1 name: hjugement-protocol
2 -- PVP: +-+------- breaking API changes
3 -- | | +----- non-breaking API additions
4 -- | | | +--- code changes with no API change
5 version: 0.0.0.20190428
7 synopsis: A cryptographic protocol for the Majority Judgment.
9 This work-in-progress library aims at implementing an online voting protocol
10 named <https://eprint.iacr.org/2013/177.pdf Helios-C> (Helios with Credentials)
11 by its authors from the <https://www.cnrs.fr/ CNRS>,
12 the <http://www.loria.fr INRIA>
13 and the <https://www.univ-lorraine.fr/ Université de Lorraine>:
14 <http://www.loria.fr/~cortier/ Véronique Cortier>,
15 <https://dgalindo.es/ David Galindo>,
16 <http://www.loria.fr/~gaudry/ Pierrick Gaudry>,
17 <http://stephane.glondu.net/ Stéphane Glondu>
18 and Malika Izabachène.
20 (TODO) Actually, this protocol is adapted a little bit here to better support
21 a better method of voting known as the <http://libgen.io/book/index.php?md5=BF67AA4298C1CE7633187546AA53E01D Majority Judgment>.
23 A large-public introduction (in french) to Helios-C is available here:
24 <https://members.loria.fr/VCortier/files/Papers/Bulletin1024-2016.pdf Bulletin de la société informatique de France – numéro 9, novembre 2016>.
26 The main properties of this protocol are:
28 * /fully correct/: the published result are proven to correspond
29 to the (sum of) intended votes of the voters,
30 while accounting for a malicious bulletin board (BB) (adding fake ballots)
31 by requiring a registration authority (RA)
32 (responsible for generating and sending voters' credentials).
33 Assuming that the BB and the RA are not simultaneously dishonest.
35 * /verifiable/: each voter is able to check that:
36 his\/her ballot did contribute to the outcome (/individual verifiability/),
37 and that the tallying authorities did their job properly (/universal verifiability/).
39 * /private/: the identities of the voters who cast a vote are not publicly revealed.
41 More specifically, in this protocol :
43 * Ballots are encrypted using public-key cryptography
44 secured by the /Discrete Logarithm problem/:
45 finding @x@ in @g^x `mod` p@, where @p@ is a large prime
46 and @g@ a generator of @Gq@, the multiplicative subgroup of order @q@,
47 in @Fp@ (the finite prime field whose characteristic is @p@).
48 Here, @p@ is 2048-bit and @q@ is 256-bit.
49 The signing (Schnorr-like), the encrypting (ElGamal-like)
50 and the /Decisional Diffe Hellman/ (DDH) assumption,
51 all rely on the hardness of that problem.
52 * Ballots are added without being decrypted
53 because adding (multiplying actually) ciphertexts then decrypting,
54 is like decrypting then adding plaintexts (/additive homomorphism/).
55 Which requires to solve the /Discrete Logarithm Problem/
56 for numbers in the order of the number of voters,
57 which is not hard for small numbers (with a lookup table as here,
58 or with Pollard’s rho algorithm for logarithms).
59 * The /Schnorr protocol/ is used to prove that a voter has knowledge
60 of the secret key used to sign their votes.
61 A voter's credentials is a secret key (the signing key)
62 that has a public part (the verification key).
63 The association between the public part and the corresponding voter’s identity
64 does not need to be known, and actually should not be disclosed to satisfy
65 e.g. the French requirements regarding voting systems.
66 Using credentials prevent the submission of duplicated ballots
67 (because they are added as an additional input to the random oracle
68 in the /non-interactive zero-knowledge/ (NIZK) proofs for ciphertext well-formedness).
69 This allows a testing of duplicates which depends only on the size of the number of voters,
70 and thus enables Helios-C to scale for larger elections while attaining correctness.
71 * The /Chaum-Pedersen protocol/ (proving that equality of discrete logarithms)
72 is used to prove that ciphertexts are well-formed
73 (encrypting a 0 or a 1… or any expected natural) without decrypting them.
74 Which is known as a /Disjunctive Chaum-Pedersen/ proof of partial knowledge.
75 * A /strong Fiat-Shamir transformation/ is used
76 to transform the /interactive zero-knowledge/ (IZK) /Chaum-Pedersen protocol/
77 into a /non-interactive zero-knowledge/ (NIZK) proof, using a SHA256 hash.
78 * (TODO) A Pedersen's /distributed key generation/ (DKG) protocol
79 coupled with ElGamal keys (under the DDH assumption),
80 is used to have a fully distributed semantically secure encryption.
84 stability: experimental
85 author: Julien Moutinho <julm+hjugement@autogeree.net>
86 maintainer: Julien Moutinho <julm+hjugement@autogeree.net>
87 bug-reports: Julien Moutinho <julm+hjugement@autogeree.net>
92 tested-with: GHC==8.4.4
97 Source-Repository head
98 location: git://git.autogeree.net/hjugement
106 default-language: Haskell2010
113 GeneralizedNewtypeDeriving
116 MultiParamTypeClasses
119 NoMonomorphismRestriction
129 -Wincomplete-uni-patterns
130 -Wincomplete-record-updates
132 -- -fhide-source-paths
138 -- , fixed-vector >= 1.1
139 -- , hashable >= 1.2.6
142 -- , monad-classes >= 0.3
144 -- , reflection >= 2.1
146 , transformers >= 0.5
147 , unordered-containers >= 0.2.8
149 Test-Suite hjugement-protocol-test
150 type: exitcode-stdio-1.0
160 default-language: Haskell2010
167 GeneralizedNewtypeDeriving
170 MultiParamTypeClasses
173 NoMonomorphismRestriction
183 -Wincomplete-uni-patterns
184 -Wincomplete-record-updates
186 -- -fhide-source-paths
193 -- , monad-classes >= 0.3
195 -- , reflection >= 2.1
200 , transformers >= 0.5
201 , unordered-containers >= 0.2.8