The Internet voting system developed for the Moscow City Duma elections had a public testing during the month of July. Some of the system’s code was posted online [git19], and the organizers asked the public to test several attack scenarios [Pub19]. The system is poorly documented, but from the source code and brief descriptions of the system [Kri19], we know that it uses the Etherium blockchain and ElGamal encryption. In one of the attack scenarios, the organizers publish a challenge consisting of the public key and some encrypted messages.111https://github.com/moscow-technologies/blockchain-voting/blob/1d4f348681e961420a28e8a3a3d64719c4ddc628/encryption-keys/keys/public-key.json#L1-L5 and https://github.com/moscow-technologies/blockchain-voting/blob/1d4f348681e961420a28e8a3a3d64719c4ddc628/encryption-keys/data/encrypted-datums.csv#L1-L10
Recently Pierrick Gaudry [Gau19a] discovered that the implemented encryption system used a concatenation of three ElGamal encryptions each with a key of length 256 bits. Gaudry showed that since the keys were too short, each private key could be retrieved in minutes. Moreover, Gaudry provided a very short and beautiful script computing the secret keys from the public keys. In the same note, Gaudry remarked that the implemented version of ElGamal worked in groups of even order, which means that it leaked a bit of the message. Both of these issues have been fixed in the current version of the Internet voting system. Gaudry [Gau19b] acknowledged that these specific issues have been fixed, but he is still doubtful about the security of the system. (In particular, he says [Gau19b] that he cannot properly test the system due to the lack of documentation, and is concerned about potential flaws caused by the recent big changes fixing the key length issue.)
In this note we show that the new implementation of the encryption system also leaks a bit of the message. This is caused by the usage of ElGamal where the message is not mapped to the cyclic group under consideration. We show that this flaw potentially can be used for counting the number of votes cast for a candidate, which is illegal (until the end of the election period).
After the publication of this note, Pierrick Gaudry told us that he did warn the developers of the system that they should make sure that the system design does not allow attackers to encrypt elements outside of the group. As we show in this note, even the messages generated by the system (let alone an attacker) do not necessarily belong to the group.
The current implementation of the electronic voting system uses the ElGamal public key encryption scheme. The source code is available in [git19], and the encoding procedure is provided in Appendix A. Below we summarize the current implementation.
Let and be primes of length about bits, and let be the group of quadratic residues modulo . Note that . The system picks a generating . Let and be the public and secret key respectively, and . A message is encoded as a pair
where is a random number.
The problem with the current implementation is that is allowed to be any integer from which is naturally mapped to an element of . For semantic security (under the Decisional Diffie-Hellman assumption), the message should instead be hashed to one of the elements of the group generated by . In the case when is not necessarily picked from the group of quadratic residues, the Decisional Diffie-Hellman assumption does not hold. Moreover, such a system is not semantically secure.
If is a quadratic residue, then for every choice of randomness of the encryption algorithm , the second component of its encoding is a quadratic residue. Indeed, if , then for , which implies that
Similarly, if is not a quadratic residue, then is not a quadratic residue either.
Due to Euler’s criterion, there is an efficient way to distinguish the two cases: for a prime is a quadratic residue if and only if . Since this exponentiation can be performed in time , this gives an efficient distinguishing attack.
In order to see that the implemented code indeed applies ElGamal to elements outside of the group generated by , one can apply Euler’s criterion to the published encrypted messages. In Appendix B we provide Python code showing that exactly five out of the ten published messages are quadratic residues modulo .
Due to the lack of documentation and only some code available online, we cannot say for sure which parts of ballots are encrypted. The following lines of code suggest that only the “deputy id” field might be encrypted222See the following links for the code on github: https://github.com/moscow-technologies/blockchain-voting/blob/1d4f348681e961420a28e8a3a3d64719c4ddc628/voting-form/src/ballot/static/js/forms/mgik/election.js#L108-L123 and https://github.com/moscow-technologies/blockchain-voting/blob/1d4f348681e961420a28e8a3a3d64719c4ddc628/voting-form/src/ballot/common/module_tpl/election/default/show.tpl#L59 :
The “deputy id” field stores the id of the voter’s chosen candidate. While the attack distinguishes two identical ballots with different votes with high probability regardless of which parts of the ballot are encrypted, for simplicity in this example we will assume that only the “deputy id” field is encrypted. Also, for this example we take the currently published groupwhere
If the number of candidates is , and the deputy ids are integers from to , then the adversary can easily count the number of votes cast for candidate number 2. (In particular, if there are only two candidates, then the adversary can count the total number of votes for each of the candidates).
