protocol description

Belenios specification
Stéphane Glondu
Version 0.1
Contents
1 Introduction
1
2 Parties
2
3 Processes
3.1 Election setup . . .
3.2 Vote . . . . . . . .
3.3 Credential recovery
3.4 Tally . . . . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
2
2
2
2
3
4 Messages
4.1 Conventions . . . . .
4.2 Basic types . . . . .
4.3 Common structures .
4.4 Trustee keys . . . . .
4.5 Credentials . . . . .
4.6 Election . . . . . . .
4.7 Disjunctive proofs .
4.8 Encrypted answers .
4.9 Signatures . . . . . .
4.10 Ballots . . . . . . . .
4.11 Tally . . . . . . . . .
4.12 Election result . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
3
3
3
3
3
4
4
5
5
6
6
7
7
5 Default group parameters
1
8
Introduction
This document is a specification of the voting protocol implemented in Belenios v0.1. More
discussion, theoretical explanations and bibliographical references can be found in a technical
report available online.1
The Belenios protocol is very similar to Helios (with a signature added to ballots and different
zero-knowledge proofs) and Helios-C (with the distributed key generation of trustees of Helios,
without threshold support).
The cryptography involved in Belenios needs a cyclic group G where discrete logarithms are
hard to compute. We will denote by g a generator and q its order. We use a multiplicative notation
for the group operation. For practical purposes, we use a multiplicative subgroup of F∗p (hence,
all exponentiations are implicitly done modulo p). We suppose the group parameters are agreed
1 http://eprint.iacr.org/2013/177
1
on beforehand. Default group parameters are given as examples in section 5 (they are the same
as Helios v3).
2
Parties
• S: voting server
• A: server administrator
• C: credential authority
• T1 , . . . , Tm : trustees
• V1 , . . . , Vn : voters
3
Processes
3.1
Election setup
1. A generates a fresh uuid u and sends it to C
2. C generates credentials c1 , . . . , cn and computes L = shuffle(public(c1 ), . . . , public(cn ))
3. for j ∈ [1 . . . n], C sends cj to Vj
4. C forgets c1 , . . . , cn
5. C forgets the mapping between j and public(cj ) if credential recovery is not needed
6. C sends L to A
7. for z ∈ [1 . . . m],
(a) Tz generates a trustee_public_key kz and sends it to A
(b) A checks kz
8. A combines all the trustee public keys into the election public key y
9. A creates the election E
10. A loads E and L into S and starts it
3.2
Vote
1. V gets E
2. V creates a ballot b and submits it to S
3. S validates b and publishes it
3.3
Credential recovery
1. V contacts C
2. C looks up V ’s public credential public(ci ) and generates a new credential c0i
3. C sends c0i to V and forgets it
4. C sends public(ci ) and public(c0i ) to A
5. A checks that public(ci ) has not been used and replaces it by public(c0i ) in L
2
3.4
Tally
1. A stops S and computes the encrypted_tally Π
2. for z ∈ [1 . . . m],
(a) A sends Π to Tz
(b) Tz generates a partial_decryption δz and sends it to A
(c) A verifies δz
3. A combines all the partial decryptions, computes and publishes the election result
4
Messages
4.1
Conventions
Structured data is encoded in JSON (RFC 4627). There is no specific requirement on the formatting and order of fields, but care must be taken when hashes are computed. We use the notation
field(o) to access the field field of o.
4.2
Basic types
• string: JSON string
• uuid: UUID (see RFC 4122), encoded as a JSON string
• I: small integer, encoded as a JSON number
•
4.3
N, Zq , G: big integer, written in base 10 and encoded as a JSON string
Common structures
proof =
4.4
challenge :
response :
Zq
Zq
ciphertext =
alpha :
beta :
G
G
Trustee keys
public_key = G
trustee_public_key =
private_key = Zq
pok : proof
public_key : public_key
A private key is a random number x modulo q. The corresponding public_key is X = g x .
A trustee_public_key is a bundle of this public key with a proof of knowledge computed as
follows:
1. pick a random w ∈ Zq
2. compute A = g w
3. challenge = Hpok (X, A) mod q
4. response = w + x × challenge mod q
where Hpok is computed as follows:
Hpok (X, A) = SHA256(pok|X|A)
where pok and the vertical bars are verbatim and numbers are written in base 10. The result is
interpreted as a 256-bit big-endian number. The proof is verified as follows:
3
1. compute A = g response /y challenge
2. check that challenge = Hpok (public_key, A) mod q
4.5
Credentials
A secret credential c is a 15-character string, where characters are taken from the set:
123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz
The first 14 characters are random, and the last one is a checksum to detect typing errors. To
compute the checksum, each character is interpreted as a base 58 digit: 1 is 0, 2 is 1, . . . , z is
57. The first 14 characters are interpreted as a big-endian number c1 The checksum is 53 − c1
mod 53.
From this string, a secret exponent s = secret(c) is derived by using PBKDF2 (RFC 2898)
with:
• c as password;
• HMAC-SHA256 (RFC 2104, FIPS PUB 180-2) as pseudorandom function;
• the uuid (interpreted as a 16-byte array) of the election as salt;
• 1000 iterations
and an output size of 1 block, which is interpreted as a big-endian 256-bit number and then
reduced modulo q to form s. From this secret exponent, a public key public(c) = g s is computed.
4.6
Election
wrapped_pk =

