Safe Haskell | None |
---|---|
Language | Haskell2010 |
Synopsis
- data Encryption q = Encryption {
- encryption_nonce :: G q
- encryption_vault :: G q
- type EncryptionNonce = E
- encrypt :: Monad m => RandomGen r => SubGroup q => PublicKey q -> E q -> StateT r m (EncryptionNonce q, Encryption q)
- data Proof q = Proof {
- proof_challenge :: Challenge q
- proof_response :: E q
- newtype ZKP = ZKP ByteString
- type Challenge = E
- type Oracle list q = list (Commitment q) -> Challenge q
- prove :: Monad m => RandomGen r => SubGroup q => Functor list => E q -> list (Commitment q) -> Oracle list q -> StateT r m (Proof q)
- type Commitment = G
- commit :: SubGroup q => Proof q -> G q -> G q -> Commitment q
- type Disjunction = G
- booleanDisjunctions :: SubGroup q => [Disjunction q]
- intervalDisjunctions :: SubGroup q => Opinion q -> Opinion q -> [Disjunction q]
- type Opinion = E
- newtype DisjProof q = DisjProof [Proof q]
- proveEncryption :: forall m r q. Monad m => RandomGen r => SubGroup q => PublicKey q -> ZKP -> ([Disjunction q], [Disjunction q]) -> (EncryptionNonce q, Encryption q) -> StateT r m (DisjProof q)
- verifyEncryption :: Monad m => SubGroup q => PublicKey q -> ZKP -> [Disjunction q] -> (Encryption q, DisjProof q) -> ExceptT ErrorValidateEncryption m Bool
- encryptionStatement :: SubGroup q => ZKP -> Encryption q -> ByteString
- encryptionCommitments :: SubGroup q => PublicKey q -> Encryption q -> (Disjunction q, Proof q) -> [G q]
- data ErrorValidateEncryption = ErrorValidateEncryption_InvalidProofLength Natural Natural
- data Question q = Question {
- question_text :: Text
- question_choices :: [Text]
- question_mini :: Opinion q
- question_maxi :: Opinion q
- data Answer q = Answer {
- answer_opinions :: [(Encryption q, DisjProof q)]
- answer_sumProof :: DisjProof q
- encryptAnswer :: Monad m => RandomGen r => SubGroup q => PublicKey q -> ZKP -> Question q -> [Bool] -> StateT r (ExceptT ErrorAnswer m) (Answer q)
- verifyAnswer :: SubGroup q => PublicKey q -> ZKP -> Question q -> Answer q -> Bool
- data ErrorAnswer
- data Election q = Election {}
- newtype Hash = Hash Text
- data Ballot q = Ballot {
- ballot_answers :: [Answer q]
- ballot_signature :: Maybe (Signature q)
- ballot_election_uuid :: UUID
- ballot_election_hash :: Hash
- encryptBallot :: Monad m => RandomGen r => SubGroup q => Election q -> Maybe (SecretKey q) -> [[Bool]] -> StateT r (ExceptT ErrorBallot m) (Ballot q)
- verifyBallot :: SubGroup q => Election q -> Ballot q -> Bool
- data Signature q = Signature {
- signature_publicKey :: PublicKey q
- signature_proof :: Proof q
- signatureStatement :: Foldable f => SubGroup q => f (Answer q) -> [G q]
- signatureCommitments :: SubGroup q => ZKP -> Commitment q -> ByteString
- data ErrorBallot
- data DecryptionShare q = DecryptionShare {
- decryptionShare_factors :: [[DecryptionFactor q]]
- decryptionShare_proofs :: [[Proof q]]
- computeDecryptionShare :: Monad m => SubGroup q => RandomGen r => SecretKey q -> [[Encryption q]] -> StateT r m (DecryptionShare q)
- decryptionFactor :: Monad m => SubGroup q => RandomGen r => SecretKey q -> Encryption q -> StateT r m (DecryptionFactor q, Proof q)
- decryptionStatement :: SubGroup q => PublicKey q -> ByteString
- type DecryptionFactor = G
- data ErrorDecryptionShare = ErrorDecryptionShare_Invalid
- checkDecryptionShare :: Monad m => SubGroup q => RandomGen r => [[Encryption q]] -> PublicKey q -> DecryptionShare q -> ExceptT ErrorDecryptionShare m Bool
Type Encryption
data Encryption q Source #
ElGamal-like encryption. Its security relies on the Discrete Logarithm problem.
Because (groupGen ^ encNonce ^ secKey == groupGen ^ secKey ^ encNonce),
knowing secKey, one can divide encryption_vault by (encryption_nonce ^ secKey)
to decipher (groupGen ^ clear). The clear text must then be small to be decryptable,
because it is encrypted as a power of groupGen (hence the "-like" in "ElGamal-like")
to enable the additive homomorphism: recovering clear from (groupGen ^ clear)
is itself a discrete-logarithm search over the possible values of clear.
NOTE: Since (encryption_vault * encryption_nonce == encryption_nonce ^ (secKey + clear)),
then: (logBase encryption_nonce (encryption_vault * encryption_nonce) == secKey + clear).
Instances
Eq (Encryption q) Source # | |
Defined in Protocol.Election (==) :: Encryption q -> Encryption q -> Bool # (/=) :: Encryption q -> Encryption q -> Bool # | |
Show (Encryption q) Source # | |
Defined in Protocol.Election showsPrec :: Int -> Encryption q -> ShowS # show :: Encryption q -> String # showList :: [Encryption q] -> ShowS # | |
SubGroup q => Additive (Encryption q) Source # | Additive homomorphism.
Using the fact that: (groupGen ^ x * groupGen ^ y == groupGen ^ (x + y)). |
Defined in Protocol.Election zero :: Encryption q Source # (+) :: Encryption q -> Encryption q -> Encryption q Source # sum :: Foldable f => f (Encryption q) -> Encryption q Source # |
Type EncryptionNonce
type EncryptionNonce = E Source #
encrypt :: Monad m => RandomGen r => SubGroup q => PublicKey q -> E q -> StateT r m (EncryptionNonce q, Encryption q) Source #
(encrypt pubKey clear) returns an ElGamal-like Encryption.
WARNING: the secret encryption nonce (encNonce) is returned alongside the Encryption
in order to prove the validity of the encrypted clear text in proveEncryption,
but this secret encNonce MUST be forgotten after that (not stored, logged or transmitted),
as it may be used to decipher the Encryption without the secret key associated with pubKey.
Type Proof
Proof of knowledge of a discrete logarithm:
(secret == logBase base (base^secret)).
Proof | |
|
Type ZKP
Zero-knowledge proof
DOC: Mihir Bellare and Phillip Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM-CCS’93, 1993.
DOC: Pierrick Gaudry. Some ZK security proofs for Belenios, 2017.
Type Challenge
Type Oracle
type Oracle list q = list (Commitment q) -> Challenge q Source #
prove :: Monad m => RandomGen r => SubGroup q => Functor list => E q -> list (Commitment q) -> Oracle list q -> StateT r m (Proof q) Source #
(prove sec commitBases oracle) returns a Proof that sec is known.
The Oracle is given the commitBases raised to the power of the secret nonce of the Proof,
as those are the commitBases that the verifier will obtain
when composing the proof_challenge and proof_response together (in commit).
NOTE: sec is secKey in signature_proof or encNonce in proveEncryption.
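WARNING: for prove to be a so-called strong Fiat-Shamir transformation (not a weak one),
the statement must be included in the hash (not only the commitments).
Since the Oracle is only handed the commitments, the statement has to be bound
into the oracle function that the caller passes in.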
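NOTE: a random nonce is used to ensure each prove does not reveal any information
regarding the secret sec. This relies on the generator r supplied by the caller
being unpredictable, and on a nonce never being reused across proofs for the same sec.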
Type Commitment
type Commitment = G Source #
commit :: SubGroup q => Proof q -> G q -> G q -> Commitment q Source #
(commit proof base basePowSec) returns a Commitment from the given Proof
with the knowledge of the verifier.
Type Disjunction
type Disjunction = G Source #
A Disjunction is an inversed (groupGen ^ opinion);
it is used in proveEncryption to generate a Proof
that an encryption_vault contains a given (groupGen ^ opinion).
booleanDisjunctions :: SubGroup q => [Disjunction q] Source #
intervalDisjunctions :: SubGroup q => Opinion q -> Opinion q -> [Disjunction q] Source #
Type Opinion
Index of a Disjunction within a list of them.
It is encrypted as an Exponent by encrypt.
Type DisjProof
A list of Proofs to prove that the Opinion within an Encryption
is indexing a Disjunction within a list of them,
without revealing which Opinion it is.
proveEncryption :: forall m r q. Monad m => RandomGen r => SubGroup q => PublicKey q -> ZKP -> ([Disjunction q], [Disjunction q]) -> (EncryptionNonce q, Encryption q) -> StateT r m (DisjProof q) Source #
(proveEncryption elecPubKey voterZKP (prevDisjs,nextDisjs) (encNonce,enc))
returns a DisjProof that enc encrypts the Disjunctions between prevDisjs and nextDisjs.
A NIZK Disjunctive Chaum Pedersen Logarithm Equality is used.
verifyEncryption :: Monad m => SubGroup q => PublicKey q -> ZKP -> [Disjunction q] -> (Encryption q, DisjProof q) -> ExceptT ErrorValidateEncryption m Bool Source #
Hashing
encryptionStatement :: SubGroup q => ZKP -> Encryption q -> ByteString Source #
encryptionCommitments :: SubGroup q => PublicKey q -> Encryption q -> (Disjunction q, Proof q) -> [G q] Source #
(encryptionCommitments elecPubKey enc (disj,proof)) returns the Commitments
with only the knowledge of the verifier.
The Proof comes from prove of fakeProof in proveEncryption.
Type ErrorValidateEncryption
data ErrorValidateEncryption Source #
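Error raised by verifyEncryption.
NOTE: the only constructor covers a proof-length mismatch; a proof of the right length
that fails verification is presumably reported through the Bool result instead,
so callers need to check both the error and the returned Bool.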
ErrorValidateEncryption_InvalidProofLength Natural Natural | When the number of proofs is different than
the number of Disjunctions. |
Instances
Eq ErrorValidateEncryption Source # | |
Defined in Protocol.Election | |
Show ErrorValidateEncryption Source # | |
Defined in Protocol.Election showsPrec :: Int -> ErrorValidateEncryption -> ShowS # show :: ErrorValidateEncryption -> String # showList :: [ErrorValidateEncryption] -> ShowS # |
Type Question
Question | |
|
Type Answer
Answer | |
|
encryptAnswer :: Monad m => RandomGen r => SubGroup q => PublicKey q -> ZKP -> Question q -> [Bool] -> StateT r (ExceptT ErrorAnswer m) (Answer q) Source #
(encryptAnswer elecPubKey zkp quest opinions) returns an Answer
validable by verifyAnswer, unless an ErrorAnswer is returned.
Type ErrorAnswer
data ErrorAnswer Source #
Error raised by encryptAnswer.
ErrorAnswer_WrongNumberOfOpinions Natural Natural | When the number of opinions is different than
the number of choices (question_choices). |
ErrorAnswer_WrongSumOfOpinions Natural Natural Natural | When the sum of opinions is not within the bounds
of question_mini and question_maxi. |
Instances
Eq ErrorAnswer Source # | |
Defined in Protocol.Election (==) :: ErrorAnswer -> ErrorAnswer -> Bool # (/=) :: ErrorAnswer -> ErrorAnswer -> Bool # | |
Show ErrorAnswer Source # | |
Defined in Protocol.Election showsPrec :: Int -> ErrorAnswer -> ShowS # show :: ErrorAnswer -> String # showList :: [ErrorAnswer] -> ShowS # |
Type Election
Election | |
|
Type Hash
Type Ballot
Ballot | |
|
encryptBallot :: Monad m => RandomGen r => SubGroup q => Election q -> Maybe (SecretKey q) -> [[Bool]] -> StateT r (ExceptT ErrorBallot m) (Ballot q) Source #
(encryptBallot elec (Just secKey) opinionsByQuest) returns a Ballot
signed by secKey (the voter's secret key)
where opinionsByQuest is a list of Opinions
on each question_choices of each election_questions.
Type Signature
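Schnorr-like signature.
Used by each voter to sign his/her encrypted Ballot using his/her Credential,
in order to avoid ballot stuffing.
NOTE: ballot_signature is a Maybe, so an unsigned Ballot is representable;
whether verifyBallot accepts one is not stated here and should be confirmed
wherever the signature is relied on against ballot stuffing.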
Signature | |
|
Hashing
signatureStatement :: Foldable f => SubGroup q => f (Answer q) -> [G q] Source #
(signatureStatement answers) returns the encrypted material to be signed:
all the encryption_nonces and encryption_vaults of the given answers.
signatureCommitments :: SubGroup q => ZKP -> Commitment q -> ByteString Source #
(signatureCommitments voterZKP commitment)
Type ErrorBallot
data ErrorBallot Source #
Error raised by encryptBallot.
ErrorBallot_WrongNumberOfAnswers Natural Natural | When the number of answers is different than the number of questions. |
ErrorBallot_Answer ErrorAnswer | When encryptAnswer raised an ErrorAnswer. |
Instances
Eq ErrorBallot Source # | |
Defined in Protocol.Election (==) :: ErrorBallot -> ErrorBallot -> Bool # (/=) :: ErrorBallot -> ErrorBallot -> Bool # | |
Show ErrorBallot Source # | |
Defined in Protocol.Election showsPrec :: Int -> ErrorBallot -> ShowS # show :: ErrorBallot -> String # showList :: [ErrorBallot] -> ShowS # |
Type DecryptionShare
data DecryptionShare q Source #
A decryption share. It is computed by a trustee from his/her
private key share and the encrypted tally,
and contains a cryptographic Proof that he/she didn't cheat.
DecryptionShare | |
|
computeDecryptionShare :: Monad m => SubGroup q => RandomGen r => SecretKey q -> [[Encryption q]] -> StateT r m (DecryptionShare q) Source #
decryptionFactor :: Monad m => SubGroup q => RandomGen r => SecretKey q -> Encryption q -> StateT r m (DecryptionFactor q, Proof q) Source #
decryptionStatement :: SubGroup q => PublicKey q -> ByteString Source #
Type DecryptionFactor
type DecryptionFactor = G Source #
Type ErrorDecryptionShare
checkDecryptionShare :: Monad m => SubGroup q => RandomGen r => [[Encryption q]] -> PublicKey q -> DecryptionShare q -> ExceptT ErrorDecryptionShare m Bool Source #
(checkDecryptionShare encTally pubKey decShare) checks that decShare
(supposedly submitted by a trustee whose public key is pubKey)
is valid with respect to the encrypted tally encTally.