Security Cryptography Whatever
The IACR Can't Decrypt with Matt Bernhard
The International Association of Cryptologic Research held their regular election using secure voting software called Helios…and lost the keys to decrypt the results, leaving them with no choice but to throw out the vote and call a new election. Hilarity ensues. We welcome special guest Matt Bernhard who actually works on secure voting systems to explain which bits are homomorphically additive or not.
Watch on YouTube: https://www.youtube.com/watch?v=euw_yqAQFI8
Transcript: https://securitycryptographywhatever.com/2025/12/30/iacr-helios
Links:
- NYT: https://www.nytimes.com/2025/11/21/world/cryptography-group-lost-election-results.html
- IACR Memo: https://www.iacr.org/news/item/27138
- https://www.iacr.org/elections/
- https://vote.heliosvoting.org/faq
- https://github.com/Election-Tech-Initiative/electionguard
- https://www.usenix.org/legacy/events/sec08/tech/full_papers/adida/adida.pdf
- https://www.iacr.org/elections/eVoting/about-helios.html
- https://www.iacr.org/elections/eVoting/
- https://crypto.ethz.ch/publications/files/CrGeSc97b.pdf
- https://electionguard.vote/
- https://eprint.iacr.org/2025/1901
- https://freeandfair.us/blog/open-free-election-technology/
- https://www.starvoting.org/
- https://mbernhard.com/
"Security Cryptography Whatever" is hosted by Deirdre Connolly (@durumcrustulum), Thomas Ptacek (@tqbf), and David Adrian (@davidcadrian)
No, no, no, no. No one has ever made anything easier by introducing threshold cryptography. You have at best made something possible, but you haven't made anything easier. Hello. Welcome to Security Cryptography Whatever. I'm Deirdre. I'm David; I am pretty amused right now. That's Thomas. And today we have a special guest. Hi, Matt Bernhard. It's great to be here. Thanks. Um, we invited Matt on today because there was a very funny thing that happened in the world of cryptography this past week. You're shooting too low. This was in the New York Times. Okay. Yes. Although we wouldn't be talking... they were in the New York Times because of my tweet. This all stems from my tweet. You sure? I didn't see your tweet. I decided to be confident about this fact. So, um, I didn't even know you tweeted either, but I smashed my phone, so I'm all out of the loop on Twitter, at least. So the International Association of Cryptographic Research... of Cryptologic Research. The "logic." Yes, the IACR holds, what is it, annual or semi-annual elections for roles within that organization. IACR runs a bunch of the major crypto conferences. So these are the people that manage that whole enterprise. They have elections of all their members, you know, to elect directors of the organization and a president and a bunch of other things like that. They just held their election, which I found out about because they emailed me to say that the election had failed due to the fact that one of the trustees of the election lost the cryptographic key that was required to decrypt the results. So they ran the entire election, but are unable to decrypt it because somebody lost a USB key. That's what happened. Or the file that was on the USB key or something like that. It is a USB key that holds the threshold key required to decrypt the IACR election. Yeah.
They use a system called Helios. Yes, for this whole scheme. And I guess Helios has been used for other things besides this election. Yes. They've been using Helios for a long, long time, and I've used Helios in other election thingies. Helios has been around for over 15 years. But this one was very funny because it's the cryptographers who can't decrypt. So we're gonna get into the Helios details and online elections and all that, but I think a better place to start out is just what the IACR is. So I'd like to start with the fact that I'm pretty sure half the internet now believes that every protocol ever presented at an IACR conference is now backdoored by the NSA. They're just papers. That was true of the post-quantum cryptography competition too, and all that stuff is backdoored. Oh, all of it? All of it. Yeah, this is an actual bogus election. This is like the January 6th of cryptography. The count was in fact stopped. Somebody didn't like the way that count was going. What are they hiding from us? So Deirdre, can you help me understand more? I happen to be a member of the IACR, and the reason for that is I went to meet David and Deirdre at Real World Crypto, which is the best of all of the annual cryptography events, right. Last year it was... hell, was it last year? I think it was last year. It was two years ago. A year and a half ago. It was held in Toronto, yeah, a driving distance from my place. So we drove up, I picked up David on the way, and then we went to Real World Crypto. To get into RWC, I was required to join the IACR. David disputes that this was a requirement, but I remember distinctly not wanting to be a member of the IACR, or that it would have no value to be a member of this organization. And yet I am a member. And I know that because I was told, A, to vote, and B, the vote didn't work.
So could you guys tell me a little bit more about what this organization actually does and really what the implications of the vote are. It's just another academic body that runs conferences. So the tent poles for being an academic cryptographer are the CRYPTO conference, which is held in Santa Barbara every year and has been going for 40 years now, I think; EUROCRYPT, which is in a different place in Europe every year; and now ASIACRYPT. Those are the big three. They're considered some of the most prestigious academic venues, not purely theoretical, but straight-up cryptography, cryptology, and, you know, a little bit of attack stuff, in the world. There are other venues where you can do more applied stuff that's more of a security bent, but for straight-up cryptographers who are doing straight-up academic cryptography, those venues run and operated by the IACR are where it's at. And then they added the Real World Crypto Symposium over 10 years ago now. And that became very, very popular because it's not a place where you submit papers and get published in peer review, but you submit presentations and they also get reviewed for, you know, quality and relevance. And it also appeals to people in industry who may not be publishing cryptography papers, but they're very interested in how this stuff gets deployed and results that affect the real world. RWC is the good one because it's where most of the good attack presentations get published, or at least most of them. Real World Crypto is just the worst MTV reality show. I remember it not being an especially good MTV reality show. Do the directors of the IACR pick the program committees for RWC? I think you have a chair of the actual conference and the actual symposium.
You have several chairs and they help choose the program committee, and they help us try to find them, because for example, for CRYPTO, EUROCRYPT, ASIACRYPT, you might need like a hundred people to be on the program committee because there are just so many submissions to review. I think it's smaller for Real World Crypto to review submissions 'cause it's not full-on papers, it's presentations. And then there's a bunch of other smaller conferences for IACR. And then the other thing that IACR does is they run the ePrint Cryptology Archive. It's basically arXiv, you know, where you've published all sorts of preprint papers from all over science and academia. But IACR and the cryptographers basically have their own, and we don't know why they just aren't on arXiv like every other field. But they do, and that is a really good place to keep up to date on the latest developments in academic cryptography, 'cause basically everyone submits a paper there, whether it's just an idea or a very important result that they want everyone to see. Yeah. So they run the three most important conferences in cryptography. Yeah. Conferences where papers are peer reviewed and published, and then they also run Real World Crypto, which is very important for applied industry stuff. So in the field, they're doing essentially the same thing that ACM does for computer science, or USENIX, or Springer for the other sciences. Springer's a publisher, but ACM and USENIX, correct? Yes.
It's just specific to, you know, robust, quote, academic cryptography under peer review. They're arguably more competent because they run multiple good conferences, whereas USENIX runs a few in different fields but they run one security one, and then ACM runs one security conference, and then IEEE runs one security conference that's not in Oakland and everyone calls Oakland. But the IACR manages to run more than one top-tier cryptography conference, which is actually kind of impressive for an organization to do. Okay. This makes sense. So yeah, I still don't know why the New York Times cares about the vote. I do get... Who was the author? Let's see. It's a person, like an early-career journalist that got a break on this story. There's a little blurb about it at the bottom. I'm sure they're great. I'm just saying there's a little blurb about this at the bottom. I too was wondering whether this was like a beat reporter at the New York Times that found this out. But, uh, no, apparently not. A person who's assigned to cryptography the whole time? Well, I mean, there's people that are assigned to like the internet or, you know, computer security. Those are topics that actually get covered. The entire angle on this story is just that it's really funny, yeah. I mean, literally, cryptographers have a fancy way of doing their elections with fancy cryptography, and even the cryptographers can't hold onto their keys to do their fancy decryption. Like, I think that's it. Among the four of us, could anybody competently describe how the system roughly works? So one thing that I did learn, like I'm threshold-pilled because I worked on threshold signatures for several years when I was at DC: Helios has, I'm pretty sure, ElGamal-encrypted ballots. And that's kind of funny because... Oh wow. We are still doing ElGamal in 2025.
Okay. This is the last place. There are others. It's not the only end-to-end voting library that uses ElGamal. In fact, there are two others that I know of offhand that are used. It kind of makes sense because literally ElGamal is basically public-key encryption with, I mean, I'm assuming it's elliptic curves. It's not, you know, finite field or something like that. Maybe it is. You're assuming. I looked at the paper and it just said ElGamal, and I'm just like, okay, I have to go dig into the code to actually figure out if it's, you know, something not as fancy, but we can go see. We could find out on the voting site right now. So the whole thing is... Oh, a web app. It is done via a web app, which is nice. It is cosmetic. Oh, shush. We have an old, old episode where we can refer to whether or not you believe in that, but I do not think the Helios hosting is doing any of the fancy pinning and hashing and web app transparency stuff that we all recommend for secure delivery of client-side apps in the browser. But we're just gonna leave that aside. We all recommend? Nope. Well, you know, if you want to really try to get application-level security for a client-side web app anywhere close to what you can get for a mobile app or a desktop app with comparable security, you need some extra stuff on top, because otherwise it's just TOFU, whatever the server gives you, right? It is. The code for the Helios version that is run for this election, which is hosted on heliosvoting.org, is public. There's a link to it at the top, and it's finite-field ElGamal? It is. I'd say this is from '08. It's definitely finite fields. Yeah. Okay.
So we have finite field, and as far as I can understand it, it's using ElGamal to basically commit to the voting values in these ballots. You have a ballot and you can tick more than one value, or you can tick yes or no for a ballot position or, you know, a referendum, which is one of the things in this most recent election. And the nice properties of ElGamal: it lets you add up stuff that is still encrypted. It lets you tally these things in a private way. And then at the very end, if you know the secret, you can decrypt these final values; or, you know, you have to know enough of the secret, or all of the secret. I thought that, in this day and age, they were using a t-of-n threshold of key holders to decrypt, because that's a thing that we've known how to do for a very long time. They're not doing that. It just sounds like you have a third and you have a third and you have a third, and you have to smush them all together to get the decryption secret for the tally of the homomorphically added-up ElGamal ballots, and then you can decrypt them at the very end. Hold on a second. To be fair, that's still a threshold. I feel like I might be learning something here. Right? So RSA is famously homomorphic with respect to multiplication; there are attacks that work that way, right? Yes. ElGamal is additively homomorphic? I think so. Matt Bernhard is... Well, yeah, it's additively homomorphic by multiplying ciphertexts together. So you multiply the things together, but underneath the value is, you know, one for Thomas, one for David, and yeah. I think it's the scalar multiplication... that we've forgotten more cryptography than he'd ever had.
