cube00 16 hours ago

> we have encountered a fatal technical problem that prevents us from concluding the election and accessing the final tally, [1]

How is someone losing their key a "technical problem"? Is that hard to own up and put the actual reason in the summary? It's not like they have stockholders to placate.

> we will adopt a 2-out-of-3 threshold mechanism for the management of private keys [1]

The trustee responsible has resigned so why weaken security going forward?

I would have thought cryptography experts losing keys would be pretty rare, like a fire at a Sea Parks.

[1]: https://www.iacr.org/news/item/27138

  • kube-system 16 hours ago

    It sounds like the technical problem is that they spent more time thinking about cryptography itself than they did about the prudent application of it.

    Confidentiality that undermines availability might be good cryptography but it violates basic tenets of information security.

    • tbrownaw 14 hours ago

      > spent more time thinking about cryptography itself than they did about the prudent application

      "Your Scientists Were So Preoccupied With Whether Or Not They Could, They Didn’t Stop To Think If They Should"

  • Someone 12 hours ago

    A few paragraphs down, they say:

    “Unfortunately, one of the three trustees has irretrievably lost their private key, an honest but unfortunate human mistake, and therefore cannot compute their decryption share. As a result, Helios is unable to complete the decryption process, and it is technically impossible for us to obtain or verify the final outcome of this election.”

    ⇒ that first paragraph is badly worded, but they’re not hiding facts.

    I also think “3 out of 3” is not a good idea, as it allows any single key holder to prevent election outcomes that they don’t like (something that may have happened here, too. I don’t think cryptography experts often lose such keys by accident)

    • Chilinot 12 hours ago

      > I also think “3 out of 3” is not a good idea, as it allows any single key holder to prevent election outcomes that they don’t like (something that may have happened here, too. I don’t think cryptography experts often lose such keys by accident)

      It's also important to factor in the case of "a key holder was hit by a bus, and now we can no longer access their private key".

    • FabHK 11 hours ago

      I’m fairly sure the holder of a single private key cannot see the outcome of the election, then withhold the key if they don’t like it. Of course, if they have reasons outside the narrow election process (media, gossip) to believe that the outcome would be unfavourable to them, then that’s a reasonable worry.

    • exomonk 4 hours ago

      Maybe when the next draft of democracy is written it can leverage these tools.

  • woodruffw 16 hours ago

    > How is someone losing their key a "technical problem"?

    The human half of the problem is the loss of the key; the technical half of the problem is being unable to decrypt the election results.

    > The trustee responsible has resigned so why weaken security going forward?

    I don't think there's a scenario in which a 2-of-3 threshold is a significant risk to IACR.

    • themafia 14 hours ago

      There's physical loss and data loss as well. Key storage devices are not perfect. You even have to account for HSM failures.

      I believe the DNSSEC uses a 5 of 7 approach.

  • gpjt 15 hours ago

    Thanks for the reminder of a brilliant IT crowd moment!

sevenoftwelve 12 hours ago

Cryptographer and IACR member with a tiny bit of inside knowledge here.

To me, the entire matter is mostly amusing; the negative impact on IACR is pretty low. I now have to spend 10-15 minutes voting again. No big deal.

It saddens me that Moti Yung is stepping down from his position as an election trustee; in my opinion, this is unwarranted. We have been using Helios voting for some time; this was bound to happen at some point.

Don't forget that the IACR is not a large political body with a decent amount of staff; it's all overworked academics (in academia or corporate) administering IACR in their spare time. Many of them are likely having to review more Eurocrypt submissions than any human could reasonably manage right now. There are structural issues in cryptography, and this event might be a symptom of the structural pressure to work way more than any human should, which is pervasive not just in cryptography, but in all of science.

From what I heard on the grapevine, this scenario was discussed when Helios was adopted; people wanted threshold schemes to avoid this exact scenario from the start, but from the sources I can find, Helios does not support this, or at least it does not make threshold encryption easy. The book Real-World Electronic Voting (2016)[^0] mentions threshold encryption under "Helios Variants and Related Systems", and the original Helios paper (2008)[^1] mentions it as a future direction.

You don't have to tell these academics that usable security is important. Usable security is a vital and accepted aspect of academic cryptography, and pretty much everyone agrees that a system is only as secure as it is usable. The hard part is finding the resources—both financial and personnel-wise—to put this lesson into practice. Studying the security of cryptographic systems and building them are two vastly different skills. Building them is harder, and there are even fewer people doing this.

[^0]: Pereira, Olivier. "Internet voting with Helios." Real-World Electronic Voting. Auerbach Publications, 2016. 293-324, https://www.realworldevoting.com/files/Chapter11.pdf

[^1]: Adida, Ben. "Helios: Web-based Open-Audit Voting." USENIX security symposium. Vol. 17. 2008, https://www.usenix.org/legacy/event/sec08/tech/full_papers/a...

roenxi 13 hours ago

This seems a bit confusing and their documentation page was out of action when I tried it - why do the results need to be decrypted by trustees after the election? Is the concern that Helios itself isn't trustworthy to hold a key? And why do they need all trustees instead of a quorum of trustees by default? Not using a secret share for the real key seems like it is setting people up for this to happen and it sets up an odd dynamic where the more election trustees there are the less likely it is that the vote will be readable (in this case, if they'd only had one trustee they'd probably be in a position to read the results). In even a small group of people it is possible that one has a moderate-to-severe personal emergency in any week.

It'd be more robust in my opinion to have 4 mostly trustworthy people and a 3-in-4 secret share. That seems as good as 3 trusted people.

  • Legend2440 12 hours ago

    > why do the results need to be decrypted by trustees after the election?

    Because they’re an association of cryptographers. They’ve invented all these cool encrypted voting protocols that split trust among multiple people, so of course that’s what they’re going to use.

  • Szpadel 11 hours ago

    > why do the results need to be decrypted by trustees after the election?

    They probably design this system to be used for government elections; how can they convince anyone to use it when they do not use it for their own elections?

  • stavros 12 hours ago

    Well, they're redoing it with 2 out of 3, so I guess they learned the lesson.
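
Added example (not part of any comment above, and not Helios code): a toy ElGamal tally key held 3-of-3, where every trustee's decryption share is required as in the IACR statement quoted in the thread, next to a 2-of-3 Shamir sharing of the kind roenxi describes. The group parameters, function names and the trusted dealer in `deal` are assumptions made for illustration; the group is far too small for real use.

```python
import secrets
from math import prod

# Toy group, far too small for real use: P = 2Q + 1, G has prime order Q.
P, Q, G = 2039, 1019, 4

def encrypt(h, m):
    """ElGamal: (a, b) = (G^r, m * h^r)."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), m * pow(h, r, P) % P

def combine_all(shares, n):
    """n-of-n: the key is x1 + ... + xn, so a^x needs every share a^xi."""
    return prod(shares.values()) % P if len(shares) == n else None

def deal(x, t, n):
    """Shamir: f(1..n) for a random polynomial of degree t-1 with f(0) = x."""
    coeffs = [x] + [secrets.randbelow(Q) for _ in range(t - 1)]
    return {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q
            for i in range(1, n + 1)}

def combine_threshold(shares, t):
    """t-of-n: Lagrange interpolation in the exponent; x is never rebuilt."""
    if len(shares) < t:
        return None
    ids, mask = sorted(shares)[:t], 1
    for i in ids:
        lam = 1
        for j in ids:
            if j != i:
                lam = lam * j * pow((j - i) % Q, -1, Q) % Q
        mask = mask * pow(shares[i], lam, P) % P
    return mask

def decrypt(b, mask):
    """Recover m from b = m * a^x, or None when a^x could not be formed."""
    return None if mask is None else b * pow(mask, -1, P) % P

def demo(lost=2, m=1234):
    """Trustee `lost` has no key; return (3-of-3 result, 2-of-3 result)."""
    keys = {i: secrets.randbelow(Q - 1) + 1 for i in (1, 2, 3)}
    a, b = encrypt(pow(G, sum(keys.values()), P), m)
    got = {i: pow(a, k, P) for i, k in keys.items() if i != lost}
    all_needed = decrypt(b, combine_all(got, 3))
    x = secrets.randbelow(Q - 1) + 1          # dealt key (assumes a trusted dealer)
    a, b = encrypt(pow(G, x, P), m)
    got = {i: pow(a, s, P) for i, s in deal(x, 2, 3).items() if i != lost}
    return all_needed, decrypt(b, combine_threshold(got, 2))
```

`demo()` returns `(None, 1234)`: with one key gone the 3-of-3 ciphertext cannot be opened, while any two Shamir shares still recover the plaintext.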

devttyeu 8 hours ago

Cryptography is the science of turning any problem into a key management problem

vayup 10 hours ago

Few lessons to relearn here:

- Availability is a security requirement. "Availability" of critical assets is just as important as "Confidentiality". While this seems like a truism, it is not uncommon to come across system designs, or even NSA/NIST specifications/points-of-view, that contradict this principle.

- Security is more than cryptography. Most secure systems fail or get compromised, not due to cryptanalytic attacks, but due to implementation and OPSEC issues.

Lastly, I am disappointed that IACR is publicly framing the root cause as an "unfortunate human mistake", and thereby throwing a distinguished member of the community under the bus. This is a system design issue; no critical system should have 3 of 3 quorum requirement. Devices die. Backups fail. People quit. People forget. People die. Anyone who has worked with computers or people knows that this is what they do sometimes.

IACR's system design should have accounted for this. I wish IACR took accountability for the system design failure. I am glad that IACR is addressing this "human mistake" by making a "system design change" to 2 of 3 quorum.

  • JanisErdmanis 8 hours ago

    It is quite negligent that they are not using the threshold decryption ceremony, but at the same time, I don't think we should dismiss the framing of human mistake here. Even if there were a threshold decryption ceremony in place, such a failure mode could still happen; here, it simply makes it more visible. The question of how one would select the threshold seems pertinent.

    A small threshold reduces privacy, whereas a large threshold makes human error or deliberate sabotage attempts more likely. What is the optimum here? How do we evaluate the risks?

    • vayup 3 hours ago

      You are absolutely right that it is easy to rule out obviously bad choices, such as 3 of 3. However, determining the actual quorum to use is a qualitative risk analysis exercise.

      Considering that this is an election for a professional organization with thousands of members, I am going to go out on a limb and say that it should be easily possible to assemble a group of 5 people that the community/board trusts wouldn't largely collude to break their privacy. If I were in the room, I would have advocated for 3 of 5 quorum.

      But the lifecycle of the key is only a few months. That limits the availability risk a little bit, so I can be convinced to support a 2 of 3 quorum, if others feel strongly that the incremental privacy risk introduced by 3 of 5 quorum is unacceptable.
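
Added example (not part of any comment above): one way to put numbers on the threshold trade-off JanisErdmanis and vayup discuss, assuming each trustee independently loses their key with probability `p_loss` and independently colludes with probability `p_collude`. Both probabilities are constructed values, the independence assumption is a simplification, and the minimax rule in `best_threshold` is just one possible selection criterion.

```python
from math import comb

def tail(n, k, p):
    """P(at least k of n independent events occur), each with probability p."""
    return sum(comb(n, i) * p**i * (1 - p)**(n - i) for i in range(k, n + 1))

def quorum_risk(t, n, p_loss, p_collude):
    """(P(tally unrecoverable), P(privacy broken)) for a t-of-n quorum."""
    unavailable = tail(n, n - t + 1, p_loss)  # fewer than t usable keys remain
    breach = tail(n, t, p_collude)            # at least t trustees collude
    return unavailable, breach

def best_threshold(n, p_loss, p_collude):
    """Pick t minimising the worse of the two risks (one possible criterion)."""
    return min(range(1, n + 1),
               key=lambda t: max(quorum_risk(t, n, p_loss, p_collude)))

# Constructed per-trustee probabilities, not estimates for the IACR election.
P_LOSS, P_COLLUDE = 0.05, 0.01

def table(options=((3, 3), (2, 3), (3, 4), (3, 5), (5, 7))):
    """Quorums named in the thread, as rows of (t, n, unavailable, breach)."""
    return [(t, n, *quorum_risk(t, n, P_LOSS, P_COLLUDE)) for t, n in options]

if __name__ == "__main__":
    for t, n, u, b in table():
        print(f"{t}-of-{n}: unavailable={u:.2e}  privacy breach={b:.2e}")
```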

goku12 11 hours ago

So what's it like between Cryptographers and secret keys? Is it like between Mathematicians and doing mental calculation of big numbers?

bicepjai 5 hours ago

Why don’t they use a password manager?

generalizations 16 hours ago

Nerds do tend to forget that people make procedural errors.

gethly 12 hours ago

Oh man, I read "electron" and I thought this was quantum entanglement and cryptography :D

gattis 16 hours ago

in other words, someone didn't like the election results

  • bmacho 12 hours ago

    I don't know if they used such a method, but it is possible to provide a proof for the key before it is actually useful.

    E.g. everyone provides a hash for their key first, and the actual key some seconds later, when all the hashes for the keys have arrived. Someone is 'cheating' by claiming key loss if s/he claims that s/he lost the key during those few seconds.

  • zerof1l 12 hours ago

    Don't know why your comment is downvoted so much.

    Even if this was an accident, isn't it theoretically possible for one of the trustees to intentionally not provide the key to trigger the re-election? There's no guarantee that the people will vote the same. I see this as a kind of vulnerability.

    • justincormack 12 hours ago

      They wouldn't know the result before providing the key.

      • gattis 2 hours ago

        yet we know the results of presidential elections before all the votes are tallied, or have a pretty sure guess

      • zerof1l 12 hours ago

        It's possible to gauge where the election is going; you don't need to see the votes. With social profiling, and people talking in general...

        • speed_spread 8 hours ago

          Even knowing that the results of a repeat election are likely to be the same, I can easily imagine someone being petty and "losing" their key to sabotage the process as a demonstration of power. It's just human nature at its worst.

          • integralid 8 hours ago

            This is casting accusation as a member of a community, without a shred of a proof.

            This is also not realistic and Occam's razor applies here strongly: why sabotage your career and frankly embarrass yourself just to make a tiny election delay, based on uncertain assumptions? This doesn't pass the sniff test.

            In short, I think always assuming the worst in people is not healthy and we should trust that this was indeed an honest, unfortunate mistake. This could happen to everyone.

            • speed_spread 7 hours ago

              I'm sorry. I should have made it clear that I wasn't discussing the present situation of which I know nothing about and have no reason to doubt the good faith of all involved.

              I was merely expanding on the hypothetical case where bad politics overcame a theoretically sound selection process.

  • alfiedotwtf 13 hours ago

    The opposite is interesting to think about - for a commonly used threshold cipher, could you craft your part to secretly force a chosen plaintext regardless of the other parts?

  • tptacek 15 hours ago

    "When you definitely know what an IACR director does."

tptacek 15 hours ago

I'd make a joke about NSA conspiracies here but I'm 95% sure some kind of Foucault's Pendulum / QAnon thing would happen and 6 years from now I'd be the contrarian on a bunch of threads about how the IACR had been suborned to suppress cryptanalysis of MLKEM.

SV_BubbleTime 4 hours ago

Good.

Break your systems, identify the issues, fix it.

I want this to happen because I want mathematically secure elections.

That said… holy shit, you didn't think one of three groups could possibly lose a key due to human error!?