Crypto defect found in Swiss e-voting system

A group of researchers have uncovered a cryptographic trapdoor in the Swiss government’s e-voting system that could allow vote manipulation to take place unbeknown to the authorities.

The problem centres around the way the country's sVote system run by Swiss Post verifies votes – that is, the way they are received and actually counted – using a sequence of shuffle proofs.

This is despite claims the system, which like the NSW government’s iVote system uses software from the Spanish vendor Scytl, offers a form of proof dubbed “complete verifiability”.

The research paper by cryptography and privacy researchers Sarah Jamie Lewis, Oliver Pereira and Australia’s-own Venessa Teague reveals an issue with the soundness of the proof of correctness.

“The SwissPost-Scytl mixnet specification and code ... does not meet the assumptions of a sound shuffle proof and hence does not provide universal or complete verifiability,” the paper entitled 'This is not proof’ released on Tuesday states.

The researchers said the issue stems from “the use of a trapdoor commitment scheme in the shuffle proof”, which means a malicious authority “can provide an apparently-valid proof, which passes verification, while actually having manipulated votes”.

They were able to demonstrate “how an attacker who knows the trapdoor can manipulate any votes for which it learns the randomness used to generate the vote ciphertext” without detection, as well as “exploit the trapdoor in the commitment scheme to break the soundness of the proof shuffle”.

This transpired without any modification of the audit process, making it impossible to detect if a manipulation has occurred.

The researchers put the problem down to the specific implementation of the Bayer and Groth proof mechanism, which the Swiss Post system generates randomly.

“The system should prove, and the verifiers should check, that these generators are selected properly, that is, without the possibility for anyone to learn a trapdoor except by computing discrete logs,” the paper states.

“In the Scytl-Swisspost code, the commitment parameters are just randomly generated without a proof of how they arose.

However, it was this random group element that was “precisely the trapdoor that is needed to break the binding property of the commitment scheme”.

The researchers suggested applying a PRG based on a cryptographic has function, the outputs of which are then mapped to group elements” to correct the issue, but noted that even this might not be enough.

"Even if this particular issue is corrected, we do not know whether there might be other
ways of manipulating votes while still producing an apparently-valid proof transcript,” the paper states.

The researchers also acknowledged that although the invisibility of the problem made it a perfect opportunity for manipulation, there was no evidence to suggest the problem was introduced deliberately.

“It is entirely consistent with a naïve implementation of a complex cryptographic protocol by well-intentioned people who lacked a full understanding of its security assumptions and other important details,” the paper states.

In a statement, Swiss Post said that although "critical" in nature the "error itself did not make it possible to infiltrate the e-voting system".

"To exploit the weak point the attacker had to override numerous protective measures," it said.

"They needed control over Swiss Post's secured IT infrastructure, for example, as well as help from several insiders with specialist knowledge of Swiss Post or the cantons.

"Swiss Post requested that its technology partner, Scytl, correct the error in the code immediately and they have already done so."

Last month the Swiss government opened the e-voting system to public intrusion testing, with offers of large cash rewards on the line for hackers who find vulnerabilities in the system and report them to the Swiss government.

The NSW government, on the other hand, has not made public the iVote source code, a decision that was questioned by former secretary of the federal Attorney-General’s Department Roger Wilkins in his recent review into the platform.