Addendum to How not to prove your election outcome

Published: 29 March 2019

The use of non-adaptive zero knowledge proofs in theScytl-SwissPost Internet voting system, and its implications for decryption proof soundness


  • Sarah Jamie Lewis - Open Privacy Research Society
  • Olivier Pereira - UCLouvain – ICTeam, B-1348 Louvain-la-Neuve, Belgium
  • Vanessa Teague - The University of Melbourne, Parkville, Australia


This note extends our earlier analysis of the use of the weak Fiat-Shamir transform in the Scytl-SwissPost Internet voting system. Here we show that a cheating client can perform essentially the same attack we described in “How not to prove your election outcome.” In the client case, this involves submitting a nonsense vote while successfully faking a proof that its partial return codes match the vote. The effect would be that the voter would receive exactly the right return codes as if their vote had been properly cast, but at decryption time the vote would be nonsense that would not be counted.


Since the above abstract was written SwissPost & Scytl have confirmed our analysis, and the entire evoting program was suspended after it was determined that this flaw impacted Individual Verifiability in systems currently in use in Switzerland.

Full Text: