ElGamal-like encryption. Its security relies on the Discrete Logarithm problem.

Because (groupGen ^encNonce ^secKey == groupGen ^secKey ^encNonce), knowing secKey, one can divide encryption_vault by (encryption_nonce ^secKey) to decipher (groupGen ^clear), then the clear text must be small to be decryptable, because it is encrypted as a power of groupGen (hence the "-like" in "ElGamal-like") to enable the additive homomorphism.

NOTE: Since (encryption_vault * encryption_nonce == encryption_nonce ^ (secKey + clear)), then: (logBase encryption_nonce (encryption_vault * encryption_nonce) == secKey + clear).

(encrypt pubKey clear) returns an ElGamal-like Encryption.

WARNING: the secret encryption nonce (encNonce) is returned alongside the Encryption in order to prove the validity of the encrypted clear text in proveEncryption, but this secret encNonce MUST be forgotten after that, as it may be used to decipher the Encryption without the SecretKey associated with pubKey.

Non-Interactive Zero-Knowledge Proof of knowledge of a discrete logarithm: (secret == logBase base (base^secret)).

Zero-knowledge proof.

A protocol is zero-knowledge if the verifier learns nothing from the protocol except that the prover knows the secret.

DOC: Mihir Bellare and Phillip Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM-CCS’93, 1993.

(prove sec commitmentBases oracle) returns a Proof that sec is known (by proving the knowledge of its discrete logarithm).

The Oracle is given Commitments equal to the commitmentBases raised to the power of the secret nonce of the Proof, as those are the Commitments that the verifier will obtain when composing the proof_challenge and proof_response together (with commit).

WARNING: for prove to be a so-called strong Fiat-Shamir transformation (not a weak): the statement must be included in the hash (along with the commitments).

NOTE: a random nonce is used to ensure each prove does not reveal any information regarding the secret sec, because two Proofs using the same Commitment can be used to deduce sec (using the special-soundness).

Like prove but quicker. It chould replace prove entirely when Helios-C specifications will be fixed.

(fakeProof) returns a Proof whose proof_challenge and proof_response are uniformly chosen at random, instead of (proof_challenge == hash statement commitments) and (proof_response == nonce + sec * proof_challenge) as a Proof returned by prove.

Used in proveEncryption to fill the returned DisjProof with fake Proofs for all Disjunctions but the encrypted one.

A commitment from the prover to the verifier. It's a power of groupGen chosen randomly by the prover when making a Proof with prove.

(commit proof base basePowSec) returns a Commitment from the given Proof with the knowledge of the verifier.

Like commit but quicker. It chould replace commit entirely when Helios-C specifications will be fixed.

A Disjunction is an inversed (groupGen ^opinion) it's used in proveEncryption to generate a Proof that an encryption_vault contains a given (groupGen ^opinion),

Index of a Disjunction within a list of them. It is encrypted as a GroupExponent by encrypt.

A list of Proofs to prove that the Opinion within an Encryption is indexing a Disjunction within a list of them, without revealing which Opinion it is.

(proveEncryption elecPubKey voterZKP (prevDisjs,nextDisjs) (encNonce,enc)) returns a DisjProof that enc encrypts the Disjunction d between prevDisjs and nextDisjs.

The prover proves that it knows an encNonce, such that: (enc == Encryption{encryption_nonce=groupGen ^encNonce, encryption_vault=elecPubKey^encNonce * groupGen^d})

A NIZK Disjunctive Chaum Pedersen Logarithm Equality is used.

DOC: Pierrick Gaudry. Some ZK security proofs for Belenios, 2017.

(encryptionCommitments elecPubKey enc disj proof) returns the Commitments with only the knowledge of the verifier.

For the prover the Proof comes from fakeProof, and for the verifier the Proof comes from the prover.

Error raised by verifyEncryption.

(encryptAnswer elecPubKey zkp quest opinions) returns an Answer validable by verifyAnswer, unless an ErrorAnswer is returned.

Error raised by encryptAnswer.

(reifyCrypto crypto k) is like (reify crypto k) but gives to (k) more constraints than just (Reifies c crypto), which is used when defining classes on (crypto) where (c) (the type variable guarantying the same cryptographic parameters are used throughout) is not yet in scope and thus where one cannot add those constraints requiring to have (c) in scope. See for instance the QuickcheckElection class, in the tests.

For convenience, the ReifyCrypto class also implies the pervasive constraint Group.

List the Constraints on the element of the field when the (crypto) has not been instantiated to a specific type yet. It concerns only Constraints whose method act on (a), not (x c) (eg. Group).

(encryptBallot c (Just ballotSecKey) opinionsByQuest) returns a Ballot signed by secKey (the voter's secret key) where opinionsByQuest is a list of Opinions on each question_choices of each election_questions.

Schnorr-like signature.

Used by each voter to sign his/her encrypted Ballot using his/her Credential, in order to avoid ballot stuffing.

(signatureStatement answers) returns the encrypted material to be signed: all the encryption_nonces and encryption_vaults of the given answers.

(signatureCommitments voterZKP commitment)

Error raised by encryptBallot.

Version of the Helios-C protocol.