search

glondu / belenios

Verifiable online voting system. This is a mirror of https://gitlab.inria.fr/belenios/belenios
https://www.belenios.org
GNU Affero General Public License v3.0
133 stars 21 forks source link

Possible vulnerability to election faking? #48

Closed Vadiml1024 closed 2 years ago

Vadiml1024 commented 2 years ago

Is there any plans to address this: https://hal.inria.fr/hal-02928953/document

glondu commented 2 years ago

It has been addressed in Belenios 1.17 :-)

Vadiml1024 commented 2 years ago

Thank you, Stéphane for the info, would you mind, please, pointing to a specific patch - my Ocaml is VERY Rusty :-(

glondu commented 2 years ago

The fix was part of the "crypto-v1" branch, which aimed at fixing several theoretical bugs like the one you mention, that couldn't be fixed in a backward-compatible way. The branch has been merged in d267ee3c410855a0936f8f435f9961022ab885e0. The specific issue you raise was addressed by adding a "full" description of the group in zero-knowledge proofs, so that the generator cannot be changed (without changing the source code). Actually, this gives less flexibility in the code but we don't think this flexibility is actually needed.

Vadiml1024 commented 2 years ago

Hi Stéphane, thank you for the pointer

Le ven. 7 janv. 2022 à 07:27, Stéphane Glondu @.***> a écrit :

The fix was part of the "crypto-v1" branch, which aimed at fixing several theoretical bugs like the one you mention, that couldn't be fixed in a backward-compatible way. The branch has been merged in d267ee3 https://github.com/glondu/belenios/commit/d267ee3c410855a0936f8f435f9961022ab885e0. The specific issue you raise was addressed by adding a "full" description of the group in zero-knowledge proofs, so that the generator cannot be changed (without changing the source code). Actually, this gives less flexibility in the code but we don't think this flexibility is actually needed.

— Reply to this email directly, view it on GitHub https://github.com/glondu/belenios/issues/48#issuecomment-1007172357, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAG76GKF2SUIOIKZ776FICLUU2BUVANCNFSM5LMKHJOQ . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub.

You are receiving this because you authored the thread.Message ID: @.***>