g :


p

 q
y
:
:
:
G
N
N
G





The election public key, which is denoted by y thoughout this document, is computed by multiplying all the public keys of the trustees, and bundled with the group parameters in a wrapped_pk
structure.

answers


min
question =
max


question
:
:
:
:

string∗ 

I
I
string
election =

description




name










public_key
questions
uuid
short_name
:
:
:
:
:
:
string
string
wrapped_pk
question∗
uuid
string













During an election, the following data needs to be public in order to verify the setup phase
and to validate ballots:
• the election structure described above;
• all the trustee_public_keys that were generated during the setup phase;
• the set L of public credentials.
4
4.7
Disjunctive proofs
dproof = proof∗
Given a pair (α, β) of group elements, one can prove that it has the form (g r , y r g Mi ) with
Mi ∈ [M0 , . . . , Mk ] by creating a sequence of proofs π0 , . . . , πk with the following procedure,
parameterised by a group element S:
1. for j 6= i:
(a) create πj with a random challenge and a random response
(b) compute
Aj =
g response
αchallenge
and Bj =
y response
(β/g Mj )challenge
2. πi is created as follows:
(a) pick a random w ∈ Zq
(b) compute Ai = g w and Bi = y w
(c) challenge(πi ) = Hdprove (S, α, β, A0 , B0 , . . . , Ak , Bk ) −
P
j6=i
challenge(πj ) mod q
(d) response(πi ) = w + r × challenge(πi ) mod q
In the above, Hdprove is computed as follows:
Hdprove (S, α, β, A0 , B0 , . . . , Ak , Bk ) = SHA256(prove|S|α,β|A0 ,B0 , . . . ,Ak ,Bk )
where prove, the vertical bars and the commas are verbatim and numbers are written in base 10.
The result is interpreted as a 256-bit big-endian number. We will denote the whole procedure by
dprove(S, r, i, M0 , . . . , Mk ).
The proof is verified as follows:
1. for j ∈ [0 . . . k], compute
Aj =
g response
αchallenge
and Bj =
y response
(β/g Mj )challenge
2. check that
Hdprove (S, α, β, A0 , B0 , . . . , Ak , Bk ) =
X
challenge(πj )
mod q
j∈[0...k]
4.8
Encrypted answers
(
answer =
choices
individual_proofs
overall_proof
:
:
:
ciphertext∗
dproof∗
dproof
)
An answer to a question is the vector of encrypted weights (choices, same length as answers)
given to each answer. Each weight comes with a disjunctive proof (in individual_proofs, same length
as choices) that it is indeed 0 or 1. The whole answer also comes with a proof (overall_proof) that
the sum of weights is within bounds [min . . . max].
More concretely, each weight m ∈ [0 . . . 1] is encrypted into a ciphertext as follows:
1. pick a random r ∈ Zq
2. alpha = g r
5
3. beta = y r g m
where y is the election public key.
To compute the proofs, the voter needs a credential c. Let s = secret(c), and S = g s written in
base 10. The individual proof that m ∈ [0 . . . 1] is computed by running dprove(S, r, m, 0, 1). The
overall proof that M ∈ [min . . . max] is computed by running dprove(S, R, M − min, min, . . . , max)
where R is the sum of the r used in ciphertexts, and M the sum of the m.
4.9
Signatures
(
signature =
public_key
challenge
response
:
:
:
public_key
Z
Z
)
q
q
Each ballot contains a digital signature to avoid ballot stuffing. The signature needs a credential
c and uses all the ciphertexts γ1 , . . . , γl that appear in the ballot (l is the sum of the lengths of
choices). It is computed as follows:
1. compute s = secret(c)
2. pick a random w ∈ Zq
3. compute A = g w
4. public_key = g s
5. challenge = Hsignature (public_key, A, γ1 , . . . , γl ) mod q
6. response = w − s × challenge mod q
In the above, Hsignature is computed as follows:
Hsignature (S, A, γ1 , . . . , γl ) = SHA256(sig|S|A|alpha(γ1 ),beta(γ1 ), . . . ,alpha(γl ),beta(γl ))
where sig, the vertical bars and commas are verbatim and numbers are written in base 10. The
result is interpreted as a 256-bit big-endian number.
Signatures are verified as follows:
1. compute A = g response × y challenge
2. check that challenge = Hsignature (public_key, A, γ1 , . . . , γl ) mod q
4.10
Ballots



