1. Introduction
1.1 Purpose of This Manual
This manual provides step-by-step operational procedures for all participants in the Swiss Post e-voting election ceremony, as implemented in the Go proof-of-concept (PoC) system evote.
The Go PoC reimplements the cryptographic core of the production Swiss Post e-voting system in approximately 6,500 lines of Go. It uses the same algorithms (ElGamal encryption, Schnorr proofs, Bayer-Groth verifiable shuffle) but operates as a single-machine, command-line tool rather than a distributed multi-server deployment.
Despite the simplified infrastructure, the Go PoC preserves the same role structure as the production system. Each role's responsibilities, trust boundaries, and ceremony steps are faithfully reproduced.
1.2 System Overview
The e-voting system operates in three phases across three days:
| Phase | Day | Key Operations | Primary Roles |
|---|
| Configuration | Day 1 | Key generation, voting card creation, system setup | Cantonal Admin, CC Operators |
| Release & Voting | Day 2 + Voting Period | Electoral Board constitution, setup verification, ballot casting | Electoral Board, Verifier, Voters |
| Tally | Day 3 | Mixing, decryption, tally verification, result publication | CC Operators, Electoral Board, Verifier |
1.3 Role Structure & Legal Basis
The role structure follows the Ordinance on Electronic Voting (OEV/VEleS) issued by the Federal Chancellery (Bundeskanzlei). All operational roles, trust boundaries, and separation-of-duties requirements are mandated by law.
The following organizational hierarchy applies:
Federal Chancellery (Bundeskanzlei)
|-- Issues OEV Ordinance, commissions independent examiners
|
+-- Cantons (each independent)
|-- Electoral Board (>= 2 members)
| +-- Verifier Operator
|
|-- Cantonal Administrator
| +-- Operates SDM (Setup, Online, Tally)
| +-- Manages 1 Control Component
| +-- Manages Printing Office
|
+-- Contracts with Swiss Post (System Provider)
|-- Operates Voting Server, Access Layer
+-- Operates 3 of 4 Control Components (separate teams)
In the Go PoC, all roles are exercised by the same person on the same machine via different evote subcommands. In production, these roles are performed by different people on different machines with strict access controls.
1.4 Prerequisites
- The
evote binary (build with go build ./cmd/evote)
- Go 1.21 or later (only for building; the binary is self-contained)
- A terminal (macOS Terminal, Linux shell, or Windows command prompt)
- No network access, database, or external services required
# Build the binary
cd evote/
go build -o evote ./cmd/evote
./evote --help
2. Cantonal Administrator
2.1 Role Description
The Cantonal Administrator operates the SDM under cantonal authority, not under Swiss Post. All personal data (electoral registers) remains exclusively at the canton. The four-eyes principle applies to all SDM operations.
2.2 Day 1 -- Configuration Phase
1
Initialize the election and generate cryptographic parameters
Decide on the number of voters and ballot options.
# Full automated ceremony:
./evote demo --voters=6 --options=2
2
Coordinate Control Component key generation
The system generates key pairs for all 4 CCs and the Electoral Board. Each CC generates a Schnorr proof of knowledge.
CC0 (Bern): Key generated, Schnorr proof VALID
CC1 (Zurich): Key generated, Schnorr proof VALID
CC2 (Geneva): Key generated, Schnorr proof VALID
CC3 (Lugano): Key generated, Schnorr proof VALID
3
Combine public keys into Election Public Key
The 5 public keys are multiplied together to form the joint Election Public Key.
ElectionPK = PK0 * PK1 * PK2 * PK3 * PK_EB mod p
4
Generate voting cards
Each voter receives a unique voting card with SVK, BCK, Choice Return Codes, and Vote Cast Code.
In the Go PoC, voting cards are displayed on screen. In production, these are printed on physical paper and mailed to voters.
2.3 Day 2 -- Release Phase
The Cantonal Administrator coordinates the Electoral Board constitution and triggers setup verification. Once verification passes, the voter portal is activated.
2.4 Day 3 -- Tally Phase
The Cantonal Administrator initiates mixing, coordinates Electoral Board password entry for decryption, and triggers tally verification.
3. Electoral Board
3.1 Role Description
The Ordinance requires a minimum of 2 Electoral Board members. Each member's password must meet complexity requirements (minimum 24 characters in production). The board operates on air-gapped machines.
3.2 Constituting the Board (Day 2)
1
Each board member sets a password
The combined passwords derive the Electoral Board's secret key via Argon2id.
