Commit 4125bb8c authored by Stephane Glondu's avatar Stephane Glondu

Specification: use \mathcal for parties

parent 5f045ead
...@@ -62,11 +62,11 @@ section~\ref{default-group}. ...@@ -62,11 +62,11 @@ section~\ref{default-group}.
\section{Parties} \section{Parties}
\begin{itemize} \begin{itemize}
\item $S$: voting server \item $\mathcal{S}$: voting server
\item $A$: server administrator \item $\mathcal{A}$: server administrator
\item $C$: credential authority \item $\mathcal{C}$: credential authority
\item $T_1,\dots,T_m$: trustees \item $\mathcal{T}_1,\dots,\mathcal{T}_m$: trustees
\item $V_1,\dots,V_n$: voters \item $\mathcal{V}_1,\dots,\mathcal{V}_n$: voters
\end{itemize} \end{itemize}
\section{Processes} \section{Processes}
...@@ -76,20 +76,20 @@ section~\ref{default-group}. ...@@ -76,20 +76,20 @@ section~\ref{default-group}.
\label{election-setup} \label{election-setup}
\begin{enumerate} \begin{enumerate}
\item $A$ generates a fresh \hyperref[basic-types]{$\uuid$} $u$ and \item $\mathcal{A}$ generates a fresh \hyperref[basic-types]{$\uuid$} $u$ and
sends it to $C$ sends it to $\mathcal{C}$
\item $C$ generates \hyperref[credentials]{credentials} \item $\mathcal{C}$ generates \hyperref[credentials]{credentials}
$c_1,\dots,c_n$ and computes $c_1,\dots,c_n$ and computes
$L=\shuffle(\public(c_1),\dots,\public(c_n))$ $L=\shuffle(\public(c_1),\dots,\public(c_n))$
\item for $j\in[1\dots n]$, $C$ sends $c_j$ to $V_j$ \item for $j\in[1\dots n]$, $\mathcal{C}$ sends $c_j$ to $\mathcal{V}_j$
\item $C$ forgets $c_1,\dots,c_n$ \item $\mathcal{C}$ forgets $c_1,\dots,c_n$
\item $C$ forgets the mapping between $j$ and $\public(c_j)$ \item $\mathcal{C}$ forgets the mapping between $j$ and $\public(c_j)$
if credential recovery is not needed if credential recovery is not needed
\item $C$ sends $L$ to $A$ \item $\mathcal{C}$ sends $L$ to $\mathcal{A}$
\item $A$ and $T_1,\dotsc,T_m$ run a key establishment protocol \item $\mathcal{A}$ and $\mathcal{T}_1,\dotsc,\mathcal{T}_m$ run a key establishment protocol
(either \ref{no-threshold} or \ref{threshold}) (either \ref{no-threshold} or \ref{threshold})
\item $A$ creates the \hyperref[elections]{$\election$} $E$ \item $\mathcal{A}$ creates the \hyperref[elections]{$\election$} $E$
\item $A$ loads $E$ and $L$ into $S$ and starts it \item $\mathcal{A}$ loads $E$ and $L$ into $\mathcal{S}$ and starts it
\end{enumerate} \end{enumerate}
\subsubsection{Basic decryption support} \subsubsection{Basic decryption support}
...@@ -101,11 +101,11 @@ partial decryption. ...@@ -101,11 +101,11 @@ partial decryption.
\begin{enumerate} \begin{enumerate}
\item for $z\in[1\dots m]$, \item for $z\in[1\dots m]$,
\begin{enumerate} \begin{enumerate}
\item $T_z$ generates a \hyperref[trustee-keys]{$\tpk$} $k_z$ and \item $\mathcal{T}_z$ generates a \hyperref[trustee-keys]{$\tpk$} $k_z$ and
sends it to $A$ sends it to $\mathcal{A}$
\item $A$ checks $k_z$ \item $\mathcal{A}$ checks $k_z$
\end{enumerate} \end{enumerate}
\item $A$ combines all the trustee public keys into the election \item $\mathcal{A}$ combines all the trustee public keys into the election
public key $y$ public key $y$
\end{enumerate} \end{enumerate}
...@@ -118,65 +118,65 @@ a partial decryption. ...@@ -118,65 +118,65 @@ a partial decryption.
\begin{enumerate} \begin{enumerate}
\item for $z\in[1\dots m]$, \item for $z\in[1\dots m]$,
\begin{enumerate} \begin{enumerate}
\item $T_z$ generates a \hyperref[certificates]{$\cert$} $\gamma_z$ \item $\mathcal{T}_z$ generates a \hyperref[certificates]{$\cert$} $\gamma_z$
and sends it to $A$ and sends it to $\mathcal{A}$
\item $A$ checks $\gamma_z$ \item $\mathcal{A}$ checks $\gamma_z$
\end{enumerate} \end{enumerate}
\item $A$ assembles $\Gamma=\gamma_1,\dotsc,\gamma_n$ \item $\mathcal{A}$ assembles $\Gamma=\gamma_1,\dotsc,\gamma_n$
\item for $z\in[1\dots m]$, \item for $z\in[1\dots m]$,
\begin{enumerate} \begin{enumerate}
\item $A$ sends $\Gamma$ to $T_z$ and $T_z$ checks it \item $\mathcal{A}$ sends $\Gamma$ to $\mathcal{T}_z$ and $\mathcal{T}_z$ checks it
\item $T_z$ generates a \hyperref[polynomials]{$\poly$} $P_z$ and \item $\mathcal{T}_z$ generates a \hyperref[polynomials]{$\poly$} $P_z$ and
sends it to $A$ sends it to $\mathcal{A}$
\item $A$ checks $P_z$ \item $\mathcal{A}$ checks $P_z$
\end{enumerate} \end{enumerate}
\item for $z\in[1\dots m]$, $A$ computes a \item for $z\in[1\dots m]$, $\mathcal{A}$ computes a
\hyperref[vinputs]{$\vinput$} $\textsf{vi}_z$ \hyperref[vinputs]{$\vinput$} $\textsf{vi}_z$
\item for $z\in[1\dots m]$, \item for $z\in[1\dots m]$,
\begin{enumerate} \begin{enumerate}
\item $A$ sends $\Gamma$ to $T_z$ and $T_z$ checks it \item $\mathcal{A}$ sends $\Gamma$ to $\mathcal{T}_z$ and $\mathcal{T}_z$ checks it
\item $A$ sends $\textsf{vi}_z$ to $T_z$ and $T_z$ checks it \item $\mathcal{A}$ sends $\textsf{vi}_z$ to $\mathcal{T}_z$ and $\mathcal{T}_z$ checks it
\item $T_z$ computes a \hyperref[voutputs]{$\voutput$} $\textsf{vo}_z$ and \item $\mathcal{T}_z$ computes a \hyperref[voutputs]{$\voutput$} $\textsf{vo}_z$ and
sends it to $A$ sends it to $\mathcal{A}$
\item $A$ checks $\textsf{vo}_z$ \item $\mathcal{A}$ checks $\textsf{vo}_z$
\end{enumerate} \end{enumerate}
\item $A$ extracts encrypted decryption keys $K_1,\dots,K_m$ and \item $\mathcal{A}$ extracts encrypted decryption keys $K_1,\dots,K_m$ and
\hyperref[threshold-params]{threshold parameters} \hyperref[threshold-params]{threshold parameters}
\end{enumerate} \end{enumerate}
\subsection{Vote} \subsection{Vote}
\begin{enumerate} \begin{enumerate}
\item $V$ gets $E$ \item $\mathcal{V}$ gets $E$
\item $V$ creates a \hyperref[ballots]{$\ballot$} $b$ and submits it to $S$ \item $\mathcal{V}$ creates a \hyperref[ballots]{$\ballot$} $b$ and submits it to $\mathcal{S}$
\item $S$ validates $b$ and publishes it \item $\mathcal{S}$ validates $b$ and publishes it
\end{enumerate} \end{enumerate}
\subsection{Credential recovery} \subsection{Credential recovery}
\begin{enumerate} \begin{enumerate}
\item $V$ contacts $C$ \item $\mathcal{V}_i$ contacts $\mathcal{C}$
\item $C$ looks up $V$'s public credential $\public(c_i)$ and \item $\mathcal{C}$ looks up $\mathcal{V}_i$'s public credential $\public(c_i)$ and
generates a new credential $c'_i$ generates a new credential $c'_i$
\item $C$ sends $c'_i$ to $V$ and forgets it \item $\mathcal{C}$ sends $c'_i$ to $\mathcal{V}_i$ and forgets it
\item $C$ sends $\public(c_i)$ and $\public(c'_i)$ to $A$ \item $\mathcal{C}$ sends $\public(c_i)$ and $\public(c'_i)$ to $\mathcal{A}$
\item $A$ checks that $\public(c_i)$ has not been used and replaces it \item $\mathcal{A}$ checks that $\public(c_i)$ has not been used and replaces it
by $\public(c'_i)$ in $L$ by $\public(c'_i)$ in $L$
\end{enumerate} \end{enumerate}
\subsection{Tally} \subsection{Tally}
\begin{enumerate} \begin{enumerate}
\item $A$ stops $S$ and computes the \hyperref[tally]{$\etally$} $\Pi$ \item $\mathcal{A}$ stops $\mathcal{S}$ and computes the \hyperref[tally]{$\etally$} $\Pi$
\item for $z\in[1\dots m]$ (or, if in threshold mode, a subset of it \item for $z\in[1\dots m]$ (or, if in threshold mode, a subset of it
of size at least $t+1$), of size at least $t+1$),
\begin{enumerate} \begin{enumerate}
\item $A$ sends $\Pi$ (and $K_z$ if in threshold mode) to $T_z$ \item $\mathcal{A}$ sends $\Pi$ (and $K_z$ if in threshold mode) to $\mathcal{T}_z$
\item $T_z$ generates a \hyperref[tally]{$\pdecryption$} $\delta_z$ \item $\mathcal{T}_z$ generates a \hyperref[tally]{$\pdecryption$} $\delta_z$
and sends it to $A$ and sends it to $\mathcal{A}$
\item $A$ verifies $\delta_z$ \item $\mathcal{A}$ verifies $\delta_z$
\end{enumerate} \end{enumerate}
\item $A$ combines all the partial decryptions, computes and publishes \item $\mathcal{A}$ combines all the partial decryptions, computes and publishes
the election \hyperref[election-result]{\result} the election \hyperref[election-result]{\result}
\end{enumerate} \end{enumerate}
...@@ -278,7 +278,7 @@ Belenios uses a custom public key infrastructure. During the key ...@@ -278,7 +278,7 @@ Belenios uses a custom public key infrastructure. During the key
establishment protocol, each trustee starts by generating a secret establishment protocol, each trustee starts by generating a secret
seed (at random), then derives from it encryption and decryption keys, seed (at random), then derives from it encryption and decryption keys,
as well as signing and verification keys. These four keys are then as well as signing and verification keys. These four keys are then
used to exchange messages between trustees by using $A$ as a proxy. used to exchange messages between trustees by using $\mathcal{A}$ as a proxy.
The secret seed $s$ is a 22-character string, where characters are The secret seed $s$ is a 22-character string, where characters are
taken from the set: taken from the set:
...@@ -415,16 +415,16 @@ in step 3 of the key establishment protocol. ...@@ -415,16 +415,16 @@ in step 3 of the key establishment protocol.
\end{array} \end{array}
\right\} \right\}
\end{gather*} \end{gather*}
Suppose $T_i$ is the trustee who is computing. Therefore, $T_i$ knows Suppose $\mathcal{T}_i$ is the trustee who is computing. Therefore, $\mathcal{T}_i$ knows
the signing key $\textsf{sk}_i$ corresponding to $\textsf{vk}_i$ and the the signing key $\textsf{sk}_i$ corresponding to $\textsf{vk}_i$ and the
decryption key $\textsf{dk}_i$ corresponding to $\textsf{ek}_i$. $T_i$ decryption key $\textsf{dk}_i$ corresponding to $\textsf{ek}_i$. $\mathcal{T}_i$
first checks that keys indeed match. Then $T_i$ picks a random first checks that keys indeed match. Then $\mathcal{T}_i$ picks a random
polynomial polynomial
\[ \[
f_i(x)=a_{i0}+a_{i1}x+\dotsb+a_{it}x^t\in\Z_q[x] f_i(x)=a_{i0}+a_{i1}x+\dotsb+a_{it}x^t\in\Z_q[x]
\] \]
and computes $A_{ik}=g^{a_{ik}}$ for $k=0,\dotsc,t$ and and computes $A_{ik}=g^{a_{ik}}$ for $k=0,\dotsc,t$ and
$s_{ij}=f_i(j)\mod q$ for $j=1,\dotsc,m$. $T_i$ then fills the $s_{ij}=f_i(j)\mod q$ for $j=1,\dotsc,m$. $\mathcal{T}_i$ then fills the
\texttt{polynomial} structure as follows: \texttt{polynomial} structure as follows:
\begin{itemize} \begin{itemize}
\item the \textsf{polynomial} field is \item the \textsf{polynomial} field is
...@@ -480,7 +480,7 @@ trustees. Step 4 can be seen as a routing step. ...@@ -480,7 +480,7 @@ trustees. Step 4 can be seen as a routing step.
\right\} \right\}
\end{gather*} \end{gather*}
Suppose we are computing the \texttt{vinput} structure $\textsf{vi}_j$ Suppose we are computing the \texttt{vinput} structure $\textsf{vi}_j$
for trustee $T_j$. We fill it as follows: for trustee $\mathcal{T}_j$. We fill it as follows:
\begin{itemize} \begin{itemize}
\item the \textsf{polynomial} field is the same as the one of $P_j$ \item the \textsf{polynomial} field is the same as the one of $P_j$
\item the \textsf{secret} field is \item the \textsf{secret} field is
...@@ -490,7 +490,7 @@ for trustee $T_j$. We fill it as follows: ...@@ -490,7 +490,7 @@ for trustee $T_j$. We fill it as follows:
\end{itemize} \end{itemize}
Note that the \textsf{coefexps} field is the same for all trustees. Note that the \textsf{coefexps} field is the same for all trustees.
In step~5, $T_j$ checks consistency of $\textsf{vi}_j$ by unpacking it In step~5, $\mathcal{T}_j$ checks consistency of $\textsf{vi}_j$ by unpacking it
and checking that, for $i=1,\dotsc,m$, and checking that, for $i=1,\dotsc,m$,
\[ \[
g^{s_{ij}}=\prod_{k=0}^t(A_{ik})^{j^k} g^{s_{ij}}=\prod_{k=0}^t(A_{ik})^{j^k}
...@@ -499,7 +499,7 @@ g^{s_{ij}}=\prod_{k=0}^t(A_{ik})^{j^k} ...@@ -499,7 +499,7 @@ g^{s_{ij}}=\prod_{k=0}^t(A_{ik})^{j^k}
\subsubsection{Voutputs} \subsubsection{Voutputs}
\label{voutputs} \label{voutputs}
In step 5 of the key establishment protocol, a trustee $T_j$ receives In step 5 of the key establishment protocol, a trustee $\mathcal{T}_j$ receives
$\Gamma$ and $\textsf{vi}_j$, and produces a \texttt{voutput} $\Gamma$ and $\textsf{vi}_j$, and produces a \texttt{voutput}
$\textsf{vo}_j$. $\textsf{vo}_j$.
\begin{gather*} \begin{gather*}
...@@ -510,10 +510,10 @@ $\textsf{vo}_j$. ...@@ -510,10 +510,10 @@ $\textsf{vo}_j$.
\end{array} \end{array}
\right\} \right\}
\end{gather*} \end{gather*}
Trustee $T_j$ fills $\textsf{vo}_j$ as follows: Trustee $\mathcal{T}_j$ fills $\textsf{vo}_j$ as follows:
\begin{itemize} \begin{itemize}
\item \textsf{private\_key} is set to \item \textsf{private\_key} is set to
$\textsf{send}(\textsf{sk}_j,\textsf{ek}_j,S_j)$, where $S_j$ is $T_j$'s $\textsf{send}(\textsf{sk}_j,\textsf{ek}_j,S_j)$, where $S_j$ is $\mathcal{T}_j$'s
(private) decryption key: (private) decryption key:
\[ \[
S_j=\sum_{i=1}^m s_{ij}\mod q S_j=\sum_{i=1}^m s_{ij}\mod q
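Review bot: In the threshold key-establishment steps (hunk `@@ -118,65 +118,65 @@`), the touched line `\item $\mathcal{A}$ assembles $\Gamma=\gamma_1,\dotsc,\gamma_n$` still ends the list at index n, although the certificates are produced one per trustee in the loop `for $z\in[1\dots m]$` and n counts voters in the Parties list; the upper index should presumably be m, i.e. `$\Gamma=\gamma_1,\dotsc,\gamma_m$`. Every trustee checks $\Gamma$ before sending its polynomial, so the specification should leave no doubt about how many certificates that list must contain. In the same hunk the Vote steps keep an unindexed `$\mathcal{V}$`, while Credential recovery was changed to `$\mathcal{V}_i$`; writing `$\mathcal{V}_i$` there as well would match the Parties list, which only defines $\mathcal{V}_1,\dots,\mathcal{V}_n$. As a style point, the party symbols are now spelled out as `\mathcal{...}` at every use; defining one macro per party in the preamble (not visible on this page) would keep the notation changeable in one place.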