1 {-# LANGUAGE DataKinds #-}
2 {-# LANGUAGE PolyKinds #-}
3 {-# LANGUAGE DeriveAnyClass #-}
4 {-# LANGUAGE DeriveGeneric #-}
5 {-# LANGUAGE DerivingStrategies #-}
6 {-# LANGUAGE OverloadedStrings #-}
7 {-# LANGUAGE UndecidableInstances #-} -- for Reifies constraints in instances
8 module Voting.Protocol.Cryptography where
10 import Control.DeepSeq (NFData)
11 import Control.Monad (Monad(..), join, replicateM)
12 import Control.Monad.Trans.Except (ExceptT(..), throwE)
13 import Data.Aeson (ToJSON(..), FromJSON(..), (.:), (.=))
16 import Data.Eq (Eq(..))
17 import Data.Function (($), (.))
18 import Data.Functor (Functor, (<$>))
19 import Data.Maybe (Maybe(..), fromJust)
20 import Data.Ord (Ord(..))
21 import Data.Proxy (Proxy(..))
22 import Data.Reflection (Reifies(..))
23 import Data.Semigroup (Semigroup(..))
24 import Data.String (IsString(..))
25 import Data.Text (Text)
26 import GHC.Generics (Generic)
27 import GHC.Natural (minusNaturalMaybe)
28 import Numeric.Natural (Natural)
29 import Prelude (Bounded(..), fromIntegral)
30 import System.Random (RandomGen)
31 import Text.Show (Show(..))
32 import qualified Control.Monad.Trans.State.Strict as S
33 import qualified Crypto.Hash as Crypto
34 import qualified Data.Aeson as JSON
35 import qualified Data.ByteArray as ByteArray
36 import qualified Data.ByteString as BS
37 import qualified Data.ByteString.Base64 as BS64
38 import qualified Data.List as List
39 import qualified Data.Text as Text
40 import qualified Data.Text.Encoding as Text
41 import qualified Data.Text.Lazy as TL
42 import qualified Data.Text.Lazy.Builder as TLB
43 import qualified Data.Text.Lazy.Builder.Int as TLB
44 import qualified System.Random as Random
46 import Voting.Protocol.Utils
47 import Voting.Protocol.Arithmetic
48 import Voting.Protocol.Version
50 -- ** Type 'PublicKey'
52 -- ** Type 'SecretKey'
56 newtype Hash crypto c = Hash (E crypto c)
57 deriving newtype (Eq,Ord,Show,NFData)
59 -- | @('hash' bs gs)@ returns as a number in 'E'
60 -- the 'Crypto.SHA256' hash of the given 'BS.ByteString' 'bs'
61 -- prefixing the decimal representation of given subgroup elements 'gs',
62 -- with a comma (",") intercalated between them.
64 -- NOTE: to avoid any collision when the 'hash' function is used in different contexts,
65 -- a message 'gs' is actually prefixed by a 'bs' indicating the context.
67 -- Used by 'proveEncryption' and 'verifyEncryption',
68 -- where the 'bs' usually contains the 'statement' to be proven,
69 -- and the 'gs' contains the 'commitments'.
70 hash :: CryptoParams crypto c => BS.ByteString -> [G crypto c] -> E crypto c
72 let s = bs <> BS.intercalate (fromString ",") (bytesNat <$> gs)
73 let h = Crypto.hashWith Crypto.SHA256 s
75 decodeBigEndian $ ByteArray.convert h
77 -- | @('decodeBigEndian' bs)@ interpret @bs@ as big-endian number.
78 decodeBigEndian :: BS.ByteString -> Natural
81 (\acc b -> acc`shiftL`8 + fromIntegral b)
84 -- ** Type 'Base64SHA256'
85 newtype Base64SHA256 = Base64SHA256 Text
86 deriving (Eq,Ord,Show,Generic)
87 deriving anyclass (ToJSON,FromJSON)
88 deriving newtype NFData
90 -- | @('base64SHA256' bs)@ returns the 'Crypto.SHA256' hash
91 -- of the given 'BS.ByteString' 'bs',
92 -- as a 'Text' escaped in @base64@ encoding
93 -- (<https://tools.ietf.org/html/rfc4648 RFC 4648>).
94 base64SHA256 :: BS.ByteString -> Base64SHA256
96 let h = Crypto.hashWith Crypto.SHA256 bs in
98 Text.takeWhile (/= '=') $ -- NOTE: no padding.
99 Text.decodeUtf8 $ BS64.encode $ ByteArray.convert h
101 -- ** Type 'HexSHA256'
102 newtype HexSHA256 = HexSHA256 Text
103 deriving (Eq,Ord,Show,Generic)
104 deriving anyclass (ToJSON,FromJSON)
105 deriving newtype NFData
106 -- | @('hexSHA256' bs)@ returns the 'Crypto.SHA256' hash
107 -- of the given 'BS.ByteString' 'bs', escaped in hexadecimal
108 -- into a 'Text' of 32 lowercase characters.
110 -- Used (in retro-dependencies of this library) to hash
111 -- the 'PublicKey' of a voter or a trustee.
112 hexSHA256 :: BS.ByteString -> Text
114 let h = Crypto.hashWith Crypto.SHA256 bs in
115 let n = decodeBigEndian $ ByteArray.convert h in
116 -- NOTE: always set the 256 bit then remove it
117 -- to always have leading zeros,
118 -- and thus always 64 characters wide hashes.
120 TL.tail $ TLB.toLazyText $ TLB.hexadecimal $
125 -- | @('randomR' i)@ returns a random integer in @[0..i-1]@.
128 Random.RandomGen r =>
132 randomR i = S.StateT $ return . Random.randomR (zero, i-one)
134 -- | @('random')@ returns a random integer
135 -- in the range determined by its type.
138 Random.RandomGen r =>
142 random = S.StateT $ return . Random.random
144 -- * Type 'Encryption'
145 -- | ElGamal-like encryption.
146 -- Its security relies on the /Discrete Logarithm problem/.
148 -- Because ('groupGen' '^'encNonce '^'secKey '==' 'groupGen' '^'secKey '^'encNonce),
149 -- knowing @secKey@, one can divide 'encryption_vault' by @('encryption_nonce' '^'secKey)@
150 -- to decipher @('groupGen' '^'clear)@, then the @clear@ text must be small to be decryptable,
151 -- because it is encrypted as a power of 'groupGen' (hence the "-like" in "ElGamal-like")
152 -- to enable the additive homomorphism.
154 -- NOTE: Since @('encryption_vault' '*' 'encryption_nonce' '==' 'encryption_nonce' '^' (secKey '+' clear))@,
155 -- then: @(logBase 'encryption_nonce' ('encryption_vault' '*' 'encryption_nonce') '==' secKey '+' clear)@.
156 data Encryption crypto v c = Encryption
157 { encryption_nonce :: !(G crypto c)
158 -- ^ Public part of the randomness 'encNonce' used to 'encrypt' the 'clear' text,
159 -- equal to @('groupGen' '^'encNonce)@
160 , encryption_vault :: !(G crypto c)
161 -- ^ Encrypted 'clear' text,
162 -- equal to @('pubKey' '^'encNone '*' 'groupGen' '^'clear)@
164 deriving instance Eq (G crypto c) => Eq (Encryption crypto v c)
165 deriving instance (Show (G crypto c), Show (G crypto c)) => Show (Encryption crypto v c)
166 deriving instance NFData (G crypto c) => NFData (Encryption crypto v c)
169 , CryptoParams crypto c
170 ) => ToJSON (Encryption crypto v c) where
171 toJSON Encryption{..} =
173 [ "alpha" .= encryption_nonce
174 , "beta" .= encryption_vault
176 toEncoding Encryption{..} =
178 ( "alpha" .= encryption_nonce
179 <> "beta" .= encryption_vault
183 , CryptoParams crypto c
184 ) => FromJSON (Encryption crypto v c) where
185 parseJSON = JSON.withObject "Encryption" $ \o -> do
186 encryption_nonce <- o .: "alpha"
187 encryption_vault <- o .: "beta"
188 return Encryption{..}
190 -- | Additive homomorphism.
191 -- Using the fact that: @'groupGen' '^'x '*' 'groupGen' '^'y '==' 'groupGen' '^'(x'+'y)@.
