Presentation is loading. Please wait.

Presentation is loading. Please wait.

RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.

Published byAdriel Albury Modified over 10 years ago

Similar presentations

Presentation on theme: "RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories."— Presentation transcript:

1 RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories

2 What does a mix network do? message 1 message 2 message 3 message 4 Randomly permutes and decrypts inputs Mix network

3 What does a mix network do? message 2 Key property: Adversary can’t tell which ciphertext corresponds to a given message ?

4 Example application: Anonymizing bulletin board or e-mail From Bob From Charlie From Alice

5 From Bob From Charlie From Alice “I love Alice” “Nobody loves Bob” “I love Charlie” Is it Bob, Charlie, self-love, or other? Example application: Anonymizing bulletin board or e-mail

6 Our focus: Voting Digitally signed by Eve Digitally signed by Charlie Digitally signed by Charlie Digitally signed by Bob Digitally signed by Alice A vote for Al G re A vote for G.W. Bush A vote for Al Gore A vote for G.W. Bush Final Tally: Bush 2 Gore 1

7 A look under the hood

8 Basic Mix (Chaum ‘81) Server 1 Server 2 Server 3 PK 1 PK 2 PK 3

9 Encryption of Message PK 1 PK 2 PK 3 message Ciphertext = E PK1 [E PK2 [E PK3 [message]]]

10 Basic Chaumian Mix Server 1 Server 2 Server 3 m1 m2 m3 m2 m3 m1 decrypt and permute m2 m1 m3 decrypt and permute decrypt and permute m2 m3 m1

11 Basic Chaumian Mix m1 m2 m3 m2 m3 m1 decrypt and permute m2 m1 m3 decrypt and permute decrypt and permute m2 m3 m1 Observe: As long as one server is honest, privacy is preserved

12 Basic Chaumian Mix Server 1 Server 2 Server 3 m3 ?

13 What if one server fails? Server 1 Server 2 Server 3 SK 2 Privacy now requires a majority of honest servers Tolerance of minority of server failures Solution idea: Share key among others

14 ballot Lenin What if one server cheats? Solution idea: Have each server prove that it permuted and decrypted correctly

15 Robust Mix Server 1 Server 2 Server 3 m1 m2 m3 m2 m3 m1 decrypt, permute, and prove correct m2 m1 m3 decrypt, permute, and prove correct decrypt, permute, and prove correct m2 m3 m1

16 Practical Robust Mixes u Jakobsson “Flash Mix” (PODC ‘99) –Mitomo and Kurosawa (AC ‘00) –Secure only for large input sizes –Only for El Gamal u Desmedt and Kurosawa (EC ‘00) –Good only if O(n 1/2 ) of servers corrupted

17 Practical Robust Mixes u Neff (ACM CCS ‘01) ; Furukawa-Sako (Crypto ‘01) (renamed “shuffling”) –All desired properties –Only for El Gamal –Computationally intensive u Golle (ACM CCS ‘02) –Some similarity in technique with RPC –Only for El Gamal –Speed for El Gamal somewhat better than RPC

18 Practical Robust Mixes u Golle, Zhong, Boneh, Jakobsson, Juels (Asiacrypt ‘02) –Only for El Gamal –Speed for El Gamal somewhat better than RPC u Our Randomized Probabilistic Checking (RPC) mix –Conceptually simple –Very efficient -- particularly for RSA –Works with RSA, El Gamal, etc. –Aimed at voting

19 Proving correctness in RPC Server i decrypt and permute ballot

20 Proving correctness in RPC Server i ballot

21 Proving correctness in RPC Server i u Very efficient proof/verification! –Particularly with RSA u Each ballot operation checked with probability 1/2 u If Server i cheats on k ballots, it is caught with probability 1 - 2 k –e.g., changing 20 ballots means 99.9999% of detection

22 Proving correctness in RPC Server i Example: Florida tally in 2000 Presidential election –2,910,074 Bush; 2,909,114 Gore –Tampering with 480 ballots needed to change outcome –Probability of catching cheating 1 - 2 -480 –Smaller than probability of being hit by meteor during this session

23 Privacy in RPC Server 1 Server 2 Server 3 Server 4 Bob Alice Carl Delia ballot Gore Bush

24 Privacy in RPC Server 1 Server 2 Server 3 Server 4 Bob Alice Carl Delia ballot Gore Bush !!!

25 Privacy in RPC u Chance of privacy breach small with correct parameterization –Needs many servers (or rounds) u We can do better...

26 Server pairing Server 2i Server 2i+1 ballot

27 Server pairing Server 2i Server 2i+1 ballot Left or right? ballot

28 Server pairing Server 2i Server 2i+1 u Private provided that at least one pair of servers is uncorrupted –Thus, private if minority corrupted –Each ballot concealed among half of total u Correct because forward link on any ballot checked with probability 1/2

29 Public verifiability Server 1 Server 2 Server 3 Server 4 Bob Alice Carl Delia ballot Gore Bush ???

30 Public verifiability Server 1 Server 2 Server 3 Server 4 u Idea: Inspection coins depend on hash of full set of ballots u Suppose election threshold is d –Recall Florida threshold was 960 u Attacker must (roughly) try number of hashes 2 d/2 to swing election undetected

31 Public verifiability Server 1 Server 2 Server 3 Server 4 u If threshold d is small, use a more expensive mix –e.g., Neff, Furukawa/Sako

32 Final Remarks u Good for applications other than voting? u Paper (with details) available on homepages of three authors, at: –Google  “Markus Jakobsson homepage” –Google  “Ari Juels homepage” –Google  “Ron Rivest homepage” u Idea is unpatented u Implementation warmly welcomed

Download ppt "RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories."

Similar presentations

Mix and Match: A Simple Approach to General Secure Multiparty Computation + Markus Jakobsson Bell Laboratories Ari Juels RSA Laboratories.

Mix and Match: A Simple Approach to General Secure Multiparty Computation + Markus Jakobsson Bell Laboratories Ari Juels RSA Laboratories.
Simple and Practical Anonymous Digital Coin Tracing

Simple and Practical Anonymous Digital Coin Tracing
Error-Tolerant Password Recovery Niklas Frykholm and Ari Juels RSA Laboratories.

Error-Tolerant Password Recovery Niklas Frykholm and Ari Juels RSA Laboratories.
Public Key Cryptosystem

Public Key Cryptosystem
Research & Development Workshop on e-Voting and e-Government in the UK - February 27, 2006 Votinbox - a voting system based on smart cards Sébastien Canard.

Research & Development Workshop on e-Voting and e-Government in the UK - February 27, 2006 Votinbox - a voting system based on smart cards Sébastien Canard.
Efficient Zero-Knowledge Argument for Correctness of a Shuffle Stephanie Bayer University College London Jens Groth University College London.

Efficient Zero-Knowledge Argument for Correctness of a Shuffle Stephanie Bayer University College London Jens Groth University College London.
David Evans CS588: Cryptography University of Virginia Computer Science Lecture 17: Public-Key Protocols.

David Evans CS588: Cryptography University of Virginia Computer Science Lecture 17: Public-Key Protocols.
Talk by Vanessa Teague, University of Melbourne Joint work with Chris Culnane, James Heather & Steve Schneider at University of.

Talk by Vanessa Teague, University of Melbourne Joint work with Chris Culnane, James Heather & Steve Schneider at University of.
Electronic Voting Ronald L. Rivest MIT CSAIL Norway June 14, 2004.

Electronic Voting Ronald L. Rivest MIT CSAIL Norway June 14, 2004.
Civitas Verifiability and Coercion Resistance for Remote Voting University of South Alabama August 15, 2012 Michael Clarkson The George Washington University.

Civitas Verifiability and Coercion Resistance for Remote Voting University of South Alabama August 15, 2012 Michael Clarkson The George Washington University.
Civitas Security and Transparency for Remote Voting Swiss E-Voting Workshop September 6, 2010 Michael Clarkson Cornell University with Stephen Chong (Harvard)

Civitas Security and Transparency for Remote Voting Swiss E-Voting Workshop September 6, 2010 Michael Clarkson Cornell University with Stephen Chong (Harvard)
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
On the Security of Ballot Receipts in E2E Voting Systems Jeremy Clark, Aleks Essex, and Carlisle Adams Presented by Jeremy Clark.

On the Security of Ballot Receipts in E2E Voting Systems Jeremy Clark, Aleks Essex, and Carlisle Adams Presented by Jeremy Clark.
Auditable Privacy: On Tamper-Evident Mix Networks Jong Youl Choi Dept. of Computer Science Indiana University at Bloomington Philippe Golle Palo Alto Research.

Auditable Privacy: On Tamper-Evident Mix Networks Jong Youl Choi Dept. of Computer Science Indiana University at Bloomington Philippe Golle Palo Alto Research.
Lecture 7.1: Privacy and Anonymity Using Anonymizing Networks - I CS 436/636/736 Spring 2012 Nitesh Saxena Some slides borrowed from Philippe Golle, Markus.

Lecture 7.1: Privacy and Anonymity Using Anonymizing Networks - I CS 436/636/736 Spring 2012 Nitesh Saxena Some slides borrowed from Philippe Golle, Markus.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.

Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.
Receipt-free Voting Joint work with Markus Jakobsson, C. Andy Neff Ari Juels RSA Laboratories.

Receipt-free Voting Joint work with Markus Jakobsson, C. Andy Neff Ari Juels RSA Laboratories.
Reusable Anonymous Return Channels

Reusable Anonymous Return Channels

Similar presentations

Ads by Google