Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Submit feedback
Contribute to GitLab
Sign in
Toggle navigation
B
belenios
Project overview
Project overview
Details
Activity
Releases
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
belenios
belenios
Commits
fb518be9
Commit
fb518be9
authored
Sep 11, 2019
by
CORTIER Veronique
Committed by
Stephane Glondu
Sep 17, 2019
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Be more verbose about checks to do during the election
parent
e8c71f82
Pipeline
#93891
passed with stages
in 24 minutes and 38 seconds
Changes
1
Pipelines
1
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
111 additions
and
22 deletions
+111
-22
doc/specification.tex
doc/specification.tex
+111
-22
No files found.
doc/specification.tex
View file @
fb518be9
...
...
@@ -6,6 +6,7 @@
\usepackage
{
amsmath
}
\usepackage
{
bbm
}
\usepackage
{
hyperref
}
\usepackage
{
xcolor
}
\newcommand
{
\version
}{
1.6
}
...
...
@@ -35,6 +36,9 @@
\newcommand
{
\vinput
}{
\texttt
{
vinput
}}
\newcommand
{
\voutput
}{
\texttt
{
voutput
}}
\newcommand
{
\vc
}
[1]
{
\textcolor
{
blue
}{
#1
}}
\newcommand
{
\vcomment
}
[1]
{
\textcolor
{
violet
}{
#1
}}
\title
{
Belenios specification
}
\date
{
Version~
\version
}
\author
{
Stéphane Glondu
}
...
...
@@ -44,7 +48,6 @@
\tableofcontents
\section
{
Introduction
}
This document is a specification of the voting protocol implemented in
Belenios v
\version
. More discussion, theoretical explanations and
bibliographical references can be found in an article
...
...
@@ -76,11 +79,20 @@ section~\ref{default-group}.
\newcommand
{
\Hash
}{
\mathcal
{
H
}}
\begin{itemize}
\item
$
\mathcal
{
S
}$
: voting server
\item
$
\mathcal
{
A
}$
: server administrator
\item
$
\mathcal
{
C
}$
: credential authority
\item
$
\mathcal
{
T
}_
1
,
\dots
,
\mathcal
{
T
}_
m
$
: trustees
\item
$
\mathcal
{
V
}_
1
,
\dots
,
\mathcal
{
V
}_
n
$
: voters
\item
$
\mathcal
{
S
}$
: voting server
\\
The voting server maintains the public data
$
D
$
that
consists of:
\begin{itemize}
\item
the election data
$
E
$
\item
the list
$
PK
$
of public keys of the trustees
\item
the list
$
L
$
of public credentials
\item
the list
$
B
$
of accepted ballots
\item
the result of the election
{
\result
}
(once the election is tallied)
\end{itemize}
\end{itemize}
\section
{
Processes
}
...
...
@@ -96,21 +108,24 @@ section~\ref{default-group}.
$
c
_
1
,
\dots
,c
_
n
$
and computes
$
L
=
\shuffle
(
\public
(
c
_
1
)
,
\dots
,
\public
(
c
_
n
))
$
\item
for
$
j
\in
[
1
\dots
n
]
$
,
$
\mathcal
{
C
}$
sends
$
c
_
j
$
to
$
\mathcal
{
V
}_
j
$
\item
$
\mathcal
{
C
}$
forgets
$
c
_
1
,
\dots
,c
_
n
$
\item
$
\mathcal
{
C
}$
forgets the mapping between
$
j
$
and
$
\public
(
c
_
j
)
$
if credential recovery is not needed
\item
$
\mathcal
{
C
}$
sends
$
L
$
to
$
\mathcal
{
A
}$
\item
\label
{
item-forget
}
(optionnal)
$
\mathcal
{
C
}$
forgets
$
c
_
1
,
\dots
,c
_
n
$
\item
$
\mathcal
{
C
}$
sends
$
L
$
to
$
\mathcal
{
A
}$
\item
$
\mathcal
{
A
}$
and
$
\mathcal
{
T
}_
1
,
\dotsc
,
\mathcal
{
T
}_
m
$
run a key establishment protocol
(either
\ref
{
no-threshold
}
or
\ref
{
threshold
}
)
\item
$
\mathcal
{
A
}$
creates the
\hyperref
[elections]
{$
\election
$}
$
E
$
\item
$
\mathcal
{
A
}$
loads
$
E
$
and
$
L
$
into
$
\mathcal
{
S
}$
and starts it
\item
$
\mathcal
{
C
}$
checks that the list of public credentials
$
L
$
is exactly the one that appears on the election data of the election of
{$
\uuid
$}
$
u
$
.
