E-voting at the Swiss Cyber Storm conference 06.11.17
The eighth Swiss Cyber Storm conference was held in Lucerne on 18 October 2017. The main topic was e-voting. Swiss Post and the Canton of Geneva each gave a presentation about security mechanisms in e-voting systems. Christian Folini looks back at the event.
Swiss Cyber Storm is aimed at IT security experts of all types and deals with cyber security in very broad terms. E-voting was the focus early on at the event. Around three hundred people met in Lucerne and looked forward to around twenty talks.
Various presentations addressed people’s behaviour. The days when experts believed only in technical solutions to security problems are long gone. Users are increasingly the focus of attention. Professor Daniela Oliveira from Florida, for example, investigated people’s susceptibility to phishing e-mails.
Anonymous yet traceable
Professor Bryan Ford from the EPFL introduced the topic of e-voting by looking back on how it has developed in Switzerland: pilot voting schemes under the supervision of the Federal Chancellery have been taking place in Switzerland for more than fifteen years. The advances made are so promising that in spring 2017, the Federal Council called on the cantons to introduce e-voting across the board.
The prerequisite for this, however, is that numerous security problems are solved first. There are two key requirements which, for the layman, seem almost irreconcilable: voting has to be completely anonymous, yet at the same time the results must always be transparent and tamper-proof. Modern cryptographic procedures, which have partly been developed in Swiss universities, seem to make squaring this circle distinctly possible.
Verifiability as a security mechanism
The Swiss Post solution has already reached its first important milestone. The Federal Chancellery has given it approval for federal voting at the 50% level. This means that up to 50% of voting citizens in a canton can vote using the Swiss Post system. Jordi Puiggalí from Barcelona presented the solution. The speaker is the Head of R&D at SCYTL, the Spanish company that teamed up with Swiss Post to develop the e-voting solution. He took the bull by the horns and described the cryptographic procedures that enable so-called verifiability. This means that after casting their vote electronically, voters receive a verification code which allows them to ensure that the vote arrived in the encrypted ballot box correctly and without modification.
Inspection groups monitor the voting process
Thomas Hofer from Geneva followed on from Swiss Post’s Spanish partner. The EPFL graduate has worked for many years as a systems administrator for Geneva’s e-voting system. He presented the new CHVote system that the Canton of Geneva has developed together with the Bern University of Applied Sciences. Thomas Hofer described how Geneva has sought 100% certification from the Federal Chancellery, a goal which Swiss Post has also set its sights on. The biggest hurdle is the four inspection groups that have to monitor the voting and counting process independently of one another. A requirement set by the Federal Chancellery is that these groups are organized in such a way that the correctness of the voting result is guaranteed as long as at least one of the inspection groups is capable of withstanding an attack. This means that an attacker must manipulate the result and at the same time corrupt all four inspection groups in order to falsify the result of a vote.
After this final presentation of the day, intensive talks took place. Guests then moved to the Networking Lounge where they enjoyed refreshments, and continued their discussions for over an hour. During this time Swiss Post specialists held in-depth talks with representatives from the Canton of Geneva. This indicated that they get on well, at least on the technical side, and that so-called coopetition, as Bryan Ford describes it, could potentially be a viable option.
Christian Folini (https://twitter.com/ChrFolini) is Program Chair at Swiss Cyber Storm and an external Security Engineer at Swiss Post.