Commit fb518be9 authored by CORTIER Veronique, committed by Stephane Glondu

Be more verbose about checks to do during the election

parent e8c71f82
Pipeline #93891 passed with stages
in 24 minutes and 38 seconds
......@@ -6,6 +6,7 @@
\usepackage{amsmath}
\usepackage{bbm}
\usepackage{hyperref}
\usepackage{xcolor}
\newcommand{\version}{1.6}
......@@ -35,6 +36,9 @@
\newcommand{\vinput}{\texttt{vinput}}
\newcommand{\voutput}{\texttt{voutput}}
\newcommand{\vc}[1]{\textcolor{blue}{#1}}
\newcommand{\vcomment}[1]{\textcolor{violet}{#1}}
\title{Belenios specification}
\date{Version~\version}
\author{Stéphane Glondu}
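Review bot: \vc and \vcomment (blue and violet \textcolor wrappers) are defined in this hunk, but nothing in the hunks shown uses them. If they are drafting annotations, consider keeping them, and the xcolor import they need, out of the released specification, or add a comment saying what each one is for.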
......@@ -44,7 +48,6 @@
\tableofcontents
\section{Introduction}
This document is a specification of the voting protocol implemented in
Belenios v\version. More discussion, theoretical explanations and
bibliographical references can be found in an article
......@@ -76,11 +79,20 @@ section~\ref{default-group}.
\newcommand{\Hash}{\mathcal{H}}
\begin{itemize}
\item $\mathcal{S}$: voting server
\item $\mathcal{A}$: server administrator
\item $\mathcal{C}$: credential authority
\item $\mathcal{T}_1,\dots,\mathcal{T}_m$: trustees
\item $\mathcal{V}_1,\dots,\mathcal{V}_n$: voters
\item $\mathcal{S}$: voting server \\
The voting server maintains the public data $D$ that
consists of:
\begin{itemize}
\item the election data $E$
\item the list $PK$ of public keys of the trustees
\item the list $L$ of public credentials
\item the list $B$ of accepted ballots
\item the result of the election {\result} (once the election is tallied)
\end{itemize}
\end{itemize}
\section{Processes}
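Review bot: the last sub-item of the public data $D$ names the result only as {\result}, while the audit section added later in this commit writes $D = (E,PK,L,B,r)$. Introduce the symbol where $D$ is defined, for example "the result of the election {\result} $r$", so that the tuple the auditor works with matches this list item by item.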
......@@ -96,21 +108,24 @@ section~\ref{default-group}.
$c_1,\dots,c_n$ and computes
$L=\shuffle(\public(c_1),\dots,\public(c_n))$
\item for $j\in[1\dots n]$, $\mathcal{C}$ sends $c_j$ to $\mathcal{V}_j$
\item $\mathcal{C}$ forgets $c_1,\dots,c_n$
\item $\mathcal{C}$ forgets the mapping between $j$ and $\public(c_j)$
if credential recovery is not needed
\item $\mathcal{C}$ sends $L$ to $\mathcal{A}$
\item \label{item-forget} (optionnal) $\mathcal{C}$ forgets $c_1,\dots,c_n$
\item $\mathcal{C}$ sends $L$ to $\mathcal{A}$
\item $\mathcal{A}$ and $\mathcal{T}_1,\dotsc,\mathcal{T}_m$ run a key establishment protocol
(either \ref{no-threshold} or \ref{threshold})
\item $\mathcal{A}$ creates the \hyperref[elections]{$\election$} $E$
\item $\mathcal{A}$ loads $E$ and $L$ into $\mathcal{S}$ and starts it
\item $\mathcal{C}$ checks that the list of public credentials $L$
is exactly the one that appears on the election data of the election of
{$\uuid$} $u$.
\end{enumerate}
Step~\ref{item-forget} is optional. It offers a better protection
against ballot stuffng in case $\mathcal{C}$ unintentionally leaks
private credentials.
\subsubsection{Basic decryption support}
\label{no-threshold}
To perform tally with this scheme, all trustees will need to compute a
partial decryption.
The trustees jointly compute the public election key. They will
all need to contribute to the tally.
\begin{enumerate}
\item for $z\in[1\dots m]$,
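Review bot: two typos in the added text: "(optionnal)" in the item labelled item-forget and "ballot stuffng" in the paragraph after the list. The optionality is also stated twice, once inside the item and once in "Step~\ref{item-forget} is optional"; one of the two is enough. In the final item, the uuid $u$ is used without having been introduced anywhere in this list, and the step would be easier to follow if it said that $\mathcal{C}$ compares its own $L$ against the one published by $\mathcal{S}$.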
......@@ -123,14 +138,15 @@ partial decryption.
public key $y$:
\[
y=\prod_{z\in[1\dots m]}\pklabel(k_z)
\]
\]
\item for $z\in[1\dots m]$, $\mathcal{T}_z$ checks that $k_z$ appears in the set of public keys $PK$ of the election of {$\uuid$} $u$ (the
id of the election should be publicly known).
\end{enumerate}
\subsubsection{Threshold decryption support}
\label{threshold}
To perform tally with this scheme, $t+1$ trustees will need to compute
a partial decryption.
The trustees jointly compute the public election key such that
only a subgroup of $t+1$ of them will be needed to compute the tally.
\begin{enumerate}
\item for $z\in[1\dots m]$,
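Review bot: the new last item has each $\mathcal{T}_z$ check $k_z$ against the set $PK$ "of the election of uuid $u$", but this list is entered from the setup step "run a key establishment protocol", which comes before $\mathcal{A}$ creates $E$ and loads it into $\mathcal{S}$, so $PK$ is not yet published when the item is reached. Consider moving the check to the end of the election setup list, next to the corresponding check by $\mathcal{C}$, or stating explicitly that it is performed once $\mathcal{S}$ has been started.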
......@@ -161,26 +177,34 @@ a partial decryption.
\hyperref[threshold-params]{threshold parameters}
\item $\mathcal{A}$ computes the election public key $y$ as specified
in section~\ref{polynomials}.
\end{enumerate}
\item for $z\in[1\dots m]$, $\mathcal{T}_z$ checks that $\gamma_z$ appears
in the set of public keys $PK$ of the election of {$\uuid$} $u$ (the
id of the election should be publicly known).
\end{enumerate}
\subsection{Vote}
\begin{enumerate}
\item $\mathcal{V}$ gets $E$
\item $\mathcal{V}$ creates a \hyperref[ballots]{$\ballot$} $b$ and submits it to $\mathcal{S}$
\item $\mathcal{S}$ validates $b$ and publishes it
\item $\mathcal{S}$ validates $b$ and adds it to $B$
\item at any time (even after tally), $\mathcal{V}$ may check that $b$
appears in the list of accepted ballots $B$
\end{enumerate}
\subsection{Credential recovery}
If $\mathcal C$ has forgotten the private credentials of the voter
(optional step~\ref{item-forget} of the setup) then credentials cannot
be recovered.
If $\mathcal C$ has the list of private credentials (associated to the
voters), credentials can be recovered:
\begin{enumerate}
\item $\mathcal{V}_i$ contacts $\mathcal{C}$
\item $\mathcal{C}$ looks up $\mathcal{V}_i$'s public credential $\public(c_i)$ and
generates a new credential $c'_i$
\item $\mathcal{C}$ sends $c'_i$ to $\mathcal{V}_i$ and forgets it
\item $\mathcal{C}$ sends $\public(c_i)$ and $\public(c'_i)$ to $\mathcal{A}$
\item $\mathcal{A}$ checks that $\public(c_i)$ has not been used and replaces it
by $\public(c'_i)$ in $L$
\item $\mathcal{C}$ looks up $\mathcal{V}_i$'s private credential $c_i$
\item $\mathcal{C}$ sends $c_i$
\end{enumerate}
\subsection{Tally}
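Review bot: in the credential recovery list, the last item reads "$\mathcal{C}$ sends $c_i$" with no recipient, and no step says how $\mathcal{C}$ establishes that the requester really is $\mathcal{V}_i$ before releasing the private credential. Suggest "sends $c_i$ to $\mathcal{V}_i$" and a sentence requiring the same channel as the one used for the initial distribution of credentials.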
......@@ -190,14 +214,79 @@ a partial decryption.
\item for $z\in[1\dots m]$ (or, if in threshold mode, a subset of it
of size at least $t+1$),
\begin{enumerate}
\item $\mathcal{A}$ sends $\Pi$ (and $K_z$ if in threshold mode) to $\mathcal{T}_z$
\item $\mathcal{A}$ sends $\Pi$ (and $K_z$ if in threshold mode) to
$\mathcal{T}_z$
\item $\mathcal{T}_z$ generates a \hyperref[tally]{$\pdecryption$} $\delta_z$
and sends it to $\mathcal{A}$
\item $\mathcal{A}$ verifies $\delta_z$
\end{enumerate}
\item $\mathcal{A}$ combines all the partial decryptions, computes and publishes
the election \hyperref[election-result]{\result}
\item $\mathcal{T}_z$ checks that $\delta_z$ appears in {\result}
\end{enumerate}
\subsection{Audit}
Belenios can be publicly audited: anyone having access to the (public)
election data can check that the ballots are well formed and that the
result corresponds to the ballots. Ideally, the list of ballots should
also be monitored during the voting phase, to guarantee that no ballot
disappears.
\subsubsection{During the voting phase}
\label{sec:audit-voting}
At any time, an auditor can retrieve the public board and check its consistency. She should
always record at least the last audited board. Then:
\begin{enumerate}
\item she retrieves the election data $D = (E,PK,L,B,r)$ where $B$ is the list of ballots;
\begin{itemize}
\item she records $B$;
\item for $b\in B$, she checks that the proofs of $b$ are valid and that
the signature of $b$ is valid and corresponds to one of the keys in
$L$;
\item she checks that any two ballots in $B$ correspond to distinct keys (of
$L$);
\end{itemize}
\item she retrieves the previously recorded election data $D' = (E',PK',L',B',r')$ (if it
exists);
\begin{itemize}
\item for $b\in B'$, she checks that
\begin{itemize}
\item $b\in B$
\item or $\exists b'\in B$ such that $b$ and $b'$ correspond to
the same key in $L$. This corresponds to the case where a voter
has revoted;
\end{itemize}
\item she checks that all the other data is unchanged: $E=E'$, $PK=PK'$, $L=L'$,
and $r=r'$ (actually the result is empty at this step).
\end{itemize}
\end{enumerate}
There is no tool support on the web interface for these checks,
instead the command line tool \texttt{verify-diff} can be used.
\subsubsection{After the tally}
The auditor retrieve the election data $D$ and in
particular the list $B$ of ballots and the
\hyperref[election-result]{\result} $r$. Then:
\begin{enumerate}
\item she checks consistency of $B$, that is, perform all
the checks described at step 1 of section~\ref{sec:audit-voting};
\item she checks that $B$ corresponds to the board
monitored so far thus performs all
the checks described at step 2 of section~\ref{sec:audit-voting};
\item she checks that the proofs of the result $r$ are valid w.r.t. $B$.
\end{enumerate}
To ease verification of the trustees and the credential authorities,
it is possible to display the hash of their public data (e.g. the
public keys and the partial decryptions of the trustees, the hash of
the list of the public credentials) in some human-readable form. In
that case, the audit should also check that this human-readable data is
consistent with the election data.
There is no tool support on the web interface for these checks,
instead the command line tool \texttt{verify} can be used.
\section{Messages}
\label{messages}
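Review bot: step 2 of "After the tally" reuses all the checks of step 2 of section sec:audit-voting, which include $r=r'$; the recorded $r'$ is empty during the voting phase ("actually the result is empty at this step") while $r$ is now the published result, so that equality cannot hold as written. Restrict the reuse to the ballot checks and to $E$, $PK$ and $L$. Minor: "The auditor retrieve" and "perform all the checks" each need an "s", and the new Tally item "$\mathcal{T}_z$ checks that $\delta_z$ appears in {\result}" lacks the "for $z$" quantifier used by the item above it.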
......