Commit 026a864c authored by Stephane Glondu's avatar Stephane Glondu
Browse files

Initial commit of Helios specification

parent 06a1bd69
*.aux
*.log
*.out
*.toc
*.pdf
\documentclass[a4paper]{article}
\usepackage{a4wide}
\usepackage[utf8]{inputenc}
\usepackage[T1]{fontenc}
\usepackage{lmodern}
\usepackage{amsmath,amssymb,amsthm,stmaryrd,bbm}
\usepackage{hyperref}
\newcommand{\Z}{\mathbb{Z}}
\newcommand{\N}{\mathbb{N}}
\title{Notes on Helios}
\author{Stéphane Glondu}
\begin{document}
\maketitle
\tableofcontents
\section{Protocol}
\subsection{Principals}
\begin{itemize}
\item authentication authority ($G$)
\item administrator ($A$)
\item Helios ($H$)
\item trustees ($T_1,\dots,T_m$)
\item voters ($V_1,\dots,V_n$)
\end{itemize}
\subsection{Process}
\begin{enumerate}
\item $A$ logs in by authenticating to $G$
\item $A$ creates a new election $E$; he fills in \textsf{short\_name}
(unique forever), \textsf{name}, \textsf{description},
\textsf{election\_type} (\textsf{election} or \textsf{referendum}),
\textsf{use\_voter\_aliases}, \textsf{private\_p}; \textsf{uuid} is
generated
\item $A$ creates questions $Q_1,\dots,Q_q$; for each $Q_i$, he fills in:
\begin{itemize}
\item number of answers (min and max)
\item result type: absolute or relative (\emph{i.e.} what kind of
majority wins if $\textrm{max}>1$, seems to be purely cosmetic)
\item the question itself
\item answers $R_1,\dots,R_r$
\item in the underlying object, there is also a choice type (always
approval), a tally type (always homomorphic), a URL for each answer (always null)
\end{itemize}
\item $A$ registers trustees $T_1,\dots,T_m$:
\begin{itemize}
\item one of them can be Helios itself
\begin{enumerate}
\item generation $\textsf{sk}=\langle x,\textsf{pk}\rangle$, $\textsf{pk}=\langle y,p,q,g\rangle$:
\begin{itemize}
\item $g$ (2046 bits), $p$ (2047 bits) and $q$ (255 bits) are
predefined parameters such that $g^q=1\mod p$
\item $p$ and $q$ are prime numbers
\item pick random $x\in \Z_q$
\item $y=g^x \mod p$
\end{itemize}
\item proof of knowledge $\textsf{pok}=\langle\textsf{commitment},\textsf{challenge},\textsf{response}\rangle$:
\begin{itemize}
\item pick random $w\in \Z_q$
\item $\textsf{commitment}=g^w \mod p$
\item $\textsf{challenge}=\textsf{SHA1}(\textsf{commitment}) \mod q$
\item $\textsf{response}=w+x\times\textsf{challenge} \mod q$
\end{itemize}
\end{enumerate}
\item for each other $T_i$:
\begin{itemize}
\item $A$ gives a name and an email address
\item $A$ sends an email to $T_i$ with a login (secret) URL
\item $T_i$ goes to that URL and uploads his public key
$\textsf{pk}=\langle y,p,q,g\rangle$ and a proof of knowledge
$\textsf{pok}=\langle\textsf{commitment},\textsf{challenge},\textsf{response}\rangle$
\item $H$ verifies $\textsf{pok}$:
\begin{itemize}
\item $g^\textsf{response} \mod p = \textsf{commitment}\times y^\textsf{challenge} \mod p$
\item $\textsf{challenge} = \textsf{SHA1}(\textsf{commitment}) \mod q$
\end{itemize}
\item the URL can also be used to check a private key $\langle x, \textsf{pk}\rangle$
\begin{itemize}
\item actually, it only checks that $\textsf{SHA1}(\textsf{pk})$ is correct
\end{itemize}
\item once the public key is uploaded, it doesn't seem to matter
that the URL becomes public\dots unless each individual trustee
public key is to be kept confidential
\end{itemize}
\end{itemize}
\item $A$ registers voters:
\begin{itemize}
\item either anyone (who can authenticate to $G$) can vote
\item or $A$ registers $V_1,\dots,V_n$; for each $V_i$, he fills in:
\begin{itemize}
\item login
\item email address
\item full name
\end{itemize}
Voters will then authenticate using $H$.