EB member 1: enters password --> |
EB member 2: enters password --> |-- Argon2id --> sk_EB
EB member 3: enters password --> |
pk_EB = g^sk_EB mod p
If any board member forgets their password, the ballot box cannot be decrypted. There is no recovery mechanism.
3.3 Authorizing Decryption (Day 3)
1
Enter passwords on the Tally SDM
After 4 CC shuffles, each board member enters their password to reconstruct the EB secret key.
2
Authorize the final shuffle and decryption
The system performs the 5th Bayer-Groth shuffle and removes the last encryption layer.
The Electoral Board never sees which voter cast which vote. The 5 independent shuffles have permanently destroyed the link between voter identities and ballot contents.
4. Swiss Post -- System Provider
4.1 Role Description
4.2 Infrastructure & Central Services
| Component | Technology | Purpose |
|---|
| Access Layer | WAF, TLS termination | Protects the Voting Server |
| Voting Server | Spring Boot, Kubernetes | Processes vote submissions |
| 3 Control Components | Bare metal, diverse OS | Distributed key gen, return codes, shuffle |
| Message Broker | Apache ActiveMQ Artemis | Async communication |
| Databases | PostgreSQL | Encrypted ballots, config, audit logs |
In the Go PoC, all of Swiss Post's infrastructure is simulated within the evote binary.
4.3 Red Phase (Voting Period)
- No system modifications permitted
- Infrastructure access strictly controlled
- SIEM monitoring active
- Only pre-authorized personnel may access systems
5. Control Component Operators
5.1 Role Description & Split Trust
OEV Art. 3.15: "If a person has physical or logical access to a control component, that person may not have access to any other control component."
| CC | Location | OS | Operated By |
|---|
| CC0 | Canton premises | RHEL 9.6 | Canton |
| CC1 | Swiss Post DC | Debian 12.12 | Swiss Post Team A |
| CC2 | Swiss Post DC | Ubuntu 24.04 | Swiss Post Team B |
| CC3 | Swiss Post DC | Windows Server 2022 | Swiss Post Team C |
5.2 Key Generation (Setup Phase)
1
Generate the key pair
Each CC generates sk = (sk[0], sk[1]) randomly from Z_q. Publishes pk = (g^sk[0], g^sk[1]).
2
Generate the Schnorr proof of knowledge
Non-interactive Schnorr proof (Fiat-Shamir) demonstrating knowledge of the secret key.
3
Publish public key and proof
Transmitted to the central system for combination with other CCs' keys.
5.3 Shuffle & Partial Decryption (Tally Phase)
1
Receive the current ciphertext batch
2
Generate a random permutation
4
Generate the Bayer-Groth shuffle proof
Zero-knowledge proof with sub-linear O(√N) size: ProductArgument, HadamardArgument, ZeroArgument, SingleValueProductArgument, MultiExponentiationArgument.
5
Destroy the permutation
Securely erase the permutation and all re-encryption randomness.
6
Perform partial decryption
Remove this CC's encryption layer.
The permutation must be destroyed immediately after the proof is generated.
6. Printing Office
6.1 Role Description
6.2 Voting Card Generation & Distribution
| Field | Purpose | Example |
|---|
| Start Voting Key (SVK) | Authentication credential | SVK-0000 |
| Ballot Casting Key (BCK) | Vote confirmation credential | BCK-0000 |
| Choice Return Codes | Verify correct recording | CC00, CC01 |
| Vote Cast Code (VCC) | Confirm vote is sealed | VCC00 |
Voting cards must be printed on physical paper and delivered via postal mail. The codes must never be transmitted electronically.
7. Voter
7.1 Role Description
7.2 Voting Procedure
1
Open the voting portal
Navigate to the official URL. Verify the TLS certificate.
2
Authenticate
Enter your Start Voting Key (SVK) and date of birth.
3
Cast your vote
Your browser encrypts the vote locally using ElGamal. The plaintext vote never leaves your device.
4
Verify the Choice Return Code
Compare the code on screen to your physical voting card. If they match, proceed. If not, STOP.
5
Confirm with the Ballot Casting Key
Enter your BCK to finalize.
6
Verify the Vote Cast Code
Compare the VCC on screen to your card. If it matches, your vote is sealed.
7.3 Individual Verifiability
The return code mechanism provides individual verifiability: each voter can personally verify their vote was cast as intended and recorded as cast.
Even if your computer is compromised, the return codes on the physical card were generated independently by the 4 CCs during setup. A malware-modified vote would produce the wrong return code.
