.gitlab-ci.yml

@@ -64,6 +64,10 @@ build_and_run_automated_test_scenarios_with_preinstalled_image:
     - source venv/bin/activate
     # Install pip packages
     - pip install -r requirements.txt
+    # Run the automated test scenario 4
+    - python3 ./tests/test_scenario_4.py
+    # Run the automated test scenario 3
+    - python3 ./tests/test_scenario_3.py
     # Run the automated test scenario 2
     - python3 ./tests/test_scenario_2.py
     # Run the automated test scenario 1

CHANGES.md

+1.10 (2019-12-09)
+=================
+
+ * Add support for non-homomorphic questions (experimental)
+ * Check group membership of signature verification key more often
+ * Command-line tool:
+   + Assume there is no ballots when ballots.jsons is missing
+ * Web server:
+   + Move setting of maxrequestbodysizeinmemory to configuration
+   + Rework presentation of links that must be sent to third-parties
+   + Bugfixes in the data policy loop:
+     - its first iteration was done with the wrong spool dir
+     - it died when trying to send warning e-mails
+   + Update JSBN
+   + Importing non-threshold trustees replaces current trustees
+
+1.9.1 (2019-10-24)
+==================
+
+ * Specification:
+   + Link to Meadows instead of eprint (easier to read)
+   + Be more verbose about checks to do during the election
+ * Web server:
+   + Avoid error 500 on "accepted ballots" page when no ballots have
+     been cast
+   + Trim usernames and passwords before checking them
+   + Trim and check CAS server addresses
+   + Case-insensitive comparison of usernames
+   + Set a limit on election names to prevent abuse
+   + Protect third-party pages (creds, trustee) from authenticated
+     users
+   + Avoid error 500 when attempting to authenticate several times in
+     a row
+ * Use opam 2.0.5 in bootstrap script
+
 1.9 (2019-05-28)
 ================
 

Makefile

@@ -12,6 +12,7 @@ all:
 check: minimal
 	demo/demo.sh
 	demo/demo-threshold.sh
+	demo/demo-nh.sh
 
 clean:
 	-ocamlbuild -clean

VERSION

-1.9
+1.10

all.itarget

@@ -9,3 +9,4 @@ src/static/tool_js_ttkeygen.js
 src/static/tool_js_credgen.js
 src/static/tool_js_questions.js
 src/static/tool_js_pd.js
+src/static/tool_js_shuffle.js

demo/demo-nh.sh

+#!/bin/bash
+
+set -e
+
+export BELENIOS_USE_URANDOM=1
+
+BELENIOS=${BELENIOS:-$PWD}
+
+belenios-tool () {
+    $BELENIOS/_build/belenios-tool "$@"
+}
+
+header () {
+    echo
+    echo "=-=-= $1 =-=-="
+    echo
+}
+
+header "Setup election"
+
+UUID=`uuidgen`
+echo "UUID of the election is $UUID"
+
+DIR=$BELENIOS/demo/data/$UUID
+mkdir $DIR
+cd $DIR
+
+# Common options
+uuid="--uuid $UUID"
+group="--group $BELENIOS/demo/groups/rfc3526-2048.json"
+
+# Generate credentials
+belenios-tool credgen $uuid $group --count 5
+mv *.pubcreds public_creds.txt
+mv *.privcreds private_creds.txt
+
+# Generate trustee keys
+belenios-tool trustee-keygen $group
+belenios-tool trustee-keygen $group
+belenios-tool trustee-keygen $group
+cat *.pubkey > public_keys.jsons
+
+# Generate election parameters
+belenios-tool mkelection $uuid $group --template $BELENIOS/demo/templates/questions-nh.json
+
+header "Simulate votes"
+
+cat > votes.txt <<EOF
+[[1,0],[1,0,0],[1,2,3]]
+[[1,0],[0,1,0],[6,5,4]]
+[[0,1],[0,0,1],[7,9,8]]
+[[1,0],[1,0,0],[11,10,12]]
+[[0,0],[0,1,0],[15,13,14]]
+EOF
+
+paste private_creds.txt votes.txt | while read id cred vote; do
+    belenios-tool vote --privcred <(echo "$cred") --ballot <(echo "$vote")
+    echo "Voter $id voted" >&2
+    echo >&2
+done > ballots.tmp
+mv ballots.tmp ballots.jsons
+
+header "Perform verification"
+
+belenios-tool verify
+
+header "Simulate and verify update"
+
+tdir="$(mktemp -d)"
+cp election.json public_creds.txt public_keys.jsons "$tdir"
+head -n3 ballots.jsons > "$tdir/ballots.jsons"
+belenios-tool verify-diff --dir1="$tdir" --dir2=.
+rm -rf "$tdir"
+
+header "Shuffle ciphertexts"
+
+belenios-tool shuffle > shuffles.jsons
+echo >&2
+belenios-tool shuffle >> shuffles.jsons
+
+header "Perform decryption"
+
+for u in *.privkey; do
+    belenios-tool decrypt --privkey $u
+    echo >&2
+done > partial_decryptions.tmp
+mv partial_decryptions.tmp partial_decryptions.jsons
+
+header "Finalize tally"
+
+belenios-tool validate
+rm -f shuffles.jsons
+
+header "Perform final verification"
+
+belenios-tool verify
+
+echo
+echo "=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-="
+echo
+echo "The simulated election was successful! Its result can be seen in"
+echo "  $DIR/result.json"
+echo
+echo "=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-="
+echo

