Why Our Voting System Cannot Prove Its Own Integrity
Every democratic election depends on one simple rule:
Each eligible citizen may vote once — and only once — in each contest.
Our current voting system cannot prove that rule was followed.
Before an election even begins, there is no authoritative answer to a basic question:
Exactly how many people are eligible to vote in this election?
Eligibility information is scattered across agencies and states that operate independently. No single system produces a final, auditable count of eligible voters. As a result, voting begins without a fixed limit. Ballots are cast before the maximum number of legitimate votes is known.
What follows is a system built on procedures and trust:
- voter rolls
- signatures
- audits
- recounts
- explanations after the fact
These methods can reduce error, but they cannot guarantee outcomes. They cannot mathematically prevent duplicate voting. They cannot make fake or excess votes impossible. They can only attempt to detect problems later — and ask the public to trust the result.
It is a design problem.
Traditional databases and oversight systems cannot fix this because they rely on administrators and policy decisions. Limits are enforced by rules people are expected to follow, not by math. Records can be altered. Audits require insider access. The public is never shown proof that violations could not occur.
Cryptographic shared ledgers exist for one reason:
To enforce strict limits in systems where trust alone is not enough.
They allow rules to be enforced automatically and visibly:
- exactly N voting units can exist
- each unit can be used once
- no additional votes can be created
- totals can be verified by anyone
- individual votes remain secret
Voting is, at its core, the controlled issuance and use of voting power. Cryptographic shared ledgers are uniquely capable of enforcing that control — regardless of how uncomfortable or unfamiliar the technology may seem.
Avoiding this technology does not protect democracy.
It preserves a system that cannot prove its own legitimacy.
This paper presents a voting system that makes it mathematically impossible to exceed the number of eligible voters, to vote more than once, or to alter results without detection — while preserving ballot secrecy, accessibility, and state autonomy.
In simplest terms, think of cryptocurrency. Only a set number of coins are minted. Each voter holds exactly one coin and can send it to one candidate's wallet. The candidate whose wallet ends up with the most coins wins, and anyone can recount the wallets. The rules are publicly verifiable and are enforced by the same mechanism that stops a coin from being spent twice.
It does not change who is allowed to vote.
It does not require online voting.
It does not ask the public to trust the system.
It provides a system that can prove its own integrity.
Enforcing Democratic Limits with Cryptographic Shared Ledgers
Executive Summary
The United States voting system relies on procedures, institutional trust, and post-election reconciliation to ensure fair outcomes. While these methods have historically functioned, they suffer from a fundamental limitation: they cannot prove that only eligible voters voted, or that each voter voted only once.
This paper proposes a technically achievable solution that replaces procedural trust with verifiable limits, using cryptographic shared ledgers and fixed-issuance voting tokens. These mechanisms—already used to enforce strict limits in adversarial environments—make it possible to mathematically guarantee one-person-one-vote while preserving ballot secrecy, accessibility, and public auditability.
This proposal does not change who is eligible to vote, does not eliminate secret ballots, and does not require public online voting. It upgrades the enforcement model of elections from trust-based procedures to proof-based constraints.
1. The Fundamental Failure of the Current Voting System
Modern U.S. elections cannot conclusively answer three basic questions:
- How many people were eligible to vote in this election?
- How many votes could possibly exist?
- Did any individual vote more than once?
Current systems rely on voter rolls, poll books, signature verification, audits, and recounts. These are procedural controls. They reduce error, but they do not enforce hard limits.
In an environment of polarization and declining institutional trust, outcomes that rely on “trust us” explanations lose legitimacy. This is a limit-enforcement problem.
2. Why Traditional Databases and Audits Cannot Solve This
Traditional databases are controlled by administrators. Even with oversight:
- records can be altered
- limits are enforced by policy, not math
- audits require insider access
- the public cannot independently verify enforcement
A system that depends on trusted administrators cannot provide public proof that rules were never violated. To fix this, enforcement must be automatic, visible, and independent of institutional trust.
3. Why Cryptographic Shared Ledgers Are Necessary
Cryptographic shared ledgers (often called blockchains) were designed to answer one question:
How do you enforce strict rules and fixed limits without trusting a central authority?
They provide four properties that administered databases and after-the-fact audits cannot provide together:
- Fixed issuance — exactly N units can exist
- Single-use enforcement — units cannot be reused
- Public verification — anyone can audit totals
- Rule immutability — rules cannot be quietly changed
Voting is fundamentally the issuance, limitation, and consumption of voting authority. Cryptographic shared ledgers are uniquely suited to this task.
4. Problem #1 — Citizenship Matters
The problem
There is no authoritative nationwide answer to the question:
“Exactly how many people are eligible to vote in this election?”
Eligibility information is fragmented across agencies and states. Voter registration relies heavily on self-attestation, and disputes often occur after voting begins.
The solution
Create a narrowly scoped federal voter-eligibility authority whose sole function is to produce a final eligibility snapshot for federal elections.
Constraints:
- it does not grant citizenship
- it records determinations made by existing authorities
- it provides notice, correction, and appeal
- it is legally barred from unrelated uses
Why this fixes the problem
It produces a fixed, auditable number of eligible voters before voting begins, enabling all downstream enforcement.
5. Anti-Surveillance Guarantees (Critical Safeguard)
This system must not become surveillance infrastructure.
Mandatory guarantees:
- Purpose limitation: eligibility determination for federal elections only
- Data minimization: eligibility status and minimal identity binding only
- Legal firewalls: explicit prohibition on use for law enforcement, immigration enforcement, taxation, benefits enforcement, or intelligence collection
- Penalties: criminal penalties and civil liability for misuse
- Transparency: public access logs, audit reports, and change records
The system makes vote limits public, not citizen behavior public.
6. Problem #2 — One Person, One Vote
The problem
Current systems cannot mathematically prevent double voting. They rely on procedures and detection after the fact.
The solution
Replace procedural enforcement with fixed issuance of voting authority.
For each election:
- Take the eligibility snapshot (N voters)
- Issue exactly N voting tokens
- Enforce by ledger rules:
- no additional tokens can exist
- each token can be used once
Why this fixes the problem
At the ledger level it becomes impossible to record more votes than issued tokens or to use one token twice. The guarantee is exactly that wide and no wider: the ledger enforces the ceiling and single use, but it cannot tell whether a token reached the eligible person it was issued for. Issuance and credential delivery (Sections 4 and 9) remain the trust boundary, and that is where auditing effort belongs.
7. Problem #3 — Real Elections Have Multiple Contests
The problem
Elections involve many independent decisions.
The solution
Use contest-scoped voting tokens.
For each contest:
- issue one token per eligible voter
- cryptographically bind the token to that contest
- allow it to be used once
- expire it after the election
Why this fixes the problem
It enforces one-person-one-vote per contest, mirrors real ballots, and simplifies auditing.
8. Federal-Only Baseline and State Autonomy
This proposal applies to federal elections only.
- States retain control over election administration
- States retain residency and registration rules
- States may opt in for state or local contests
- Federal funding supports federal standards without coercion
This is a verification layer, not a federal takeover.
9. Problem #4 — Secure Distribution of Voting Power
The problem
Voting fails if credentials are lost, stolen, or unrecoverable.
The solution
Separate voting power from voting access.
- Voting power exists as tokens in a ledger-backed wallet
- Access is provided via:
- voter card
- in-person terminal
- optional digital access
Lost access can be revoked and reissued without increasing voting power.
10. How Voting Works in Practice: Machines, Cards, and Digital Access
Voting is intentionally familiar.
In-person terminals
- Hardened, single-purpose devices (similar to ATMs or ballot-marking devices)
- Display only eligible contests
- Accept selections and submit voting tokens
- Can operate offline and settle later
Voter cards
- Authenticate voters and sign actions
- Do not store votes
- Do not expose private keys
- Can be revoked and replaced safely
Digital access (optional)
- Uses the same ledger rules
- Requires stronger authentication
- Not required for participation
No voter sees tokens or cryptography. The ledger enforces limits invisibly.
11. Can Voting Machines Be Manipulated?
Yes.
And that is precisely why this system does not trust machines with enforcement.
The key design assumption
Voting machines are assumed to be imperfect and potentially compromised.
The system is designed so that machine failure cannot break election integrity.
What a compromised machine cannot do
A compromised machine cannot:
- create extra votes
- allow someone to vote twice
- exceed the number of issued voting tokens
- silently change totals without detection
Why?
Because every vote requires a valid, unused, contest-scoped voting token, and the ledger enforces those limits independently of the machine.
What a compromised machine could try to do
A compromised machine might attempt to:
- mis-display choices, or submit a different selection than the voter made
- disrupt voting locally
- cause inconvenience or denial of service
These are serious issues, but they are localized and recoverable, not systemic. One caveat a practitioner should insist on: a substituted selection is a valid spend of an unused token, so the ledger alone cannot detect it. Cast-as-intended verification, such as a voter-verifiable record or a second-device check, is still required to catch that class of attack and is not provided by the ledger.
They do not allow:
- mass ballot stuffing
- invisible double voting
- outcome manipulation at scale
Detection, containment, and recovery
If a machine is compromised:
- anomalies appear as rejected or mismatched tokens
- damage is limited to that machine or location
- affected votes can be reviewed or re-cast
- the ledger’s public record exposes inconsistencies
This turns machine attacks into operational incidents, not election-breaking events.
Why this is safer than current systems
Today:
- machines both record votes and enforce limits
- if you distrust machines, you distrust the election
Here:
- machines are interfaces
- the ledger enforces limits
- trust is placed in math and public verification
This separation is the model payment networks already use: the card terminal is an interface, and the authorization decision is made by the issuer, not by the terminal.
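To make the rules of Sections 6 and 7 and the machine-compromise argument above concrete, here is an added Python example; it is not part of the paper and not Square Right's code. It models one ledger with contest-scoped tokens (bound to a contest by an HMAC under a hypothetical issuer key, standing in for an issuer signature) and drives it with a simulated compromised machine. The election name, contest names, three-voter snapshot and attack sequence are all constructed for illustration; the last attempt, choice substitution, is included precisely because the ledger accepts it.

```python
"""Added example (not the paper's code): a contest-scoped token ledger
enforcing the rules of Sections 6 and 7, exercised by a simulated
compromised machine from Section 11. Election, contests, snapshot size
and the issuer key are constructed for illustration."""
import hashlib
import hmac
import secrets


class ContestLedger:
    """One ledger per election. Tokens are bound to a contest by an HMAC over
    (election_id, contest_id, serial) under the issuer key, so a token minted
    for one contest is rejected in another. Issuance is capped at the snapshot
    size N, each token can be spent once, and every decision is logged."""

    def __init__(self, election_id, issuer_key):
        self.election_id = election_id
        self._key = issuer_key  # held by the issuing authority only
        self.contests = {}      # contest_id -> {"cap", "issued", "spent"}
        self.log = []           # public, append-only record of every decision

    def open_contest(self, contest_id, eligible_count):
        self.contests[contest_id] = {"cap": eligible_count, "issued": set(), "spent": {}}

    def _token(self, contest_id, serial):
        msg = f"{self.election_id}|{contest_id}|{serial}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, contest_id):
        """Mint one token; refuses once the cap N is reached."""
        c = self.contests[contest_id]
        if len(c["issued"]) >= c["cap"]:
            self.log.append(("issue", contest_id, "REJECTED: cap reached"))
            return None
        token = self._token(contest_id, len(c["issued"]))
        c["issued"].add(token)
        return token

    def spend(self, contest_id, token, choice):
        """Record a vote. Membership in the issued set stands in for checking
        the issuer's signature. Rejections go to the public log; they are the
        'rejected or mismatched tokens' signal Section 11 refers to."""
        c = self.contests[contest_id]
        if token not in c["issued"]:
            self.log.append(("spend", contest_id, "REJECTED: unknown or wrong-contest token"))
            return False
        if token in c["spent"]:
            self.log.append(("spend", contest_id, "REJECTED: token already used"))
            return False
        c["spent"][token] = choice
        self.log.append(("spend", contest_id, "ACCEPTED"))
        return True

    def tally(self, contest_id):
        """Public totals: issued, used and per-choice counts; used <= issued always holds."""
        c = self.contests[contest_id]
        counts = {}
        for choice in c["spent"].values():
            counts[choice] = counts.get(choice, 0) + 1
        return {"issued": len(c["issued"]), "used": len(c["spent"]), "counts": counts}


def simulate_compromised_machine():
    """Constructed scenario: 3 eligible voters, contests 'senate' and 'house'.
    The machine tries each attack the ledger is meant to stop, plus one the
    ledger cannot see: swapping the voter's choice before submission."""
    ledger = ContestLedger("2026-federal", secrets.token_bytes(32))
    ledger.open_contest("senate", eligible_count=3)
    ledger.open_contest("house", eligible_count=3)
    senate = [ledger.issue("senate") for _ in range(3)]
    house = [ledger.issue("house") for _ in range(3)]

    results = {
        "extra_issue": ledger.issue("senate"),                  # cap reached -> None
        "forged": ledger.spend("senate", "00" * 32, "A"),       # never issued -> False
        "honest": ledger.spend("senate", senate[0], "A"),       # -> True
        "double": ledger.spend("senate", senate[0], "A"),       # reuse -> False
        "wrong_contest": ledger.spend("senate", house[0], "A"), # house token -> False
        # Voter 1 chose "A"; the machine submits "B". This is a valid spend of
        # an unused token, so the ledger accepts it: cast-as-intended checks
        # outside the ledger are what catch this.
        "substituted": ledger.spend("senate", senate[1], "B"),  # -> True
    }
    results["tally"] = ledger.tally("senate")
    results["rejections"] = [entry for entry in ledger.log if entry[2].startswith("REJECTED")]
    return results
```

The four rejections (over-issuance, forged token, reuse, wrong contest) all land in the public log, which is the "operational incident" path described above. The accepted substitution is the boundary of what the ledger can see: the totals are correct with respect to the tokens spent, but not necessarily with respect to what voters intended.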
12. Problem #5 — Transparency Without Surveillance
Anyone can verify:
- how many tokens were issued
- how many were used
- final tallies
No one can see:
- who voted
- how any individual voted
Transparency applies to limits and totals, not identities. The ledger does not provide this property by itself: if a token is issued to a known voter and then spent in the open, the spend record links that voter to a choice. The design therefore needs an unlinkability mechanism at issuance (blind-signature issuance or a zero-knowledge proof of token validity are the standard choices) so that the public can count valid tokens without being able to attribute them.
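As an added example (not the paper's design, which does not specify a mechanism), the following Python shows one standard way to get this property: Chaum-style RSA blind signatures. The authority signs one blinded request per eligible voter, so the count of issued tokens is public and capped at N, yet it never sees the token it signed. The 512-bit key, voter IDs and contest name are toy values constructed for the demo; a deployment would use a vetted library and at least 2048-bit keys (RFC 9474 specifies RSA blind signatures).

```python
"""Added example (not the paper's design): unlinkable token issuance with
Chaum-style RSA blind signatures. The authority signs one blinded value per
eligible voter, so at most N tokens exist, yet never sees a token. Key size,
voter IDs and contest name are toy values constructed for the demo."""
import hashlib
import math
import secrets

def is_probable_prime(n, rounds=32):
    if n < 4 or any(n % p == 0 and n != p for p in (2, 3, 5, 7, 11, 13, 17, 19, 23)):
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):  # Miller-Rabin, adequate for a demo key
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_rsa_key(bits=512):
    """Returns (n, e, d). 512 bits keeps the demo fast; real use needs >= 2048."""
    def prime(k):
        while True:
            c = secrets.randbits(k) | (1 << (k - 1)) | 1
            if is_probable_prime(c):
                return c
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)

def token_digest(contest_id, token, n):
    """Binds a token to one contest: a 'senate' token does not verify for 'house'."""
    h = hashlib.sha256(contest_id.encode() + b"|" + token).digest()
    return int.from_bytes(h, "big") % n

class BlindIssuer:
    """Eligibility authority: holds d and the eligible-ID snapshot; its record of who drew a token holds only blinded values."""
    def __init__(self, eligible_ids, bits=512):
        self.n, self.e, self._d = gen_rsa_key(bits)
        self.eligible = set(eligible_ids)
        self.record = {}  # voter_id -> blinded value that was signed
    def public_key(self):
        return self.n, self.e
    def sign_blinded(self, voter_id, blinded):
        if voter_id not in self.eligible or voter_id in self.record:
            return None  # ineligible, or this voter already drew their one token
        self.record[voter_id] = blinded
        return pow(blinded, self._d, self.n)

def voter_blind(pub, contest_id):
    """Voter side: fresh random token, digest multiplied by r^e so the issuer learns nothing."""
    n, e = pub
    token = secrets.token_bytes(16)
    r = secrets.randbelow(n - 2) + 2
    while math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 2) + 2
    return token, r, (token_digest(contest_id, token, n) * pow(r, e, n)) % n

def voter_unblind(pub, blind_sig, r):
    """(m * r^e)^d * r^-1 == m^d (mod n): an ordinary signature on the token digest."""
    n, _ = pub
    return (blind_sig * pow(r, -1, n)) % n

def verify_token(pub, contest_id, token, sig):
    n, e = pub  # anyone can check a spent token using only the public key
    return pow(sig, e, n) == token_digest(contest_id, token, n)

def run_issuance(contest_id="senate"):
    """Constructed scenario: three eligible voters, one outsider, one repeat draw."""
    ids = ["V-001", "V-002", "V-003"]
    issuer = BlindIssuer(ids)
    pub = issuer.public_key()
    tokens = []
    for vid in ids:
        token, r, blinded = voter_blind(pub, contest_id)
        tokens.append((token, voter_unblind(pub, issuer.sign_blinded(vid, blinded), r)))
    again, outsider = voter_blind(pub, contest_id)[2], voter_blind(pub, contest_id)[2]
    return {
        "all_verify": all(verify_token(pub, contest_id, t, s) for t, s in tokens),
        "wrong_contest": verify_token(pub, "house", *tokens[0]),
        "tampered": verify_token(pub, contest_id, tokens[0][0], (tokens[0][1] + 1) % pub[0]),
        "second_draw": issuer.sign_blinded("V-001", again),    # None: one per voter
        "ineligible": issuer.sign_blinded("V-999", outsider),  # None: not in snapshot
        "signatures_issued": len(issuer.record),               # public cap check: 3
        # the record never contains a token digest or signature, so the
        # authority cannot map a spent token back to a voter ID
        "record_links_token": any(b in (s, token_digest(contest_id, t, pub[0]))
                                  for b in issuer.record.values() for t, s in tokens),
    }
```

The spend side (verify the signature, then record the token once) is the same single-use check a ledger performs; what changes is that the public spend record now carries a token and a signature but no voter identity, while the issuer's record carries voter identities but no tokens. Note what this does not give: a voter who keeps their own token can still show it to a buyer, so unlinkability is necessary for ballot secrecy but not sufficient for receipt-freeness.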
13. Problem #6 — Coercion and Vote Buying
To prevent coercion:
- voting tokens are consumed on use
- no receipt proves a specific choice
- optional revote models allow correction before close
Without proof, vote buying and coercion become unenforceable. The public ledger itself must not become that proof: a voter who can point to their own token's spend has a receipt. Receipt-freeness therefore has to be designed in, for example by allowing revotes before close (so a shown spend proves nothing final) or by recording encrypted choices that are only opened in aggregate.
14. Accessibility and Recovery Guarantees
This system must not disenfranchise.
Minimum guarantees:
- no smartphone requirement
- multiple voting channels
- same-day local credential recovery
- emergency provisional pathways
- assistive voting without revealing choices
A system that cannot recover voters at scale is not a voting system.
15. Governance, Upgrades, and Abuse Resistance
- No single operator or vendor controls the system
- Validators are multi-institutional and multi-branch
- Election rules are frozen before voting begins
- Upgrades occur only between elections
- Changes require public notice, audits, and approval
No rules may change during an election.
16. Operational Resilience and Continuity
The system must tolerate failure.
- offline-capable precinct voting
- delayed settlement to the ledger
- redundant communication paths
- controlled paper fallback for extreme scenarios
- public incident reporting and after-action reviews
Failure must not create extra votes or invalidate limits.
17. What This System Does Not Do
It does not:
- change who may vote
- eliminate state administration
- require online voting
- reveal individual votes
- tie voting to money or speculation
Conclusion
Democracy’s core rule is simple:
Each eligible person may vote once, and only once, in each contest.
That rule cannot be enforced by procedures alone.
It can be enforced by cryptographic shared ledgers with fixed-issuance voting tokens.
This system assumes machines can fail—and ensures failure cannot break democracy.
It replaces “trust us” with proof.
— Matthew Hunt
Founder & Systems Architect
Square Right, Inc.
