Open JohnLCaron opened 1 year ago
p 31, 3.3.5: "NIZK Proof: Proves that (α, β) is an encryption of an integer in the range 0, 1, . . . , R...."
p 34, 3.3.8: (6.3) aj = g vj · ᾱcj mod p for all 0 ≤ j ≤ L,
R for selection limit (verification 5), L for contest limit (verification 6)
Verification 13.B, 13.C
(13.B) For each option in the contest, the selection σ is a valid value — usually either a 0 or a 1. (13.C) The sum of all selections in the contest is at most the selection limit L for that contest.
should be:
(13.B) For each option in the contest, the selection σ is a valid value — between 0 and R
"Using range proofs with a range up to a certain option selection limit for the individual option as well as the contest selection sum therefore enables cardinal voting methods such as cumulative voting, score voting, STAR-voting, and Borda count in ElectionGuard." p. 28
contest selection sum == contest selection limit
p.32 and 6.2.4
Verification 5 (Well-formedness of selection encryptions)
For each selectable option on each cast ballot, an election verifier must compute the values
(5.1) aj = g^vj · α^cj mod p for all 0 ≤ j ≤ R,
(5.2) bj = K^wj · β^cj mod p, where wj = (vj − j * cj ) mod q for all 0 ≤ j ≤ R,
(5.3) c = H(HE ; 0x21, K, α, β, a0 , b0 , a1 , b1 , . . . , aR , bR ),
where R is the option selection limit. An election verifier must then confirm the following:
(5.A) The given values α and β are in the set Zrp .
(A value x is in Zrp if and only if x is an integer such that 0 ≤ x < p and xq mod p = 1.)
(5.B) The given values cj each satisfy 0 ≤ cj < 2256 for all 0 ≤ j ≤ R.
(5.C) The given values vj are each in the set Zq for all 0 ≤ j ≤ R.
(A value x is in Zq if and only if x is an integer such that 0 ≤ x < q.)
(5.D) The equation c = (c0 + c1 + · · · + cR ) mod q is satisfied.
PR#384 solves most of this. Still to do:
contest selection limit vs option selection limit.
"ElectionGuard allows a selection to be the assignment of a value in a range {0, 1, . . . , R}, where R is the option selection limit, a positive integer that defines the maximal value allowed to be assigned to this option by the voter. For each contest, the election manifest must specify the option selection limit for the options in this contest, and must also specify a contest selection limit L, which is the maximal total value for the sum of all selections made in that contest." p 17