\end{enumerate}
Step~
\ref
{
item-forget
}
is optional. It offers a better protection
against ballot stuffng in case
$
\mathcal
{
C
}$
unintentionally leaks
private credentials.
\subsubsection
{
Basic decryption support
}
\label
{
no-threshold
}
To perform tally with this scheme, all trustees will need to compute a
partial decryption.
The trustees jointly compute the public election key. They will
all need to contribute to the tally.
\begin{enumerate}
\item
for
$
z
\in
[
1
\dots
m
]
$
,
...
...
@@ -123,14 +138,15 @@ partial decryption.
public key
$
y
$
:
\[
y
=
\prod
_{
z
\in
[
1
\dots
m
]
}
\pklabel
(
k
_
z
)
\]
\]
\item
for
$
z
\in
[
1
\dots
m
]
$
,
$
\mathcal
{
T
}_
z
$
checks that
$
k
_
z
$
appears in the set of public keys
$
PK
$
of the election of
{$
\uuid
$}
$
u
$
(the
id of the election should be publicly known).
\end{enumerate}
\subsubsection
{
Threshold decryption support
}
\label
{
threshold
}
To perform tally with this scheme,
$
t
+
1
$
trustees will need to compute
a partial decryption.
The trustees jointly compute the public election key such that
only a subgroup of
$
t
+
1
$
of them will be needed to compute the tally.
\begin{enumerate}
\item
for
$
z
\in
[
1
\dots
m
]
$
,
...
...
@@ -161,26 +177,34 @@ a partial decryption.
\hyperref
[threshold-params]
{
threshold parameters
}
\item
$
\mathcal
{
A
}$
computes the election public key
$
y
$
as specified
in section~
\ref
{
polynomials
}
.
\end{enumerate}
\item
for
$
z
\in
[
1
\dots
m
]
$
,
$
\mathcal
{
T
}_
z
$
checks that
$
\gamma
_
z
$
appears
in the set of public keys
$
PK
$
of the election of
{$
\uuid
$}
$
u
$
(the
id of the election should be publicly known).
\end{enumerate}
\subsection
{
Vote
}
\begin{enumerate}
\item
$
\mathcal
{
V
}$
gets
$
E
$
\item
$
\mathcal
{
V
}$
creates a
\hyperref
[ballots]
{$
\ballot
$}
$
b
$
and submits it to
$
\mathcal
{
S
}$
\item
$
\mathcal
{
S
}$
validates
$
b
$
and publishes it
\item
$
\mathcal
{
S
}$
validates
$
b
$
and adds it to
$
B
$
\item
at any time (even after tally),
$
\mathcal
{
V
}$
may check that
$
b
$
appears in the list of accepted ballots
$
B
$
\end{enumerate}
\subsection
{
Credential recovery
}
If
$
\mathcal
C
$
has forgotten the private credentials of the voter
(optional step~
\ref
{
item-forget
}
of the setup) then credentials cannot
be recovered.
If
$
\mathcal
C
$
has the list of private credentials (associated to the
voters), credentials can be recovered:
\begin{enumerate}
\item
$
\mathcal
{
V
}_
i
$
contacts
$
\mathcal
{
C
}$
\item
$
\mathcal
{
C
}$
looks up
$
\mathcal
{
V
}_
i
$
's public credential
$
\public
(
c
_
i
)
$
and
generates a new credential
$
c'
_
i
$
\item
$
\mathcal
{
C
}$
sends
$
c'
_
i
$
to
$
\mathcal
{
V
}_
i
$
and forgets it
\item
$
\mathcal
{
C
}$
sends
$
\public
(
c
_
i
)
$
and
$
\public
(
c'
_
i
)
$
to
$
\mathcal
{
A
}$
\item
$
\mathcal
{
A
}$
checks that
$
\public
(
c
_
i
)
$
has not been used and replaces it
by
$
\public
(
c'
_
i
)
$
in
$
L
$
\item
$
\mathcal
{
C
}$
looks up
$
\mathcal
{
V
}_
i
$
's private credential
$
c
_
i
$
\item
$
\mathcal
{
C
}$
sends
$
c
_
i
$
\end{enumerate}
\subsection
{
Tally
}
...
...
@@ -190,14 +214,79 @@ a partial decryption.
\item
for
$
z
\in
[
1
\dots
m
]
$
(or, if in threshold mode, a subset of it
of size at least
$
t
+
1
$
),
\begin{enumerate}
\item
$
\mathcal
{
A
}$
sends
$
\Pi
$
(and
$
K
_
z
$
if in threshold mode) to
$
\mathcal
{
T
}_
z
$
\item
$
\mathcal
{
A
}$
sends
$
\Pi
$
(and
$
K
_
z
$
if in threshold mode) to
$
\mathcal
{
T
}_
z
$
\item
$
\mathcal
{
T
}_
z
$
generates a
\hyperref
[tally]
{$
\pdecryption
$}
$
\delta
_
z
$
and sends it to
$
\mathcal
{
A
}$
\item
$
\mathcal
{
A
}$
verifies
$
\delta
_
z
$
\end{enumerate}
\item
$
\mathcal
{
A
}$
combines all the partial decryptions, computes and publishes
the election
\hyperref
[election-result]
{
\result
}
\item
$
\mathcal
{
T
}_
z
$
checks that
$
\delta
_
z
$
appears in
{
\result
}
\end{enumerate}
\subsection
{
Audit
}
Belenios can be publicly audited: anyone having access to the (public)
election data can check that the ballots are well formed and that the
result corresponds to the ballots. Ideally, the list of ballots should
also be monitored during the voting phase, to guarantee that no ballot
disappears.
\subsubsection
{
During the voting phase
}
\label
{
sec:audit-voting
}
At any time, an auditor can retrieve the public board and check its consistency. She should
always record at least the last audited board. Then:
\begin{enumerate}
\item
she retrieves the election data
$
D
=
(
E,PK,L,B,r
)
$
where
$
B
$
is the list of ballots;
\begin{itemize}
\item
she records
$
B
$
;
\item
for
$
b
\in
B
$
, she checks that the proofs of
$
b
$
are valid and that
the signature of
$
b
$
is valid and corresponds to one of the keys in
$
L
$
;
\item
she checks that any two ballots in
$
B
$
correspond to distinct keys (of
$
L
$
);
\end{itemize}
\item
she retrieves the previously recorded election data
$
D'
=
(
E',PK',L',B',r'
)
$
(if it
exists);
\begin{itemize}
\item
for
$
b
\in
B'
$
, she checks that
\begin{itemize}
\item
$
b
\in
B
$
\item
or
$
\exists
b'
\in
B
$
such that
$
b
$
and
$
b'
$
correspond to
the same key in
$
L
$
. This corresponds to the case where a voter
has revoted;
\end{itemize}
\item
she checks that all the other data is unchanged:
$
E
=
E'
$
,
$
PK
=
PK'
$
,
$
L
=
L'
$
,
and
$
r
=
r'
$
(actually the result is empty at this step).
\end{itemize}
\end{enumerate}
There is no tool support on the web interface for these checks,
instead the command line tool
\texttt
{
verify-diff
}
can be used.
\subsubsection
{
After the tally
}
The auditor retrieve the election data
$
D
$
and in
particular the list
$
B
$
of ballots and the
\hyperref
[election-result]
{
\result
}
$
r
$
. Then:
\begin{enumerate}
\item
she checks consistency of
$
B
$
, that is, perform all
the checks described at step 1 of section~
\ref
{
sec:audit-voting
}
;
\item
she checks that
$
B
$
corresponds to the board
monitored so far thus performs all
the checks described at step 2 of section~
\ref
{
sec:audit-voting
}
;
\item
she checks that the proofs of the result
$
r
$
are valid w.r.t.
$
B
$
.
\end{enumerate}
To ease verification of the trustees and the credential authorities,
it is possible to display the hash of their public data (e.g. the
public keys and the partial decryptions of the trustees, the hash of
the list of the public credentials) in some human-readable form. In
that case, the audit should also check that this human-readable data is
consistent with the election data.
There is no tool support on the web interface for these checks,
instead the command line tool
\texttt
{
verify
}
can be used.
\section
{
Messages
}
\label
{
messages
}
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment