August 8, 2022

What the Assessments Say About the Swiss E-voting System

(Part 4 of a 5-part series starting here)

In 2021 the Swiss government commissioned several in-depth technical studies of the Swiss Post E-voting system, by independent experts from academia and private consulting firms.  They sought to assess, does the protocol as documented guarantee the security called for by Swiss law (the “ordinance on electronic voting”, OEV)?  Does the system as implemented in software correctly correspond to the protocol as documented?  Are the networks and systems, on which the system is deployed, adequately secure?

Before the reports even answer those questions, they point out: “the engineers who build the system need to do a better job of documenting how the software, line by line, corresponds to the protocol it’s supposed to be implementing.”  That is, this kind of assessment can’t work on an impenetrable black-box system; the Swiss Post developers have made good progress in “showing their work” so that it can be assessed, but they need to keep improving.

And this is a very complex protocol, and system, because it’s attempting to solve a very difficult problem:  conduct an election securely even though some of the servers and most of the client computers may be under the control of an adversary.   The server-side solution is to split the trust among several servers using a cryptographic consensus protocol.  The client-side solution is what I described in the previous post: even if the client computer is hacked, it’s not supposed to be able to succeed in cheating because there are certain secrets that it can’t see, printed on the paper and only visible to the voter.

Now, does the voting protocol work in principle?  The experts on cryptographic voting protocols say, “The Swiss Post e-voting system protocol documentation, code and security proofs show continuing improvement. The clarity of the protocol and documentation is much improved on earlier versions [which] has exposed many issues that were already present but not visible in the earlier versions of the system; this is progress. … There are, at present, significant gaps in the protocol specification, verification specification, and proofs. … [S]everal of the issues that we found require structural changes …. ”

And, is the system architecture secure?  The expert on system security says, “the SwissPost E-voting system [has] been evolving … for well over a decade. … The current generation of the system under audit takes many important and valuable measures for security and transparency that are to this author’s knowledge unprecedented or nearly-unprecedented among governmental E-voting programs worldwide. At a technical level, these measures include individual and universal verifiability mechanisms, trust-splitting of critical functions across four control components, the incorporation of an independent auditor role in the E-voting process, and the adoption of a reproducible build process for the E-voting software.  [I see] ample evidence overall of both a system and a development process represent[ing] an exemplar that other governments worldwide should examine closely, learn from, and adopt similar state-of-the-art practices where appropriate.”

But on the other hand, he says, “the current system under audit is still far from the ideal system that … perhaps any expert well-versed in this technology domain – would in principle like to see. Some issues [include] the current system’s reliance on a trusted and fully-centralized printing authority, and its exclusion of coercion or vote-buying as a risk to be taken seriously and potentially mitigated.  [And] Explicit documentation of the architecture’s security principles and assumptions, and how the concrete system embodies them, is still incomplete or unclear in many respects … The architecture’s trust-splitting across four control components strengthens vote privacy, but does not currently strengthen either end-to-end election integrity or availability … The architecture critically relies on an independent auditor for universal verifiability, but the measures taken to ensure the auditor’s independence appear incomplete … While the system’s abstract cryptographic protocol is well-specified and rigorously formalized, the security of the lower-level message-based interactions between the critical devices – especially the interactions involving offline devices – do not yet appear to be fully specified or analyzed.”

In conclusion,  the cryptographic-protocol experts recommend, “We encourage the stakeholders in Swiss e-voting to allow adequate time for the system to thoroughly reviewed before restarting the use of e-voting,”  while the system-security expert concludes, “as imperfect as the current system might be when judged against a nonexistent ideal, the current system generally appears to achieve its stated goals, under the corresponding assumptions and the specific threat model around which it was designed.”

In the next part of this series:  Threats that the experts didn’t think of.