Download presentation
Presentation is loading. Please wait.
Published byAdriel Albury Modified over 10 years ago
1
RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories
2
What does a mix network do? message 1 message 2 message 3 message 4 Randomly permutes and decrypts inputs Mix network
3
What does a mix network do? message 2 Key property: Adversary can’t tell which ciphertext corresponds to a given message ?
4
Example application: Anonymizing bulletin board or e-mail From Bob From Charlie From Alice
5
From Bob From Charlie From Alice “I love Alice” “Nobody loves Bob” “I love Charlie” Is it Bob, Charlie, self-love, or other? Example application: Anonymizing bulletin board or e-mail
6
Our focus: Voting Digitally signed by Eve Digitally signed by Charlie Digitally signed by Charlie Digitally signed by Bob Digitally signed by Alice A vote for Al G re A vote for G.W. Bush A vote for Al Gore A vote for G.W. Bush Final Tally: Bush 2 Gore 1
7
A look under the hood
8
Basic Mix (Chaum ‘81) Server 1 Server 2 Server 3 PK 1 PK 2 PK 3
9
Encryption of Message PK 1 PK 2 PK 3 message Ciphertext = E PK1 [E PK2 [E PK3 [message]]]
10
Basic Chaumian Mix Server 1 Server 2 Server 3 m1 m2 m3 m2 m3 m1 decrypt and permute m2 m1 m3 decrypt and permute decrypt and permute m2 m3 m1
11
Basic Chaumian Mix m1 m2 m3 m2 m3 m1 decrypt and permute m2 m1 m3 decrypt and permute decrypt and permute m2 m3 m1 Observe: As long as one server is honest, privacy is preserved
12
Basic Chaumian Mix Server 1 Server 2 Server 3 m3 ?
13
What if one server fails? Server 1 Server 2 Server 3 SK 2 Privacy now requires a majority of honest servers Tolerance of minority of server failures Solution idea: Share key among others
14
ballot Lenin What if one server cheats? Solution idea: Have each server prove that it permuted and decrypted correctly
15
Robust Mix Server 1 Server 2 Server 3 m1 m2 m3 m2 m3 m1 decrypt, permute, and prove correct m2 m1 m3 decrypt, permute, and prove correct decrypt, permute, and prove correct m2 m3 m1
16
Practical Robust Mixes u Jakobsson “Flash Mix” (PODC ‘99) –Mitomo and Kurosawa (AC ‘00) –Secure only for large input sizes –Only for El Gamal u Desmedt and Kurosawa (EC ‘00) –Good only if O(n 1/2 ) of servers corrupted
17
Practical Robust Mixes u Neff (ACM CCS ‘01) ; Furukawa-Sako (Crypto ‘01) (renamed “shuffling”) –All desired properties –Only for El Gamal –Computationally intensive u Golle (ACM CCS ‘02) –Some similarity in technique with RPC –Only for El Gamal –Speed for El Gamal somewhat better than RPC
18
Practical Robust Mixes u Golle, Zhong, Boneh, Jakobsson, Juels (Asiacrypt ‘02) –Only for El Gamal –Speed for El Gamal somewhat better than RPC u Our Randomized Probabilistic Checking (RPC) mix –Conceptually simple –Very efficient -- particularly for RSA –Works with RSA, El Gamal, etc. –Aimed at voting
19
Proving correctness in RPC Server i decrypt and permute ballot
20
Proving correctness in RPC Server i ballot
21
Proving correctness in RPC Server i u Very efficient proof/verification! –Particularly with RSA u Each ballot operation checked with probability 1/2 u If Server i cheats on k ballots, it is caught with probability 1 - 2 k –e.g., changing 20 ballots means 99.9999% of detection
22
Proving correctness in RPC Server i Example: Florida tally in 2000 Presidential election –2,910,074 Bush; 2,909,114 Gore –Tampering with 480 ballots needed to change outcome –Probability of catching cheating 1 - 2 -480 –Smaller than probability of being hit by meteor during this session
23
Privacy in RPC Server 1 Server 2 Server 3 Server 4 Bob Alice Carl Delia ballot Gore Bush
24
Privacy in RPC Server 1 Server 2 Server 3 Server 4 Bob Alice Carl Delia ballot Gore Bush !!!
25
Privacy in RPC u Chance of privacy breach small with correct parameterization –Needs many servers (or rounds) u We can do better...
26
Server pairing Server 2i Server 2i+1 ballot
27
Server pairing Server 2i Server 2i+1 ballot Left or right? ballot
28
Server pairing Server 2i Server 2i+1 u Private provided that at least one pair of servers is uncorrupted –Thus, private if minority corrupted –Each ballot concealed among half of total u Correct because forward link on any ballot checked with probability 1/2
29
Public verifiability Server 1 Server 2 Server 3 Server 4 Bob Alice Carl Delia ballot Gore Bush ???
30
Public verifiability Server 1 Server 2 Server 3 Server 4 u Idea: Inspection coins depend on hash of full set of ballots u Suppose election threshold is d –Recall Florida threshold was 960 u Attacker must (roughly) try number of hashes 2 d/2 to swing election undetected
31
Public verifiability Server 1 Server 2 Server 3 Server 4 u If threshold d is small, use a more expensive mix –e.g., Neff, Furukawa/Sako
32
Final Remarks u Good for applications other than voting? u Paper (with details) available on homepages of three authors, at: –Google “Markus Jakobsson homepage” –Google “Ari Juels homepage” –Google “Ron Rivest homepage” u Idea is unpatented u Implementation warmly welcomed
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.