IACR Nullifies Election Because of Lost Decryption Key

The International Association of Cryptologic Research—the academic cryptography association that’s been putting on conferences like Crypto (back when “crypto” meant “cryptography”) and Eurocrypt since the 1980s—had to nullify an online election when trustee Moti Yung lost his decryption key.

For this election and in accordance with the bylaws of the IACR, the three members of the IACR 2025 Election Committee acted as independent trustees, each holding a portion of the cryptographic key material required to jointly decrypt the results. This aspect of Helios’ design ensures that no two trustees could collude to determine the outcome of an election or the contents of individual votes on their own: all trustees must provide their decryption shares.

Unfortunately, one of the three trustees has irretrievably lost their private key, an honest but unfortunate human mistake, and therefore cannot compute their decryption share. As a result, Helios is unable to complete the decryption process, and it is technically impossible for us to obtain or verify the final outcome of this election.

The group will redo the election, but this time setting a 2-of-3 threshold scheme for decrypting the results, instead of requiring all three.

News articles.

Posted on November 24, 2025 at 7:03 AM • 17 Comments

Comments

Alan November 24, 2025 7:11 AM

Zero Knowledge Proofs could do this better — secure, confidential voting with no decryption key required to see the results.

Jan Willem de Vries November 24, 2025 8:08 AM

This is a brilliant joke. A cryptology organisation which fails due to a to be foreseen mistake.

Clive Robinson November 24, 2025 8:29 AM

@ ALL,

Too much security makes things fragile

First off there is the old human sayings of,

1, Accidents happen.
2, And to err is human.

I’m known for saying,

“There is no such thing as accidents, only too little time, knowledge or both.”

As for humans, they are not the only thing to err or fail, systems do it too as many can attest. But until recently we said that such things were the product of man thus man was the element that was responsible as an easy get out rather than admit “we don’t know enough”.

The design of the voting system was not that of the IACR but another organisation entirely. I would also guess that based on appearances neither the IACR nor the voting system organisation had any engineers that had experience in designing intrinsically safe, or fail safe systems, or they got overridden.

Because there are two fundamental rules for such design,

1, Design to have no single point of failure.
2, Design to fail safe.

If we look at what happened both rules were apparently broken.

The article says,

“Per the association’s bylaws, three members of the election committee act as independent trustees. To prevent two of them from colluding to cook the results, each trustee holds a third of the cryptographic key material needed to decrypt results.”

And thereby each of the trustees becomes intrinsically,

“A single point of failure”

Whilst the second point of “fail safe” can be problematic with some security protocols and the supporting Cryptographic based systems. The first rule becomes even more critical and should always hold.

The use of an M of N shared secret protocol would have stopped this particular “fail unsafe” issue.

As I’ve previously noted,

“At the very least the association’s rules should have allowed for human frailty. Aircraft fall out of the sky, ships sink, and motor vehicles crash many on more than a daily basis, likewise sickness and unfortunate health events take many more, often quite unexpectedly.”

These things may be unpalatable, but we do recognise they happen all the time.

Robin November 24, 2025 8:52 AM

I am reassured that there are at least some officials who are honorable enough to resign when they screw up. Once upon a time politicians did that.

NombreNoImportante November 24, 2025 12:27 PM

……….. Kind of hard to miss the point that the current president of that board messed up… Crypto the point of the Org he is president of… New President time?

Clive Robinson November 24, 2025 2:53 PM

@ KC, ALL,

With regards the comments of “Ben Adida” –the implementor of the Helios Voting system used–, he links to the NYT article, the last two paragraphs of which are,

“Though errors are rare in Helios’s work with the cryptology group, said Mr. Adida, the software engineer, the case showed that there can be trade-offs in designing and using hyper-secure systems.

“It turns out that managing keys and managing secret keys is the hardest part of this — even among the world’s best cryptographers,” he said.”

The article and what has subsequently been said in the MSM and trade press and blogs etc still does not say who was responsible for the design / usage of the Helios system.

