According to a study by a French cryptography expert, the current version of the blockchain-based system that Moscow residents can use to vote in municipal elections is easy to hack.
Pierrick Gaudry, a researcher at the French National Center for Scientific Research (CNRS), published a paper entitled “Hacking the encryption scheme of the Moscow Internet voting system”. In it, he studied the encryption scheme in the open-source code of the Ethereum-based blockchain platform that the Moscow government developed for online voting.
Gaudry concluded that the encryption scheme used in part of the code is “completely insecure”. He notes:
“It can be hacked in about 20 minutes using a standard personal computer and only free and publicly available software. In particular, you can calculate private keys from public keys. Once they become known, any encrypted data can be decrypted as quickly as it was created.”
At the same time, the researcher clarifies that the problem is not in the Ethereum code used as the basis for the platform. According to Gaudry, the encryption used in the Moscow system is a variant of the ElGamal scheme and uses keys no longer than 256 bits.
“This is too, too little to guarantee any security,” Gaudry notes.
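To make the key-length point concrete, here is an added example (not code from the Moscow system or from Gaudry's paper) of textbook ElGamal, not the Moscow variant, over a constructed 31-bit prime, where the private key is computed from the public key with the generic baby-step giant-step method and then used to decrypt. The modulus, generator, keys, message and function names are all assumptions chosen for illustration.

```python
import math

# Constructed toy parameters (not from the Moscow code): a 31-bit prime
# modulus, chosen so the key search below finishes in well under a second.
P = 2**31 - 1   # prime modulus
G = 7           # generator (primitive root) modulo P

def public_key(x):
    """ElGamal public key h = G^x mod P for private key x."""
    return pow(G, x, P)

def encrypt(h, m, k):
    """Textbook ElGamal ciphertext (G^k, m * h^k) with ephemeral key k."""
    return pow(G, k, P), (m * pow(h, k, P)) % P

def decrypt(x, c1, c2):
    """Divide out the shared secret c1^x to recover m."""
    return (c2 * pow(pow(c1, x, P), -1, P)) % P

def recover_private_key(h):
    """Baby-step giant-step: find x with G^x = h (mod P) in ~sqrt(P) steps."""
    n = math.isqrt(P - 1) + 1
    baby, e = {}, 1
    for j in range(n):              # table of G^j for j < n
        baby.setdefault(e, j)
        e = (e * G) % P
    step = pow(G, -n, P)            # G^(-n), needs Python 3.8+
    gamma = h
    for i in range(n):              # look for h * G^(-i*n) in the table
        if gamma in baby:
            return i * n + baby[gamma]
        gamma = (gamma * step) % P
    return None

def demo():
    """Encrypt with a public key, then decrypt using only public data."""
    secret_x = 1234567890           # constructed private key
    h = public_key(secret_x)
    c1, c2 = encrypt(h, 20190908, k=987654321)  # constructed message
    x = recover_private_key(h)
    return x == secret_x, decrypt(x, c1, c2)

if __name__ == "__main__":
    print(demo())
```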
As indicated on the website of the Moscow City Administration, voters from three districts can choose to use the blockchain system to vote in the elections to the Moscow City Duma, the city parliament, on September 8.
According to Gaudry, “in the worst case,” a low level of encryption will mean that the data of voters and their votes “will be open to everyone as soon as they vote.” He added that without having access to the system protocol, it is difficult to determine the consequences of a potential hack.
To be fair to the project development team, Gaudry noted that the system was the subject of a “public hacking test”, the purpose of which was to identify any such problems. Gaudry used the source code available on GitHub.
Gaudry contacted the team at the Moscow Department of Information Technologies (DIT), which developed the voting system, about the security problems. The Department acknowledged that the cryptographic keys are currently not secure enough, and said that they will soon be updated to 1024 bits.
Recently it became known that the Moscow DIT will create a blockchain platform for automating electronic services and data storage.