Almost Entirely Correct Mixing With Applications to Voting

1
Almost Entirely Correct Mixing With Applications to Voting
  • Philippe Golle
  • Dan Boneh
  • Stanford University

2
Mix Server
[Figure: Mix Server]
A mix server is a cryptographic implementation of a hat.

3
Mix Network
  • Mix network: a group of mix servers that operate
    sequentially.
[Figure: Server 1, Server 2, Server 3]
  • If a single mix server is honest, the global
    permutation is secret.

4
Applications
  • Anonymous voting
  • Other applications
      • Anonymous payments
      • Anonymous channels

All these applications require efficient schemes.

5
Properties
  • Privacy: outputs can't be matched to inputs
  • Correctness: outputs match inputs
  • Robustness: an output is produced regardless of
    possible mix server failures or bad inputs
  • Verifiability: local or universal
  • Efficiency

6
Zoology of Mix Networks
  • Decryption Mix Nets [Cha81, ...]
      • Inputs: ciphertexts
      • Outputs: decryption of the inputs
  • Re-encryption Mix Nets [PIK93, ...]
      • Inputs: ciphertexts
      • Outputs: re-encryption of the inputs

7
Re-encryption Mixnet
0. Setup: mix servers generate a shared ElGamal key

8
ElGamal Cryptosystem
  • ElGamal is a randomized public-key cryptosystem
  • Plaintexts in a group G of prime order q
  • Ciphertexts are pairs (a, b) where a, b in G
  • Malleable: E_r(m) → E_{r+s}(m)
  • ZK proof that two ciphertexts decrypt to the same
    plaintext (1 exponentiation)
  • Multiplicative homomorphism:
    E(m), E(m') → E(m·m')

9
Problem
  • Mix servers must prove correct re-encryption
  • Inputs: n ElGamal ciphertexts E(m_i)
  • Outputs: n ElGamal ciphertexts E(m_i)
  • Mix proves that there is a permutation p such
    that
  • without revealing p.

10
Quick survey of proofs of re-encryption
n: number of inputs; k: number of servers

11
Proving Correct Re-encryption
  • Mix server
      • Receives n ElGamal ciphertexts E(m_i)
      • Produces n ElGamal ciphertexts E(m_i)
  • Observations
      • Honest mix can always give this proof
      • Verification is necessary but not sufficient
  • Idea: use random subsets → the name PSP

12
Proof-of-Subproduct (PSP) Mix net
[Figure: Mix Server; Inputs m_i; Outputs m_i; S; S]
  • Mix the inputs

3. Verifiers choose random subset S
4. The mix server reveals image S
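
The subset challenge of slides 11 and 12, as a runnable sketch (an added example, not code from the presentation or the paper). Assumptions: a toy group (P = 2039, Q = 1019, G = 4), hypothetical function names, a constructed tampering strategy that swaps a factor d between two plaintexts so the whole-set product is unchanged, and the mix reveals the summed re-encryption exponent for S in place of the ZK proof of equal plaintexts listed on the ElGamal slide.

```python
import random

# Toy group, assumed for illustration only: P = 2Q + 1, G has prime order Q.
P, Q, G = 2039, 1019, 4

def encrypt(y, m, rng):
    r = rng.randrange(1, Q)
    return (pow(G, r, P), m * pow(y, r, P) % P)

def mix(y, inputs, rng, tamper=None):
    """Re-encrypt and permute; also return the mix's secrets perm and r."""
    n = len(inputs)
    perm = list(range(n))          # perm[i] = output slot of input i
    rng.shuffle(perm)
    r = [rng.randrange(1, Q) for _ in range(n)]
    out = [None] * n
    for i, (a, b) in enumerate(inputs):
        out[perm[i]] = (a * pow(G, r[i], P) % P, b * pow(y, r[i], P) % P)
    if tamper:  # cheating mix: plaintext i times d, plaintext j times 1/d
        i, j, d = tamper
        for k, f in ((i, d), (j, pow(d, -1, P))):
            a, b = out[perm[k]]
            out[perm[k]] = (a, b * f % P)
    return out, perm, r

def respond(S, perm, r):
    """Mix's answer to challenge S: the image of S and the summed exponents."""
    return sorted(perm[i] for i in S), sum(r[i] for i in S) % Q

def product(cts):
    a = b = 1
    for x, z in cts:
        a, b = a * x % P, b * z % P
    return a, b

def verify(y, inputs, outputs, S, image, R):
    """Accept iff image has |S| slots and prod(image) re-encrypts prod(S) by R."""
    a, b = product(inputs[i] for i in S)
    a2, b2 = product(outputs[j] for j in image)
    return (len(set(image)) == len(S)
            and a2 == a * pow(G, R, P) % P and b2 == b * pow(y, R, P) % P)

def run_psp(y, inputs, outputs, perm, r, alpha, rng):
    """alpha rounds with uniformly random subsets; True iff every round accepts."""
    for _ in range(alpha):
        S = [i for i in range(len(inputs)) if rng.random() < 0.5]
        if not verify(y, inputs, outputs, S, *respond(S, perm, r)):
            return False
    return True
```

This particular tampering passes when S is the whole input set and is caught in a round only when S contains exactly one of the two altered inputs, which is why the check is repeated over random subsets.
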
13
Properties of PSP
  • PSP is sound
  • PSP is robust
  • Efficiency (per mix server, for n inputs)
      • Mixing: n exponentiations
      • Proof: α exponentiations (e.g. α = 5)
      • Constant in number of inputs!
  • Privacy: users only lose α bits of privacy on
    average

14
Applications of PSP
  • Large elections: 160,000 ballots.
  • Suppose the mixnet corrupts 100 votes.
  • With α = 6:
      • Every ballot hidden among 2,500 others
      • Provable bound: prob > 94% cheating detected
      • Conjectured bound: prob > 99.9% cheating
        detected
  • PSP is compatible with other verification
    schemes that offer full correctness:
      • Use PSP to verify output
      • Announce the output
      • Run another slower scheme to verify the output

15
Proof of Correctness
  • Theorem: cheating is detected with probability
    1 − (5/8)^α
  • A cheating mix that fools the verifier with
    prob > 1 − (5/8)^α can compute discrete logarithm
    in G.
  • Reduction relies on the following theorem:
      • Let S be a subset of {0,1}^n such that
        |S| > (5/8)·2^n
      • Let F: S → {0,1}^n be a linear function such
        that
          • F(S) spans all of Z_q^n
          • F preserves the L norm
      • Then there exists a permutation matrix P such
        that F(v) = P·v for all v in S.

16
Conclusion
  • The difficulty lies in giving efficient proofs of
    correctness.
  • We propose a new scheme: PSP
      • Exploit the multiplicative homomorphism of
        ElGamal
      • Exceptionally computationally efficient
  • PSP only guarantees near correctness
  • Full paper at http://crypto.stanford.edu/pgolle