192 instance CryptoParams crypto c => Additive (Encryption crypto v c) where
193 zero = Encryption one one
195 (encryption_nonce x * encryption_nonce y)
196 (encryption_vault x * encryption_vault y)
198 -- *** Type 'EncryptionNonce'
199 type EncryptionNonce = E
201 -- | @('encrypt' pubKey clear)@ returns an ElGamal-like 'Encryption'.
203 -- WARNING: the secret encryption nonce (@encNonce@)
204 -- is returned alongside the 'Encryption'
205 -- in order to 'prove' the validity of the encrypted 'clear' text in 'proveEncryption',
206 -- but this secret @encNonce@ MUST be forgotten after that,
207 -- as it may be used to decipher the 'Encryption'
208 -- without the 'SecretKey' associated with 'pubKey'.
211 CryptoParams crypto c =>
212 Monad m => RandomGen r =>
213 PublicKey crypto c -> E crypto c ->
214 S.StateT r m (EncryptionNonce crypto c, Encryption crypto v c)
215 encrypt pubKey clear = do
217 -- NOTE: preserve the 'encNonce' for 'prove' in 'proveEncryption'.
220 { encryption_nonce = groupGen^encNonce
221 , encryption_vault = pubKey ^encNonce * groupGen^clear
225 -- | Non-Interactive Zero-Knowledge 'Proof'
226 -- of knowledge of a discrete logarithm:
227 -- @(secret == logBase base (base^secret))@.
228 data Proof crypto v c = Proof
229 { proof_challenge :: !(Challenge crypto c)
230 -- ^ 'Challenge' sent by the verifier to the prover
231 -- to ensure that the prover really has knowledge
232 -- of the secret and is not replaying.
233 -- Actually, 'proof_challenge' is not sent to the prover,
234 -- but derived from the prover's 'Commitment's and statements
235 -- with a collision resistant 'hash'.
236 -- Hence the prover cannot chose the 'proof_challenge' to his/her liking.
237 , proof_response :: !(E crypto c)
238 -- ^ A discrete logarithm sent by the prover to the verifier,
239 -- as a response to 'proof_challenge'.
241 -- If the verifier observes that @('proof_challenge' '==' 'hash' statement [commitment])@, where:
243 -- * @statement@ is a serialization of a tag, @base@ and @basePowSec@,
244 -- * @commitment '==' 'commit' proof base basePowSec '=='
245 -- base '^' 'proof_response' '*' basePowSec '^' 'proof_challenge'@,
246 -- * and @basePowSec '==' base'^'sec@,
248 -- then, with overwhelming probability (due to the 'hash' function),
249 -- the prover was not able to choose 'proof_challenge'
250 -- yet was able to compute a 'proof_response' such that
251 -- (@commitment '==' base '^' 'proof_response' '*' basePowSec '^' 'proof_challenge'@),
252 -- that is to say: @('proof_response' '==' logBase base 'commitment' '-' sec '*' 'proof_challenge')@,
253 -- therefore the prover knows 'sec'.
255 -- The prover choses 'commitment' to be a random power of @base@,
256 -- to ensure that each 'prove' does not reveal any information
258 } deriving (Eq,Show,NFData,Generic)
259 instance Reifies v Version => ToJSON (Proof crypto v c) where
262 [ "challenge" .= proof_challenge
263 , "response" .= proof_response
265 toEncoding Proof{..} =
267 ( "challenge" .= proof_challenge
268 <> "response" .= proof_response
271 ( CryptoParams crypto c
273 ) => FromJSON (Proof crypto v c) where
274 parseJSON = JSON.withObject "TrusteePublicKey" $ \o -> do
275 proof_challenge <- o .: "challenge"
276 proof_response <- o .: "response"
280 -- | Zero-knowledge proof.
282 -- A protocol is /zero-knowledge/ if the verifier
283 -- learns nothing from the protocol except that the prover
286 -- DOC: Mihir Bellare and Phillip Rogaway. Random oracles are practical:
287 -- A paradigm for designing efficient protocols. In ACM-CCS’93, 1993.
288 newtype ZKP = ZKP BS.ByteString
290 -- ** Type 'Challenge'
294 -- An 'Oracle' returns the 'Challenge' of the 'Commitment's
295 -- by 'hash'ing them (eventually with other 'Commitment's).
297 -- Used in 'prove' it enables a Fiat-Shamir transformation
298 -- of an /interactive zero-knowledge/ (IZK) proof
299 -- into a /non-interactive zero-knowledge/ (NIZK) proof.
300 -- That is to say that the verifier does not have
301 -- to send a 'Challenge' to the prover.
302 -- Indeed, the prover now handles the 'Challenge'
303 -- which becomes a (collision resistant) 'hash'
304 -- of the prover's commitments (and statements to be a stronger proof).
305 type Oracle list crypto c = list (Commitment crypto c) -> Challenge crypto c
307 -- | @('prove' sec commitmentBases oracle)@
308 -- returns a 'Proof' that @sec@ is known
309 -- (by proving the knowledge of its discrete logarithm).
311 -- The 'Oracle' is given 'Commitment's equal to the 'commitmentBases'
312 -- raised to the power of the secret nonce of the 'Proof',
313 -- as those are the 'Commitment's that the verifier will obtain
314 -- when composing the 'proof_challenge' and 'proof_response' together
317 -- WARNING: for 'prove' to be a so-called /strong Fiat-Shamir transformation/ (not a weak):
318 -- the statement must be included in the 'hash' (along with the commitments).
320 -- NOTE: a 'random' @nonce@ is used to ensure each 'prove'
321 -- does not reveal any information regarding the secret @sec@,
322 -- because two 'Proof's using the same 'Commitment'
323 -- can be used to deduce @sec@ (using the special-soundness).
325 forall crypto v c list m r.
327 CryptoParams crypto c =>
328 Monad m => RandomGen r => Functor list =>
331 Oracle list crypto c ->
332 S.StateT r m (Proof crypto v c)
333 prove sec commitmentBases oracle = do
335 let commitments = (^ nonce) <$> commitmentBases
336 let proof_challenge = oracle commitments
339 , proof_response = nonce `op` (sec*proof_challenge)
342 -- | See comments in 'commit'.
344 if reflect (Proxy @v) `hasVersionTag` versionTagQuicker
348 -- | Like 'prove' but quicker. It chould replace 'prove' entirely
349 -- when Helios-C specifications will be fixed.
352 CryptoParams crypto c =>
353 Monad m => RandomGen r => Functor list =>
356 Oracle list crypto c ->
357 S.StateT r m (Proof crypto v c)
358 proveQuicker sec commitmentBases oracle = do
360 let commitments = (^ nonce) <$> commitmentBases
361 let proof_challenge = oracle commitments
364 , proof_response = nonce - sec*proof_challenge
367 -- | @('fakeProof')@ returns a 'Proof'
368 -- whose 'proof_challenge' and 'proof_response' are uniformly chosen at random,
369 -- instead of @('proof_challenge' '==' 'hash' statement commitments)@
370 -- and @('proof_response' '==' nonce '+' sec '*' 'proof_challenge')@
371 -- as a 'Proof' returned by 'prove'.
373 -- Used in 'proveEncryption' to fill the returned 'DisjProof'
374 -- with fake 'Proof's for all 'Disjunction's but the encrypted one.
376 CryptoParams crypto c =>
377 Monad m => RandomGen r =>
378 S.StateT r m (Proof crypto v c)
380 proof_challenge <- random
381 proof_response <- random
384 -- ** Type 'Commitment'
385 -- | A commitment from the prover to the verifier.
386 -- It's a power of 'groupGen' chosen randomly by the prover
387 -- when making a 'Proof' with 'prove'.
390 -- | @('commit' proof base basePowSec)@ returns a 'Commitment'
391 -- from the given 'Proof' with the knowledge of the verifier.
395 CryptoParams crypto c =>
400 commit Proof{..} base basePowSec =
401 (base^proof_response) `op`
402 (basePowSec^proof_challenge)
405 if reflect (Proxy @v) `hasVersionTag` versionTagQuicker
408 -- TODO: contrary to some textbook presentations,
409 -- @('*')@ should be used instead of @('/')@ to avoid the performance cost
410 -- of a modular exponentiation @('^' ('groupOrder' '-' 'one'))@,
411 -- this is compensated by using @('-')@ instead of @('+')@ in 'prove'.
412 {-# INLINE commit #-}
414 -- | Like 'commit' but quicker. It chould replace 'commit' entirely
415 -- when Helios-C specifications will be fixed.
417 CryptoParams crypto c =>
422 commitQuicker Proof{..} base basePowSec =
423 base^proof_response *
424 basePowSec^proof_challenge
426 -- * Type 'Disjunction'
427 -- | A 'Disjunction' is an 'inverse'd @('groupGen' '^'opinion)@
428 -- it's used in 'proveEncryption' to generate a 'Proof'
429 -- that an 'encryption_vault' contains a given @('groupGen' '^'opinion)@,
432 booleanDisjunctions ::
434 CryptoParams crypto c =>
435 [Disjunction crypto c]
436 booleanDisjunctions = List.take 2 $ groupGenInverses @crypto
438 intervalDisjunctions ::
440 CryptoParams crypto c =>
441 Natural -> Natural -> [Disjunction crypto c]
442 intervalDisjunctions mini maxi =
443 List.genericTake (fromJust $ (nat maxi + 1)`minusNaturalMaybe`nat mini) $
444 List.genericDrop (nat mini) $
445 groupGenInverses @crypto
447 -- ** Type 'DisjProof'
448 -- | A list of 'Proof's to prove that the opinion within an 'Encryption'
449 -- is indexing a 'Disjunction' within a list of them,
450 -- without revealing which opinion it is.
451 newtype DisjProof crypto v c = DisjProof [Proof crypto v c]
452 deriving (Eq,Show,Generic)
453 deriving newtype (NFData)
454 deriving newtype instance Reifies v Version => ToJSON (DisjProof crypto v c)
455 deriving newtype instance (Reifies v Version, CryptoParams crypto c) => FromJSON (DisjProof crypto v c)
457 -- | @('proveEncryption' elecPubKey voterZKP (prevDisjs,nextDisjs) (encNonce,enc))@
458 -- returns a 'DisjProof' that 'enc' 'encrypt's
459 -- the 'Disjunction' 'd' between 'prevDisjs' and 'nextDisjs'.
461 -- The prover proves that it knows an 'encNonce', such that:
462 -- @(enc '==' Encryption{encryption_nonce='groupGen' '^'encNonce, encryption_vault=elecPubKey'^'encNonce '*' groupGen'^'d})@
464 -- A /NIZK Disjunctive Chaum Pedersen Logarithm Equality/ is used.
466 -- DOC: Pierrick Gaudry. <https://hal.inria.fr/hal-01576379 Some ZK security proofs for Belenios>, 2017.
469 CryptoParams crypto c =>
470 Monad m => RandomGen r =>
471 PublicKey crypto c -> ZKP ->
472 ([Disjunction crypto c],[Disjunction crypto c]) ->
473 (EncryptionNonce crypto c, Encryption crypto v c) ->
474 S.StateT r m (DisjProof crypto v c)
475 proveEncryption elecPubKey voterZKP (prevDisjs,nextDisjs) (encNonce,enc) = do
476 -- Fake proofs for all 'Disjunction's except the genuine one.
477 prevFakeProofs <- replicateM (List.length prevDisjs) fakeProof
478 nextFakeProofs <- replicateM (List.length nextDisjs) fakeProof
479 let fakeChallengeSum =
480 sum (proof_challenge <$> prevFakeProofs) +
481 sum (proof_challenge <$> nextFakeProofs)
482 let statement = encryptionStatement voterZKP enc
483 genuineProof <- prove encNonce [groupGen, elecPubKey] $ \genuineCommitments ->
484 let validCommitments = List.zipWith (encryptionCommitments elecPubKey enc) in
485 let prevCommitments = validCommitments prevDisjs prevFakeProofs in
486 let nextCommitments = validCommitments nextDisjs nextFakeProofs in
487 let commitments = join prevCommitments <> genuineCommitments <> join nextCommitments in
488 let challenge = hash statement commitments in
489 let genuineChallenge = challenge - fakeChallengeSum in
491 -- NOTE: here by construction (genuineChallenge == challenge - fakeChallengeSum)
492 -- thus (sum (proof_challenge <$> proofs) == challenge)
493 -- as checked in 'verifyEncryption'.
494 let proofs = prevFakeProofs <> (genuineProof : nextFakeProofs)
495 return (DisjProof proofs)
499 CryptoParams crypto c =>
501 PublicKey crypto c -> ZKP ->
502 [Disjunction crypto c] -> (Encryption crypto v c, DisjProof crypto v c) ->
503 ExceptT ErrorVerifyEncryption m Bool
504 verifyEncryption elecPubKey voterZKP disjs (enc, DisjProof proofs) =
505 case isoZipWith (encryptionCommitments elecPubKey enc) disjs proofs of
507 throwE $ ErrorVerifyEncryption_InvalidProofLength
508 (fromIntegral $ List.length proofs)
509 (fromIntegral $ List.length disjs)
511 return $ challengeSum ==
512 hash (encryptionStatement voterZKP enc) (join commitments)
514 challengeSum = sum (proof_challenge <$> proofs)
517 encryptionStatement ::
518 CryptoParams crypto c =>
519 ZKP -> Encryption crypto v c -> BS.ByteString
520 encryptionStatement (ZKP voterZKP) Encryption{..} =
521 "prove|"<>voterZKP<>"|"
522 <> bytesNat encryption_nonce<>","
523 <> bytesNat encryption_vault<>"|"
525 -- | @('encryptionCommitments' elecPubKey enc disj proof)@
526 -- returns the 'Commitment's with only the knowledge of the verifier.
528 -- For the prover the 'Proof' comes from @fakeProof@,
529 -- and for the verifier the 'Proof' comes from the prover.
530 encryptionCommitments ::
532 CryptoParams crypto c =>
533 PublicKey crypto c -> Encryption crypto v c ->
534 Disjunction crypto c -> Proof crypto v c -> [G crypto c]
535 encryptionCommitments elecPubKey Encryption{..} disj proof =
536 [ commit proof groupGen encryption_nonce
537 -- == groupGen ^ nonce if 'Proof' comes from 'prove'.
538 -- base==groupGen, basePowSec==groupGen^encNonce.
539 , commit proof elecPubKey (encryption_vault*disj)
540 -- == elecPubKey ^ nonce if 'Proof' comes from 'prove'
541 -- and 'encryption_vault' encrypts (- logBase groupGen disj).
542 -- base==elecPubKey, basePowSec==elecPubKey^encNonce.
545 -- ** Type 'ErrorVerifyEncryption'
546 -- | Error raised by 'verifyEncryption'.
547 data ErrorVerifyEncryption
548 = ErrorVerifyEncryption_InvalidProofLength Natural Natural
549 -- ^ When the number of proofs is different than
550 -- the number of 'Disjunction's.
553 -- * Type 'Signature'
554 -- | Schnorr-like signature.
556 -- Used by each voter to sign his/her encrypted 'Ballot'
557 -- using his/her 'Credential',
558 -- in order to avoid ballot stuffing.
559 data Signature crypto v c = Signature
560 { signature_publicKey :: !(PublicKey crypto c)
561 -- ^ Verification key.
562 , signature_proof :: !(Proof crypto v c)
564 deriving instance (NFData crypto, NFData (G crypto c)) => NFData (Signature crypto v c)
567 , CryptoParams crypto c
568 ) => ToJSON (Signature crypto v c) where
569 toJSON (Signature pubKey Proof{..}) =
571 [ "public_key" .= pubKey
572 , "challenge" .= proof_challenge
573 , "response" .= proof_response
575 toEncoding (Signature pubKey Proof{..}) =
577 ( "public_key" .= pubKey
578 <> "challenge" .= proof_challenge
579 <> "response" .= proof_response
583 , CryptoParams crypto c
584 ) => FromJSON (Signature crypto v c) where
585 parseJSON = JSON.withObject "Signature" $ \o -> do
586 signature_publicKey <- o .: "public_key"
587 proof_challenge <- o .: "challenge"
588 proof_response <- o .: "response"
589 let signature_proof = Proof{..}