For the 2022 legislative elections, French nationals living abroad were able to use remote electronic voting (e-voting). While this offers many advantages in terms of organisation and accessibility, e-voting requires a specific protocol that offers the same guarantees of security and confidentiality as a traditional polling station. “Internet voting wasn’t used in the 2017 legislative elections because the French National Cybersecurity Agency (ANSSI) considered that the system proposed at the time didn’t provide a sufficient degree of security”, says Alexandre Debant.
“ANSSI issues an advisory opinion, which the authorities responsible for organising elections generally follow”, adds Lucca Hirschi. “In 2022, the stakes were high because it was the biggest electronic election in terms of the number of ballots transmitted that had ever been organised on a global scale. The ANSSI gave the green light after an audit”.
The two researchers took a close interest in the operation. “Our colleagues Véronique Cortier, Pierrick Gaudry and Stéphane Glondu, who work on the Belenios voting platform, were asked to set up a 'trusted third-party' verification tool for these elections”, they explain. “We independently decided to explore the question by studying the limits of defence mechanisms. A document presenting the protocol was published one month before the election and on first reading we suspected potential security flaws. Our examination of the code confirmed our fears about the vacuity of the trusted third-party verification tool”.
Guarantees of sincerity and secrecy of electronic voting
In a traditional polling station, the sincerity of the election is guaranteed by the physical presence of the voter, who places their ballot paper in a transparent ballot box, and that of the assessors, who record the vote and open the ballot boxes in public. “In general, there are two types of security guarantee. The first is the confidentiality of the vote. In concrete terms: no one can know who you voted for. The second is the integrity of the result: the result declared must correspond to the sum of the ballots submitted (with no ballot altered or removed) and these ballots must have been sent in by legitimate voters. The aim is to use cryptography to achieve the same level of security in e-voting as with paper-based voting”.
During the 2022 legislative elections, each voter received a PDF receipt composed of cryptographic data when their vote was submitted, allowing them to check their vote had been registered correctly, either on the website of the French Ministry for Europe and Foreign Affairs (MEAE), or on the website of the trusted third party, appointed by the MEAE. The confidentiality of the vote was ensured by a decryption key shared between the sixteen people in charge of the electronic polling station, including a member of the Conseil d'État, the director of ANSSI, ministry staff and members of the Assembly of French Citizens Abroad. Alexandre Debant and Lucca Hirschi identified vulnerabilities in the design and implementation of the protocol that could allow attacks on both the verifiability and secrecy of the vote.
Vulnerabilities in the protocol and code
“In terms of the verifiability of the vote, we detected a problem in the implementation of the protocol, mainly due to a bug. When voters create their electronic ballot, their device encrypts their vote with the election public key and computes a unique fingerprint for the electronic ballot. The ballot is sent to the server, which in turn calculates a receipt containing this fingerprint, among other things.”
“The receipt is sent in several forms and then displayed to the voter. Logic would dictate that the voter's computer should check the consistency of the receipt with the previously calculated fingerprint before displaying it, but when we analysed the code, we found there was a flaw at this stage in the process: this check was incomplete and it was possible to fool the system”. If the server was compromised, it would be possible to modify the electronic ballot sent and send voters a receipt that would lead them to believe that their ballot had been faithfully recorded according to their choice. The verifiability, integrity and sincerity of the ballot are all undermined.
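A minimal sketch of the client-side consistency check described above, added here as an illustration and not taken from the voting system's code: the receipt layout (three hypothetical forms), the function names and the use of SHA-256 are assumptions. It contrasts a check that compares only one form of the receipt with one that compares every form against the fingerprint the device computed itself.

```python
import hashlib
import hmac

# Hypothetical receipt layout: the article only says the receipt comes "in several forms".
FORMS = ("text", "qr_payload", "pdf_ballot_ref")


def fingerprint(encrypted_ballot: bytes) -> str:
    """Fingerprint the voter's device computes locally (SHA-256 is an assumption)."""
    return hashlib.sha256(encrypted_ballot).hexdigest()


def partial_check(local_fp: str, receipt: dict) -> bool:
    """Incomplete check: only one form of the receipt is compared."""
    return hmac.compare_digest(local_fp, receipt.get("text", ""))


def full_check(local_fp: str, receipt: dict) -> list:
    """Complete check: return the forms that are missing or disagree.

    An empty list means every form carries the locally computed fingerprint;
    anything else means the receipt must not be displayed as valid.
    """
    bad = []
    for form in FORMS:
        value = receipt.get(form)
        if not isinstance(value, str) or not hmac.compare_digest(local_fp, value):
            bad.append(form)
    return bad


def demo() -> dict:
    # Constructed sample data, not real ballots.
    sent = b"constructed-ciphertext-of-voter-choice"
    stored = b"constructed-ciphertext-substituted-by-server"
    local_fp = fingerprint(sent)
    honest = {form: local_fp for form in FORMS}
    # A dishonest server keeps the one checked form consistent and puts the
    # fingerprint of the ballot it actually stored in the other forms.
    other = fingerprint(stored)
    forged = dict(honest, qr_payload=other, pdf_ballot_ref=other)
    return {
        "honest_partial": partial_check(local_fp, honest),
        "honest_full": full_check(local_fp, honest),
        "forged_partial": partial_check(local_fp, forged),
        "forged_full": full_check(local_fp, forged),
    }


if __name__ == "__main__":
    print(demo())
```

The forged receipt passes the one-form check but is rejected by the complete one, which is why every form shown or saved for the voter has to be tied to the locally computed fingerprint.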
"In terms of the secrecy of the vote, the attack exploits another weakness, not in the code but in the protocol design itself. At the electoral level, French citizens living abroad are divided into eleven zones, which are in turn divided into consular constituencies, each attached to a polling station. These constituencies are not all the same size. In Sydney, for example, there were tens of thousands of voters, whereas in Ekaterinburg there were less than ten. We discovered that it was possible for an attacker to target a voter, divert their ballot to a consular constituency where there were very few votes, or none at all, and then find out who they voted for when the votes are counted and the result revealed. This was made possible by a flaw in the design of the zero-knowledge proofs that accompany the ballots”. This also means that the other central objective of the protocol, namely the confidentiality of the vote, is also compromised.
From ENS to Inria
Alexandre Debant studied at the École Normale Supérieure in Rennes and then defended his thesis at IRISA before joining the Inria centre in Nancy as a post-doc in September 2020, where he was appointed as a researcher two years later.
Lucca Hirschi hails from Switzerland and completed his PhD at the École Normale Supérieure de Cachan before joining the Swiss Federal Institute of Technology (ETH) in Zurich as a post-doc. He joined Inria as a researcher in January 2019.
A constructive approach
"We have shown that some attacks allow the attacker to cheat, depending on the attacker model. We cannot say whether such attacks have been exploited during the 2022 election. We have shown that these attacks wouldn’t have left any detectable trace, not even under later investigation. The definition of the attacker model is very important because it defines the nature of potential attacks. The vulnerabilities and attacks we have shown can be exploited by an attacker who would compromise either the voting server administered by the MEAE or the secure communication channel (TLS). In the context of an election of this scale, such scenarios must not be overlooked (as recommended by the CNIL, see its level 3 security).
In practice, the voting server could be compromised due to human negligence, a malicious act or a bug, and the secure channel could be compromised by faulty or compromised architecture at the entry point (e.g. a professional network) or the point of arrival (voting server administered by the MEAE). From a societal point of view, this raises the broader issue of a national election whose sincerity relies entirely on the trustworthiness of a single entity, which happens to be government managed (the MEAE). Conversely, paper ballots allow trust to be distributed between the different polling stations and the assessors. From a purely technical point of view, the whole point of verifiability and the use of cryptographic receipts is precisely to avoid having to trust such a centralising authority”.
Moving from theory to practice is one of our key concerns
Alexandre Debant and Lucca Hirschi's work does not stop at highlighting the system's weaknesses but aims to propose solutions for improvement. After discussions with the ministry (MEAE), ANSSI and Voxaly Docaposte, the supplier of the voting system, they proposed six countermeasures to fix and strengthen the security of the established protocol. “The idea is to always take a constructive approach. In March and April 2023, parliamentary by-elections were successfully held in constituencies whose results had been invalidated by the Constitutional Council in 2022. The protocol that was put in place incorporated most of the fixes we had proposed”.
The results of their research will be presented at the Usenix Security symposium this summer and were shown in Tokyo last March at the Real World Crypto symposium, which brought together academics and industrialists. “This kind of conference creates links between the two worlds, which is very important for us. The transfer from theory to practice is relevant for our research. Some solutions look very effective on paper, but their practical implementation is not necessarily quite as straightforward. The aim is to allow everyone to move forward, whether they are industrial players in the field of IT security or researchers like us carrying out research in line with the problems and constraints of real-life applications, such as e-voting”.