Download presentation
Presentation is loading. Please wait.
Published byJoel Logan Modified over 8 years ago
1
Almost Entirely Correct Mixing With Applications to Voting Philippe Golle Dan Boneh Stanford University
2
Mix Server A mix server is a cryptographic implementation of a hat. InputsOutputs ? Mix Server Proof
3
Mix Network Mix network A group of mix servers that operate sequentially. Server 1Server 2Server 3 InputsOutputs ??? Proof If a single mix server is honest, global permutation is secret.
4
Applications Other applications: –Anonymous payments –Anonymous channels All these applications require efficient schemes Anonymous voting Mix SubmissionTabulation
5
Properties Privacy: outputs can’t be matched to inputs Correctness: outputs match inputs Robustness: an output is produced regardless of possible mix server failures or bad inputs Verifiability: local or universal Efficiency
6
Zoology of Mix Networks Decryption Mix Nets [Cha81,…]: –Inputs: ciphertexts –Outputs: decryption of the inputs. Re-encryption Mix Nets[PIK93,…]: –Inputs: ciphertexts –Outputs: re-encryption of the inputs InputsOutputs ?
7
Re-encryption Mixnet 0.Setup: mix servers generate a shared ElGamal key 1. Users encrypt their inputs: Input Pub-key 3. A quorum of mix servers decrypts the outputs Output Priv-key Server 1Server 2Server 3 re-encrypt & mix re-encrypt & mix re-encrypt & mix 2. Encrypted inputs are mixed: Proof
8
ElGamal Cryptosystem ElGamal is a randomized public-key cryptosystem Plaintexts in a group G of prime order q Ciphertext are pairs (a,b) where a,b in G. Malleable: E r (m) E r+s (m) ZK proof that two CT decrypt to the same PT (1 exp) M ultiplicative homomorphism: E(m), E(m’) E(mm’)
9
Problem Mix servers must prove correct re-encryption –Inputs: n ElGamal ciphertexts E(m i ) –Outputs: n ElGamal ciphertexts E(m’ i ) Mix proves that there is a permutation π such that: without revealing π.
10
Quick survey of proofs of re-encryption Cut and Choose ZK [SK95,OKST97] 642nk Pairwise Permutations [JJ99,Abe99] 14nk·log n Matrix Representation [FS01] 36nk Polynomial Scheme [Nef01] 16nk Randomized Partial Checking [JJR01] nk Global privacy Optimistic Mix [GZBJJ02] 6 + 12k Optimistic Proof of Subproduct[BG02] αkαk Near-correct n = number of inputs k = number of servers
11
Proving Correct Re-encryption Mix server: –Receives: n ElGamal ciphertexts E(m i ) –Produces: n ElGamal ciphertexts E(m’ i ) Observations: –Honest mix can always give this proof –Verification is necessary but not sufficient –Idea: use random subsets the name PSP Verifier: –Computes: E( i=1 m i ) and E( i=1 m’ i ) –Ask Mix for ZK proof that these CT decrypt to same PT. n n
12
Proof-of-Subproduct (PSP) Mix net 1.Mix the inputs S Mix Server S’ Inputs m i Outputs m’ i 3. Verifiers choose random subset S 4. The mix server reveals image S’ 5. Mix gives ZK proof that Repeat α times 2. Mix gives ZK proof that i=1 m i = i=1 m’ i mod q nn
13
Properties of PSP PSP is sound PSP is robust Efficiency (per mix server, for n inputs): Mixing: n exponentiations Proof:α exponentiations (e.g. α = 5) Constant in number of inputs! Privacy: users only lose α bits of privacy on average Theorem: cheating mix is detected with prob > Conjecture: cheating is detected with prob > where w is the number of wrong outputs
14
Applications of PSP Large elections: 160,000 ballots. Suppose the mixnet corrupts 100 votes. With α = 6: Every ballot hidden among 2,500 others Provable bound: prob > 94% cheating detected Conjectured bound: prob > 99.9% cheating detected PSP is compatible with other verification schemes that offer full correctness: Use PSP to verify output Announce the output Run another slower scheme to verify the output
15
Proof of Correctness Theorem: cheating is detected with probability 1 – (5/8) A cheating mix that fools the verifier with prob > 1 – (5/8) can compute discrete logarithm in G. Reduction relies on the following theorem: Let S be a subset of {0,1} n such that |S| > (5/8)2 n Let F : S {0,1} n be a linear function such that: –F(S) spans all of Z q n –F preserves the L norm Then there exists a permutation matrix P such that F(v)=P.v for all v in S.
16
Conclusion The difficulty lies in giving efficient proofs of correctness. We propose a new scheme: PSP –Exploit the multiplicative homomorphism of ElGamal –Exceptionally computationally efficient –PSP only guarantees near correctness Full paper at: http://crypto.stanford.edu/~pgolle
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.