A Brief Introduction to Mix Networks Ari Juels RSA Laboratories © 2001, RSA Security Inc.

What does a mix network do? message 1 message 2 message 3 message 4 Randomly permutes and decrypts inputs Mix network

What does a mix network do? message 2 Key property: We can’t tell which ciphertext corresponds to a given message ?

Example application: Anonymizing bulletin board or From Bob From Charlie From Alice

From Bob From Charlie From Alice “I love Alice” “Nobody loves Bob” “I love Charlie” Is it Bob, Charlie, self-love, or other? Example application: Anonymizing bulletin board or

Another application: Voting Digitally signed by Eve Digitally signed by Charlie Digitally signed by Charlie Digitally signed by Bob Digitally signed by Alice A vote for Al G re A vote for G.W. Bush A vote for Al Gore A vote for G.W. Bush Final Tally: Bush 2 Gore 1

A look under the hood

Basic Mix (Chaum ‘81) Server 1 Server 2 Server 3 PK 1 PK 2 PK 3

Encryption of Message PK 1 PK 2 PK 3 message Ciphertext = E PK1 [E PK2 [E PK3 [message]]]

Basic Chaumian Mix Server 1 Server 2 Server 3 m1 m2 m3 m2 m3 m1 decrypt and permute m2 m1 m3 decrypt and permute decrypt and permute m2 m3 m1

Basic Chaumian Mix m1 m2 m3 m2 m3 m1 decrypt and permute m2 m1 m3 decrypt and permute decrypt and permute m2 m3 m1 Observe: As long as one server is honest, privacy is preserved

Basic Chaumian Mix Server 1 Server 2 Server 3 m3 ?

What if one server fails? Server 1 Server 2 Server 3 SK 2 Privacy now requires a majority of honest servers Tolerance of failure is called robustness Solution idea: Share key among others

ballot BUSH What if one server cheats? Solution idea: Have each server prove that it permuted and decrypted correctly Proof may be digitally signed and carried along with ciphertexts

Robust Mix Server 1 Server 2 Server 3 m1 m2 m3 m2 m3 m1 decrypt, permute, and prove correct m2 m1 m3 decrypt, permute, and prove correct decrypt, permute, and prove correct m2 m3 m1

History of Robust Mixing u Park, Itoh, Kurosawa (EC ‘93) u Ogata, Kurosawa, Sako, Takatani (ICICS ‘97) u Abe (EC ‘98) u Jakobsson (EC ‘98) u Desmedt and Kurosawa (EC ‘00)

History of Robust Mixing u Jakobsson “Flash Mix” (PODC ‘99) –Secure only for large input sizes –Idea: Employ “dummy” inputs to check correctness u Mitomo and Kurosawa (AC ‘00) –Repair weakness in Jakobsson ‘99

Publicly verifiable mixing u Idea: Ensure that proofs are legitimate even if all servers try to cheat u Abe (AC ‘99), Jakobsson and Juels (DIMACS-TR ‘99) –Idea: Use “swap” as atomic unit; prove correctness of “swap” –Efficient only on small input sizes u Sako (Crypto ‘01) (renamed “shuffling”) u Neff (ACM CCS ‘01)

Hybrid mixing u Idea: Use symmetric and asymmetric crypto to achieve efficiency on long messages u Ohkuba and Abe (AC ‘00) u Jakobsson and Juels (PODC ‘01)

Asynchronous mixing Alice Preserves traffic routing privacy Examples: Crowds (AT&T), ZK Systems, CIA, etc. Ecoterrorism server U.S. England Finland Mix network ?

Some other applications of mixes u Anonymous payment schemes u Secure multiparty computation u Privacy-preserving content retrieval (A weak but efficient form of PIR)

What properties are desirable for voting? u Privacy: YES u Robustness: YES u Long messages: NO u Public verifiability: MAYBE –NO: Jakobsson’s “Flash Mix” (for large mixes) –YES: Mix by Neff

Can we improve with different modeling? u Voter can collaborate with server to change vote in mid-mix -- prior to seeing other votes –“Beauty flaw” in JJ ‘01 u Very efficient asymmetric mix can probably be designed if we accept this “flaw” u What other modeling changes are permissible?

Questions?