The paper notes another, distinct, attack possibility:
> Before going to this, we mention quickly another mistake in the design that could in itself have led to devastating attacks. The generators that are given in public-key.json are generators of the whole multiplicative group. However, due to the Chinese remainder theorem, it is a good practice to use a generator of prime order. In the present case, the generators will have their order divisible by 2, and therefore there is a huge risk that one bit of information leaks from a ciphertext. In a context like e-voting where a ballot can have a very simple form, this bit of information could reveal a lot of the vote (or even all of it in the case of a yes/no question). In principle, we would have had to investigate more in this direction. But due to the main attack that is much easier and far more powerful, we keep this as a remark.
https://arxiv.org/pdf/1908.05127.pdf
This still leaves the question why the developer(s) decided to roll their own crypto in this way:
> A possible explanation is a confusion with the key size that can be used when using elliptic curves for which the Number Field Sieve algorithm does not apply.
This is such an obvious mistake that the entire protocol (whether or not it's ever documented) might be vulnerable.
> Another less excusable but still possible explanation might be related to the use of the Ethereum blockchain. In the Solidity programming language that is used to write smart contracts, the bit size of the largest supported integers is 256. Maybe the authors did not want to write a multiprecision arithmetic library that would have been required to deal with larger key sizes. This hypothesis is supported by frequent tests in the source code, checking that the big integers they manipulate are not bigger than SOLIDITY_MAX_INT.
This seems more likely. However, that last sentence about checking for overflow sounds like another trove of vulnerabilities.
Moreover, the claim by the developer in the ZDnet article that a patch is forthcoming seems suspect given that it will need to also include multiprecision arithmetic functionality, where there are still more opportunities for snafu.
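The one-bit leak the paper remarks on is easy to see in code. The toy below is an added example, not code from the paper or from the Moscow system: it runs textbook ElGamal over a constructed safe prime P = 2Q+1 (P = 2039, chosen here, not a parameter of the real system), first with a generator of the whole group Z_P^* as the paper describes, then with a generator of the prime-order subgroup of squares with ballots encoded into that subgroup. The `leaked_bit` function uses only the public key and the ciphertext; with a full-group generator it equals the Legendre symbol of the plaintext, so two ballot values with different symbols (a yes/no question) are distinguishable without the private key, while with the prime-order fix it is always 1.

```python
import secrets

# Constructed toy parameters (not the system's real keys): a safe prime P = 2*Q + 1.
P = 2039
Q = 1019


def legendre(a, p):
    """Legendre symbol (a|p): 1 if a is a non-zero square mod p, -1 if not, 0 if p divides a."""
    r = pow(a % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def full_group_generator(p):
    """Smallest generator of the whole group Z_p^* for a safe prime p = 2q+1.
    g generates everything iff g^2 != 1 and g^q != 1 (mod p); such a g is never a square."""
    q = (p - 1) // 2
    for g in range(2, p):
        if pow(g, 2, p) != 1 and pow(g, q, p) != 1:
            return g
    raise ValueError("no generator found")


def keygen(g, order, p):
    """ElGamal key pair in the subgroup generated by g (of the given order)."""
    x = secrets.randbelow(order - 1) + 1
    return x, pow(g, x, p)


def encrypt(g, order, p, y, m):
    k = secrets.randbelow(order - 1) + 1
    return pow(g, k, p), (m * pow(y, k, p)) % p


def decrypt(p, x, ct):
    c1, c2 = ct
    return (c2 * pow(c1, p - 1 - x, p)) % p   # c1^(-x) == c1^(p-1-x) mod p


def leaked_bit(p, y, ct):
    """What anyone holding only the public key y and a ciphertext can compute.
    (c1|p) = (g|p)^k and (c2|p) = (m|p) * (y|p)^k.  If g is a non-square, (c1|p)
    reveals the parity of k, and with it the Legendre symbol of the plaintext m."""
    c1, c2 = ct
    k_odd = legendre(c1, p) == -1          # only informative when g is a non-square
    return legendre(c2, p) * (legendre(y, p) if k_odd else 1)


def encode(m):
    """Map a ballot value 1..Q into the order-Q subgroup of squares."""
    assert 1 <= m <= Q
    return (m * m) % P


def decode(s):
    r = pow(s, (P + 1) // 4, P)   # a square root of s; valid because P = 3 (mod 4)
    return min(r, P - r)          # the root that lies in 1..Q


def observer_view_full_group(m):
    """Scheme as criticised: generator of the whole group, ballot value sent as-is."""
    g = full_group_generator(P)
    x, y = keygen(g, P - 1, P)
    ct = encrypt(g, P - 1, P, y, m)
    assert decrypt(P, x, ct) == m
    return leaked_bit(P, y, ct)


def observer_view_prime_order(m):
    """Fix: generator h = g^2 of prime order Q, ballot encoded into that subgroup."""
    h = pow(full_group_generator(P), 2, P)
    x, y = keygen(h, Q, P)
    ct = encrypt(h, Q, P, y, encode(m))
    assert decode(decrypt(P, x, ct)) == m
    return leaked_bit(P, y, ct)


if __name__ == "__main__":
    yes, no = 2, full_group_generator(P)   # a square and a non-square as the two ballot values
    print("full group :", observer_view_full_group(yes), observer_view_full_group(no))
    print("prime order:", observer_view_prime_order(yes), observer_view_prime_order(no))
```

The fix has two parts that go together: the generator must have prime order, and the ballot values must be mapped into that subgroup (here by squaring), otherwise the Legendre symbol of c2 alone still gives the plaintext's symbol away.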
It seems they covered the other attack possibility with the new update as well but another researcher from Harvard was able to break the system so he could count the votes before the election was over. Plus, now there is a new big update and writing code for numerical methods in such a short period is never bug-free. Let's see how it plays.
Here is the original blog post by the French researcher (in English) [1].
In an update, he says the updated system with a 1024-bit key was also compromised, on August 24th [2].
But this sure surprised me:
> Pierrick Gaudry, from Lorraine University, was able to break the Ethereum-based smart contract encryption in only 20 minutes using nothing more than an average desktop computer and free, publicly available software. Gaudry estimates more modern equipment and sophisticated techniques could crack the encryption in only 10 minutes.
Poor programming and cryptography by the contract developers is always going to be the biggest weakness of smart contracts. This one was developed by a government entity so the quality issue is not really surprising...
> It was developed in-house by the Moscow Department of Information Technology
The developers claim [1] they were only using a weak private key during a "trial period" which doesn't really make sense. Who releases a different public/private key scheme before launching into production?
If the development team doesn't hire outside security testing or request public review - to test the real software - then it's pretty useless. Their response notes a meetup in Moscow in Sept (which is the same month as the election?) which seems like a strange requirement if they were expecting solid public feedback.
OK, so I think a little political context about this would be useful.
On September 8th, Russia has "universal voting day", with elections to different regional parliaments, heads of some regions and even additional members of parliament. This year, the campaign has been very political because of the Moscow parliament - which was for years treated as a completely uninteresting event with very low news coverage and turnout. This year, however, in response to opposition candidates getting serious momentum, many have been disallowed from running, triggering escalating protests - some legal, some illegal, with sometimes brutal reaction to the police, which, in turn, led even more people to take part in the protest. This number of people in the street hasn't been seen since the 2011 protests.
So, after the trust in the elections, rule of law and democracy process have been eroded this much, I'm genuinely surprised that they even bothered to build a buzzword-fueled voting system.
Researchers overlook a more important issue. As the government controls the servers, it can impersonate any number of users.
Users submit an application to vote remotely through a government-controlled site and confirm it by receiving an SMS with a code. It is obvious that the government is able to submit such an application to its own server without bothering the real user.
The users vote remotely and confirm their identity by providing a code from SMS (again) and the government can just look at the code on the server. It isn't important what cryptography is used there. You don't need to guess random numbers when you have root access to the server.
The observers are supposed to see a tape where some hashes will be printed when someone votes. Maybe they will be allowed to see the registry of voters who chose to vote remotely, maybe they will not be allowed.
I cannot prove this, and this is my personal opinion, so you shouldn't believe me, but I think the government wants an opaque procedure to produce legitimate looking election results with desired outcome. With paper voting, there are too many points of failure: it is difficult to throw the ballots in the box when there is a vigilant observer. Remote voting doesn't have such flaws.
If there was a fraud, it would be difficult to explain to a non-programmer. They don't understand anything, they just see how the program says "hash doesn't match". But maybe it is just a program written by foreign agents (and stored on foreign "Github" servers) producing fake results. For comparison, with paper voting anyone can understand that there is a fraud if you show them the video.
Also, the government party is slowly losing its rating and starts losing regional elections. Remote voting might be a cure for this undesired situation.
And probably any other government (for example Estonian) that implements such an opaque system has similar aims.
Excuse me, please, are you living here? Do you really think there is a possibility the majority (or even 10%) of voters will vote digitally?
It's so out of character for Russian voters that I honestly suppose you're a Prigozhin troll.
I was pointing out that the system is not protected from malicious actions of administrators. What method of voting will the real voters choose doesn't matter here. The government can choose it for them.
The turnout for elections into Moscow Parliament in 2014 was 21%. 79% of voters didn't vote which means that the government can falsify their votes in remote voting and nobody notices.
This time because of protests the turnout might be higher, like 30% or 40%. This still leaves 60% of people who won't vote and whose votes can be used for falsifications.
I’ve never been to Russia and don’t know the Russian attitude towards tech or voting. But I’m confident that if the US had a system like this and made a reasonably usable phone app to be the front end, almost no one under the age of 60 would bother to wait in line for a physical voting booth ever again.
>would bother to wait in line for a physical voting booth ever again
As someone living in a state with mail-in ballots, it still boggles my mind waiting in line for physical voting is a thing. Mail-in ballots seem to be the best of all worlds. It's easy. I have time to do the research for who I want to choose. It's all backed by USPS so it's pretty damn secure- as secure as everything else we trust in the mail.
Mail-in means you can be coerced to vote a certain way by someone in your household. It also means someone might be able to get a hold of your ballot papers and vote in your name (there are Austrian politicians who have been convicted for doing just this). The postal service might "lose" ballots depending on whether they come from minority neighborhoods or other characteristics (in Austria, mail-in ballots have the voter's name on the outside). This is different from normal mail since if the postal service regularly lost your mail you would notice and complain; can you tell if your mail-in vote has really arrived? Votes might also be "lost" after they arrive wherever they are meant to be counted; letters presumably need to be guarded for several days, as opposed to votes put in a ballot box and counted later that day (this was one of the factors in the Austrian constitutional court cancelling one round of the 2016 presidential election).
There are certainly other failure modes. In the last Hungarian parliamentary election the ruling party got less than 50% of the votes overall but literally 99% of the postal vote. That seems rather fishy to me.
Anyway, if you have long lines, that means the people organizing your elections are not doing their job right. There need to be more polling places. Other civilized countries manage this, the US would only need to take their democracy seriously.
They have proven not to be. Here you sign them and add phone number or email. An advanced state could copy my signature but they verify I am a voter so double voting would be detected.
I shouldn't have used that language, not proud of myself.
However, codedokode's concerns are utterly irrelevant. Vast majority of Moscow voters won't use this system, neither care whether the election is scientifically legitimate. Those who do have a presumption of guilt wrt Voting Committee (for a thousand good reasons). As a Moscow sociologist put it: "a political party with 30% support aims to get 90% in the City Duma. How would they do that? Obviously, by cheating and violence".
Thus, codedokode's concerns have no meaning inside Russia, and outside they serve only the purpose intended by the creators of all this: for foreigners to scorn imperfect system, and be relieved when they update it to something passable, for the same ultimate effect - steal the election.
I'm definitely missing something here. The standard size of both Ethereum and Bitcoin private keys is a 256-bit secp256k1 key. If a 256-bit key is guessable within 20 mins then the entire blockchain is also broken.
The article doesn't mention this, but if you look at the paper[1] it turns out they aren't using ElGamal with elliptic curve fields -- instead they're using prime fields. In that case, you'd want similar key sizes to RSA. (The "less than 256 bit" part is a red herring, the problem is that they are using key sizes that would only be safe if they were using elliptic curves.)
Wow, they are using conventional discrete log cryptography with 256-bit key? What the actual fxxk?! It's literally the equivalent of using 256-bit Diffie-Hellman, or RSA-256, DSA-256, dammit, even NSA's bad DH_EXPORT ciphers use 512-bit. Totally unbelievable.
Totally different kind of cryptography. secp256k1 is an elliptic curve, and 256-bit elliptic curves are generally believed to provide comparable security to 3072-bit RSA or DH or ElGamal. (See https://www.keylength.com for a good compilation of reputable comparisons along these lines.)
For obvious reasons, the US government was never an authorized CA in firefox, and the application to be put on the list of trusted CAs was denied. The DoD root cert (for .mil addresses) is similarly distrusted. AFAIK most other browsers operate similarly. If you so desire, you can simply add the FCPCA and DoD certs to your trust store. Or... you know.. not.
My understanding is that the FPKI has tons of sub-CAs all doing their own thing and thus couldn't meet the Baseline Requirements. If they could meet the BRs then I'm sure the public comments would be full of comments about the NSA et al, but pre-CNNIC Mozilla was a lot more willing to follow a technical checklist for approval. The recent DarkMatter request indicates the process isn't so trusting anymore.
Yeah it really doesn't make any sense that it's not that way. I'd very much like to add the fcpca cert for .gov addresses and dod cert for .mil addresses, as I sometimes use these TLDs for work, but it doesn't make any sense to enable them globally. In fact I would like to ban all other CAs from those TLDs as they would be obviously fraudulent. I wouldn't have an issue adding cnnic for .cn either.
While I'm at it, why can't... Nevermind. The certificate authority system is so damned broken I could sit here for hours. Arrrg.
Scanned the paper and looks like they're using keys that are < 256-bit, hence the vulnerability. Also I think the encryption keys which were found vulnerable are separate from the transaction signing keys.
But then the article and its citation is plain wrong. 256-bit keys (3 of them) are cited multiple times:
> "This is a mystery," the French researcher said. "The only possible explanation we can think of is that the designers thought this would compensate for the too small key sizes of the primes involved. But 3 primes of 256 bits are really not the same as one prime of 768 bits."
> However, a public key of a length of 1024 bits may not be enough, according to Gaudry, who believes officials should use one of at least 2048 bits instead.
The paper[1] makes it much clearer. They aren't using elliptic curves, they're using prime fields with ElGamal (with a weird construction using three separate keys for some reason). The security is similar to RSA-256 (in other words, "awful") -- it makes sense that they could crack it in 20 minutes.
Why do people do weird stuff like this when there is gobs of good ECC code for things like ed25519 and ECDSA with standard curves that is easy to use and just sitting on GitHub?
Implementing complex crypto correctly is hard, but it's really not that tough to use common constructions in a secure way. A few days of reading can tell you how to build a cryptosystem that is at least not total holey cheese.
One theory that the paper has (in the last page) is that the reason for the construction was a consequence of Solidity only having support for 256 bit integer arithmetic. So as a workaround (to avoid writing a library that does larger bit operations) they came up with a scheme using three 256-bit keys instead.
Obviously using Curve25519 would've made it possible to have a secure setup under the "256 bit arithmetic only" constraints, but I have a feeling (assuming this theory is correct) that someone who thinks that three 256-bit keys are significantly more secure than one 256-bit key probably would've messed that up too.
There's just no way any elections in Russia would produce the results not approved by the government. Government controls the entire chain of custody, from ballot counting to final vote tallies, and has been routinely falsifying the results at all levels. It often doesn't even need to tell those in charge to do anything: they "know" who should win and they make sure it happens. They also know they will have significant issues, career, legal, and otherwise, if it doesn't happen.
Funniest thing is, they don't even need to do this. Because nearly all of the mass media is under government control, the incumbents have overwhelming support of the people as it is.
This is also why it's absolutely terrifying that all the press in the US is controlled by like 5 people, and the rest of the information one gets is controlled by Google, Facebook and Twitter. Anyone who thinks this is not being used for nefarious purposes is incredibly naive. There are trillions of dollars at stake.
How do you know that, though? Are you a citizen of Russia? Because if you are not, I'm suspicious.
I live in an undemocratic country but even then, we have a fairly good opposition and kind of a free media thanks to the journalists taking the risk of prison and social media so I was really surprised to find out there is no powerful opposition in my country, all of the media belongs to him and we citizens are just dumb people who wouldn't know our country better than outsiders.
The thing is, a leader can't hold that much power. If he lost the election, s/he can play dirty, fight etc. but wouldn't be able to do as s/he pleases with the results. There is always a balance they need to be careful about and not everything is black and white.
Yes I am, in fact, a citizen of Russia. I'm also a US citizen. I know this because there's been both video and statistical evidence, as well as numerous reports of electoral district vote counters simply falsifying final vote tallies, people being bused around to vote in multiple districts, etc, etc. Statistical evidence of vote count manipulation is actually pretty damning. If you calculate the distribution of vote count _percentages_ across all electoral districts, you will see that there are spikes around multiples of 5 and 10%. That means the vote for the "right" candidate was rounded up to an even number on a statistically significant number of them.
Don’t those spikes happen in small districts though, where you’re likely to have 1, 2, 4, 5, 10, or 20 votes, which would all guarantee a result with a multiple of 5 or 10%?
I don't have those graphs with spikes at the moment, but there are more interesting ones.
Here is an article in Russian with graphs [1]. This [2] is a graph where axis X contains a turnout percent (how many voters took part in voting at a polling station) and axis Y contains a number of polling stations with that value of turnout.
Here is another graph [3]: axis X contains turnout percent, axis Y contains number of people registered at the polling stations and each point is a station (there are about 90 000 total in Russia). You can see that there are large polling stations with turnout above 90% and number of voters above 2000. You can also see that elections seem to be very popular as majority of the points lie in the right part of the graph.
This graph [4] is built by the same rules, but contains data only on polling stations from one southern region - Ingushetia. You can see how neatly points align along the line at 80% turnout. People of Ingushetia are very active.
These graphs [5] are built by the same rules, but for another region - Chechnya - and for 4 different elections in 2011, 2012, 2016 and 2018. The perfect line in 2011 becomes diffused by 2018 and slightly shifts to the left. On the graph for year 2018 one can see that there are "atypical" polling stations which have suspiciously low turnout. One possible explanation for this could be that in 2018 several dozen brave volunteers decided to take the risk of going to Chechnya as observers.
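The integer-percentage check described a few comments up ("spikes around multiples of 5 and 10%"), together with the small-station objection raised in reply, can be turned into a simple screening script. This is an added example written for this thread, not any commenter's code or a published tool, and all polling-station data in it is constructed with a seeded random generator: a clean set, and a set where 30% of stations have the leading result pushed to an exact multiple of 5%. The filter on `min_voters` is what answers the objection: stations with a handful of ballots produce round percentages by arithmetic alone, so they are excluded before comparing the observed share of round results against the roughly 21/101 that a smooth distribution of integer percentages would give.

```python
import random

STEP = 5          # look for pile-ups at multiples of 5 %
MIN_VOTERS = 100  # below this, round percentages arise by arithmetic alone


def result_percent(votes, total):
    return round(100 * votes / total)


def round_number_share(stations, min_voters=MIN_VOTERS, step=STEP):
    """Share of stations with at least `min_voters` ballots cast whose leading-candidate
    result, taken as an integer percentage, lands on a multiple of `step`."""
    eligible = [s for s in stations if s["total"] >= min_voters]
    if not eligible:
        return 0.0
    hits = sum(1 for s in eligible if result_percent(s["votes"], s["total"]) % step == 0)
    return hits / len(eligible)


def expected_share(step=STEP):
    """Share a smooth distribution over integer percentages 0..100 would give (21/101 for step 5)."""
    return len(range(0, 101, step)) / 101


def flag(stations, tolerance=0.05):
    """Return (suspicious, observed_share): suspicious when the round-number share of the
    large stations exceeds the smooth-distribution baseline by more than `tolerance`."""
    share = round_number_share(stations)
    return share > expected_share() + tolerance, share


def make_stations(rng, n, forced_fraction=0.0, tiny_fraction=0.4):
    """Constructed data, not real election results. About `tiny_fraction` of stations are very
    small (5-30 ballots); in `forced_fraction` of all stations the leading result is set to an
    exact multiple of 5 %, imitating the rounding-up the comment above describes."""
    stations = []
    for i in range(n):
        tiny = rng.random() < tiny_fraction
        total = rng.randint(5, 30) if tiny else rng.randint(100, 2000)
        votes = rng.randint(0, total)
        if rng.random() < forced_fraction:
            votes = round(total * rng.choice(range(0, 101, STEP)) / 100)
        stations.append({"id": i, "total": total, "votes": votes})
    return stations


if __name__ == "__main__":
    rng = random.Random(7)
    clean = make_stations(rng, 3000)
    suspect = make_stations(rng, 3000, forced_fraction=0.3)
    print("baseline share            :", round(expected_share(), 3))
    print("clean data   (>=100 votes):", flag(clean))
    print("forced data  (>=100 votes):", flag(suspect))
    print("clean data, tiny included :", round(round_number_share(clean, min_voters=0), 3))
```

Run it and the clean set sits near the baseline once tiny stations are excluded, while including them raises the share on its own, which is exactly why the filter has to come first; the forced set stands well above the threshold. On real data the same check should be applied per region and per candidate, since the effect discussed in the thread is concentrated rather than uniform.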
Voting irregularities are pretty standard in Russia, lots of international observers and reports have established it. Opposition candidates are regularly jailed, major protests and civil actions are suppressed, and if you really get under the Kremlin's skin, you find yourself assassinated or thrown out of a window.
Putin's Russia is a very blatant authoritarian regime.
Not just Putin's. There was only one time in my lifetime when nobody knew who would win the election. That was the 1996 election which was largely won by Yeltsin by hiring a bunch of consultants from the US to run it (and I also suspect that his campaign was at least in part financed by the US as well - his opponent was Gennady Zyuganov, a communist). Other than that I don't recall any even somewhat democratic elections at all. Needless to say, there weren't any real elections in the USSR either. Nor under Czar before that. It's a long, established tradition.
Pretty sure. In the first round Zuyganov and Yeltsin were neck and neck. Zuyganov looked _very_ viable to most of the older voting population who had quite enough of the "wild 90's" and wanted to go back to the socialist certainty of how things were before Perestroika, at least to some extent, and Zuyganov promised exactly that. Or at least how they remembered how things were: people tend to forget the bad things first, this is called the "good old days syndrome".
The entirety of Russia's entertainment industry was paid huge amounts of cash, mostly under the table, to stage concerts in support of Yeltsin. Where that cash came from nobody knows to this day.
>Russian presidents don't usually try to dance awkwardly on stage
Probably not in the case of Yeltsin though, who willingly jumped from the CPSU Olympus once (which was probably the only relatively bright moment in his career) and was fairly eccentric otherwise, especially when drunk.
I was one year short of the voting age back then, but I remember it very well. What you're saying is true, but you're only describing his "Vote or Lose" campaign. My impression was that he won mostly due to the support of the elites (aka oligarchs who owned the media) faced with the possibility of a communist president, not just because he paid the media. Also the support of other candidates, in particular he convinced Chernomyrdin and Nemtsov, fairly popular back then, to abstain from running for presidency in his favor, after they declared they would run for the office.
Regarding the US consultants, I think his only foreign consultant was Tim Bell, who was British, IIRC he didn't design Yeltsin's Vote or Lose since his experience wasn't directly applicable in Russia, it was Malashenko who designed it.
Thanks, this is a solid piece describing the amount and the source of money went into that campaign. It doesn't necessarily contradict what I was saying though - Yeltsin wouldn't have won without the oligarchs like Berezovsky or Gusinsky supporting him (and the money of course), there's also no way for him to win with either Nemtsov or Chernomyrdin running for the office, even with the campaign of that scale. And the article you linked seems to be skeptical about the role of those consultants as well.
If this was about to be used for elections, shouldn't such a critical piece of software have more developers working on it? Why is there only one contributor to the whole project? Why does it have only 37 stars? Is this project well known among the citizens?
This is a small pilot project, it will be run in just a few districts of Moscow for municipal elections this September. Also, as of now, only about 1% of the population of those districts have registered for online voting, around 500 people.
So it's more like a proof of concept, and a first step in making larger-scale electronic elections possible in the future (from technological, political, organizational, and public trust standpoints).
> This repository contains the code for electronic voting that will be used for Moscow City Parliament elections.
> Purposes of creating this repository
> The repository was created to allow examination of a source code. Although the purpose of the system is electronic voting, we ask to leave comments and open issues only on technical questions. All comments containing political statements will be deleted.
But the code is incomplete. For example, PHP code looks like a "module" for a larger CMS and cannot be run independently. Also, here [1] there is a header that says "prototype" in Russian. And in several files where there should be the rules and explanations for users there is just a placeholder, for example in this file [2]. So I assume this is just an early version of code.
This code was published as a part of a challenge to break the encryption used in remote voting.
There is no git history probably because this is just a snapshot, github is not used for development.
> Data for testing are in the following directories:
> - data - contains randomly generated data set for applying encryption keys
> - keys - contains encryption keys
> In the beginning of every day, the `data` folder will contain a file with encrypted data and `keys` folder will contain a public key. The task is to decrypt the data in time that is equal to voting duration - 12 hours.
> 12 hours later, original data will be published in the `data` folder and `keys` folder will contain a private key.
Electronic voting should be used to forecast votes and offer confirmation/more data points, and nothing more. It's just too hard to secure currently, and the influence problems (lack of anonymity, possibility of election tampering) isn't worth the risk currently.
Electronic voting could also be used simply as a way to save and fast-track the voting process, making it more convenient. Confirm your votes on the app, get to upload them in bulk to the machine (via QR code or something), and all you have to do is confirm. Lots more time to think about the vote, but you still have to confirm in person.
Longer, more casual access to voting booths and mandatory paid time off is the best thing most democratic/semi-democratic systems could do to help voting these days.
I used to think that, but actually a blockchain can also require something to be publicly announced, which is quite powerful and is the basis of a lot of applications.
Blockchain is used in cryptocurrencies to have a shared registry modified and verified by independent nodes who don't trust each other. Using it, you can prove to anyone that you have X bitcoins, and anyone who received them from you can prove this too.
In case of voting, there are no independent nodes, all modifications to the registry are done by the election committee (or authorised by them) and users can only verify the transaction list. So it would be easier to just present election events as a Merkle tree (voter X has submitted an encrypted ballot Y, and the hash of the registry before this was Z).
But in this case there would be no "blockchain" and no feeling of reliability and security.
If I made a mistake here, I would be happy if someone would point at it.
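The commenter's alternative (a chain of hashes: "voter X has submitted an encrypted ballot Y, and the hash of the registry before this was Z") is the kind of thing that fits in one file. This is an added example, not code from the commenter or from the Moscow project: a hash-chained append-only registry, a Merkle root over the entries for publication, and the two checks an observer can run (the whole chain recomputes up to the published head; a voter's receipt is included under the published root). Voter ids and "encrypted ballots" are constructed placeholder bytes.

```python
import hashlib


def h(*parts: bytes) -> bytes:
    """SHA-256 over the concatenation of the parts."""
    return hashlib.sha256(b"".join(parts)).digest()


class Registry:
    """Append-only, hash-chained list of voting events. Every entry commits to the
    voter id, the (already encrypted) ballot and the hash of the registry as it stood
    before the entry was added, so altering any entry changes every later hash."""
    GENESIS = b"\x00" * 32

    def __init__(self):
        self.entries = []
        self.head = self.GENESIS

    def append(self, voter_id, encrypted_ballot):
        entry_hash = h(self.head, voter_id.encode(), encrypted_ballot)
        self.entries.append({"voter": voter_id, "ballot": encrypted_ballot,
                             "prev": self.head, "hash": entry_hash})
        self.head = entry_hash
        return entry_hash  # handed to the voter as a receipt


def verify_chain(entries, published_head):
    """Observer check: every link recomputes, and the chain ends at the published head."""
    prev = Registry.GENESIS
    for e in entries:
        if e["prev"] != prev or h(prev, e["voter"].encode(), e["ballot"]) != e["hash"]:
            return False
        prev = e["hash"]
    return prev == published_head


def _pad(level):
    return level + [level[-1]] if len(level) % 2 else level   # duplicate last node on odd levels


def _next_level(level):
    level = _pad(level)
    return [h(level[i], level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(leaves):
    level = list(leaves)
    while len(level) > 1:
        level = _next_level(level)
    return level[0]


def merkle_proof(leaves, index):
    """Sibling hashes from leaf `index` up to the root, each tagged with whether it is on the left."""
    proof, level = [], list(leaves)
    while len(level) > 1:
        level = _pad(level)
        sibling = index ^ 1
        proof.append((level[sibling], sibling < index))
        level = _next_level(level)
        index //= 2
    return proof


def verify_inclusion(leaf, proof, root):
    node = leaf
    for sibling, sibling_is_left in proof:
        node = h(sibling, node) if sibling_is_left else h(node, sibling)
    return node == root


# Constructed sample events: ids and ciphertext bytes are placeholders, not real data.
SAMPLE_EVENTS = [
    ("voter-0001", b"\x8a\x11encrypted-ballot-A"),
    ("voter-0002", b"\x3c\x72encrypted-ballot-B"),
    ("voter-0003", b"\xd0\x05encrypted-ballot-C"),
]


def demo():
    reg = Registry()
    receipts = [reg.append(v, b) for v, b in SAMPLE_EVENTS]
    leaves = [e["hash"] for e in reg.entries]
    root, proof = merkle_root(leaves), merkle_proof(leaves, 1)
    # An insider swaps the second ballot after publication; observers re-run the checks.
    tampered = [dict(e) for e in reg.entries]
    tampered[1]["ballot"] = b"\x3c\x72encrypted-ballot-X"
    return {
        "chain_ok": verify_chain(reg.entries, reg.head),
        "tampered_chain_ok": verify_chain(tampered, reg.head),
        "receipt_included": verify_inclusion(receipts[1], proof, root),
        "forged_receipt_included": verify_inclusion(h(b"not a receipt"), proof, root),
    }


if __name__ == "__main__":
    print(demo())
```

What this buys is detection of after-the-fact changes to a record that has already been published, and nothing more: as the earlier comments about server access point out, it says nothing about whether the committee appended honest entries in the first place, and the same is true of a "blockchain" whose only writer is the committee.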
My old country as always at its best when it comes to propaganda. These elections will be noted in history for the first usage of blockchain instead of for the brutal suppression of opposition https://www.cnn.com/2019/08/14/europe/russia-protests-arrest... (note the helmeted Russian storm-troopers don't have any ID on their uniform, so they are practically unpunishable for their actions - I mean there is even no guarantee that it is actual law enforcement and not just some dressed up guys who enjoy beating people)
Meta: Where's the manual for administrating Moscow's elections? What portion of election administration was this applied to?
Through recurring embarrassment, I've learned that you start with the jurisdiction's laws, rules, procedures, manuals.
Update: Julia Krivonosova, cited by this OC paper, appears to be doing excellent work, and does cover some of the context, assumptions. She's definitely a better election integrity advocate than I ever was.
It's possible (however unlikely) that a voting system built on top of Ethereum is perfectly reasonable for Moscow, Russia, wherever.
Even in the USA, where the Australian Ballot (private voting, public counting) is the gold standard, there are many, many exceptions (compromises made). For very good reasons. For instance, postal balloting. Originally implemented to enfranchise soldiers kept away from their homes for long durations.
Further, even in the USA, YMMV. Local variations impact election administration. For instance, how "voter intent" is adjudicated (when a mistake is made by the voter).
If we don't start with the context and assumptions, we end up talking past each other, and getting nowhere.
--
Though I am a blockchain skeptic, for voting and tabulation, there are other exciting potential applications. Election administration is a big, complicated problem. While tabulation is the most important step, it's also relatively minor.
Since blockchain is just a shared ledger, it could help with pretty much every other step: candidate filing, political boundaries (GIS), voter registration (eligibility), reporting campaign contributions and expenses, publishing reports (certification), audit of material handling. Etc.
How can a blockchain-based voting system be a good idea if it invites an attacker who can afford lots of ASICs, e.g. a hostile nation who like to interfere, to launch a 51% attack?
Probably for its homomorphic encryption properties. Used in the correct setting with the appropriate generator (ElGamal on elliptic curve fields) it is very secure but limited in use beyond set intersection as the results cannot be decrypted.
-Status quo, old voting system. Corrupt process with vote results that remain in force. Nothing changes.
-Novel, manipulated system where the regime loses the vote. The vote gets overturned because it's illegitimate in the wrong way. Maybe embarrassing to the authorities?
> The vote gets overturned because it's illegitimate in the wrong way.
...and it's house cleaning time, because the Enemy of the State(TM) was identified and it was caught red-handed stealing the national election! The dictator can name whoever he wants as the Enemy of the State(TM), sending a few choice persons to path of exile or worse, and the public will eat it up, because their country is under attack!
Just think about what 9/11 did to Bush's support rating.
Meddling with foreign elections is the quickest way to create inner turmoil and conflict. Instead of busying themselves with creating a functioning democracy, you've just created an illegitimate system which will be destroyed from the inside-out, while provoking hate for the meddling party. I don't see the upside here unless you intend to (and are able to) keep it a secret for forever or unless turmoil and suffering is your goal.
I think we're talking about very different things. I'm thinking of hacktivists exploiting a bug in a stupid system to expose the flaws in it. You seem to be thinking of some kind of attempted coup.
There's a difference between people exposing a bug and publishing it, revealing the flaws inherent in the implemented voting system, and people finding a bug and using it to manipulate the vote directly, then revealing the manipulation to 'overturn' the vote. Which ties into what I said earlier. It's going to cause a crisis and it can be used to spin a narrative about how they're under attack from the West and/or America, further cementing their hold on power. Really, there are so many things that can and have gone wrong in attempts to mess with elections that I just don't see the benefit for anybody.
I'm going to play devil's advocate here: It may be a corrupt system, but who's to say the next won't be worse? Far more people are going to die in the civil conflict that'll occur if Putin is displaced. The evil you know, etc..
maybe they meant presenting its vulnerabilities to claim the election illegitimate. But that still won't work, they will just ignore/deny everything as usual
He is genuinely popular I believe, not just from state run polls but also independent ones. You must understand the fact that he pulled Russia out of one of its worst crises in history and made it a force to be reckoned with again.
Yeah there’s plenty to criticise but that fact alone will make him quite popular. He’s certainly authoritarian, I wouldn’t characterize him as a “ruthless dictator”
It’s clearly a political designation. It’s authoritarian for sure. I’m not gonna defend his actions. There are plenty of countries which are far worse though and do not get designated as “ruthless dictators” by the media. When Yeltsin was in power he was a ruthless dictator, but because he toed the line there were no issues.
Current voting system in Russia is so adjustable the data from it is used as examples of statistics anomalies.
A month ago a scientific paper was published with a formally proven mathematical model which described last year's election of the Primorskiy kray governor. Results of that vote were nullified in 2 weeks just to install a new temporary governor so he would beat an opposing candidate in the next one by using administrative resources.
Putin might win; Putin's party ("United Russia") is not so popular, has a lot of negative opinions, has dubious people (e.g. a government official having a lot of expensive real estate which cannot be bought with their declared income), has a lot of people who are incompetent and who are kept for their loyalty.
If they could win easily, why would they falsify election results or ban opposition candidates? They don't want to play fair.
This is actually a problem for Putin, that he has certain popularity and trust, but it isn't transferred to people from his party, to governors etc.
Did you confirm the parent was American before posting that?
Even if they were, how does one person's comment on HN apply to a couple hundred million people? It obviously doesn't. You're making a similar type of intellectual mistake as the parent (Russia bad; Americans bad).