Optimistic Mixing for Exit-Polls
Philippe Golle, Stanford
Sheng Zhong, Yale
Dan Boneh, Stanford
Markus Jakobsson, RSA Labs
Ari Juels, RSA Labs

Mix Server
[Figure: Inputs → Mix Server → Outputs, with a Proof]
A mix server is a cryptographic implementation of a hat.

Mix Network
[Figure: Inputs → Server 1 → Server 2 → Server 3 → Outputs, each server producing a Proof]
• Servers sequentially mix the inputs
• Verify the proofs of correct mixing:
  • OK: accept the output
  • Otherwise: remove cheaters and mix again
If a single mix server is honest, global permutation is secret.

Applications
• Anonymous voting
  • Votes submitted to the mix
  • Votes are mixed
  • Verify correct mixing (expensive):
    • OK: decrypt the votes & announce results of election
    • Otherwise: remove cheater and mix again
• Other applications
  • Anonymous payments
  • Anonymous channels
All these applications require efficient schemes

Properties
• Privacy: outputs can't be matched to inputs
• Correctness: outputs match inputs
• Robustness: an output is produced regardless of possible mix server failures or bad inputs
• Verifiability: local or universal
• Efficiency

Our contribution
• Servers sequentially mix the inputs
• Verify the proofs of correct mixing [expensive]
  • OK: accept the output [the usual case]
  • Otherwise: remove cheaters and mix again [very rare]
• Optimistic mixnet
  • If all servers mix correctly, verification extremely fast
  • If a server cheats, verification slower
• Application: exit-polls
• Note: Cheating by users has (almost) no impact

Comparison of proofs of correct mixing
n = number of inputs
k = number of servers

Zoology of Mix Networks
[Figure: Inputs → ? → Outputs]
• Decryption Mix Nets [Cha81,…]:
  • Inputs: ciphertexts
  • Outputs: decryption of the inputs
• Re-encryption Mix Nets [PIK93,…]:
  • Inputs: ciphertexts
  • Outputs: re-encryption of the inputs

ElGamal Cryptosystem
• ElGamal is a randomized public-key cryptosystem
• Plaintexts in a group $G$ of prime order $q$
• Ciphertexts are pairs $(a, b)$ where $a, b \in G$
• Malleable: $E_r(m) \to E_{r+s}(m)$
• ZK proof that two CT decrypt to the same PT (1 exp)
• Multiplicative homomorphism: $E(m), E(m') \to E(mm')$

Re-encryption Mixnet
0. Setup: mix servers generate a shared ElGamal key
1. Users encrypt their inputs [figure: each Input, Pub-key]
2. Encrypted inputs are mixed [figure: Server 1, Server 2 and Server 3 each re-encrypt & mix and output a Proof]
3. A quorum of mix servers decrypts the outputs [figure: Priv-key, each Output]

Problem
• Mix servers must prove correct re-encryption
  • Inputs: n ElGamal ciphertexts $E(m_i)$
  • Outputs: n ElGamal ciphertexts $E(m'_i)$
• Mix proves that there is a permutation π such that: without revealing π.

Our techniques to Prove Correct Re-encryption
• Proof of product with checksum: Verification that the mix is product-preserving
• Double envelope: Inputs are encrypted twice

Proof of Product
• Mix server:
  • Receives: n ElGamal ciphertexts $E(m_i)$
  • Produces: n ElGamal ciphertexts $E(m'_i)$
• Verifier:
  • Computes: $E(\prod_{i=1}^{n} m_i)$ and $E(\prod_{i=1}^{n} m'_i)$
  • Asks Mix for ZK proof that these CT decrypt to same PT
• Observations:
  • Honest mix can always give this proof
  • Verification is necessary but not sufficient
• Idea: append a cryptographic checksum to the inputs

Proof of Product with Checksum
• Inputs: $m_i$ = E( Input || Checksum(Input) )
• Outputs: $m'_i$ = E( Input || Checksum(Input) )
• Proposition: If
  • All input checksums are correct
  • $\prod m_i = \prod m'_i$
  • All output checksums are correct
  Then $\{m_i\} = \{m'_i\}$ with all but negligible probability

Proof of Product with Checksum
• Submission of inputs: $E(m_i)$ = E( Input || Checksum(input) )
• Mixing
  • Each mix proves $E(\prod m_i) = E(\prod m'_i)$
  • Mixes which fail are kicked out
• Decryption: $m_i$ = Input || Checksum(input)
• Verification of checksum:
  • All checksums OK ⇒ $\{m_i\} = \{m'_i\}$
  • Otherwise: either a mix or a user cheated

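The product check and the checksum check from the two slides above, as an added example that is not part of the original slides: a faulty mix that keeps the product of the plaintexts unchanged passes the product check, and only the checksums reveal it. Assumptions made here: the RFC 2409 Oakley Group 1 prime as the group, truncated SHA-256 as Checksum(), a 0x01 framing byte, a single private key in place of the shared key, and direct decryption of the two product ciphertexts standing in for the ZK proof; all function names are hypothetical.

```python
import hashlib, secrets
from functools import reduce

# RFC 2409 Oakley Group 1 safe prime P = 2Q + 1; 2 generates the order-Q subgroup.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
Q, G = (P - 1) // 2, 2
VOTES = [b"alice:yes", b"bob:no", b"carol:yes"]   # constructed sample inputs

def checksum(data):                 # assumption: truncated SHA-256 as Checksum()
    return hashlib.sha256(data).digest()[:8]

def encode(data):                   # Input || Checksum(Input), mapped into the subgroup
    m = int.from_bytes(b"\x01" + data + checksum(data), "big")
    return m if pow(m, Q, P) == 1 else P - m

def decode(x):                      # returns the input, or None on a bad checksum
    m = x if x <= Q else P - x
    raw = m.to_bytes((m.bit_length() + 7) // 8, "big")[1:]
    return raw[:-8] if len(raw) >= 8 and checksum(raw[:-8]) == raw[-8:] else None

def encrypt(m, y):                  # ElGamal: (g^r, m * y^r)
    r = secrets.randbelow(Q - 1) + 1
    return (pow(G, r, P), m * pow(y, r, P) % P)

def mul(c1, c2):                    # homomorphism: E(m) * E(m') = E(mm')
    return (c1[0] * c2[0] % P, c1[1] * c2[1] % P)

def decrypt(c, x):
    return c[1] * pow(c[0], P - 1 - x, P) % P

def mix(cts, y, faulty=False):
    out = [mul(c, encrypt(1, y)) for c in cts]    # re-encrypt: E_r(m) -> E_{r+s}(m)
    secrets.SystemRandom().shuffle(out)
    if faulty:                      # alters two outputs but keeps the product unchanged
        t = pow(G, 5, P)
        out[0] = (out[0][0], out[0][1] * t % P)
        out[1] = (out[1][0], out[1][1] * pow(t, P - 2, P) % P)
    return out

def run(faulty):
    x = secrets.randbelow(Q - 1) + 1              # private key (shared key in the real scheme)
    y = pow(G, x, P)
    ins = [encrypt(encode(v), y) for v in VOTES]
    outs = mix(ins, y, faulty)
    # Stand-in for the ZK proof: decrypt both product ciphertexts and compare.
    product_ok = decrypt(reduce(mul, ins), x) == decrypt(reduce(mul, outs), x)
    return product_ok, [decode(decrypt(c, x)) for c in outs]
```

`run(False)` returns a passing product check and the three inputs in shuffled order; `run(True)` also passes the product check, but two of the decoded outputs are `None` because their checksums no longer verify.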
Incorrect Output Checksums
• Cheating by user:
  • Input submitted with incorrect Checksum
  • We do not (can not) verify that input checksums OK
  • This cheating is harmless
• Cheating by mix server:
  • One (or several) servers produced corrupted output(s)
  • This cheating is serious:
    • The mix server can trace selected inputs
    • The harm is already done by the time cheating is discovered

Double Envelope
• Replace Input || Checksum(Input) with Input || Checksum(input)

Optimistic Mixnet
• Submission of inputs: $E(m_i)$ = E( Input || Checksum(Input) )
• Mixing
  • Each mix proves $E(\prod m_i) = E(\prod m'_i)$
  • Mixes which fail are kicked out
• Partial decryption: $m_i$ = Input || Checksum( input )
• Verification of checksums…

Optimistic Mixnet (cont'd)
• Verification of checksum:
  • All checksums OK ⇒ $\{m_i\} = \{m'_i\}$. We are done!
  • Otherwise: either a mix or a user cheated
• Investigation of user cheating:
  • Mixes must trace every bad output to a bad input.
  • No privacy for cheating users!
  • If every bad output successfully traced, we are done!
• Otherwise mix servers cheated:
  • The checksums are discarded
  • The Inputs are mixed again with standard mix

Properties of Optimistic Mixnet
• Privacy: for honest users only
• Correctness: OK (if discrete log is hard in $Z_p$)
• Robustness: up to a minority of faulty servers
• Efficiency:
  • Mix: 6n exponentiations
  • Proof: 3 + 3Nk exponentiations
  • Plus cost of alternative decryption if a mix server cheats
• The expensive operation is the mix, not the proof.

Conclusion
• Optimistic mix based on 2 new techniques:
  • Proof of product with checksum
  • Double envelope
• Optimistic mix is extremely fast when no server cheats. Cheating by users has minimal impact on performance
• When a server cheats:
  • Cheating is detected
  • It does not compromise the privacy of users
  • It only causes the mix to run slower
• Application: exit-polls