As of 06/15/2020, this repository is no longer being actively maintained. ElectionGuard development has transitioned to the ElectionGuard-Python Repo.
This repository will remain open sourced and available, but will no longer be actively maintained or updated. Development is underway for a replacement low-level language repository (C/C++) and updates will be posted here and on our Main repository Page. This URL will become archived and read-only in Summer of 2020.
This is the core SDK that performs election functions such as vote encryption, decryption, key generation, and tallying. This code is meant to be run on voting system hardware and to be integrated into existing (or new) voting system software. The ElectionGuard SDK is written in C and is meant to add end-to-end verifiability and encryption into 3rd party comprehensive voting systems. There is also a simplistic, proof-of-concept C application to understand how the API should be called.
This implementation of the ElectionGuard SDK serves to showcase the API provided by the SDK. It focuses on specifying and fixing the API so programming against the header files presented in the include document should allow you to develop a voting system that is automatically improved as the development of the ElectionGuard SDK continues.
This repository is pre-release. We look forward to engaging with the elections, security, and software engineering communities to continue to improve it as we move towards a full release.
For Documentation on how to use this API, visit ElectionGuard C Documentation. Docs can also be compiled from this repository, see the "Documentation" section below.
For more details about the API, see the include.
A file describing the build process for Windows can be found here.
First create a build directory and configure the build.
mkdir build
cmake -S . -B buildTo build the SDK static library libelectionguard.a, run
cmake --build buildAlternatively there is a Makefile to wrap the cmake commands:
make buildCurrently you can exercise the SDK by running the api client
<examples/api>. We include a cmake test to do so automatically. You can also execute the client directly to better examine the output it produces.
Warning
The current implementation allocates many things statically, leading to a large stack. This can cause stack-overflows as the size of elections grows.
The size of the stack mostly depends on the value of MAX_TRUSTEES in include/max_trustees.h, so one way to fix the problem is to reduce that number and recompile.
You can also increase the stack size, for example using ulimit.
In addition, this causes issues with valgrind. The error messages are usually pretty helpful, and setting --main-stacksize and --main-stackframe according to its reccomendations usually fixes the issue.
A file describing the build process for Windows can be found here.
To build and run an example client of the SDK, run the tests:
cmake --build build --target testAlternatively you can build the client as a stand-alone project. Create a separate build directory for the client, configure the build to refer to the built library, and build the client.
mkdir api_build
ElectionGuard_DIR="$PWD/build/ElectionGuard" cmake -S examples/api -B api_build
cmake --build api_build --target apiThe built binary should be located at api_build/api.
alternatively, you can use the convenience Makefile
make run-apiTo enable debug builds suitable for running with debuggers like lldb, set the CMAKE_BUILD_TYPE cmake variable to Debug when configuring. From the command-line, this looks like
cmake -S . -B build -DCMAKE_BUILD_TYPE=DebugSome development tools like ccls or cquery use a JSON file called compile_commands.json to lookup which build flags are used to build different files. To produce such a file while compiling, set the CMAKE_EXPORT_COMPILE_COMMANDS cmake variable. From the command-line, this looks like
cmake -S . -B build -DCMAKE_EXPORT_COMPILE_COMMANDS=ONTo build the HTML documentation, you will need to have doxygen installed, as well as python with the sphinx and breathe packages. Then configure your build with the BUILD_DOCUMENTATION variable set and rebuild.
Note
Make sure that you've initialized git submodules correctly. The theme used for the documentation is in a submodule.
git submodule update --init --recursivecmake -S . -B build -DBUILD_DOCUMENTATION=ON
cmake --build buildand the documentation will be built in the build/docs/html directory. You can browse it locally by opening build/docs/html/index.html, or by running a local server
# python2
(cd build/docs/html && python -m SimpleHTTPServer)
# python3
python3 -m http.server --directory build/docs/htmlAny pointers returned by functions in the SDK are considered to be owned by the caller. This means that the SDK will retain no references to them, and that the caller must free them when they are done.
Any pointers passed to functions in the SDK as arguments are considered to be borrowed by the function, which means that they will not be freed by that function, and it is still the responsibility of the caller to free the pointer. This of course excludes functions whose purpose is to free an opaque data type, like KeyCeremony_Trustee_free().
This only applies when functions return with a successful status. If a function returns with an error status, the client does not need to free any memory that may have been allocated by the function; it will clean up after itself.
All public functions are prefixed with the name of their “class” or module, capitalized.
There are a few different kinds of types, and they each have their own naming conventions. The rationale is that for types that we rely on the fact that they are enums or structs, we should not typedef them so that it is clear that they are enums and structs. If that changes, we will have to go fix it everywhere, which is good, because now we cannot rely on their representation anymore. Abstract types should be typedefed because we don’t rely on their implementation.
A type whose implementation we want to be hidden from clients. This means that it must be hidden behind a pointer so its size doesn’t need to be known.
Naming convention: uppercase, with their structs suffixed with _s.
typedef struct Car_s *Car;A enum whose values represent possible statuses that we want to return.
Naming convention: prefixed by module or scope, then lowercase, and no typedef.
enum Car_status {
CAR_SUCCESS,
CAR_ON_FIRE,
};A struct whose sole purpose is to allow us to return multiple values, often a status enum and a payload.
Naming convention: prefixed by module or scope, then lowercase, then _r, and no typedef. If only used for a single function, make the name identical to the function name, then _r. You can forward declare in the return type.
struct Car_drive_r Car_drive(Car c);
struct Car_drive_r {
enum Car_status status;
int x;
int y;
};A type we want to name, but whose implementation need not be hidden. In fact, we might rely on the details of its representation.
Naming convention: all lowercase, no typedef.
struct model {
int year;
enum color color;
};- Elections configurations are hard-coded. Later versions will be dynamically configurable by JSON input.
- Proof checks are sanity checks only, they are suitable to double check output from a trustworthy source, but not for a verifier.
- Election output is not yet structured for JSON output. Future versions will output data that will be compatible with our verifier specifications.
- The code is tested to be memory safe, however there are known memory leaks, these will be fixed in the next versions
- Decryption works by loading the entire election into memory. Due to the size of elections, this will not be desirable for larger elections.
- We use a dummy hash for the base hash, when JSON input is enabled, that must feed into the base hash
- We use RSA for sharing key-shares. Ideally ElGamal would be used, however it requires different parameters than the rest of the election.
Help defend democracy and contribute to the project.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent