How electronic elections will be protected or a paraphrase about homomorphic encryption developed in Russia

They invited me here to moderate a meeting of experts on remote electronic voting technologies (DEG) and I gladly agreed, since this topic is not new to me – three years ago I was already a member of the working group on electronic voting at the DIT of Moscow. Then I had questions to vote from a technical point of view. This time we were talking about the federal vote and I was wondering what happened in 3 years.

Although it is rather difficult to compare the Moscow and federal DEG systems – the only thing they have in common is that this is voting and it is built on the basis of the blockchain 🙂 Joke!

In any case, I am grateful to the organizers who invited me to the event, where I was able not only to listen, but also to ask questions to those who “ruled” the entire system from the inside, when in a month and a half, in the fall of 2023, they will once again take voters into their “embraces”.

The event took place in museum of cryptography and this predetermined the topic of the first session, devoted entirely to the issues of cryptography, which allows you to protect the integrity, non-repudiation and confidentiality of will. When I was preparing for the event, this was one of the issues that I wanted to voice. We understand that pure cryptography is not able to solve all the problems of information security. And, at a minimum, it is necessary to evaluate the correctness of the implementation of cryptography, as well as its application in a particular system. In the end, DEG is a lot of components, among which CIPF is only a small part. But this fear was dispelled during the first technical presentation – colleagues from Rostelecom, who are the developers and operators of the DEG, assured me that at the next meeting, the conversation will focus on other aspects related to the safety of the DEG. In particular, about putting the system on one of the platforms Bug bounty!

Yes, you heard right, the remote electronic voting system, which will be used in federal elections, will be posted on a bug bounty to assess its real security. It’s good that this method of verifying invalid events (and vote substitution is one of them) is gradually gaining popularity!

I hope that at the next meetings (I don’t know who will moderate them) they will also raise issues related to security monitoring DEG in the process of voting, ensuring its availability in the face of DDoS attacks (I think pro-Ukrainian hacker groups will not miss such an opportunity), protecting anonymized personal data (after all, we remember that the RKN now does not make a difference between personal and anonymized data), etc.

Representatives of Rostelecom made a good overview of the evolution of the DEG, cryptographic algorithms and protocols used in different years, ways to deal with identified attacks on cryptography (yes, there were such attacks too), and what they eventually came to. Here I must say that by the early years of the work of the DEG, including the presidential elections, I still had questions, although they will gradually sink into oblivion:

1. Were foreign algorithms actually used? It is clear that this is so (I voted at one time without installing any cryptographic providers and cryptographic information protection tools, from a regular browser), but it’s still interesting. And I want to scream like the hero of Leonid Kuravlev from the film “Ivan Vasilyevich Changes His Profession”, the thief Georges Miloslavsky: “How did you let it happen ?!” 🙂

What are legal implications in case of post-factum (after voting) the possibility of carrying out cryptographic attacks on the DEG? It turned out that the previously used blind Schnorr signature can be “easy” (it was enough to organize 256 parallel sessions) “broken“. To my question, I received an answer that after the publication of the relevant study, they retrospectively analyzed the possibility of carrying out an attack during the voting, but did not find confirmation of this. My question about the legal significance has remained unsolved (and I’m afraid that no one will answer it now).

2. If the DEG is built on the blockchain and all its nodes are located in three data centers of Rostelecom, then what are the guaranteesthat changes cannot be made to the system? I received the answer on the sidelines and it was in the style of “why do this?” and “blockchain uploads are available to a wide range of people – from observers to the Public Chamber, and everything can be checked.” But, to be honest, it doesn’t suit me very much 🙁 Back in the late 90s, I had something to do with the Elections GAS, and even then I had the feeling that it doesn’t matter how votes are counted, it’s important how they are displayed. So here, why is it impossible to have two systems – one collects votes, and the second displays what needs to be displayed? And although the issues of audit and observability were not ignored and a separate meeting will be devoted to them, I still have questions for this part.

By the way, a very strange idea was voiced by a representative of the Public Chamber at the meeting that only cryptographic protection is an ideal tool for monitoring elections. The other two that he cited are, in his opinion, ineffective. The first one is bureaucratic procedures, verification of votes, etc. (everything is the same as in ordinary polling stations). The second is to provide the code of the system to everyone for its analysis. And this is where it got weird. It sounded that the code would not be given to anyone, since there is a lot of it (just a few hundred thousand lines) and no one is able to analyze it, and you still can’t find a competent bookmark.

