Russia’s new blockchain-based polling system may not be as secure as previously assumed. A recent report describes a flaw in the system that could let a third party see how individual people voted.
Russian journalists discovered a vulnerability in Moscow’s blockchain-based polling system, according to CoinDesk. If exploited, it would allow a voter’s encrypted ballot to be decrypted, revealing how that person voted.
The flaw was reported on Wednesday by Meduza, a Russian online newspaper based in Riga. Meduza published research claiming that the HTML code of the electronic ballot page also exposes the keys needed to decrypt the votes.
From June 25 to July 1, 2020, Russian citizens voted on whether or not they approve of the proposed constitutional amendments. One of the changes is the removal of the two-term restriction for the Russian presidency, which would allow Vladimir Putin to stay in power until 2036.
Residents of Moscow and the Nizhny Novgorod region had the option to cast their votes electronically. In Moscow’s case, the city’s Department of Information Technologies and Kaspersky Lab built a polling system that recorded votes on an Exonum-based blockchain.
Ballot data was encrypted with the TweetNaCl.js cryptographic library to keep the electronic votes confidential. According to Meduza, however, the key generation was deterministic: given the same input data, the system produced the same cryptographic key.
Since the 2020 Russian constitutional referendum asked citizens only to vote “Yes” or “No,” that meant just two keys were in use across the whole system, one shared by every “Yes” ballot and one by every “No” ballot. Meduza claimed that, with those two keys, it was able to decrypt the voting data published in CSV files by the Department of Information Technologies.
The CSV files were published so that independent observers could verify the vote count. But if Meduza’s finding holds, any third party with the files can check how a particular person voted, which Meduza warned could mean that voters “may be pressured to vote a certain way in future polls.”
The Department of Information Technologies, however, disputed Meduza’s report. The department’s representative Artyom Kostyrko said that “people can only decode their own votes on their own devices,” contrary to the publication’s claim that anyone holding the two shared keys can decrypt any vote.