The algorithm GenCMTable allows an adversary to recover the election event's set of possible short return codes
Brief Description/ Summary
Thomas Haines discovered a problem in the way the print office generates the return codes mapping table CMTable. It concerns version 0.9.8 of the computational proof of the Swiss Post Voting System. The problem was not present in the earlier version of the protocol, which included additional elements in the hash function for deriving the secret key.
Below, we include an internal analysis of the problem. Moreover, we attach Thomas Haines' analysis of the problem in the attached PDF, which matches our understanding of the problem. However, we propose a slightly different resolution of the problem.
The problem concerns the creation of the return codes mapping table CMTable in GenCMTable. Find below an extract with the relevant points of the algorithm GenCMTable highlighted.
The print office encrypts the short Choice Return Codes symmetrically before putting them into the return codes mapping table. Afterwards, the print office sends the mapping table to the untrustworthy voting server.
However, there is a flaw in the usage of the symmetric encryption scheme in the current protocol. The print office derives the symmetric encryption key from the hash of the long choice return code - which corresponds to the first column of the return code mapping table. The same is true for the short Vote Cast Return Code. The voting server could decrypt the short Choice Return Codes easily with the following algorithm.
skcc_{id,i} <-- KDF(H(lCC_{id,i},16)
CC_{id,i} <-- Dec(ctCC_{id,i}, skcc_{id,i})
Initially, the symmetric key was derived differently and included the codes secret key. Find below an extract of the earlier version of the protocol.
Impact
The voting server can learn the set of Choice Return Codes and Vote Cast Return Codes for a specific voting card set. This gives an adversary controlling the voting server an advantage for guessing the return codes.
For instance, in a given voting card set of an election, it may be that the print office assigned only half of the 10'000 possible Choice Return Codes to all possible voting options of all voters. Hence, instead of having to guess a Choice Return Code out of 10'000 possibilities, the adversary can narrow the set of possible choice return codes to 5'000 possibilities. Correct encryption of the return codes would ensure that the adversary cannot learn the set of possible return codes.
Severity
high = report with urgent priority, important and time-critical finding
Possible Solution
We solve the issue by deriving skcc from KDF(lCC_{id,i}, 16) instead of deriving it from the hash KDF(H(lCC_{id,i}), 16). Hence, we would use the hash of the long choice return code for the mapping table's entry key and the long choice return code for deriving the secret key. The same applies to the Vote Cast Return Code. Moreover, this simplifies the protocol. The next version of the protocol is going to include this correction.
Thomas Haines' Original Analysis
We want to thank Thomas Haines for the scrutiny of the Swiss Post Voting System. Attached you find the original analysis which Thomas Haines submitted to Swiss Post on 22.02.2021. Break_in_cast_as_intended.pdf