Russian authorities announced their plans to test a new blockchain-based voting system in the upcoming elections to the Moscow City parliament to be held in September. But one independent cryptographer managed to crack it in 20 minutes.

Pierrick Gaudry, one of the most respected cryptographers in the world, discovered vulnerabilities in the Russian blockchain-based voting system that is expected to be tested during the September elections to the Moscow City Duma. Gaudry published an article describing the flaws he found. He found that the encryption mechanism used in the published parts of the code is “completely insecure” and “can be broken in about 20 minutes using a standard personal computer, and using only free software that is publicly available.”

The Moscow Department of Information Technologies published part of the source code of its blockchain-based voting system on GitHub for public testing at the end of July. Anyone who could crack the system was promised a reward of 1.5 million rubles (approximately $25,000).

“Although we did not find (yet?) a public specification of the protocol in English, we understand that it uses the Ethereum blockchain, with its smart contract capabilities,” Gaudry writes in the article.

During the public test, the published code was updated every day, proposing new public keys and new encrypted data, and revealing the private keys and the original data of the day before. The goal was to decrypt the data in less than 12 hours, since this will be the duration of the election to be held in September. The system is vulnerable because the length of its public encryption key is less than 256 bits, which is short enough that one can easily calculate the private keys and decrypt the encrypted data.

He notes that, because he saw only part of the source code, he cannot say precisely what consequences the weak encryption mechanism will have, or how likely it is that he would be able to easily identify the voting participants and correlate them with the ballots.

“In the worst-case scenario, the votes of all the voters using this system would be revealed to anyone as soon as they cast their vote.”

The Moscow Department of Information Technologies (DIT) responded in a comment to Julia Krivonosova, PhD candidate at the Ragnar Nurkse Department of Innovation and Governance, Tallinn University of Technology, who detailed the bugs of the Russian blockchain-based voting system in her blog post on Medium. The Department wrote that it planned to increase the length of the public encryption key to 1024 bits in the near future. DIT Moscow attributed the lack of a protocol specification to the fact that it had not yet been translated from Russian into English, and said this would be done soon. The DIT also emphasized that even in the event of hacking and decryption, hackers would not be able to associate ballots with voters.

The Moscow government emphasized the need to develop an electronic voting system: “The blockchain technology ensures the transparency and invariability of all data. Tracing the newsletter’s path will be virtually impossible.”