Especially considering Swiss Post keep wanting to (inconsistently) associate our findings with the PIT.
(Do we know how much money that was? Last I checked it hadn't been disclosed.)
NSWEC had to address 2 critical issues in the code base during an election cycle.
On the other hand...wow that's an interesting time to plan a PIT for.
OR...they didn't know...which calls into question the competence of Swiss Post.
My vote would be for a public inquiry, but I don't get a vote (at least officially...)
* How many reviews did this system go through prior to the source code "release"
* When was the Shuffle Proof trapdoor found initially (2017? by who?)
* Why was the Shuffle Proof trapdoor not fixed if it was found
* Why didn't any of the previous audits identify the use of a non-collision-resistant hash function in the ZKP implementation?
* Why was non-Swiss ZKP code released as part of the Swiss code base?
* How much code does the Swiss system share with iVote?
* Why was the PIT scheduled to occur during an election using iVote?
* Did Swiss Post know that iVote shared much of the same code?
* If this code has been reworked, can we see previous implementations of these ZKPs?
Were those findings acted upon?
Considering that it has been reported by Swiss Post that Scytl did not act upon a previous discovery of the Shuffle Proof issue what mechanisms failed to catch that inaction?
Why are they so confident that the Decryption Proof issue doesn't impact them when they felt the need to emergency patch their system when the Shuffle Proof issue was discovered?
Was this a naive implementation? Are there in-house review processes to catch such issues? (If there are then why did they fail? Otherwise, why didn't they exist?)
This is the security of national elections we are talking about.
This is, quite simply, a complete clusterfuck.
Evoting is, by far, the most opaque, convoluted meta-system I've every encountered.
These questions aren't going away though.