As part of the e-voting source code review process in Switzerland, 67 reports have been received to date. These observations have been very valuable. One of the most important contributions concerns a missing audit mechanism, which prevents the voting system from fully ensuring universal verifiability during the mixing process. The reported finding has been analyzed and the code has been updated.
The Swiss e-voting system uses a mixnet based on the Bayer-Groth mixnet proofs. These proofs require the independent and verifiable generation of random commitment parameters to ensure universal verifiability. However, the researchers have reported that the code does not currently generate these parameters in a verifiably random manner and that the mixnet proofs therefore cannot guarantee the complete auditability of the counting process.
The code has already been updated to use the verifiable random mechanism that was already implemented in the voting system but had not been activated. The e-voting system currently in use in various cantons is not affected by this situation. The finding exclusively concerns universal verifiability properties, which have never been used in a real election in Switzerland so far.
Security and transparency have always been a cornerstone for Scytl. The recent publication of the source code as well as the public intrusion test are part of the company’s commitment to ensuring secure and transparent online voting processes. We are thankful to those researchers who helped us identify this issue and support us in building the future of secure online voting.