1 / 22

Optimistic Mixing for Exit-Polls

Optimistic Mixing for Exit-Polls. Philippe Golle, Stanford Sheng Zhong, Yale Dan Boneh, Stanford Markus Jakobsson, RSA Labs Ari Juels, RSA Labs. Inputs. Outputs. Proof. Mix Server. Mix Server. ?. A mix server is a cryptographic implementation of a hat. Proof. Proof. Proof.

alunceford
Download Presentation

Optimistic Mixing for Exit-Polls

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Optimistic Mixing for Exit-Polls Philippe Golle, Stanford Sheng Zhong, Yale Dan Boneh, Stanford Markus Jakobsson, RSA Labs Ari Juels, RSA Labs

  2. Inputs Outputs Proof Mix Server Mix Server ? A mix server is a cryptographic implementation of a hat.

  3. Proof Proof Proof Inputs Outputs Mix Network Server 1 Server 2 Server 3 ? ? ? • Servers sequentially mix the inputs • Verify the proofs of correct mixing: • OK: accept the output • Otherwise: remove cheaters and mix again If a single mix server is honest, global permutation is secret.

  4. Applications • Anonymous voting • Votes submitted to the mix • Votes are mixed • Verify correct mixing (expensive): • OK: decrypt the votes & announce results of election • Otherwise: remove cheater and mix again • Other applications • Anonymous payments • Anonymous channels All these applications require efficient schemes

  5. Properties • Privacy: outputs can’t be matched to inputs • Correctness: outputs match inputs • Robustness: an output is produced regardless of possible mix server failures or bad inputs • Verifiability: local or universal • Efficiency

  6. Our contribution • Servers sequentially mix the inputs • Verify the proofs of correct mixing [expensive] • OK: accept the output [the usual case] • Otherwise: remove cheaters and mix again [very rare] • Optimistic mixnet • If all servers mix correctly, verification extremely fast • If a server cheats, verification slower • Application: exit-polls • Note: Cheating by users has (almost) no impact

  7. Comparison of proofs of correct mixing n = number of inputs k = number of servers

  8. Optimistic Mixing

  9. ? Inputs Outputs Zoology of Mix Networks • Decryption Mix Nets [Cha81,…]: • Inputs: ciphertexts • Outputs: decryption of the inputs. • Re-encryption Mix Nets [PIK93,…]: • Inputs: ciphertexts • Outputs: re-encryption of the inputs

  10. ElGamal Cryptosystem • ElGamal is a randomized public-key cryptosystem • Plaintexts in a group G of prime order q • Ciphertexts are pairs (a,b) where a,b in G. • Malleable: Er(m)  Er+s(m) • ZK proof that two CT decrypt to the same PT (1 exp) • Multiplicative homomorphism: E(m) , E(m’)  E(mm’)

  11. 1. Users encrypt their inputs: Input Input Pub-key 2. Encrypted inputs are mixed: Server 1 Server 2 Server 3 re-encrypt & mix re-encrypt & mix re-encrypt & mix Proof Proof Proof 3. A quorum of mix servers decrypts the outputs Priv-key Output Output Re-encryption Mixnet 0. Setup: mix servers generate a shared ElGamal key

  12. Problem • Mix servers must prove correct re-encryption • Inputs: n ElGamal ciphertexts E(mi ) • Outputs: n ElGamal ciphertexts E(m’i) • Mix proves that there is a permutation π such that: without revealing π.

  13. Our techniques to Prove Correct Re-encryption • Proof of product with checksum: Verification that the mix is product-preserving • Double-enveloppe: Inputs are encrypted twice

  14. Verifier: • Computes: E(i=1mi) and E(i=1m’i) • Ask Mix for ZK proof that these CT decrypt to same PT. n n Proof of Product • Mix server: • Receives: n ElGamal ciphertexts E(mi ) • Produces: n ElGamal ciphertexts E(m’i) • Observations: • Honest mix can always give this proof • Verification is necessary but not sufficient • Idea: append a cryptographic checksum to the inputs

  15. Proof of Product with Checksum • Inputs: mi = E( Input || Checksum(Input) ) • Outputs: m’i = E( Input || Checksum(Input) ) • Proposition: If • All input checksums are correct • mi = m’i • All output checksums are correct Then {mi}={m’i} with all but negligible probability

  16. Proof of Product with Checksum Input || Checksum(input) • Submission of inputs E(mi) = • Mixing • Each mix proves E(mi) = E(m’i) • Mixes which fail are kicked out • Decryption mi = Input || Checksum(input) • Verification of checksum: • All checksums OK  {mi}={m’i} • Otherwise: either a mix or a user cheated

  17. Incorrect Output Checksums • Cheating by user: • Input submitted with incorrect Checksum • We do not (can not) verify that input checksums OK • This cheating is harmless • Cheating by mix server: • One (or several) servers produced corrupted output(s) • This cheating is serious: • The mix server can trace selected inputs • The harm is already done by the time cheating is discovered

  18. Input || Checksum ( Input) Double Envelope Replace with Input || Checksum(input)

  19. Input || Checksum ( Input) Optimistic Mixnet • Submission of inputs E(mi) = • Mixing • Each mix proves E(mi) = E(m’i) • Mixes which fail are kicked out • Partial decryption mi = Input || Checksum( input ) • Verification of checksums…

  20. Optimistic Mixnet (cont’d) • Verification of checksum: • All checksums OK  {mi}={m’i} We are done! • Otherwise: either a mix or a user cheated • Investigation of user cheating: • Mixes must trace every bad output to a bad input. • No privacy for cheating users! • If every bad output successfully traced, We are done! • Otherwise mix servers cheated: • The checksums are discarded • The Inputs are mixed again with standard mix

  21. Properties of Optimistic Mixnet • Privacy: for honest users only • Correctness: OK (if discrete log is hard in Zp) • Robustness: up to a minority of faulty servers • Efficiency: • Mix: 6n exponentiations • Proof: 3 + 3Nk exponentiations • Plus cost of alternative decryption if a mix server cheats • The expensive operation is the mix, not the proof.

  22. Conclusion • Optimistic mix based on 2 new techniques: • Proof of product with checksum • Double envelope • Optimistic mix is extremely fast when no server cheats. Cheating by users has minimal impact on performance • When a server cheats: • Cheating is detected • It does not compromise the privacy of users • It only causes the mix to run slower • Application: exit-polls

More Related