Swiss e-voting pilot can't count 2,048 ballots after decryption failure

Original Article ↗ Hacker News Discussion ↗

Scope of the Swiss incident

  • Several comments stress the word “pilot”: small-scale, limited to a few cantons, with participants told it was experimental.
  • Only one of four participating cantons was affected; others worked.
  • Failure seems tied to decryption / key-handling (USB sticks, Shamir secret sharing), with suspicion around the “2048” number but no firm technical explanation in the thread.
  • Many see this as exactly what pilots are for: finding problems before wider rollout.

Why e-voting at all?

  • Proponents: faster counts, lower cost, easier logistics, better access for:
    • Citizens abroad with unreliable mail.
    • Large, sparsely populated or continent-sized countries.
    • People with disabilities or other barriers to in‑person voting.
  • Critics: paper systems in places like Germany, Canada, UK, Netherlands already work quickly and reliably; e‑voting often looks like a “solution in search of a problem.”

Security, verifiability, and public trust

  • Strong theme: elections must not just be secure but obviously so to non-experts.
  • Paper ballots:
    • Are simple, observable, and auditable by ordinary citizens and party observers.
    • Fraud is possible but hard to scale and leaves physical traces; usually local and detectable.
  • E‑voting:
    • Expands attack surface (supply chain, software bugs, insiders, malware, remote actors).
    • Shifts trust to opaque code, hardware, and central databases.
    • Gives losers “infinite” technical angles to contest results.
  • Several argue the core purpose of elections is “agreeable consent,” not mathematically perfect cryptography.

Cryptographic and design proposals

  • Mention of homomorphic encryption, mixnets, zero‑knowledge proofs, and schemes like Helios/Belenios to get verifiable tallies without revealing individual votes.
  • Counter‑arguments:
    • Average voters cannot understand or personally verify such systems.
    • Cast‑as‑intended verifiability conflicts with ballot secrecy and anti‑coercion (no receipts proving how you voted).
    • Even with open source, reproducible builds and full-image audits are hard in practice.

Hybrid and alternative models

  • Suggested compromises:
    • Machine interfaces that produce voter‑verifiable paper ballots, then scan them; paper retained for recounts and risk‑limiting audits.
    • Dual paper+electronic systems used only for comparison and research.
  • Some note that once you have robust paper, the marginal benefit of electronics is mostly speed, which many consider not worth the added complexity and risk.