01 — The Architecture
Built to produce proof, not promises
"A system that cannot prove its own integrity will always invite doubt. CastLedger produces mathematical proof at every stage — verifiable by anyone, trusted by no one."
CastLedger is a prevention system, not a detection system. Rather than auditing outcomes after the fact, it produces cryptographic proof of integrity at every stage of the voting process — from voter identity verification through final tally publication.
The system has four integrated layers:
LAYER 01
Biometric Voter Verification
Each voter is verified at the terminal using facial biometric matching against government-issued ID records. Matching occurs at the edge — raw biometric data is not stored after the session ends. Identity is confirmed; anonymity of the vote is preserved.
LAYER 02
Encrypted Ballot Recording
Votes are encrypted at the terminal before recording. No vote is ever stored or transmitted in plaintext. Each voter receives a personal receipt key that allows them to confirm their encrypted ballot appears unchanged in the final tally.
LAYER 03
Permissioned Blockchain Ledger
Encrypted ballots are recorded to a permissioned blockchain distributed across geographic nodes. No single party — including CastLedger — can unilaterally alter the ledger. The distributed architecture eliminates a single point of failure or control.
LAYER 04
Homomorphic Tallying
The final tally is computed directly on encrypted ballots using homomorphic encryption — built on ElectionGuard, Microsoft Research's open-source cryptographic toolkit. Votes are never decrypted individually. The tally and its cryptographic proof of correctness are published publicly and verifiable by any independent party.
02 — Trust Without Faith
No one asks you to
take their word for it
The architecture is designed so that trust in CastLedger is unnecessary. Each claim the system makes about election integrity is independently verifiable by parties with no connection to CastLedger.
Distributed Key Generation Ceremony
Before each election, decryption keys are generated and split among multiple independent parties — jurisdiction officials, observers, and auditors — using a threshold cryptography protocol. CastLedger holds one share. No single party can decrypt anything alone. Collusion among a defined quorum of independent parties is required.
Public Tally Verification
The encrypted ballots and the cryptographic proof of correct tallying are published after each election. Any technically capable party can write their own independent verification implementation and confirm the outcome — without using any software written by CastLedger. The proofs either hold mathematically or they do not.
Personal Receipt Verification
Every voter receives a receipt key at the time of casting. After the election, any voter can independently verify that their encrypted ballot appears unchanged in the published tally — through CastLedger's web portal or any independent implementation. No trust in CastLedger is required to complete this verification.
Pre-Election Terminal Integrity Testing
Before every election, every terminal undergoes mandatory independent logic and accuracy testing with known test votes. Encrypted outputs are verified against known inputs. Testing parameters are randomized and conducted by parties independent of CastLedger, under conditions indistinguishable from live operation.
03 — Design Principles
Decisions made
on purpose
Every significant architectural choice in CastLedger reflects a deliberate tradeoff. These are not the only ways to build a verifiable voting system — they are the choices CastLedger has made and the reasoning behind them.
Terminal-Only. No Personal Devices.
Personal devices introduce an untrusted endpoint that no cryptographic protocol can fully secure. CastLedger owns, provisions, and operates every terminal. Voters never bring a device to the poll.
Security by Exclusion
Terminal hardware is purpose-built with no built-in screen, camera, microphone, speaker, or Bluetooth. Attack surface is minimized by removing capabilities that are not operationally necessary.
Open Cryptographic Foundation
The homomorphic tallying layer is built on ElectionGuard — open-source software developed by Microsoft Research. Independent verification requires no proprietary CastLedger tools.
Biometric Verification, Not Storage
Facial matching confirms voter identity at the terminal. Raw biometric data is discarded after the session. The system verifies identity without building a biometric database.
Permissioned Blockchain Over Signed Ledger
A permissioned blockchain distributes trust across nodes. A centrally signed ledger concentrates key management risk in a single party. Distributed architecture eliminates that single point of control.
Strict Political Neutrality
CastLedger is a nonprofit. The platform, its board, and its operational protocols are designed to be genuinely nonpartisan. Election integrity is not a partisan cause.
04 — The Model
Infrastructure as a service,
not equipment for sale
CastLedger operates on a service-contract model. Jurisdictions pay a per-election fee. CastLedger owns, deploys, operates, maintains, and recovers all hardware. No municipality purchases equipment, manages a technology lifecycle, or carries the operational burden of a system they did not build.
What Jurisdictions Get
A fully operated, end-to-end verifiable election — hardware, software, biometric verification, blockchain infrastructure, tally publication, and post-election audit support — for a fixed per-election fee with no capital expenditure.
What CastLedger Retains
Full ownership and operational control of all hardware. Responsibility for terminal integrity, deployment logistics, pre-election testing, and post-election audit publication. Accountability for the system's performance.
CastLedger is a California nonprofit public benefit corporation, currently in formation. The nonprofit structure is not incidental — it is a deliberate signal that this platform exists to serve democratic integrity, not to extract value from the jurisdictions that depend on it.
This is a hard problem.
We know that.
CastLedger is not finished. It is being built carefully, with scrutiny from people who understand where the hard problems live. If you are one of those people, we want to hear from you.
Get in Touch