Optimistic Mixing for Exit-Polls

1
Optimistic Mixing for Exit-Polls

• Philippe Golle, Stanford
• Sheng Zhong, Yale
• Dan Boneh, Stanford
• Markus Jakobsson, RSA Labs
• Ari Juels, RSA Labs

2
Mix Server
Mix Server
?
A mix server is a cryptographic implementation of
a hat.
3
Mix Network
Server 1
Server 2
Server 3
?
?
?

1. Servers sequentially mix the inputs

• Verify the proofs of correct mixing
• OK accept the output
• Otherwise remove cheaters and mix again

If a single mix server is honest, global
permutation is secret.
4
Applications

• Anonymous voting
• Votes submitted to the mix
• Votes are mixed
• Verify correct mixing (expensive)
• OK decrypt the votes announce results of
  election
• Otherwise remove cheater and mix again

• Other applications
• Anonymous payments
• Anonymous channels

All these applications require efficient schemes
5
Properties

• Privacy outputs cant be matched to inputs
• Correctness outputs match inputs
• Robustness an output is produced regardless of
  possible mix server failures or bad inputs
• Verifiability local or universal
• Efficiency

6
Our contribution

• Servers sequentially mix the inputs
• Verify the proofs of correct mixing expensive
• OK accept the output the usual
  case
• Otherwise remove cheaters and mix again very
  rare

• Optimistic mixnet
• If all servers mix correctly, verification
  extremely fast
• If a server cheats, verification slower
• Application exit-polls
• Note Cheating by users has (almost) no impact

7
Comparison of proofs of correct mixing
Cut and Choose ZK SK95,OKST97 642nk
Pairwise Permutations JJ99,Abe99 14nklog n
Matrix Representation FS01 36nk
Polynomial Scheme Nef01 16nk
Randomized Partial Checking JJR01 nk Global privacy
Proof of Subproduct BG02 ak Near-correct
Optimistic Mix GZBJJ02 3 3Nk Optimistic
n number of inputs k number of
servers
8
Optimistic Mixing
9
Zoology of Mix Networks

• Decryption Mix Nets Cha81,
• Inputs ciphertexts
• Outputs decryption of the inputs.
• Re-encryption Mix Nets PIK93,
• Inputs ciphertexts
• Outputs re-encryption of the inputs

10
ElGamal Cryptosystem

• ElGamal is a randomized public-key cryptosystem
• Plaintexts in a group G of prime order q
• Ciphertexts are pairs (a,b) where a,b in G.
• Malleable Er(m) ? Ers(m)
• ZK proof that two CT decrypt to the same PT (1
  exp)
• Multiplicative homomorphism
• E(m) , E(m) ? E(mm)

11
Re-encryption Mixnet
0. Setup mix servers generate a shared ElGamal
key
12
Problem

• Mix servers must prove correct re-encryption
• Inputs n ElGamal ciphertexts E(mi )
• Outputs n ElGamal ciphertexts E(mi)
• Mix proves that there is a permutation p such
  that
• without revealing p.

13
Our techniques to Prove Correct Re-encryption

• Proof of product with checksum Verification that
  the mix is product-preserving
• Double-enveloppe
• Inputs are encrypted twice

14
Proof of Product

• Mix server
• Receives n ElGamal ciphertexts E(mi )
• Produces n ElGamal ciphertexts E(mi)

• Observations
• Honest mix can always give this proof
• Verification is necessary but not sufficient
• Idea append a cryptographic checksum to the
  inputs

15
Proof of Product with Checksum

• Inputs mi E( Input Checksum(Input) )
• Outputs mi E( Input Checksum(Input) )
• Proposition If
• All input checksums are correct
• ? mi ? mi
• All output checksums are correct
• Then mimi with all but negligible
  probability

16
Proof of Product with Checksum
Input Checksum(input)

• Submission of inputs E(mi)
• Mixing
• Each mix proves E(? mi) E(? mi)
  
• Mixes which fail are kicked out
• Decryption mi Input
  Checksum(input)
• Verification of checksum
• All checksums OK ? mimi
• Otherwise either a mix or a user cheated

17
Incorrect Output Checksums

• Cheating by user
• Input submitted with incorrect Checksum
• We do not (can not) verify that input checksums
  OK
• This cheating is harmless
• Cheating by mix server
• One (or several) servers produced corrupted
  output(s)
• This cheating is serious
• The mix server can trace selected inputs
• The harm is already done by the time cheating is
  discovered

18
Double Envelope
Input Checksum(input)
Replace with
19
Optimistic Mixnet

• Submission of inputs E(mi)
• Mixing
• Each mix proves E(? mi) E(? mi)
  
• Mixes which fail are kicked out
• Partial decryption mi Input
  Checksum( input )
• Verification of checksums

20
Optimistic Mixnet (contd)

• Verification of checksum
• All checksums OK ? mimi We are done!
• Otherwise either a mix or a user cheated
• Investigation of user cheating
• Mixes must trace every bad output to a bad input.
• No privacy for cheating users!
• If every bad output successfully traced, We are
  done!
• Otherwise mix servers cheated
• The checksums are discarded
• The Inputs are mixed again with standard mix

21
Properties of Optimistic Mixnet

• Privacy for honest users only
• Correctness OK (if discrete log is hard in Zp)
• Robustness up to a minority of faulty servers
• Efficiency
• Mix 6n exponentiations
• Proof 3 3Nk exponentiations
• Plus cost of alternative decryption if a mix
  server cheats
• The expensive operation is the mix, not the proof.

22
Conclusion

• Optimistic mix based on 2 new techniques
• Proof of product with checksum
• Double envelope
• Optimistic mix is extremely fast when no server
  cheats. Cheating by users has minimal impact on
  performance
• When a server cheats
• Cheating is detected
• It does not compromise the privacy of users
• It only causes the mix to run slower
• Application exit-polls