An Attack on the the Encryption Scheme of the Moscow Internet Voting System

1 Introduction

The Internet voting system developed for the Moscow City Duma elections had a public testing during the month of July. Some of the system’s code was posted online [git19], and the organizers asked the public to test several attack scenarios [Pub19]. The system is poorly documented, but from the source code and brief descriptions of the system [Kri19], we know that it uses the Etherium blockchain and ElGamal encryption. In one of the attack scenarios, the organizers publish a challenge consisting of the public key and some encrypted messages.¹¹1https://github.com/moscow-technologies/blockchain-voting/blob/1d4f348681e961420a28e8a3a3d64719c4ddc628/encryption-keys/keys/public-key.json#L1-L5 and https://github.com/moscow-technologies/blockchain-voting/blob/1d4f348681e961420a28e8a3a3d64719c4ddc628/encryption-keys/data/encrypted-datums.csv#L1-L10

Recently Pierrick Gaudry [Gau19a] discovered that the implemented encryption system used a concatenation of three ElGamal encryptions each with a key of length 256 bits. Gaudry showed that since the keys were too short, each private key could be retrieved in minutes. Moreover, Gaudry provided a very short and beautiful script computing the secret keys from the public keys. In the same note, Gaudry remarked that the implemented version of ElGamal worked in groups of even order, which means that it leaked a bit of the message. Both of these issues have been fixed in the current version of the Internet voting system. Gaudry [Gau19b] acknowledged that these specific issues have been fixed, but he is still doubtful about the security of the system. (In particular, he says [Gau19b] that he cannot properly test the system due to the lack of documentation, and is concerned about potential flaws caused by the recent big changes fixing the key length issue.)

In this note we show that the new implementation of the encryption system also leaks a bit of the message. This is caused by the usage of ElGamal where the message is not mapped to the cyclic group under consideration. We show that this flaw potentially can be used for counting the number of votes cast for a candidate, which is illegal (until the end of the election period).

After the publication of this note, Pierrick Gaudry told us that he did warn the developers of the system that they should make sure that the system design does not allow attackers to encrypt elements outside of the group. As we show in this note, even the messages generated by the system (let alone an attacker) do not necessarily belong to the group.

2 Attack

The current implementation of the electronic voting system uses the ElGamal public key encryption scheme. The source code is available in [git19], and the encoding procedure is provided in Appendix A. Below we summarize the current implementation.

Let $p = 2 q + 1$ and $q$ be primes of length about $1024$ bits, and let $Q_{p}$ be the group of quadratic residues modulo $p$ . Note that $| Q_{p} | = (p - 1) / 2 = q$ . The system picks a $g \in Q_{p}$ generating $Q_{p}$ . Let $p k \in Q_{p}$ and $s k \in {1, \dots, q}$ be the public and secret key respectively, and $p k = g^{s k}$ . A message $m \in Z_{p}^{*}$ is encoded as a pair

E_{p k, s k} (m) = (g^{r}, {p k}^{r} \cdot m),

where $r \in {1, \dots, q}$ is a random number.

The problem with the current implementation is that $m$ is allowed to be any integer from ${1, \dots, q - 1}$ which is naturally mapped to an element of $Z_{p}^{*}$ . For semantic security (under the Decisional Diffie-Hellman assumption), the message $m$ should instead be hashed to one of the $q$ elements of the group $Q_{p}$ generated by $g$ . In the case when $m$ is not necessarily picked from the group of quadratic residues, the Decisional Diffie-Hellman assumption does not hold. Moreover, such a system is not semantically secure.

If $m \in Q_{p}$ is a quadratic residue, then for every choice of randomness of the encryption algorithm $E_{p k, s k} (m) = (c_{1}, c_{2})$ , the second component of its encoding $c_{2}$ is a quadratic residue. Indeed, if $g, m \in Q_{p}$ , then $g = x^{2}, m = y^{2}$ for $x, y \in Z_{p}^{*}$ , which implies that

c_{2} = {p k}^{r} \cdot m = g^{r \cdot s k} \cdot y^{2} = (x^{r \cdot s k} y)^{2} \in Q_{p} .

Similarly, if $m$ is not a quadratic residue, then ${p k}^{r} \cdot m$ is not a quadratic residue either.

Due to Euler’s criterion, there is an efficient way to distinguish the two cases: $x \in Z_{p}^{*}$ for a prime $p > 2$ is a quadratic residue if and only if $x^{(p - 1) / 2} = 1$ . Since this exponentiation can be performed in time $p o l y (log p)$ , this gives an efficient distinguishing attack.