8. Independent Verifier
8.1 Role Description
The Verifier provides universal verifiability: any party can audit the election using only public data and mathematics.
8.2 Setup Verification (Day 2)
- Key proofs: Verify Schnorr proof for each CC
- Key combination: Verify Election Public Key is correct product of all 5 keys
- Voting card integrity: Verify return code mappings
8.3 Tally Verification (Day 3)
1
Verify all Schnorr proofs (4 key proofs)
CC0 (Bern): [PASS]
CC1 (Zurich): [PASS]
CC2 (Geneva): [PASS]
CC3 (Lugano): [PASS]
2
Verify all Bayer-Groth shuffle proofs (5 shuffle proofs)
Shuffle 0 (CC0, Bern): ==> VERIFIED
Shuffle 1 (CC1, Zurich): ==> VERIFIED
Shuffle 2 (CC2, Geneva): ==> VERIFIED
Shuffle 3 (CC3, Lugano): ==> VERIFIED
Shuffle 4 (Electoral Board): ==> VERIFIED
3
Verify ballot count consistency
Ballots submitted: 6
Ballots decrypted: 6
==> PASS
8.4 Interpreting Results
If all checks pass, the Verifier provides mathematical certainty that the election result is correct.
If any check fails, the election result must not be published. Contact the Federal Chancellery immediately.
9. Federal Chancellery & External Examiners
9.1 Oversight Role
9.2 Four Audit Scopes
| Scope | Subject | Examiner |
|---|
| Scope 1 | Cryptographic protocol | Academic cryptographers |
| Scope 2 | System software | Software security auditors |
| Scope 3 | Infrastructure & operations | Infrastructure security auditors |
| Scope 4 | Penetration testing | Pen testers + bug bounty |
Appendix A: Command Reference
| Command | Description | Key Flags |
|---|
evote demo | Run a full election ceremony | --voters=N, --options=N |
evote present | Interactive step-by-step presentation | (same as demo) |
evote serve | Serve the web presentations | --port=N |
# Minimal election
./evote demo --voters=3 --options=2
# Larger election
./evote demo --voters=100 --options=5
# Step-by-step presentation
./evote present
# Serve web presentations on local network
./evote serve --port=8080
Appendix B: Ceremony Checklist
Day 1 -- Configuration
- Election parameters defined (voters, options)
- Cryptographic group generated (safe prime p = 2q + 1)
- CC0: key pair generated, Schnorr proof valid
- CC1: key pair generated, Schnorr proof valid
- CC2: key pair generated, Schnorr proof valid
- CC3: key pair generated, Schnorr proof valid
- Election Public Key computed
- Candidate encoding computed
- Voting cards generated for all voters
Day 2 -- Release
- Electoral Board constituted, passwords set
- EB key pair generated
- Verifier: setup verification -- all PASS
- Voter portal activated
- Voting cards printed and mailed
Voting Period
- All voters: authenticated, voted, verified, confirmed
- System monitoring active (red phase)
Day 3 -- Tally
- CC0: shuffle + proof + partial decrypt
- CC1: shuffle + proof + partial decrypt
- CC2: shuffle + proof + partial decrypt
- CC3: shuffle + proof + partial decrypt
- Electoral Board: final shuffle + full decryption
- Votes decoded, result tallied
- Verifier: 4 key proofs -- all PASS
- Verifier: 5 shuffle proofs -- all PASS
- Verifier: ballot count -- PASS
- Result published
Appendix C: Production vs. Go PoC
| Aspect | Production | Go PoC |
|---|
| Language | Java 21 + TS + C# | Go |
| Prime size | 3072 bits | 256 bits (demo) |
| Infrastructure | Kubernetes + 4 bare-metal CCs + SDM | Single binary |
| Networking | HTTPS, RSocket/CBOR, ActiveMQ | In-memory |
| Persistence | PostgreSQL | In-memory |
| Voter Portal | Angular SPA, 4 languages | Simulated in CLI |
| ElGamal | Identical algorithm | Identical algorithm |
| Schnorr proofs | Identical algorithm | Identical algorithm |
| Bayer-Groth | Identical algorithm | Identical algorithm |
| Source code | ~500K lines, 14 repos | ~6,500 lines, 1 module |
| Dependencies | BouncyCastle, Spring, Angular, ... | Cobra + x/crypto |
Swiss Post E-Voting Go PoC -- Operator Manual v1.0 -- February 2026