electionguard-python

🤔 Revisit export of private guardian information

Open keithrfung opened this issue 3 years ago • 0 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

Suggestion

The PrivateGuardianRecord is designed to be part of the data schema for one particular use case.

https://github.com/microsoft/electionguard-python/blob/03698c683ab35f608e35dc9b66217caa1d40f7eb/src/electionguard/guardian.py#L88-L110

This class is designed to be an export of exclusively the private information of the Guardian. A class that could perhaps be saved on a yubikey or similar device. It should only have the information that the Guardian should maintain for the decryption process and nothing else.

Possible Implementation

Simplify the class down to fewer items and include the decrypted values of the backups as opposed to the encrypted ones. This will only matter once secret sharing is complete, but it means the class is inaccurate at this juncture.

from dataclasses import dataclass
from typing import Dict

# Import paths assumed from the electionguard package layout at this commit
from electionguard.group import ElementModQ
from electionguard.key_ceremony import ElectionKeyPair
from electionguard.type import GuardianId


@dataclass
class PrivateGuardianRecord:
    guardian_id: GuardianId
    election_keys: ElectionKeyPair
    guardian_key_shares: Dict[GuardianId, ElementModQ]  # Same as decrypted_backups, could be a class

Anything else?

Closely relates to #355


Adding more context and detail.

The Guardian only needs to be responsible for keeping minimal information from Key Ceremony to Decryption. This is represented in the PrivateGuardianRecord. The items that need to be maintained secretly are some self identifying pieces of information and the secrets themselves.

The two secrets are the ElectionKeyPair, in particular the Secret Key, and the key shares for any guardians that could be missing. Note that the shares themselves are the actual value, not the backup which is used in the ceremony. This will help prevent future issues with key sharing when the values are encrypted and any storage issues, since the only value needed to store is essentially a number, even if represented in hex.

The key share or Backup is the share of the private key given by a guardian to each other guardian. Secret sharing is the distribution of these keys. The only value that is used is the coordinate, which can be seen in use here in the threshold decryption: https://github.com/microsoft/electionguard-python/blob/03698c683ab35f608e35dc9b66217caa1d40f7eb/src/electionguard/decryption.py#L474

The issue is that when secret sharing is added, these values will now be encrypted in the backup, so the backup itself shouldn't be saved. This makes sense regardless because it contains proofs that are not used after the key ceremony and aren't contained in the Election Record.

keithrfung avatar Apr 22 '22 17:04 keithrfung
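The point made in this issue, that a guardian only needs to keep its own secret key plus the plain coordinate each other guardian computed for it, can be shown with a small stand-alone model. This is an added example, not code from the issue or from electionguard-python: it uses a toy prime `Q` in place of ElectionGuard's real group order, string guardian ids, and its own `key_ceremony`, `evaluate`, `lagrange_at_zero` and `recover_missing_secret` helpers. The library itself uses the coordinates to compute compensated decryption shares rather than reconstructing a missing key; the reconstruction here just shows why the decrypted coordinate, a single number, is all that must be persisted.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List

Q = 2_147_483_647  # toy prime standing in for ElectionGuard's group order q (assumption)


@dataclass
class PrivateGuardianRecord:
    guardian_id: str
    secret_key: int  # constant term of the guardian's own polynomial
    # decrypted coordinates P_j(x_i) received from each other guardian j
    guardian_key_shares: Dict[str, int] = field(default_factory=dict)


def evaluate(coeffs: List[int], x: int) -> int:
    """Horner evaluation of the polynomial at x, reduced mod Q."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


def key_ceremony(guardian_ids: List[str], quorum: int):
    """Each guardian ends up holding only its secret key and the plain coordinates
    the other guardians computed for it; the encrypted backups are not kept."""
    sequence = {gid: i + 1 for i, gid in enumerate(guardian_ids)}  # x-coordinates 1..n
    polys = {gid: [secrets.randbelow(Q - 1) + 1 for _ in range(quorum)] for gid in guardian_ids}
    records = {gid: PrivateGuardianRecord(gid, polys[gid][0]) for gid in guardian_ids}
    for sender, coeffs in polys.items():
        for receiver in guardian_ids:
            if receiver != sender:
                # In the real ceremony this value travels as an encrypted backup;
                # the receiver decrypts it, and this number is all it needs to store.
                records[receiver].guardian_key_shares[sender] = evaluate(coeffs, sequence[receiver])
    return sequence, records


def lagrange_at_zero(xs: List[int], x_i: int) -> int:
    """Lagrange basis coefficient for x_i evaluated at 0, mod Q."""
    num = den = 1
    for x_j in xs:
        if x_j != x_i:
            num = num * (-x_j) % Q
            den = den * (x_i - x_j) % Q
    return num * pow(den, -1, Q) % Q


def recover_missing_secret(missing: str, available: List[PrivateGuardianRecord], sequence: Dict[str, int]) -> int:
    """Reconstruct a missing guardian's secret key from quorum-many stored coordinates."""
    xs = [sequence[r.guardian_id] for r in available]
    total = sum(lagrange_at_zero(xs, sequence[r.guardian_id]) * r.guardian_key_shares[missing] for r in available)
    return total % Q
```

Any quorum-sized subset of the remaining records reconstructs the missing guardian's key from the stored coordinates alone; nothing from the ceremony's encrypted backups or proofs is consulted.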