Secure and Insecure Mixing


1 Secure and Insecure Mixing
Shahram Khazaei, March 10, 2012

2 Voting
Voters cast secret votes
Authorities reveal votes in random order

3 Mix-Net
[Figure: inputs v1, v2, ..., vN]

4 Mix-Net
[Figure: the Mix-Net takes Epk(v1), Epk(v2), ..., Epk(vN) and outputs vπ(1), vπ(2), ..., vπ(N)]

5 Mix-Net
ci = Epk(vi)
vi = Dsk(ci)
di = vπ(i)
[Figure: v1, v2, v3, v4 in, v1, v2, v3, v4 out]

6 Chaum's Mix-Net (1981)
To distribute trust, several mix-servers cooperate
Voters use public keys in reverse order to encrypt their votes
Mix-servers decrypt and permute
[Figure: voter inputs A, B, C, D; Server 1, Server 2, Server 3]

7 Homomorphic encryption
Epk(m,r) ∙ Epk(m',s) = Epk(m∙m',r+s)
Rerandomization of ciphertext: Epk(m,r) ∙ Epk(1,s) = Epk(m,r+s)

8 Re-encryption Mix (PIK'93)
[Figure: Epk(v1,r1), Epk(v2,r2), ..., Epk(vN,rN) enter Re-encrypt & Permute, giving Epk(vπ(1),t1), Epk(vπ(2),t2), ..., Epk(vπ(N),tN); Joint Decryption outputs vπ(1), vπ(2), ..., vπ(N)]

9 Mix-Net
To distribute trust, each mix-server in sequence shuffles the ciphertexts from the previous mix-server
[Figure: inputs A, B, C, D; Server 1, Server 2, Server 3]

10 Re-encrypt & Permute
ci = Epk(vi;ri)
ei = ci ∙ Epk(1;si)
di = eπ(i)
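The homomorphic identity from slide 7 and the re-encrypt-and-permute step from slide 10, as an added example that is not part of the original slides. It assumes ElGamal as the homomorphic cryptosystem (the slides do not name one), uses toy group parameters, and lets a single key pair stand in for the jointly held key; all function names are illustrative.

```python
import secrets

# Toy parameters (constructed for illustration, far too small for real use):
# P = 2Q + 1 is a safe prime, G generates the subgroup of prime order Q.
P, Q, G = 1019, 509, 4

def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def encrypt(pk, m, r):
    """E_pk(m; r) = (g^r, m * pk^r); m must lie in the order-Q subgroup."""
    return (pow(G, r, P), m * pow(pk, r, P) % P)

def multiply(c1, c2):
    """Component-wise product: E(m; r) * E(m'; s) = E(m * m'; r + s)."""
    return (c1[0] * c2[0] % P, c1[1] * c2[1] % P)

def decrypt(sk, c):
    return c[1] * pow(c[0], Q - sk, P) % P  # c[0]^(-sk) inside the subgroup

def reencrypt_and_permute(pk, ciphertexts):
    """One mix-server step: e_i = c_i * E_pk(1; s_i), then d_i = e_pi(i)."""
    fresh = [multiply(c, encrypt(pk, 1, secrets.randbelow(Q - 1) + 1))
             for c in ciphertexts]
    pi = list(range(len(fresh)))
    secrets.SystemRandom().shuffle(pi)
    return [fresh[pi[i]] for i in range(len(fresh))]

def run_mixnet(votes, servers=3):
    """Encrypt candidate indices, pass them through the mixes, then decrypt."""
    sk, pk = keygen()  # assumption: stands in for the jointly held key
    board = [encrypt(pk, pow(G, v, P), secrets.randbelow(Q)) for v in votes]
    submitted = list(board)
    for _ in range(servers):
        board = reencrypt_and_permute(pk, board)
    decode = {pow(G, k, P): k for k in range(Q)}
    return submitted, board, [decode[decrypt(sk, c)] for c in board]
```

The output is the same multiset of votes as the input; nothing in this step alone proves to an observer that a server behaved, which is the gap the verification slides address.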

11 Problem: Corrupt Server
[Figure: Server 1, Server 2, Server 3 processing inputs A, B, C, D and m]

12 More threats
Voter might be an attacker
Servers and voters might collude
Solution: add verification

13 Secure mix-nets
Chaumian mix-net
  Heuristically secure: Randomized Partial Checking (RPC)
  No provably secure solution
Re-encryption mix-net
  Heuristically secure: many incl. RPC
  Provably secure: many

14 Contributions
I: Cryptanalysis of RPC
II: First provably secure Chaumian mix-net

15 Cryptanalysis of RPC
Joint work with Douglas Wikström

16 Randomized Partial Checking
By Jakobsson, Juels, and Rivest (USENIX 2002)
For both Chaumian and homomorphic mixing
No attack for a decade
Implemented by experts including Chaum, Rivest, Adida, Clarkson
Its variants were adopted for several real elections including 2009/2011 Takoma Park City Municipal

17 Verification
Mix-servers are paired
The intermediate ciphertexts are divided in two groups
Each mix-server reveals information to verify the correspondences

18 Permutation Commitment
Mix-servers commit to their permutations beforehand
Decommit to the opened connections
No check is performed to verify that the decommitted values are distinct!!
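The distinctness check that slide 18 says is missing, sketched from the verifier's side as an added example that is not part of the original slides or of any RPC implementation. It assumes a simplified model in which each link "input i goes to output j" is committed with SHA-256 over a random nonce; the function names and sample mappings are constructed for illustration.

```python
import hashlib
import secrets

def commit(i, j, nonce):
    """Hash commitment to the link 'input i goes to output j'."""
    data = nonce + i.to_bytes(4, "big") + j.to_bytes(4, "big")
    return hashlib.sha256(data).hexdigest()

def commit_mapping(mapping):
    """Server side: commit to every link; returns (commitments, openings)."""
    openings = [(i, j, secrets.token_bytes(16)) for i, j in enumerate(mapping)]
    return [commit(i, j, n) for i, j, n in openings], openings

def verify_openings(commitments, revealed, check_distinct=True):
    """Verifier side: `revealed` is the list of (i, j, nonce) that was opened.

    Returns a list of problems; an empty list means the openings are accepted.
    """
    n = len(commitments)
    problems, seen = [], {}
    for i, j, nonce in revealed:
        if not (0 <= i < n and 0 <= j < n):
            problems.append(f"link {i}->{j} out of range")
            continue
        if commit(i, j, nonce) != commitments[i]:
            problems.append(f"opening for input {i} does not match commitment")
        if check_distinct and j in seen:
            problems.append(f"inputs {seen[j]} and {i} both map to output {j}")
        seen.setdefault(j, i)
    return problems

# Constructed data: an honest permutation, and a mapping that is not one
# (inputs 1 and 3 both point at output 2, output 0 is never used).
HONEST = [2, 0, 3, 1]
NOT_A_PERMUTATION = [1, 2, 3, 2]
```

With `check_distinct=False` every opening of `NOT_A_PERMUTATION` verifies individually, which is why the per-opening check alone does not establish that a permutation was committed.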

19 Pfitzmann Attack
Attacks privacy in homomorphic mixing
Success probability: 50 %
Target a voter and take his vote c = E(A)
Replace with c^e
[Figure: inputs A, B, C, D; Joint Decryption; outputs include A^e]

20 Improved Attack
Needs two corrupted voters to submit re-encryptions of the same message m
Will not be caught if the permutation is not checked
[Figure: inputs A, B, m, m; Joint Decryption; outputs include A^e]

21 Rigging an Election
Replace all ciphertexts with your own submission m
Possible to make less suspicious
[Figure: inputs A, B, C, m; Joint Decryption]

22 RPC with Chaumian mixing
If the duplicates are not removed:
  Privacy of senders can be violated
  Votes can be replaced
If duplicates are removed:
  No attack on privacy
  Votes can be eliminated
With proper tweak of the protocol:
  May be possible to provide a security proof
  Seems difficult and nontrivial

23 Summary
Protocol flaw rather than an implementation bug
Found while attempting to make a proof
Do not use RPC with homomorphic mixing
Check the previous election results
Postpone usage of RPC-like protocols until properly analyzed

24 TWT: A Provably Secure Mix-Net From Any CCA2-Secure Cryptosystem
Joint work with Tal Moran and Douglas Wikström

25 Trip-Wire Tracing (TWT)
Three decryption layers
Two nested Chaumian mix-nets
  One with explicit verification
  One with partial tracing
[Figure: Public Decryption; Chaum's Mix-Net]

26 Trip-Wire Tracing (TWT)
Parametrized with an integer parameter t ≥ 2
t is a security parameter determined based on the number of honest voters and servers
In large scale elections t = 2 or 3 suffices
Each voter submits a bundle of t ciphertexts
Mix-servers decrypt and keep only one copy

27 Security
Provably secure
Works with any CCA2-secure cryptosystem
No concern against quantum computers
Proof is different than the usual paradigm

28 [Figure: Voters; Public Decryption; Chaum's Mix-Net]

29 Decryption

30 All the same?

31 Mixing
Have each mix-server submit a dummy input
Decrypt, Mix, Mix and Decrypt
But up to the final decryption

32 Verification
Explicitly verify the first Chaumian mix-net
Trace the dummies
If all copysets are complete, perform the final decryption

33 Broken copysets?
Trace backward broken copysets and identify a cheating server or “bad” senders
If no server is caught cheating, trace forward all copies from the originating senders.
[Figure: Trace Forward; Trace Backward]

34 How can a server cheat?
Due to dummies a server cannot replace all
Has to guess positions of complete copysets
Success probability at most H^(-(t-1))
H is the number of honest voters and servers

35 Explanation
Outer: to prevent copying part of a voter's ciphertext
CEV: to prevent the 1st server in CPT cheating
Repetition: to prevent the last server in CPT cheating
Final: to stop securely in case of failing
Dummies: to prevent replacing all ciphertexts in CPT
[Figure: Public Decryption (Outer); Chaum's Mix-Net With Explicit Verification (CEV); Chaum's Mix-Net With Partial Tracing (CPT); Public Decryption (Repetition); Public Decryption (Final)]

36 TWT versus RPC
Full privacy
Full correctness
Provable security
Slightly less efficient
Lack of public verifiability

37 Thank you! Any questions?

