Optimistic Mixing for Exit-Polls Philippe Golle, Stanford Sheng Zhong, Yale Dan Boneh, Stanford Markus Jakobsson, RSA Labs Ari Juels, RSA Labs


Post on 29-Dec-2015


Optimistic Mixing for Exit-Polls

Philippe Golle, Stanford

Sheng Zhong, Yale

Dan Boneh, Stanford

Markus Jakobsson, RSA Labs

Ari Juels, RSA Labs


Mix Server

A mix server is a cryptographic implementation of a hat.

[Figure: Inputs → Mix Server → Outputs, in an unknown order (“?”); the mix server also outputs a Proof]


Mix Network

[Figure: Inputs → Server 1 → Server 2 → Server 3 → Outputs; each server applies a secret permutation (“?”) and outputs a Proof]

1. Servers sequentially mix the inputs

2. Verify the proofs of correct mixing:
• OK: accept the output
• Otherwise: remove cheaters and mix again

If a single mix server is honest, the global permutation is secret.


Applications

• Anonymous voting
1. Votes submitted to the mix
2. Votes are mixed
3. Verify correct mixing (expensive):
  • OK: decrypt the votes & announce results of election
  • Otherwise: remove cheater and mix again

• Other applications
– Anonymous payments
– Anonymous channels

All these applications require efficient schemes


Properties

• Privacy: outputs can’t be matched to inputs

• Correctness: outputs match inputs

• Robustness: an output is produced regardless of possible mix server failures or bad inputs

• Verifiability: local or universal

• Efficiency


Our contribution

• Optimistic mixnet
– If all servers mix correctly, verification extremely fast
– If a server cheats, verification slower

• Application: exit-polls

• Note: Cheating by users has (almost) no impact

1. Servers sequentially mix the inputs
2. Verify the proofs of correct mixing [expensive]
• OK: accept the output [the usual case]
• Otherwise: remove cheaters and mix again [very rare]


Comparison of proofs of correct mixing

| Scheme | Cost | Notes |
|---|---|---|
| Cut and Choose ZK [SK95,OKST97] | 642nk | |
| Pairwise Permutations [JJ99,Abe99] | 14nk·log n | |
| Matrix Representation [FS01] | 36nk | |
| Polynomial Scheme [Nef01] | 16nk | |
| Randomized Partial Checking [JJR01] | nk | Global privacy |
| Proof of Subproduct [BG02] | αk | Near-correct |
| Optimistic Mix [GZBJJ02] | 3 + 3Nk | Optimistic |

n = number of inputs
k = number of servers


Optimistic Mixing


Zoology of Mix Networks

• Decryption Mix Nets [Cha81,…]:
– Inputs: ciphertexts
– Outputs: decryption of the inputs.

• Re-encryption Mix Nets [PIK93,…]:
– Inputs: ciphertexts
– Outputs: re-encryption of the inputs

[Figure: Inputs → mix (“?”) → Outputs]


ElGamal Cryptosystem

• ElGamal is a randomized public-key cryptosystem
• Plaintexts in a group G of prime order q
• Ciphertexts are pairs (a,b) where a,b in G.
• Malleable: $E_r(m) \rightarrow E_{r+s}(m)$
• ZK proof that two CT decrypt to the same PT (1 exp)
• Multiplicative homomorphism: $E(m),\ E(m') \rightarrow E(mm')$


Re-encryption Mixnet

0. Setup: mix servers generate a shared ElGamal key

1. Users encrypt their inputs:
[Figure: each Input is encrypted under the Pub-key]

2. Encrypted inputs are mixed:
[Figure: Server 1 → Server 2 → Server 3; each server performs “re-encrypt & mix” and outputs a Proof]

3. A quorum of mix servers decrypts the outputs
[Figure: each Output is decrypted with the Priv-key]


Problem

• Mix servers must prove correct re-encryption

– Inputs: n ElGamal ciphertexts $E(m_i)$
– Outputs: n ElGamal ciphertexts $E(m'_i)$

• Mix proves that there is a permutation π such that:

$E(m'_i) = E(m_{\pi(i)}), \quad i = 1, \dots, n$

without revealing π.


Our techniques to Prove Correct Re-encryption

1. Proof of product with checksum: Verification that the mix is product-preserving

2. Double envelope: Inputs are encrypted twice


Proof of Product

• Mix server:
– Receives: n ElGamal ciphertexts $E(m_i)$
– Produces: n ElGamal ciphertexts $E(m'_i)$

• Verifier:
– Computes: $E(\prod_{i=1}^{n} m_i)$ and $E(\prod_{i=1}^{n} m'_i)$
– Asks Mix for ZK proof that these CT decrypt to same PT.

• Observations:
– Honest mix can always give this proof
– Verification is necessary but not sufficient
– Idea: append a cryptographic checksum to the inputs


Proof of Product with Checksum

• Inputs: $m_i$ = E( Input || Checksum(Input) )

• Outputs: $m'_i$ = E( Input || Checksum(Input) )

• Proposition: If
– All input checksums are correct
– $\prod m_i = \prod m'_i$
– All output checksums are correct
Then $\{m_i\} = \{m'_i\}$ with all but negligible probability


Proof of Product with Checksum

1. Submission of inputs: $E(m_i)$ = E( Input || Checksum(input) )

2. Mixing

3. Each mix proves $E(\prod m_i) = E(\prod m'_i)$
• Mixes which fail are kicked out

4. Decryption: $m_i$ = Input || Checksum(input)

5. Verification of checksum:
• All checksums OK ⇒ $\{m_i\} = \{m'_i\}$
• Otherwise: either a mix or a user cheated
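The product check and checksum test from the two "Proof of Product" slides, built on the ElGamal malleability and homomorphism listed earlier, as an added example (not code from the slides or their authors): it shows that a product-preserving alteration still passes the product proof and is caught only by the output checksums. The toy modulus `P`, base `G`, 32-bit truncated SHA-256 checksum, sample inputs and the Fiat-Shamir Chaum-Pedersen proof standing in for the ZK proof are all assumptions chosen for illustration.

```python
import hashlib, secrets
from functools import reduce
P, G = 2**127 - 1, 3   # toy modulus and base (assumed); real mixes use a prime-order group

def rand_exp():
    return secrets.randbelow(P - 2) + 1
def sha_int(data, nbytes=32):
    return int.from_bytes(hashlib.sha256(data).digest()[:nbytes], "big")
def envelope(inp):     # Input || Checksum(Input), with an assumed 32-bit checksum
    return (inp << 32) | sha_int(inp.to_bytes(8, "big"), 4)
def checksum_ok(m):
    return m >> 32 < 2**64 and envelope(m >> 32) == m
def encrypt(y, m, r):
    return (pow(G, r, P), m * pow(y, r, P) % P)
def decrypt(x, c):
    return c[1] * pow(c[0], -x, P) % P
def mul(c, d):         # homomorphism: E(m), E(m') -> E(mm')
    return (c[0] * d[0] % P, c[1] * d[1] % P)

def ratio(cin, cout):  # (product of outputs) / (product of inputs), per component
    (a, b), (a2, b2) = reduce(mul, cin), reduce(mul, cout)
    return a2 * pow(a, -1, P) % P, b2 * pow(b, -1, P) % P

def mix(y, cts, tamper=False):
    rs = [rand_exp() for _ in cts]
    out = [mul(c, encrypt(y, 1, r)) for c, r in zip(cts, rs)]   # re-encrypt each input
    if tamper:         # product-preserving alteration: m0 -> 5*m0, m1 -> m1/5
        out[0], out[1] = mul(out[0], (1, 5)), mul(out[1], (1, pow(5, -1, P)))
    secrets.SystemRandom().shuffle(out)
    return out, sum(rs) % (P - 1)   # R: total re-encryption exponent, known to the mix

def prove(y, cin, cout, R):         # Chaum-Pedersen: log_G(u) == log_y(v) == R
    u, v = ratio(cin, cout)
    w = rand_exp()
    t = (pow(G, w, P), pow(y, w, P))
    return t, (w + sha_int(repr((y, u, v, t)).encode()) * R) % (P - 1)

def verify(y, cin, cout, proof):
    t, s = proof
    u, v = ratio(cin, cout)
    c = sha_int(repr((y, u, v, t)).encode())
    return (pow(G, s, P) == t[0] * pow(u, c, P) % P and
            pow(y, s, P) == t[1] * pow(v, c, P) % P)

def demo(tamper):      # returns (product proof verifies, all output checksums correct)
    x = rand_exp(); y = pow(G, x, P)
    cin = [encrypt(y, envelope(v), rand_exp()) for v in (101, 202, 303)]  # constructed inputs
    cout, R = mix(y, cin, tamper)
    proof_ok = verify(y, cin, cout, prove(y, cin, cout, R))
    return proof_ok, all(checksum_ok(decrypt(x, c)) for c in cout)
```

`demo(False)` returns `(True, True)`, while `demo(True)` returns `(True, False)`: the product proof alone accepts the altered batch, and the checksum verification after decryption is what rejects it.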


Incorrect Output Checksums

• Cheating by user:
– Input submitted with incorrect Checksum
– We do not (can not) verify that input checksums OK
– This cheating is harmless

• Cheating by mix server:
– One (or several) servers produced corrupted output(s)
– This cheating is serious:
  • The mix server can trace selected inputs
  • The harm is already done by the time cheating is discovered


Double Envelope

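Replace

Input || Checksum(input)

with

Input || Checksum ( Input )

[Figure: the envelope boxes drawn around these terms on the slide are not preserved in the transcript]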


Optimistic Mixnet

1. Submission of inputs: $E(m_i)$ = Input || Checksum ( Input ), in a double envelope

2. Mixing

3. Each mix proves $E(\prod m_i) = E(\prod m'_i)$
• Mixes which fail are kicked out

4. Partial decryption: $m_i$ = Input || Checksum( input )

5. Verification of checksums…


Optimistic Mixnet (cont’d)

5. Verification of checksum:
• All checksums OK ⇒ $\{m_i\} = \{m'_i\}$. We are done!
• Otherwise: either a mix or a user cheated

6. Investigation of user cheating:
• Mixes must trace every bad output to a bad input.
• No privacy for cheating users!
• If every bad output successfully traced, We are done!

7. Otherwise mix servers cheated:
• The checksums are discarded
• The Inputs are mixed again with standard mix


Properties of Optimistic Mixnet

• Privacy: for honest users only

• Correctness: OK (if discrete log is hard in Zp)

• Robustness: up to a minority of faulty servers

• Efficiency:
– Mix: 6n exponentiations
– Proof: 3 + 3Nk exponentiations
– Plus cost of alternative decryption if a mix server cheats
– The expensive operation is the mix, not the proof.


Conclusion

• Optimistic mix based on 2 new techniques:
– Proof of product with checksum
– Double envelope

• Optimistic mix is extremely fast when no server cheats. Cheating by users has minimal impact on performance

• When a server cheats:
– Cheating is detected
– It does not compromise the privacy of users
– It only causes the mix to run slower

• Application: exit-polls