(hash bs gs) returns as a number in E the SHA256 hash of the given ByteString bs prefixing the decimal representation of given subgroup elements gs, with a comma (",") intercalated between them.

NOTE: to avoid any collision when the hash function is used in different contexts, a message gs is actually prefixed by a bs indicating the context.

Used by proveEncryption and verifyEncryption, where the bs usually contains the statement to be proven, and the gs contains the commitments.

(decodeBigEndian bs) interpret bs as big-endian number.

(base64SHA256 bs) returns the SHA256 hash of the given ByteString bs, as a Text escaped in base64 encoding (RFC 4648).

(hexSHA256 bs) returns the SHA256 hash of the given ByteString bs, escaped in hexadecimal into a Text of 32 lowercase characters.

Used (in retro-dependencies of this library) to hash the PublicKey of a voter or a trustee.

(randomR i) returns a random integer in [0..i-1].

(random) returns a random integer in the range determined by its type.

ElGamal-like encryption. Its security relies on the Discrete Logarithm problem.

Because (groupGen ^encNonce ^secKey == groupGen ^secKey ^encNonce), knowing secKey, one can divide encryption_vault by (encryption_nonce ^secKey) to decipher (groupGen ^clear), then the clear text must be small to be decryptable, because it is encrypted as a power of groupGen (hence the "-like" in "ElGamal-like") to enable the additive homomorphism.

NOTE: Since (encryption_vault * encryption_nonce == encryption_nonce ^ (secKey + clear)), then: (logBase encryption_nonce (encryption_vault * encryption_nonce) == secKey + clear).

(encrypt pubKey clear) returns an ElGamal-like Encryption.

WARNING: the secret encryption nonce (encNonce) is returned alongside the Encryption in order to prove the validity of the encrypted clear text in proveEncryption, but this secret encNonce MUST be forgotten after that, as it may be used to decipher the Encryption without the SecretKey associated with pubKey.

Non-Interactive Zero-Knowledge Proof of knowledge of a discrete logarithm: (secret == logBase base (base^secret)).

Zero-knowledge proof.

A protocol is zero-knowledge if the verifier learns nothing from the protocol except that the prover knows the secret.

DOC: Mihir Bellare and Phillip Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM-CCS’93, 1993.

(prove sec commitmentBases oracle) returns a Proof that sec is known (by proving the knowledge of its discrete logarithm).

The Oracle is given Commitments equal to the commitmentBases raised to the power of the secret nonce of the Proof, as those are the Commitments that the verifier will obtain when composing the proof_challenge and proof_response together (with commit).

WARNING: for prove to be a so-called strong Fiat-Shamir transformation (not a weak): the statement must be included in the hash (along with the commitments).

NOTE: a random nonce is used to ensure each prove does not reveal any information regarding the secret sec, because two Proofs using the same Commitment can be used to deduce sec (using the special-soundness).

Like prove but quicker. It chould replace prove entirely when Helios-C specifications will be fixed.

(fakeProof) returns a Proof whose proof_challenge and proof_response are uniformly chosen at random, instead of (proof_challenge == hash statement commitments) and (proof_response == nonce + sec * proof_challenge) as a Proof returned by prove.

Used in proveEncryption to fill the returned DisjProof with fake Proofs for all Disjunctions but the encrypted one.

A commitment from the prover to the verifier. It's a power of groupGen chosen randomly by the prover when making a Proof with prove.

(commit proof base basePowSec) returns a Commitment from the given Proof with the knowledge of the verifier.

Like commit but quicker. It chould replace commit entirely when Helios-C specifications will be fixed.

A Disjunction is an inversed (groupGen ^opinion) it's used in proveEncryption to generate a Proof that an encryption_vault contains a given (groupGen ^opinion),

A list of Proofs to prove that the opinion within an Encryption is indexing a Disjunction within a list of them, without revealing which opinion it is.

(proveEncryption elecPubKey voterZKP (prevDisjs,nextDisjs) (encNonce,enc)) returns a DisjProof that enc encrypts the Disjunction d between prevDisjs and nextDisjs.

The prover proves that it knows an encNonce, such that: (enc == Encryption{encryption_nonce=groupGen ^encNonce, encryption_vault=elecPubKey^encNonce * groupGen^d})

A NIZK Disjunctive Chaum Pedersen Logarithm Equality is used.

DOC: Pierrick Gaudry. Some ZK security proofs for Belenios, 2017.

(encryptionCommitments elecPubKey enc disj proof) returns the Commitments with only the knowledge of the verifier.

For the prover the Proof comes from fakeProof, and for the verifier the Proof comes from the prover.

Error raised by verifyEncryption.

Schnorr-like signature.

Used by each voter to sign his/her encrypted Ballot using his/her Credential, in order to avoid ballot stuffing.