In a notable illustration of the “human factor” in cybersecurity, the International Association for Cryptologic Research (IACR) has voided its 2025 leadership election. As the standard-setter for encryption science, the global non-profit admitted that a single lost private key rendered the final vote tally mathematically inaccessible.
The election ran on Helios, a web-based electronic voting system, and the process required three independent trustees to combine their cryptographic shares to decrypt the results. Because the protocol demanded unanimity rather than a redundancy threshold, the loss of one trustee’s key made decryption impossible.
Officials have immediately launched a new election running through December 20, this time adopting a fail-safe “2-out-of-3” mechanism to prevent a recurrence of the deadlock.
A Fatal ‘Human Mistake’
Despite the sophisticated mathematical principles underpinning the organization, the failure point proved strictly analog. Intended to select new leadership for the cryptology body, the 2025 election ended in a deadlock not because of a hack or a software bug, but because of a simple lost key.
According to the official announcement, one of the three designated trustees “irretrievably lost” their private key, a component essential for the final tally. Without this third share, the encrypted votes remain locked in a state of permanent secrecy.
In its statement, the committee admitted that “Unfortunately, one of the three trustees has irretrievably lost their private key, an honest but unfortunate human mistake, and therefore cannot compute their decryption share.”
While the text emphasized the accidental nature of the loss, the consequences were absolute: the election results are technically impossible to retrieve.
Following the error, trustee Moti Yung, a prominent figure in the field with affiliations at Google and Columbia University, has resigned his position. His departure shows the high stakes involved even in routine administrative cryptography.
Systemic Fragility: The 3-out-of-3 Flaw
Under the strict rules of the Helios protocol, the election’s design prioritized privacy over resilience. The failure highlights a critical architectural choice in the implementation used by the IACR and exposes the risks of unanimity requirements.
As detailed in the IACR’s explanation of the failure, the setup demanded all three shares:
“For this election and in accordance with the bylaws of the IACR, the three members of the IACR 2025 Election Committee acted as independent trustees, each holding a portion of the cryptographic key material required to jointly decrypt the results.” […] “This aspect of Helios’ design ensures that no two trustees could collude to determine the outcome of an election or the contents of individual votes on their own: all trustees must provide their decryption shares.”
Intended to prevent collusion, this “all-or-nothing” approach ensured no two trustees could peek at votes without the third. However, it created a single point of failure where human error could, and did, destroy the entire process.
Bruce Schneier, a renowned cryptographer and fellow at the Harvard Kennedy School, noted in comments to the BBC that such vulnerabilities are inherent to systems managed by people. He observed: “Whether it’s forgetting keys, improperly sharing keys, or making some other mistake, cryptographic systems often fail for very human reasons.”
Ultimately, even the most secure algorithms cannot account for lost credentials. As Schneier added, “To provide any actual security [cryptographic systems] have to be operated by humans.”
Remediation and the Path Forward
Addressing the operational oversight, the IACR has moved quickly to restore the integrity of its voting process. Facing a voided election, the organization has restarted the process immediately, with the renewed election timeline running from November 21 to December 20.
Retaining the same candidate list and electoral roll, the organization’s statement outlines how the new election fundamentally alters the cryptographic safeguards:
“In particular, we will adopt a 2-out-of-3 threshold mechanism for the management of private keys, and we will circulate a clear written procedure for all trustees to follow before and during the election.” […] “Following the resignation of Moti Yung from his position as trustee for this election, he will be replaced by Michel Abdalla.”
With Abdalla joining the remaining trustees to oversee the rerun, the lower threshold ensures that the loss of a single key will no longer be catastrophic.
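The difference between the original 3-out-of-3 setup and the 2-out-of-3 rerun, as an added example that is not code from Helios or the IACR: a toy threshold ElGamal in Python in which each trustee contributes a decryption share. The group parameters, key, nonce, tally and the single-dealer Shamir sharing are constructed assumptions for illustration and do not describe Helios's own key generation.

```python
# Toy threshold ElGamal (added illustration; not Helios or IACR code).
# Constructed parameters: P = 2*Q + 1 is a small safe prime and G generates
# the order-Q subgroup. Real deployments use far larger groups.
P, Q, G = 2039, 1019, 4

def deal(secret, coeffs, n=3):
    """Shamir-share `secret` over Z_Q; threshold = len(coeffs) + 1.
    A single dealer is a simplification assumed for this example."""
    poly = [secret] + list(coeffs)
    return {i: sum(c * pow(i, k, Q) for k, c in enumerate(poly)) % Q
            for i in range(1, n + 1)}

def lagrange_at_zero(i, ids):
    """Weight applied to trustee i when interpolating the key at x = 0."""
    num = den = 1
    for j in ids:
        if j != i:
            num = num * -j % Q
            den = den * (i - j) % Q
    return num * pow(den, -1, Q) % Q

def decrypt(ciphertext, shares):
    """Combine the decryption shares c1^s_i of the trustees in `shares`."""
    c1, c2 = ciphertext
    mask = 1
    for i, s_i in shares.items():
        d_i = pow(c1, s_i, P)  # trustee i's decryption share
        mask = mask * pow(d_i, lagrange_at_zero(i, shares), P) % P
    return c2 * pow(mask, -1, P) % P

def can_decrypt(coeffs, present):
    """Encrypt a constructed tally, then try to open it with the trustees
    listed in `present`. Returns True only if the tally is recovered."""
    x, r = 777, 123                      # constructed private key and nonce
    tally = pow(G, 42, P)                # constructed plaintext
    ct = (pow(G, r, P), tally * pow(G, x * r, P) % P)
    shares = deal(x, coeffs)
    return decrypt(ct, {i: shares[i] for i in present}) == tally

if __name__ == "__main__":
    print("3-of-3, all keys held: ", can_decrypt([5, 9], [1, 2, 3]))
    print("3-of-3, one key lost:  ", can_decrypt([5, 9], [1, 2]))
    print("2-of-3, one key lost:  ", can_decrypt([5], [1, 3]))
```

With a degree-2 polynomial (three shares required) the two remaining trustees combine to an unrelated value, while a degree-1 polynomial lets any pair recover the tally and still gives a lone trustee nothing.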
Voters who previously opted out of email notifications face a hurdle: they must manually opt back in to receive a new ballot. To ensure participation in the rescheduled vote, the IACR has urged members to verify their status on the trustee status page.

