Advances in Cryptology — EUROCRYPT 2000

Volume 1807 of the series Lecture Notes in Computer Science pp 557-572


How to Break a Practical MIX and Design a New One

  • Yvo Desmedt, affiliated with Department of Computer Science, Florida State University; Dept. of Mathematics, Royal Holloway, University of London
  • Kaoru Kurosawa, affiliated with Dept. of Electrical and Electronic Engineering, Faculty of Engineering, Tokyo Institute of Technology


A MIX net takes a list of ciphertexts $(c_1, \ldots, c_N)$ and outputs a permuted list of the plaintexts $(m_1, \ldots, m_N)$ without revealing the relationship between $(c_1, \ldots, c_N)$ and $(m_1, \ldots, m_N)$. This paper first shows that Jakobsson's MIX net of Eurocrypt '98, which was believed to be resilient and very efficient, is broken. We next propose an efficient $t$-resilient MIX net with $O(t^2)$ servers in which the cost of each MIX server is $O(N)$. Two new concepts are introduced: existential-honesty and limited-open-verification. They will be useful for distributed computation in general.