Earlier this month, research by our team – based on joint work with Sarah Jamie Lewis from the Open Privacy Research Society and Professor Olivier Pereira at Université Catholique de Louvain – found a trapdoor in the Swiss Internet voting system. It’s a flaw in the proof the system uses to prevent electoral fraud.
The sVote Internet voting system is designed to allow observers to verify that the votes reported by the electoral commission match those that were cast — without compromising the identity of a voter. But if the flaw is exploited, it could allow insiders who ran or implemented the election system to modify votes undetected.
Soon after the Swiss trapdoor was revealed, the New South Wales Electoral Commission (NSWEC) announced that the same flaw affects their iVote system. The two systems, the Swiss and the NSW e-voting software, were developed by the same company and feature the same core component.
But the Commission has since said that its iVote platform is safe to use in the state’s recent election.
However, we have recently discovered a second, independent method by which a proof mechanism in sVote could be subverted to prove an election outcome that has actually been manipulated.
SwissPost and NSWEC have both been notified, and NSWEC says that this second issue does not affect them.
Verifiability and Trust
Verifiability is a critical part of the trustworthiness of e-voting systems.
The SwissPost e-voting system, provided by Scytl, offers one form of verifiability, called “complete verifiability” – this means that any manipulation should be detectable unless all but one part of the system colludes to cheat.
In the SwissPost system, encrypted electronic votes are shuffled to protect individual vote privacy. Each server shuffling votes is supposed to prove that the set of input votes it gets corresponds exactly to the differently-encrypted votes it outputs.
This process is intended to provide an electronic version of a ballot box.
Previously, we’ve shown that this system contains a cryptographic trapdoor that could allow a cheating authority (or software provider) to add or remove votes from the shuffle, while providing an apparently-correct (but false) proof of accuracy.
Both SwissPost and NSWEC say that the software provider has now patched the issue.
Proving a fake decryption
The next step after shuffling is decrypting the votes.
It wouldn’t be secure to simply accept any authority’s claim of what those encrypted votes contain, because that allows for the possibility that the authority could declare different votes from the voter’s actual choice.
It also wouldn’t work to ask the authority to reveal its private decryption key, because that would expose how individuals voted.
So, the sVote system uses a clever cryptographic construct called a zero knowledge proof. Zero knowledge means that it doesn’t reveal anything about the decryption key, so vote privacy is protected. And proof is supposed to mean that observers can run a verification algorithm to make sure that the claimed vote really is what’s hidden within the encryption.
But our research has found that this proof is not sound. It’s possible to generate a proof that passes verification, but changes the contents of the encrypted vote. It’s a little like leaving the ballot box observable all through polling day, yet somehow managing to slip different votes into the count.
It’s a technical process – but one that can be done by anyone who has access to the right part of the voting system. You can download our cheating proof transcripts and verify them yourself if you have the sVote code.
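To show what a sound decryption proof is supposed to guarantee, here is an added illustration that is not code from sVote or from our transcripts. It assumes a textbook construction (ElGamal encryption with a Chaum-Pedersen equality proof made non-interactive by hashing the full statement) and a toy group; the function names and parameters are hypothetical. The verifier accepts the honest decryption and rejects the same proof when a different vote is claimed.

```python
import hashlib
import secrets

# Toy group (assumption; far too small for real use): P = 2*Q + 1, Q prime,
# G = 4 generates the order-Q subgroup of squares mod P.
P, Q, G = 2039, 1019, 4

def challenge(*statement):
    # Fiat-Shamir challenge over the whole statement and both commitments.
    digest = hashlib.sha256(repr(statement).encode()).digest()
    return int.from_bytes(digest, "big") % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1             # private decryption key
    return x, pow(G, x, P)                       # public key h = G^x

def encrypt(h, m):
    k = secrets.randbelow(Q - 1) + 1
    return pow(G, k, P), (m * pow(h, k, P)) % P  # ciphertext (a, b)

def decrypt_with_proof(x, h, ct):
    a, b = ct
    m = (b * pow(pow(a, x, P), -1, P)) % P       # claimed plaintext
    r = secrets.randbelow(Q)
    t1, t2 = pow(G, r, P), pow(a, r, P)          # commitments
    c = challenge(G, h, a, b, m, t1, t2)
    return m, (t1, t2, (r + c * x) % Q)          # response hides x

def verify_decryption(h, ct, m, proof):
    a, b = ct
    t1, t2, s = proof
    # Reject anything outside the order-Q subgroup before using it.
    if any(pow(v, Q, P) != 1 for v in (h, a, b, m, t1, t2)):
        return False
    d = (b * pow(m, -1, P)) % P                  # equals a^x only if m is correct
    c = challenge(G, h, a, b, m, t1, t2)
    return (pow(G, s, P) == (t1 * pow(h, c, P)) % P
            and pow(a, s, P) == (t2 * pow(d, c, P)) % P)

def demo():
    x, h = keygen()
    ct = encrypt(h, 9)                           # constructed vote encoding, 9 = 3^2
    m, proof = decrypt_with_proof(x, h, ct)
    honest = verify_decryption(h, ct, m, proof)
    altered = verify_decryption(h, ct, 16, proof)  # same proof, different claimed vote
    return m, honest, altered
```

The observer never learns `x`, yet only the true plaintext verifies; an unsound proof system is one where the second check could be made to pass.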
Internet voting security
Both SwissPost and NSWEC say they have corrected the first issue – the shuffling proofs. Of course, without seeing the patched source code we have to take their word for it.
But the second issue, the unsound decryption proofs, was only noticed very recently and as far as we’re aware it has yet to be corrected. NSWEC says their decryption proofs are not affected, but without seeing the source code this can’t be checked.
So, what does this mean for Internet voting security?
First of all, it means that Australians should be grateful to Switzerland for passing a Federal Ordinance mandating open access to the source code of their voting system.
Open, public review is important even for systems that are intended to be verifiable, because the voters and candidates need to be convinced that it will not seem to verify something that is wrong. Otherwise, the risk of undetectable electoral fraud remains, because of the risk that the verification mechanism itself might be manipulated.
It’s lucky that a problem in iVote could be discovered by inspecting the Swiss code, because the iVote code is available only under very restrictive terms that would not have allowed us to analyse the code and publish our findings promptly.
Were it not for the opportunity to examine the Swiss Post code, opportunities for undetectable electoral fraud might have gone unnoticed in the NSW election.
The bottom line
We have now found two independent means by which a single authority could commit large-scale fraud in the sVote system, while passing verification using a false proof that everything was correct.
For iVote, we’re told that the first issue has been patched and the second doesn’t apply. If the source code were openly available, we could check; without it, we can’t.
There’s no reason to think that correcting this second flaw in the proofs will be easy, or that it will produce a secure system with no further opportunities for undetectable electoral fraud.