demo/groups/rfc3526-2048.json

-{"g":"2","p":"32317006071311007300338913926423828248817941241140239112842009751400741706634354222619689417363569347117901737909704191754605873209195028853758986185622153212175412514901774520270235796078236248884246189477587641105928646099411723245426622522193230540919037680524235519125679715870117001058055877651038861847280257976054903569732561526167081339361799541336476559160368317896729073178384589680639671900977202194168647225871031411336429319536193471636533209717077448227988588565369208645296636077250268955505928362751121174096972998068410554359584866583291642136218231078990999448652468262416972035911852507045361090559","q":"16158503035655503650169456963211914124408970620570119556421004875700370853317177111309844708681784673558950868954852095877302936604597514426879493092811076606087706257450887260135117898039118124442123094738793820552964323049705861622713311261096615270459518840262117759562839857935058500529027938825519430923640128988027451784866280763083540669680899770668238279580184158948364536589192294840319835950488601097084323612935515705668214659768096735818266604858538724113994294282684604322648318038625134477752964181375560587048486499034205277179792433291645821068109115539495499724326234131208486017955926253522680545279"}
+{"g":"2","p":"32317006071311007300338913926423828248817941241140239112842009751400741706634354222619689417363569347117901737909704191754605873209195028853758986185622153212175412514901774520270235796078236248884246189477587641105928646099411723245426622522193230540919037680524235519125679715870117001058055877651038861847280257976054903569732561526167081339361799541336476559160368317896729073178384589680639671900977202194168647225871031411336429319536193471636533209717077448227988588565369208645296636077250268955505928362751121174096972998068410554359584866583291642136218231078990999448652468262416972035911852507045361090559","q":"16158503035655503650169456963211914124408970620570119556421004875700370853317177111309844708681784673558950868954852095877302936604597514426879493092811076606087706257450887260135117898039118124442123094738793820552964323049705861622713311261096615270459518840262117759562839857935058500529027938825519430923640128988027451784866280763083540669680899770668238279580184158948364536589192294840319835950488601097084323612935515705668214659768096735818266604858538724113994294282684604322648318038625134477752964181375560587048486499034205277179792433291645821068109115539495499724326234131208486017955926253522680545279","embedding":{"padding":8,"bits_per_int":8}}

demo/ocsigenserver.conf.in

@@ -9,7 +9,7 @@
     <datadir>_RUNDIR_/lib</datadir>
 
     <uploaddir>_RUNDIR_/upload</uploaddir>
-    <maxuploadfilesize>128kB</maxuploadfilesize>
+    <maxuploadfilesize>1024kB</maxuploadfilesize>
 
     <commandpipe>_TMPDIR_/run/ocsigenserver_command</commandpipe>
 
@@ -41,6 +41,7 @@
         <eliom findlib-package="eliom.server.monitor.start"/>
       </site>
       <eliom module="_build/src/web/server.cma">
+        <maxrequestbodysizeinmemory value="1048576"/>
         <maxmailsatonce value="1000"/>
         <uuid length="14"/>
         <gdpr uri="http://www.example.org/privacy_policy.html"/>
@@ -52,6 +53,7 @@
         <!-- <auth name="google"><oidc server="https://accounts.google.com" client_id="client-id" client_secret="client-secret"/></auth> -->
         <source file="../belenios.tar.gz"/>
         <default-group file="demo/groups/default.json"/>
+        <nh-group file="demo/groups/rfc3526-2048.json"/>
         <log file="_RUNDIR_/log/security.log"/>
         <spool dir="_RUNDIR_/spool"/>
         <warning file="demo/warning.html"/>

demo/templates/questions-nh.json

+{"description":"Description of the election.","name":"Name of the election","questions":[{"answers":["Answer 1","Answer 2"],"min":0,"max":1,"question":"Question 1?"},{"answers":["Answer 1","Answer 2"],"blank":true,"min":1,"max":1,"question":"Question 2?"},{"type":"NonHomomorphic","value":{"answers":["Answer 1","Answer 2","Answer 3"],"question":"Question 3?"}}]}

doc/election_test_scenario_2_specification.md

@@ -27,7 +27,7 @@ Verifications all along the process is done using command line tools `belenios-t
     - `belenios-tool verify` does a static verification (it verifies that vote data at current time is coherent)
     - `belenios-tool verify-diff` does a dynamic verification (it verifies that current state of vote data is a possible/legitimate evolution of a vote data snapshot that has been saved during a previous step of the process) 
 
-## Detailed steps of the Test Scenario 1 process
+## Detailed steps of the Test Scenario 2 process
 
 - Starting setup of the election (action of the administrator)
     - Creation of the draft election

doc/election_test_scenario_4_specification.md

+Scenario 4: Vote with vote codes in manual mode and manual trustees, using a threshold for trustees
+=================================
+
+## Introduction and parameters
+
+This scenario is adapted from scenario 2.
+
+Protagonists to emulate: election administrator, credential authority, `T` trustees, `K` electors, an auditor.
+
+Administrator and trustees uses only thier browser. Credential authority uses her browser and sends emails.
+
+Electors use their browser and read emails sent by the server and by the credential authority.
+
+`L` electors re-vote (with `L <= K`)
+
+`M` electors ask administrator to re-generate their password, and vote with their re-generated password (with `M <= K`).
+
+A threshold of `U` trustees are needed (among all `T` trustees, with `U <= T`) to validate the vote.
+
+The auditor makes web requests, has a persistent state, and runs the commandline version of the Belenios tool.
+
+Auditor makes web requests, has a persistent state, and runs the commandline version of the Belenios tool.
+Authentication of administrator and electors are done using a login / password combination.
+
+Examples of parameters sizes: `N` and `K` would be between 6 (quick test) and 1000 (load test)
+
+## Note about verification
+
+Verifications all along the process is done using command line tools `belenios-tool verify` and `belenios-tool verify-diff`:
+
+    - `belenios-tool verify` does a static verification (it verifies that vote data at current time is coherent)
+    - `belenios-tool verify-diff` does a dynamic verification (it verifies that current state of vote data is a possible/legitimate evolution of a vote data snapshot that has been saved during a previous step of the process) 
+
+## Detailed steps of the Test Scenario 4 process
+
+- Starting setup of the election (action of the administrator)
+    - Creation of the draft election
+        - Alice has been given administrator rights on an online voting app called Belenios. She goes to check out its homepage and logs in.
+        - She clicks on the "Prepare a new election" link
+        - She picks the Credential management method: manual
+        - (She keeps default value for Authentication method: it is Password, not CAS)
+        - She clicks on the "Proceed" button (this redirects to the "Preparation of election" page)
+        - In the "Name and description of the election" section, she changes values of fields name and description of the election
+        - She clicks on the "Save changes button" (the one that is next to the election description field)
+        - In the "Contact" section, the changes values of field "Contact:", and clicks on the "Save changes button" of this section
+        - She remembers the URL of the draft election administration page
+    - Edition of election's questions
+        - She clicks on the "Edit questions" link, to write her own questions
+        - She arrives on the Questions page. She checks that the page title is correct
+        - She removes answer 3
+        - She clicks on the "Save changes" button (this redirects to the "Preparation of election" page)
+    - Setting election's voters
+        - She clicks on the "Edit voters" link, to then type the list of voters
+        - She types `N` e-mail addresses (the list of invited voters)
+        - She clicks on the "Add" button to submit changes
+        - She clicks on "Return to draft page" link
+        - In "Authentication" section, she clicks on the "Generate and mail missing passwords" button
+        - She checks that the page contains expected confirmation text, instead of an error
+        - She clicks on the "Proceed" link
+        - In "Credentials" section, she clicks on "Credential management" link
+        - She remembers the link displayed
+        - She sends the remembered link to the credential authority by email
+        - She logs out and closes the browser
+- Credential authority sends credentials to electors
+    - Cecily, the Credential Authority, receives the email sent by Alice, and opens the link in it
+    - She remembers what the link to the election will be, so that she will be able to send it to voters by email with their private credential
+    - She clicks on the "Generate" button
+    - She clicks on the "private credentials" and "public credentials" links and downloads these files. (Files are by default downloaded using filenames `creds.txt` and `public_creds.txt` respectively)
+    - She clicks on the "Submit public credentials" button
+    - She checks that redirected page shows correct confirmation sentence
+    - She closes the window
+    - She reads the private credentials file (`creds.txt`) and sends credential emails to voters
+- Continuing setup of the election: Administrator invites trustees and sets threshold
+    - Administrator logs in and goes to the election draft page
+    - In the "Trustees" section, she clicks on the "here" link
+    - She clicks on the "threshold mode" link
+    - She adds `T` trustees (their email address), and remembers the link she will send to each trustee
+    - In the field next to "Threshold:", she types `U`, and clicks on the "Set" button
+    - (She checks that in the table, the "STATE" column is "1a" on every row)
+    - She sends to each trustee an email containing their own link
+    - She logs out and closes the window
+- Trustees initialization step 1/3: Trustees generate election private keys. Each of the `T` trustees will do the following process:
+    - Trustee opens link that has been sent to him by election administrator
+    - He checks that the page content shows the same election URL as the one the administrator saw
+    - He clicks on the "Generate private key" button
+    - He clicks on the "private key" link, to download the private key (file is saved by default as `private_key.txt`)
+    - He clicks on the "Submit" button
+    - He checks that the next page shows the expected confirmation sentence (If trustee was the last one in the list, he checks that page contains text "Now, all the certificates of the trustees have been generated. Proceed to generate your share of the decryption key."
+, else he checks for sentence "Waiting for the other trustees... Reload the page to check progress.")
+    - He closes the window
+    - (Administrator logs in, selects the election by clicking on its link, and in the "Trustees" section clicks on "here". She checks that in the table on the current trustee row, the "STATE" column is now "1b" instead of "1a")
+- (Administrator logs in, selects the election by clicking on its link, and in the "Trustees" section clicks on "here". She checks that in the table on every row, the "STATE" column is now "2a")
+- Trustees initialization step 2/3: Trustees generate their share of the decryption key. Each of the `T` trustees will do the following process:
+    - Trustee opens link that has been sent to him by election administrator
+    - He checks that the page content shows the same election URL as the one the administrator saw
+    - He checks the presence of text "Now, all the certificates of the trustees have been generated. Proceed to generate your share of the decryption key."
+    - In field next to "Enter your private key:", he types the content of the `private_key.txt` file he downloaded
+    - He clicks on the "Proceed" button
+    - He waits until the text field next to "Data:" contains text, and clicks on the "Submit" button
+    - If he is not the last trustee in the list, he checks that the next page contains text "Waiting for the other trustees... Reload the page to check progress.". Else, he checks that the next page contains text "Now, all the trustees have generated their secret shares. Proceed to the final checks so that the election can be validated."
+    - He closes the window
+    - (Administrator logs in, selects the election by clicking on its link, and in the "Trustees" section clicks on "here". She checks that in the table on the current trustee row, the "STATE" column is now "2b" instead of "2a")
