name: hjugement-protocol
-- PVP:  +-+------- breaking API changes
--       | | +----- non-breaking API additions
--       | | | +--- code changes with no API change
version: 0.0.0.20190415
category: Politic
synopsis: A fully distributed threshold cryptosystem for the Majority Judgment.
description:
  This library implements an online voting protocol
  known as Helios-C (Helios with Credentials)
  which is:
  .
  * /fully correct/: the published results are proven to correspond
    to the (sum of) intended votes of the voters,
    while accounting for a malicious bulletin board (BB) (adding fake ballots)
    by requiring a registration authority (RA)
    (responsible for generating and sending voters' credentials),
    assuming that the BB and the RA are not simultaneously dishonest.
  .
  * /verifiable/: voters are able to check that:
    their ballots did contribute to the outcome (/individual verifiability/),
    and that the tallying authorities did their job properly (/universal verifiability/).
  .
  * /private/: the identities of the voters who cast a vote are not publicly revealed.
  .
  Credentials:
  A voter's credential is a private key (the signing key)
  that has a public part (the verification key).
  The association between the public part and the corresponding voter’s identity
  does not need to be known, and actually should not be disclosed to satisfy
  e.g. the French requirements regarding voting systems.
  Using credentials prevents the submission of duplicated ballots
  (because they are added as an additional input to the random oracle
  in the /non-interactive zero-knowledge/ (NIZK) proofs for ciphertext well-formedness).
  This allows a test for duplicates which depends only on the number of voters,
  and thus enables Helios-C to scale for larger elections while attaining correctness.
  .
  In this protocol:
  .
  * Ballots are encrypted using public-key cryptography
    secured by the /Discrete Logarithm problem/:
    finding @x@ in @g^x `mod` p@, where @p@ is a large prime
    and @g@ a generator of @Gq@, the multiplicative subgroup of @Fp@
    (the finite prime field whose characteristic is @p@) of order @q@.
    Here, @p@ is 2048-bit and @q@ is 256-bit.
    The signing (Schnorr-like), the encrypting (ElGamal-like)
    and the /Decisional Diffie-Hellman/ (DDH) assumption
    all rely on the hardness of that problem.
  .
  * Ballots are added without being decrypted
    because adding ciphertexts then decrypting
    is like decrypting then adding plaintexts (/additive homomorphism/).
    This uses an /ElGamal encryption scheme/ with a transformation
    so that from being a /multiplicative homomorphism/
    it becomes an /additive homomorphism/.
    This requires solving the /Discrete Logarithm Problem/
    for numbers in the order of the number of voters,
    which is not hard for small numbers (with a lookup table as here,
    or with Pollard’s rho algorithm for logarithms).
  .
  * Pedersen's /distributed key generation/ (DKG) protocol
    coupled with ElGamal keys (under the DDH assumption)
    is used to have a fully distributed semantically secure encryption.
  .
  * The /Schnorr protocol/ is used to prove that a voter has knowledge
    of the secret key used to encrypt their votes.
  .
  * The /Chaum-Pedersen protocol/ (proving the equality of discrete logarithms)
    is used to prove that two given ciphertexts belonging to two voters
    with different public credentials are well-formed
    (encrypting a 0 or a 1) without decrypting them.
    This is known as a /Disjunctive Chaum-Pedersen/ proof of partial knowledge.
  .
  * A /Fiat-Shamir transformation/ is used
    to transform the /interactive zero-knowledge/ (IZK) /Chaum-Pedersen protocol/
    into a /non-interactive zero-knowledge/ (NIZK) proof, using a SHA256 hash.
extra-doc-files:
license: GPL-3
license-file: COPYING
stability: experimental
author: Julien Moutinho
maintainer: Julien Moutinho
bug-reports: Julien Moutinho
-- homepage:

build-type: Simple
cabal-version: 1.24
tested-with: GHC==8.4.4
extra-source-files:
  stack.yaml
extra-tmp-files:

Source-Repository head
  location: git://git.autogeree.net/hjugement
  type: git

Library
  exposed-modules:
    Protocol.Arith
    Protocol.Credential
    Protocol.Election
  default-language: Haskell2010
  default-extensions:
    AllowAmbiguousTypes
    ConstraintKinds
    DefaultSignatures
    FlexibleContexts
    FlexibleInstances
    GeneralizedNewtypeDeriving
    LambdaCase
    MonoLocalBinds
    MultiParamTypeClasses
    NamedFieldPuns
    NoImplicitPrelude
    NoMonomorphismRestriction
    RecordWildCards
    ScopedTypeVariables
    TupleSections
    TypeApplications
    TypeFamilies
    UndecidableInstances
  ghc-options:
    -Wall
    -Wincomplete-uni-patterns
    -Wincomplete-record-updates
    -fno-warn-tabs
    -- -fhide-source-paths
  build-depends:
      base >= 4.6 && < 5
    , bytestring >= 0.10
    , containers >= 0.5
    , cryptonite >= 0.25
    , hashable >= 1.2.6
    , memory >= 0.14
    , random >= 1.1
    , reflection >= 2.1
    , transformers >= 0.5
    , unordered-containers >= 0.2.8

Test-Suite hjugement-protocol-test
  type: exitcode-stdio-1.0
  hs-source-dirs: test
  main-is: Main.hs
  other-modules:
    HUnit
    HUnit.Arith
    HUnit.Credential
    HUnit.Election
    HUnit.Utils
    -- QuickCheck
  default-language: Haskell2010
  default-extensions:
    AllowAmbiguousTypes
    ConstraintKinds
    DefaultSignatures
    FlexibleContexts
    FlexibleInstances
    GeneralizedNewtypeDeriving
    LambdaCase
    MonoLocalBinds
    MultiParamTypeClasses
    NamedFieldPuns
    NoImplicitPrelude
    NoMonomorphismRestriction
    RecordWildCards
    ScopedTypeVariables
    TupleSections
    TypeApplications
    TypeFamilies
    UndecidableInstances
  ghc-options:
    -Wall
    -Wincomplete-uni-patterns
    -Wincomplete-record-updates
    -fno-warn-tabs
    -- -fhide-source-paths
  build-depends:
      hjugement-protocol
    , base >= 4.6 && < 5
    , containers >= 0.5
    , hashable >= 1.2.6
    , QuickCheck >= 2.0
    , random >= 1.1
    , reflection >= 2.1
    , tasty >= 0.11
    , tasty-hunit >= 0.9
    , tasty-quickcheck
    , text >= 1.2
    , transformers >= 0.5
    , unordered-containers >= 0.2.8
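
The additive-homomorphic tally described in the package description (ElGamal with the vote placed in the exponent, then a lookup table to recover the sum), as an added Python example that is not part of hjugement-protocol's own code. It assumes a constructed toy group (p = 2039, q = 1019) instead of the 2048-bit/256-bit parameters, a single key holder instead of Pedersen's DKG, and no NIZK proofs; all function names are hypothetical.

```python
# Added example: exponential ElGamal tally over a toy group (NOT secure sizes).
import secrets

# Constructed toy parameters: p = 2q + 1, both prime; G has order Q in Fp*.
P, Q = 2039, 1019
G = pow(2, (P - 1) // Q, P)   # = 4, generates the subgroup Gq of order Q

def keygen():
    """Single key holder (assumption); the protocol distributes this via DKG."""
    x = secrets.randbelow(Q - 1) + 1           # secret key in [1, q-1]
    return x, pow(G, x, P)                     # (secret x, public y = g^x)

def encrypt(y, m):
    """Encrypt m in the exponent: (g^r, y^r * g^m)."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), (pow(y, r, P) * pow(G, m, P)) % P

def add(c1, c2):
    """Component-wise product of ciphertexts encrypts the sum of plaintexts."""
    return (c1[0] * c2[0]) % P, (c1[1] * c2[1]) % P

def decrypt_to_group(x, c):
    """Return g^m (not m). alpha has order dividing q, so alpha^(q-x) = alpha^(-x)."""
    alpha, beta = c
    return (pow(alpha, Q - x, P) * beta) % P

def dlog_table(max_m):
    """Lookup table g^m -> m for 0 <= m <= max_m; size grows with the voters."""
    return {pow(G, m, P): m for m in range(max_m + 1)}

def tally(x, ballots):
    """Sum 0/1 ballots under encryption, decrypt once, solve the small dlog.

    Well-formedness (each ballot encrypts 0 or 1) is what the disjunctive
    Chaum-Pedersen proof enforces in the protocol; it is assumed here.
    """
    if len(ballots) >= Q:
        raise ValueError("sum could wrap around the group order")
    acc = (1, 1)                               # trivial encryption of 0
    for c in ballots:
        acc = add(acc, c)
    return dlog_table(len(ballots))[decrypt_to_group(x, acc)]

if __name__ == "__main__":
    x, y = keygen()
    votes = [1, 0, 1, 1, 0, 1, 0]              # constructed sample ballots
    print(tally(x, [encrypt(y, v) for v in votes]))
```

No individual ballot is decrypted: only the accumulated ciphertext is, and the lookup table never needs more entries than there are voters plus one.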