Check credentials if present (server-side)

src/lib/election.ml

@@ -43,6 +43,7 @@ let finite_field ~p ~q ~g =
     let invert x = Z.invert x p
     let ( =~ ) = Z.equal
     let check x = check_modulo p x && x **~ q =~ one
+    let to_string = Z.to_string
     let hash prefix xs =
       hashZ (prefix ^ (map_and_concat_with_commas Z.to_string xs))
     let compare = Z.compare
@@ -305,21 +306,42 @@ module MakeElection (P : ELECTION_PARAMS) (M : RANDOM) = struct
     return {
       answers;
       election_hash = fingerprint;
-      election_uuid = params.e_uuid
+      election_uuid = params.e_uuid;
+      signature = None;
     }
 
   (** Ballot verification *)
 
-  let verify_answer q a =
-    Array.forall2 (eg_disj_verify d01 "ID") a.individual_proofs a.choices &&
+  let verify_answer id q a =
+    Array.forall2 (eg_disj_verify d01 id) a.individual_proofs a.choices &&
     let sumc = Array.fold_left eg_combine dummy_ciphertext a.choices in
     let d = make_d q.q_min q.q_max in
-    eg_disj_verify d "ID" a.overall_proof sumc
+    eg_disj_verify d id a.overall_proof sumc
 
   let check_ballot b =
     b.election_uuid = params.e_uuid &&
     b.election_hash = P.fingerprint &&
-    Array.forall2 verify_answer params.e_questions b.answers
+    let ok, id = match b.signature with
+      | Some {s_commitment = y; s_challenge; s_response} ->
+        let ok =
+          check_modulo q s_challenge &&
+          check_modulo q s_response &&
+          let commitment = g **~ s_response *~ y **~ s_challenge in
+          let prefix = "sig|" ^ G.to_string commitment ^ "|" in
+          let ciphertexts = List.flatten (
+            List.map (fun a ->
+              List.flatten (
+                List.map (fun {alpha; beta} ->
+                  [alpha; beta]
+                ) (Array.to_list a.choices)
+              )
+            ) (Array.to_list b.answers)
+          ) |> Array.of_list in
+          s_challenge =% G.hash prefix ciphertexts
+        in ok, G.to_string y
+      | None -> true, "ID"
+    in ok &&
+    Array.forall2 (verify_answer id) params.e_questions b.answers
 
   let extract_ciphertext b = Array.map (fun x -> x.choices) b.answers
 

src/lib/serializable.atd

@@ -66,10 +66,18 @@ type 'a answer = {
 choice, a proof that each of these weights is 0 or 1, and an overall
 proof that the total weight is within bounds.">
 
+(* FIXME: merge this with trustee_public_key *)
+type 'a signature = {
+  commitment : 'a; (* FIXME: this is actually a public key *)
+  challenge : number;
+  response : number;
+} <ocaml field_prefix="s_">
+
 type 'a ballot = {
   answers : 'a answer list <ocaml repr="array">;
   election_hash : string;
   election_uuid : uuid;
+  ?signature : 'a signature option;
 }
 
 type 'a partial_decryption = {

src/lib/serializable_compat.ml

@@ -41,8 +41,9 @@ let answer a =
 let ballot b =
   let {answers; election_hash; election_uuid} = b in
   let answers = Array.map answer answers in
+  let signature = None in
   let open Serializable_t in
-  {answers; election_hash; election_uuid}
+  {answers; election_hash; election_uuid; signature}
 
 let partial_decryption p =
   let {decryption_factors; decryption_proofs} = p in

src/lib/signatures.mli

@@ -33,6 +33,9 @@ module type GROUP = sig
   val invert : t -> t
   (** Inversion. *)
 
+  val to_string : t -> string
+  (** Conversion to string. *)
+
   val hash : string -> t array -> Z.t
   (** Hash an array of elements into an integer mod [q]. The string
       argument is a string that is prepended before computing the hash. *)