging pentest scoped to verification chain invariants, BB API surface, gateway authentication, node configuration drift, and degraded-mode edge cases. Focus on broken assumptions rather than generic OWASP findings. Scope excludes ballot-casting (separate system). Output: findings mapped to risk register entries with severity, exploitability, and remediation SLA.

Cryptographic & Protocol Assurance

• Crypto + Protocol Review: Audit-readiness preparation for external cryptographic review. Covers: binding verification (every signature/ZKP binds election_id, jurisdiction_id, manifest_id, challenge nonce, nullifier), domain separation for all hash functions, privacy leakage matrix (time/location metadata correlation, IP-to-voter mapping in Mode 3, receipt-freeness under coercion), non-equivocation proof semantics (BB consistency proofs, monitor gossip, anchor linkage), key ceremony review (generation, distribution, rotation, revocation for HSM-backed and threshold keys), and ZK circuit review (constraint system completeness, soundness assumptions, trusted setup ceremony if Groth16, or transparent setup if PLONK/STARKs).
• EWP Conformance Testing: Defines the EWP conformance surface: the set of protocol behaviors any compliant implementation must exhibit across deployment modes (Mode 1/2/3). Test vector format: deterministic inputs with expected outputs for credential issuance, ZKP generation/verification, nullifier derivation, BB inclusion/consistency proofs, receipt generation, and cross-node consensus. Invariant tests: properties that must hold regardless of implementation (e.g., nullifier uniqueness, proof non-malleability, receipt non-coercibility). Interoperability matrix across reference implementations.

Adversarial Exercises

• Red Team Exercises: Full-scope adversarial engagement framework. Scenario library covering technical (chain-level attacks, ZKP forgery attempts, BB fork injection), human (social engineering of operators, phishing poll workers), and operational (insider key compromise, supply-chain substitution) attack paths. Exercise types: announced purple-team drills (collaborative), blind red-team engagements (defenders unaware), and tabletop exercises for scenarios too dangerous to simulate live. Measurable outcomes: time-to-detect, time-to-contain, coverage gaps, and patch-loop closure verification.
• VDP / Bug Bounty Readiness: Pre-launch vulnerability disclosure program preparation. Intake pipeline: submission form, triage SLA (24h acknowledge, 72h severity assessment), severity classification (CVSS + election-context modifiers), safe-harbor legal language, reward structure (up to $500K for critical chain-level findings). Internal dry runs: planted vulnerabilities processed through the full pipeline to validate triage accuracy, communication templates, and payout mechanics before public launch.

Implementation & Operations

• Secure Code Review: Line-level implementation checklist. Protocol correctness (does the code match the spec?), input parsing (malformed payloads, boundary values, encoding edge cases), key material handling (in-memory exposure, zeroization, HSM offload), logging hygiene (no PII in logs, structured audit events, tamper-evident log chains), dependency audit (supply-chain risk for cryptographic libraries, pinned versions, reproducible builds).
• Operational Audit: Non-code assurance surface. Key ceremony procedures (multi-party generation, secure transport, rotation schedules, emergency revocation). Change control (chaincode upgrades require multi-party approval + 30-day public comment). Incident response (runbooks, communication templates, evidence preservation chain-of-custody, post-mortem publication SLA). Operator access controls (principle of least privilege, session recording, break-glass procedures with mandatory post-incident review).
• Monitoring + Non-Equivocation: BB transparency validation. Monitor responsibilities: STH polling, anchor verification against VoteChain, consistency proof verification, cross-monitor gossip. Controlled equivocation simulations: deliberately inject inconsistent STH views and verify detection latency, alert propagation, and public disclosure timeline. Alert thresholds: missing consistency proof = high severity, STH divergence = critical, monitor downtime > N minutes = escalation. Evidence capture for all detected anomalies.

Privacy & Usability

• Privacy Audit: Privacy impact assessment methodology. Data-flow tracing across enrollment, verification, casting, fraud-case evidence, and monitoring paths. Field inventory: every data field across on-chain events, BB leaves/STHs, receipts, logs, metrics, and support systems — tagged with necessity, retention, access control, and correlation risk rating. Correlation risk testing: time/location linkage precision, network identifier leakage (IP-to-voter in Mode 3 gateways), operational log pseudonymity validation, recovery-flow centralization risks. Receipt-freeness review: can a receipt be used to prove vote content to a coercer?
• Usability: Phishing Defense: User testing protocol for gateway authenticity signals and manifest verification UX. Simulated phishing campaigns against test cohorts measuring click-through rates, credential-entry rates, and time-to-recognition. Evaluation of visual trust indicators, certificate pinning UX, and out-of-band verification flows. Acceptance criteria: phishing success rate below defined threshold before public deployment.

Equity & Resilience

• Equity and Access Testing: Parity measurement across demographic cohorts, device classes (low-end phones, assistive tech, no-smartphone path), network conditions (offline, intermittent, high-latency), and enrollment channels (assisted, mobile unit, in-office). Key metrics: verification time distribution (median, p95), failure/escalation rates, provisional ballot rates, support burden per 1K voters. Threshold rules: if any cohort metric exceeds the baseline by more than a defined percentage, the test fails. Includes end-to-end exercises with representative users covering disability access, low digital literacy, and non-English speakers.
• Load + Failover Drills: Stress testing at 2x peak projected load. Scenarios: node failure (single, multi, partition), network degradation (latency injection, packet loss), geographic isolation, and cascading failure chains. Validation targets: rate limiting fairness (no demographic skew under load), continuity objectives (RTO/RPO per component), degraded-mode voter experience (provisional path remains functional), and data integrity under partial-write scenarios. Output: capacity model with headroom recommendations and failover runbook validation.

Cross-cutting methodology:

Every playbook follows the same structure: inputs (what you need before starting), steps (what to do), expected outputs (deliverables with pass/fail criteria), and patch loop (how findings feed back into the risk register and re-test cycle). The intent is that internal execution raises the baseline high enough that external audit time is spent on novel findings rather than known gaps.

Each playbook below contains the full checklist, expected outputs, and acceptance criteria. Browse individually or read sequentially.