
Mirrored Commitment: Fixing “Randomized Partial Checking” and Applications

Conference paper in: Applied Cryptography and Network Security (ACNS 2024)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 14585))

Abstract

Randomized Partial Checking (RPC) [16] was proposed by Jakobsson, Juels, and Rivest and attracted attention as an efficient method of verifying the correctness of the mixing process in numerous applied scenarios. In fact, RPC is a building block for many electronic voting schemes, including Prêt à Voter [6], Civitas [9], Scantegrity II [5], as well as voting systems used in real-world elections (e.g., in Australia [4]). Mixing is also used in anonymous transfers of cryptocurrencies. A series of works [17, 18], however, showed subtle issues with the analyses behind RPC. First, the actual security level of the RPC protocol is far below the claimed [16] bounds: the probability of successfully manipulating k votes is \((\frac{3}{4})^k\) instead of the claimed \(\frac{1}{2^k}\). This difference, in turn, negatively affects actual implementations of the notion within existing election systems, since the concrete implemented procedures of a given length were directly based on this parameter. Further, the privacy guarantee [11] that a constant number of mix-servers is enough also turned out [17] to be incorrect. We conclude from the above that analyses of mixing processes are far from trivial.

In this paper, we review the relevant attacks, and we present Mirrored-RPC (mRPC) – a fix to RPC based on “mirrored commitment” which makes it optimally secure; namely, having a probability of successful manipulation of k votes \(\frac{1}{2^k}\).

Then, we present an analysis of the privacy level of both RPC and mRPC. We show that for n messages, the number of mix-servers (rounds) needed to be \(\varepsilon \)-close to the uniform distribution in total variation distance is lower bounded by:

$$ r(n, \varepsilon ) \ge \log _{2} \binom{n}{2} / \varepsilon . $$

This proof of privacy, in turn, gives insights into the anonymity of various cryptocurrencies (e.g., Zerocash [23]) that use anonymizing pools. If a random fraction q of the n existing coins is mixed in each block, then to achieve full anonymity the number of blocks for which one needs to run the protocol is:

$$ rb(n, q, \varepsilon ) \ge - \frac{\log n + \log (n-1) - \log (2\varepsilon )}{\log (1-q^2)} . $$


Notes

  1. Like most authors, we refer to the Pairwise Dependent Selection scheme as the original RPC.

References

  1. Aldous, D., Diaconis, P.: Shuffling cards and stopping times. Am. Math. Mon. 93(5), 333–348 (1986)

  2. Aldous, D., Diaconis, P.: Strong uniform times and finite random walks. Adv. Appl. Math. 8(1), 69–97 (1987)

  3. Bellare, M., Desai, A., Pointcheval, D., Rogaway, P.: Relations among notions of security for public-key encryption schemes. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 26–45. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055718

  4. Burton, C., Culnane, C., Heather, J., Peacock, T., Ryan, P.Y.A., Schneider, S.A., Teague, V., Wen, R., Xia, Z., Srinivasan, S.: Using Prêt à Voter in Victoria state elections. EVT/WOTE 2 (2012)

  5. Carback, R.T., et al.: The Scantegrity voting system and its use in the Takoma Park elections. In: Real-World Electronic Voting, pp. 253–292. Auerbach Publications (2016)

  6. Chaum, D., Ryan, P.Y.A., Schneider, S.: A practical voter-verifiable election scheme. In: di Vimercati, S.C., Syverson, P., Gollmann, D. (eds.) ESORICS 2005. LNCS, vol. 3679, pp. 118–139. Springer, Heidelberg (2005). https://doi.org/10.1007/11555827_8

  7. Chaum, D.L.: Untraceable electronic mail, return addresses, and digital pseudonyms. Commun. ACM 24(2), 84–90 (1981)

  8. Chen, C., Asoni, D.E., Barrera, D., Danezis, G., Perrig, A.: HORNET: high-speed onion routing at the network layer. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 1441–1454 (2015)

  9. Clarkson, M.R., Chong, S., Myers, A.C.: Civitas: toward a secure voting system. In: 2008 IEEE Symposium on Security and Privacy (S&P 2008), pp. 354–368. IEEE (2008)

  10. Gjøsteen, K.: The Norwegian internet voting protocol. In: Kiayias, A., Lipmaa, H. (eds.) Vote-ID 2011. LNCS, vol. 7187, pp. 1–18. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32747-6_1

  11. Gomułkiewicz, M., Klonowski, M., Kutyłowski, M.: Rapid mixing and security of Chaum’s visual electronic voting. In: Snekkenes, E., Gollmann, D. (eds.) ESORICS 2003. LNCS, vol. 2808, pp. 132–145. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-39650-5_8

