
Moscow's blockchain voting system cracked a month before election - svenfaw
https://www.zdnet.com/article/moscows-blockchain-voting-system-cracked-a-month-before-election/
======
aazaa
The paper notes another, distinct, attack possibility:

> Before going to this, we mention quickly another mistake in the design that
> could in itself have led to devastating attacks. The generators that are
> given in public-key.json are generators of the whole multiplicative group.
> However, due to the Chinese remainder theorem, it is a good practice to use
> a generator of prime order. In the present case, the generators will have
> their order divisible by 2, and therefore there is a huge risk that one bit
> of information leaks from a ciphertext. In a context like e-voting where a
> ballot can have a very simple form, this bit of information could reveal a
> lot of the vote (or even all of it in the case of a yes/no question). In
> principle, we would have had to investigate more in this direction. But due
> to the main attack that is much easier and far more powerful, we keep this
> as a remark.

[https://arxiv.org/pdf/1908.05127.pdf](https://arxiv.org/pdf/1908.05127.pdf)

This still leaves the question why the developer(s) decided to roll his/her
own crypto in this way:

> A possible explanation is a confusion with the key size that can be used
> when using elliptic curves for which the Number Field Sieve algorithm does
> not apply.

This is such an obvious mistake that the entire protocol (whether or not it's
ever documented) might be vulnerable.

> Another less excusable but still possible explanation might be related to
> the use of the Ethereum blockchain. In the Solidity programming language
> that is used to write smart contracts, the bit size of the largest supported
> integers is 256. Maybe the authors did not want to write a multiprecision
> arithmetic library that would have been required to deal with larger key
> sizes. This hypothesis is supported by frequent tests in the source code,
> checking that the big integers they manipulate are not bigger than
> SOLIDITY_MAX_INT.

This seems more likely. However, that last sentence checking for overflow
sounds like another trove of vulnerabilities.

Moreover, the claim by the developer in the ZDnet article that a patch is
forthcoming seems suspect given that it will need to also include
multiprecision arithmetic functionality, where there are still more
opportunities for snafu.
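
The one-bit leak described in the quoted remark, as an added example that is not part of the original comment or of the paper: toy ElGamal over a 10-bit safe prime, run once with a generator of the whole group and once with a generator of prime order. The parameters and the ballot encoding `m = g^vote` are assumptions made for illustration.

```python
import secrets

# Constructed toy parameters, far too small for real use: P = 2*Q + 1, both prime.
P, Q = 1019, 509
G_FULL = 2   # generates all of Z_P^* (order 2*Q), as the quoted remark describes
G_SUB = 4    # generates the subgroup of prime order Q (the quadratic residues)


def legendre(a):
    """+1 if a is a quadratic residue mod P, -1 if not (a must be nonzero mod P)."""
    return 1 if pow(a, Q, P) == 1 else -1


def has_prime_order(g):
    """Parameter check: g generates the order-Q subgroup, not the whole group."""
    return g % P != 1 and pow(g, Q, P) == 1


def keygen(g):
    x = secrets.randbelow(Q - 1) + 1          # private key
    return x, pow(g, x, P)                    # (x, h = g^x)


def encrypt(g, h, vote):
    m = pow(g, vote, P)                       # assumed ballot encoding: m = g^vote
    r = secrets.randbelow(Q - 1) + 1
    return pow(g, r, P), (m * pow(h, r, P)) % P


def decrypt(x, c):
    c1, c2 = c
    return (c2 * pow(c1, P - 1 - x, P)) % P   # c2 / c1^x


def leaked_symbol(h, c):
    """Legendre symbol of the plaintext, computed from public values only.

    If h is a non-residue, h^r is a residue exactly when g^r is, so the mask's
    symbol equals that of c1; if h is a residue, the mask is always a residue.
    """
    c1, c2 = c
    mask = legendre(c1) if legendre(h) == -1 else 1
    return legendre(c2) * mask


def observe(g, vote, trials=200):
    """Set of symbols an eavesdropper sees for this vote over many encryptions."""
    seen = set()
    for _ in range(trials):
        x, h = keygen(g)
        c = encrypt(g, h, vote)
        assert decrypt(x, c) == pow(g, vote, P)
        seen.add(leaked_symbol(h, c))
    return seen


if __name__ == "__main__":
    for name, g in (("full group", G_FULL), ("prime order", G_SUB)):
        print(name, has_prime_order(g), observe(g, 0), observe(g, 1))
```

With the full-group generator the symbol differs between the two votes on every encryption; with the prime-order generator every plaintext is a residue and the symbol carries no information.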

~~~
CENGaverK
It seems they covered the other attack possibility with the new update as well
but another researcher from Harvard was able to break the system so he could
count the votes before the election was over. Plus, now there is a new big
update and writing code for numerical methods in such a short period is never
bug-free. Let's see how it plays.

------
lovasoa
Here is the original blog post by the French researcher (in English) [1]. In
an update, he says the updated system with a 1024-bit key was also
compromised, on August the 24th [2].

[1]:
[https://members.loria.fr/PGaudry/moscow/](https://members.loria.fr/PGaudry/moscow/)
[2]:
[https://golovnev.org/papers/election.pdf](https://golovnev.org/papers/election.pdf)

------
eukgoekoko
Is this the key?
[https://github.com/moscow-technologies/blockchain-voting/blo...](https://github.com/moscow-technologies/blockchain-voting/blob/master/encryption-keys/keys/private-key.json)

~~~
li4ick
Ok. What's going on here? There's just no way this is real.

~~~
Dolores12
It's intentional. They post public key, let people crack it for 12 hours, then
post private key at the end of the day.

------
sorenso
I'm not surprised.

But this sure surprised me: "Pierrick Gaudry, from Lorraine University, was able
to break the Ethereum-based smart contract encryption in only 20 minutes using
nothing more than an average desktop computer and free, publicly available
software. Gaudry estimates more modern equipment and sophisticated techniques
could crack the encryption in only 10 minutes."

~~~
dmix
Poor programming and cryptography by the contract developers is always going
to be the biggest weakness of smart contracts. This one was developed by a
government entity so the quality issue is not really surprising...

> It was developed in-house by the Moscow Department of Information Technology

The developers claim [1] they were only using a weak private key during a
"trial period" which doesn't really make sense. Who releases a different
public/private key scheme before launching into production?

If the development team doesn't hire outside security testing or request
public review - to test the real software - then it's pretty useless. Their
response notes a meetup in Moscow in Sept (which is the same month as the
election?) which seems like a strange requirement if they were expecting solid
public feedback.

1. [https://medium.com/@unassuming_teal_crab_127/dear-julia-7bac...](https://medium.com/@unassuming_teal_crab_127/dear-julia-7bac3612b178)

------
golergka
OK, so I think a little political context about this would be useful.

On September 8th, Russia has "universal voting day", with elections to
different regional parliaments, heads of some regions and even additional
members of parliament. This year, the campaign has been very political
because of Moscow parliament - which was for years treated as a completely
uninteresting event with very low news coverage and turnout. This year,
however, in response to opposition candidates getting a serious momentum, many
have been disallowed to run, triggering escalating protests - some legal, some
illegal, with sometimes brutal reaction to the police, which, in turn, led
even more people to take part in the protest. This amount of people in the
street hasn't been seen since the 2011 protests.

So, after the trust in the elections, rule of law and democracy process have
been eroded this much, I'm genuinely surprised that they even bothered to
build a buzzword-fueled voting system.

~~~
chupasaurus
They were making this voting system since the last year.

------
codedokode
Researchers overlook a more important issue. As the government controls the
servers, it can impersonate any number of users.

Users submit an application to vote remotely through a government-controlled
site and confirm it by receiving an SMS with a code. It is obvious that the
government is able to submit such an application to its own server without
bothering the real user.

The users vote remotely and confirm their identity by providing a code from
SMS (again) and the government can just look at the code on the server. It
isn't important what cryptography is used there. You don't need to guess
random numbers when you have root access to the server.

The observers are supposed to see a tape where some hashes will be printed
when someone votes. Maybe they will be allowed to see the registry of voters
who chose to vote remotely, maybe they will not be allowed.

I cannot prove this, and this is my personal opinion, so you shouldn't believe
me, but I think the government wants an opaque procedure to produce legitimate
looking election results with desired outcome. With paper voting, there are
too many points of failure: it is difficult to throw the ballots in the box
when there is a vigilant observer. Remote voting doesn't have such flaws.

If there was a fraud, it would be difficult to explain to a non-programmer.
They don't understand anything, they just see how the program says "hash
doesn't match". But maybe it is just a program written by foreign agents (and
stored on foreign "Github" servers) producing fake results. For comparison,
with paper voting anyone can understand that there is a fraud if you show them
the video.

Also, the government party is slowly losing its rating and starts losing
regional elections. Remote voting might be a cure for this undesired
situation.

And probably any other government (for example Estonian) that implements such
an opaque system has similar aims.

~~~
nbabitskiy
Excuse me, please, are you living here? Do you really think there is a
possibility the majority (or even 10%) of voters will vote digitally? It's so
out of character of Russian voters, that I honestly suppose you're a
Prigozhin's troll.

~~~
maxander
I’ve never been to Russia and don’t know the Russian attitude towards tech or
voting. But I’m confident that if the US had a system like this and made a
reasonably usable phone app to be the front end, almost no one under the age
of 60 would bother to wait in line for a physical voting booth ever again.

~~~
mrlala
>would bother to wait in line for a physical voting booth ever again

As someone living in a state with mail-in ballots, it still boggles my mind
waiting in line for physical voting is a thing. Mail-in ballots seem to be the
best of all worlds. It's easy. I have time to do the research for who I want
to choose. It's all backed by USPS so it's pretty damn secure- as secure as
everything else we trust in the mail.

~~~
NotSammyHagar
Yeah. Washington state is all mail-in ballots, once you try it, other ways
just seem stupid.

~~~
codedokode
Aren't mail-in ballots too easy to falsify? You take a database of voters and
send mail under their names.

~~~
NotSammyHagar
They have proven not to be. Here you sign them and add phone number or email.
An advanced state could copy my signature but they verify I am a voter so
double voting would be detected.

~~~
NotSammyHagar
Also paper ballots make it possible to recount or verify something if the race
was really close.

------
spuz
I'm definitely missing something here. The standard size of both Ethereum and
Bitcoin private keys is a 256bit secp256k1 key. If a 256bit key is guessable
within 20 mins then the entire Blockchain is also broken.

~~~
cyphar
The article doesn't mention this, but if you look at the paper[1] it turns out
they aren't using ElGamal with elliptic curve fields -- instead they're using
prime fields. In that case, you'd want similar key sizes to RSA. (The "less
than 256 bit" part is a red herring, the problem is that they are using key
sizes that would only be safe if they were using elliptic curves.)

[1]:
[https://arxiv.org/pdf/1908.05127.pdf](https://arxiv.org/pdf/1908.05127.pdf)
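
The key-size mismatch described above, worked through as an added example (not from the paper or the voting system's code): it compares the heuristic cost of the Number Field Sieve against a prime-field group with the generic square-root cost against an elliptic-curve group of the same bit size. The NFS figure uses the asymptotic L[1/3] formula with the o(1) term dropped, so the numbers are rough estimates.

```python
import math


def nfs_bits(modulus_bits):
    """Heuristic work factor, in bits, of the Number Field Sieve against a
    discrete log in a prime field: L_p[1/3, (64/9)^(1/3)], o(1) term dropped."""
    ln_p = modulus_bits * math.log(2)
    c = (64 / 9) ** (1 / 3)
    return c * ln_p ** (1 / 3) * math.log(ln_p) ** (2 / 3) / math.log(2)


def generic_bits(group_bits):
    """Work factor, in bits, of a generic square-root attack (Pollard rho),
    the best known against a well-chosen elliptic-curve group."""
    return group_bits / 2


def modulus_bits_matching(curve_size, step=64):
    """Smallest prime-field modulus size (multiple of `step`) whose NFS
    estimate reaches the generic security of a curve of `curve_size` bits."""
    target = generic_bits(curve_size)
    bits = step
    while nfs_bits(bits) < target:
        bits += step
    return bits


def report(sizes=(256, 1024, 2048, 3072)):
    """Rows of (key bits, prime-field estimate, elliptic-curve estimate)."""
    return [(n, round(nfs_bits(n), 1), generic_bits(n)) for n in sizes]


if __name__ == "__main__":
    for n, field, curve in report():
        print(f"{n:5d}-bit key: prime field ~2^{field}, curve ~2^{curve:.0f}")
    print("prime-field size matching a 256-bit curve:", modulus_bits_matching(256))
```

Under this estimate a 256-bit prime-field key offers well under 50 bits of work, while a 256-bit curve offers 128, which is the gap the comment points at.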

~~~
dboreham
Wow. Even I know this. It's mentioned in every entry level text on EC
cryptography.

~~~
tr3ndyBEAR
Haha same. You know it's bad when someone with only an introductory course in
cryptography understands what the problem is

------
m0zg
There's just no way any elections in Russia would produce the results not
approved by the government. Government controls the entire chain of custody,
from ballot counting to final vote tallies, and has been routinely falsifying
the results at all levels. It often doesn't even need to tell those in charge
to do anything: they "know" who should win and they make sure it happens. They
also know they will have significant issues, career, legal, and otherwise, if
it doesn't happen.

Funniest thing is, they don't even need to do this. Because nearly all of the
mass media is under government control, the incumbents have overwhelming
support of the people as it is.

~~~
CENGaverK
How do you know that, though? Are you a citizen of Russia? Because if you are
not, I'm suspicious.

I live in an undemocratic country but even then, we have a fairly good
opposition and kind of a free media thanks to the journalists taking the risk
of prison and social media so I was really surprised to find out there is no
powerful opposition in my country, all of the media belongs to him and we
citizens are just dumb people who wouldn't know our country better than
outsiders.

The thing is, a leader can't hold that much power. If he lost the election,
s/he can play dirty, fight etc. but wouldn't be able to do as s/he pleases
with the results. There is always a balance they need to be careful about and
not everything is black and white.

~~~
m0zg
Yes I am, in fact, a citizen of Russia. I'm also a US citizen. I know this
because there's been both video and statistical evidence, as well as numerous
reports of electoral district vote counters simply falsifying final vote
tallies, people being bused around to vote in multiple districts, etc, etc.
Statistical evidence of vote count manipulation is actually pretty damning. If
you calculate the distribution of vote count _percentages_ across all
electoral districts, you will see that there are spikes around multiples of 5
and 10%. That means the vote for the "right" candidate was rounded up to an
even number on a statistically significant number of them.

~~~
ummonk
Don’t those spikes happen in small districts though, where you’re likely to
have 1, 2, 4, 5, 10, or 20 votes which would all guarantee a result with a multiple
of 5 or 10%?

~~~
codedokode
I don't have those graphs with spikes at the moment, but there are more
interesting ones.

Here is an article in Russian with graphs [1]. This [2] is a graph where axis
X contains a turnout percent (how many voters took part in voting at a polling
station) and axis Y contains a number of polling stations with that value of
turnout.

Here is another graph [3]: axis X contains turnout percent, axis Y contains
number of people registered at the polling stations and each point is a
station (there are about 90 000 total in Russia). You can see that there are
large polling stations with turnout above 90% and number of voters above 2000.
You can also see that elections seem to be very popular as majority of the
points lie in the right part of the graph.

This graph [4] is built by the same rules, but contains data only on polling
stations from one southern region - Ingushetia. You can see how neatly points
align along the line at 80% turnout. People of Ingushetia are very active.

These graphs [5] are built by the same rules, but for other region - Chechnya
and for 4 different elections in 2011, 2012, 2016 and 2018. The perfect line
in 2011 becomes diffused by 2018 and slightly shifts to the left. On the graph
for year 2018 one can see that there are "atypical" polling stations who have
suspiciously low turnout. One of possible explanations for this could be that
in 2018 several dozens of brave volunteers decided to take a risk to go to
Chechnya as observers.

[1] [https://habr.com/ru/post/352424/](https://habr.com/ru/post/352424/)

[2]
[https://hsto.org/webt/2y/xh/wf/2yxhwffbr7oy0escvp1ecvmcjdc.p...](https://hsto.org/webt/2y/xh/wf/2yxhwffbr7oy0escvp1ecvmcjdc.png)

[3]
[https://hsto.org/webt/4h/3e/ko/4h3ekola6f-to10zgpvlbg9bd1g.p...](https://hsto.org/webt/4h/3e/ko/4h3ekola6f-to10zgpvlbg9bd1g.png)

[4]
[https://hsto.org/webt/ri/c6/ul/ric6ulcyzuefrxvnjm7n6g7qcz8.p...](https://hsto.org/webt/ri/c6/ul/ric6ulcyzuefrxvnjm7n6g7qcz8.png)

[5]
[https://hsto.org/webt/dw/j2/bl/dwj2blnsrah7_fwkzbqk4eyucga.p...](https://hsto.org/webt/dw/j2/bl/dwj2blnsrah7_fwkzbqk4eyucga.png)

------
chrisperkins
Can someone explain what the GitHub org and GitHub repo for
[https://github.com/moscow-technologies/blockchain-voting](https://github.com/moscow-technologies/blockchain-voting)
is about?

If this was about to be used for elections, shouldn't such a critical piece of
software have more developers working on it? Why is there only one contributor
to the whole project? Why does it have only 37 stars? Is this project well
known among the citizens?

~~~
nlitened
This is a small pilot project, it will be run in just a few districts of
Moscow for municipal elections this September. Also, as of now, only about 1%
of the population of those districts have registered for online voting, around
500 people.

So it's more like a proof of concept, and a first step in making larger-scale
electronic elections possible in the future (from technological, political,
organizational, and public trust standpoints).

------
hardwaresofton
Electronic voting should be used to forecast votes and offer confirmation/more
data points, and nothing more. It's just too hard to secure currently, and the
influence problems (lack of anonymity, possibility of election tampering)
isn't worth the risk currently.

Electronic voting could _also_ be used simply as a way to save and fast-track
the voting process, making it more convenient. Confirm your votes on the app,
get to upload them in-bulk to the machine (via QR code or something), and all
you have to do is confirm. Lots more time to _think_ about the vote, but you
still have to confirm in person.

Longer, more casual access to voting booths and mandatory paid time off is the
best thing most democratic/semi-democratic systems could do to help voting
these days.

------
DINKDINK
The only benefit a "Blockchain" can provide is decentralized time ordering.

All other properties must be verified by the client, don't require a
blockchain, and are typically some other cryptographic proof.

There are many properties of a blockchain that are an anti-feature of voting.

~~~
fnord77
> There are many properties of a blockchain that are an anti-feature of
> voting.

I don't know much of anything about blockchains and voting. What properties do
you consider antifeatures?

~~~
codedokode
Blockchain is used in cryptocurrencies to have a shared registry modified and
verified by independent nodes who don't trust each other. Using it, you can
prove to anyone that you have X bitcoins, and anyone who received them from
you can prove this too.

In case of voting, there are no independent nodes, all modifications to the
registry are done by the election committee (or authorised by them) and users
can only verify the transaction list. So it would be easier to just present
election events as a Merkle tree (voter X has submitted an encrypted ballot Y,
and the hash of the registry before this was Z).

But in this case there would be no "blockchain" and no feeling of reliability
and security.

If I made a mistake here, I would be happy if someone would point at it.
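
The registry sketched in the comment above (each event records voter X, encrypted ballot Y and the hash Z of the registry before it), as an added example that is not part of the original post or of the voting system. Field names, the sample entries and the observer checkpoints are assumptions; the checkpoints show what observers must hold for a single operator's edits to be detectable.

```python
import hashlib
import json

GENESIS = "0" * 64


def entry_hash(entry):
    """SHA-256 over a canonical JSON encoding of one registry entry."""
    data = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def append(log, voter, ballot):
    """Append 'voter X submitted encrypted ballot Y, previous registry hash Z'.
    Returns the new head hash, which an observer can record as a checkpoint."""
    prev = entry_hash(log[-1]) if log else GENESIS
    log.append({"seq": len(log), "voter": voter, "ballot": ballot, "prev": prev})
    return entry_hash(log[-1])


def verify(log, checkpoints=None):
    """Return the index of the first entry that fails, or None if all checks pass.
    checkpoints maps seq -> head hash recorded independently by an observer."""
    checkpoints = checkpoints or {}
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev"] != prev:
            return i
        prev = entry_hash(entry)
        if i in checkpoints and checkpoints[i] != prev:
            return i
    missing = [s for s in checkpoints if s >= len(log)]
    return min(missing) if missing else None   # registry was truncated


def rewrite(log, index, ballot):
    """Model an operator who controls the registry: change one ballot and
    recompute every later 'prev' link so the chain stays self-consistent."""
    forged = [dict(e) for e in log]
    forged[index]["ballot"] = ballot
    for i in range(index + 1, len(forged)):
        forged[i]["prev"] = entry_hash(forged[i - 1])
    return forged


def demo():
    log, seen = [], {}
    # Constructed sample entries; the ballot strings stand in for ciphertexts.
    for voter, ballot in [("voter-001", "a1f3"), ("voter-002", "9c0e"), ("voter-003", "77b2")]:
        head = append(log, voter, ballot)
        seen[len(log) - 1] = head              # observer notes each head hash
    naive = [dict(e) for e in log]
    naive[1]["ballot"] = "ffff"                # edit without fixing the links
    forged = rewrite(log, 1, "ffff")           # edit and re-link
    return {
        "honest": verify(log, seen),
        "naive_edit": verify(naive),
        "relinked_no_checkpoint": verify(forged),
        "relinked_with_checkpoint": verify(forged, seen),
        "truncated": verify(log[:2], seen),
    }
```

The re-linked registry passes verification unless the verifier holds a head hash recorded before the edit, so the chain by itself only protects against parties who cannot rewrite it.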

------
arisAlexis
It has nothing to do with the blockchain though, they just used weak
cryptography

------
trhway
My old country as always at its best when it comes to propaganda. These
elections will be noted in history for the first usage of blockchain instead
of for the brutal suppression of opposition
[https://www.cnn.com/2019/08/14/europe/russia-protests-arrest...](https://www.cnn.com/2019/08/14/europe/russia-protests-arrest-gbr-intl/index.html)
(note the helmeted Russian storm-troopers don't have any ID
on their uniform, so they are practically unpunishable for their actions - I
mean there is even no guarantee that it is actual law enforcement and not just
some dressed up guys who enjoy beating people)

------
specialist
Meta: Where's the manual for administrating Moscow's elections? What portion
of election administration was this applied to?

Thru recurring embarrassment, I've learned that you start with the
jurisdiction's laws, rules, procedures, manuals.

Update: Julia Krivonosova, cited by this OC paper, appears to be doing
excellent work, and does cover some of the context, assumptions. She's
definitely a better election integrity advocate than I ever was.

Internet voting in Russia. How?
[https://medium.com/@juliakrivonosova/internet-voting-in-russ...](https://medium.com/@juliakrivonosova/internet-voting-in-russia-how-9382db4da71f)

The Dizzying Whimsy of Russia’s Electoral Laws
[https://medium.com/@juliakrivonosova/the-dizzying-whimsy-of-...](https://medium.com/@juliakrivonosova/the-dizzying-whimsy-of-russias-election-laws-761449a7495a)
[https://www.ridl.io/en/the-dizzying-whimsy-of-russias-electi...](https://www.ridl.io/en/the-dizzying-whimsy-of-russias-election-laws/)

--

It's _possible_ (however unlikely) that a voting system built on top of
Ethereum is perfectly reasonable for Moscow, Russia, wherever.

Even in the USA, where the Australian Ballot (private voting, public counting)
is the gold standard, there are many, many exceptions (compromises made). For
very good reasons. For instance, postal balloting. Originally implemented to
enfranchise soldiers kept away from their homes for long durations.

Further, even in the USA, YMMV. Local variations impact election
administration. For instance, how "voter intent" is adjudicated (when a
mistake is made by the voter).

If we don't start with the context and assumptions, we end up talking past
each other, and getting nowhere.

--

Though I am a blockchain skeptic, for voting and tabulation, there are other
exciting potential applications. Election administration is a big, complicated
problem. While tabulation is the most important step, it's also relatively
minor.

Since blockchain is just a shared ledger, it could help with pretty much every
other step: candidate filing, political boundaries (GIS), voter registration
(eligibility), reporting campaign contributions and expenses, publishing
reports (certification), audit of material handling. Etc.

------
dzamo_norton
How can a blockchain-based voting system be a good idea if it invites an
attacker who can afford lots of ASICs, e.g. a hostile nation who like to
interfere, to launch a 51% attack?

------
simosx
But why ElGamal?

~~~
randaouser
Probably for its homomorphic encryption properties. Used in the correct
setting with the appropriate Generator (ElGamal on Elliptic Curve Fields) it
is very secure but limited in use beyond Set Intersection as the results
cannot be decrypted.

------
calewis
It’s a shame that this wasn't used in production and then nefariously used
against Putin.

~~~
hutzlibu
Ah yes, the best way to deal with semi-autocrats, if people still vote them,
you manipulate the election - but of course for democracy!

Seriously?

~~~
Grue3
This election is already a sham since some opposition candidates were
illegally prevented from participating in it.

~~~
equalunique
>some opposition candidates were illegally prevented from participating in it

Can you provide a source for that?

~~~
metamet
[https://www.washingtonpost.com/opinions/2019/07/22/protests-...](https://www.washingtonpost.com/opinions/2019/07/22/protests-return-moscow-opposition-candidates-are-banned-crucial-election/)

------
spodek
> _the voting system's protocols weren't yet available in English, so Gaudry
> couldn't investigate further._

What's the relevance to a French researcher of publishing Russian protocols in
English?

~~~
zamadatix
Presumably they weren't available in French either but Gaudry knew English.

