Mix Networks

1
Mix Networks
2
Contents

• Mix Network (Mixnet)
• Two demonstrations
• Mixnet Applications
• Mixnet Requirements
• Robustness of Mixnets
• Checking a Mixnets Robustness

3
Electronic Voting Demonstration

• Who do you like best?
• Put your ballot into
• an WHITE envelope
• and put again in a RED
  one and sign on it

• Washington
• Lincoln
• Roosevelt

4
Electronic Voting Demo. (Contd)

• Administrators will
• Verify signatures together
• 1st Admin. shuffles and
  opens RED envelopes
• Send them to 2nd Admin.
  
• 2nd Admin. shuffles again and
  opens WHITE envelopes
• Count ballots together

5
A real system for elections

• Sign voter 1 (encr(encr (vote1)))
• Sign voter 2 (encr(encr (vote2)))
• .
• .
• .
• Sign voter n (encr(encr (voten)))

vote1 vote2 vote3 . . voten
Mix Net
Mix Net
6
MIX NETWORKS

• Hide ? who voted for whom?
  ? who paid whom?
• ? who said what?
• Good for protecting privacy for
• election and communication
• Used as a privacy building block

Note all of the following focuses on synchronous
mixes.
7
Electronic Payment Demo.

• Choose one person you like to pay 5
• Put your ballot into
• an WHITE envelope
• and put again in a RED
  one and sign on it

Name of the person ( ___________ )
8
Electronic Voting Demo. (Contd)

• Administrators will
• Verify signatures together
• Deduct 5 from each account
• 1st Admin. shuffles and
  opens RED envelopes
• Send them to 2nd Admin.
  
• 2nd Admin. shuffles again and
  opens WHITE envelopes
• Credit 5 to recipients

9
For payments
payee1 payee2 payee3 . . payeen

• Sign payer 1 (encr(encr (payee1)))
• Sign payer 2 (encr(encr (payee2)))
• .
• .
• .
• .
• .
• Sign payer n (encr(encr (payeen)))

D E D U C T
Mix Net
Credit

• Name
• (________ )

10
For email communication
. . .

• encr (email1, addressee1)
• encr (email2, addressee2)
• .
• .
• .
• encr (emailn, addresseen)

To Jerry Dont forget to have lunch.
Deliver
11
Other uses

• Anonymous web browsing (LPWA Anonymizer)

From LPWA homepage
12
Other uses (Contd)

• Location privacy for cellular devices

• Location-based service is GOOD !
• Landline-phone calling to 911 in the US, 112 in
  Europe
• All cellular carrier by December 2005
• RISK !
• Location-based spam
• Harm to a reputation

13
Other uses (Contd)

• Private physical deliveries
• Example Fedex
• Observer doesnt know who sent to whom
• Anonymize senders information
  by temporary pseudonym ID
  number
• Anonymous bulletin boards

Mix
From A. Juels at WOTE01
14
Other uses (Contd)

• Sometimes abuses
• Avoid legislation (e.g., piracy)
  
• I had no idea that I etc
• Especially good for election
  but can be abused in other
  application

15
Principle
Chaum 81
Issues
Privacy Efficiency Trust Robustness
16
But what about robustness?
I ignore his output
and produce my own

• encr(Berry)
• encr(Kush)
• encr(Kush)

Kush Kush Kush
There is no robustness!
17
Requirements

• Privacy
  Nobody
  knows who said what
• Efficiency
  Mixing is efficient (
  practically useful)
• Trust
  How many entities do we have
  to trust?
• Robustness
  Will replacement cheaters be
  caught?

18
First Solution
Chaum 81, implemented by Syverson, Goldschlag
Not robust (or tolerates 0 cheaters for
correctness) Requires every server to
participate (and in the right order!)
19
Recall El Gamal encryption

• Public parameters q is a prime
• p 2kq1 is a prime
• g generator of Gp
• Secret key of a user x (where 0 lt x lt q)
• Public key of this user y gx mod p

20
El Gamal Encryption (encrypt m using y)

• For message (or plaintext) m
• Pick a number k randomly from 0q-1
• Compute a yk. m mod p
  b gk
  mod p
• Output (a,b)

Decryption technique (to decrypt (a,b) using x)
Compute m a / bx ( yk. m gxk.
m) (gk)x gkx
21
Re-encryption technique

• Input a ciphertext (a,b) wrt public key y
• Pick a number a randomly from 0q-1
• Compute
  a ya . a mod p
  
  b ga . b mod p
• Output (a, b)
• Same decryption technique!

Compute m a / bx ( yk. ya . m gx
(ka). m) (gk . ga )x
g (ka)x
22
A simple mix

• (a1, b1)
• (a2, b2)
• .
• .
• .
• (an, bn)

(a1,b1) (a2,b2) . . . (an,bn)
(a1,b1) (a2,b2) . . . (an,b
n)
Note different cipher text, different
re-encryption exponents!
23
And to get privacy permute, too!

• (a1, b1)
• (a2, b2)
• .
• .
• .
• (an, bn)

(a1,b1) (a2,b2) . . . (an,b
n)
24
But what if the two servers cheat?

Add more! They all have to collude!
25
Problem in proving correct re-encryption
Privacy?
Robustness?
26
Random Partial Checking
Jakobsson-Juels-Rivest 02
cheater changes one vote. Probability
discovered 1- ½ cheaters change K votes.
Probability discovers 1- (½)k
For k 80 negligible probability Even close
races differ in more than 80 votes!