  12. Groth, J., Ishai, Y.: Sub-linear zero-knowledge argument for correctness of a shuffle. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 379–396. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_22

  13. Haenni, R., Koenig, R.E., Locher, P., Dubuis, E.: CHVote system specification (2017)

  14. Haines, T., Müller, J.: Optimal randomized partial checking for decryption mix nets. In: Baek, J., Ruj, S. (eds.) ACISP 2021. LNCS, vol. 13083, pp. 277–292. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-90567-5_14

  15. Haines, T., Müller, J.: SoK: techniques for verifiable mix nets. In: 2020 IEEE 33rd Computer Security Foundations Symposium (CSF), pp. 49–64 (2020)

  16. Jakobsson, M., Juels, A., Rivest, R.L.: Making mix nets robust for electronic voting by randomized partial checking. In: USENIX Security Symposium, San Francisco, USA, pp. 339–353 (2002)

  17. Khazaei, S., Wikström, D.: Randomized partial checking revisited. In: Dawson, E. (ed.) CT-RSA 2013. LNCS, vol. 7779, pp. 115–128. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36095-4_8

  18. Küsters, R., Truderung, T., Vogt, A.: Formal analysis of Chaumian mix nets with randomized partial checking. In: 2014 IEEE Symposium on Security and Privacy, pp. 343–358. IEEE (2014)

  19. Lorek, P., Kulis, M., Zagórski, F.: Leakage-resilient riffle shuffle. In: Blömer, J., Kotsireas, I.S., Kutsia, T., Simos, D.E. (eds.) MACIS 2017. LNCS, vol. 10693, pp. 395–408. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-72453-9_32

  20. Miers, I., Garman, C., Green, M., Rubin, A.D.: Zerocoin: anonymous distributed e-cash from Bitcoin. In: 2013 IEEE Symposium on Security and Privacy, pp. 397–411. IEEE (2013)

  21. Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_9

  22. Piotrowska, A.M., Hayes, J., Elahi, T., Meiser, S., Danezis, G.: The Loopix anonymity system. In: 26th USENIX Security Symposium (USENIX Security 17), pp. 1199–1216 (2017)

  23. Sasson, E.B., et al.: Zerocash: decentralized anonymous payments from Bitcoin. In: 2014 IEEE Symposium on Security and Privacy, pp. 459–474. IEEE (2014)

  24. Toledo, R.R., Danezis, G., Echizen, I.: Mix-ORAM: using delegated shuffles. In: Proceedings of the 2017 Workshop on Privacy in the Electronic Society, pp. 51–61 (2017)

  25. van Saberhagen, N.: CryptoNote v 1.0 (2012). https://cryptonote.org/whitepaperv1.pdf (2021)

  26. Wikström, D.: A commitment-consistent proof of a shuffle. In: Boyd, C., González Nieto, J. (eds.) ACISP 2009. LNCS, vol. 5594, pp. 407–421. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-02620-1_28

  27. Wikström, D.: Verificatum (2018). https://www.verificatum.org/


Author information

Corresponding author: Filip Zagórski.

A Proofs

A.1 Proof of Lemma 4

Proof

Recall that \(I_j\) is the subset of [n] for which the left link is revealed (challenge bit set to 0). Let us denote \(S_{j,0}= I_j\) and \(S_{j,1}=[n]\setminus I_j\), i.e., the messages for which the right link is revealed (challenge bit 1). In terms of the audit string \(B_j=b_{j,1} b_{j,2}\ldots b_{j,n}\), we may write \(S_{j,b}=\{i: b_{j,i}=b\}.\)

If two elements \(x, y\) are not mixed by the mix \(M_j\), it means that \(x \in S_{j,b}\) and \(y \in S_{j,1-b}\) for some \(b \in \{0, 1\}\).

Let us compare the distance between the uniform distribution \(\mathcal {U}(\mathcal {S}_n)\) on n-element permutations and the distribution \(\mathcal {L}({\textsf {RPC}} _{r, n})\) when \(n \ge \sqrt{2^r}\).

By Lemma 3, with high probability there exist two mix entries \(x, y\) that are not yet mixed after r steps. It means that \(x \in S_{1, b_1}, S_{2, b_2}, \ldots , S_{r, b_r}\) and \(y \in S_{1, 1-b_1}, S_{2, 1-b_2}, \ldots , S_{r, 1-b_r}\) for some \(b_1, \ldots , b_r \in \{0, 1\}\).

Let \(\mathcal {S}_n^0\) be the set of all permutations for which \(x \in S_{r, b}\) and \(y \in S_{r, 1-b}\) for \(b=0,1\). From the assumptions we have \(|S_{r,0}|=m\). By Lemma 3, with high probability only permutations from \(\mathcal {S}_n^0\) have nonzero probability under the distribution \(\mathcal {L}({\textsf {RPC}} _{r, \sqrt{2^r}})\). In other words, the probability of \(\sigma \) under \(\mathcal {L}({\textsf {RPC}} _{r, \sqrt{2^r}})\) is \(f(\sigma )\) such that

$$ f(\sigma ) \begin{cases} > 0 & \text { if } \sigma \in \mathcal {S}_n^0, \\ = 0 & \text {otherwise}, \end{cases} $$

for some distribution f on \(\mathcal {S}_n^0\) (Fig. 23).

Fig. 23. (figure) Representation of sets \(S_{1,0}, S_{1,1}\) for \(M_1\) and sets \(S_{2,0}, S_{2,1}\) for \(M_2\). Audit/challenge bits \(A_1, A_2\) for \(M_1, M_2\) are presented next to columns \(C_1, C_3\). Sets \(S_{j,0}\) are denoted by and sets \(S_{j,1}\) are denoted by .

Now, let us compute the distance between the uniform distribution and the distribution \(\mathcal {L}({\textsf {RPC}} _{r, n})\) on the set of permutations \(\mathcal {S}_n^0\) for which m left links were opened, i.e., \(|I_r|=|S_{r,0}|=m\).

$$ \begin{aligned} &\text {TVD}\left[ \mathcal {U}(\mathcal {S}_n),\mathcal {L}({\textsf {RPC}} _{r, n}) \ \big | \ |S_{r,0}|=m\right] \\ &\quad = \frac{1}{2}\left( \sum _{\substack{\sigma \in \mathcal {S}_n^0 \\ |S_{r,0}|=m}} \left| f(\sigma )-\frac{1}{n!}\right| +\sum _{\substack{\sigma \notin \mathcal {S}_n^0 \\ |S_{r,0}|=m}} \frac{1}{n!}\right) \ge \frac{1}{2}\left( \sum _{\substack{\sigma \in \mathcal {S}_n^0 \\ |S_{r,0}|=m}} \left( f(\sigma )-\frac{1}{n!}\right) +\sum _{\substack{\sigma \notin \mathcal {S}_n^0 \\ |S_{r,0}|=m}} \frac{1}{n!}\right) \\ &\quad = \frac{1}{2} + \frac{1}{2}\left( \sum _{\substack{\sigma \notin \mathcal {S}_n^0 \\ |S_{r,0}|=m}} \frac{1}{n!} -\sum _{\substack{\sigma \in \mathcal {S}_n^0 \\ |S_{r,0}|=m}} \frac{1}{n!}\right) = \frac{1}{2} + \frac{1}{2\,n!} \left( n!-2\,|\{\sigma \in \mathcal {S}_n^0: |S_{r,0}|=m\}|\right) \\ &\quad = 1-\frac{|\{\sigma \in \mathcal {S}_n^0: |S_{r,0}|=m\}|}{n!}. \end{aligned} $$

Noting that

$$|\{\sigma \in \mathcal {S}_n^0: |S_{r,0}|=m\}|=2m(n-m)(n-2)!$$

we have

$$\text {TVD}\left[ \mathcal {U}(\mathcal {S}_n),\mathcal {L}({\textsf {RPC}} _{r, n}) \ \big | \ |S_{r,0}|=m\right] \ge 1-{2\,m(n-m)\over n(n-1)}.$$

The worst case is when exactly half of the left links are open (say n is even), i.e., \(m=n/2\); then

$$ \begin{aligned} \text {TVD}\left[ \mathcal {U}(\mathcal {S}_n),\mathcal {L}({\textsf {RPC}} _{r, n}) \ \big | \ |S_{r,0}|=m\right] &\ge \text {TVD}\left[ \mathcal {U}(\mathcal {S}_n),\mathcal {L}({\textsf {RPC}} _{r, n}) \ \big | \ |S_{r,0}|=n/2\right] \\ &\ge 1-\frac{2 \cdot \frac{n}{2} \cdot \frac{n}{2}}{n(n-1)} =\frac{1}{2} - \frac{1}{2(n-1)}. \end{aligned} $$

A.2 Proof of Lemma 6

Proof

We will use some tools from Markov chain theory. We will consider two chains \(\{X_t\}_{t\ge 0}, \{Y_t\}_{t\ge 0}\) on \(\mathcal {S}_n\). We set \(X_0=Y_0\) to be the identity permutation (note that \({\textsf {RPC}} _{0,n}\) is the identity permutation).

