Swiss Post’s Cryptographic E-Voting System Allows for Vote Manipulation Claims Research
A trio of researchers has discovered that the cryptographic e-voting system used by the Swiss Post has a vulnerability that enables authorities to manipulate the outcome of elections in an undetectable manner.
E-Voting Platform Can Be Manipulated
Sarah Jamie Lewis from Open Privacy, Olivier Pereira from UCLouvain, and Vanessa Teague from the University of Melbourne have published a report titled “The use of trapdoor commitments in Bayer-Groth proofs and the implications for the verifiability of the Scytl-SwissPost Internet voting system,” in which the researchers illustrate their findings of a vulnerability in the Swiss Post’s e-voting platform that would allow for undetectable vote manipulation by an authority.
The Swiss Post e-voting platform, created by Spanish e-voting technology developer Scytl, is meant to provide a secure, trustworthy e-voting platform. However, as Lewis, Pereira, and Teague found, that is not the case.
After the Swiss Post open-sourced its code as part of a bug bounty campaign, the researchers analyzed the system’s code and found a substantial vulnerability that completely negates the value proposition of a cryptographic e-voting system.
According to the report, the commitment scheme used in the SwissPost-Scytl mixnet utilizes a trapdoor commitment scheme that enables an authority that knows the trapdoor value to create a shuffle proof transcript that can pass verification and alter votes.
In the Swiss Post e-voting system, votes are encrypted and are required to be shuffled to ensure individual voter privacy. Each server that shuffles the electronic votes should prove that the set of input votes it has received corresponds with the differently encrypted votes that it outputs. The intention of this is to provide a digital equivalent of a publicly observable use of a ballot box. However, the mixnet specifications and code of the Swiss Post’s system do not meet the assumption of a sound shuffle proof and, therefore, does not supply complete verifiability of the votes, according to the researchers.
As a result, an authority that is aware of the trapdoors for the cryptographic commitments in the system could provide cryptographically-valid proof that passes the platform’s verification while manipulating votes.
The same vulnerability was also discovered by Thomas Haines of NTNU and by Rolf Haenni of Bern University of Applied Sciences independent of the report mentioned above, which can be considered a confirmation of the existing problem of the Swiss Post’s voting platform.
Swiss Post and Scytl Respond to Findings
After the e-voting system’s vulnerability was made public, the Swiss Post responded to the findings in a statement downplaying the severity of the error in their system’s code and stating that it has been found as a result of its bug bounty campaign. Moreover, the Swiss Post noted that the platform’s developer Scytl has fixed the code.
“The error in itself did not make it possible to infiltrate the e-voting system. Swiss Post requested that its technology partner, Scytl, corrects the error in the code immediately and they have already done so. The modified source code will be applied with the next regular release,” the statement said.
Moreover, the Swiss Post highlighted that no hackers were able to infiltrate their system and that the error in the code only related to universal verifiability, which – surprisingly – was already identified in 2017 but never adequately fixed by Scytl.
In a statement on its website, Scytl responded saying that:
“The code has already been updated by using the random verifiable mechanism that was already implemented in the voting system but had not been activated. The e-voting system currently in use in various cantons is not affected by this situation. The finding exclusively concerns universal verifiability properties, which have never been used in a real election in Switzerland so far.”
Given that the issue was known since 2017, it is unclear why Scytl has not made an effort to fix the problem in its code. Instead, downplaying it and highlighting the apparent success of the bug bounty campaign does not bestow much confidence in the e-voting platform developer’s ability to do its job correctly.
How Safe Are E-Voting Platforms Really?
In light of the recent revelations about Scytl’s e-voting platform’s severe vulnerability, it begs the question of how safe e-voting is. Fortunately for Switzerland, by open-sourcing the code of its e-voting system, researchers were able to find an error in the code that could have had massive implications on the level of democracy the European nation.
Sarah Jamie Lewis stated on Twitter:
“Let us not downplay this. This code is intended to secure national elections. Election security has a direct impact on the distribution of power within a democracy. The public has a right to know everything about the design and implementation of the system.”
However, what about e-voting systems whose codes are not open-sourced?
If one of the most “state-of-the-art” cryptographic e-voting platforms came with an error that would enable authorities to manipulate the outcome of an election and remain entirely undetected, how much trust can be placed in closed-sourced e-voting platforms being used around the globe?
Election rigging is a major issue in nations across the globe, and with governments moving towards the adoption of e-voting systems, it’s increasingly important to question whether e-voting is the most secure, fair and democratic way to hold an election.
Given how easy it can be to get away with election fraud even with one of the most “high-tech” e-voting systems, society is not at a point where it can trust technology enough to help in the determination of the democratic process.