Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Security analysis of the Australian Capital Territory's eVACS 2020/2024 paperless direct recording electronic voting system

Chris Culnane, Andrew Conway, Vanessa Teague, Ty Wilson-Brown

TL;DR

This report describes the implications for eVACS of two cryptographic errors in the Ada Web Services Library that it depends on in the course of examining and testing the 2024 eVACS code.

Abstract

This report describes the implications for eVACS of two cryptographic errors in the Ada Web Services Library that it depends on. We identified these errors in the course of examining and testing the 2024 eVACS code, which was made publicly available in March 2024. We disclosed the problems to AdaCore, and explained the implications at the time to the relevant electoral authorities.

Security analysis of the Australian Capital Territory's eVACS 2020/2024 paperless direct recording electronic voting system

TL;DR

This report describes the implications for eVACS of two cryptographic errors in the Ada Web Services Library that it depends on in the course of examining and testing the 2024 eVACS code.

Abstract

This report describes the implications for eVACS of two cryptographic errors in the Ada Web Services Library that it depends on. We identified these errors in the course of examining and testing the 2024 eVACS code, which was made publicly available in March 2024. We disclosed the problems to AdaCore, and explained the implications at the time to the relevant electoral authorities.
Paper Structure (15 sections, 1 figure, 1 algorithm)

This paper contains 15 sections, 1 figure, 1 algorithm.

Table of Contents

  1. Linking voting order to votes in eVACS 2020/2024
  2. Main finding (privacy)
  3. Recommendations
  4. Related work
  5. How eVACS generates the published votes
  6. Background: pseudorandom number generation
  7. How eVACS generates pseudorandom pindex values
  8. Algorithm for un-shuffling ballots
  9. Results
  10. Bias in the generation of random column selections
  11. Main finding (party bias)
  12. TLS Security
  13. Main finding (network security)
  14. Code updates 15 Sep 2024
  15. Conclusion: Implications and recommendations

Figures (1)

  • Figure 1: Two published votes from Ginninderra 2020. Note that each vote has several different preferences, all with the same pindex