Published June 11, 2026 | Version 1.0

Transcript Binding Failure in Fiat-Shamir Decryption Proofs: A Case Study in Swiss Post E-Voting Infrastructure

Description

We report a transcript binding failure in the Fiat-Shamir challenge construction of the DecryptionProofService component within the Swiss Post e-voting cryptographic primitives library (crypto-primitives v1.5.2.1). The vulnerability arises because the Fiat-Shamir auxiliary transcript omits the gamma component of the ElGamal ciphertext during challenge derivation. Since the challenge hash is computed over (phi, m) rather than the complete ciphertext (gamma, phi, m), a proof generated for one ciphertext may verify successfully against a distinct ciphertext sharing the same phi and plaintext m but with a different gamma. We demonstrate this class of weakness through proof-of-concept analysis, characterise the cryptographic conditions under which it manifests, assess the practical security implications for verifiable election systems, and propose a minimal one-line remediation. The finding was responsibly disclosed to the Swiss Post security team on March 10, 2026 under report YWH-R879012.
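The binding property at issue can be checked mechanically. The following is an added example, not code from the paper or from crypto-primitives: it models only the challenge input described above (a real proof also hashes other values), and the tag, modulus, function names and sample statement are assumptions constructed for illustration. It perturbs each statement field in turn and reports any field the challenge ignores.

```python
import hashlib

# Constructed modulus used only to reduce the digest to an integer challenge;
# it is not the group order used by crypto-primitives.
Q = 2**255 - 19
TAG = b"decryption-proof-example"  # hypothetical domain-separation label


def encode(*parts):
    """Length-prefix each element so distinct tuples never share an encoding."""
    out = b""
    for p in parts:
        raw = p if isinstance(p, bytes) else p.to_bytes((p.bit_length() + 7) // 8 or 1, "big")
        out += len(raw).to_bytes(4, "big") + raw
    return out


def _to_challenge(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def challenge_phi_m(stmt):
    """Transcript shape the description reports: (phi, m), gamma left out."""
    return _to_challenge(encode(TAG, stmt["phi"], stmt["m"]))


def challenge_full(stmt):
    """Transcript covering the complete ciphertext (gamma, phi, m)."""
    return _to_challenge(encode(TAG, stmt["gamma"], stmt["phi"], stmt["m"]))


def unbound_fields(challenge_fn, stmt):
    """Return the statement fields that can change without changing the challenge."""
    base = challenge_fn(stmt)
    loose = []
    for name in sorted(stmt):
        mutated = dict(stmt, **{name: stmt[name] + 1})
        if challenge_fn(mutated) == base:
            loose.append(name)
    return loose


# Constructed sample statement: small integers, not real election data.
SAMPLE = {"gamma": 1234567, "phi": 7654321, "m": 424242}

if __name__ == "__main__":
    print("phi,m transcript leaves unbound:", unbound_fields(challenge_phi_m, SAMPLE))
    print("full transcript leaves unbound: ", unbound_fields(challenge_full, SAMPLE))
```

A check of this shape works as a regression test: any field that is part of the proven statement but appears in the returned list is missing from the transcript.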

Files

Sai_Ganesh_SwissPost_Fiat_Shamir_Paper.pdf

Size: 115.0 kB
md5:c7070e51897f94bfde62abd82a8d7959