Indeed, since and are quadratic residues modulo , and is not, it suffices to raise the encrypted message to the power to check whether the vote is cast for candidate number . In Appendix C we give Python code emulating the implemented encryption system, and give an example of how to count the number of encryptions of the message among encryptions of messages from to .
We emphasize that this attack will distinguish (with high probability) two messages that differ only in their vote, regardless of the values of the deputy ids and which fields of the ballots are encrypted. Let be the number of candidates. Note that exactly half of the elements of
are quadratic residues. Assuming the uniform distribution of the plain messages we have that the probability of distinguishing a vote for one candidate from the votes for other candidates isfor , and is for .
4 Suggested Fix
The described security vulnerability is a major issue of the implemented cryptographic scheme. We note that the provided attack does not recover the secret key as required by the public testing scenario [Pub19], but rather breaks the system without recovering the secret key.
On the other hand, we believe that there might be an easy way to fix this issue. Since the current implementation already assumes that the message (see line 13 in the code block in Appendix A), one can use a trivial hashing procedure to map each such message to the group of quadratic residues.
In the encoding procedure, we suggest to check whether . If the equality holds, then is not a quadratic residue, but is. Therefore, one can set and continue the encoding procedure.
In the decoding procedure, an analogous step will be required. If the decoded message , then it also should be negated ().
I would like to thank Pierrick Gaudry and Noah Stephens-Davidowitz for their comments on an earlier version of this note.
- [Gau19a] Pierrick Gaudry. Breaking the encryption scheme of the Moscow internet voting system. arXiv preprint arXiv:1908.05127, 2019.
- [Gau19b] Pierrick Gaudry. Breaking the encryption scheme of the Moscow internet voting system. https://members.loria.fr/PGaudry/moscow/, 2019.
- [git19] Public source code of the Moscow internet voting system. https://github.com/moscow-technologies/blockchain-voting, 2019.
- [Kri19] Julia Krivonosova. Internet voting in Russia: how? https://medium.com/@juliakrivonosova/internet-voting-in-russia-how-9382db4da71f, 2019.
- [Pub19] Public testing of the Internet voting system. https://www.mos.ru/upload/documents/files/5381/Formal_Offer.pdf, 2019.
Appendix A Current Implementation of ElGamal
Below we provide the current implementation of the ElGamal encryption in the Internet voting system.333https://github.com/moscow-technologies/blockchain-voting/blob/1d4f348681e961420a28e8a3a3d64719c4ddc628/smart-contracts/packages/crypto-lib/src/elGamal.js#L84-L125
Appendix B Published Encrypted Messages are Not Quadratic Residues
In this Appendix we use the provided public key and encrypted messages444https://github.com/moscow-technologies/blockchain-voting/blob/1d4f348681e961420a28e8a3a3d64719c4ddc628/encryption-keys/keys/public-key.json#L1-L5 and https://github.com/moscow-technologies/blockchain-voting/blob/1d4f348681e961420a28e8a3a3d64719c4ddc628/encryption-keys/data/encrypted-datums.csv#L1-L10 to show that not all messages are quadratic residues in . Here is the set of the second components of the encrypted messages (that is, each element of the set is where is some plain message, is the public key, and is a random number). The code shows that only five out of ten elements are quadratic residues (give 1 when raised to the power ).
Appendix C Example
Here we show that with high probability one can distinguish encryptions of one message from the encryptions of other messages. In this example we use the currently provided public key for the ElGamal system.555https://github.com/moscow-technologies/blockchain-voting/blob/1d4f348681e961420a28e8a3a3d64719c4ddc628/encryption-keys/keys/public-key.json#L1-L5 We generate a hundred of random encryptions of the messages from to . Then without the knowledge of the secret key, we correctly recover the number of encryptions of the message .