In order to see that the implemented code indeed applies ElGamal to elements outside of the group generated by $g$ , one can apply Euler’s criterion to the published encrypted messages. In Appendix B we provide Python code showing that exactly five out of the ten published messages are quadratic residues modulo $p$ .

3 Example

Due to the lack of documentation and only some code available online, we cannot say for sure which parts of ballots are encrypted. The following lines of code suggest that only the “deputy id” field might be encrypted²²2See the following links for the code on github: https://github.com/moscow-technologies/blockchain-voting/blob/1d4f348681e961420a28e8a3a3d64719c4ddc628/voting-form/src/ballot/static/js/forms/mgik/election.js#L108-L123 and https://github.com/moscow-technologies/blockchain-voting/blob/1d4f348681e961420a28e8a3a3d64719c4ddc628/voting-form/src/ballot/common/module_tpl/election/default/show.tpl#L59 :

⬇

var dataToEncrypt = parseInt($(this).data(’value’));

...

return signer.getSignedTransaction(votingId, dataToEncrypt, entropy, encryptor);

and

⬇

The “deputy id” field stores the id of the voter’s chosen candidate. While the attack distinguishes two identical ballots with different votes with high probability regardless of which parts of the ballot are encrypted, for simplicity in this example we will assume that only the “deputy id” field is encrypted. Also, for this example we take the currently published group

Z_{p}^{*}

where

	$p =$	$10062759081450625618037903678618826196600591242500860802791085970455088$
		$29615914188038720723057459046019130152450978128758867982127126946624453$
		$23678201384359740027439588690880234391145675099291004487668846511981135$
		$30933109486902142540395785614572268133031351548262091859360232929939444$
		$1379077427748866822254003 .$

If the number of candidates is $k \leq 4$ , and the deputy ids are integers from $1$ to $k$ , then the adversary can easily count the number of votes cast for candidate number 2. (In particular, if there are only two candidates, then the adversary can count the total number of votes for each of the candidates).

Indeed, since $1, 3$ and $4$ are quadratic residues modulo $p$ , and $2$ is not, it suffices to raise the encrypted message to the power $(p - 1) / 2$ to check whether the vote is cast for candidate number $2$ . In Appendix C we give Python code emulating the implemented encryption system, and give an example of how to count the number of encryptions of the message $2$ among encryptions of messages from $1$ to $4$ .

We emphasize that this attack will distinguish (with high probability) two messages that differ only in their vote, regardless of the values of the deputy ids and which fields of the ballots are encrypted. Let $k$ be the number of candidates. Note that exactly half of the elements of $Z_{p}^{*}$

are quadratic residues. Assuming the uniform distribution of the plain messages we have that the probability of distinguishing a vote for one candidate from the votes for other candidates is

0.5

for

k = 2

, and is

\frac{k}{2^{k - 1}}

for

k > 2

4 Suggested Fix

The described security vulnerability is a major issue of the implemented cryptographic scheme. We note that the provided attack does not recover the secret key as required by the public testing scenario [Pub19], but rather breaks the system without recovering the secret key.

On the other hand, we believe that there might be an easy way to fix this issue. Since the current implementation already assumes that the message $0 < m < q = (p - 1) / 2$ (see line 13 in the code block in Appendix A), one can use a trivial hashing procedure to map each such message $m$ to the group of quadratic residues.

In the encoding procedure, we suggest to check whether $m^{(p - 1) / 2} = - 1 mod p$ . If the equality holds, then $m$ is not a quadratic residue, but $- m$ is. Therefore, one can set $m \leftarrow p - m$ and continue the encoding procedure.

In the decoding procedure, an analogous step will be required. If the decoded message $m \geq q$ , then it also should be negated ( $m \leftarrow p - m$ ).

Acknowledgements

I would like to thank Pierrick Gaudry and Noah Stephens-Davidowitz for their comments on an earlier version of this note.

References

[Gau19a] Pierrick Gaudry. Breaking the encryption scheme of the Moscow internet voting system. arXiv preprint arXiv:1908.05127, 2019.
[Gau19b] Pierrick Gaudry. Breaking the encryption scheme of the Moscow internet voting system. https://members.loria.fr/PGaudry/moscow/, 2019.
[git19] Public source code of the Moscow internet voting system. https://github.com/moscow-technologies/blockchain-voting, 2019.
[Kri19] Julia Krivonosova. Internet voting in Russia: how? https://medium.com/@juliakrivonosova/internet-voting-in-russia-how-9382db4da71f, 2019.
[Pub19] Public testing of the Internet voting system. https://www.mos.ru/upload/documents/files/5381/Formal_Offer.pdf, 2019.

