Secure and Insecure Mixing
Shahram Khazaei
March 10, 2012
Voting
- Voters cast secret votes
- Authorities reveal the votes in random order
Mix-Net
(Figure: the ciphertexts Epk(v1), …, Epk(vN) enter the mix-net and the votes vπ(1), …, vπ(N) leave it in permuted order.)
- Input: ci = Epk(vi)
- Decryption: vi = Dsk(ci)
- Output: di = vπ(i), for a secret permutation π
Chaum's Mix-Net (1981)
(Figure: Server 1, Server 2 and Server 3 in sequence; the votes A, B, C, D enter and leave in a permuted order.)
- To distribute trust, several mix-servers cooperate
- Voters use the servers' public keys in reverse order to encrypt their votes
- Mix-servers decrypt and permute
Homomorphic encryption
- Epk(m, r) ∙ Epk(m', s) = Epk(m∙m', r+s)
- Rerandomization of a ciphertext: Epk(m, r) ∙ Epk(1, s) = Epk(m, r+s)
Re-encryption Mix (PIK'93)
(Figure: Epk(v1, r1), …, Epk(vN, rN) → Re-encrypt & Permute → Epk(vπ(1), t1), …, Epk(vπ(N), tN) → Joint Decryption → vπ(1), …, vπ(N).)
Mix-Net
(Figure: Server 1, Server 2 and Server 3 in sequence; the ciphertexts of A, B, C, D enter and leave in a permuted order.)
- To distribute trust, each mix-server in sequence shuffles the ciphertexts from the previous mix-server
Re-encrypt & Permute
- ci = Epk(vi; ri)
- ei = ci ∙ Epk(1; si)
- di = eπ(i)
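The homomorphic property, the rerandomization identity and the re-encrypt-and-permute step of the last few slides, worked through in code. This is an added example, not code from the talk: it uses textbook ElGamal over a toy safe-prime group (constructed parameters P, Q, G, far too small for real use) and a single decryption key where the slides have a joint decryption.

```python
import secrets

# Toy safe-prime group, constructed for illustration only (far too small for real use):
P = 2039   # p = 2q + 1
Q = 1019   # prime order of the subgroup generated by G
G = 4      # 2^2, so G generates the order-Q subgroup of quadratic residues mod P

def keygen():
    """ElGamal key pair (sk, pk = G^sk)."""
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def enc(pk, m, r):
    """Epk(m; r) = (G^r, m * pk^r): the randomness r is explicit, as on the slides."""
    return (pow(G, r, P), m * pow(pk, r, P) % P)

def dec(sk, c):
    a, b = c
    return b * pow(a, Q - sk, P) % P   # a^(Q-sk) = a^(-sk) because a has order Q

def mul(c1, c2):
    """Homomorphic property: Epk(m, r) * Epk(m', s) = Epk(m*m', r+s)."""
    return (c1[0] * c2[0] % P, c1[1] * c2[1] % P)

def reencrypt(pk, c, s):
    """Rerandomization: Epk(m, r) * Epk(1, s) = Epk(m, r+s); the plaintext is untouched."""
    return mul(c, enc(pk, 1, s))

def mix_server(pk, cts):
    """One re-encryption mix-server: e_i = c_i * Epk(1; s_i), then d_i = e_pi(i)."""
    es = [reencrypt(pk, c, secrets.randbelow(Q)) for c in cts]
    pi = list(range(len(es)))
    for i in range(len(pi) - 1, 0, -1):        # Fisher-Yates shuffle with a CSPRNG
        j = secrets.randbelow(i + 1)
        pi[i], pi[j] = pi[j], pi[i]
    return [es[i] for i in pi]

def run_mixnet(sk, pk, votes, servers=3):
    """Votes (small integers) are encoded as G^v so they lie in the subgroup; the
    ciphertexts pass through `servers` mix-servers in sequence and are then decrypted
    by the holder of sk (standing in for the joint decryption on the slides)."""
    cts = [enc(pk, pow(G, v, P), secrets.randbelow(Q)) for v in votes]
    for _ in range(servers):
        cts = mix_server(pk, cts)
    decode = {pow(G, v, P): v for v in range(64)}   # G^v -> v for the small vote range
    return [decode[dec(sk, c)] for c in cts]

if __name__ == "__main__":
    sk, pk = keygen()
    print(run_mixnet(sk, pk, [1, 2, 3, 4, 2, 1]))   # same votes, unlinkable order
```

Re-encrypted ciphertexts are fresh group elements, so an observer cannot match an output of a mix-server to its input without the randomness s_i, while the decrypted multiset is unchanged.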
Problem: Corrupt Server
(Figure: Server 1, Server 2 and Server 3 processing A, B, C, D; a corrupt server substitutes ciphertexts of its own message m for honest ones, so that m appears among the outputs.)
More threats
- A voter might be an attacker
- Servers and voters might collude
- Solution: add verification
Secure mix-nets
Chaumian mix-net:
- Heuristically secure: Randomized Partial Checking (RPC)
- No provably secure solution
Re-encryption mix-net:
- Heuristically secure: many, including RPC
- Provably secure: many
Contributions
- I: Cryptanalysis of RPC
- II: First provably secure Chaumian mix-net
Cryptanalysis of RPC
Joint work with Douglas Wikström
Randomized Partial Checking
- By Jakobsson, Juels, and Rivest (USENIX 2002)
- For both Chaumian and homomorphic mixing
- No attack for a decade
- Implemented by experts including Chaum, Rivest, Adida, Clarkson
- Its variants were adopted for several real elections, including the 2009/2011 Takoma Park City municipal elections
Verification
(Figure: a pair of mix-servers processing A, B, C, D; the links that were opened between the inputs, the intermediate ciphertexts and the outputs are shown.)
- Mix-servers are paired
- The intermediate ciphertexts are divided into two groups
- Each mix-server reveals information to verify the correspondences
Permutation Commitment
(Figure: the same pair of mix-servers and opened links as on the previous slide.)
- Mix-servers commit to their permutations beforehand
- Decommit to the opened connections
- No check is performed to verify that the decommitted values are distinct!!
Pfitzmann Attack
(Figure: the mixing of A, B, C, D with the targeted ciphertext replaced by c^e; after joint decryption the outputs contain A^e.)
- Attacks privacy in homomorphic mixing
- Success probability: 50 %
- Target a voter and take his vote c = E(A)
- Replace it with c^e
Improved Attack
(Figure: the mixing of A, B and two copies of m; after joint decryption the outputs contain m, m and A^e.)
- Needs two corrupted voters to submit re-encryptions of the same message m
- Will not be caught if the permutation is not checked
Rigging an Election
(Figure: the mixing of A, B, C and m; after joint decryption every output is m.)
- Replace all ciphertexts with your own submission m
- Possible to make it less suspicious
RPC with Chaumian mixing
- If the duplicates are not removed: the privacy of senders can be violated, and votes can be replaced
- If the duplicates are removed: no attack on privacy, but votes can be eliminated
- With a proper tweak of the protocol it may be possible to provide a security proof; this seems difficult and nontrivial
Summary
- Protocol flaw rather than an implementation bug
- Found while attempting to make a proof
- Do not use RPC with homomorphic mixing
- Check the previous election results
- Postpone usage of RPC-like protocols until they are properly analyzed
A Provably Secure Mix-Net From Any CCA2-Secure Cryptosystem (TWT)
Joint work with Tal Moran and Douglas Wikström
Trip-Wire Tracing (TWT)
(Figure: Public Decryption followed by Chaum's Mix-Net.)
- Three decryption layers
- Two nested Chaumian mix-nets: one with explicit verification, one with partial tracing
Trip-Wire Tracing (TWT)
- Parametrized with an integer parameter t ≥ 2
- t is a security parameter, determined by the number of honest voters and servers
- In large-scale elections t = 2 or 3 suffices
- Each voter submits a bundle of t ciphertexts
- Mix-servers decrypt and keep only one copy
Security
- Provably secure
- Works with any CCA2-secure cryptosystem
- No concern regarding quantum computers
- The proof is different from the usual paradigm
(Figure: each voter's bundle of copies of v passes through Public Decryption and Chaum's Mix-Net; after decryption the copies in each bundle are compared: are they all the same?)
Mixing
- Have each mix-server submit a dummy input
- Decrypt, Mix, Mix and Decrypt, but only up to the final decryption
Verification
- Explicitly verify the first Chaumian mix-net
- Trace the dummies
- If all copysets are complete, perform the final decryption
Broken copysets?
(Figure: Trace Backward and Trace Forward through the mix-servers.)
- Trace broken copysets backward and identify a cheating server or "bad" senders
- If no server is caught cheating, trace forward all copies from the originating senders
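The copyset check and the backward/forward tracing of the two previous slides, modelled in code. This is an added example, not the paper's code: the layers, the dummy values D1 and D2, the injected value X and the helper names are constructed, and every layer is written as already-decrypted values so that copies can be counted directly.

```python
from collections import Counter

# Toy model of TWT's copyset bookkeeping (constructed; not the paper's code). Each
# layer is the list of values as they appear after one server's decrypt-and-mix
# step, with the encryption layer already stripped; honest senders and the servers'
# dummies each contribute exactly T identical copies of their value.
T = 2

def check_copysets(final_layer, t=T):
    """Values whose copyset is broken: not exactly t copies survive the mixing."""
    return sorted(v for v, n in Counter(final_layer).items() if n != t)

def trace_backward(layers, value, t=T):
    """layers[0] is the submission, layers[i] the output of server i (1-based).
    Walking back from the last layer, blame the last server whose output changed the
    number of copies of `value`; if no server did, the sender submitted a bad bundle."""
    counts = [Counter(layer)[value] for layer in layers]
    for i in range(len(layers) - 1, 0, -1):
        if counts[i] != counts[i - 1]:
            return ("cheating server", i)
    return ("bad sender", value) if counts[0] != t else ("ok", None)

def trace_forward(layers, value):
    """When no server is caught, list the positions of every copy of `value` in each
    layer: this is what TWT opens when tracing forward from the originating sender."""
    return [[i for i, x in enumerate(layer) if x == value] for layer in layers]

# Constructed run: three voters (A, B, C) and two servers, each adding a dummy (D1, D2).
# Server 2 drops one copy of B and inserts a value X of its own.
SUBMISSION = ["A", "A", "B", "B", "C", "C", "D1", "D1", "D2", "D2"]
SERVER1_OUT = ["D2", "B", "A", "C", "D1", "A", "D2", "C", "B", "D1"]
SERVER2_OUT = ["C", "D1", "X", "A", "D2", "B", "C", "D1", "A", "D2"]
LAYERS = [SUBMISSION, SERVER1_OUT, SERVER2_OUT]

def audit(layers=LAYERS, t=T):
    """TWT's check: every broken copyset together with who is responsible for it."""
    return {v: trace_backward(layers, v, t) for v in check_copysets(layers[-1], t)}

if __name__ == "__main__":
    print(audit())   # {'B': ('cheating server', 2), 'X': ('cheating server', 2)}
```

Because the dummies D1 and D2 must also arrive as complete copysets, a server cannot silently replace the whole batch; it would have to guess which positions form complete copysets, which is the bound on the next slide.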
How can a server cheat?
- Due to the dummies a server cannot replace all ciphertexts
- It has to guess the positions of complete copysets
- Success probability at most H^-(t-1), where H is the number of honest voters and servers
Explanation
(Figure, the layers of TWT in order: Public Decryption (Outer), Chaum's Mix-Net with Explicit Verification (CEV), Chaum's Mix-Net with Partial Tracing (CPT), Public Decryption (Repetition), Public Decryption (Final).)
- Outer: to prevent copying part of a voter's ciphertext
- CEV: to prevent the 1st server in CPT from cheating
- Repetition: to prevent the last server in CPT from cheating
- Final: to stop securely in case of failure
- Dummies: to prevent replacing all ciphertexts in CPT
TWT versus RPC
- Full privacy
- Full correctness
- Provable security
- Slightly less efficient
- Lack of public verifiability
Thank you! Any questions?