belenios: Commit 4fb80fe4, authored Oct 24, 2019 by Stephane Glondu; committed by Stéphane Glondu, Oct 24, 2019
Merge branch 'master' into explicithomomorphism
parents 2dfebc8a 09ae493c
Pipeline #100274 passed with stages in 27 minutes and 29 seconds
Showing 5 changed files with 120 additions and 31 deletions
doc/election_test_scenario_4_specification.md +1 -1
doc/specification.tex +113 -24
opambootstrap.sh +4 -4
src/web/web_auth.ml +1 -1
src/web/web_site.ml +1 -1
doc/election_test_scenario_4_specification.md
View file @
4fb80fe4
...
...
@@ 74,8 +74,8 @@ Verifications all along the process is done using command line tools `beleniost

Administrator logs in and goes to the election draft page

In the "Trustees" section, she clicks on the "here" link

She clicks on the "threshold mode" link

In the field next to "Threshold:", she types
`U`
, and clicks on the "Set" button

She adds
`T`
trustees (their email address), and remembers the link she will send to each trustee

In the field next to "Threshold:", she types
`U`
, and clicks on the "Set" button

(She checks that in the table, the "STATE" column is "1a" on every row)

She sends to each trustee an email containing their own link

She logs out and closes the window
...
...
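Review bot: the step that sets the threshold `U` changes position relative to "She adds `T` trustees", but neither step says why the order matters. If the "Set" button only accepts a threshold once the trustees are listed, state that in the step, so the scenario documents the constraint rather than just the click order.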
doc/specification.tex
View file @
4fb80fe4
...
...
@@ 8,6 +8,7 @@
\usepackage
{
hyperref
}
\usepackage
{
framed
}
\usepackage
{
stmaryrd
}
\usepackage
{
xcolor
}
\newcommand
{
\version
}{
1.10
}
...
...
@@ 37,6 +38,9 @@
\newcommand
{
\vinput
}{
\texttt
{
vinput
}}
\newcommand
{
\voutput
}{
\texttt
{
voutput
}}
\newcommand
{
\vc
}
[1]
{
\textcolor
{
blue
}{
#1
}}
\newcommand
{
\vcomment
}
[1]
{
\textcolor
{
violet
}{
#1
}}
\title
{
Belenios specification
}
\date
{
Version~
\version
}
\author
{
Stéphane Glondu
}
...
...
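Review bot: `\vc` and `\vcomment` are defined with no comment on what they mark up, and no other hunk shown on this page uses them. A one-line `%` comment on each, saying what blue and violet text mean in the rendered specification, would tell later editors how to use them; if they are only drafting aids, consider keeping them and the `xcolor` dependency out of the published version.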
@@ 46,11 +50,10 @@
\tableofcontents
\section
{
Introduction
}
This document is a specification of the voting protocol implemented in
Belenios
\version
. More discussion, theoretical explanations and
bibliographical references can be found in a
technical report
available online.
\footnote
{
\url
{
http
://eprint.iacr.org/2013/177
}}
bibliographical references can be found in a
n article
available online.
\footnote
{
\url
{
http
s://hal.inria.fr/hal02066930/document
}}
The cryptography involved in Belenios needs a cyclic group
$
\G
$
where
discrete logarithms are hard to compute. We will denote by
$
g
$
a
...
...
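Review bot: the replacement footnote in the Introduction gives only a bare URL for the article. Naming the article (title and authors) in the footnote, or citing it through a bibliography entry, would let readers find it if the link moves, which matters because the sentence delegates the theory and the references to it.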
@@ 78,12 +81,21 @@ section~\ref{defaultgroup}.
\newcommand
{
\Hash
}{
\mathcal
{
H
}}
\begin{itemize}
\item
$
\mathcal
{
S
}$
: voting server
\item
$
\mathcal
{
A
}$
: server administrator
\item
$
\mathcal
{
C
}$
: credential authority
\item
$
\mathcal
{
T
}_
1
,
\dots
,
\mathcal
{
T
}_
m
$
: trustees
\item
$
\mathcal
{
V
}_
1
,
\dots
,
\mathcal
{
V
}_
n
$
: voters
\item
$
\mathcal
{
M
}_
1
,
\dots
,
\mathcal
{
M
}_
p
$
: shufflers (if using nonhomomorphic questions)
\item
$
\mathcal
{
S
}$
: voting server
\\
The voting server maintains the public data
$
D
$
that
consists of:
\begin{itemize}
\item
the election data
$
E
$
\item
the list
$
PK
$
of public keys of the trustees
\item
the list
$
L
$
of public credentials
\item
the list
$
B
$
of accepted ballots
\item
the result of the election
{
\result
}
(once the election is tallied)
\end{itemize}
\end{itemize}
\section
{
Processes
}
...
...
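Review bot: the new description of the public data $D$ under the voting server item names $E$, $PK$, $L$ and $B$ but gives no symbol for the result, while the Audit section added later in this commit writes $D=(E,PK,L,B,r)$. Introduce $r$ in this list, next to {\result}, so the tuple is fully defined where $D$ is first described.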
@@ 99,21 +111,24 @@ section~\ref{defaultgroup}.
$
c
_
1
,
\dots
,c
_
n
$
and computes
$
L
=
\shuffle
(
\public
(
c
_
1
)
,
\dots
,
\public
(
c
_
n
))
$
\item
for
$
j
\in
[
1
\dots
n
]
$
,
$
\mathcal
{
C
}$
sends
$
c
_
j
$
to
$
\mathcal
{
V
}_
j
$
\item
$
\mathcal
{
C
}$
forgets
$
c
_
1
,
\dots
,c
_
n
$
\item
$
\mathcal
{
C
}$
forgets the mapping between
$
j
$
and
$
\public
(
c
_
j
)
$
if credential recovery is not needed
\item
$
\mathcal
{
C
}$
sends
$
L
$
to
$
\mathcal
{
A
}$
\item
\label
{
itemforget
}
(optionnal)
$
\mathcal
{
C
}$
forgets
$
c
_
1
,
\dots
,c
_
n
$
\item
$
\mathcal
{
C
}$
sends
$
L
$
to
$
\mathcal
{
A
}$
\item
$
\mathcal
{
A
}$
and
$
\mathcal
{
T
}_
1
,
\dotsc
,
\mathcal
{
T
}_
m
$
run a key establishment protocol
(either
\ref
{
nothreshold
}
or
\ref
{
threshold
}
)
\item
$
\mathcal
{
A
}$
creates the
\hyperref
[elections]
{$
\election
$}
$
E
$
\item
$
\mathcal
{
A
}$
loads
$
E
$
and
$
L
$
into
$
\mathcal
{
S
}$
and starts it
\item
$
\mathcal
{
C
}$
checks that the list of public credentials
$
L
$
is exactly the one that appears on the election data of the election of
{$
\uuid
$}
$
u
$
.
\end{enumerate}
Step~
\ref
{
itemforget
}
is optional. It offers a better protection
against ballot stuffng in case
$
\mathcal
{
C
}$
unintentionally leaks
private credentials.
\subsubsection
{
Basic decryption support
}
\label
{
nothreshold
}
To perform tally with this scheme, all trustees will need to compute a
partial decryption.
The trustees jointly compute the public election key. They will
all need to contribute to the tally.
\begin{enumerate}
\item
for
$
z
\in
[
1
\dots
m
]
$
,
...
...
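Review bot: the paragraph after the Setup enumeration presents step \ref{itemforget} only as a protection against ballot stuffing, without saying that it also rules out credential recovery, which the Credential recovery subsection states later in this commit. Add that trade-off to the paragraph so an operator deciding on the optional step sees both sides in one place. Two spellings in the same lines also need fixing: "(optionnal)" in the item and "stuffng" in the paragraph.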
@@ 126,14 +141,15 @@ partial decryption.
public key
$
y
$
:
\[
y
=
\prod
_{
z
\in
[
1
\dots
m
]
}
\pklabel
(
k
_
z
)
\]
\]
\item
for
$
z
\in
[
1
\dots
m
]
$
,
$
\mathcal
{
T
}_
z
$
checks that
$
k
_
z
$
appears in the set of public keys
$
PK
$
of the election of
{$
\uuid
$}
$
u
$
(the
id of the election should be publicly known).
\end{enumerate}
\subsubsection
{
Threshold decryption support
}
\label
{
threshold
}
To perform tally with this scheme,
$
t
+
1
$
trustees will need to compute
a partial decryption.
The trustees jointly compute the public election key such that
only a subgroup of
$
t
+
1
$
of them will be needed to compute the tally.
\begin{enumerate}
\item
for
$
z
\in
[
1
\dots
m
]
$
,
...
...
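Review bot: the new last item of the basic key establishment has $\mathcal{T}_z$ check that $k_z$ appears in $PK$, but does not say where $\mathcal{T}_z$ obtains $PK$ or at what point of the setup the check is meaningful. Since the list of participants earlier in this commit defines $PK$ as part of the public data $D$ kept by $\mathcal{S}$, say that the trustee retrieves it from there once the election is loaded; the parenthetical about the election id being publicly known could then state how the trustee learns $u$.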
@@ 164,26 +180,34 @@ a partial decryption.
\hyperref
[thresholdparams]
{
threshold parameters
}
\item
$
\mathcal
{
A
}$
computes the election public key
$
y
$
as specified
in section~
\ref
{
polynomials
}
.
\end{enumerate}
\item
for
$
z
\in
[
1
\dots
m
]
$
,
$
\mathcal
{
T
}_
z
$
checks that
$
\gamma
_
z
$
appears
in the set of public keys
$
PK
$
of the election of
{$
\uuid
$}
$
u
$
(the
id of the election should be publicly known).
\end{enumerate}
\subsection
{
Vote
}
\begin{enumerate}
\item
$
\mathcal
{
V
}$
gets
$
E
$
\item
$
\mathcal
{
V
}$
creates a
\hyperref
[ballots]
{$
\ballot
$}
$
b
$
and submits it to
$
\mathcal
{
S
}$
\item
$
\mathcal
{
S
}$
validates
$
b
$
and publishes it
\item
$
\mathcal
{
S
}$
validates
$
b
$
and adds it to
$
B
$
\item
at any time (even after tally),
$
\mathcal
{
V
}$
may check that
$
b
$
appears in the list of accepted ballots
$
B
$
\end{enumerate}
\subsection
{
Credential recovery
}
If
$
\mathcal
C
$
has forgotten the private credentials of the voter
(optional step~
\ref
{
itemforget
}
of the setup) then credentials cannot
be recovered.
If
$
\mathcal
C
$
has the list of private credentials (associated to the
voters), credentials can be recovered:
\begin{enumerate}
\item
$
\mathcal
{
V
}_
i
$
contacts
$
\mathcal
{
C
}$
\item
$
\mathcal
{
C
}$
looks up
$
\mathcal
{
V
}_
i
$
's public credential
$
\public
(
c
_
i
)
$
and
generates a new credential
$
c'
_
i
$
\item
$
\mathcal
{
C
}$
sends
$
c'
_
i
$
to
$
\mathcal
{
V
}_
i
$
and forgets it
\item
$
\mathcal
{
C
}$
sends
$
\public
(
c
_
i
)
$
and
$
\public
(
c'
_
i
)
$
to
$
\mathcal
{
A
}$
\item
$
\mathcal
{
A
}$
checks that
$
\public
(
c
_
i
)
$
has not been used and replaces it
by
$
\public
(
c'
_
i
)
$
in
$
L
$
\item
$
\mathcal
{
C
}$
looks up
$
\mathcal
{
V
}_
i
$
's private credential
$
c
_
i
$
\item
$
\mathcal
{
C
}$
sends
$
c
_
i
$
\end{enumerate}
\subsection
{
Tally
}
...
...
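Review bot: in the Credential recovery steps, the last item reads "$\mathcal{C}$ sends $c_i$" with no recipient, and the first item "$\mathcal{V}_i$ contacts $\mathcal{C}$" says nothing about how $\mathcal{C}$ establishes that the requester is $\mathcal{V}_i$. Name the recipient and add the identity check as an explicit step, since $c_i$ is the voter's private credential. The two introductory sentences also write `$\mathcal C$` where the rest of the file uses `$\mathcal{C}$`.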
@@ 196,14 +220,79 @@ a partial decryption.
\item
for
$
z
\in
[
1
\dots
m
]
$
(or, if in threshold mode, a subset of it
of size at least
$
t
+
1
$
),
\begin{enumerate}
\item
$
\mathcal
{
A
}$
sends
$
\Pi
$
(and
$
K
_
z
$
if in threshold mode) to
$
\mathcal
{
T
}_
z
$
\item
$
\mathcal
{
A
}$
sends
$
\Pi
$
(and
$
K
_
z
$
if in threshold mode) to
$
\mathcal
{
T
}_
z
$
\item
$
\mathcal
{
T
}_
z
$
generates a
\hyperref
[tally]
{$
\pdecryption
$}
$
\delta
_
z
$
and sends it to
$
\mathcal
{
A
}$
\item
$
\mathcal
{
A
}$
verifies
$
\delta
_
z
$
\end{enumerate}
\item
$
\mathcal
{
A
}$
combines all the partial decryptions, computes and publishes
the election
\hyperref
[electionresult]
{
\result
}
\item
$
\mathcal
{
T
}_
z
$
checks that
$
\delta
_
z
$
appears in
{
\result
}
\end{enumerate}
\subsection
{
Audit
}
Belenios can be publicly audited: anyone having access to the (public)
election data can check that the ballots are well formed and that the
result corresponds to the ballots. Ideally, the list of ballots should
also be monitored during the voting phase, to guarantee that no ballot
disappears.
\subsubsection
{
During the voting phase
}
\label
{
sec:auditvoting
}
At any time, an auditor can retrieve the public board and check its consistency. She should
always record at least the last audited board. Then:
\begin{enumerate}
\item
she retrieves the election data
$
D
=
(
E,PK,L,B,r
)
$
where
$
B
$
is the list of ballots;
\begin{itemize}
\item
she records
$
B
$
;
\item
for
$
b
\in
B
$
, she checks that the proofs of
$
b
$
are valid and that
the signature of
$
b
$
is valid and corresponds to one of the keys in
$
L
$
;
\item
she checks that any two ballots in
$
B
$
correspond to distinct keys (of
$
L
$
);
\end{itemize}
\item
she retrieves the previously recorded election data
$
D'
=
(
E',PK',L',B',r'
)
$
(if it
exists);
\begin{itemize}
\item
for
$
b
\in
B'
$
, she checks that
\begin{itemize}
\item
$
b
\in
B
$
\item
or
$
\exists
b'
\in
B
$
such that
$
b
$
and
$
b'
$
correspond to
the same key in
$
L
$
. This corresponds to the case where a voter
has revoted;
\end{itemize}
\item
she checks that all the other data is unchanged:
$
E
=
E'
$
,
$
PK
=
PK'
$
,
$
L
=
L'
$
,
and
$
r
=
r'
$
(actually the result is empty at this step).
\end{itemize}
\end{enumerate}
There is no tool support on the web interface for these checks,
instead the command line tool
\texttt
{
verifydiff
}
can be used.
\subsubsection
{
After the tally
}
The auditor retrieve the election data
$
D
$
and in
particular the list
$
B
$
of ballots and the
\hyperref
[electionresult]
{
\result
}
$
r
$
. Then:
\begin{enumerate}
\item
she checks consistency of
$
B
$
, that is, perform all
the checks described at step 1 of section~
\ref
{
sec:auditvoting
}
;
\item
she checks that
$
B
$
corresponds to the board
monitored so far thus performs all
the checks described at step 2 of section~
\ref
{
sec:auditvoting
}
;
\item
she checks that the proofs of the result
$
r
$
are valid w.r.t.
$
B
$
.
\end{enumerate}
To ease verification of the trustees and the credential authorities,
it is possible to display the hash of their public data (e.g. the
public keys and the partial decryptions of the trustees, the hash of
the list of the public credentials) in some humanreadable form. In
that case, the audit should also check that this humanreadable data is
consistent with the election data.
There is no tool support on the web interface for these checks,
instead the command line tool
\texttt
{
verify
}
can be used.
\section
{
Messages
}
\label
{
messages
}
...
...
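Review bot: in "During the voting phase", step 1 has the auditor record only $B$, before the ballot checks and before step 2 retrieves the previously recorded $D'=(E',PK',L',B',r')$. As written it is unclear whether recording replaces the earlier record, and step 2 needs $E'$, $PK'$, $L'$ and $r'$, which step 1 never stores. Have the auditor record the whole of $D$, and only after both steps pass. In the Tally list, the item "$\mathcal{T}_z$ checks that $\delta_z$ appears in {\result}" sits outside the "for $z \in [1\dots m]$" item, so $z$ is unbound there; and "The auditor retrieve" should read "retrieves".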
opambootstrap.sh
View file @
4fb80fe4
...
...
@@ 34,11 +34,11 @@ fi
mkdir
p
"
$BELENIOS_SYSROOT
/bootstrap/src"
cd
"
$BELENIOS_SYSROOT
/bootstrap/src"
wget https://github.com/ocaml/opam/releases/download/2.0.
0/opamfull2.0.0
.tar.gz
wget https://github.com/ocaml/opam/releases/download/2.0.
5/opamfull2.0.5
.tar.gz
if
which
sha256sum
>
/dev/null
;
then
sha256sum
check
<<
EOF
9dad4fcb4f53878c9daa6285d8456ccc671e21bfa71544d1f926fb8a63bfed25 opamfull2.0.0
.tar.gz
776c7e64d6e24c2ef1efd1e6a71d36e007645efae94eaf860c05c1929effc76f opamfull2.0.5
.tar.gz
EOF
else
echo
"WARNING: sha256sum was not found, checking tarballs is impossible!"
...
...
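Review bot: the `else` branch at the end of this hunk only prints "WARNING: sha256sum was not found, checking tarballs is impossible!", so on a host without `sha256sum` the pinned hash for the 2.0.5 tarball is never checked. Since the tarball is unpacked and compiled in the next hunk, the fallback should stop with a non-zero exit unless the user explicitly opts out, or try an equivalent tool such as `shasum -a 256` before giving up.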
@@ 50,8 +50,8 @@ echo
echo
"=== Compilation and installation of OPAM ==="
echo
cd
"
$BELENIOS_SYSROOT
/bootstrap/src"
tar
xzf
opamfull2.0.
0
.tar.gz
cd
opamfull2.0.
0
tar
xzf
opamfull2.0.
5
.tar.gz
cd
opamfull2.0.
5
make cold
CONFIGURE_ARGS
=
"prefix
$BELENIOS_SYSROOT
/bootstrap"
make coldinstall
LIBINSTALL_DIR
=
"
$BELENIOS_SYSROOT
/bootstrap/lib/ocaml"
...
...
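Review bot: the version string is edited by hand in the `tar` and `cd` lines here and again in the `wget` URL and the checksum line of the previous hunk, four places that must stay in sync. Put the version in one shell variable near the top and derive the tarball and directory names from it, so a later bump touches that variable and the hash only.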
src/web/web_auth.ml
View file @
4fb80fe4
...
...
@@ 38,8 +38,8 @@ let run_post_login_handler auth_system f =
match
%
lwt
Eliom_reference
.
get
auth_env
with

None
>
Printf
.
ksprintf
failwith
"%s handler was invoked without environment"
auth_system

Some
(
uuid
,
a
,
cont
)
>
let
%
lwt
()
=
Eliom_reference
.
unset
auth_env
in
let
authenticate
name
=
let
%
lwt
()
=
Eliom_reference
.
unset
auth_env
in
let
user
=
{
user_domain
=
a
.
auth_instance
;
user_name
=
name
}
in
match
uuid
with

None
>
Eliom_reference
.
set
Web_state
.
site_user
(
Some
user
)
...
...
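Review bot: `Eliom_reference.unset auth_env` appears both before `let authenticate name =` and inside it, and the position decides whether the login environment is cleared as soon as the handler runs or only once `authenticate` is called; nothing in the hunk says which is intended or why. Add a comment stating the reason, and say what clears `auth_env` when `f` returns without calling `authenticate`, so that a stale `(uuid, a, cont)` is not left for a later invocation.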
src/web/web_site.ml
View file @
4fb80fe4
...
...
@@ 444,7 +444,7 @@ let create_new_election owner cred auth =
let
()
=
Html
.
register
~
service
:
election_draft_pre
(
fun
()
()
>
T
.
election_draft_pre
()
)
let
http_rex
=
"^https?://[az/.]+$"
let
http_rex
=
"^https?://[az
09
/.]+$"
let
is_http_url
=
let
rex
=
Pcre
.
regexp
~
flags
:
[
`CASELESS
]
http_rex
in
...
...
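Review bot: the second `http_rex` line widens the character class to digits, but the pattern still has no comment saying what `is_http_url` guards and why the allow-list is this narrow. As shown, a URL carrying a port (`:`) or a query string (`?`) is still rejected; if that is deliberate, record it next to the definition and add a few accepted and rejected URLs as test cases, so the next widening is a conscious choice.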