Commit 356992f4 authored by Stephane Glondu's avatar Stephane Glondu

Add ciphertexts to ZKPs to fix cryptographic vulnerability

parent a8ed13da
......@@ -448,7 +448,7 @@ ElGamal.DLogProof.fromJSONObject = function(d) {
// a challenge generator based on a list of commitments of
// proofs of knowledge of plaintext. Just appends A and B with commas.
ElGamal.disjunctive_challenge_generator = function(id) { return function(commitments) {
ElGamal.disjunctive_challenge_generator = function(id, c) { return function(commitments) {
var strings_to_hash = [];
// go through all proofs and append the commitments
......@@ -460,7 +460,8 @@ ElGamal.disjunctive_challenge_generator = function(id) { return function(commitm
// console.log(strings_to_hash);
// STRINGS = strings_to_hash;
return new BigInt(hex_sha256("prove|" + id + "|" + strings_to_hash.join(",")), 16);
var prefix = "prove|" + id + "|" + c.alpha.toJSONObject() + "," + c.beta.toJSONObject() + "|"
return new BigInt(hex_sha256(prefix + strings_to_hash.join(",")), 16);
}};
// same structure as above, adapted for (alpha, beta) pairs of
......
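Review bot: The header comment above `ElGamal.disjunctive_challenge_generator` still describes the old challenge ("Just appends A and B with commas") while the new `prefix` line also feeds the ciphertext's alpha and beta into the hash before the commitments, and the reason is not stated anywhere; suggest replacing it with `// Challenge generator for disjunctive proofs of plaintext knowledge. The ciphertext (alpha, beta) is hashed in front of the A,B commitments so the challenge is bound to the statement being proved and a proof cannot be reused for another ciphertext.` The new second parameter `c` is undocumented, and any caller that still passes only `id` will now throw on `c.alpha` rather than produce a proof, so a `// c: the ElGamal.Ciphertext the proof is about` line would help; the `var prefix = ...` line is also missing its trailing semicolon. Two consequences the commit leaves implicit are worth a comment as well: this string has to match byte-for-byte what the server-side implementation hashes for the same ciphertext, and proofs generated before this change no longer verify under the new hash input, which is not versioned here.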
......@@ -278,7 +278,7 @@ HELIOS.EncryptedAnswer = Class.extend({
// generate proof
if (generate_new_randomness) {
// generate proof that this ciphertext is a 0 or a 1
individual_proofs[i] = choices[i].generateDisjunctiveProof(zero_one_plaintexts, plaintext_index, randomness[i], ElGamal.disjunctive_challenge_generator(id));
individual_proofs[i] = choices[i].generateDisjunctiveProof(zero_one_plaintexts, plaintext_index, randomness[i], ElGamal.disjunctive_challenge_generator(id, choices[i]));
}
if (progress)
......@@ -306,7 +306,7 @@ HELIOS.EncryptedAnswer = Class.extend({
if (question.min)
overall_plaintext_index -= question.min;
overall_proof = hom_sum.generateDisjunctiveProof(plaintexts, overall_plaintext_index, rand_sum, ElGamal.disjunctive_challenge_generator(id));
overall_proof = hom_sum.generateDisjunctiveProof(plaintexts, overall_plaintext_index, rand_sum, ElGamal.disjunctive_challenge_generator(id, hom_sum));
if (progress) {
for (var i=0; i<question.max; i++)
......
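Review bot: The generator for `overall_proof` captures `hom_sum` rather than one of the `choices`, so the overall proof is bound to what appears to be the homomorphic combination of the individual ciphertexts; that binding only holds at verification time if the verifier recomputes the same `hom_sum` from the ballot's choices before constructing its own generator, and the verification call sites are not part of this section. Suggest a comment on the `overall_proof` line: `// bind the proof to hom_sum, the ciphertext it actually makes a statement about; the verifier must recompute hom_sum from choices to check it`. Both hunks sit inside the `HELIOS.EncryptedAnswer` class body, which starts and ends outside the section.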
......@@ -219,7 +219,10 @@ module MakeElection (P : ELECTION_PARAMS) (M : RANDOM) = struct
(* compute genuine proof *)
fs_prove [| g; y |] r (fun commitx ->
Array.blit commitx 0 commitments (2*x) 2;
Z.((G.hash ("prove|"^id^"|") commitments + !total_challenges) mod q)
let prefix = Printf.sprintf "prove|%s|%s,%s|"
id (G.to_string alpha) (G.to_string beta)
in
Z.((G.hash prefix commitments + !total_challenges) mod q)
) >>= fun p ->
proofs.(x) <- p;
return proofs
......@@ -240,7 +243,10 @@ module MakeElection (P : ELECTION_PARAMS) (M : RANDOM) = struct
) else raise Exit
done;
total_challenges := Z.(!total_challenges mod q);
hash ("prove|"^id^"|") commitments =% !total_challenges
let prefix = Printf.sprintf "prove|%s|%s,%s|"
id (G.to_string alpha) (G.to_string beta)
in
hash prefix commitments =% !total_challenges
with Exit -> false
(** Ballot creation *)
......
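Review bot: The same `Printf.sprintf "prove|%s|%s,%s|"` prefix is built by hand twice, once in the prover hunk (`-219,7 +219,10`) and once in the verifier hunk (`-240,7 +243,10`); if either copy is edited the prover and verifier silently disagree and every ballot fails verification, so factor it into one module-level function, e.g. `let zkp_prefix id alpha beta = Printf.sprintf "prove|%s|%s,%s|" id (G.to_string alpha) (G.to_string beta)`, and call it from both places. Both hunks lie inside functions whose start is outside the page, so it cannot be checked here that `alpha` and `beta` are the components of the ciphertext the proof is about rather than another pair in scope; worth confirming, since binding the wrong ciphertext would defeat the fix while still verifying consistently. The resulting string must also equal what the JavaScript client hashes for the same ciphertext, and a test that checks a fixed (id, alpha, beta) against a known challenge on both sides would guard that equivalence.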