egk-ec's People

Contributors

johnlcaron

egk-ec's Issues

KeyCeremony when trustees are not trusted

If the trustees are not trusted, we could do other verification tests in keyCeremonyExchange.
// are the public keys valid?
// are the encrypted shares valid?
// are the unencrypted shares valid?

Add exit code for all CLIs

0 is success and non-zero is failure that will have some kind of log error message.

Do this for mixnet CLIs also.

Manifest must be stored and checked each time it's used.

The idea here is an attacker manages to insert a modified manifest into your encryptor, if you store the manifest as a plaintext file somewhere. You have to be able to verify that the plaintext file matches the ByteArray used when generating Hm, Hb and He. EGK just uses the He stored in electionInit to do encryption.

So what if manifest has been hacked, and attacker can feed bogus ballots to the encryptor? One could set contestLimit to > 1 and vote > 1. I think the encryption would validate.

Changes for ElectionGuard Elliptic Curves

Sent message to Josh Benaloh and Michael Naehrig:

I need some advice on how to implement these two functions in the egk-ec library, namely testing if an ElementModP is "in bounds" and testing if it is a "valid residual":

    /**
     * Normal computations should ensure that every [Element] is in the modular bounds defined by
     * the group, but deserialization of hostile inputs or buggy code might not preserve this
     * property, so it's valuable to have a way to check. This method allows anything in [0, N)
     * where N is the group modulus.
     */
    fun inBounds(): Boolean

    /**
     * Validates that this element is a quadratic residue, ie in Z_p^r.
     * "Z_p^r is the set of r-th-residues in Z∗p", see spec 2.0 p.9
     */
    fun isValidResidue(): Boolean

In the standard electionguard Integer group, they are implemented as

    override fun inBounds() = element >= BigInteger.ZERO && element < groupContext.p

    override fun isValidResidue(): Boolean {
        val residue = this.element.modPow(groupContext.q, groupContext.p) == groupContext.ONE_MOD_P.element
        return inBounds() && residue
    }

I'm trying to figure out what the equivalent implementation is for the Elliptic Curve P-256 group.
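One common way to express these two checks on a prime-order curve, as an added example that is not code from egk-ec or from any reply to the message above. P-256 has cofactor 1, so a finite point that satisfies the curve equation is already in the prime-order group and no exponentiation by q is needed. `AffinePoint` and `FIELD_P` are hypothetical names, and the point at infinity (the group identity) would need its own representation.

```kotlin
import java.math.BigInteger
import java.security.AlgorithmParameters
import java.security.spec.ECFieldFp
import java.security.spec.ECGenParameterSpec
import java.security.spec.ECParameterSpec

// Curve parameters taken from the JDK's built-in secp256r1 (P-256) definition.
val P256: ECParameterSpec = AlgorithmParameters.getInstance("EC").run {
    init(ECGenParameterSpec("secp256r1"))
    getParameterSpec(ECParameterSpec::class.java)
}
val FIELD_P: BigInteger = (P256.curve.field as ECFieldFp).p

/** Hypothetical stand-in for a group element: a finite point in affine coordinates. */
data class AffinePoint(val x: BigInteger, val y: BigInteger) {

    /** Analogue of inBounds(): both coordinates lie in [0, p). */
    fun inBounds(): Boolean =
        x.signum() >= 0 && x < FIELD_P && y.signum() >= 0 && y < FIELD_P

    /** Analogue of isValidResidue(): in bounds and y^2 = x^3 + a*x + b (mod p). */
    fun isOnCurve(): Boolean {
        if (!inBounds()) return false
        val lhs = y.multiply(y).mod(FIELD_P)
        val rhs = x.pow(3)
            .add(P256.curve.a.multiply(x))
            .add(P256.curve.b)
            .mod(FIELD_P)
        return lhs == rhs
    }
}

fun main() {
    // The on-curve test is a complete membership test only when the cofactor is 1.
    check(P256.cofactor == 1) { "cofactor is not 1: a subgroup check is also needed" }

    val g = AffinePoint(P256.generator.affineX, P256.generator.affineY)
    val offCurve = g.copy(y = g.y.add(BigInteger.ONE))   // constructed invalid point
    val unreduced = g.copy(x = g.x.add(FIELD_P))         // same x mod p, but out of bounds

    println("generator:  inBounds=${g.inBounds()} onCurve=${g.isOnCurve()}")
    println("off curve:  inBounds=${offCurve.inBounds()} onCurve=${offCurve.isOnCurve()}")
    println("unreduced:  inBounds=${unreduced.inBounds()} onCurve=${unreduced.isOnCurve()}")
}
```

The unreduced case is why the bounds check comes first: without it, a deserialized coordinate of x + p would pass the curve equation while giving a second byte encoding of the same point.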

EncryptedTally has no specified state to catch errors

An EncryptedTally has accumulated encoded counts with no internal state to catch errors.

I've added in EncryptedTally:

  1. a list of castBallotIds so you can detect if a ballot tries to get added twice
  2. the electionId, so you don't add a ballot to the wrong tally
  3. optional ballot_count in the contest should help diagnose miscounts.

Anticipating the possibility of a tree of tallies that need to be added together:

  4. In TallyResult, a list of tally ids that were summed to get the EncryptedTally.

None of these are part of the EG specification. They may in some cases compromise privacy. So they need to be thought about for specific use cases.

Ballot id is used in the filepath but is not being validated

From Brian Donavan:

I noticed that the part that determines the paths of the plaintext/encrypted/decrypted ballots just interpolates the id into the path without any sort of validation. Since the id itself also has no validation beyond requiring that it not be empty, it could cause some unexpected behavior. For example, you could have a plaintext ballot file whose ballot_id doesn’t match the filename, resulting in an eballot- file that has no corresponding pballot- file. You could also have a ballot_id of something like /../../election_initialized which could cause the RunBatchEncryption CLI to overwrite some other config. I’m not sure whether anything silently nefarious could be achieved, but I thought it was worth bringing this to your attention since I don’t believe the system should be letting ballot_id in the input ballots determine things like the paths being written to.

ElectionRecordJsonPaths.kt:

    fun plaintextBallotPath(ballotDir: String, ballotId: String): String {
        val id = ballotId.replace(" ", "_")
        return "$ballotDir/$PLAINTEXT_BALLOT_PREFIX$id$JSON_SUFFIX"
    }
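A hardened variant of the path builder quoted above, as an added example that is not the project's code or its eventual fix. The `pballot-` prefix is the one named in the issue; the `.json` suffix, the allowlist policy and the names `safePlaintextBallotPath` and `idMatchesFileName` are assumptions.

```kotlin
import java.nio.file.Path
import java.nio.file.Paths

// "pballot-" is the prefix named in the issue; ".json" is an assumed suffix.
const val PLAINTEXT_BALLOT_PREFIX = "pballot-"
const val JSON_SUFFIX = ".json"

// Hypothetical policy: ids are 1..128 chars of letters, digits, '_' and '-'.
// Regex.matches() requires the whole string to match, so no anchors are needed.
private val SAFE_ID = Regex("[A-Za-z0-9_-]{1,128}")

/** Builds the ballot file path, or throws if the id could change the directory. */
fun safePlaintextBallotPath(ballotDir: String, ballotId: String): Path {
    val id = ballotId.replace(" ", "_")
    require(SAFE_ID.matches(id)) { "ballot_id is not a safe file name component" }
    // Defence in depth: the resolved file must sit directly inside ballotDir.
    val base = Paths.get(ballotDir).toAbsolutePath().normalize()
    val target = base.resolve("$PLAINTEXT_BALLOT_PREFIX$id$JSON_SUFFIX").normalize()
    require(target.parent == base) { "ballot path escapes $base" }
    return target
}

/** The issue's other case: the ballot_id inside a file must match its file name. */
fun idMatchesFileName(file: Path, ballotId: String): Boolean {
    val expected = PLAINTEXT_BALLOT_PREFIX + ballotId.replace(" ", "_") + JSON_SUFFIX
    return file.fileName.toString() == expected
}

fun main() {
    val dir = "/tmp/record/plaintext_ballots" // constructed directory
    for (id in listOf("ballot 17", "/../../election_initialized", "a/b", "..")) {
        val outcome = runCatching { safePlaintextBallotPath(dir, id) }
            .fold({ "accepted as $it" }, { "rejected (${it.message})" })
        println("'$id' $outcome")
    }
    val onDisk = Paths.get(dir, "pballot-ballot_17.json") // constructed file name
    println(idMatchesFileName(onDisk, "ballot 17"))
    println(idMatchesFileName(onDisk, "ballot 18"))
}
```

Rejecting the id outright, rather than stripping the offending characters, keeps two different ballot_ids from collapsing onto the same file name.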

Hashed strings not 2.0 compliant

Hashing strings (5.1.4)

"When an input to the function H is a string s, it is encoded as a byte array b(s, len(s)) using UTF-8
encoding. Here, len(s) is the length of the UTF-8 encoding of the string s in bytes."

But we are just using String.encodeToByteArray().

Works as long as we are consistent, but will break vs conformant implementation.

Affects

ContestData.encryptContestData()
KeyCeremonyTrustee.shareEncryption()
AddEncryptedBallot.closeChain()

Using contestData could be optional (by election or contest?)

Could make contestData optional (by election or contest?). Likely not always needed.

    data class Contest(
        override val contestId: String, // matches ContestDescription.contestId
        override val sequenceOrder: Int, // matches ContestDescription.sequenceOrder
        val contestHash: UInt256, // eq 58
        override val selections: List,
        val proof: ChaumPedersenRangeProofKnownNonce,
        override val contestData: HashedElGamalCiphertext, // TODO make optional?
        val preEncryption: PreEncryption? = null, // pre-encrypted ballots only
    ) : EncryptedBallotIF.Contest {

Savings is
EC: 33 + messageSize + 32 + 4 = typically 133 bytes
IG: 512 + messageSize + 32 + 4 = typically 612 bytes
messageSize = (1 + contestLimit) * 32