Appendix A Current Implementation of ElGamal

Below we provide the current implementation of the ElGamal encryption in the Internet voting system.³³3https://github.com/moscow-technologies/blockchain-voting/blob/1d4f348681e961420a28e8a3a3d64719c4ddc628/smart-contracts/packages/crypto-lib/src/elGamal.js#L84-L125

⬇

async encrypt(data, entropy) {

if (!data) {

throw new Error(’Data must present!’);

}

if (!entropy) {

throw new Error(’Entropy must present!’);

}

const dataAsBI = new BigInt(data.toString());

const entropyAsBI = new BigInt(entropy.toString());

if (dataAsBI.compareTo(this.Q) >= 0) {

throw new Error(’Data to encrypt can not be bigger or equal that (P-1)/2!’);

}

if (entropyAsBI.compareTo(BigInt.ONE) <= 0) {

throw new Error(’Entropy for Session Key must be Integer bigger than 1!’);

}

if (entropyAsBI.compareTo(this.moduleP) >= 0) {

throw new Error(’Entropy for Session Key can not be bigger or equal Basis Module P!’);

}

const randomBigInt = await getRandomBigInt(BigInt.ONE, this.moduleP.subtract(BigInt.ONE));

const xoredRandomBigInt = randomBigInt.xor(entropyAsBI);

const sessionKey = trimBigInt(xoredRandomBigInt, this.moduleP.bitLength() - 1);

const sharedKey = this.publicKey.modPow(sessionKey, this.moduleP);

const a = this.generatorG.modPow(sessionKey, this.moduleP).toString();

const b = sharedKey

.multiply(dataAsBI)

.remainder(this.moduleP)

.toString();

return { a, b };

}

Appendix B Published Encrypted Messages are Not Quadratic Residues

In this Appendix we use the provided public key and encrypted messages⁴⁴4https://github.com/moscow-technologies/blockchain-voting/blob/1d4f348681e961420a28e8a3a3d64719c4ddc628/encryption-keys/keys/public-key.json#L1-L5 and https://github.com/moscow-technologies/blockchain-voting/blob/1d4f348681e961420a28e8a3a3d64719c4ddc628/encryption-keys/data/encrypted-datums.csv#L1-L10 to show that not all messages are quadratic residues in $Z_{p}^{*}$ . Here $c 2$ is the set of the second components of the encrypted messages (that is, each element of the set is ${p k}^{r} \cdot m$ where $m$ is some plain message, $p k$ is the public key, and $r$ is a random number). The code shows that only five out of ten elements are quadratic residues (give 1 when raised to the power $(p - 1) / 2$ ).

⬇

p = 10062759081450625618037903678618826196600591242500860802791085970455088296159&\break&14188038720723057459046019130152450978128758867982127126946624453236782013843&\break&59740027439588690880234391145675099291004487668846511981135309331094869021425&\break&403957856145722681330313515482620918593602329299394441379077427748866822254003

q = (p-1)//2

c2 = [

86911001506497462251782638567319361833688978813664946437333829354738909404&\break&43974481927929263283486987233406326466505025027434679060583881689706232630&\break&52860581382950559847777412555501704989450676046755496358356631412743565509&\break&63994173797345489306417174072514309856175754908122436241421564859178326320&\break&313204945649,

32994578715846315625334282465389128113015193084444994471583135772127926449&\break&51892161427453570566766298979864185170520616403124797427010730707520161094&\break&83404053598174999416617877699551805519137361275465665467691230764443752248&\break&89357541488942667685714188203805416972085863674686599803137288027861639262&\break&227344813980,

25605451399106620676652873102021964641362454624148409311459772958496440670&\break&16843578315908545184077772794593830979151616819810966255709567920814130778&\break&19709806694723689969137957383923170349530451483441188337477065322871518389&\break&97509598299206147956479381022563215978764100195629663712388182647511089787&\break&862332483202,

30936197551567269685847042352240834287171756541862382295858852516666762117&\break&55805979729879023007285286880732674891989007741022633330800550368742563469&\break&41237089009381794632389798562078456796442958644789501357076108208779625474&\break&70703268773776147336174270678101221755152924933175072952910690305403946708&\break&512011344065,

90189227659365697355063500941760536836478537551461759945631823319091683131&\break&30539947043416222984580270526152593756457555485599018740243229324226849605&\break&61239260442729637671756134870576696053584273031857981168518983390538640849&\break&29055706240055307151918736952456608210700937953363208336695605308414504363&\break&789714782355,

91764714915834445310265717136195446845915020510854708634828807741642908650&\break&88805234016509342009913809428795919722926613847539079055997816788187991705&\break&26245002211336442034207826902363786376681934271623388852857592304132784015&\break&33846260888398253877915981254520562872698617685705979612448346470413913994&\break&244174120780,

