Online voting test in Moscow: a security flaw discovered by a CNRS researcher
Less than a month before Moscow tries out online voting as part of the city’s election of a new parliament, a French cryptographer has revealed a security flaw in the recently tested protocol. Pierrick Gaudry, a CNRS researcher at the Laboratoire lorrain de recherche en informatique et ses applications (CNRS/Inria/Université de Lorraine), did so simply by taking up the challenge proposed by an election monitoring organisation, which each day posted a set of encrypted data corresponding to fictitious votes along with a public key¹. The goal for participants was to test the quality of the data encryption. Pierrick Gaudry showed that, using a standard computer and freely available software, he could obtain a private key in approximately 20 minutes. He believes that a hacker could have obtained this private key in just 10 minutes, and would subsequently have been able to follow the results of the Russian election live. This flaw resulted from the small size of the public key, which made calculating the private key very simple. Since the publication of his article on the arXiv platform on 14 August 2019, the final tests have proposed a new protocol with a longer public key, and the Moscow mayor’s office has contacted Pierrick Gaudry to inform him that he will shortly be receiving an award of 13,500 euros for his research.
1. In asymmetric cryptography, a “public key” is the encryption code and the “private key” is the decryption code. For online elections, all electors encrypt their vote using the same public key before sending it to a server. Authorities have the private key needed to decrypt all of the votes received.
Breaking the encryption scheme of the Moscow internet voting system. Pierrick Gaudry. Released on arXiv, August 14 2019: https://arxiv.org/abs/1908.05127