+- Trustees initialization step 3/3: Trustees do the final checks so that the election can be validated. Each of the `T` trustees will do the following process:
+    - Trustee opens link that has been sent to him by election administrator
+    - He checks that the page content shows the same election URL as the one the administrator saw
+    - He checks the presence of text "Step 3/3"
+    - In field next to "Enter your private key:", he types the content of the `private_key.txt` file he downloaded
+    - He clicks on the "Proceed" button
+    - He waits until the text field next to "Data:" contains text, and clicks on the "Submit" button
+    - He checks that the next page contains text "Your job in the key establishment protocol is done!"
+    - He clicks on the "public key" link and downloads the file (file is saved by default as `public_key.json`)
+    - He closes the window
+    - (Administrator logs in, selects the election by clicking on its link, and in the "Trustees" section clicks on "here". She checks that in the table on the current trustee row, the "STATE" column is now "3b" instead of "3a")
+- Administrator completes setup of the election
+    - Alice, as an administrator of an election, wants to finalize her draft election creation, to start the vote. She opens a browser and logs in as administrator
+    - She goes to the draft election administration page
+    - In the "Trustees" section, she clicks on "here". She checks that in the table on all rows, the "STATE" column is now "done"
+    - She clicks on the "Go back to election draft" link
+    - In "Validate creation" section, she clicks on the "Create election" link
+    - (She arrives on the "Checklist" page, that lists all main parameters of the election for review, and that flags incoherent or misconfigured parameters.)
+    - She checks the presence of text "election ready"
+    - In the "Validate creation" section, she clicks on the "Create election" button
+    - (She arrives back on the "My test election for Scenario 1 — Administration" page. Its contents have changed. There is now a text saying "The election is open. Voters can vote.", and there are now buttons "Close election", "Archive election", "Delete election")
+    - She remembers the URL of the voting page, that is where the "Election home" link points to
+    - She checks that a "Close election" button is present (but she does not click on it)
+    - She logs out and closes the window
+- Verify election consistency (using command line tool `belenios_tool verify`)
+- All voting electors cast their vote (`K` electors vote). We check vote data consistency for every batch of `X` votes (using `belenios_tool verify-diff` and a snapshot of election data copied in previous batch). For each batch of `X` voters:
+    - Create election data snapshot
+    - Current batch of electors vote. For each voter of this batch:
+        - Bob checks that he has received 2 emails containing an invitation to vote and all necessary credentials (election page URL, username, password). He goes to the election page URL.
+        - He clicks on the "Start" button
+        - A loading screen appears, then another screen appears. He clicks on the "Here" button
+        - A modal opens (it is an HTML modal created using Window.prompt()), with an input field. He types his credential.
+        - He fills his votes to each answer of the question (for each displayed checkbox, he decides to mark it or leave it empty)
+        - He clicks on the "Next" button
+        - He remembers the smart ballot tracker that is displayed
+        - He clicks on the "Continue" button
+        - He types his voter username and password, and submits the form
+        - He checks that the smart ballot tracker value that appears on screen is the same as the one he noted
+        - He clicks on the "I cast my vote" button
+        - He clicks on the "ballot box" link
+        - He checks that his smart ballot tracker appears in the list
+        - He closes the window (there is no log-out link, because user is not logged in: credentials are not remembered)
+        - He checks his mailbox to find a new email with confirmation of his vote, and verifies the value of the smart ballot tracker written in this email is the same as the one he noted.
+    - Verify election consistency (using `belenios_tool verify-diff`)
+    - Delete election data snapshot
+- Verify election consistency (using command line tool `belenios_tool verify`)
+- Create election data snapshot
+- All electors who want to change their vote re-vote (`L` electors re-vote)
+    - We re-apply the same procedure as listed in previous step, except we use the set of `L` re-voters instead of the set of `K` voters
+- Verify election consistency (using `belenios_tool verify-diff` and the snapshot created right before re-votes)
+- Delete election data snapshot
+- Verify election consistency (using command line tool `belenios_tool verify`)
+- Administrator starts tallying of the election
+    - Alice goes to the election page
+    - She clicks on the "Administer this election" link
+    - She logs in as administrator
+    - She clicks on the "Close election" button
+    - She clicks on the "Proceed to vote counting" button
+    - She checks the presence of text "We are now waiting for trustees... At least ${U} trustee(s) must act."
+    - She checks that in the table on every content row, the "DONE?" column is "No"
+    - She remembers the encrypted tally hash
+    - She remembers the link to send to each trustee, so they can tally the election
+    - She sends to each trustee an email containing their own link
+    - She logs out and closes the window
+- Trustees do tallying (partial decryption). Each trustee (Tom and Taylor) will do the following process:
+    - He opens the link that Alice (the election administrator) has sent to him
+    - We verify that the encrypted election hash is the same as the one that has been displayed to election administrator
+    - He verifies that the "private key" input field is empty (at the beginning)
+    - He clicks on the "Browse..." button and selects his private key file (initially downloaded as `private_key.json` by default)
+    - He waits until the "private key" input field (that has id "#private_key") becomes not empty anymore. This is because once the user has selected the file to upload, the Javascript code in the page detects that a file has been selected, reads it, and fills "private key" input field with file's contents. The computation triggered by click on the "Compute decryption factors" button will use the value of this field, not directly the uploaded file contents.
+    - He clicks on the "Compute decryption factors" button
+    - He checks that the text field below (used as visual feedback) now contains text
+    - He clicks on the "Submit" button
+    - He checks that next screen contains a confirmation sentence
+    - He closes the window
+- Administrator finished tallying of the election
+    - Alice goes to the election page
+    - She clicks on the "Administer this election" link
+    - She logs in as administrator
+    - She checks that encrypted tally hash is still the same as the first time it has been displayed to her
+    - She checks that the "DONE?" column of each trustee is to "Yes"
+    - She clicks on the "Compute the result" button
+    - She checks consistency of the election result
+        - She checks that the number of accepted ballots is the same as the number of voters who voted
+        - For each available answer in the question, she checks that the total number of votes in favor of Answer X displayed in result page is the same as the sum of votes for Answer X in all votes of voters who voted that have been randomly generated in advance
+        - She checks that each ballot content corresponds to content that of this vote that has been randomly generated in advance
+- Verify election consistency (using command line tool `belenios_tool verify`)
+

