Commit c94c6290 authored by CORTIER Veronique

Bibliography in intro

parent 725ac65d
author="Cortier, V{\'e}ronique
and Gaudry, Pierrick
and Glondu, St{\'e}phane",
title="Belenios: A Simple Private and Verifiable Electronic Voting System",
bookTitle="Foundations of Security, Protocols, and Equational Reasoning: Essays Dedicated to Catherine A. Meadows",
publisher="Springer International Publishing",
author = {V\'eronique Cortier and Constantin Catalin Dragan and Pierre-Yves Strub and Francois Dupressoir and Bogdan Warinschi},
title = {Machine-checked proofs for electronic voting: privacy and verifiability for Belenios},
booktitle = {{P}roceedings of the 31st {IEEE} {C}omputer {S}ecurity {F}oundations {S}ymposium ({CSF} 2018)},
year = {2018},
pages = {298--312},
author = {V\'eronique Cortier and David Galindo and St\'ephane Glondu and Malika Izabachene},
title = {Distributed ElGamal \`a la Pedersen - Application to Helios},
booktitle = {Workshop on Privacy in the Electronic Society (WPES 2013)},
OPTpages = {},
year = {2013},
address = {Berlin, Germany},
author = {V\'eronique Cortier and David Galindo and St\'ephane Glondu and Malika Izabachene},
title = {Election Verifiability for Helios under Weaker Trust Assumptions},
booktitle = {Proceedings of the 19th European Symposium on Research in Computer Security (ESORICS 2014)},
pages = {327--344},
year = {2014},
OPTeditor = {},
volume = {8713},
OPTnumber = {},
series = {LNCS},
address = {Wroclaw, Poland},
publisher = {Springer},
author = {Rolf Haenni and Reto E. Koenig and Philipp Locher and Eric Dubuis},
title = {CHVote System Specification},
howpublished = {Cryptology ePrint Archive, Report 2017/325},
year = {2017},
note = {\url{}},
author = {David Bernhard and Bogdan Warinschi and Olivier Pereira},
title = {How Not to Prove Yourself: Pitfalls of Fiat-Shamir and Applications to Helios},
booktitle = {Advances in Cryptology (AsiaCrypt 2012)},
year = {2012},
OPTeditor = {Springer Verlag},
volume = {7658},
OPTnumber = {},
series = {LNCS},
pages = {626--643},
OPTmonth = {},
OPTaddress = {},
OPTorganization = {},
OPTpublisher = {},
OPTnote = {},
OPTannote = {}
author = {Adida, Ben},
title = {Helios: web-based open-audit voting},
booktitle = {Proceedings of the 17th conference on Security symposium (SS 2018)},
series = {SS'08},
location = {San Jose, CA},
pages = {335--348},
publisher = {USENIX Association},
address = {Berkeley, CA, USA},
TITLE = {{Some ZK security proofs for Belenios}},
AUTHOR = {Gaudry, Pierrick},
URL = {},
NOTE = {working paper or preprint},
YEAR = {2017},
PDF = {},
author = {Torben P. Pedersen},
title = {Non-interactive and information-theoretic secure verifiable secret sharing},
booktitle = {CRYPTO 1991},
year = {1991},
OPTeditor = {},
OPTvolume = {},
OPTnumber = {},
OPTseries = {},
pages = {129-–140},
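Review bot: The Helios entry contradicts itself: the booktitle ends in "(SS 2018)" while the series field is "SS'08", so the two should be aligned before this is cited from the introduction. In the Pedersen entry, the page range "129-–140" mixes an ASCII hyphen with a Unicode en dash; use "129--140", matching the "298--312" and "327--344" ranges in the other entries. The AsiaCrypt 2012 entry puts "Springer Verlag" in OPTeditor, which names a publisher rather than an editor, and the empty OPT* fields left over from the template can be deleted.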
......@@ -51,9 +51,40 @@
This document is a specification of the voting protocol implemented in
Belenios \version. More discussion, theoretical explanations and
bibliographical references can be found in an article
available online.\footnote{\url{}}
Belenios \version.
A high level description of Belenios and some statistics about its
usage can be found~\cite{Belenios-Meadows2019}.
A security proof of the protocol for ballot privacy and verifiability
is presented in~\cite{Belenios-Easycrypt-CSF18}. The proof has been conducted with the
tool EasyCrypt. It focuses on the protocol aspects and assumes
security of the cryptographic primitives.
The cryptographic primitives have been introduced in various places
and their security proofs is spread across several references.
The threshold decryption scheme is
based on a ``folklore'' scheme:
Pedersen’s~\cite{Pedersen} Distributed Key Generation (DKG) that has several variations.
The variant considered in Belenios is described in~\cite{wpes2013} and
proved in~\cite{wpes2013,asiacrypt12}.
\item Ballots are formed of an ElGamal encryption of the votes and a
zero-knowledge proof of well-formedness, as for the Helios
protocol~\cite{Helios}. Compared to Helios, we support blank votes,
which required to adapt the zero-knowledge proofs, as specified and
proved in~\cite{note-Pierrick}. Additionnally, ballots are signed to
avoid ballot stuffing, as introduced in~\cite{CGGI-esorics14} but also
described in~\cite{Belenios-Meadows2019}.
\item During the tally phase, Belenios supports two modes. Ballots are either combined
homomorphically or shuffled and randomized, using mixnets. The
mixnet algorithms are taken from the CHVote specification~\cite{CHVote}.
% Veronique : c'est un cauchemar toutes ces refs... ;-)
% has been conducted with EasyCrypt and shows
% More discussion, theoretical explanations and
% bibliographical references can be found in an article
% available online.\footnote{\url{}}
The cryptography involved in Belenios needs a cyclic group $\G$ where
discrete logarithms are hard to compute. We will denote by $g$ a
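Review bot: The new introduction text has a few wording slips that will show up in the rendered specification: "can be found~\cite{Belenios-Meadows2019}" is missing "in", "their security proofs is spread" should read "are spread", "which required to adapt" reads better as "which required adapting", and "Additionnally" is misspelled. "Pedersen’s" uses a Unicode apostrophe where the rest of the source uses ASCII quoting, so replace it with a plain ' to avoid encoding problems. The threshold-decryption sentence has no \item in front of it while the ballot and tally entries do, so check that the list is opened where intended. The personal comment and the commented-out old sentence at the end of the block ("% Veronique : ..." through "% available online...") should be removed before merging, since the git history already preserves the old text.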
......@@ -1279,8 +1310,9 @@ later), they must be merged into the encrypted tally as $a'$ such that
Shuffles are done in the same way as the CHVote system\footnote{See
version 1.3.2 of the CHVote System Specification at
\url{}}. For each non-homomorphic
version 1.3.2 of the CHVote System Specification at~\cite{CHVote}}.
% \url{}}.
For each non-homomorphic
question, its ciphertexts are re-encrypted and applied a random
permutation, and a zero-knowledge proof of the permutation is
computed. All these shuffles are then assembled into a
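Review bot: In the rewritten footnote, "Specification at~\cite{CHVote}" reads oddly, since "at" was written for a URL; "See version 1.3.2 of the CHVote System Specification~\cite{CHVote}" would be enough, or the citation could move inline and the footnote be dropped. The CHVote bibliography entry added in this commit only says "Report 2017/325" and year 2017, so the version 1.3.2 that the algorithms were taken from is now recorded only in this prose; consider adding the version to the entry's note field so a reader can locate the exact revision. The commented-out "% \url{}}." line is leftover and can be deleted.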
......@@ -1544,7 +1576,9 @@ Additionally, its \textsf{embedding} field is set to:
The algorithms $\textsf{GenShuffle}$ and $\textsf{GenShuffleProof}$
are referred to in section~\ref{shuffles}. They were taken from
version 1.3.2 of the CHVote System
Specification\footnote{\url{}}, and
are given here for self-completeness. We also give the
$\textsf{CheckShuffleProof}$ algorithm, used to check a proof produced
by $\textsf{GenShuffleProof}$. For more explanations on these
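Review bot: As shown here, "Specification\footnote{\url{}}" still refers to CHVote through a footnote URL, while the shuffles section in the previous hunk was switched to \cite{CHVote}. Use the same \cite{CHVote} form in both places so the version 1.3.2 reference resolves to a single bibliography entry and does not depend on a URL in a footnote.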
......@@ -1933,4 +1967,8 @@ algorithms, please refer to the CHVote System Specification.