\end{itemize}
\item $A$ freezes and opens election:
\begin{itemize}
\item questions, options, and trustees are frozen
\item compute the hash of the list of voters\dots{} not implemented!
\item compute the public key of the election by multiplying all
trustee public keys
\item $A$ sends an email to each $V_i$
\end{itemize}
\item $A$ logs out
\item each $V$ votes (or not):
\begin{enumerate}
\item $V$ logs in if the election is private
\item $V$ enters the booth and gets \texttt{election} object
\item $V$ makes a ballot $B$ (see \ref{ballot-format})
\item the \emph{smart ballot tracke}r is $\textsf{BASE64}(\textsf{SHA256}(B))$
\item $V$ can print or email it (client-side)
\item $V$ can audit the ballot
\begin{itemize}
\item the whole ballot is then disclosed with randomness, $V_i$ can copy it and paste it in a ballot verifier
\item $V$ can post the audited ballot to a tracking center
\item audited ballots are discarded
\end{itemize}
\item $V$ authenticates (using either $H$ or $G$)
\item $V$ casts her ballot $B$
\item $H$ verifies $B$
\item $H$ publishes $B$
\end{enumerate}
\item anyone with the voting URL for $E$ can access the ballot
tracking center and audited ballots
\item at the end of the election, $A$ logs in, stops the election and
computes encrypted tally:
\[
\textsf{tally}_{i,j}=\prod_k (\textsf{choices}_k)_{i,j}
\qquad
\textsf{num\_tallied}=\sum_k 1
\]
where:
\begin{itemize}
\item $i$ ranges over questions, $j$ ranges over choices, $k$ over
all cast ballots
\item $(\textsf{choices}_k)_{i,j}$ is a ciphertext $\langle\alpha,\beta\rangle$
\item $\prod$ is pointwise multiplication
\end{itemize}
\item the encrypted tally fingerprint is computed
\item each $T$ provides his decrypted share:
\begin{itemize}
\item $T$ checks the encrypted tally fingerprint
\item $T$ computes
\[ \begin{array}{rcl}
\textsf{decryption\_factors}_{i,j}&=&\alpha_{i,j}^x\\
\textsf{decryption\_proofs}_{i,j}&=&\textsf{ElGamal.Proof.generate}(g,\alpha_{i,j},x,p,q,\textsf{SHA1}\circ\otimes)
\end{array} \]
and uploads $\langle\textsf{decryption\_factors},\textsf{decryption\_proofs}\rangle$
\item $H$ verifies proofs
\end{itemize}
\item $A$ combines trustee decryptions
\item $A$ releases results
\end{enumerate}
\section{Datatypes}
\subsection{ElGamal keys}
\label{key-format}
\begin{gather*}
\texttt{public\_key}=\left\{
\begin{array}{rcl}
\textsf{p}&:&\N\\
\textsf{q}&:&\N\\
\textsf{g}&:&\Z_p\\
\textsf{y}&:&\Z_p
\end{array}
\right\}
\qquad
\texttt{private\_key}=\left\{
\begin{array}{rcl}
\textsf{pk}&:&\texttt{public\_key}\\
\textsf{x}&:&\Z_q
\end{array}
\right\}
\end{gather*}
\subsection{Election}
\label{election-format}
\begin{gather*}
\texttt{uuid}=\textrm{RFC-4122}
\qquad
\texttt{datetime}=\textrm{RFC-3339}
\\
\texttt{tally\_type}=\textsf{homomorphic}
\qquad
\texttt{choice\_type}=\textsf{approval}
\\
\texttt{result\_type}=\textsf{absolute}\mid\textsf{relative}
\\
\hspace{-11.5pt} % ~half of what "Overfull \hbox" says
\texttt{question}=\left\{\small
\begin{array}{rcl}
\textsf{short\_name}&:&\texttt{string}\\
\textsf{question}&:&\texttt{string}\\
\textsf{answers}&:&\texttt{string}^\ast\\
\textsf{min}&:&\N\\
\textsf{max}&:&\N\\
\textsf{tally\_type}&:&\texttt{tally\_type}\\
\textsf{result\_type}&:&\texttt{result\_type}\\
\textsf{choice\_type}&:&\texttt{choice\_type}\\
\textsf{answer\_urls}&:&\texttt{null}^\ast
\end{array}
\right\}
\qquad
\texttt{election}=\left\{\small
\begin{array}{rcl}
\textsf{uuid}&:&\texttt{uuid}\\
\textsf{short\_name}&:&\texttt{string}\\
\textsf{name}&:&\texttt{string}\\
\textsf{description}&:&\texttt{string}\\
\textsf{openreg}&:&\texttt{bool}\\
\textsf{use\_voter\_aliases}&:&\texttt{bool}\\
\textsf{questions}&:&\texttt{question}^\ast\\
\textsf{cast\_url}&:&\texttt{string}\\
\textsf{frozen\_at}&:&\texttt{datetime}\\
\textsf{voting\_starts\_at}&:&\texttt{datetime}?\\
\textsf{voting\_ends\_at}&:&\texttt{datetime}?\\
\textsf{voters\_hash}&:&\texttt{null}\\
\textsf{public\_key}&:&\texttt{public\_key}
\end{array}
\right\}
\\
\texttt{tally}=\texttt{choice}^{\ast\ast}
\qquad
\texttt{encrypted\_tally}=\left\{
\begin{array}{rcl}
\textsf{num\_tallied}&:&\N\\
\textsf{tally}&:&\texttt{tally}
\end{array}
\right\}
\end{gather*}
\begin{itemize}
\item the \texttt{Election} Python class also has \textsf{private\_p}
and \textsf{election\_type}, but they are not exported in the JSON
object; hence, they are not part of the election fingerprint
(shouldn't they?)
\end{itemize}
\subsection{Ballot}
\label{ballot-format}
\begin{gather*}
\texttt{choice}=\left\{
\begin{array}{rcl}
\textsf{alpha}&:&\Z_p\\
\textsf{beta}&:&\Z_p
\end{array}
\right\}
\qquad
\texttt{commitment}=\left\{
\begin{array}{rcl}
\textsf{A}&:&\Z_p\\
\textsf{B}&:&\Z_p
\end{array}
\right\}
\\
\texttt{proof\_item}=\left\{
\begin{array}{rcl}
\textsf{commitment}&:&\texttt{commitment}\\
\textsf{challenge}&:&\Z_q\\
\textsf{response}&:&\Z_q
\end{array}
\right\}
\qquad
\texttt{proof}=\texttt{proof\_item}^\ast
\\
\texttt{answer}=\left\{
\begin{array}{rcl}
\makebox[0pt][l]{\rule[0.5ex]{6.5em}{0.7pt}}
\textsf{answer}&:&\Z_q^\ast\\
\makebox[0pt][l]{\rule[0.5ex]{8.5em}{0.7pt}}
\textsf{randomness}&:&\Z_q^\ast\\
\textsf{choices}&:&\texttt{choice}^\ast\\
\textsf{individual\_proofs}&:&\texttt{proof}^\ast\\
\textsf{overall\_proof}&:&\texttt{proof}
\end{array}
\right\}
\qquad
\texttt{vote}=\left\{
\begin{array}{rcl}
\textsf{answers}&:&\texttt{answer}^\ast\\
\textsf{election\_hash}&:&\texttt{string}\\
\textsf{election\_uuid}&:&\texttt{string}
\end{array}
\right\}
\end{gather*}
\begin{itemize}
\item $|\textsf{answers}|$ is the number of questions
\item for each question, let $N$ be the number of possible answers,
and $\textsf{min}$ and $\textsf{max}$ the bounds on the number of
answers that can be chosen
\item $\textsf{answer}$ is the list of accepted choices;
$|\textsf{answer}|\in\{\textsf{min},\dots,\textsf{max}\}$,
$\textsf{answer}_i\in\{0,\dots,N-1\}$
\item $\textsf{randomness}$ is a list (length $N$) of random secret
nonces used for ElGamal encryption
\item everything can be computed from $\textsf{answer}$,
$\textsf{randomness}$ and public election data; they are given out
for audit, but not for actual cast
\item $\textsf{choices}$ (length $N$) is the raw, unproved, vote; each
$\texttt{choice}$ in it is the encryption of $v\in\{0,1\}$,
depending on whether the choice is accepted or not
\item equations and notations, for each choice:
\begin{itemize}
\item let $r$ be the secret nonce, and $m$ be the message to be