doc/references.bib

+@InProceedings{Belenios-Meadows2019,
+author="Cortier, V{\'e}ronique
+and Gaudry, Pierrick
+and Glondu, St{\'e}phane",
+title="Belenios: A Simple Private and Verifiable Electronic Voting System",
+bookTitle="Foundations of Security, Protocols, and Equational Reasoning: Essays Dedicated to Catherine A. Meadows",
+year="2019",
+publisher="Springer International Publishing",
+pages="214--238",
+}
+
+@InProceedings{Belenios-Easycrypt-CSF18,
+  author = 	 {V\'eronique Cortier and Constantin Catalin Dragan and Pierre-Yves Strub and Francois Dupressoir and Bogdan Warinschi},
+  title = 	 {Machine-checked proofs for electronic voting: privacy
+      and verifiability for {B}elenios},
+  booktitle = {{P}roceedings of the 31st {IEEE} {C}omputer {S}ecurity {F}oundations {S}ymposium ({CSF} 2018)},
+  year = 	 {2018},
+  pages = 	 {298--312},
+}
+
+@InProceedings{wpes2013,
+  author = 	 {V\'eronique Cortier and David Galindo and St\'ephane Glondu and Malika Izabachene},
+  title = 	 {Distributed {ElGamal} \`a la {P}edersen - {A}pplication
+      to {H}elios},
+  booktitle = {Workshop on Privacy in the Electronic Society (WPES 2013)},
+  OPTpages = 	 {},
+  year = 	 {2013},
+  address = 	 {Berlin, Germany},
+}
+
+
+@InProceedings{CGGI-esorics14,
+  author = 	 {V\'eronique Cortier and David Galindo and St\'ephane Glondu and Malika Izabachene},
+  title = 	 {Election Verifiability for {H}elios under Weaker Trust Assumptions},
+  booktitle = {Proceedings of the 19th European Symposium on Research in Computer Security (ESORICS 2014)},
+  pages = 	 {327--344},
+  year = 	 {2014},
+  OPTeditor = 	 {},
+  volume = 	 {8713},
+  OPTnumber = 	 {},
+  series = 	 {LNCS},
+  address = 	 {Wroclaw, Poland},
+  publisher = {Springer},
+}
+
+@misc{CHVote,
+    author = {Rolf Haenni and Reto E. Koenig and Philipp Locher and Eric Dubuis},
+    title = {{CHV}ote System Specification},
+    howpublished = {Cryptology ePrint Archive, Report 2017/325},
+    year = {2017},
+    note = {\url{https://eprint.iacr.org/2017/325}},
+}
+
+
+@InProceedings{asiacrypt12,
+  author = 	 {David Bernhard and Bogdan Warinschi and Olivier Pereira},
+  title = 	 {How Not to Prove Yourself: {P}itfalls of
+      {F}iat-{S}hamir and Applications to {H}elios},
+  booktitle = {Advances in Cryptology (AsiaCrypt 2012)},
+  year = 	 {2012},
+  OPTeditor = 	 {Springer Verlag},
+  volume = 	 {7658},
+  OPTnumber = 	 {},
+  series = 	 {LNCS},
+  pages = 	 {626--643},
+  OPTmonth = 	 {},
+  OPTaddress = 	 {},
+  OPTorganization = {},
+  OPTpublisher = {},
+  OPTnote = 	 {},
+  OPTannote = 	 {}
+}
+
+@inproceedings{Helios,
+ author = {Adida, Ben},
+ title = {Helios: web-based open-audit voting},
+ booktitle = {Proceedings of the 17th conference on Security symposium (SS 2018)},
+ series = {SS'08},
+ location = {San Jose, CA},
+ pages = {335--348},
+ publisher = {USENIX Association},
+ address = {Berkeley, CA, USA},
+} 
+
+@unpublished{note-Pierrick,
+  TITLE = {Some {ZK} security proofs for {B}elenios},
+  AUTHOR = {Gaudry, Pierrick},
+  URL = {https://hal.inria.fr/hal-01576379},
+  NOTE = {working paper or preprint},
+  YEAR = {2017},
+  PDF = {https://hal.inria.fr/hal-01576379/file/ZK-securityproof.pdf},
+  }
+
+
+@InProceedings{Pedersen,
+  author = 	 {Torben P. Pedersen},
+  title = 	 {Non-interactive and information-theoretic secure verifiable secret sharing},
+  booktitle = {CRYPTO 1991},
+  year = 	 {1991},
+  OPTeditor = 	 {},
+  OPTvolume = 	 {},
+  OPTnumber = 	 {},
+  OPTseries = 	 {},
+  pages = 	 {129-–140},
+}
+

myocamlbuild.ml

@@ -139,6 +139,7 @@ let () = dispatch & function
     copy_rule "tool_js_credgen.js" "src/tool/tool_js_credgen.js" "src/static/tool_js_credgen.js";
     copy_rule "tool_js_questions.js" "src/tool/tool_js_questions.js" "src/static/tool_js_questions.js";
     copy_rule "tool_js_pd.js" "src/tool/tool_js_pd.js" "src/static/tool_js_pd.js";
+    copy_rule "tool_js_shuffle.js" "src/tool/tool_js_shuffle.js" "src/static/tool_js_shuffle.js";
 
     List.iter
       copy_static

opam-bootstrap.sh

@@ -34,11 +34,11 @@ fi
 mkdir -p "$BELENIOS_SYSROOT/bootstrap/src"
 
 cd "$BELENIOS_SYSROOT/bootstrap/src"
-wget https://github.com/ocaml/opam/releases/download/2.0.0/opam-full-2.0.0.tar.gz
+wget https://github.com/ocaml/opam/releases/download/2.0.5/opam-full-2.0.5.tar.gz
 
 if which sha256sum >/dev/null; then
 sha256sum --check <<EOF
-9dad4fcb4f53878c9daa6285d8456ccc671e21bfa71544d1f926fb8a63bfed25  opam-full-2.0.0.tar.gz
+776c7e64d6e24c2ef1efd1e6a71d36e007645efae94eaf860c05c1929effc76f  opam-full-2.0.5.tar.gz
 EOF
 else
     echo "WARNING: sha256sum was not found, checking tarballs is impossible!"
@@ -50,8 +50,8 @@ echo
 echo "=-=-= Compilation and installation of OPAM =-=-="
 echo
 cd "$BELENIOS_SYSROOT/bootstrap/src"
-tar -xzf opam-full-2.0.0.tar.gz
-cd opam-full-2.0.0
+tar -xzf opam-full-2.0.5.tar.gz
+cd opam-full-2.0.5
 make cold CONFIGURE_ARGS="--prefix $BELENIOS_SYSROOT/bootstrap"
 make cold-install LIBINSTALL_DIR="$BELENIOS_SYSROOT/bootstrap/lib/ocaml"
 
@@ -74,7 +74,7 @@ eval $(opam env)
 echo
 echo "=-=-= Installation of Belenios build-dependencies =-=-="
 echo
-opam install --yes dune=1.6.3 atdgen zarith cryptokit uuidm calendar cmdliner sqlite3 ssl js_of_ocaml=3.3.0 eliom=6.3.0 csv
+opam install --yes dune=1.6.3 atdgen zarith cryptokit uuidm calendar cmdliner sqlite3 ssl=0.5.7 js_of_ocaml=3.3.0 eliom=6.3.0 csv
 
 echo
 echo "=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-="

src/lib/common.ml

@@ -46,53 +46,14 @@ module Array = struct
        else true
      in check (pred n))
 
-  let fforall f xs =
-    let rec loop_outer i =
-      if i >= 0 then
-        let x = xs.(i) in
-        let n = Array.length x in
-        let rec loop_inner j =
-          if j >= 0 then f x.(j) && loop_inner (pred j)
-          else loop_outer (pred i)
-        in loop_inner (pred n)
-      else true
-    in
-    let n = Array.length xs in
-    loop_outer (pred n)
-
-  let fforall2 f xs ys =
-    let rec loop_outer i =
-      if i >= 0 then
-        let x = xs.(i) and y = ys.(i) in
-        let n = Array.length x in
-        n = Array.length y &&
-        let rec loop_inner j =
-          if j >= 0 then f x.(j) y.(j) && loop_inner (pred j)
-          else loop_outer (pred i)
-        in loop_inner (pred n)
-      else true
-    in
-    let n = Array.length xs in
-    n = Array.length ys &&
-    loop_outer (pred n)
-
-  let fforall3 f xs ys zs =
-    let rec loop_outer i =
-      if i >= 0 then
-        let x = xs.(i) and y = ys.(i) and z = zs.(i) in
-        let n = Array.length x in
-        n = Array.length y &&
-        n = Array.length z &&
-        let rec loop_inner j =
-          if j >= 0 then f x.(j) y.(j) z.(j) && loop_inner (pred j)
-          else loop_outer (pred i)
-        in loop_inner (pred n)
+  let forall3 f a b c =
+    let n = Array.length a in
+    n = Array.length b &&
+    n = Array.length c &&
+    (let rec check i =
+       if i >= 0 then f a.(i) b.(i) c.(i) && check (pred i)
        else true
-    in
-    let n = Array.length xs in
-    n = Array.length ys &&
-    n = Array.length zs &&
-    loop_outer (pred n)
+     in check (pred n))
 
   let map2 f a b =
     Array.mapi (fun i ai -> f ai b.(i)) a
@@ -100,30 +61,6 @@ module Array = struct
   let map3 f a b c =
     Array.mapi (fun i ai -> f ai b.(i) c.(i)) a
 
-  let mmap f a =
-    Array.map (fun ai ->
-      Array.map f ai
-    ) a
-
-  let mmap2 f a b =
-    Array.mapi (fun i ai ->
-      let bi = b.(i) in
-      Array.mapi (fun j aj ->
-        f aj bi.(j)
-      ) ai
-    ) a
-
-  let mmap3 f a b c =
-    Array.mapi (fun i ai ->
-      let bi = b.(i) and ci = c.(i) in
-      Array.mapi (fun j aj ->
-        f aj bi.(j) ci.(j)
-      ) ai
-    ) a
-
-  let ssplit a =
-    mmap fst a, mmap snd a
-
   let findi f a =
     let n = Array.length a in
     let rec loop i =
@@ -134,6 +71,9 @@ module Array = struct
       else None
     in loop 0
 
+  let split a =
+    Array.map fst a, Array.map snd a
+
 end
 
 module String = struct
@@ -175,6 +115,61 @@ module Option = struct
     | None -> None
 end
 
+module Shape = struct
+  type 'a t =
+    | SAtomic of 'a
+    | SArray of 'a t array
+
+  let of_array x =
+    SArray (Array.map (fun x -> SAtomic x) x)
+
+  let to_array = function
+    | SAtomic _ -> invalid_arg "Shape.to_array"
+    | SArray xs ->
+       Array.map (function
+           | SAtomic x -> x
+           | SArray _ -> invalid_arg "Shape.to_array"
+         ) xs
+
+  let to_shape_array = function
+    | SAtomic _ -> invalid_arg "Shape.to_shape_array"
+    | SArray xs -> xs
+
+  let rec map f = function
+    | SAtomic x -> SAtomic (f x)
+    | SArray x -> SArray (Array.map (map f) x)
+
+  let rec map2 f a b =
+    match a, b with
+    | SAtomic x, SAtomic y -> SAtomic (f x y)
+    | SArray x, SArray y -> SArray (Array.map2 (map2 f) x y)
+    | _, _ -> invalid_arg "Shape.map2"
+
+  let rec flatten = function
+    | SAtomic x -> [x]
+    | SArray xs -> Array.map flatten xs |> Array.to_list |> List.flatten
+
+  let split x =
+    map fst x, map snd x
+
+  let rec forall p = function
+    | SAtomic x -> p x
+    | SArray x -> Array.forall (forall p) x
+
+  let rec forall2 p x y =
+    match x, y with
+    | SAtomic x, SAtomic y -> p x y
+    | SArray x, SArray y -> Array.forall2 (forall2 p) x y
+    | _, _ -> invalid_arg "Shape.forall2"
+
+  let rec forall3 p x y z =
+    match x, y, z with
+    | SAtomic x, SAtomic y, SAtomic z -> p x y z
+    | SArray x, SArray y, SArray z -> Array.forall3 (forall3 p) x y z
+    | _, _, _ -> invalid_arg "Shape.forall3"
+
+end
+
 let save_to filename writer x =
   let oc = open_out filename in
   let ob = Bi_outbuf.create_channel_writer oc in
@@ -215,6 +210,7 @@ let bytes_to_sample q =
 
 module DirectRandom = struct
   type 'a t = 'a
+  let yield () = ()
   let return x = x
   let bind x f = f x
   let fail e = raise e

src/lib/common.mli

@@ -19,28 +19,19 @@
 (*  <http://www.gnu.org/licenses/>.                                       *)
 (**************************************************************************)
 
-open Signatures
+open Signatures_core
 
 module Array : sig
   include module type of Array
   val exists : ('a -> bool) -> 'a array -> bool
   val forall : ('a -> bool) -> 'a array -> bool
   val forall2 : ('a -> 'b -> bool) -> 'a array -> 'b array -> bool
-  val fforall : ('a -> bool) -> 'a array array -> bool
-  val fforall2 : ('a -> 'b -> bool) ->
-    'a array array -> 'b array array -> bool
-  val fforall3 : ('a -> 'b -> 'c -> bool) ->
-    'a array array -> 'b array array -> 'c array array -> bool
+  val forall3 : ('a -> 'b -> 'c -> bool) -> 'a array -> 'b array -> 'c array -> bool
   val map2 : ('a -> 'b -> 'c) -> 'a array -> 'b array -> 'c array
   val map3 : ('a -> 'b -> 'c -> 'd) ->
     'a array -> 'b array -> 'c array -> 'd array
-  val mmap : ('a -> 'b) -> 'a array array -> 'b array array
-  val mmap2 : ('a -> 'b -> 'c) ->
-    'a array array -> 'b array array -> 'c array array
-  val mmap3 : ('a -> 'b -> 'c -> 'd) ->
-    'a array array -> 'b array array -> 'c array array -> 'd array array
-  val ssplit : ('a * 'b) array array -> 'a array array * 'b array array
   val findi : (int -> 'a -> 'b option) -> 'a array -> 'b option
+  val split : ('a * 'b) array -> 'a array * 'b array
 end
 
 module String : sig
@@ -60,6 +51,22 @@ module Option : sig
   val map : ('a -> 'b) -> 'a option -> 'b option
 end
 
+module Shape : sig
+  type 'a t =
+    | SAtomic of 'a
+    | SArray of 'a t array
+  val of_array : 'a array -> 'a t
+  val to_array : 'a t -> 'a array
+  val to_shape_array : 'a t -> 'a t array
+  val map : ('a -> 'b) -> 'a t -> 'b t
+  val map2 : ('a -> 'b -> 'c) -> 'a t -> 'b t -> 'c t
+  val flatten : 'a t -> 'a list
+  val split : ('a * 'b) t -> 'a t * 'b t
+  val forall : ('a -> bool) -> 'a t -> bool
+  val forall2 : ('a -> 'b -> bool) -> 'a t -> 'b t -> bool
+  val forall3 : ('a -> 'b -> 'c -> bool) -> 'a t -> 'b t -> 'c t -> bool
+end
+
 val save_to : string -> (Bi_outbuf.t -> 'a -> unit) -> 'a -> unit
 
 val compare_b64 : string -> string -> int

src/lib/election.mli

@@ -21,13 +21,12 @@
 
 (** Election primitives *)
 
-open Serializable_t
 open Signatures
 
 val of_string : string -> Yojson.Safe.json election
 val get_group : Yojson.Safe.json election -> (module ELECTION_DATA)
 
-val question_length : question -> int
+val has_nh_questions : 'a election -> bool
 
 module Make (W : ELECTION_DATA) (M : RANDOM) :
   ELECTION with type elt = W.G.t and type 'a m = 'a M.t

src/lib/group_field.ml

@@ -39,7 +39,12 @@ let map_and_concat_with_commas f xs =
 
 (** Finite field arithmetic *)
 
-let check_params {p; q; g} =
+let check_params {p; q; g; embedding} =
+  (match embedding with
+   | None -> true
+   | Some {padding; bits_per_int} ->
+      padding > 0 && bits_per_int > 0 && bits_per_int < 32
+  ) &&
   Z.probab_prime p 20 > 0 &&
   Z.probab_prime q 20 > 0 &&
   check_modulo p g &&
@@ -51,7 +56,7 @@ module type GROUP = Signatures.GROUP
   and type group = ff_params
 
 let unsafe_make group =
-  let {p; q; g} = group in
+  let {p; q; g; embedding} = group in
   let module G = struct
     open Z
     type t = Z.t
@@ -67,6 +72,43 @@ let unsafe_make group =
     let to_string = Z.to_string
     let of_string = Z.of_string
 
+    let of_ints =
+      match embedding with
+      | None ->
+         fun _ -> failwith "Group_field.of_bits: missing parameters"
+      | Some {padding; bits_per_int} ->
+         let mask_per_int = pred (1 lsl bits_per_int) in
+         fun xs ->
+         let n = Array.length xs in
+         let rec encode_int i accu =
+           if i < n then
+             let x = xs.(i) land mask_per_int in
+             encode_int (succ i) (Z.shift_left accu bits_per_int + of_int x)
+           else
+             Z.shift_left accu padding
+         in
+         let rec find_element accu =
+           if check accu then accu else find_element (accu + one)
+         in
+         find_element (encode_int 0 zero)
+
+    let to_ints =
+      match embedding with
+      | None ->
+         fun _ -> failwith "Group_field.to_bits: missing parameters"
+      | Some {padding; bits_per_int} ->
+         let mask_per_int = shift_left one bits_per_int - one in
+         fun n x ->
+         let xs = Array.make n 0 in
+         let rec decode_int i x =
+           if i >= 0 then (
+             xs.(i) <- to_int (logand x mask_per_int);
+             decode_int (pred i) (shift_right x bits_per_int)
+           )
+         in
+         decode_int (pred n) (shift_right x padding);
+         xs
+
     let read state buf =
       match Yojson.Safe.from_lexbuf ~stream:true state buf with
       | `String s -> Z.of_string s
@@ -81,7 +123,21 @@ let unsafe_make group =
       let x = prefix ^ (map_and_concat_with_commas Z.to_string xs) in
       let z = Z.of_string_base 16 (sha256_hex x) in
       Z.(z mod q)
+
     let compare = Z.compare
+
+    let get_generator =
+      let cofactor = Z.((p - one) / q) in
+      fun i ->
+      let s = Printf.sprintf "ggen|%d" i in
+      let h = Z.of_string_base 16 (sha256_hex s) in
+      let h = Z.powm h cofactor p in
+      (* it is very unlikely (but theoretically possible) that one of the following assertions fails *)
+      assert (Z.(compare h zero) <> 0);
+      assert (Z.(compare h one) <> 0);
+      assert (Z.(compare h g) <> 0);
+      h
+
     type group = ff_params
     let group = group
     let write_group = write_ff_params