Git — Sourcephile - majurity.git/blob - hjugement-protocol/hjugement-protocol.cabal
protocol: rename Proove -> Prove
name: hjugement-protocol
-- PVP:  +-+------- breaking API changes
--       | | +----- non-breaking API additions
--       | | | +--- code changes with no API change
version: 0.0.0.20190428
category: Politic
synopsis: A cryptographic protocol for the Majority Judgment.
description:
  This work-in-progress library aims at implementing an online voting protocol
  named <https://eprint.iacr.org/2013/177.pdf Helios-C> (Helios with Credentials)
  by its authors from the <https://www.cnrs.fr/ CNRS>,
  the <http://www.loria.fr INRIA>
  and the <https://www.univ-lorraine.fr/ Université de Lorraine>:
  <http://www.loria.fr/~cortier/ Véronique Cortier>,
  <https://dgalindo.es/ David Galindo>,
  <http://www.loria.fr/~gaudry/ Pierrick Gaudry>,
  <http://stephane.glondu.net/ Stéphane Glondu>
  and Malika Izabachène.
  .
  (TODO) Actually, this protocol is adapted slightly here to better support
  a voting method known as the <http://libgen.io/book/index.php?md5=BF67AA4298C1CE7633187546AA53E01D Majority Judgment>.
  .
  An introduction to Helios-C for the general public (in French) is available here:
  <https://members.loria.fr/VCortier/files/Papers/Bulletin1024-2016.pdf Bulletin de la société informatique de France – numéro 9, novembre 2016>.
  .
  The main properties of this protocol are:
  .
  * /fully correct/: the published results are proven to correspond
    to the (sum of) intended votes of the voters,
    while accounting for a malicious bulletin board (BB) (adding fake ballots)
    by requiring a registration authority (RA)
    (responsible for generating and sending voters' credentials).
    This assumes that the BB and the RA are not simultaneously dishonest.
  .
  * /verifiable/: each voter is able to check that
    his\/her ballot did contribute to the outcome (/individual verifiability/),
    and that the tallying authorities did their job properly (/universal verifiability/).
  .
  * /private/: the identities of the voters who cast a vote are not publicly revealed.
  .
  More specifically, in this protocol:
  .
  * Ballots are encrypted using public-key cryptography
    secured by the /Discrete Logarithm problem/:
    finding @x@ in @g^x `mod` p@, where @p@ is a large prime
    and @g@ a generator of @Gq@, the multiplicative subgroup of order @q@,
    in @Fp@ (the finite prime field whose characteristic is @p@).
    Here, @p@ is 2048-bit and @q@ is 256-bit.
    The signing (Schnorr-like), the encrypting (ElGamal-like)
    and the /Decisional Diffie-Hellman/ (DDH) assumption
    all rely on the hardness of that problem.
  * Ballots are added without being decrypted,
    because adding (multiplying actually) ciphertexts then decrypting
    is like decrypting then adding plaintexts (/additive homomorphism/).
    This requires solving the /Discrete Logarithm Problem/
    for numbers in the order of the number of voters,
    which is not hard for small numbers (with a lookup table as here,
    or with Pollard’s rho algorithm for logarithms).
  * The /Schnorr protocol/ is used to prove that a voter has knowledge
    of the secret key used to sign their votes.
    A voter's credential is a secret key (the signing key)
    that has a public part (the verification key).
    The association between the public part and the corresponding voter’s identity
    does not need to be known, and actually should not be disclosed to satisfy
    e.g. the French requirements regarding voting systems.
    Using credentials prevents the submission of duplicated ballots
    (because they are added as an additional input to the random oracle
    in the /non-interactive zero-knowledge/ (NIZK) proofs for ciphertext well-formedness).
    This allows a test for duplicates that depends only on the number of voters,
    and thus enables Helios-C to scale for larger elections while attaining correctness.
  * The /Chaum-Pedersen protocol/ (proving the equality of discrete logarithms)
    is used to prove that ciphertexts are well-formed
    (encrypting a 0 or a 1… or any expected natural) without decrypting them.
    This is known as a /Disjunctive Chaum-Pedersen/ proof of partial knowledge.
  * A /strong Fiat-Shamir transformation/ is used
    to transform the /interactive zero-knowledge/ (IZK) /Chaum-Pedersen protocol/
    into a /non-interactive zero-knowledge/ (NIZK) proof, using a SHA256 hash.
  * (TODO) Pedersen's /distributed key generation/ (DKG) protocol,
    coupled with ElGamal keys (under the DDH assumption),
    is used to have a fully distributed, semantically secure encryption.
extra-doc-files:
license: GPL-3
license-file: COPYING
stability: experimental
author: Julien Moutinho <julm+hjugement@autogeree.net>
maintainer: Julien Moutinho <julm+hjugement@autogeree.net>
bug-reports: Julien Moutinho <julm+hjugement@autogeree.net>
-- homepage:

build-type: Simple
cabal-version: 1.24
tested-with: GHC==8.4.4
extra-source-files:
  stack.yaml
extra-tmp-files:

Source-Repository head
  location: git://git.autogeree.net/hjugement
  type: git

Library
  exposed-modules:
    Protocol.Arithmetic
    Protocol.Credential
    Protocol.Election
  default-language: Haskell2010
  default-extensions:
    AllowAmbiguousTypes
    ConstraintKinds
    DefaultSignatures
    FlexibleContexts
    FlexibleInstances
    GeneralizedNewtypeDeriving
    LambdaCase
    MonoLocalBinds
    MultiParamTypeClasses
    NamedFieldPuns
    NoImplicitPrelude
    NoMonomorphismRestriction
    RecordWildCards
    ScopedTypeVariables
    TupleSections
    TypeApplications
    TypeFamilies
    TypeOperators
    UndecidableInstances
  ghc-options:
    -Wall
    -Wincomplete-uni-patterns
    -Wincomplete-record-updates
    -fno-warn-tabs
    -- -fhide-source-paths
  build-depends:
      base >= 4.6 && < 5
    , bytestring >= 0.10
    , containers >= 0.5
    , cryptonite >= 0.25
    -- , fixed-vector >= 1.1
    -- , hashable >= 1.2.6
    , memory >= 0.14
    , mmorph >= 1.1
    -- , monad-classes >= 0.3
    , random >= 1.1
    -- , reflection >= 2.1
    , text >= 1.2
    , transformers >= 0.5
    , unordered-containers >= 0.2.8

Test-Suite hjugement-protocol-test
  type: exitcode-stdio-1.0
  hs-source-dirs: test
  main-is: Main.hs
  other-modules:
    HUnit
    HUnit.Arithmetic
    HUnit.Credential
    HUnit.Election
    HUnit.Utils
    -- QuickCheck
  default-language: Haskell2010
  default-extensions:
    AllowAmbiguousTypes
    ConstraintKinds
    DefaultSignatures
    FlexibleContexts
    FlexibleInstances
    GeneralizedNewtypeDeriving
    LambdaCase
    MonoLocalBinds
    MultiParamTypeClasses
    NamedFieldPuns
    NoImplicitPrelude
    NoMonomorphismRestriction
    RecordWildCards
    ScopedTypeVariables
    TupleSections
    TypeApplications
    TypeFamilies
    TypeOperators
    UndecidableInstances
  ghc-options:
    -Wall
    -Wincomplete-uni-patterns
    -Wincomplete-record-updates
    -fno-warn-tabs
    -- -fhide-source-paths
  build-depends:
      hjugement-protocol
    , base >= 4.6 && < 5
    , containers >= 0.5
    , hashable >= 1.2.6
    , QuickCheck >= 2.0
    -- , monad-classes >= 0.3
    , random >= 1.1
    -- , reflection >= 2.1
    , tasty >= 0.11
    , tasty-hunit >= 0.9
    , tasty-quickcheck
    , text >= 1.2
    , transformers >= 0.5
    , unordered-containers >= 0.2.8
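
The additive-homomorphism point in the description above (multiply the ciphertexts, decrypt once, recover the small sum with a lookup table), as an added Python example that is not code from hjugement-protocol. The toy group (p = 2039, q = 1019, g = 4) and all function names are assumptions made for illustration; the package itself states a 2048-bit p and a 256-bit q.

```python
# Added illustration (not hjugement-protocol code): exponential ElGamal tally.
import secrets

# Constructed toy group: p = 2q + 1 with p and q prime; g = 4 generates the
# order-q subgroup Gq. Far too small for real use; chosen so the maths is visible.
P, Q, G = 2039, 1019, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1          # secret key in [1, q-1]
    return x, pow(G, x, P)                    # (secret x, public y = g^x)

def encrypt(y, vote):
    """Encrypt g^vote, so that multiplying ciphertexts adds the votes."""
    r = secrets.randbelow(Q - 1) + 1          # fresh randomness per ballot
    return pow(G, r, P), (pow(G, vote, P) * pow(y, r, P)) % P

def combine(ciphertexts):
    """Homomorphic addition: component-wise product of (alpha, beta) pairs."""
    alpha, beta = 1, 1
    for a, b in ciphertexts:
        alpha, beta = (alpha * a) % P, (beta * b) % P
    return alpha, beta

def decrypt_exponent(x, ct):
    """Return g^m = beta / alpha^x; m itself stays in the exponent."""
    alpha, beta = ct
    return (beta * pow(alpha, Q - x, P)) % P  # alpha^(q-x) = alpha^(-x) in Gq

def small_dlog(h, bound):
    """Lookup-table discrete log for 0 <= m <= bound; None if out of range."""
    table, acc = {}, 1
    for m in range(bound + 1):
        table[acc] = m
        acc = (acc * G) % P
    return table.get(h)

def tally(x, ballots):
    """Decrypt only the aggregate; individual ballots are never opened."""
    return small_dlog(decrypt_exponent(x, combine(ballots)), len(ballots))
```

The table only needs as many entries as there are voters, which is why recovering the sum stays cheap even though the general discrete logarithm in the group is assumed hard.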