ElGamal-like encryption. Its security relies on the Discrete Logarithm problem.

Because (groupGen ^encNonce ^secKey == groupGen ^secKey ^encNonce), knowing secKey, one can divide encryption_vault by (encryption_nonce ^secKey) to decipher (groupGen ^clear), then clear must be small to be decryptable, because it is encrypted as a power of groupGen to enable the additive homomorphism.

(encrypt pubKey clear) returns an ElGamal-like Encryption.

WARNING: the secret encryption nonce (encNonce) is returned alongside the Encryption in order to prove the validity of the encrypted clear in prove, but this secret encNonce MUST be forgotten after that, as it may be used to decipher the Encryption without the secret key associated with pubKey.

Proof of knowledge of a discrete logarithm: secret == logBase base (base^secret).

NOTE: Since (pubKey == groupGen ^secKey), then: (logBase encryption_nonce (encryption_vault * encryption_nonce) == secKey + clear).

(prove sec commitments oracle) returns a Proof that sec is known.

The Oracle is given the commitments raised to the power of the secret nonce of the Proof, as those are the commitments that the verifier will obtain when composing the proof_challenge and proof_response together (in encryptionCommitments).

NOTE: sec is secKey in signature_proof or encNonce in proveEncryption.

NOTE: The commitments are [groupGen] in signature_proof or [groupGen, pubKey] in proveEncryption.

WARNING: for prove to be a so-called strong Fiat-Shamir transformation (not a weak): the statement must be included in the hash (not only the commitments).

NOTE: a random nonce is used to ensure each prove does not reveal any information regarding the secret sec.

(commit proof x y) returns a Commitment from the given Proof with the knowledge of the verifier.

NOTE: Contrary to Helios-C specifications, (*) is used instead of (/) to avoid the performance cost of a modular exponentiation (^ (groupOrder - one)), this is compensated by using (-) instead of (+) in prove.

Index of a Disjunction within a list of them. It is encrypted as an Exponent by encrypt.

A Disjunction is an inversed (groupGen ^opinion) it's used in proveEncryption to generate a Proof that an encryption_vault contains a given (groupGen ^opinion),

A list of Proofs to prove that the Opinion within an Encryption is indexing a Disjunction within a list of them, without knowing which Opinion it is.

(proveEncryption pubKey zkp disjs opin (encNonce, enc)) returns a DisjProof that enc encrypts one of the Disjunctions within disjs, without revealing which one it is.

A NIZK Disjunctive Chaum Pedersen Logarithm Equality is used.

(encryptionCommitments pubKey enc (disj,proof)) returns the Commitments with only the knowledge of the verifier.

The Proof comes from prove of fakeProof in proveEncryption.

Zero-knowledge proof

Error raised by proveEncryption.

Error raised by verifyEncryption.

Error raised by encryptAnswer.

(encryptAnswer pubKey zkp quest opinions) returns an Answer validable by verifyAnswer, unless an ErrorAnswer is returned.

(encryptBallot elec (Just secKey) opinionsByQuest) returns a Ballot signed by secKey (the voter's secret key) where opinionsByQuest is a list of Opinions on each question_choices of each election_questions.

Schnorr-like signature.

Used to avoid Ballot stuffing.

(signatureStatement answers) returns all the encryption_nonces and encryption_vaults of the given answers.

(signatureCommitments zkp commitment) returns the hashable content from the knowledge of the verifier.

Error raised by encryptBallot.