Optimistic Mixing for Exit-Polls
Philippe Golle, Stanford
Sheng Zhong, Yale
Dan Boneh, Stanford
Markus Jakobsson, RSA Labs
Ari Juels, RSA Labs
Mix Server
A mix server is a cryptographic implementation of a hat.
[Figure: Inputs → Mix Server (?) → Outputs, with Proof]
Mix Network
[Figure: Inputs → Server 1 (?) → Server 2 (?) → Server 3 (?) → Outputs; each server gives a Proof]
1. Servers sequentially mix the inputs
2. Verify the proofs of correct mixing:
   • OK: accept the output
   • Otherwise: remove cheaters and mix again
If a single mix server is honest, the global permutation is secret.
Applications
• Anonymous voting
  1. Votes submitted to the mix
  2. Votes are mixed
  3. Verify correct mixing (expensive):
     • OK: decrypt the votes & announce results of election
     • Otherwise: remove cheater and mix again
• Other applications
  – Anonymous payments
  – Anonymous channels
All these applications require efficient schemes
Properties
• Privacy: outputs can’t be matched to inputs
• Correctness: outputs match inputs
• Robustness: an output is produced regardless of possible mix server failures or bad inputs
• Verifiability: local or universal
• Efficiency
Our contribution
• Optimistic mixnet
  – If all servers mix correctly, verification extremely fast
  – If a server cheats, verification slower
• Application: exit-polls
• Note: Cheating by users has (almost) no impact
1. Servers sequentially mix the inputs
2. Verify the proofs of correct mixing [expensive]
   • OK: accept the output [the usual case]
   • Otherwise: remove cheaters and mix again [very rare]
Comparison of proofs of correct mixing
Scheme                                   Cost           Remark
Cut and Choose ZK [SK95,OKST97]          642nk
Pairwise Permutations [JJ99,Abe99]       14nk·log n
Matrix Representation [FS01]             36nk
Polynomial Scheme [Nef01]                16nk
Randomized Partial Checking [JJR01]      nk             Global privacy
Proof of Subproduct [BG02]               αk             Near-correct
Optimistic Mix [GZBJJ02]                 3 + 3Nk        Optimistic

n = number of inputs, k = number of servers
Optimistic Mixing
Zoology of Mix Networks
• Decryption Mix Nets [Cha81,…]:
  – Inputs: ciphertexts
  – Outputs: decryption of the inputs
• Re-encryption Mix Nets [PIK93,…]:
  – Inputs: ciphertexts
  – Outputs: re-encryption of the inputs
[Figure: Inputs → ? → Outputs]
ElGamal Cryptosystem
• ElGamal is a randomized public-key cryptosystem
• Plaintexts in a group G of prime order q
• Ciphertexts are pairs (a,b) where a,b in G.
• Malleable: $E_r(m) \rightarrow E_{r+s}(m)$
• ZK proof that two CT decrypt to the same PT (1 exp)
• Multiplicative homomorphism: $E(m),\ E(m') \rightarrow E(mm')$
Re-encryption Mixnet
0. Setup: mix servers generate a shared ElGamal key
1. Users encrypt their inputs
2. Encrypted inputs are mixed
3. A quorum of mix servers decrypts the outputs
[Figure: Inputs, encrypted with Pub-key → Server 1 → Server 2 → Server 3 → Outputs, decrypted with Priv-key; each server re-encrypts & mixes and gives a Proof]
Problem
• Mix servers must prove correct re-encryption
  – Inputs: n ElGamal ciphertexts $E(m_i)$
  – Outputs: n ElGamal ciphertexts $E(m'_i)$
• Mix proves that there is a permutation π such that
  $E(m'_i) = E(m_{\pi(i)})$ for $i = 1, \ldots, n$
  without revealing π.
Our techniques to Prove Correct Re-encryption
1. Proof of product with checksum: verification that the mix is product-preserving
2. Double envelope: inputs are encrypted twice
Proof of Product
• Mix server:
  – Receives: n ElGamal ciphertexts $E(m_i)$
  – Produces: n ElGamal ciphertexts $E(m'_i)$
• Verifier:
  – Computes: $E(\prod_{i=1}^{n} m_i)$ and $E(\prod_{i=1}^{n} m'_i)$
  – Asks Mix for ZK proof that these CT decrypt to same PT.
• Observations:
  – Honest mix can always give this proof
  – Verification is necessary but not sufficient
  – Idea: append a cryptographic checksum to the inputs
Proof of Product with Checksum
• Inputs: $m_i$ = E( Input || Checksum(Input) )
• Outputs: $m'_i$ = E( Input || Checksum(Input) )
• Proposition: If
  – All input checksums are correct
  – $\prod m_i = \prod m'_i$
  – All output checksums are correct
  Then $\{m_i\} = \{m'_i\}$ with all but negligible probability
Proof of Product with Checksum
1. Submission of inputs: $E(m_i)$ = E( Input || Checksum(Input) )
2. Mixing
3. Each mix proves $E(\prod m_i) = E(\prod m'_i)$
   • Mixes which fail are kicked out
4. Decryption: $m_i$ = Input || Checksum(Input)
5. Verification of checksum:
   • All checksums OK ⇒ $\{m_i\} = \{m'_i\}$
   • Otherwise: either a mix or a user cheated
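Added example (not from the original slides): a toy Python run of the proof of product with checksum, showing why the product check from the "Proof of Product" slide is necessary but not sufficient, and how the checksum verification in step 5 exposes a product-preserving substitution. Assumptions: a toy group Z_p^* with p = 2^127 - 1 rather than a prime-order group, truncated SHA-256 as the Checksum, direct decryption of the two products standing in for the ZK proof, and illustrative function names throughout.

```python
import hashlib
import secrets
from functools import reduce
# Toy group (assumption, NOT secure): Z_p^*, p = 2^127 - 1; the slides use a prime-order group G.
P, G = 2**127 - 1, 3
X = secrets.randbelow(P - 2) + 1   # private key; shared among the mixes in the real scheme
Y = pow(G, X, P)                   # public key

def enc(m):
    r = secrets.randbelow(P - 2) + 1
    return (pow(G, r, P), m * pow(Y, r, P) % P)

def dec(ct):
    return ct[1] * pow(ct[0], -X, P) % P          # b / a^x (Python 3.8+)

def mul(c1, c2):                                  # E(m), E(m') -> E(mm')
    return (c1[0] * c2[0] % P, c1[1] * c2[1] % P)

def checksum(inp):                                # assumed checksum: truncated SHA-256
    return int.from_bytes(hashlib.sha256(inp.to_bytes(4, "big")).digest()[:8], "big")

def encode(inp):                                  # Input || Checksum(Input)
    return (inp << 64) | checksum(inp)

def checksum_ok(m):
    inp, tag = m >> 64, m & (2**64 - 1)
    return inp < 2**32 and checksum(inp) == tag

def honest_mix(cts):
    out = [mul(c, enc(1)) for c in cts]           # re-encrypt: E_r(m) -> E_{r+s}(m)
    secrets.SystemRandom().shuffle(out)           # secret permutation
    return out

def cheating_mix(cts):
    out = honest_mix(cts)
    # Product-preserving tampering: two outputs become E(m1*m2) and E(1)
    out[0], out[1] = mul(out[0], out[1]), enc(1)
    return out

def verify(inputs, outputs):
    # Stand-in for the ZK proof: compare the decrypted products directly
    product_ok = dec(reduce(mul, inputs)) == dec(reduce(mul, outputs))
    return product_ok, all(checksum_ok(dec(c)) for c in outputs)

def demo():
    inputs = [enc(encode(v)) for v in (11, 22, 33, 44)]   # constructed sample inputs
    return verify(inputs, honest_mix(inputs)), verify(inputs, cheating_mix(inputs))
```

`demo()` returns the (product check, checksum check) pair for the honest mix and for the tampering mix: the product check passes in both cases, and only the checksums separate them.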
Incorrect Output Checksums
• Cheating by user:
  – Input submitted with incorrect Checksum
  – We do not (cannot) verify that input checksums are OK
  – This cheating is harmless
• Cheating by mix server:
  – One (or several) servers produced corrupted output(s)
  – This cheating is serious:
    • The mix server can trace selected inputs
    • The harm is already done by the time cheating is discovered
Double Envelope
[Figure: Replace "Input || Checksum(Input)" with "Input || Checksum(Input)" in a double envelope]
Optimistic Mixnet
1. Submission of inputs: $E(m_i)$ = Input || Checksum(Input), in a double envelope
2. Mixing
3. Each mix proves $E(\prod m_i) = E(\prod m'_i)$
   • Mixes which fail are kicked out
4. Partial decryption: $m_i$ = Input || Checksum(Input)
5. Verification of checksums…
Optimistic Mixnet (cont’d)
5. Verification of checksum:
   • All checksums OK ⇒ $\{m_i\} = \{m'_i\}$ ⇒ We are done!
   • Otherwise: either a mix or a user cheated
6. Investigation of user cheating:
   • Mixes must trace every bad output to a bad input.
   • No privacy for cheating users!
   • If every bad output successfully traced, We are done!
7. Otherwise mix servers cheated:
   • The checksums are discarded
   • The Inputs are mixed again with standard mix
Properties of Optimistic Mixnet
• Privacy: for honest users only
• Correctness: OK (if discrete log is hard in $Z_p$)
• Robustness: up to a minority of faulty servers
• Efficiency:
  – Mix: 6n exponentiations
  – Proof: 3 + 3Nk exponentiations
  – Plus cost of alternative decryption if a mix server cheats
  – The expensive operation is the mix, not the proof.
Conclusion
• Optimistic mix based on 2 new techniques:
  – Proof of product with checksum
  – Double envelope
• Optimistic mix is extremely fast when no server cheats. Cheating by users has minimal impact on performance
• When a server cheats:
  – Cheating is detected
  – It does not compromise the privacy of users
  – It only causes the mix to run slower
• Application: exit-polls