Well, at least it’s weird. SecDevOps was not invented yesterday, and even for software with a large volume of lines, checks are carried out. In addition, no one bothers to solve the problem in other ways – at least to check the checksums of the software used in the elections with what was provided to the inspectors. In general, there are verification methods. It is strange when the Public Chamber thinks otherwise.

But from the point of view of cryptographic transformations and protocols in the DEG, I liked everything. Especially the fact that we had a circuit designed and tested homomorphic encryptionwhich, as you know, allows you to perform operations on ciphertext without revealing it, and this is exactly what you need in voting systems when you need to count votes without revealing them.

Other cryptographic protocols were developed, which were approved by the FSB, went through TK26, and may be standardized in the foreseeable future. In my opinion, this will allow them to be used not only in DEG, but also in other scenarios requiring similar operating conditions. Here CryptoPro and Kryptonite did a good job. True, this part of the speech was not without my questions:

1. It turns out that before the CIPF used in the DEG were not certified?
2. So far, the algorithms are not designed in the form of GOSTs and it is not very clear whether they will be? Yes, they were approved by the 8th Center of the FSB and therefore, according to PKZ-2005, they can be used in cryptographic information protection, but will not only CryptoPro specialists be able to implement them?
3. Yes, the CIPF installed on the side of Rostelecom are certified according to the KA class. But what about user computers? It sounded that the certificate in this case is class KS1. But then two additional questions immediately popped up for me:
   1. If this is a certified CIPF, then what about instance-by-instance accounting? Does this mean that voters must go through some procedure to account for the used CIPF? This question was gently ignored, only clarifying that I’m asking the right and hard questions 🙂
   2. Do I need to install CIPF KS1 separately or is it already built-in? Where? It turned out that we are talking about a separate application for voting, as well as browsers with built-in cryptography (Yandex Browser and Atom from VK).
   3. What to do for those who do not want to install the application or the mentioned browsers? And here it turned out to be interesting – you can vote without them, from ordinary browsers. But then the question arises – how will all the developed cryptographic schemes mentioned above be implemented? Most likely not 🙁 They work only where they are implemented; otherwise, good old foreign cryptography will be used. Although there is an opportunity to block it and prevent voting with its help in the system.

Although the meeting was held at the Museum of Cryptography and cryptographers were present, there were also journalists from IT and business publications. It seemed to me that they were a little dumbfounded when they heard about disjunctive Chaum-Pedersen protocol, the Tessaro-Zhu scheme, etc. cryptographic terms 🙂 The eyes of many on such slides have been widened 🙂

And the last thing that hit me, but I no longer asked these questions, was the emphasis on the fact that the cryptographic strength was assessed on the basis formal models, not in the real environment. That is, they checked more the possibility of implementing cryptographic attacks in theory, on schemes and algorithms, and not on their implementation. And is it important! Who knows how software around cryptographic protection will be implemented? Maybe there will be errors that a potential violator will take advantage of?

Speaking of the intruder. The approved violator model does not take into account the substitution of the vote of one voter. It seems to me that this is quite logical for such a large-scale project, but it may be insulting to a particular citizen whose vote is not counted or not accepted due to any targeted or random influences. But exactly the same problem has a reverse side – already from the point of view of trust in the system. If some citizen wants to check how his vote was taken into account and what was recorded in the blockchain, he can easily do this, the system allows this (with the proviso that we do not know what will be displayed, what is in the blockchain, or something else). But check mass substitution of votes unrealistic precisely because of the secrecy of the vote. In order to massively check whether the votes were counted correctly, you need to know what they were, and this contradicts the secrecy of the vote.

Well, excuse me, I have professional deformation and I’m thinking about how to get around the protected system, and not just about how cool it is and what opportunities it gives!

On the whole, I liked the meeting. It can be seen that from a scientific point of view, remote electronic voting is developing and new approaches are emerging that can be used in other areas of our life, for example, in e-commerce. Yes, there are always questions of trust in those who implement all this and what goals are pursued by the organizers of the vote. But there’s nothing you can do about it – technology can hardly solve these issues 🙁

The note How electronic elections will be protected or a paraphrase about homomorphic encryption developed in Russia was first published on Business without danger .