hjugement-protocol: A cryptographic protocol for the Majority Judgment.

[ gpl, library, politic ] [ Propose Tags ] [ Report a vulnerability ]

This work-in-progress library aims at implementing an online voting protocol named Helios-C (Helios with Credentials) by its authors from the CNRS, the INRIA and the Université de Lorraine: Véronique Cortier, David Galindo, Pierrick Gaudry, Stéphane Glondu and Malika Izabachène.

A large-public introduction (in french) to Helios-C is available here: Bulletin de la société informatique de France – numéro 9, novembre 2016.
A more scientific (yet understandable) introduction (in english) to Belenios (an implementation of Helios-C) is available here: Belenios: a simple private and verifiable electronic voting system.

The main properties of this protocol are:

fully correct: the published result are proven to correspond to the (sum of) intended votes of the voters, while accounting for a malicious bulletin board (BB) (adding fake ballots) by requiring a registration authority (RA) (responsible for generating and sending voters' credentials). Assuming that the BB and the RA are not simultaneously dishonest.
verifiable: each voter is able to check that: his/her ballot did contribute to the outcome (individual verifiability), and that the tallying authorities did their job properly (universal verifiability).
private: the identities of the voters who cast a vote are not publicly revealed.

[Skip to Readme]

Modules

[Index] [Quick Jump]

Voting
- Voting.Protocol

Downloads

hjugement-protocol-0.0.8.20191027.tar.gz [browse] (Cabal source package)
Package description (as included in the package)

Maintainer's Corner

Package maintainers

julm

For package maintainers and hackage trustees

edit package information

Candidates

No Candidates

Versions [RSS]	0.0.0.20190428, 0.0.0.20190501, 0.0.0.20190511, 0.0.0.20190513, 0.0.0.20190519, 0.0.1.20190623, 0.0.4.20190711, 0.0.7.20190815, 0.0.8.20191027, 0.0.9.20191031, 0.0.10.20191104
Dependencies	aeson (>=1.3), base (>=4.6 && <5), base64-bytestring (>=1.0), binary (>=0.8), bytestring (>=0.10), containers (>=0.5), cryptonite (>=0.25), deepseq (>=1.4), memory (>=0.14), random (>=1.1), reflection (>=2.1), text (>=1.2), transformers (>=0.5), unordered-containers (>=0.2.8) [details]
Tested with	ghc ==8.4.4
License	GPL-3.0-only
Author	Julien Moutinho <julm+hjugement@autogeree.net>
Maintainer	Julien Moutinho <julm+hjugement@autogeree.net>
Category	Politic
Bug tracker	Julien Moutinho <julm+hjugement@autogeree.net>
Source repo	head: git clone git://git.autogeree.net/hjugement
Uploaded	by julm at 2019-10-28T17:02:24Z
Distributions
Downloads	4035 total (27 in the last 30 days)
Rating	(no votes yet) [estimated by Bayesian average]
Your Rating	λ λ λ
Status	Docs available [build log] Last success reported on 2019-10-28 [all 1 reports]

Readme for hjugement-protocol-0.0.8.20191027

[back to package description]

Voting protocol

Ballot

Ballots are encrypted using public-key cryptography secured by the Discrete Logarithm problem: finding x in (g^x mod p), where p is a large prime and g a generator of Gq, the multiplicative subgroup of order q, in Fp (the finite prime field whose characteristic is p).

Here, p is 2048-bit and q is 256-bit.

The signing (Schnorr-like), the encrypting (ElGamal-like) and the Decisional Diffe Hellman (DDH) assumption, all rely on the hardness of that problem.

Ballot signing

The Schnorr protocol is used to prove that a voter has knowledge of the secret key used to sign their votes.

Voter's credential

A voter's credential is a secret key (the signing key) from which a public part can be derived (the verification key).

The association between the public part and the corresponding voter's identity does not need to be known, and actually should not be disclosed to satisfy e.g. the French requirements regarding voting systems. Using credentials prevent the submission of duplicated ballots (because they are added as an additional input to the random oracle in the non-interactive zero-knowledge (NIZK) proofs for ciphertext well-formedness). This allows a testing of duplicates which depends only on the size of the number of voters, and thus enables Helios-C to scale for larger elections while attaining correctness.

Tallying

Ballots are added without being decrypted because adding (multiplying actually) ciphertexts then decrypting, is like decrypting then adding plaintexts (additive homomorphism). Which requires to solve the Discrete Logarithm Problem for numbers in the order of the number of voters, which is not hard for small numbers (with a lookup table as here, or with Pollard’s rho algorithm for logarithms).

Verifying

The Chaum-Pedersen protocol (proving an equality of discrete logarithms) is used to prove that ciphertexts are well-formed (encrypting a 0 or a 1… or any expected natural) without decrypting them. Which is known as a Disjunctive Chaum-Pedersen proof of partial knowledge.
See: Some ZK security proofs for Belenios.

A strong Fiat-Shamir transformation is used to transform the interactive zero-knowledge (IZK) Chaum-Pedersen protocol into a non-interactive zero-knowledge (NIZK) proof, using a SHA256 hash.
See: How not to Prove Yourself: Pitfalls of the Fiat-Shamir Heuristic and Applications to Helios.

Public Key Infrastructure

(TODO) A Pedersen's distributed key generation (DKG) protocol coupled with ElGamal keys (under the DDH assumption), is used to have a fully distributed semantically secure encryption.