But it's still true. This is the one small sliver of it that I know sort of well, sometimes. If it's cryptography that no one would ever have to pen test, I know nothing at all about it. And ElGamal exists nowhere in industry other than apparently this, so. And it's tough because the documentation, the paper, is from 2008, and we are looking at the updated, maintained source code. But there's not a lot of docs in between here and there that I can see. But yeah. There are other ways to do private balloting, private computation, private tallying that do involve a t-of-n sort of decryption scenario. And this is using a slightly different way of doing cryptography that makes it so that you may configure a system, not necessarily Helios, Helios doesn't support that yet, to have, say, two out of three key shares, because, you know, two of the three cryptographers that you have trusted to run the election and decrypt the results are available and one of them lost their share. You can still decrypt the tally. And this uses fun stuff like Shamir secret sharing and lovely polynomials to make it happen. But that is not implemented here. If any one of them lost their share, or not even share, but piece of the key, no one can decrypt. Everything's fucked. Why is this the one sliver... What? I was asking Matt why this is the one sliver of cryptography that he actually knows about. It's because when I was an undergrad, I had to implement a slightly newer variant of it for the STAR-Vote project. So, you know, even before Helios came out, there's been the stream of internet voting, of enabling voters to vote on their phones for all variety of reasons. Right.
And Helios was a really big and kind of surprising, I think even to Ben himself, step forward in that realm. It was accessible. He actually productionized it in a way that people like IACR could use it. But it did have some very obvious and serious drawbacks. And so a bunch of people in the academic community picked it up and ran with it pretty much immediately. Like there are, pretty sure, forks of the Helios GitHub that have threshold fully implemented, right? And there've been, you know, not dozens, but a dozen papers written about how to do certain things with Helios. And they're still being published today, right? There are new attacks on Helios all the time. There are other systems that have come out since then. STAR-Vote was one that, you know, Ron Rivest and a bunch of folks worked on. ElectionGuard is probably the biggest name right now in our industry, in the elections industry. That came out of Microsoft. It was Josh Benaloh, who way back in the eighties wrote his PhD dissertation on how to do basically what Helios is, and then, you know, with mix nets at the time. And then it's come forward a lot, so. That's a thing that I didn't realize was built into Helios. I thought Helios was just homomorphic stuff, like the niceness of the underlying... I didn't think it was some fancy-schmancy fully homomorphic encryption going on, but I knew that there was leveraging the homomorphic properties of whatever the math was under the hood to tally the stuff up. But it does involve some sort of mixing as well to give you more anonymity. Can you tell us a little bit about that?
Yeah, that I'm not super clear on. The kind of off-the-cuff read of it that I can give is, you know, when you're tallying, the mix net typically... and I think Helios publishes a bulletin board of ballots too, right? So when you vote, your vote gets encrypted into a homomorphic ciphertext, and when they run the tally they multiply the ciphertexts together and then decrypt the final tally, but they also publish the encryptions of all the ballots individually, right? And so you can... I cast my vote before we started recording and you can see the whole bulletin board of all the votes there. Right. And so theoretically, after the election is run, the administrators can provide a way to decrypt, right? You can implement your own verifier is what this is typically called, and I don't think Helios does it, but newer systems have like nix and other fancy things that you can do to prove that this contest was a vote for one, and so there's only one valid vote in this ciphertext and all that stuff. I don't know whether Helios does that or not. I don't see anything to indicate that, and especially because if that has to be completely in the browser... that sounds doable. Like I know that fancy cryptocurrency wallets will be... Oh, it's doable. Yeah. I have a feeling that's just not gonna be supported in this. Yeah, circa 2008. Or, you know, even that sounds like a big chunk. That's a big upgrade and a big chunk of work. And I think it's Ben Adida who is the creator of Helios. He's still maintaining it just sort of in his copious spare time.
I don't know if that would be supported, but yeah, having real zero-knowledge proofs, or at least some sort of, maybe not a zk-SNARK, some sort of proof on top of it, I think would be a very cool evolution of these sorts of systems. But yeah. They have some independent implementations to audit all the ciphertexts for ballots, which is cool. I don't know if anyone uses them, so. It's always the challenge with that kind of technology, and that's true not just for Helios, but Scantegrity or Prêt à Voter. There are a bunch of these kinds of protocols that have been proposed, or even mostly implemented and used, but have never been... It turns out that there aren't enough people who know enough about the stuff, who care enough about the outcomes of the elections, and who have the time and ability to do it, that they go and do it. I'm like 80% sure that Helios itself does verification of whether the ballots are well-formed, but I'm not seeing it in the original vanilla Helios paper. Well-formed? Huh? This may be me munging several papers together in my head. Yeah, but you're the one that actually understands all this stuff, so I'm just gonna take your word. I was distracted voting. I feel like this failed election is really just gonna act as a way to get out the vote. Did you vote for the referendum? I did vote for the referendum. Yay. This is one of the other major problems with a lot of these: privacy, right? And Helios has a "coerce me" function that you can expose how you voted with. I don't think your ballot gets counted when you click that, but... Yeah, it does. I think they spoil it. They spoil it, or at least that's what the UI says to the human. They include information to prove how well the ciphertext was formed.
But I don't think there's anything else about making sure that things are well-formed when you're not spoiling your ballot, to prove that you were able to create the ciphertext with your public key and the randomness that you used to create it. That's one kind of well-formedness. Can I just check my intuition on this? So the idea here is if you're relying on the additive homomorphic property of ElGamal, then you can tally the votes without decrypting them. So the well-formedness thing is really important because when you're tallying the votes, you're not actually decrypting them. You're just trusting whatever's in there. So if it's like a pick-two-of-three, then you really care about whether somebody did three of three instead of two of three, right? And so some kind of system would have to get built to let you verify the integrity of the votes themselves to make the system secure. Yeah, because you could do all kinds of things, like have minus five votes for a candidate or something in a ciphertext that cancels out votes, or, you know. It seems like a hard problem to... well, I don't know about the specifics of finite-field ElGamal, but it does seem like a difficult problem to verify anything about a ciphertext until you actually have the plaintext and the inputs and the randomness and a public key or something like that, and the ciphertext. Otherwise, you just have a ciphertext, and as long as it's in a range, you can't really say much about it until you can actually decrypt it. Right. Yeah, there's typically several... like in the systems that do publish proofs, there's several components. We call it the ciphertext.
But really it's like four different things that get published. There's a commitment and some other stuff that I'm a little vague on at the moment. That sounds better, because there are other systems that use these homomorphic properties, like Zcash, where you're doing all these balance computations of, like, I am trying to spend a note and I'm going to send it to this thing. And here's all the balances that are fully encrypted on chain, but you're doing all this other stuff at the same time. You're doing a full zk-SNARK with witnesses of all the inputs, and you have knowledge of your spending key authority, and all this sort of stuff with all of these little commitments. And those commitments are with elliptic curves that let you get a lot of that stuff, quote, for free. Yeah, and that's actually sort of the central problem in voting in particular: you both have kind of an extreme need for privacy and also an extreme need for public transparency, right? You can't allow any voter to prove how they voted, in most constructions, because it leads to things like vote buying, or, you know, vote my way or I'm gonna break your kneecaps, or whatever. But if you don't have that, it's really hard to prove later that everything was well-formed, especially if you're doing homomorphic stuff, you know, that kind of thing. And that's also where the "coerce me" thing that I talked about comes in. There's this notion that voters can kind of prove to themselves, because as a voter, why would you believe that the system is accurately recording your vote? I vote for candidate A; how do I know that it did that? And so the idea is that you can kind of iteratively spoil your ballot and make the system decrypt it.
And usually it's decrypted with proofs of correctness that it did the right thing. Or you can rework the math yourself, I guess, to show it. And so hopefully over time you build statistical confidence that if it was gonna cheat some amount of the time, I would've caught it by now, where I'm like 90% confident or 99% or whatever that it's recording my vote correctly. And that gives you a system-wide trust, if people are doing it right. There's still the possibility that any one ballot could be messed with by the system. But that is a one-off ballot in a vote that's hopefully many, many, many more than that, and will not throw off the results. Yeah, and this kind of gets into the difficulty of voting with any technology that's not just: here is my paper ballot. I created it myself. Maybe I used my pen, maybe I used some assistive device to produce my marked paper ballot, and I hand it in to somebody either by mail or literally handing it to a human being at my local... or putting it into the thing that counts it yourself, right? Yeah. You know, in theory, if the computer that is counting and scanning my ballot is just totally fucked up and full of malware or something like that, you still have a big pile of paper ballots that I saw with my human eyes, or my human senses, that I produced a ballot and then I gave it to you. And then all of these other dynamics about transparency, but privacy, but also I can't prove I voted a certain way, but I know I voted a certain way because I voted and I handed you my vote.
All of these dynamics are part of why voting online, or voting digitally, or remotely, or even with encryption, is a harder problem than basically anything else that we do online, including banking, including cryptocurrency, weird private cryptocurrency. Like, are we getting any closer? We can skip Helios, but are we getting any closer to something that we feel pretty good about, that gives us anything close to the feel-good nature of: here's my paper ballot that I produced somehow and handed to a human? I think in the US, maybe; in many countries, not as much. So US elections are ridiculously complicated compared to most of the world. We have hundreds of items on ballots, whereas if you vote in Germany, for example, maybe there's two or three contests on your ballot at a time. Which is why when people say we should hand count or that kind of thing, it also doesn't really make a ton of sense. Germany, you know, I picked them for a specific reason. I believe it's the constitution that explicitly says no election can be held with technology that the average German couldn't understand. And so, yeah, homomorphic encryption, gone, right? In the US, because we vote for so many things, we vote for dog catcher, right, in some jurisdictions, we have to use technology to administer elections. It's not really optional. We vote for lots of things. We have lots of different languages. We're a very diverse population. We have the Americans with Disabilities Act, which guarantees, you know, your right to..., and the Help America Vote Act, which tie together so that if you're a blind voter, for example, you have to be offered the same voting experience that everybody else gets.
It turns out that doesn't work very well in practice, but because of all that stuff, we have to use computers in some capacity, right? And so we have a lot of robust methods to use computers and check them that all rely right now on paper ballots, as you mentioned. And so internet voting is still, I think, a long way off. We're a lot closer to it than we were in 2008, when Helios came out. But there's still so many... even just the specific cryptographic challenges pale in comparison to all the other problems that we have, right? From not every voter has a smartphone, to the coercion problem, right? And this is actually true for absentee voting at home as well, to some extent, where if you're filling out your ballot not in a booth that is under watch of poll workers or whatever, you could be coerced. And even if you are, right, we have smartphones now, so you can take a picture of your ballot as it goes into the scanner or something, which may or may not be legal depending on where you live. It's complicated. But, you know, there's that stuff. There's: okay, so I'm voting on my phone; I also have client-side malware on my phone that's watching me vote. There's: you're creating a single point of failure. So there's one server or many servers that are taking in votes. What if they go down on election day? What if Cloudflare or Amazon or Microsoft have an outage? You know, let's say, just to pick an example totally at random, that's never happened before. So there's all of these kinds of problems that stack up on each other. It is not even just the public-evidence, secret-ballot problem specifically; there's so many other challenges that we're maybe starting to kind of solve in some ways, but not really robustly enough for everyone to vote, right?
If a few people are doing it, it's probably okay because the margins are gonna be wide enough or whatever. But yeah, there are substantial challenges. Yeah. And there is legislation on a lot of different jurisdictions' books that there is one voting day; you vote on a day. And maybe they have absentee ballots or something like that. But everything else is: you have a single day. It must not fail, right? You know, what do you do if someone DoSes some critical service, et cetera, et cetera. Which happens, right? I mean, that's what causes lines at polling places, right? There's all manner of crazy things that happen. But the fun fact is many jurisdictions in the US, and not just here, Canada also has this as well, and a couple of other countries, Estonia's also at the top of the list, also require internet voting for certain voters. If you are on a battleship overseas, right, or you're in an active war zone, or just in a country that doesn't have robust mail, we can't mail you a ballot. It's not gonna get there in time. And even if it does, it's not gonna get back to us in time. So, you know, "internet voting," air scare quotes, right, has been a thing in the US for 20 or 30 years. But what it has meant historically is I'm gonna fax my ballot or maybe email a PDF of my ballot, right? And so we are getting closer to making that situation better, right? Because we can talk about homomorphic encryption all day, but if you're faxing your ballot at the end of the day... So that is already getting better just because it has to, right? It's too big to fail or whatever you want to call it. I, honest to God, don't hate the idea of filling out a PDF of my ballot and sending it somewhere.
Like, I don't like security wise, reliability wise, even privacy wise to a degree. I don't mind that, that much like All this other stuff. I'm just like, ah, that's gonna, we're gonna fuck that up. Something's gonna go wrong. But like, literally like, here's my ballot. I, I emailed it or I digitally faxed it. Like there has to be some sort of, you know, digital service that gets between the, you know, turns my PDF into like, you know, a dial tone on the back end to, to fax it to a number. I don't hate that. And games until you don't sanitize your PDF file names and then suddenly that'll be the next thing is like, we found this Next parser next in this, in the critical like absentee voting system of such and such an election. well, and we have, right? I mean, um, it's not just the fax and email, but also there have been several vendors who have tried to do some flavor of, of vote by app, right? Voatz is the most, uh, poignant one to me, uh, because they, they were a blockchain voting app, right? In the, and they're, they're still around, but, um, their heyday was like right before COVID. and, you know, a couple of security researchers started looking at their stuff and found out they didn't even use a blockchain, right? Like it's, it, it turned, and, and, you know, when they were transmitting the data, they weren't, um. Masking it. So you could literally just watch the bytes, go across the wire and tell who someone voted for because, you know, they weren't, they were scrambling it or whatever, but it wasn't like actually robustly encrypted. So like, the longer the candidate's name was, the longer the bytes were that went to the server. And so, you know, like, uh, so you know, it, it's, it, you know, support you voting by PDF necessarily, but you know, there are, there are better ways to do it. Oh gosh. I, uh, I hate, I hate that you didn't even, you didn't even use the blockchain. You could, you could've. right. Yeah. 
I, I have, I have, I have a, I have a Helios question. Even though none of us are necessarily Helios experts here, so if, if you look, there's the, if you look at the Helios paper or the first Helios paper, um, there's like a, like two four of that paper is what the whole process is. And just a couple of bullets, right? So it's like, um, you know, the person who's voting a ballot for themselves. You can prepare as many ballots as you want, right? When you, uh, you know, when, when you feel comfortable with That the ballots are valid or whatever, you're like getting predictable fees on the ballots, you can cast that ballot, which is essentially. that ballot to the private key of the election administrators to the trustees effectively. So far so good. That's right. That sounds good. That sounds they have to do that in some fashion. Yes. So the key thing on the system, like all of the, you know, the, the voting systems of this vintage, I guess that's, it's gonna be true of blockchain voting too, but you cast a vote, it gets recorded by the server on a bulletin board for the vote. Right. Um, which is what I see I've seen, my, my ballot for IACR just now is like, you, you, you don't see people's names. You see like an identifier, um, you get like a voting ID or whatever. You see the, the, the bulletin board of all of the votes cast, that's step two. Everybody can check that and see who's voted. Um, and then when the election closes and they're about to go tally all the votes, shuffle. All of the votes in the bulletin board. So the votes in the bulletin board as cast are linked to the voter if only by metadata. Right? Like, you know, when it was cast, you can do traffic analysis to see when it was cast, um, to count all the votes. They're gonna decrypt them, uh, They're gonna Not individually, I don't think. yeah, not individually. We're gonna multiply all of them together to add them and then decrypt that right Yes. they're, yeah. 
They're gonna decrypt, tally vote thingie. Right? So like they do the shuffle step because they don't want to be operating directly on the bulletin board entries, which are linked to the identifying the, the i, the identities of the voters, which is why they have all this mechanism to do the shuffle and then to produce a proof that there was a shuffle, which seems like a, a big part of the core of the system is like the verifiable shuffle. And the safeguard is if you don't have that verifiable shuffle, people will know the election wasn't valid. They'll just say It wasn't, it wasn't right. But Um, if you skip the shuffle, you can violate the privacy of everybody that voted. yeah, it's, I don't think that if you don't do the shuffle and have a verifiable proof of shuffle. That you can't still do the, the homomorphic tally and then decrypt it. You just lose the privacy of the, of associating times of ballot, and like literally the order in which those, uh, those encrypted ballots came in. Um, you lose the privacy, but you don't necessarily lose, like, quote, the integrity um, of the actual, uh, of the actual results. So leaving the server itself, like the code behind it aside, which might enforce arbitrary policies, right? From a cryptographic perspective, it is possible to tally all the votes that were cast without shuffling them. think so. Yes. Yeah. Yes. the only cryptographic safeguard that they give you is, you would at least know that that happened. 'cause you wouldn't get the, the, the, the, the cryptographic proof that they did the shuffle. This is Yeah. why they have multiple trustees. So multiple trustees can provide a cryptographic proof that they did the shuffle. Oh, I didn't know that. That's cool. I mean you could just like take a backup right Like there's no cryptographic proof that the unshuffled version doesn't still exist right my whole question, right? And this, this, this gets more generally to voting systems and not just Helios. 
And I'm also saying this because maybe Ben Adida will hear this and yell at me, but like. Do I care that much? Like it seems like you want more safeguard than, okay. I know the election was, you know, manipulated. right Um, like it's still a pretty grave privacy violation to decrypt somebody's vote. To know how somebody voted. Like if that's the attack you're worried about, it's, that's not an attack on the integrity of the vote. It's an, it's an attack on, you know, the safety of individual voters. I'm wondering what I'm missing about this. So I don't think, the, the, uh, executors of the election, the ones that you encrypt your ballot to. Um, can decrypt, uh, individual ballots, um, or your, your individual ballot Clearly they cannot, individual trustees cannot decrypt. or else we wouldn't be in this situation. Uh, yeah. So it it's, there's still a level. It's, yeah, like, like you mentioned there, there's still a level of like value that you cast as your ballot is still protected, um, by the ElGamal, The fact that you, like, it's can be, you can get a lot of meta information, metadata about the voters and when they voted and at what time they voted. And you can associate, um, you know, this encrypted ballot was cast first and you know, based on the, the server logs, we can see that it was cast from somewhere in European Central time or whatever. Um, tweeted, Hey, I, I just voted in the, you know? Yeah. So it's, it's, I think it's that sort of thing, but I do not think you cannot, you can decrypt literally what the very first vote cast, um, by someone who tweeted that they did that, uh, what the value of that vote is. Um, do the shuffle right, like just, just assume you're doing everything homomorphically. Right. You'd yeah, roughly what the votes were. Right. Because you know the before and after state of each one of the Yes. I, making faces at me. Let the I guess you could. faces at I'm with you Yeah You just homomorphic with all but one Mm-hmm. 
in theory you could just be like, cool the vote, like, one, one vote cast decrypt the entire thing, Right. Yeah. Mm-hmm. the entire thing, and so on and so on. Yes Yeah but is not like a new attack on the system. Like you would reason they you would need all three Yes. You trustees or whatever to Yeah all, all the shards or whatever. Uh, you know, the three of three, I'm not even fully sure if it's three of three or if it's, I think it, I think it's literal. Like this version of Helios is it's just three. just like, I need this chunk. It's not even like three of three. you know, which Shamir polynomials under the hood. it's it's everyone gets a third I think so. Okay I think so. yeah. Okay. so. even if you wanted to, like, even if you wanted to break the whole election and violate somebody's privacy, you'd need to get all three trustees to do it. After you did that, there'd be cryptographic proof that that happened, or at least there'd be cryptographic proof that you didn't do the shuffle. But as long as any of the No shuffle, would be Crip There wouldn't be cryptographic proof that you did the shuffle That's what I mean. Yes. So Wikipedia page says 2.0, Helios abandoned the shuffle and switched to a homomorphic encryption scheme to make sure that that was, uh, kept Mm-hmm So we Great job of Because you could, you could still do this, could because couldn't you still decrypt as you went and then at the end you still have the original ciphertext. Just add them all together and decrypt them. Final tally or, or do the shuffle or whatever. Right. Yes, I think so. So I think there's like two things going on here. yes. concern and one is the, Integrity. Integrity yeah. sort of. 
the privacy on this podcast will have an indeterminate amount of time in between when we record this episode um and when we release it So you can't figure time and figure out which vote came from me And Thomas we'll provide some sort of non-interactive zero knowledge proof that we, you know, of the time. I don't know, something like that. have when you just message Deirdre and she says yes or no depending on if you're on the right or left side of the time just like understanding why there are three trustees and how they're actually like, what the roles of these people are yeah. these components in the system, mark. One trustee always tells the truth One trustee always tells lies Two trustees. Yeah. Three trustees is a party. Right? What's the, you know, All of them are trying to cross the river to get to Real World Crypto But one of em has a wolf and one of em has a chicken One of em threw their USB stick in the lake I think what I heard is literally there was a file and it got saved down somewhere and they just couldn't find it. I I, I wish it was just literally, this is, there's a USB stick and I have to plug it in and I can't find it anymore. Yeah, the shuffling thing is, is still confusing to me in that because I don't, does the paper talk about ElGamal? Uh, the 2008 paper does. Um, Yeah, it does. Okay. I'm just impressed Ben has maintained a Python project for like what 17 years Like that's pretty good a solid Django project? Like were we even on Python 2.7 in 2008 Like I don't not even remember might have been 2.5 still or 2.3, 2.4 Um, so unfortunately, even if we do the fancy whizzbang version with like, uh, fully homomorphic encryption and, uh, threshold decryption and two-of-n or, you know, however, t-of-n, uh, for actually decrypting the, the ballots, uh, the full, the full tally, everything like that. It still reduces down to you have a key and you gotta maintain that key. 
It sounds like a very human issue, uh, that we just don't quite have a good way to solve. So, don't know. Matt, you seem to have the most experience in this field. Like are we getting any, uh, getting anywhere into a future where like, don't lose this key is not just like the root of all of our problems. I think you're, you're, you know, there's, always devolves to like somebody maintaining an X.509 cert in an HSM somewhere and then deriving, uh, you know, keys from there. Uh, I don't really know. Uh, yeah. I do think that the actually getting threshold, threshold, encryption, threshold, whatever. working, uh, helps so that, you know, if you lose one piece, you're not totally fucked. Mm-hmm. have a configurable t-of-n. the trouble is that actually setting up all of those threshold-ized keys is a whole other rigmarole. Um, you can have a trusted dealer usually, and that's, you know, maybe if you all sit in one place and you do it and you just trust each other, you could just do that. But if you're not, you either have to send, just send them via some other secure, confidential channel that you authenticate, a Is another key bootstrapping problem. Yeah. Mm-hmm. you do some sort of fancy distributed key generation thing, which is very, you know, it's very popular and they try to make that happen in like, kind of the blockchain world where you don't really trust each other and there's, you don't want to have any centralized, trusted authority who's generating keys and handing them out. Um, but depending on the kind of cryptographic system that you're using, um, that can get real complicated too. Like you might have DKGs that have multiple rounds and can fail and, on, on and on and on. And, you know, maybe you need to use something called a broadcast channel. If you ask a cryptographer who publishes a distributed key generation algorithm paper, and you're like, where can I get, where can I pull an implementation of a broadcast channel from like GitHub? 
They're like, what? What do you mean? Because that thing doesn't exist. So. You know, uh, to, to quote Lea Kissner, um, you just, cryptography tends to take security or other problems and turn them into key management problems. And that could, like, it continues even down the rabbit hole of the threshold stuff, which in theory would help mitigate the, someone loses their part of the key thing to a point. And, uh, I don't know if we're, uh, we might be improving it a little bit, but not completely. Yeah, I mean, I I mean, like Election Guard does threshold, it does k-of-n or t-of-n. Um, and yeah, you literally sit in a room with your Microsoft Surface tablets, you know, all the trustees come and they, they do a key generation ceremony. So it's not, it doesn't really get better than that, as far as I can tell. What, what is Election Guard? Sorry. Yeah. Yeah. So Election Guard is an open source specification and implementation of end-to-end. So Helios is like classified as an end-to-end verifiable voting system. There's like three properties of end-to-end verifiability, or it depends on who you ask, but there's a bunch of different definitions in the literature. Um, I think the most adopted one is, is there's three properties. There's, um, cast as intended, collected as cast, and, uh, tallied as collected. cast as intended means, I'm the voter. I voted for Bob and the system recorded my vote for Bob correctly. That's the Helios coercing thing where you can decrypt your ballot. There's, um, collected as cast, which is, I submitted my ballot and I now have proof that it was received by the server. So that's the bulletin board thing where I have the ciphertext and I can see that the ciphertext is in the same place. And again, I've convinced myself that the same inputs produce the same ciphertext or whatever, you know, a correct ciphertext. And then there's a tallied as collected, which is the homomorphic encryption thing. 
Anyone can grab all the ciphertexts and, and, uh, munch them all together, produce a tally and verify that the ballots, you know, uh, it's, it's garbage in, garbage out, right? That if the right data went in, then the, the right election outcome comes out. So Helios is, is part of a broader, like, constellation of these end-to-end voting systems. And, uh, Election Guard is sort of the most, not, it's definitely not the only, uh, robust Swiss Post actually has a, a, uh, an implementation that I believe Olivier Pereira, who also worked on Helios. Did an analysis of with, uh, Vanessa Teague. And, um, yeah. yeah. Um, and they, they found a bunch of problems. You know, they went through an open process 'cause they're, uh, you know, it's a governmental process, so they had to submit for feedback and all that kind of stuff. Um, so, so Swiss Post is one variant. Um, and, and Microsoft kind of their goal was like. How do we make election security better? Why don't we just put out an SDK that supports all the end-to-end primitives so that any vendor, you know, like a voting machine vendor or an internet voting vendor can use it and actually do better than just being Voatz and not using a blockchain and saying you're using a blockchain. Right. and there's actually, literally a couple weeks ago they launched, uh, there was another competitor, SDK kind of thing launched that also is, it's, it was written by Free and Fair and it's, uh, it's, you know, Election Guard and this new thing by Free and Fair that I can't remember the name of are, you know, they've done, like, they've written up proofs in like Coq and stuff and they've like, you know, it's verifiable, et cetera. Supposedly it's correct. Um, uh, yeah, so Election Guard is Microsoft versions of that. Microsoft's version of that is probably the most. used in the United States. Um, it's been taken up by one of the major voting hardware vendors. Um, my employer. We use it for our, um, one of our applications. 
Um, and yeah, it, it's just, it's kind of like Helios with a few more bells and whistles that is just an SDK that you can use instead of hosting it as a, a web, as a wholly self-contained app. so if it's an SDK, like is there, like how does it fit into some sort of backend or is it just sort of like all sitting on, you know, basically like a, like a PC that you sit in your precinct or something like that? so there's many different ways you can run it, right? So there's, uh, that is one of them. And I think that's what, like Hart InterCivic, the, the vendor that has integrated it VotingWorks actually also, uh, did a pilot with it as well. where you have, there is an Election Guard app that is what does the key ceremony and all that stuff and exports the cryptographic material. And then whatever thing on the other end of it is, takes in that material and uses it to generate ciphertext. And then you export the ciphertext from whatever that thing is back to the Election Guard machine, uh, to tally, you know, and do the, the, the crypto. Um, so like we use it for, um. Internet voting for military and overseas voters, right. Hart InterCivic is using it for paper ballots, right? So you, you put your paper ballot through the scanner and it, it has a little bit of Election Guard code local to the scanner that encrypts the ballot there. Uh, and you can do, you know, the whole challenge decrypt process, I think locally as well there, but, that's, really cool. 'cause I hadn't heard of like, the only, the only systems that I heard of was like, like the Swiss Post one and mm-hmm. which is like, we have the whole thing and Mm-hmm. the value of that, but also it's like, it's like a big thing that you have to take on if you decide you wanna support that. So having kind of like the SDK version, that's really cool. 