answers
election_hash
ballot =

 election_uuid
signature
:
:
:
:
answer∗


string
uuid


signature

The so-called hash (or fingerprint) of the election is computed with the function HJSON :
HJSON (J) = BASE64(SHA256(J))
Where J is the serialization (done by the server) of the election structure.
The same hashing function is used on a serialization (done by the voting client) of the ballot
structure to produce a so-called smart ballot tracker.
6
4.11
Tally
encrypted_tally = ciphertext∗∗
The encrypted tally is the pointwise product of the ciphertexts of all accepted ballots:
Q
alpha(encrypted_tallyi,j ) = Q alpha(choices(answers(ballot)i )j )
beta(encrypted_tallyi,j ) =
beta(choices(answers(ballot)i )j )
partial_decryption =
decryption_factors
decryption_proofs
:
:
G
∗∗
proof∗∗
From the encrypted tally, each trustee computes a partial decryption using the private key x (and
the corresponding public key X = g x ) he generated during election setup. It consists of so-called
decryption factors:
decryption_factorsi,j = alpha(encrypted_tallyi,j )x
and proofs that they were correctly computed. Each decryption_proofsi,j is computed as follows:
1. pick a random w ∈ Zq
2. compute A = g w and B = alpha(encrypted_tallyi,j )w
3. challenge = Hdecrypt (X, A, B) mod q
4. response = w + x × challenge mod q
In the above, Hdecrypt is computed as follows:
Hdecrypt (X, A, B) = SHA256(decrypt|X|A,B)
where decrypt, the vertical bars and the comma are verbatim and numbers are written in base
10. The result is interpreted as a 256-bit big-endian number.
These proofs are verified using the trustee_public_key structure k that the trustee sent to
the administrator during the election setup:
1. compute
A=
g response
public_key(k)challenge
and B =
alpha(encrypted_tallyi,j )response
decryption_factorschallenge
i,j
2. check that Hdecrypt (public_key(k), A, B) = challenge mod q
4.12
Election result



num_tallied
encrypted_tally
result =

 partial_decryptions
result
:
:
:
:
I



encrypted_tally
partial_decryption∗ 

I
∗∗
The decryption factors are combined for each ciphertext to build synthetic ones:
Y
Fi,j =
partial_decryptionsz,i,j
z∈[1...m]
where m is the number of trustees. The result field of the result structure is then computed as
follows:
beta(encrypted_tallyi,j )
resulti,j = logg
Fi,j
Here, the discrete logarithm can be easily computed because it is bounded by num_tallied.
After the election, the following data needs to be public in order to verify the tally:
7
• the election structure;
• all the trustee_public_keys that were generated during the setup phase;
• the set of public credentials;
• the set of ballots;
• the result structure described above.
5
Default group parameters
p
g
q
=
16328632084933010
002384055033805457329601614771185955389739167309086214800406
465799038583634953752941675645562182498120750264980492381375
579367675648771293800310370964745767014243638518442553823973
482995267304044326777047662957480269391322789378384619428596
446446984694306187644767462460965622580087564339212631775817
895958409016676398975671266179637898557687317076177218843233
150695157881061257053019133078545928983562221396313169622475
509818442661047018436264806901023966236718367204710755935899
013750306107738002364137917426595737403871114187750804346564
731250609196846638183903982387884578266136503697493474682071
=
14887492224963187
634282421537186040801304008017743492304481737382571933937568
724473847106029915040150784031882206090286938661464458896494
215273989547889201144857352611058572236578734319505128042602
372864570426550855201448111746579871811249114781674309062693
442442368697449970648232621880001709535143047913661432883287
150003429802392229361583608686643243349727791976247247948618
930423866180410558458272606627111270040091203073580238905303
994472202930783207472394578498507764703191288249547659899997
131166130259700604433891232298182348403175947450284433411265
966789131024573629546048637848902243503970966798589660808533
=
61329566248342901
292543872769978950870633559608669337131139375508370458778917
8