belenios
Commit
6b320cd4
authored
Nov 20, 2013
by
Stephane Glondu
David's comments on spec (no code changes)
parent
8d56da59
Changes
1
doc/specification.tex
...
...
@@ -46,7 +46,8 @@ available online.\footnote{\url{http://eprint.iacr.org/2013/177}}
The Belenios protocol is very similar to Helios (with a signature
added to ballots and different zero-knowledge proofs) and Helios-C
(without distributed key generation of trustees).
(with the distributed key generation of trustees of Helios, without
threshold support).
The cryptography involved in Belenios needs a cyclic group
$
\G
$
where
discrete logarithms are hard to compute. We will denote by
$
g
$
a
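Review bot: The new parenthetical "(with the distributed key generation of trustees of Helios, without threshold support)" is hard to parse, because "of trustees of Helios" can be read as the trustees belonging to Helios rather than the key generation being the one Helios uses. Something like "(with Helios-style distributed key generation among trustees, but without threshold support)" reads unambiguously. Since the tally section has $A$ combine all the partial decryptions, it would also help to say here in one clause that every trustee takes part in decryption.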
...
...
@@ -71,6 +72,7 @@ section~\ref{default-group} (they are the same as Helios v3).
\label
{
processes
}
\subsection
{
Election setup
}
\label
{
election-setup
}
\begin{enumerate}
\item
$
A
$
generates a fresh
\hyperref
[basic-types]
{$
\uuid
$}
$
u
$
and
...
...
@@ -83,11 +85,11 @@ section~\ref{default-group} (they are the same as Helios v3).
\item
$
C
$
forgets the mapping between
$
j
$
and
$
\public
(
c
_
j
)
$
if credential recovery is not needed
\item
$
C
$
sends
$
L
$
to
$
A
$
\item
for
$
i
\in
[
1
\dots
m
]
$
,
\item
for
$
z
\in
[
1
\dots
m
]
$
,
\begin{enumerate}
\item
$
T
_
i
$
generates a
\hyperref
[trustee-keys]
{$
\tpk
$}
$
k
_
i
$
and
\item
$
T
_
z
$
generates a
\hyperref
[trustee-keys]
{$
\tpk
$}
$
k
_
z
$
and
sends it to
$
A
$
\item
$
A
$
checks
$
k
_
i
$
\item
$
A
$
checks
$
k
_
z
$
\end{enumerate}
\item
$
A
$
combines all the trustee public keys into the election
public key
$
y
$
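Review bot: In the trustee loop, the step "$A$ checks $k_z$" does not say what is checked or what $A$ does when the check fails. The \hyperref on \tpk already points at [trustee-keys]; reference the verification defined there from this step as well, and state the failure behaviour (for example that setup does not proceed) before the next item, where $A$ combines all the trustee public keys into $y$.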
...
...
@@ -100,7 +102,7 @@ section~\ref{default-group} (they are the same as Helios v3).
\begin{enumerate}
\item
$
V
$
gets
$
E
$
\item
$
V
$
creates a
\hyperref
[ballots]
{$
\ballot
$}
$
b
$
and submits it to
$
S
$
\item
$
S
$
v
erifi
es
$
b
$
and publishes it
\item
$
S
$
v
alidat
es
$
b
$
and publishes it
\end{enumerate}
\subsection
{
Credential recovery
}
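Review bot: "validates" in the step where $S$ receives $b$ is not defined in this list, and with this change the processes section uses three different verbs for acceptance checks: $A$ "checks" $k_z$, $S$ "validates" $b$, and $A$ "verifies" $\delta_z$. Either link this step to the place where the ballot checks are listed, the way \ballot is linked to [ballots], or settle on one verb per kind of check and say so once.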
...
...
@@ -119,12 +121,12 @@ section~\ref{default-group} (they are the same as Helios v3).
\begin{enumerate}
\item
$
A
$
stops
$
S
$
and computes the
\hyperref
[tally]
{$
\etally
$}
$
\Pi
$
\item
for
$
i
\in
[
1
\dots
m
]
$
,
\item
for
$
z
\in
[
1
\dots
m
]
$
,
\begin{enumerate}
\item
$
A
$
sends
$
\Pi
$
to
$
T
_
i
$
\item
$
T
_
i
$
generates a
\hyperref
[tally]
{$
\pdecryption
$}
$
\delta
_
i
$
\item
$
A
$
sends
$
\Pi
$
to
$
T
_
z
$
\item
$
T
_
z
$
generates a
\hyperref
[tally]
{$
\pdecryption
$}
$
\delta
_
z
$
and sends it to
$
A
$
\item
$
A
$
verifies
$
\delta
_
i
$
\item
$
A
$
verifies
$
\delta
_
z
$
\end{enumerate}
\item
$
A
$
combines all the partial decryptions, computes and publishes
the election
\hyperref
[election-result]
{
\result
}
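Review bot: The loop over $z \in [1 \dots m]$ has no failure path: neither "$T_z$ generates ... and sends it to $A$" nor "$A$ verifies $\delta_z$" says what happens when a trustee does not answer or when verification fails. The following item computes the result by combining all the partial decryptions, so the spec should state explicitly whether the tally can complete in that case and what $A$ publishes if it cannot.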
...
...
@@ -295,6 +297,14 @@ trustees, and bundled with the group parameters in a
\newcommand
{
\choices
}{
\textsf
{
choices
}}
\newcommand
{
\dprove
}{
\textsf
{
dprove
}}
During an election, public data include:
\begin{itemize}
\item
the
$
\election
$
structure described above;
\item
all the
$
\tpk
$
s that were generated during the
\hyperref
[election-setup]
{
setup phase
}
;
\item
the set
$
L
$
of public credentials.
\end{itemize}
\subsection
{
Disjunctive proofs
}
\begin{gather*}
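Review bot: The list introduced by "public data include" leaves out the accepted ballots, although the vote-casting steps have $S$ publish each $b$. Please say whether this list is meant to be exhaustive; if it is, add the published ballots, and if it is not, say which data are listed here and why, since auditors will read this paragraph as the definition of what they can check against.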
...
...
@@ -318,13 +328,13 @@ following procedure, parameterised by a group element $S$:
\begin{enumerate}
\item
pick a random
$
w
\in\Z
_
q
$
\item
compute
$
A
_
i
=
g
^
w
$
and
$
B
_
i
=
y
^
w
$
\item
$
\challenge
(
\pi
_
i
)=
\Hash
_
\dprove
(
S,A
_
0
,B
_
0
,
\dots
,A
_
k,B
_
k
)-
\sum
_{
j
\neq
\item
$
\challenge
(
\pi
_
i
)=
\Hash
_
\dprove
(
S,
\alpha
,
\beta
,
A
_
0
,B
_
0
,
\dots
,A
_
k,B
_
k
)-
\sum
_{
j
\neq
i
}
\challenge
(
\pi
_
j
)
\mod
q
$
\item
$
\response
(
\pi
_
i
)=
w
+
r
\times\challenge
(
\pi
_
i
)
\mod
q
$
\end{enumerate}
\end{enumerate}
In the above,
$
\Hash
_
\dprove
$
is computed as follows:
\[
\Hash
_
\dprove
(
S,A
_
0
,B
_
0
,
\dots
,A
_
k,B
_
k
)=
\shatwo
(
\verb
=
prove|
=
S
\verb
=
|
=
\alpha\verb
=
,
=
\beta\verb
=
|
=
A
_
0
\verb
=
,
=
B
_
0
\verb
=
,
=
\dots\verb
=
,
=
A
_
k
\verb
=
,
=
B
_
k
)
\]
\[
\Hash
_
\dprove
(
S,
\alpha
,
\beta
,
A
_
0
,B
_
0
,
\dots
,A
_
k,B
_
k
)=
\shatwo
(
\verb
=
prove|
=
S
\verb
=
|
=
\alpha\verb
=
,
=
\beta\verb
=
|
=
A
_
0
\verb
=
,
=
B
_
0
\verb
=
,
=
\dots\verb
=
,
=
A
_
k
\verb
=
,
=
B
_
k
)
\]
where
\verb
=
prove
=
, the vertical bars and the commas are verbatim and
numbers are written in base 10. The result is interpreted as a 256-bit
big-endian number. We will denote the whole procedure by
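Review bot: In the definition of $\Hash_\dprove$, the hashed string is "prove|S|alpha,beta|A_0,B_0,...,A_k,B_k", which now matches the argument list, but it still contains neither $g$ and $y$ nor the values $M_0,\dots,M_k$ that the verification equations use. If these are meant to be fixed by the election context or bound through $S$, say so next to the "where" clause; otherwise consider adding them to the hash input. The same clause should also say how group elements are serialised, since "numbers are written in base 10" only covers integers.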
...
...
@@ -336,7 +346,7 @@ The proof is verified as follows:
\[
A
_
j
=
\frac
{
g
^
\response
}{
\alpha
^
\challenge
}
\quad\text
{
and
}
\quad
B
_
j
=
\frac
{
y
^
\response
}{
(
\beta
/
g
^{
M
_
j
}
)
^
\challenge
}\]
\item
check that
\[
\Hash
_
\dprove
(
S,A
_
0
,B
_
0
,
\dots
,A
_
k,B
_
k
)=
\sum
_{
j
\in
[
0
\dots
\[
\Hash
_
\dprove
(
S,
\alpha
,
\beta
,
A
_
0
,B
_
0
,
\dots
,A
_
k,B
_
k
)=
\sum
_{
j
\in
[
0
\dots
k
]
}
\challenge
(
\pi
_
j
)
\mod
q
\]
\end{enumerate}
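Review bot: In the final check, the left-hand side is the hash, which the text above describes as a 256-bit big-endian number, while the right-hand side is a sum reduced mod $q$. The trailing "\mod q" does not make clear that the hash is reduced as well. Write the equality as a congruence (for example with \pmod{q} covering both sides) so that it matches the proving step, where the challenge is computed as the hash minus the other challenges mod $q$.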
...
...