So we are left with the question as to who made the choice of operating the vote in an extremely fragile way.

That is,

1, IACR dictating the terms of Helios use.
2, Helios pushing an overly fragile design on the IACR.

Not that it really matters as far as the vote or subsequent actions are concerned “the omelet has been served”.

However the fact that it’s being said the IACR are shifting to an M of N of 2,3… Is actually not the correct decision if they want to stop “collusion between two officers” (the stated aim). Because the difference between 2 and 3 is only one not two or more.

What they need is a minimum of two times the collusion margin of officers plus one if a majority decision is required.

So if my maths is up to the task 😉 they need a 3 of 5 system. That is five officers need a key share.

But something for all system implementors to consider, a point that I’ve made here from time to time,

“Technical systems are rarely the solution for social issues.”

If there is one social issue that causes more strife in humanity than anything else it’s “Fairness Systems” of which “voting systems” is the most frequently seen cause of arguments to see serious consideration.

Gary Sturgess November 24, 2025 8:41 PM

Forgive me if this is a stupid question, but if the intent of a 3-split is to ensure that no two trustees can collude, doesn’t that make it impossible to switch to a 2 out of 3? Couldn’t any two trustees collude in such a case?

Clive Robinson November 25, 2025 1:02 AM

@ Gary Sturgess,

With regards,

“if the intent of a 3-split is to ensure that no two trustees can collude, doesn’t that make it impossible to switch to a 2 out of 3?”

Simple answer “yes”.

The longer answer is what sort of collusion are you looking at preventing, as there are two basic types,

1, To stop fake results being accepted.
2, To stop honest results being rejected.

The worst case is the second where both colluders have to actively show their hand.

To prevent that you need more “election officers”(5) as I detail in my post above yours,

https://www.schneier.com/blog/archives/2025/11/iacr-nullifies-election-because-of-lost-decryption-key.html/#comment-450122

nosocial November 25, 2025 4:33 AM

From the docs:

To create and administer an election, you will need to log in using Google, Facebook, Yahoo, or Twitter.

And hence to accept their EUA. No, thanks.

Kevin November 25, 2025 9:30 AM

This situation could have been avoided if they just added a little bit of redundancy in the system. Rather than splitting up the key into only 3 parts, split it up into more parts (say 7 or 9), where 2-3 parts are just parity. In this way, you wouldn’t need all the parts, but they would still require a majority to decrypt the results, something like 5 out of 7 parts, or 6 out of 9.

Kevin November 25, 2025 2:40 PM

I’m no expert in cryptography, so I had to look it up. The general concept is called threshold cryptography, and one implementation is Shamir’s secret sharing developed in 1979. So this has long been a solved problem, and this situation was completely avoidable.

KC November 25, 2025 3:46 PM

One of the six election questions is ‘Yes or No’ to modifications of the Bylaws, which includes the “Introduction of an IT Manager Position.” (note: 3 questions only have one possibility.)

https://www.iacr.org/elections/2025/candidates.php

Perusing through the current Bylaws, there’s also this under Article VI: Elections:

Substantial change to the voting system requires prior approval of the membership, except that the paper-ballot system used by the Association from its inception through 2008 may be used at any time without such approval.

So worst case, paper? I also see there are more actively-maintained extensions of Helios such as Belenios.

Clive Robinson November 25, 2025 5:36 PM

@ Kevin,

You say,

“I’m no expert in cryptography, so I had to look it up.”

It’s actually not “cryptography” but “simple logic / geometry / math”.

Even before we get to high school we get told about points on a line, usually it’s the “number line” first and we don’t get told much about points until we get to the “real numbers”.

At some point we get told 2 points define a straight line, and 3 points define a circle.

We also get told a circle has a central point and a radius. But only sometimes that the radius can only be found if all three points are known.

You could give as many people as you need points on the circumference of that circle and only if three or more become known then the radius becomes known.

And that’s the principle behind one of the simplest forms of M of N or “threshold systems”.