encrypted
\item $(\alpha,\beta)=(g^r, y^r g^m)$
\item $(g,h)=(g,y)=(g,g^x)$
\item $(G,H)=(g^r,\beta/g^m)=(g^r,h^r)=(G,G^x)$
\end{itemize}
\item in a $\texttt{proof}$, there is one $\texttt{proof\_item}$ per
choice; one of them corresponds to the true choice and all the
others are simulated:
\begin{enumerate}
\item for each simulated choice:
\begin{enumerate}
\item pick at random $\textsf{challenge}\in\Z_q$ and $\textsf{response}\in\Z_q$
\item compute
\[
\textsf{A}=\frac{g^{\textsf{response}}}{G^{\textsf{challenge}}}
\qquad\textrm{and}\qquad
\textsf{B}=\frac{h^{\textsf{response}}}{H^{\textsf{challenge}}}
\]
\end{enumerate}
\item for the true choice:
\begin{enumerate}
\item pick at random $w\in\Z_q$
\item compute $\textsf{A}=g^w$, $\textsf{B}=h^w$ and
\[
\textsf{challenge}=
\textsf{SHA1}\left(\bigotimes_i\textsf{A}_i\otimes\textsf{B}_i\right)-
\sum_{i\neq m} \textsf{challenge}_i
\]
(here, $\otimes$ is concatenation with a comma)
\item compute $\textsf{response}=x\times\textsf{challenge}+w$
\end{enumerate}
\item verification:
\[
\left.\begin{array}{rcl}
g^{\textsf{response}}&=&G^{\textsf{challenge}}\times\textsf{A}\\
h^{\textsf{response}}&=&H^{\textsf{challenge}}\times\textsf{B}
\end{array}
\right\}\textrm{for each proof item}
\]
\[
\textsf{SHA1}\left(\bigotimes_i\textsf{A}_i\otimes\textsf{B}_i\right)=
\sum_i \textsf{challenge}_i
\]
\end{enumerate}
\item in $\textsf{individual\_proofs}$, each one proves that the
choice is in $\{0,1\}$
\item $\textsf{overall\_proof}$ proves that the homomorphic sum of
$\textsf{choices}$ is in $\{\textsf{min},\dots,\textsf{max}\}$
\item in $\textsf{answers}$, there is an $\texttt{answer}$ for each
question
\end{itemize}
\section{Miscellaneous}
\subsection{On ZK proofs}
\begin{itemize}
\item Kinds of ZK proofs:
\begin{itemize}
\item knowledge of a discrete logarithm
\item disjunction
\item four values $(g,h,G,H)$ (where $G=g^x$, $H=h^x$) are a DH
tuple:
\[
\textsf{ElGamal.Proof.generate}(g,h,x,p,q,\textsf{challenge\_generator}):
\texttt{proof\_item}\]
used in proofs of disjunctions and decryption
\end{itemize}
\item How to express formally the security of ZK proofs
\begin{itemize}
\item in terms of the security parameter ($k=128$)
\item what are the security assumptions (DDH? secure hash function?)
\end{itemize}
\end{itemize}
\subsection{Comments on the implementation}
\begin{itemize}
\item Code difficult to audit:
\begin{itemize}
\item bad separation of concerns, big trusted computing base
\item dead and/or duplicated code and data all around
\item fragile meta-programming, lack of flexibility
\end{itemize}
\item Administrator and voter sessions are mixed
\item The voter list is reversed in CSV uploads
\item Odd change of voter order during the voting phase
\item Bugs:
\begin{itemize}
\item add a second trustee with the same email address
\item email voters when there is none
\item election frozen, logged in as administrator, click on voters and ballots
\item election frozen, some voters registered, open to any voters, click on voter list
\item failed votes are not reported properly
\item exceptions raised by EncryptedVote.verify are lost
\end{itemize}
\end{itemize}
\end{document}
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment