So I’m a little torn. Yesterday for fun (yes, I have bad work-life balance) I took a look at some of the @swisspost e-voting code that the agency recently provided under bug bounty. Apparently it’s being used in real elections. 1/

I did maybe an hour’s poking with @SarahJamieLewis, who also has bad work/life balance, and in that hour we found a whole bunch of non-cryptographically-secure parameters being used in their test code. So we commented on it. 2/

Woke up to a tweet from @swisspost informing me that I “may have missed” a note on page 48 of their 163-page protocol spec, that informs the reader of the “production parameters”. They’re not included in the code. 3/

https://twitter.com/swisspost/status/1097491713084571649?s=21

The actual parameters are larger and will be generated using some unspecified process. So I felt a little bad about that, even though on reflection, I don’t exactly know how they could have done a worse job at specifying this. 4/

Maybe if they’d hid them in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying ‘Beware of the Leopard,’ I would have found them. :) 5/

As some kind of penance I spent the day poking through their specs and code and OH LORD I love complicated crypto, but this terrifies even me. I can’t even make sense of some of these code patterns to find the right routines, let alone verify they’re correct. 6/

I think @SarahJamieLewis has done a great job at showing a million different scary things in that code. Go read her timeline. Here’s one just for fun:

https://twitter.com/sarahjamielewis/status/1097584389750284289?s=21

7/

In any case, I’m not going to drop a bunch of vulns because I don’t understand this code well enough to find them yet, and Sarah’s comments are worrying enough. Instead I’m going to explain what this thing is supposed to do — and why even the smallest bug is so dangerous. 8/

When you vote, your ballot is encrypted. The magic of this system is that it can do four things:

1. Verify your ballot is legit.
2. Strip away your ID, and cryptographically shuffle ballots.
3. Add the ballots up *without decrypting them*.
4. Decrypt the final tallies. 9/

The beauty of this system is that nobody can see what’s in the ballots. So I could try to vote twice. Or much more worryingly, the shuffle step could just *replace* all the ballots with new ones that elect, say, a Swiss cryptographer to office. 10/

All of these bad things are kept at bay with one of my favorite tools: zero knowledge proofs.

A ZKP makes sure you can’t vote 10,000 times. A ZKP makes sure that the shuffler (mix) doesn’t just throw away and replace all the ballots. (Actually this is a MESS of proofs.) 11/

The wonderful, horrible thing about zero knowledge proofs is that when they work, they’re amazing. When they fail, they can fail *undetectably*. Believe me, I have stories. 12/ fortune.com/2019/02/05/zca…

What I’m trying to get across here is that this is *not* exactly like a bad online voting system, where the attacker maybe has to tamper with thousands of clients. If there are bugs in these proofs, the attacker could potentially do a huge amount of damage. 13/

In the worst case, a malicious or hacked shuffling (mix) server could simply pick the next Swiss president. Or chocolate king —whatever the equivalent is over there.

I kid!! ;)

(Note to self: learn something about the Swiss political system.) 14/

All of this is a long-winded way of saying that, no, a bug bounty is NOT the right tool to evaluate something so complex and fragile. PARTICULARLY when, thanks to enterprise Java, huge portions of the critical code look like this: 15/

So to summarize this long tweet thread: *no* it is not the case (apparently) that this code is trivially broken. *no*, that does not make it safe to use in real elections, nor (as far as I know) has it been audited by anyone competent enough to really bless it. 16/

In summary, that is my story of how I ticked off the Swiss Post office and learned more about Java cryptography than I ever wanted in my head. Fin/