Almost Entirely Correct Mixing With Applications to Voting
Philippe Golle, Dan Boneh
Stanford University


Mix Server
A mix server is a cryptographic implementation of a hat.
[Diagram: Inputs → Mix Server (?) → Outputs, with Proof]

Mix Network
Mix network: a group of mix servers that operate sequentially.
[Diagram: Inputs → Server 1 (?) → Server 2 (?) → Server 3 (?) → Outputs, with Proof]
If a single mix server is honest, the global permutation is secret.

Applications
Anonymous voting
[Diagram: Submission → Mix → Tabulation]
Other applications:
– Anonymous payments
– Anonymous channels
All these applications require efficient schemes.

Properties
Privacy: outputs can't be matched to inputs
Correctness: outputs match inputs
Robustness: an output is produced regardless of possible mix server failures or bad inputs
Verifiability: local or universal
Efficiency

Zoology of Mix Networks
Decryption Mix Nets [Cha81,…]:
– Inputs: ciphertexts
– Outputs: decryption of the inputs
Re-encryption Mix Nets [PIK93,…]:
– Inputs: ciphertexts
– Outputs: re-encryption of the inputs
[Diagram: Inputs → ? → Outputs]

Re-encryption Mixnet
0. Setup: mix servers generate a shared ElGamal key
1. Users encrypt their inputs [Diagram: Input, Pub-key]
2. Encrypted inputs are mixed [Diagram: Server 1 → Server 2 → Server 3, each labelled "re-encrypt & mix", with Proof]
3. A quorum of mix servers decrypts the outputs [Diagram: Output, Priv-key]

ElGamal Cryptosystem
ElGamal is a randomized public-key cryptosystem.
Plaintexts are in a group G of prime order q.
Ciphertexts are pairs (a,b) where a,b in G.
Malleable: $E_r(m) \to E_{r+s}(m)$
Multiplicative homomorphism: $E(m), E(m') \to E(mm')$
ZK proof that two CT decrypt to the same PT (1 exp)

Problem
Mix servers must prove correct re-encryption
– Inputs: n ElGamal ciphertexts $E(m_i)$
– Outputs: n ElGamal ciphertexts $E(m'_i)$
Mix proves that there is a permutation π such that: without revealing π.

Quick survey of proofs of re-encryption
Cut and Choose ZK [SK95,OKST97]: 642nk
Pairwise Permutations [JJ99,Abe99]: 14nk·log n
Matrix Representation [FS01]: 36nk
Polynomial Scheme [Nef01]: 16nk
Randomized Partial Checking [JJR01]: nk (Global privacy)
Optimistic Mix [GZBJJ02]: k
Optimistic Proof of Subproduct [BG02]: αk (Near-correct)
n = number of inputs, k = number of servers

Proving Correct Re-encryption
Mix server:
– Receives: n ElGamal ciphertexts $E(m_i)$
– Produces: n ElGamal ciphertexts $E(m'_i)$
Verifier:
– Computes: $E(\prod_{i=1}^{n} m_i)$ and $E(\prod_{i=1}^{n} m'_i)$
– Ask Mix for ZK proof that these CT decrypt to same PT.
Observations:
– Honest mix can always give this proof
– Verification is necessary but not sufficient
– Idea: use random subsets → the name PSP

Proof-of-Subproduct (PSP) Mix net
[Diagram: Inputs $m_i$ with subset S → Mix Server → Outputs $m'_i$ with image S']
1. Mix the inputs
2. Mix gives ZK proof that $\prod_{i=1}^{n} m_i = \prod_{i=1}^{n} m'_i \bmod q$
3. Verifiers choose random subset S
4. The mix server reveals image S'
5. Mix gives ZK proof that
Repeat α times
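The whole-product check and the random-subset rounds from the two slides above, as an added Python example that is not taken from the slides or the paper. It assumes a constructed toy group (P = 2039, Q = 1019, G = 4, far too small for real use), a Fiat-Shamir Chaum-Pedersen proof as the "ZK proof that two CT decrypt to the same PT", and hypothetical function names. Prover and verifier run in one process, so `perm` and `s` are the mix's secrets and appear only as prover inputs.

```python
import hashlib, random

P, Q, G = 2039, 1019, 4   # constructed toy group: P = 2Q + 1, G has prime order Q

def encrypt(y, m, r):
    return (pow(G, r, P), m * pow(y, r, P) % P)

def reencrypt(y, ct, s):            # E_r(m) -> E_{r+s}(m)
    return (ct[0] * pow(G, s, P) % P, ct[1] * pow(y, s, P) % P)

def product(cts):                   # E(m), E(m') -> E(mm')
    a = b = 1
    for x, z in cts:
        a, b = a * x % P, b * z % P
    return a, b

def _challenge(*vals):              # assumption: Fiat-Shamir makes the proof non-interactive
    return int.from_bytes(hashlib.sha256(repr(vals).encode()).digest(), "big") % Q

def prove_same_pt(y, c, c2, s, rng):
    """Chaum-Pedersen proof that c2 is a re-encryption of c with exponent s."""
    w = rng.randrange(Q)
    t = (pow(G, w, P), pow(y, w, P))
    return t, (w + _challenge(y, c, c2, t) * s) % Q

def verify_same_pt(y, c, c2, proof):
    t, z = proof
    u, v = c2[0] * pow(c[0], -1, P) % P, c2[1] * pow(c[1], -1, P) % P
    e = _challenge(y, c, c2, t)
    return (pow(G, z, P) == t[0] * pow(u, e, P) % P and
            pow(y, z, P) == t[1] * pow(v, e, P) % P)

def mix(y, inputs, rng):
    """Output j is a re-encryption of input perm[j] with exponent s[j]."""
    perm = rng.sample(range(len(inputs)), len(inputs))
    s = [rng.randrange(Q) for _ in inputs]
    return [reencrypt(y, inputs[i], e) for i, e in zip(perm, s)], perm, s

def psp_check(y, inputs, outputs, perm, s, S, rng):
    """One PSP round for a verifier-chosen subset S of input indices."""
    S_img = [j for j, i in enumerate(perm) if i in S]        # mix reveals S'
    c = product(inputs[i] for i in S)
    c2 = product(outputs[j] for j in S_img)
    R = sum(s[j] for j in S_img) % Q                         # mix's witness
    return verify_same_pt(y, c, c2, prove_same_pt(y, c, c2, R, rng))

def psp_verify(y, inputs, outputs, perm, s, alpha, rng):
    """Whole-product check (S = all inputs), then alpha random-subset rounds."""
    n = len(inputs)
    subsets = [set(range(n))] + [{i for i in range(n) if rng.random() < 0.5}
                                 for _ in range(alpha)]
    return all(psp_check(y, inputs, outputs, perm, s, S, rng) for S in subsets)
```

A mix that multiplies one output plaintext by d and another by 1/d still passes the whole-product check, but fails any round whose subset image S' contains exactly one of the two altered outputs.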

Properties of PSP
PSP is sound
PSP is robust
Efficiency (per mix server, for n inputs):
– Mixing: n exponentiations
– Proof: α exponentiations (e.g. α = 5). Constant in number of inputs!
Privacy: users only lose α bits of privacy on average
Theorem: cheating mix is detected with prob >
Conjecture: cheating is detected with prob > where w is the number of wrong outputs

Applications of PSP
Large elections: 160,000 ballots. Suppose the mixnet corrupts 100 votes. With α = 6:
– Every ballot hidden among 2,500 others
– Provable bound: prob > 94% cheating detected
– Conjectured bound: prob > 99.9% cheating detected
PSP is compatible with other verification schemes that offer full correctness:
– Use PSP to verify output
– Announce the output
– Run another slower scheme to verify the output

Proof of Correctness
Theorem: cheating is detected with probability $1 - (5/8)^{\alpha}$
A cheating mix that fools the verifier with prob > $1 - (5/8)^{\alpha}$ can compute discrete logarithm in G.
Reduction relies on the following theorem:
Let S be a subset of $\{0,1\}^n$ such that $|S| > (5/8)\,2^n$
Let $F : S \to \{0,1\}^n$ be a linear function such that:
– F(S) spans all of $Z_q^n$
– F preserves the L norm
Then there exists a permutation matrix P such that F(v) = P·v for all v in S.

Conclusion
The difficulty lies in giving efficient proofs of correctness.
We propose a new scheme: PSP
– Exploit the multiplicative homomorphism of ElGamal
– Exceptionally computationally efficient
– PSP only guarantees near correctness
Full paper at: