Presentation is loading. Please wait.

Presentation is loading. Please wait.

RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.

Similar presentations


Presentation on theme: "RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories."— Presentation transcript:

1 RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories

2 What does a mix network do? message 1 message 2 message 3 message 4 Randomly permutes and decrypts inputs Mix network

3 What does a mix network do? message 2 Key property: Adversary can’t tell which ciphertext corresponds to a given message ?

4 Example application: Anonymizing bulletin board or e-mail From Bob From Charlie From Alice

5 From Bob From Charlie From Alice “I love Alice” “Nobody loves Bob” “I love Charlie” Is it Bob, Charlie, self-love, or other? Example application: Anonymizing bulletin board or e-mail

6 Our focus: Voting Digitally signed by Eve Digitally signed by Charlie Digitally signed by Charlie Digitally signed by Bob Digitally signed by Alice A vote for Al G re A vote for G.W. Bush A vote for Al Gore A vote for G.W. Bush Final Tally: Bush 2 Gore 1

7 A look under the hood

8 Basic Mix (Chaum ‘81) Server 1 Server 2 Server 3 PK 1 PK 2 PK 3

9 Encryption of Message PK 1 PK 2 PK 3 message Ciphertext = E PK1 [E PK2 [E PK3 [message]]]

10 Basic Chaumian Mix Server 1 Server 2 Server 3 m1 m2 m3 m2 m3 m1 decrypt and permute m2 m1 m3 decrypt and permute decrypt and permute m2 m3 m1

11 Basic Chaumian Mix m1 m2 m3 m2 m3 m1 decrypt and permute m2 m1 m3 decrypt and permute decrypt and permute m2 m3 m1 Observe: As long as one server is honest, privacy is preserved

12 Basic Chaumian Mix Server 1 Server 2 Server 3 m3 ?

13 What if one server fails? Server 1 Server 2 Server 3 SK 2 Privacy now requires a majority of honest servers Tolerance of minority of server failures Solution idea: Share key among others

14 ballot Lenin What if one server cheats? Solution idea: Have each server prove that it permuted and decrypted correctly

15 Robust Mix Server 1 Server 2 Server 3 m1 m2 m3 m2 m3 m1 decrypt, permute, and prove correct m2 m1 m3 decrypt, permute, and prove correct decrypt, permute, and prove correct m2 m3 m1

16 Practical Robust Mixes u Jakobsson “Flash Mix” (PODC ‘99) –Mitomo and Kurosawa (AC ‘00) –Secure only for large input sizes –Only for El Gamal u Desmedt and Kurosawa (EC ‘00) –Good only if O(n 1/2 ) of servers corrupted

17 Practical Robust Mixes u Neff (ACM CCS ‘01) ; Furukawa-Sako (Crypto ‘01) (renamed “shuffling”) –All desired properties –Only for El Gamal –Computationally intensive u Golle (ACM CCS ‘02) –Some similarity in technique with RPC –Only for El Gamal –Speed for El Gamal somewhat better than RPC

18 Practical Robust Mixes u Golle, Zhong, Boneh, Jakobsson, Juels (Asiacrypt ‘02) –Only for El Gamal –Speed for El Gamal somewhat better than RPC u Our Randomized Probabilistic Checking (RPC) mix –Conceptually simple –Very efficient -- particularly for RSA –Works with RSA, El Gamal, etc. –Aimed at voting

19 Proving correctness in RPC Server i decrypt and permute ballot

20 Proving correctness in RPC Server i ballot

21 Proving correctness in RPC Server i u Very efficient proof/verification! –Particularly with RSA u Each ballot operation checked with probability 1/2 u If Server i cheats on k ballots, it is caught with probability 1 - 2 k –e.g., changing 20 ballots means 99.9999% of detection

22 Proving correctness in RPC Server i Example: Florida tally in 2000 Presidential election –2,910,074 Bush; 2,909,114 Gore –Tampering with 480 ballots needed to change outcome –Probability of catching cheating 1 - 2 -480 –Smaller than probability of being hit by meteor during this session

23 Privacy in RPC Server 1 Server 2 Server 3 Server 4 Bob Alice Carl Delia ballot Gore Bush

24 Privacy in RPC Server 1 Server 2 Server 3 Server 4 Bob Alice Carl Delia ballot Gore Bush !!!

25 Privacy in RPC u Chance of privacy breach small with correct parameterization –Needs many servers (or rounds) u We can do better...

26 Server pairing Server 2i Server 2i+1 ballot

27 Server pairing Server 2i Server 2i+1 ballot Left or right? ballot

28 Server pairing Server 2i Server 2i+1 u Private provided that at least one pair of servers is uncorrupted –Thus, private if minority corrupted –Each ballot concealed among half of total u Correct because forward link on any ballot checked with probability 1/2

29 Public verifiability Server 1 Server 2 Server 3 Server 4 Bob Alice Carl Delia ballot Gore Bush ???

30 Public verifiability Server 1 Server 2 Server 3 Server 4 u Idea: Inspection coins depend on hash of full set of ballots u Suppose election threshold is d –Recall Florida threshold was 960 u Attacker must (roughly) try number of hashes 2 d/2 to swing election undetected

31 Public verifiability Server 1 Server 2 Server 3 Server 4 u If threshold d is small, use a more expensive mix –e.g., Neff, Furukawa/Sako

32 Final Remarks u Good for applications other than voting? u Paper (with details) available on homepages of three authors, at: –Google  “Markus Jakobsson homepage” –Google  “Ari Juels homepage” –Google  “Ron Rivest homepage” u Idea is unpatented u Implementation warmly welcomed


Download ppt "RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories."

Similar presentations


Ads by Google