FAQ Answers to frequently asked questions and definition of terms
As part of the e-voting community programme, Swiss Post is disclosing the source code, specifications, cryptographic foundations and documentation of its e-voting system. The aim is to make access to the system as simple as possible for independent experts and to constantly improve the system. Disclosure facilitates an in-depth examination and dialogue between specialists and with the Swiss Post e-voting team. Swiss Post is gradually refining the system, taking confirmed findings into consideration. Disclosure therefore serves to enhance the security of the e-voting system.
The rules for participation in the e-voting community programme are established in a Code of Conduct. For Swiss Post, the secure implementation of the democratic process is of paramount concern, with the priority on ensuring a secure voting process and guaranteeing a secret ballot. Reports from experts represent a key contribution to improving the security of the system. Swiss Post respects the academic freedom of researchers.
Yes. Findings can be published. In the case of findings classified as high or critical, we require a maximum time frame of 90 days to analyze a report and check it with the other stakeholders (in particular the cantons). As soon as our analysis is complete, even a critical finding can be disclosed by the person who reported it. For its part, Swiss Post discloses all confirmed findings. More information can be found under Reporting a finding.
Yes. For confirmed vulnerabilities submitted as part of the public e-voting bug bounty programme, Swiss Post pays remuneration in accordance with the applicable regulations. Swiss Post believes that bug bounty programmes help to improve IT systems. For this reason, it opts to run bug bounties as part of its information security strategy. Interested parties can find all further information for taking part in the e-voting bug bounty programme on the YesWeHackTarget not accessible platform.
Swiss Post previously cooperated with Scytl, a company specializing in electronic voting. In spring 2020, Swiss Post acquired all rights to the source code necessary for independent development of the system. Since then, Swiss Post has continued developing the system with its own team in Switzerland, working in close cooperation with external specialists (see also the blog article of 22.06.2019).
Swiss Post is disclosing its new e-voting system, providing a compilable system and allowing independent experts to check the system and the implementation of voting procedures. It is constantly improving the system and meets the transparency requirements of the open-source approach. Key components of the e-voting system are provided by Swiss Post under an open-source licence. This includes the disclosed library of cryptographic primitives and the verification software.
The date when the new e-voting system will be available to the cantons depends on various factors, such as the legal bases for e-voting, which are being redefined, and the feedback that Swiss Post receives from the specialist community during the disclosure. Our goal is for the system to be ready for use in the cantons in the course of 2022.
This document describes the Swiss Post e-voting system in mathematical form. It demonstrates that the cryptographic elements ensure voting secrecy as well as individual and universal verifiability. Putting the different cryptographic elements together produces the cryptographic protocol. This document is intended to describe the security goals and trust assumptions of the e-voting system and, building on this, to prove that these are satisfied by means of mathematical methods. This formal demonstration is a key element of modern cryptography and is required by the Federal Chancellery for e-voting.
The symbolic analysis supplements the cryptographic evidence as verification that Swiss Post’s e-voting system maintains voting secrecy and complies with individual and universal verifiability. The symbolic analysis is written in the ProVerif programming language. Its correctness can be checked automatically using suitable software.
A source code is a text written in a particular programming language. It sets out the specific rules and requirements used to create a piece of software. The e-voting system’s source code contains the elements of the entire software through which the requirements of the cryptographic protocol are implemented.
The published source code for the e-voting system is prepared in such a way that it can be compiled, tested and simulated with ease.
The specification provides a detailed description of the cryptographic protocol. It describes the process from the configuration of the electronic contest to the casting and counting of votes. It contains codes known as pseudocodes, which serve to illustrate algorithms. The specification describes the more general algorithms and some of the underlying components.
The library released by Swiss Post contains key cryptographic algorithms, known as cryptographic primitives. These are used in both the e-voting system and the separate verification software. A key element of the cryptographic primitives that are currently available is the algorithms used in the mix network. Additional algorithms will be integrated in later phases of the disclosure.
The specifications for the cryptographic primitives are also available.
System documentation (“infrastructure white paper”)
The infrastructure white paper describes the e-voting infrastructure and all the security aspects that have been implemented. This includes information about data centers and the structure and application of the infrastructure and the databases. The various security measures are also outlined.
The architecture documentation details the overall structure of the e-voting system: from the legal framework to the actual e-voting solution with its various components and interfaces, the principles of the architecture and decisions related to it, and the quality requirements specified for the system.
Description of the development process
Swiss Post is developing the e-voting system using agile project management. This document describes the software development, gives an overview of which tools were used and demonstrates how the various quality specifications are followed during development and how they are checked. The procedure for the regular source code disclosure is also explained.
Operation Whitepaper describes the e-voting operational processes and all the security aspects that have been implemented. This includes information on the business organization, support provisions, modifications and maintenance, and also back-up and restoration processes.
Tests are carried out at various levels as part of the development of the e-voting system. The software is checked for compliance with the requirements set out in the Federal Chancellery’s Ordinance on Electronic Voting (OEV) and Post CH Ltd’s internal specifications in accordance with the ISO 25010 standard. The test concept describes the entire procedure, including the test objects, the infrastructure used, the reporting and the test organization.
The Trusted Build is a reliable, verifiable software compilation used to ensure that the executable release is created using verified components. Procedural and organizational measures are carried out to meet the requirements of the OEV.
The mix network is the basis for the complete verifiability of Swiss Post’s e-voting system. It consists of mixers that mix and re-encrypt the votes after the electronic ballot box has been closed on the Election/Voting Sunday. The mix network prevents the individual and the vote they have cast from being linked to each other and ensures that voting secrecy is protected. Additionally, the mix network provides evidence that no votes were changed, deleted or added. The algorithms used in the mix network are available in the published open-source library of cryptographic primitives. Swiss Post has completely rewritten these algorithms. Swiss Post’s e-voting system is based on the Bayer-Groth mix network.
Thanks to universal verifiability, electoral authorities can verify the votes during counting to see whether they have been manipulated in the electronic ballot box. The check is comparable to the recounting of physical ballots. Universal verifiability enables independent control and verification of the ballot by the cantons. For universal verifiability, separate software is required, which is referred to as a verifier.
In the case of individual verifiability, voters receive choice return codes on paper together with their election or voting documents. When they cast their vote, they compare the codes with the codes shown on the screen and can thus be sure that their vote has arrived correctly in the ballot box.
Swiss Post’s new e-voting system provides complete verifiability. Cantonal electoral authorities can use this system to check all electronically cast votes after the ballot box has been closed and determine any irregularities. The verification software is available to the auditors for these checks. This software, which is independent of the system and not connected to any network, provides proof of whether the generated cryptographic evidence has been registered correctly. If all evidence is correct, the authenticity of all electronically cast votes and their counting is confirmed. Among other things, the software detects if the server on which the provider is running the system has been infiltrated.
Swiss Post will publish the verification software under an expansive open-source licence.
On this basis, third parties with or without commercial objectives can test and redevelop the software, and place it on the market as an independent product. Swiss Post’s aim is to enable the use of third-party verification software.
Ethical hackers from around the world can attempt to access Swiss Post’s e-voting infrastructure as part of the public intrusion test. The test serves to find vulnerabilities and continually improve the system’s security. It is Swiss Post’s e-voting infrastructure that is attacked, and not its entire IT infrastructure. Swiss Post rewards confirmed vulnerabilities and publishes them on the GitLabTarget not accessible specialist platform. The four-week public intrusion test is part of Swiss Post’s e-voting community programme and is conducted on a recurring basis.