How Not To Secure An Election
Sarah’s Adventures in Switzerland
This work was done in collaboration with Vanessa Teague (University of Melbourne) & Olivier Pereira (UCLouvain)
Sarah Jamie Lewis
Executive Director, Open Privacy Research Society
Before:
● Independent Privacy & Anonymity Researcher & Book Publisher (Queer Privacy)
● Automated Systems Fraud / Security @ Amazon
● Computer Scientist @ <Redacted> (British Government)
February 2019
“These criticisms are mainly based on misunderstandings related to the cryptographic mechanisms”
https://www.scytl.com/en/statement-recent-comments-regarding-source-code-publication-swiss-e-voting/
What is Universal Verifiability?
Universal Verifiability: anyone may determine that all of the ballots in the box have been correctly counted.
What is a Zero Knowledge Proof?
A Zero Knowledge Proof...
“is a method by which one party (the prover) can prove to another party (the verifier) that they know a value x, without conveying any information apart from the fact that they know the value x.”
Meet Alice And Bob!
Meet Alice Peggy And Bob Vicky!
What is an OR-Proof...?
In theory land... Peggy encrypts 1 of 2* possibilities
Vicky can verify that Peggy didn’t cheat and encrypt something else...
*Simplified
In the Scytl Codebase*…
*Simplified
In the Scytl Codebase*… Vicky doesn’t check the challenge!
*Simplified
Turns out: we had broken two different pieces, and we decided to team up.
What is a Shuffle Proof?
Stephanie Bayer and Jens Groth. Efficient zero-knowledge argument for correctness of a shuffle. In Annual International Conference on the Theory and Applications of Cryptographic Techniques, pages 263–280. Springer, 2012
Peggy is given a set of Ciphertexts, mixes (and re-encrypts) them
Vicky wants proof that the new Re-encrypted ciphertexts are the same as the ones Peggy was given….
Peggy & Vicky need to agree on a set of generators…
We need these so we can build commitments!
While mixing, Peggy cryptographically commits (sends locked boxes) to Vicky
After Peggy has finished mixing, she opens the boxes for Vicky and shows her what is inside
```java
public CommitmentParams(final ZpSubgroup group, final int n) {
    this.group = group;
    // h is generator^randomExponent (see getRandomElement below), so whoever
    // runs this code can keep the exponent
    h = GroupTools.getRandomElement(group);
    commitmentlength = n;
    g = GroupTools.getVectorRandomElement(group, this.commitmentlength);
}

// from getRandomElement(group)
Exponent randomExponent = ExponentTools.getRandomExponent(group.getQ());
return group.getGenerator().exponentiate(randomExponent);
```
Using these trapdoored parameters, Peggy can open the commitments to any value she desires!
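Why a known exponent breaks the commitment, and what a verifiable alternative looks like, as an added example that is not code from the talk or from the Scytl code base. It assumes a toy group, a single message slot, and hypothetical helper names (`random_exponent_params`, `reopen`, `derive_generator`, `audit_generator`).

```python
import hashlib
import secrets

# Toy group for readability (constructed): P = 2Q + 1, G generates the order-Q subgroup.
# Discrete logs are trivial at this size; real systems use groups of 2048+ bits.
P, Q, G = 2039, 1019, 4


def commit(h, g1, m, r):
    """Pedersen-style commitment h^r * g1^m mod P (one message slot for brevity)."""
    return pow(h, r, P) * pow(g1, m, P) % P


def random_exponent_params():
    """Same pattern as the constructor above: each generator is G^random.
    Whoever runs this learns the exponents, which are the trapdoor."""
    e_h = secrets.randbelow(Q - 1) + 1
    e_g = secrets.randbelow(Q - 1) + 1
    return pow(G, e_h, P), pow(G, e_g, P), (e_h, e_g)


def reopen(trapdoor, m, r, m_new):
    """With the trapdoor, find r_new so that (m_new, r_new) opens the same commitment:
    e_h*r + e_g*m == e_h*r_new + e_g*m_new (mod Q)."""
    e_h, e_g = trapdoor
    return (r + e_g * (m - m_new) * pow(e_h, -1, Q)) % Q


def derive_generator(seed: bytes, label: str) -> int:
    """Verifiable alternative: hash public inputs into the subgroup, so nobody
    chooses (or learns) an exponent and anyone can recompute the value."""
    counter = 0
    while True:
        fields = (seed, label.encode(), counter.to_bytes(4, "big"))
        data = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
        x = int.from_bytes(hashlib.sha256(data).digest(), "big") % P
        y = pow(x, 2, P)  # squaring lands in the order-Q subgroup
        if y not in (0, 1):  # skip degenerate values
            return y
        counter += 1


def audit_generator(seed: bytes, label: str, claimed: int) -> bool:
    """What a verifier does: recompute the generator from the public seed."""
    return claimed == derive_generator(seed, label)


def demo():
    h, g1, trapdoor = random_exponent_params()
    m, r, m_new = 10, 321, 20
    r_new = reopen(trapdoor, m, r, m_new)
    seed = b"constructed public seed"
    h_pub = derive_generator(seed, "h")
    return {
        "binding_broken": commit(h, g1, m, r) == commit(h, g1, m_new, r_new),
        "derived_in_subgroup": pow(h_pub, Q, P) == 1,
        "audit_passes": audit_generator(seed, "h", h_pub),
        "audit_rejects_other_value": not audit_generator(seed, "h", h_pub * G % P),
    }


if __name__ == "__main__":
    print(demo())
```

The binding property holds only if nobody knows how `h` and `g1` relate, which is why the verifier has to be able to recompute the parameters instead of trusting whoever generated them.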
Peggy can manipulate votes by replacing them when she mixes...
“How Do We Disclose This”?
We decided to not sign any Non-Disclosure Agreements, but to contact Swiss Post as a courtesy.
March 2019
Sarah Jamie Lewis, Olivier Pereira, and Vanessa Teague. "Ceci n’est pas une preuve." (2019).
https://people.eng.unimelb.edu.au/vjteague/UniversalVerifiabilitySwissPost.pdf
“This mixnet has a trapdoor—a malicious administrator or software provider for the mix could manipulate votes but produce a proof transcript that passes verification.
Thus complete verifiability fails.”
Meanwhile In Australia…
...There was an election going on
“The identification of this issue does not affect the use of iVote for the NSW State election...because...Air Gap”
https://www.elections.nsw.gov.au/About-us/Media-centre/News-media-releases/NSW-Electoral-Commission-iVote-and-Swiss-Post-e-vo
“Scytl is delivering a patch which will be tested and implemented shortly to address this matter.”
https://www.elections.nsw.gov.au/About-us/Media-centre/News-media-releases/NSW-Electoral-Commission-iVote-and-Swiss-Post-e-vo
Back to Switzerland...
What is a Decryption Proof?
Peggy has a Ciphertext & a Key to decrypt it, which she uses to get the Plaintext
Vicky wants proof that the Plaintext came from the Ciphertext (but we cannot allow Vicky to have the key)
In theory land... Peggy constructs Proof….
The Ciphertext has the form $(C_0, C_1)$
Alice computes $C'_1 = C_1/m$ where $m$ is the decryption, and proves to Bob that the decryption factor is correct.
Alice picks a random $a$ and computes $B_0 = g^a$, $B_1 = C_0^a$
Vicky picks a random challenge $c$
Alice computes $z = a + cx$ ($x$ is the private key)
Vicky checks that…. $B_0 \stackrel{?}{=} g^z (pk)^{-c}$ and $B_1 \stackrel{?}{=} C_0^z (C'_1)^{-c}$
What is Fiat-Shamir?
Instead of waiting for a challenge from Vicky, Peggy & Vicky agree on a way of generating challenges.
We can do this by using a cryptographic hash function, assuming it acts as a random oracle.
In secure codebases, a primitive known as a “transcript” is used.
The transcript is given ALL public information associated with the proof and generates a hash based on that input.
Sha256(“3”+“10”+”1020”) == 23648ddd3be51d04a21d90c254cd529a7f70f719161e6645c5bde72cf9d948b7
We use the public parameters as the input, and get unpredictable “randomness” as an output
What is Weak Fiat-Shamir?
David Bernhard, Olivier Pereira, and Bogdan Warinschi. "How not to prove yourself: Pitfalls of the fiat-shamir heuristic and applications to helios." International Conference on the Theory and Application of Cryptology and Information Security. Springer, Berlin, Heidelberg, 2012.
In the Scytl code base...
Only certain public parameters were given to the hash function, and they were not differentiated by context.
Sha256(“3”+“10”) == Sha256(“31” + “0”)
This means given one valid proof we can generate other valid proofs!
Peggy constructs Proof….
The Ciphertext has the form $(C_0, C_1)$
Peggy computes $C'_1 = C_1/m$ where $m$ is the decryption, and proves to Vicky that the decryption factor is correct.
Peggy picks a random $a$ and computes $B_0 = g^a$, $B_1 = C_0^a$
$c = \mathrm{Hash}(pk, C'_1, B_0, B_1)$
$z = a + cx$ ($x$ is the private key)
Vicky checks that…. $B_0 \stackrel{?}{=} g^z (pk)^{-c}$, $B_1 \stackrel{?}{=} C_0^z (C'_1)^{-c}$ and $c \stackrel{?}{=} \mathrm{Hash}(pk, C'_1, B_0, B_1)$
Peggy constructs a Cheating Proof….
Peggy can modify her proof because the challenge only hashes parameters she has control over instead of all of the context (e.g. the ciphertext, the group etc.)
She can modify her statement based on the challenge!
Peggy picks a random $a, s, t$
$B_0 = g^a$
$B_1 = g^t$
$C'_1 = g^s$
$c = \mathrm{Hash}(pk, C'_1, B_0, B_1)$
$z = a + cx$ ($x$ is the private key)
$C_0 = g^{(t+sc)/z}$
Verifier checks that…. $B_0 \stackrel{?}{=} g^z (pk)^{-c}$, $B_1 \stackrel{?}{=} C_0^z (C'_1)^{-c}$ and $c \stackrel{?}{=} \mathrm{Hash}(pk, C'_1, B_0, B_1)$
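The transcript idea and the weak Fiat-Shamir decryption proof above, put side by side as an added example that is not code from the talk or from the Scytl code base. It assumes the RFC 2409 768-bit group, decimal-string encoding of values, and hypothetical names (`Transcript`, `challenge`, `cheating_proof_from_slide`); the slide's cheating proof is used only as a regression input showing that a verifier hashing the full statement rejects it.

```python
import hashlib
import secrets

# Assumption: the 768-bit safe prime of RFC 2409 (Oakley Group 1); Q = (P-1)/2 is prime.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2
G = 4  # a square mod P, so it generates the subgroup of prime order Q


def concat_hash(*parts: str) -> int:
    """Slide-style hashing: fields glued together with no framing or context."""
    return int.from_bytes(hashlib.sha256("".join(parts).encode()).digest(), "big")


class Transcript:
    """Labelled, length-prefixed hash input: field boundaries and context are unambiguous."""

    def __init__(self, context: str):
        self._h = hashlib.sha256()
        self.append("context", context)

    def append(self, label: str, value) -> "Transcript":
        for field in (label.encode(), str(value).encode()):
            self._h.update(len(field).to_bytes(4, "big") + field)
        return self

    def challenge(self) -> int:
        return int.from_bytes(self._h.digest(), "big") % Q


def challenge(strong, pk, c0, c1p, b0, b1):
    if not strong:  # weak Fiat-Shamir from the slides: Hash(pk, C'1, B0, B1)
        return concat_hash(*(str(v) for v in (pk, c1p, b0, b1))) % Q
    t = Transcript("decryption-proof")  # strong: bind the group and the full statement
    for label, v in (("P", P), ("Q", Q), ("G", G), ("pk", pk), ("C0", c0),
                     ("C1'", c1p), ("B0", b0), ("B1", b1)):
        t.append(label, v)
    return t.challenge()


def prove(x, c0, strong):
    """Honest prover: C'1 = C0^x, commit with a, respond with z = a + c*x."""
    pk, c1p = pow(G, x, P), pow(c0, x, P)
    a = secrets.randbelow(Q)
    b0, b1 = pow(G, a, P), pow(c0, a, P)
    z = (a + challenge(strong, pk, c0, c1p, b0, b1) * x) % Q
    return c1p, (b0, b1, z)


def verify(pk, c0, c1p, proof, strong):
    """Recompute c, then check B0 = g^z pk^-c and B1 = C0^z C'1^-c."""
    b0, b1, z = proof
    c = challenge(strong, pk, c0, c1p, b0, b1)
    return (b0 == pow(G, z, P) * pow(pk, -c, P) % P
            and b1 == pow(c0, z, P) * pow(c1p, -c, P) % P)


def cheating_proof_from_slide(x):
    """The slide's steps, used here only as a regression input for verify()."""
    pk = pow(G, x, P)
    while True:
        a, s, t = (secrets.randbelow(Q) for _ in range(3))
        b0, b1, c1p = pow(G, a, P), pow(G, t, P), pow(G, s, P)
        c = challenge(False, pk, None, c1p, b0, b1)  # C0 is not hashed in the weak variant
        z = (a + c * x) % Q
        if z == 0:
            continue
        c0 = pow(G, (t + s * c) * pow(z, -1, Q) % Q, P)
        if pow(c0, x, P) != c1p:  # keep only false statements: C'1 is not C0^x
            return c0, c1p, (b0, b1, z)


def demo():
    x = secrets.randbelow(Q - 1) + 1
    pk = pow(G, x, P)
    c0 = pow(G, secrets.randbelow(Q - 1) + 1, P)
    c1p, honest = prove(x, c0, strong=True)
    bad_c0, bad_c1p, bad = cheating_proof_from_slide(x)

    def framed(a, b):
        return Transcript("demo").append("a", a).append("b", b).challenge()

    return {
        "concat_collides": concat_hash("3", "10") == concat_hash("31", "0"),
        "transcript_collides": framed("3", "10") == framed("31", "0"),
        "honest_accepted_strong": verify(pk, c0, c1p, honest, strong=True),
        "cheat_accepted_weak": verify(pk, bad_c0, bad_c1p, bad, strong=False),
        "cheat_accepted_strong": verify(pk, bad_c0, bad_c1p, bad, strong=True),
    }


if __name__ == "__main__":
    print(demo())
```

The only difference between the two verifiers is what goes into the hash: once `C0` and the group are part of the transcript, changing the statement after the challenge is computed changes the challenge too.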
Sarah Jamie Lewis, Olivier Pereira, and Vanessa Teague. "How not to prove your election outcome: The use of non-adaptive zero knowledge proofs in the scytl-swisspost internet voting system, and its implications for decryption proof soundness” 2019.
https://people.eng.unimelb.edu.au/vjteague/HowNotToProveElectionOutcome.pdf
Unanswered Questions...
What is an OR-Proof doing in this code base!?
????
“Yes, you are right. The verifier was using the hash for checking the proofs but it was not checking if hash is related to the sum of c_j. Thank you for the highlight!” - Scytl Employee
“The reason is because it is inside our cryptolib and this was initially planned as a library and therefore, it is not prepared to break it in small pieces and include only the needed parts. So while a refactor is not finished, we are still including it as a library.” - Scytl Employee
The Vulnerability That (temporarily) Stopped E-Voting
What is Individual Verifiability?
Individual Verifiability: Any voter can check that their ballot has been correctly counted.
Sarah Jamie Lewis, Olivier Pereira, and Vanessa Teague. "Addendum to How not to prove your election outcome: The use of non-adaptive zero knowledge proofs in the Scytl-SwissPost Internet voting system, and its implications for cast-as-intended verification” 2019.
https://people.eng.unimelb.edu.au/vjteague/HowNotToProveElectionOutcomeAddendum.pdf
“It will therefore not provide its e-voting system to the cantons for the votes of 19 May.”
https://www.post.ch/en/about-us/news/news/2019/swiss-post-temporarily-suspends-its-e-voting-system
“Temporarily”
https://www.post.ch/en/about-us/news/news/2019/swiss-post-temporarily-suspends-its-e-voting-system
April 2019
“Last week, a vulnerability was found that affects the individual verifiability process used by the cantons of Thurgau, Neuchâtel, Fribourg and Basel-Stadt”
https://www.scytl.com/en/statement-related-to-the-recent-decision-to-place-evoting-temporarily-on-hold-in-switzerland/
Scytl acknowledges the valuable input provided by the researchers who have participated in this initiative and more concretely to the ones that detected the issues in the source code.
https://www.scytl.com/en/statement-related-to-the-recent-decision-to-place-evoting-temporarily-on-hold-in-switzerland/
“These criticisms are mainly based on misunderstandings related to the cryptographic mechanisms”
https://www.scytl.com/en/statement-recent-comments-regarding-source-code-publication-swiss-e-voting/
Aftermath
SwissPost awarded our research team 5000 CHF
The system that was previously in use in four cantons will therefore no longer be operated by Swiss Post... and will not be available for the National Council elections in the autumn.
What Happened In Australia?
Remember the Air-Gap?
The reports that came out after the election also make no reference to the emergency patch.
Remember…
Takeaways
Public Infrastructure Demands Public Scrutiny
The Math and the Implementation of that Math are different
If researchers working on little to no sleep can break your system, so can actual threat actors.
Transparency is as important as Technology
Swiss Post announced it wants to offer the new system to the cantons for trial operation from 2020.
The End!
Open Privacy Research Society is a non-profit dedicated to researching and building privacy-enhancing technologies that benefit marginalized communities.
Please support our work: https://openprivacy.ca/donate