ElGamal-like encryption. Its security relies on the Discrete Logarithm problem.

Because (groupGen ^encNonce ^secKey == groupGen ^secKey ^encNonce), knowing secKey, one can divide encryption_vault by (encryption_nonce ^secKey) to decipher (groupGen ^clear), then the clear text must be small to be decryptable, because it is encrypted as a power of groupGen (hence the "-like" in "ElGamal-like") to enable the additive homomorphism.

NOTE: Since (encryption_vault * encryption_nonce == encryption_nonce ^ (secKey + clear)), then: (logBase encryption_nonce (encryption_vault * encryption_nonce) == secKey + clear).

(encrypt pubKey clear) returns an ElGamal-like Encryption.

WARNING: the secret encryption nonce (encNonce) is returned alongside the Encryption in order to prove the validity of the encrypted clear text in proveEncryption, but this secret encNonce MUST be forgotten after that, as it may be used to decipher the Encryption without the secret key associated with pubKey.

Proof of knowledge of a discrete logarithm: (secret == logBase base (base^secret)).

Zero-knowledge proof

DOC: Mihir Bellare and Phillip Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM-CCS’93, 1993.

DOC: Pierrick Gaudry. Some ZK security proofs for Belenios, 2017.

(prove sec commitBases oracle) returns a Proof that sec is known.

The Oracle is given the commitBases raised to the power of the secret nonce of the Proof, as those are the commitBases that the verifier will obtain when composing the proof_challenge and proof_response together (in commit).

NOTE: sec is secKey in signature_proof or encNonce in proveEncryption.

WARNING: for prove to be a so-called strong Fiat-Shamir transformation (not a weak): the statement must be included in the hash (not only the commitments).

NOTE: a random nonce is used to ensure each prove does not reveal any information regarding the secret sec.

(commit proof base basePowSec) returns a Commitment from the given Proof with the knowledge of the verifier.

A Disjunction is an inversed (groupGen ^opinion) it's used in proveEncryption to generate a Proof that an encryption_vault contains a given (groupGen ^opinion),

Index of a Disjunction within a list of them. It is encrypted as an Exponent by encrypt.

A list of Proofs to prove that the Opinion within an Encryption is indexing a Disjunction within a list of them, without revealing which Opinion it is.

(proveEncryption elecPubKey voterZKP (prevDisjs,nextDisjs) (encNonce,enc)) returns a DisjProof that enc encrypts the Disjunctions between prevDisjs and nextDisjs.

A NIZK Disjunctive Chaum Pedersen Logarithm Equality is used.

(encryptionCommitments elecPubKey enc (disj,proof)) returns the Commitments with only the knowledge of the verifier.

The Proof comes from prove of fakeProof in proveEncryption.

Error raised by verifyEncryption.

(encryptAnswer elecPubKey zkp quest opinions) returns an Answer validable by verifyAnswer, unless an ErrorAnswer is returned.

Error raised by encryptAnswer.

(encryptBallot elec (Just secKey) opinionsByQuest) returns a Ballot signed by secKey (the voter's secret key) where opinionsByQuest is a list of Opinions on each question_choices of each election_questions.

Schnorr-like signature.

Used by each voter to sign his/her encrypted Ballot using his/her Credential, in order to avoid ballot stuffing.

(signatureStatement answers) returns the encrypted material to be signed: all the encryption_nonces and encryption_vaults of the given answers.

(signatureCommitments voterZKP commitment)

Error raised by encryptBallot.

A decryption share. It is computed by a trustee from his/her private key share and the encrypted tally, and contains a cryptographic Proof that he/she didn't cheat.

(checkDecryptionShare encTally pubKey decShare) checks that decShare (supposedly submitted by a trustee whose public key is pubKey) is valid with respect to the encrypted tally encTally.