Scytl, the company that developed the broken @swisspost voting system, put out a misleading statement about what the problem in their system is. I think it’s worth unpacking.
The BG mix proof in their system has a “setup” phase in which the parameters for the proof are chosen. That means the parameters need to be chosen by a trusted party or a verifiable process, not chosen during the proving routine (as Scytl currently does.)
From an API perspective, the parameters should be an *input* to the Prove routine. Scytl didn’t realize this. They decided to put the Setup routine inside the Prove routine, which is the cryptographic equivalent of trying to walk through a glass door.
Scytl and @swisspost are trying to write this off as some sort of arcane argument about “how to generate parameters”, when the misunderstanding here is much deeper and more fundamental. It’s like they’ve been using the shaft of the hammer to pound down nails.
They’re also trying to use some kind of “we knew about this serious bug and failed to fix it” defense, which is frankly even worse than the alternative. You knew, and you left a devastating flaw in? And you should be trusted, how?
It is very hard to convey how bad this looks from an expert perspective. It’s like meeting a “surgeon” who doesn’t realize that a scalpel should be sterilized between patients; and when you point this out, they try to explain scalpel-reuse as “standard”.
Also, some folks object to my colorful analogies. So here’s the same statement expressed in technical language: “Scytl used a proof that relies on a Common Reference String and didn’t realize this, so they generated the CRS at Proving time.”
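
Added example, not part of the original thread and not Scytl's code: a toy Python sketch of why the CRS must be an input that the verifier can re-derive. It assumes Pedersen-style commitment parameters `(g, h)` as the CRS (the thread does not name the commitment scheme); the group, seed and all function names are constructed for illustration.

```python
import hashlib, secrets

P, Q = 2039, 1019   # toy safe prime P = 2Q + 1 (constructed; far too small for real use)
G = 4               # generator of the order-Q subgroup of squares mod P

def setup_verifiable(seed: bytes):
    """Derive h from a public seed by hashing into the group, so no trapdoor is chosen."""
    ctr = 0
    while True:
        d = hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        h = pow(int.from_bytes(d, "big") % P, 2, P)
        if h not in (0, 1, G):
            return (G, h)
        ctr += 1

def setup_by_prover():
    """Setup run on the proving side: h = G^t, and the prover keeps t."""
    t = secrets.randbelow(Q - 2) + 2
    return (G, pow(G, t, P)), t

def commit(params, m, r):
    g, h = params   # parameters are an input, never generated here
    return (pow(g, m % Q, P) * pow(h, r % Q, P)) % P

def verify_opening(params, seed, c, m, r):
    """Verifier re-derives the parameters from the public seed before checking."""
    return params == setup_verifiable(seed) and commit(params, m, r) == c

def equivocate(t, m, r, m2):
    """Knowing t = log_G(h), find r2 so that (m2, r2) opens the same commitment."""
    return (r + (m - m2) * pow(t, -1, Q)) % Q

def demo():
    seed = b"constructed public seed"
    good = setup_verifiable(seed)
    bad, t = setup_by_prover()
    while bad == good:                 # tiny toy group: avoid an accidental match
        bad, t = setup_by_prover()
    m, r, m2 = 7, 123, 8
    c = commit(bad, m, r)
    r2 = equivocate(t, m, r, m2)
    same = commit(bad, m2, r2) == c    # binding is lost under prover-chosen parameters
    rejected = not verify_opening(bad, seed, c, m2, r2)
    accepted = verify_opening(good, seed, commit(good, m, r), m, r)
    return same, rejected, accepted

if __name__ == "__main__":
    print(demo())
```

The check that matters is in `verify_opening`: a verifier that accepts whatever parameters arrive with the proof cannot tell the two setups apart.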