
Almost Entirely Correct Mixing With Applications to Voting




  1. Almost Entirely Correct Mixing With Applications to Voting
     Philippe Golle, Dan Boneh
     Stanford University

  2. Mix Server
     [Diagram: Inputs → Mix Server (?) → Outputs, with Proof]
     A mix server is a cryptographic implementation of a hat.

  3. Mix Network
     [Diagram: Inputs → Server 1 (?) → Server 2 (?) → Server 3 (?) → Outputs, each server with a Proof]
     • Mix network: a group of mix servers that operate sequentially.
     • If a single mix server is honest, global permutation is secret.

  4. Applications
     [Diagram: Submission, Mix, Tabulation]
     • Anonymous voting
     • Other applications:
       • Anonymous payments
       • Anonymous channels
     All these applications require efficient schemes

  5. Properties
     • Privacy: outputs can’t be matched to inputs
     • Correctness: outputs match inputs
     • Robustness: an output is produced regardless of possible mix server failures or bad inputs
     • Verifiability: local or universal
     • Efficiency

  6. Zoology of Mix Networks
     [Diagram: Inputs → ? → Outputs]
     • Decryption Mix Nets [Cha81,…]:
       • Inputs: ciphertexts
       • Outputs: decryption of the inputs
     • Re-encryption Mix Nets [PIK93,…]:
       • Inputs: ciphertexts
       • Outputs: re-encryption of the inputs

  7. Re-encryption Mixnet
     0. Setup: mix servers generate a shared ElGamal key
     1. Users encrypt their inputs [Diagram: Input, Input, Pub-key]
     2. Encrypted inputs are mixed: Server 1, Server 2 and Server 3 each re-encrypt & mix, each with a Proof
     3. A quorum of mix servers decrypts the outputs [Diagram: Priv-key, Output, Output]

  8. ElGamal Cryptosystem
     • ElGamal is a randomized public-key cryptosystem
     • Plaintexts in a group G of prime order q
     • Ciphertexts are pairs (a,b) where a,b in G.
     • Malleable: $E_r(m) \to E_{r+s}(m)$
     • ZK proof that two CT decrypt to the same PT (1 exp)
     • Multiplicative homomorphism: $E(m),\ E(m') \to E(mm')$

  9. Problem
     • Mix servers must prove correct re-encryption
       • Inputs: n ElGamal ciphertexts $E(m_i)$
       • Outputs: n ElGamal ciphertexts $E(m'_i)$
     • Mix proves that there is a permutation π such that: without revealing π.

  10. Quick survey of proofs of re-encryption
      n = number of inputs, k = number of servers

  11. Proving Correct Re-encryption
      • Mix server:
        • Receives: n ElGamal ciphertexts $E(m_i)$
        • Produces: n ElGamal ciphertexts $E(m'_i)$
      • Verifier:
        • Computes: $E(\prod_{i=1}^{n} m_i)$ and $E(\prod_{i=1}^{n} m'_i)$
        • Asks Mix for ZK proof that these CT decrypt to same PT.
      • Observations:
        • Honest mix can always give this proof
        • Verification is necessary but not sufficient
      • Idea: use random subsets → the name PSP

  12. Proof-of-Subproduct (PSP)
      [Diagram: Mix net; Mix Server; Inputs $m_i$ with subset S; Outputs $m'_i$ with subset S']
      1. Mix the inputs
      2. Mix gives ZK proof that $\prod_{i=1}^{n} m_i = \prod_{i=1}^{n} m'_i \bmod q$
      3. Verifiers choose random subset S
      4. The mix server reveals image S'
      5. Mix gives ZK proof that
      Repeat α times

  13. Properties of PSP
      • PSP is sound
        Theorem: cheating mix is detected with prob >
        Conjecture: cheating is detected with prob > where w is the number of wrong outputs
      • PSP is robust
      • Efficiency (per mix server, for n inputs):
        • Mixing: n exponentiations
        • Proof: α exponentiations (e.g. α = 5)
        • Constant in number of inputs!
      • Privacy: users only lose α bits of privacy on average

  14. Applications of PSP
      • Large elections: 160,000 ballots.
        • Suppose the mixnet corrupts 100 votes.
        • With α = 6:
          • Every ballot hidden among 2,500 others
          • Provable bound: prob > 94% cheating detected
          • Conjectured bound: prob > 99.9% cheating detected
      • PSP is compatible with other verification schemes that offer full correctness:
        • Use PSP to verify output
        • Announce the output
        • Run another slower scheme to verify the output

  15. Proof of Correctness
      • Theorem: cheating is detected with probability 1 – (5/8)
      • A cheating mix that fools the verifier with prob > 1 – (5/8) can compute discrete logarithm in G.
      • Reduction relies on the following theorem:
        Let S be a subset of $\{0,1\}^n$ such that $|S| > (5/8)\,2^n$.
        Let $F : S \to \{0,1\}^n$ be a linear function such that:
        • F(S) spans all of $\mathbb{Z}_q^n$
        • F preserves the L norm
        Then there exists a permutation matrix P such that $F(v) = P \cdot v$ for all v in S.

  16. Conclusion
      • The difficulty lies in giving efficient proofs of correctness.
      • We propose a new scheme: PSP
        • Exploit the multiplicative homomorphism of ElGamal
        • Exceptionally computationally efficient
        • PSP only guarantees near correctness
      • Full paper at: http://crypto.stanford.edu/~pgolle
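
The checks on slides 11 and 12, as an added example (not from the presentation or the paper): a toy ElGamal re-encryption mix in which two outputs altered by c and 1/c pass the full-product check but fail a subproduct check. The group parameters, the `cheat` flag, all function names, and the use of the private key in `same_plaintext` as a stand-in for the ZK proof are assumptions made for illustration.

```python
import random

P, Q, G = 2039, 1019, 4  # toy order-Q subgroup of Z_P*, P = 2Q + 1 (constructed, insecure size)

def encrypt(y, m, rng):
    r = rng.randrange(1, Q)
    return pow(G, r, P), m * pow(y, r, P) % P

def reencrypt(y, ct, rng):
    # Malleability: E_r(m) -> E_{r+s}(m) without knowing m or r.
    s = rng.randrange(1, Q)
    return ct[0] * pow(G, s, P) % P, ct[1] * pow(y, s, P) % P

def decrypt(x, ct):
    return ct[1] * pow(ct[0], P - 1 - x, P) % P  # b * a^(-x)

def product(cts):
    # Multiplicative homomorphism: the componentwise product encrypts the product of plaintexts.
    a = b = 1
    for ca, cb in cts:
        a, b = a * ca % P, b * cb % P
    return a, b

def same_plaintext(x, ct1, ct2):
    # ASSUMPTION: decrypting with the private key stands in for the mix server's ZK proof.
    return decrypt(x, ct1) == decrypt(x, ct2)

def mix(y, inputs, rng, cheat=False):
    perm = list(range(len(inputs)))
    rng.shuffle(perm)  # output j is a re-encryption of input perm[j]
    outputs = [reencrypt(y, inputs[i], rng) for i in perm]
    if cheat:  # hypothetical tampering: scale two plaintexts by c and 1/c, total product unchanged
        c = pow(G, 7, P)
        outputs[0] = (outputs[0][0], outputs[0][1] * c % P)
        outputs[1] = (outputs[1][0], outputs[1][1] * pow(c, P - 2, P) % P)
    return outputs, perm

def subproduct_ok(x, inputs, outputs, perm, S):
    # The mix reveals the image S' of S; the verifier compares the two subproducts.
    S_img = [j for j, i in enumerate(perm) if i in S]
    return same_plaintext(x, product([inputs[i] for i in S]),
                          product([outputs[j] for j in S_img]))

def psp_verify(x, inputs, outputs, perm, alpha, rng):
    n = len(inputs)
    if not subproduct_ok(x, inputs, outputs, perm, set(range(n))):  # full-product check
        return False
    return all(subproduct_ok(x, inputs, outputs, perm,
                             {i for i in range(n) if rng.random() < 0.5})
               for _ in range(alpha))

def demo(seed=1):
    rng = random.Random(seed)
    x = rng.randrange(1, Q)  # private key; public key is G^x
    y = pow(G, x, P)
    return x, y, [encrypt(y, pow(v, 2, P), rng) for v in range(2, 10)], rng  # constructed inputs
```

Here the tampering mix reveals the true image S'; a subset containing the source of exactly one altered output exposes the change, while a subset containing both or neither does not.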
