How not to prove your election outcome

Published: 25 March 2019

The use of non-adaptive zero knowledge proofs in the Scytl-SwissPost Internet voting system, and its implications for decryption proof soundness


  • Sarah Jamie Lewis - Open Privacy Research Society
  • Olivier Pereira - UCLouvain – ICTeam, B-1348 Louvain-la-Neuve, Belgium
  • Vanessa Teague - The University of Melbourne, Parkville, Australia


We show that a weakness in the SwissPost-Scytl implementation of the Fiat-Shamir transform allows the creation of false decryption proofs, which verify perfectly but actually “prove” a decryption that is different from the true plaintext.

This could, for instance, be used by a cheating decryption service to change valid votes into nonsense that would not be counted. This attack could have a political effect if the attacker knew which votes supported a party it wanted to harm.

Although it would be informally apparent that something had gone wrong, the formal verification process would pass. This contradicts the complete verifiability property that this voting system is supposed to offer. If the decryption proofs were mistakenly believed to be sound, it seems that our exploit would put the system in an “impossible state”, which would make it difficult to define a meaningful investigation process. We have provided two cheating decryption proof transcripts with this report, which verify but do not claim the correct plaintext.

SwissPost have not yet confirmed our analysis, and NSWEC claim that this problem does not affect the iVote system. We also list a collection of other issues in the implementation of non-interactive zero knowledge proofs. These cause concern, though it is not immediately obvious how they could be exploited.


Since the above abstract was written, SwissPost & Scytl have confirmed our analysis, and the entire e-voting program was suspended after we reported a 3rd critical flaw which impacted Individual Verifiability.
