Abstract
Randomized Partial Checking (RPC) [16] was proposed by Jakobsson, Juels, and Rivest and attracted attention as an efficient method of verifying the correctness of the mixing process in numerous applied scenarios. In fact, RPC is a building block for many electronic voting schemes, including Prêt à Voter [6], Civitas [9], and Scantegrity II [5], as well as voting systems used in real-world elections (e.g., in Australia [4]). Mixing is also used in anonymous transfers of cryptocurrencies. However, a series of works [17, 18] showed subtle issues with the analyses behind RPC. First, the actual security level of the RPC protocol is far below the bounds claimed in [16]: the probability of successfully manipulating k votes is \((\frac{3}{4})^k\) instead of the claimed \(\frac{1}{2^k}\). This difference, in turn, negatively affects actual implementations of the notion within existing election systems, since the length of the concrete implemented procedures was chosen directly from this parameter. Further, the privacy guarantee [11] that a constant number of mix-servers is enough also turned out [17] to be incorrect. We conclude from the above that the analyses of the mixing processes are not trivial.
In this paper, we review the relevant attacks, and we present Mirrored-RPC (mRPC) – a fix to RPC based on “mirrored commitment” which makes it optimally secure; namely, the probability of successful manipulation of k votes is \(\frac{1}{2^k}\).
Then, we present an analysis of the privacy level of both RPC and mRPC. We show that for n messages, the number of mix-servers (rounds) needed to be \(\varepsilon \)-close to the uniform distribution in total variation distance is lower bounded by:
This proof of privacy, in turn, gives insights into the anonymity of various cryptocurrencies (e.g., Zerocash [23]) using anonymizing pools. If a random fraction q of the n existing coins is mixed (in each block), then to achieve full anonymity the number of blocks one needs to run the protocol for is:
Notes
1. As most authors do, we refer to the Pairwise Dependent Selection scheme as the original RPC.
References
Aldous, D., Diaconis, P.: Shuffling cards and stopping times. Am. Math. Mon. 93(5), 333–348 (1986)
Aldous, D., Diaconis, P.: Strong uniform times and finite random walks. Adv. Appl. Math. 8(1), 69–97 (1987)
Bellare, M., Desai, A., Pointcheval, D., Rogaway, P.: Relations among notions of security for public-key encryption schemes. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 26–45. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055718
Burton, C., Culnane, C., Heather, J., Peacock, T., Ryan, P.Y.A., Schneider, S.A., Teague, V., Wen, R., Xia, Z., Srinivasan, S.: Using Prêt à Voter in Victoria state elections. In: EVT/WOTE 2012 (2012)
Carback, R.T., et al.: The scantegrity voting system and its use in the takoma park elections. In: Real-World Electronic Voting, pp. 253–292. Auerbach Publications (2016)
Chaum, D., Ryan, P.Y.A., Schneider, S.: A practical voter-verifiable election scheme. In: di Vimercati, S.C., Syverson, P., Gollmann, D. (eds.) ESORICS 2005. LNCS, vol. 3679, pp. 118–139. Springer, Heidelberg (2005). https://doi.org/10.1007/11555827_8
Chaum, D.L.: Untraceable electronic mail, return addresses, and digital pseudonyms. Commun. ACM 24(2), 84–90 (1981)
Chen, C., Asoni, D.E., Barrera, D., Danezis, G., Perrig, A.: Hornet: high-speed onion routing at the network layer. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 1441–1454 (2015)
Clarkson, M.R., Chong, S., Myers, A.C.: Civitas: toward a secure voting system. In: 2008 IEEE Symposium on Security and Privacy (S &P 2008), pp. 354–368. IEEE (2008)
Gjøsteen, K.: The Norwegian internet voting protocol. In: Kiayias, A., Lipmaa, H. (eds.) Vote-ID 2011. LNCS, vol. 7187, pp. 1–18. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32747-6_1
Gomułkiewicz, M., Klonowski, M., Kutyłowski, M.: Rapid mixing and security of Chaum’s visual electronic voting. In: Snekkenes, E., Gollmann, D. (eds.) ESORICS 2003. LNCS, vol. 2808, pp. 132–145. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-39650-5_8
Groth, J., Ishai, Y.: Sub-linear zero-knowledge argument for correctness of a shuffle. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 379–396. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_22
Haenni, R., Koenig, R.E., Locher, P., Dubuis, E.: Chvote system specification (2017)
Haines, T., Müller, J.: Optimal randomized partial checking for decryption mix nets. In: Baek, J., Ruj, S. (eds.) ACISP 2021. LNCS, vol. 13083, pp. 277–292. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-90567-5_14
Haines, T., Müller, J.: Sok: techniques for verifiable mix nets. In: 2020 IEEE 33rd Computer Security Foundations Symposium (CSF), pp. 49–64 (2020)
Jakobsson, M., Juels, A., Rivest, R.L.: Making mix nets robust for electronic voting by randomized partial checking. In: USENIX Security Symposium, San Francisco, USA, pp. 339–353 (2002)
Khazaei, S., Wikström, D.: Randomized partial checking revisited. In: Dawson, E. (ed.) CT-RSA 2013. LNCS, vol. 7779, pp. 115–128. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36095-4_8
Küsters, R., Truderung, T., Vogt, A.: Formal analysis of Chaumian mix nets with randomized partial checking. In: 2014 IEEE Symposium on Security and Privacy, pp. 343–358. IEEE (2014)
Lorek, P., Kulis, M., Zagórski, F.: Leakage-resilient riffle shuffle. In: Blömer, J., Kotsireas, I.S., Kutsia, T., Simos, D.E. (eds.) MACIS 2017. LNCS, vol. 10693, pp. 395–408. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-72453-9_32
Miers, I., Garman, C., Green, M., Rubin, A.D.: Zerocoin: anonymous distributed e-cash from bitcoin. In: 2013 IEEE Symposium on Security and Privacy, pp. 397–411. IEEE (2013)
Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_9
Piotrowska, A.M., Hayes, J., Elahi, T., Meiser, S., Danezis, G.: The Loopix anonymity system. In: 26th USENIX Security Symposium (USENIX Security 17), pp. 1199–1216 (2017)
Sasson, E.B., et al.: Zerocash: decentralized anonymous payments from bitcoin. In: 2014 IEEE Symposium on Security and Privacy, pp. 459–474. IEEE (2014)
Toledo, R.R., Danezis, G., Echizen, I.: Mix-ORAM: using delegated shuffles. In: Proceedings of the 2017 on Workshop on Privacy in the Electronic Society, pp. 51–61 (2017)
van Saberhagen, N.: Cryptonote v 1.0 (2012). https://cryptonote.org/whitepaperv1.pdf (2021)
Wikström, D.: A commitment-consistent proof of a shuffle. In: Boyd, C., González Nieto, J. (eds.) ACISP 2009. LNCS, vol. 5594, pp. 407–421. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-02620-1_28
Wikström, D.: Verificatum (2018). https://www.verificatum.org/
A Proofs
A.1 Proof of Lemma 4
Proof
Recall that \(I_j\) is the subset of [n] for which the left link is revealed (challenge bit is set to 0). Let us denote \(S_{j,0}= I_j\) and \(S_{j,1}=[n]\setminus I_j\), i.e., those messages for which the right link is revealed (challenge bit 1). In terms of an audit string \(B_j=b_{j,1} b_{j,2}\ldots b_{j,n}\), we may rewrite \(S_{j,b}=\{i: b_{j,i}=b\}.\)
If two elements x, y are not mixed in the \(M_j\) mix, it means that \(x \in S_{j,b}\) and \(y \in S_{j,1-b}\) for \(b \in \{0, 1\}\).
Let us compare distance between the uniform distribution \(\mathcal {U}(\mathcal {S}_n)\) on n-element permutations to the distribution \(\mathcal {L}({\textsf {RPC}} _{r, n})\) when \(n \ge \sqrt{2^r}\).
From Lemma 3, with high probability there exist two mix entries x, y that are not yet mixed after r steps. It means that \(x \in S_{1, b_1}, S_{2, b_2}, \ldots , S_{r, b_r}\) and \(y \in S_{1, 1-b_1}, S_{2, 1-b_2}, \ldots , S_{r, 1-b_r}\) for some \(b_1, \ldots , b_r \in \{0, 1\}\).
Let \(\mathcal {S}_n^0\) be the set of all permutations for which \(x \in S_{r, b}\) and \(y \in S_{r, 1-b}\) for \(b=0,1\). From the assumptions we have that \(|S_{r,0}|=m\). From Lemma 3, with high probability, only permutations from \(\mathcal {S}_n^0\) have nonzero probabilities in distribution \(\mathcal {L}({\textsf {RPC}} _{r, \sqrt{2^r}})\). In other words, we can write that the probability of \(\sigma \) under \(\mathcal {L}({\textsf {RPC}} _{r, \sqrt{2^r}})\) is \(f(\sigma )\) such that
for some distribution f on \(\mathcal {S}^0\) (Fig. 23).
Now, let us compute the distance between uniform distribution and the distribution \(\mathcal {L}({\textsf {RPC}} _{r, n})\) for a set of permutations \(\mathcal {S}_n^0\) such that m left links were opened, i.e., \(|I_r|=|S_{r,0}|=m\).
Noting that
we have
The worst case is when exactly half of the left links are open (say n is even), i.e., \(m=n/2\); then
A.2 Proof of Lemma 6
Proof
We will use some tools from Markov chain theory. We will consider two chains \(\{X_t\}_{t\ge 0}, \{Y_t\}_{t\ge 0}\) on \(\mathcal {S}_n\). We set \(X_0=Y_0\) to be the identity permutation (note that \({\textsf {RPC}} _{0,n}\) is the identity permutation).
Recall that server j performs permutations \(\pi _{2j-1}\) and \(\pi _{2j}\), in total 2r permutations are performed.
Concerning \(X_{t+1}\): it is \(X_{t}\) to which we apply a uniformly random permutation \(\pi _{t}=(\pi _t(1),\ldots ,\pi _t(n))\) (note that then \(X_t\sim \mathcal {U}(\mathcal {S}_n)\) for any \(t\ge 1\)).
Note that in Scheme One each server performs independent, identically distributed steps. That is why we will look at the distribution after each application of \(\pi _t\).
Concerning \(Y_{t}\), this is \(X_{t}\) with the following extra knowledge. Let \(B_t=b_{t,1},\ldots ,b_{t,n}\) be the n random bits chosen independently from the distribution \(P(b_{t,i}=0)=p=1-P(b_{t,i}=1)\).
Now assume that the entries \(S_{t,0}=\{i: b_{t,i}=0\}\) of the permutation \(\pi _t\) are opened. \(Y_{t}\) has the distribution of \(X_{t}\) conditioned on the knowledge of \(B_1,\ldots ,B_t\). This corresponds to \({\textsf {RPC}} _{t,n}\). Since \(\{Y_t\}_{t\ge 0}\) is ergodic and aperiodic, the uniform distribution is its stationary distribution. By \(\mathcal {L}(Y_t)\) we denote the distribution of \(Y_t\).
We will use the strong stationary times (SST) approach (introduced in [1, 2]). We say that T is an SST for \(\{Y_t\}\) if for any permutation \(\sigma \) we have \(P(Y_t=\sigma |T=t)=1/n!\). For such an SST we have \(\text {TVD}\left[ \mathcal {L}(Y_t),\mathcal {U}(\mathcal {S}_n)\right] \le P(T>t)\) (see, e.g., Theorem 6 in [1]).
Let us define
i.e., this is the first time that both elements i and j were not opened. At this time the relative ordering of i and j is random (since \(\pi _k\) is uniformly random). Note that the probability that this will not happen in one step is \(1-(1-p)^2\) (at least one entry was opened), thus \(P(T_{ij}>t)=(1-(1-p)^2)^t\).
Now, let T be the first time when all the pairs of elements were not opened in at least one step. It means that all \({n\atopwithdelims ()2}\) pairs are in random relative order – and that means that the permutation itself is random (since \(\pi _t\)’s are uniformly random). In other words, T is an SST for \(\{Y_t\}\). We may compute
Taking \(t=\log _{1\over 1-(1-p)^2}\left[ {n\atopwithdelims ()2}/\varepsilon \right] \), we have \(\textrm{TVD}\left[ \mathcal {L}(Y_t),\mathcal {U}(\mathcal {S}_n)\right] \le \varepsilon \). In total there are \(t=2r\) permutations, which completes the proof.
A.3 Proof of Lemma 7
Proof
The proof is similar to the proof of Lemma 6. The t-th server applies two permutations \(\pi _{2t-1}\) and \(\pi _{2t}\); after the first one, each left link is opened independently with probability p, i.e., \(B_{2t-1}=b_{2t-1,1},\ldots ,b_{2t-1,n}\) with i.i.d. \(P(b_{2t-1,j}=0)=p=1-P(b_{2t-1,j}=1), j=1,\ldots ,n\). The audit string \(B_{2t}\), however, is uniquely determined:
The situation is depicted in Fig. 24. Again, let
i.e., this is the first moment at which elements i and j were both unopened in the same permutation. Consider steps \(2t-1\) and 2t: the elements i and j will both be unopened in one of these two steps if i) they are both revealed in step \(2t-1\) (then both are unopened in step 2t); or ii) they are both not opened in step \(2t-1\). Thus, the pair will not be mixed in steps \(2t-1\) and 2t exactly when one of them is opened in step \(2t-1\) and the other is not, which happens with probability \(2p(1-p)\). We have
Again, since all permutations \(\pi _t\)’s are random, the first moment T when all the pairs are mixed is an SST, and we have (consider t even)
Taking the last step, i.e., \(t=2r\), we have that \(r=\log _{1\over 2p(1-p)}\left[ {n\atopwithdelims ()2}/\varepsilon \right] \), which completes the proof.
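The round bounds obtained in the proofs of Lemma 6 and Lemma 7, together with a Monte Carlo estimate of the strong stationary time T that both proofs rely on, as an added example (this is not code from the paper; the function names, the constructed audit bits and the sample parameters are the editor's own assumptions). Here p is the probability that a left link is opened (audit bit 0), as in the proofs.

```python
"""Added example (not part of the paper): round bounds from the proofs of
Lemma 6 (independent audit bits) and Lemma 7 (mirrored audit bits), plus a
Monte Carlo estimate of the strong stationary time T used in the Lemma 6 proof.
p is the probability that a left link is opened (audit bit 0)."""
import math
import random


def pairs(n: int) -> int:
    """Number of element pairs, C(n, 2)."""
    return n * (n - 1) // 2


def tvd_bound_independent(n: int, p: float, t: int) -> float:
    """Union bound P(T > t) <= C(n,2) * (1 - (1-p)^2)^t after t permutations."""
    return pairs(n) * (1 - (1 - p) ** 2) ** t


def rounds_independent(n: int, p: float, eps: float) -> int:
    """Servers r = t/2 with t = log_{1/(1-(1-p)^2)}(C(n,2)/eps), rounded up (Lemma 6)."""
    t = math.log(pairs(n) / eps) / math.log(1 / (1 - (1 - p) ** 2))
    return math.ceil(t / 2)


def rounds_mirrored(n: int, p: float, eps: float) -> int:
    """Servers r = log_{1/(2p(1-p))}(C(n,2)/eps), rounded up (Lemma 7)."""
    return math.ceil(math.log(pairs(n) / eps) / math.log(1 / (2 * p * (1 - p))))


def sst_independent(n: int, p: float, rng: random.Random) -> int:
    """Simulate T: the first step by which every pair has, in at least one step,
    had both of its links unopened. Audit bits are constructed i.i.d. with
    P(bit = 0) = p, exactly the model of the Lemma 6 proof."""
    unmixed = {(i, j) for i in range(n) for j in range(i + 1, n)}
    t = 0
    while unmixed:
        t += 1
        hidden = [rng.random() >= p for _ in range(n)]  # True = link not opened
        unmixed = {(i, j) for (i, j) in unmixed if not (hidden[i] and hidden[j])}
    return t


def estimate_tail(n: int, p: float, t: int, trials: int = 2000, seed: int = 1) -> float:
    """Monte Carlo estimate of P(T > t); the union bound above must dominate it."""
    rng = random.Random(seed)
    return sum(sst_independent(n, p, rng) > t for _ in range(trials)) / trials


if __name__ == "__main__":
    print(rounds_independent(1000, 0.5, 0.01), rounds_mirrored(1000, 0.5, 0.01))
    print(estimate_tail(4, 0.5, 10), tvd_bound_independent(4, 0.5, 10))
```

Comparing `estimate_tail` with `tvd_bound_independent` for the same (n, p, t) shows how loose the union bound over pairs is for small n.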
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
Lorek, P., Yung, M., Zagórski, F. (2024). Mirrored Commitment: Fixing “Randomized Partial Checking” and Applications. In: Pöpper, C., Batina, L. (eds) Applied Cryptography and Network Security. ACNS 2024. Lecture Notes in Computer Science, vol 14585. Springer, Cham. https://doi.org/10.1007/978-3-031-54776-8_1
DOI: https://doi.org/10.1007/978-3-031-54776-8_1
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-54775-1
Online ISBN: 978-3-031-54776-8