A group of international researchers at the University of Melbourne discovered a flaw in the Swiss Post e-voting system that had also been independently discovered by Thomas Haines of NTNU and by Rolf Haenni of Bern University of Applied Sciences.
According to the research, the vote verification process is flawed. Researchers revealed there was a significant gap in the source code of the shuffle proof in the universal verifiability mechanism used to secure and authenticate the votes.
The disclosure has sparked interest among Twitter cryptographers and those concerned with voter fraud.
“The problem occurs because the voting system implements a series of sophisticated cryptographic zero-knowledge proofs, in order to keep votes encrypted and untraceable while also preserving election integrity. At a critical place, one of the proofs is flawed,” Matthew Green, cryptographer and professor at Johns Hopkins University, tweeted.
Originally discovered in 2017, the flaw in the source code is not new; however, it was not fully corrected by the technology partner Scytl, which is responsible for the source code, according to Swiss Post.
“Swiss Post regrets this and has asked Scytl to make the correction in full immediately, which they have done. The modified source code will be applied with the next regular release.
“The e-voting system currently being used in the cantons of Thurgau, Neuchâtel, Fribourg and Basel-Stadt is not affected by this gap in the source code. It exclusively affects the system with universal verifiability provided for the intrusion test, which has never been used for a real vote.”
In a statement shared with Infosecurity, a Swiss Post spokesperson said that the error is the code was corrected immediately and the modified source code will be applied with the next regular released.
“The error exclusively affects the system with universal verifiability provided for the intrusion test, which has never been used for a real vote,” the spokesperson said. In addition, Swiss Post is conducting a public intrusion test (PIT) from February 25 through March 24, 2019, on its e-voting system, wherein hackers are invited to find vulnerabilities in the system.