E-voting system’s "construction manual" disclosed 05.05.2021

The disclosure of Swiss Post’s new e-voting system is making progress. Various improvements have already been implemented thanks to feedback from national and international experts. The system specifications are now ready for verification. A public bug bounty programme for e-voting is being launched in the second half of the year.

The disclosure of the future e-voting system with complete verifiability began in early 2021 and is being conducted in phases. Swiss Post specifically began this process at an early stage so that it would have enough time to implement reported improvements. The cryptographic protocol and an open source library with key cryptographic algorithms have already been disclosed. Swiss Post is now publishing the specifications for the system.

Experts can test the system specifications

The specifications provide a detailed description of the cryptographic protocol. They are effectively the construction manual for the e-voting system and explain all of its components. They describe the whole process, from the configuration of the electronic ballot to the casting and counting of votes. They contain pseudocode that illustrates the algorithms. The specifications describe the more general algorithms and some of the underlying building blocks.

Various improvements implemented thanks to feedback

The community programme has gathered pace since the start of the disclosure process: various national and international researchers have reported their findings. Swiss Post is posting all findings on GitLab and is in dialogue with the experts who submit reports and the community. Based on the feedback received, Swiss Post has identified various improvements to the algorithms published in the open source library. The new version of the cryptographic protocol, which is now being published, contains a correction to the individual verifiability reported as part of the disclosure.

Public bug bounty programme and forthcoming stages

Swiss Post is committed to bug bounty programmes. They are deemed best practice internationally, but are not yet firmly established in Switzerland. Swiss Post aims to pave the way for the introduction of these new methods in Switzerland. Bug bounty programmes are based on the premise that the development of IT systems is never complete, but is a continuous process in which security vulnerabilities are detected and rectified. This is vital, not least because the methods used to attack systems are continually evolving. Collaboration with ethical hackers is especially useful in this process, as it ensures that we always remain one step ahead of cybercriminals.

Swiss Post is gradually extending its bug bounty programme to e-voting. It will launch the public bug bounty programme for e-voting in the second half of 2021. Anyone who is interested can contact Swiss Post now to be notified when the programme starts.

Swiss Post will publish the system’s source code and separate verification software over the coming months.

More information about the disclosure of the new e-voting system can be found on the community website.