53180133541691920877303393106622876213880557470163604793597655634027675133&\break&60685116768376758300338878651961955633191844125587620057500524945640239322&\break&77996165942274611488630312874402187304375485303772307277867299568052321426&\break&13661312171461386140429576621530845469410809123204273518058446975266361694&\break&186911940244,

96389110287648758509344773386657594488132549702589565012028823522666392603&\break&23174326871289534690190117827254235251942037419181816826781045590593293711&\break&55623633657479236340811419693309298082823008055773940379928788914612436976&\break&30183068655120651685499248763092459000930306871431366198968873609555301941&\break&599393034947,

68868518968718401961947565883286957678496859516081208645391394051517430601&\break&54089569868014396600078685718742310976349636761884312463762214119090170143&\break&67814111630789237262689248078371187306393398854088463937893954685309796570&\break&18007065848405280697276892839194542147616119874097494557367533448036396670&\break&81357573332,

59049331935932409191703521981449178033897833739363938803374780496048381081&\break&67852649116009537459386386032599267182731855221804003545963016545542412314&\break&67392800236514010370577555635998585837533974218865577533874244033450031333&\break&65685878245562130520111649077186632157205095851334912141011894784614717824&\break&328145876601

]

for i in range(len(c2)):

print(pow(c2[i], q, p))

Appendix C Example

Here we show that with high probability one can distinguish encryptions of one message from the encryptions of other messages. In this example we use the currently provided public key for the ElGamal system.⁵⁵5https://github.com/moscow-technologies/blockchain-voting/blob/1d4f348681e961420a28e8a3a3d64719c4ddc628/encryption-keys/keys/public-key.json#L1-L5 We generate a hundred of random encryptions of the messages from $1$ to $4$ . Then without the knowledge of the secret key, we correctly recover the number of encryptions of the message $2$ .

⬇

import random

q = (p-1)//2

g = 20938162663634717592050150871604811965450185147804653686210341370048875526465&\break&65192598809608149897753169371105819433388566048465513249705171128931623257482&\break&20949810611902707966342172282736385317307210244235915353395023927031589746870&\break&88258365877782810885461860894240185695001397437423927797525752628688868571010

pk = 69869939556699578412481990448414288405398435179055114398103563207158851026044&\break&17268760023814098454244173381151935563527447828022461894488632630303059380694&\break&21286985815829955355067923635563794223005965324347558568201679805005654774823&\break&09964287055106318673831750120449183092965628809034498878410377075732012129326

def encrypt(data):

if (data >= q):

print(’Data to encrypt can not be bigger or equal that (P-1)/2!’)

sessionKey = random.randint(1, p-1)

sharedKey = pow(pk, sessionKey, p)

a = pow(g, sessionKey, p)

b = sharedKey * data % p

return (a, b)

#number of candidates is 4, their ids are {1, 2, 3, 4}.

count = [0] * 5

encryptions = []

for i in range(100):

candidate = random.randint(1, 4)

count[candidate] += 1

encryptions.append(encrypt(candidate))

for i in range(1, len(count)):

print(’Number of votes for candidate %d is %d’ % (i, count[i]))

notQResidues = 0

for (a, b) in encryptions:

if pow(b, q, p) != 1:

notQResidues += 1

print(’\nNumber of encrypted votes for candidate 2 is %d’ % notQResidues)

An Attack on the the Encryption Scheme of the Moscow Internet Voting System

Breaking the encryption scheme of the Moscow internet voting system

UC Modelling and Security Analysis of the Estonian IVXV Internet Voting System

Pakistan's Internet Voting Experiment

An analysis of Coggia-Couvreur attack on Loidreau's rank-metric public key encryption scheme in the general case

A code-based hybrid signcryption scheme

An algorithm for a fairer and better voting system

Blind proxy voting

1 Introduction

2 Attack

3 Example

4 Suggested Fix

Acknowledgements

References

Appendix A Current Implementation of ElGamal

Appendix B Published Encrypted Messages are Not Quadratic Residues

Appendix C Example

An Attack on the the Encryption Scheme of the Moscow Internet Voting System

Related Research

Breaking the encryption scheme of the Moscow internet voting system

UC Modelling and Security Analysis of the Estonian IVXV Internet Voting System

Pakistan's Internet Voting Experiment

An analysis of Coggia-Couvreur attack on Loidreau's rank-metric public key encryption scheme in the general case

A code-based hybrid signcryption scheme

An algorithm for a fairer and better voting system

Blind proxy voting

1 Introduction

2 Attack

3 Example

4 Suggested Fix

Acknowledgements

References

Appendix A Current Implementation of ElGamal

Appendix B Published Encrypted Messages are Not Quadratic Residues

Appendix C Example