Commit 4fb80fe4 authored by Stephane Glondu's avatar Stephane Glondu Committed by Stéphane Glondu

Merge branch 'master' into explicit-homomorphism

parents 2dfebc8a 09ae493c
Pipeline #100274 passed with stages
in 27 minutes and 29 seconds
......@@ -74,8 +74,8 @@ Verifications all along the process is done using command line tools `belenios-t
- Administrator logs in and goes to the election draft page
- In the "Trustees" section, she clicks on the "here" link
- She clicks on the "threshold mode" link
- In the field next to "Threshold:", she types `U`, and clicks on the "Set" button
- She adds `T` trustees (their email address), and remembers the link she will send to each trustee
- In the field next to "Threshold:", she types `U`, and clicks on the "Set" button
- (She checks that in the table, the "STATE" column is "1a" on every row)
- She sends to each trustee an email containing their own link
- She logs out and closes the window
......
......@@ -8,6 +8,7 @@
\usepackage{hyperref}
\usepackage{framed}
\usepackage{stmaryrd}
\usepackage{xcolor}
\newcommand{\version}{1.10}
......@@ -37,6 +38,9 @@
\newcommand{\vinput}{\texttt{vinput}}
\newcommand{\voutput}{\texttt{voutput}}
\newcommand{\vc}[1]{\textcolor{blue}{#1}}
\newcommand{\vcomment}[1]{\textcolor{violet}{#1}}
\title{Belenios specification}
\date{Version~\version}
\author{Stéphane Glondu}
......@@ -46,11 +50,10 @@
\tableofcontents
\section{Introduction}
This document is a specification of the voting protocol implemented in
Belenios \version. More discussion, theoretical explanations and
bibliographical references can be found in a technical report
available online.\footnote{\url{http://eprint.iacr.org/2013/177}}
bibliographical references can be found in an article
available online.\footnote{\url{https://hal.inria.fr/hal-02066930/document}}
The cryptography involved in Belenios needs a cyclic group $\G$ where
discrete logarithms are hard to compute. We will denote by $g$ a
......@@ -78,12 +81,21 @@ section~\ref{default-group}.
\newcommand{\Hash}{\mathcal{H}}
\begin{itemize}
\item $\mathcal{S}$: voting server
\item $\mathcal{A}$: server administrator
\item $\mathcal{C}$: credential authority
\item $\mathcal{T}_1,\dots,\mathcal{T}_m$: trustees
\item $\mathcal{V}_1,\dots,\mathcal{V}_n$: voters
\item $\mathcal{M}_1,\dots,\mathcal{M}_p$: shufflers (if using non-homomorphic questions)
\item $\mathcal{S}$: voting server \\
The voting server maintains the public data $D$ that
consists of:
\begin{itemize}
\item the election data $E$
\item the list $PK$ of public keys of the trustees
\item the list $L$ of public credentials
\item the list $B$ of accepted ballots
\item the result of the election {\result} (once the election is tallied)
\end{itemize}
\end{itemize}
\section{Processes}
......@@ -99,21 +111,24 @@ section~\ref{default-group}.
$c_1,\dots,c_n$ and computes
$L=\shuffle(\public(c_1),\dots,\public(c_n))$
\item for $j\in[1\dots n]$, $\mathcal{C}$ sends $c_j$ to $\mathcal{V}_j$
\item $\mathcal{C}$ forgets $c_1,\dots,c_n$
\item $\mathcal{C}$ forgets the mapping between $j$ and $\public(c_j)$
if credential recovery is not needed
\item $\mathcal{C}$ sends $L$ to $\mathcal{A}$
\item \label{item-forget} (optionnal) $\mathcal{C}$ forgets $c_1,\dots,c_n$
\item $\mathcal{C}$ sends $L$ to $\mathcal{A}$
\item $\mathcal{A}$ and $\mathcal{T}_1,\dotsc,\mathcal{T}_m$ run a key establishment protocol
(either \ref{no-threshold} or \ref{threshold})
\item $\mathcal{A}$ creates the \hyperref[elections]{$\election$} $E$
\item $\mathcal{A}$ loads $E$ and $L$ into $\mathcal{S}$ and starts it
\item $\mathcal{C}$ checks that the list of public credentials $L$
is exactly the one that appears on the election data of the election of
{$\uuid$} $u$.
\end{enumerate}
Step~\ref{item-forget} is optional. It offers a better protection
against ballot stuffng in case $\mathcal{C}$ unintentionally leaks
private credentials.
\subsubsection{Basic decryption support}
\label{no-threshold}
To perform tally with this scheme, all trustees will need to compute a
partial decryption.
The trustees jointly compute the public election key. They will
all need to contribute to the tally.
\begin{enumerate}
\item for $z\in[1\dots m]$,
......@@ -126,14 +141,15 @@ partial decryption.
public key $y$:
\[
y=\prod_{z\in[1\dots m]}\pklabel(k_z)
\]
\]
\item for $z\in[1\dots m]$, $\mathcal{T}_z$ checks that $k_z$ appears in the set of public keys $PK$ of the election of {$\uuid$} $u$ (the
id of the election should be publicly known).
\end{enumerate}
\subsubsection{Threshold decryption support}
\label{threshold}
To perform tally with this scheme, $t+1$ trustees will need to compute
a partial decryption.
The trustees jointly compute the public election key such that
only a subgroup of $t+1$ of them will be needed to compute the tally.
\begin{enumerate}
\item for $z\in[1\dots m]$,
......@@ -164,26 +180,34 @@ a partial decryption.
\hyperref[threshold-params]{threshold parameters}
\item $\mathcal{A}$ computes the election public key $y$ as specified
in section~\ref{polynomials}.
\end{enumerate}
\item for $z\in[1\dots m]$, $\mathcal{T}_z$ checks that $\gamma_z$ appears
in the set of public keys $PK$ of the election of {$\uuid$} $u$ (the
id of the election should be publicly known).
\end{enumerate}
\subsection{Vote}
\begin{enumerate}
\item $\mathcal{V}$ gets $E$
\item $\mathcal{V}$ creates a \hyperref[ballots]{$\ballot$} $b$ and submits it to $\mathcal{S}$
\item $\mathcal{S}$ validates $b$ and publishes it
\item $\mathcal{S}$ validates $b$ and adds it to $B$
\item at any time (even after tally), $\mathcal{V}$ may check that $b$
appears in the list of accepted ballots $B$
\end{enumerate}
\subsection{Credential recovery}
If $\mathcal C$ has forgotten the private credentials of the voter
(optional step~\ref{item-forget} of the setup) then credentials cannot
be recovered.
If $\mathcal C$ has the list of private credentials (associated to the
voters), credentials can be recovered:
\begin{enumerate}
\item $\mathcal{V}_i$ contacts $\mathcal{C}$
\item $\mathcal{C}$ looks up $\mathcal{V}_i$'s public credential $\public(c_i)$ and
generates a new credential $c'_i$
\item $\mathcal{C}$ sends $c'_i$ to $\mathcal{V}_i$ and forgets it
\item $\mathcal{C}$ sends $\public(c_i)$ and $\public(c'_i)$ to $\mathcal{A}$
\item $\mathcal{A}$ checks that $\public(c_i)$ has not been used and replaces it
by $\public(c'_i)$ in $L$
\item $\mathcal{C}$ looks up $\mathcal{V}_i$'s private credential $c_i$
\item $\mathcal{C}$ sends $c_i$
\end{enumerate}
\subsection{Tally}
......@@ -196,14 +220,79 @@ a partial decryption.
\item for $z\in[1\dots m]$ (or, if in threshold mode, a subset of it
of size at least $t+1$),
\begin{enumerate}
\item $\mathcal{A}$ sends $\Pi$ (and $K_z$ if in threshold mode) to $\mathcal{T}_z$
\item $\mathcal{A}$ sends $\Pi$ (and $K_z$ if in threshold mode) to
$\mathcal{T}_z$
\item $\mathcal{T}_z$ generates a \hyperref[tally]{$\pdecryption$} $\delta_z$
and sends it to $\mathcal{A}$
\item $\mathcal{A}$ verifies $\delta_z$
\end{enumerate}
\item $\mathcal{A}$ combines all the partial decryptions, computes and publishes
the election \hyperref[election-result]{\result}
\item $\mathcal{T}_z$ checks that $\delta_z$ appears in {\result}
\end{enumerate}
\subsection{Audit}
Belenios can be publicly audited: anyone having access to the (public)
election data can check that the ballots are well formed and that the
result corresponds to the ballots. Ideally, the list of ballots should
also be monitored during the voting phase, to guarantee that no ballot
disappears.
\subsubsection{During the voting phase}
\label{sec:audit-voting}
At any time, an auditor can retrieve the public board and check its consistency. She should
always record at least the last audited board. Then:
\begin{enumerate}
\item she retrieves the election data $D = (E,PK,L,B,r)$ where $B$ is the list of ballots;
\begin{itemize}
\item she records $B$;
\item for $b\in B$, she checks that the proofs of $b$ are valid and that
the signature of $b$ is valid and corresponds to one of the keys in
$L$;
\item she checks that any two ballots in $B$ correspond to distinct keys (of
$L$);
\end{itemize}
\item she retrieves the previously recorded election data $D' = (E',PK',L',B',r')$ (if it
exists);
\begin{itemize}
\item for $b\in B'$, she checks that
\begin{itemize}
\item $b\in B$
\item or $\exists b'\in B$ such that $b$ and $b'$ correspond to
the same key in $L$. This corresponds to the case where a voter
has revoted;
\end{itemize}
\item she checks that all the other data is unchanged: $E=E'$, $PK=PK'$, $L=L'$,
and $r=r'$ (actually the result is empty at this step).
\end{itemize}
\end{enumerate}
There is no tool support on the web interface for these checks,
instead the command line tool \texttt{verify-diff} can be used.
\subsubsection{After the tally}
The auditor retrieve the election data $D$ and in
particular the list $B$ of ballots and the
\hyperref[election-result]{\result} $r$. Then:
\begin{enumerate}
\item she checks consistency of $B$, that is, perform all
the checks described at step 1 of section~\ref{sec:audit-voting};
\item she checks that $B$ corresponds to the board
monitored so far thus performs all
the checks described at step 2 of section~\ref{sec:audit-voting};
\item she checks that the proofs of the result $r$ are valid w.r.t. $B$.
\end{enumerate}
To ease verification of the trustees and the credential authorities,
it is possible to display the hash of their public data (e.g. the
public keys and the partial decryptions of the trustees, the hash of
the list of the public credentials) in some human-readable form. In
that case, the audit should also check that this human-readable data is
consistent with the election data.
There is no tool support on the web interface for these checks,
instead the command line tool \texttt{verify} can be used.
\section{Messages}
\label{messages}
......
......@@ -34,11 +34,11 @@ fi
mkdir -p "$BELENIOS_SYSROOT/bootstrap/src"
cd "$BELENIOS_SYSROOT/bootstrap/src"
wget https://github.com/ocaml/opam/releases/download/2.0.0/opam-full-2.0.0.tar.gz
wget https://github.com/ocaml/opam/releases/download/2.0.5/opam-full-2.0.5.tar.gz
if which sha256sum >/dev/null; then
sha256sum --check <<EOF
9dad4fcb4f53878c9daa6285d8456ccc671e21bfa71544d1f926fb8a63bfed25 opam-full-2.0.0.tar.gz
776c7e64d6e24c2ef1efd1e6a71d36e007645efae94eaf860c05c1929effc76f opam-full-2.0.5.tar.gz
EOF
else
echo "WARNING: sha256sum was not found, checking tarballs is impossible!"
......@@ -50,8 +50,8 @@ echo
echo "=-=-= Compilation and installation of OPAM =-=-="
echo
cd "$BELENIOS_SYSROOT/bootstrap/src"
tar -xzf opam-full-2.0.0.tar.gz
cd opam-full-2.0.0
tar -xzf opam-full-2.0.5.tar.gz
cd opam-full-2.0.5
make cold CONFIGURE_ARGS="--prefix $BELENIOS_SYSROOT/bootstrap"
make cold-install LIBINSTALL_DIR="$BELENIOS_SYSROOT/bootstrap/lib/ocaml"
......
......@@ -38,8 +38,8 @@ let run_post_login_handler auth_system f =
match%lwt Eliom_reference.get auth_env with
| None -> Printf.ksprintf failwith "%s handler was invoked without environment" auth_system
| Some (uuid, a, cont) ->
let%lwt () = Eliom_reference.unset auth_env in
let authenticate name =
let%lwt () = Eliom_reference.unset auth_env in
let user = { user_domain = a.auth_instance; user_name = name } in
match uuid with
| None -> Eliom_reference.set Web_state.site_user (Some user)
......
......@@ -444,7 +444,7 @@ let create_new_election owner cred auth =
let () = Html.register ~service:election_draft_pre
(fun () () -> T.election_draft_pre ())
let http_rex = "^https?://[a-z/.-]+$"
let http_rex = "^https?://[a-z0-9/.-]+$"
let is_http_url =
let rex = Pcre.regexp ~flags:[`CASELESS] http_rex in
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment