1. Almost Entirely Correct Mixing With Applications to Voting Philippe Golle Dan Boneh Stanford University

2. Mix Server A mix server is a cryptographic implementation of a hat. InputsOutputs ? Mix Server Proof

3. Mix Network Mix network A group of mix servers that operate sequentially. Server 1Server 2Server 3 InputsOutputs ??? Proof If a single mix server is honest, global permutation is secret.

4. Applications Other applications: –Anonymous payments –Anonymous channels All these applications require efficient schemes Anonymous voting Mix SubmissionTabulation

5. Properties Privacy: outputs can’t be matched to inputs Correctness: outputs match inputs Robustness: an output is produced regardless of possible mix server failures or bad inputs Verifiability: local or universal Efficiency

6. Zoology of Mix Networks Decryption Mix Nets [Cha81,…]: –Inputs: ciphertexts –Outputs: decryption of the inputs. Re-encryption Mix Nets[PIK93,…]: –Inputs: ciphertexts –Outputs: re-encryption of the inputs InputsOutputs ?

7. Re-encryption Mixnet 0.Setup: mix servers generate a shared ElGamal key 1. Users encrypt their inputs: Input Pub-key 3. A quorum of mix servers decrypts the outputs Output Priv-key Server 1Server 2Server 3 re-encrypt & mix re-encrypt & mix re-encrypt & mix 2. Encrypted inputs are mixed: Proof

8. ElGamal Cryptosystem ElGamal is a randomized public-key cryptosystem Plaintexts in a group G of prime order q Ciphertext are pairs (a,b) where a,b in G. Malleable: E r (m)  E r+s (m) ZK proof that two CT decrypt to the same PT (1 exp) M ultiplicative homomorphism: E(m), E(m’)  E(mm’)

9. Problem Mix servers must prove correct re-encryption –Inputs: n ElGamal ciphertexts E(m i ) –Outputs: n ElGamal ciphertexts E(m’ i ) Mix proves that there is a permutation π such that: without revealing π.

10. Quick survey of proofs of re-encryption Cut and Choose ZK [SK95,OKST97] 642nk Pairwise Permutations [JJ99,Abe99] 14nk·log n Matrix Representation [FS01] 36nk Polynomial Scheme [Nef01] 16nk Randomized Partial Checking [JJR01] nk Global privacy Optimistic Mix [GZBJJ02] 6 + 12k Optimistic Proof of Subproduct[BG02] αkαk Near-correct n = number of inputs k = number of servers

11. Proving Correct Re-encryption Mix server: –Receives: n ElGamal ciphertexts E(m i ) –Produces: n ElGamal ciphertexts E(m’ i ) Observations: –Honest mix can always give this proof –Verification is necessary but not sufficient –Idea: use random subsets  the name PSP Verifier: –Computes: E(  i=1 m i ) and E(  i=1 m’ i ) –Ask Mix for ZK proof that these CT decrypt to same PT. n n

12. Proof-of-Subproduct (PSP) Mix net 1.Mix the inputs S Mix Server S’ Inputs m i Outputs m’ i 3. Verifiers choose random subset S 4. The mix server reveals image S’ 5. Mix gives ZK proof that Repeat α times 2. Mix gives ZK proof that  i=1 m i =  i=1 m’ i mod q nn

13. Properties of PSP PSP is sound PSP is robust Efficiency (per mix server, for n inputs): Mixing: n exponentiations Proof:α exponentiations (e.g. α = 5) Constant in number of inputs! Privacy: users only lose α bits of privacy on average Theorem: cheating mix is detected with prob > Conjecture: cheating is detected with prob > where w is the number of wrong outputs

14. Applications of PSP Large elections: 160,000 ballots. Suppose the mixnet corrupts 100 votes. With α = 6: Every ballot hidden among 2,500 others Provable bound: prob > 94% cheating detected Conjectured bound: prob > 99.9% cheating detected PSP is compatible with other verification schemes that offer full correctness: Use PSP to verify output Announce the output Run another slower scheme to verify the output

15. Proof of Correctness Theorem: cheating is detected with probability 1 – (5/8)  A cheating mix that fools the verifier with prob > 1 – (5/8)  can compute discrete logarithm in G. Reduction relies on the following theorem: Let S be a subset of {0,1} n such that |S| > (5/8)2 n Let F : S  {0,1} n be a linear function such that: –F(S) spans all of Z q n –F preserves the L norm Then there exists a permutation matrix P such that F(v)=P.v for all v in S.

16. Conclusion The difficulty lies in giving efficient proofs of correctness. We propose a new scheme: PSP –Exploit the multiplicative homomorphism of ElGamal –Exceptionally computationally efficient –PSP only guarantees near correctness Full paper at: http://crypto.stanford.edu/~pgolle