Yeah, it lets the cryptographers focus on what they're good at and it lets like human factors, people or you know, hardware engineers or whoever focus on what they're good at. And I think that was a really important lesson that came out of like the STAR-Vote project, which Josh Benaloh was one of the cryptographers on, and he is the driving force behind Election Guard as well. Uh, realizing that, you know, voting systems are really, really complicated and trying to do all of it at once is maybe not the right approach to get started. Oh yeah. This is really cool. And I'm looking, I'm looking at that you even support ranked choice voting Mm-hmm. uh, all the risk limiting audits and stuff like that. Um, can we, can we, not to to completely go off of, um, you know, Election Guard and things like that, but, um, can we at least talk about how, if there's anything in cryptography, you have to get a quote from Ron Rivest and you and the New York Times got a little nice quote from Ron Rivest, um, and he was very nice about it, but. Ron Rivest, like Ron Rivest is the R in RSA. So if you, if, if anyone knows anything about cryptography, they've probably heard about RSA and Ron Rivest is the one, is the RSA is the R in RSA. Uh, in his like later academic career, he basically has switched to secure voting and verifiable voting. And I remember when I was getting into cryptography, like in 2015 or so or whatever, I went to go see a talk by Ron Rivest and he's just talking about risk limiting audits of paper ballots time. And he's not talking about any math or any cryptography at all. I'm like at the very end he kind of I have to show my. jar of 10 sided dice that are used for risk limiting audit, um, because you use a random number generator to draw the ballots, you have to generate a random seed as input, so, Oh my God, I love that so much. And even for that, you're using, you're just using a jar of yep, of, of, and not even like a computer based seed. yep. 
like what do you think about like like I completely, at this point in my career, I completely am just like, yeah, let's, like, as much as possible, like try to like collapse down to paper. Like maybe you have to like fax in a p like whatever your ballot from overseas, maybe you have to have, some of it is, you know, via systems powered by Election Guard or something like that. But like at the end of the day, you're, you know, you're pulling everything down to paper and then you have, you have your paper record and you have like automatic risk limiting audits and things like that. What do you think about that sort of Yeah. Yeah. It's, in America? 'cause it's. an American and so like, I'm thinking about our extremely diverse voting systems and, and all of that stuff. Yeah, I mean, simplicity Is king. I think wherever it can be. Um, the, you know, the, there are too many challenges. I don't think we can get rid of technology altogether. Um, like I said, know, if, if you want to know how hard hand counting is, go buy a ream of paper at Staples and count how many sheets of paper are in it and see if you get the same number as the outside of the package. Um, you know, so I, I don't think that's ever gonna be super viable. Um, but, you know, it, it's sort of, this is another one of these problems where there's like two really important things, totally in tension with each other. It's like the need to accommodate every voter and the need to be, uh, intelligible by anybody. Um, so like, you know, there will always be blind voters who need assistance filling out a ballot in some capacity, whether it's a paper ballot that they mark on a screen and then it gets printed out, or, you know, it's totally electronic, whatever. Um, it turns out if they print it out, um, they're still blind, so they can't read the paper. Yeah. Yeah. Awesome. All right. 
Did we, uh, did we miss anything fun about the, uh, cryptographers not able to run their fancy, or at least 2008 flavor of fancy, uh, online voting election. we kind of, we kind of touched on like voting is a very interesting, it's a very social process. Um, and there's a lot of other, there's a lot of other things that we do online or do like extremely assisted by technology that like. It's different. Like you, you wanna talk to your bank, you wanna do banking online, like cool. That's between you and your bank making recommendations, uh, of specific, you know, very, we have very powerful cryptography and technology that we can try to apply, but sometimes that's not the important thing. It's all these other social dynamics that matter a lot more to trust, uh, in the system. So I can, I can both understand why people recommend it and also just sort of like, nah, nah, not, not yet. Maybe not yet. We miss anything? Is there like a funnier thing for a group of like scientists or specialists to do besides like cryptographers lose key and can't count election and like like physicists get stuck in a dumbwaiter Like like can can we top this like chemists like eat poison berries off of a bush Yeah I mean, I, I, I feel like the, uh, the demon core, uh, criticality experiments, uh, when they were, they had just started making nuclear weapons. Uh, and they're literally, they're literally like twiddling two halves of a plutonium sphere with like a, like a flathead screwdriver. And like several people died because someone went oopsie. And they, they have achieved criticality, uh, of the nuclear core like twice. Um, feel like, I feel like we can't really top that one, Yeah Matt, thank you very much for hopping on with us to, to giggle about, cryptography, uh, and, and nerds who can't handle their own keys, because apparently we're all human and handling keys and things like that is still difficult for real human cryptographers to do. 
Is pretty sure that anybody could have gotten this right. Twitter is pretty sure that anybody could have gotten this Any Anybody to, yeah, anybody? Yeah, sure. Yeah, Yeah Yeah Cool. No not, not yet. Maybe we'll make it a little easier with threshold, but still we have to figure out how to distribute the keys. no no no no no no no No No one has ever made anything easier by introducing threshold cryptography maybe. have at best made something possible but you haven't made anything easier I, yes. Never has taken an existing thing and been like you know what would make this easier Well, I would Some groups and more people argue. Yeah. And then yes, because literally it goes from this failure mode, which is if one of one of them is lost, everything's fucked to, if one of them is lost, not everything is fucked. But if two of them are lost, everything's fucked. And then you have to do all the other stuff of distributing the key shares in the first place. So anyway, thank you, Matt. Um, Security Cryptography Whatever is a side project from Deirdre Connolly, Thomas Ptacek and David Adrian. Our editor is Nettie Smith. You can find the podcast online at e and the hosts online at @durumcrustulum, @tqbf, and @davidcadrian. You can buy merch online at merch@securitycryptographywhatever.com. If you like the pod, give us a five star review wherever you rate your favorite podcasts. Thank you for listening.