Recall that server j performs permutations \(\pi _{2j-1}\) and \(\pi _{2j}\); in total 2r permutations are performed.

Concerning \(X_{t+1}\): it is \(X_{t}\) to which we apply a uniformly random permutation \(\pi _{t}=(\pi _t(1),\ldots ,\pi _t(n))\) (note that then \(X_t\sim \mathcal {U}(\mathcal {S}_n)\) for any \(t\ge 1\)).

Note that in Scheme One each server independently performs identically distributed steps. That is why we will look at the distribution after each application of \(\pi _t\).

Concerning \(Y_{t}\), this is \(X_{t}\) with the following extra knowledge. Let \(B_t=b_{t,1},\ldots ,b_{t,n}\) be the n random bits chosen independently from the distribution \(P(b_{t,i}=0)=p=1-P(b_{t,i}=1)\).

Now assume that the entries \(S_{t,0}=\{j: b_{t,j}=0\}\) of the permutation \(\pi _t\) are opened. \(Y_{t}\) has the distribution of \(X_{t}\) given knowledge of \(B_1,\ldots ,B_t\). This corresponds to \({\textsf {RPC}} _{t,n}\). Since \(\{Y_t\}_{t\ge 0}\) is ergodic and aperiodic, the uniform distribution is its stationary distribution. By \(\mathcal {L}(Y_t)\) we denote the distribution of \(Y_t\).

We will use the strong stationary times (SST) approach (introduced in [1, 2]). We say that T is an SST for \(\{Y_t\}\) if for any permutation \(\sigma \) we have \(P(Y_t=\sigma |T=t)=1/n!\). For such an SST we have \(\text {TVD}\left[ \mathcal {L}(Y_t),\mathcal {U}(\mathcal {S}_n)\right] \le P(T>t)\) (see, e.g., Theorem 6 in [1]).

Let us define

$$T_{ij}=\min \{t: b_{t,i}=b_{t,j}=1\},$$

i.e., this is the first time at which both elements i and j were left unopened. At this time the relative ordering of i and j is random (since \(\pi _k\) is uniformly random). Note that the probability that this does not happen in one step is \(1-(1-p)^2\) (at least one entry was opened); thus \(P(T_{ij}>t)=(1-(1-p)^2)^t\).

Now, let T be the first time by which every pair of elements has been left unopened in at least one step. Then all \(\binom{n}{2}\) pairs are in random relative order – and that means that the permutation itself is random (since the \(\pi _t\)’s are uniformly random). In other words, T is an SST for \(\{Y_t\}\). We may compute

$$ \begin{aligned} \textrm{TVD}\left[ \mathcal {L}(Y_t),\mathcal {U}(\mathcal {S}_n)\right] &\le P(T>t) = P\left( \bigcup _{1\le i<j\le n}\{T_{ij}>t\}\right) \\ &\le \sum _{1\le i<j\le n}P(T_{ij}>t) = \sum _{1\le i<j\le n}\left( 1-(1-p)^2\right) ^t = \binom{n}{2}\left( 1-(1-p)^2\right) ^t. \end{aligned} $$

Taking \(t=\log _{\frac{1}{1-(1-p)^2}}\left[ \binom{n}{2}/\varepsilon \right] \), we have \(\textrm{TVD}\left[ \mathcal {L}(Y_t),\mathcal {U}(\mathcal {S}_n)\right] \le \varepsilon \). In total there are \(t=2r\) permutations, which completes the proof.

A.3 Proof of Lemma 7

Proof

The proof is similar to that of Lemma 6. The t-th server applies two permutations \(\pi _{2t-1}\) and \(\pi _{2t}\); then each left link is opened independently with probability p, i.e., \(B_{2t-1}=b_{2t-1,1},\ldots ,b_{2t-1,n}\) with i.i.d. \(P(b_{2t-1,j}=0)=p=P(b_{2t-1,j}=1), j=1,\ldots ,n\). However, the audit string \(B_{2t}\) is uniquely determined:

$$ B_{2t}=(b_{2t,1},\ldots ,b_{2t,n})=(1-b_{2t-1,1},\ldots ,1-b_{2t-1,n}).$$

The situation is depicted in Fig. 24. Again, let

$$T_{ij}=\min \{t:b_{t,i}=b_{t,j}=1\},$$

i.e., this is the first moment at which elements i and j were both left unopened in the same permutation. Consider steps \(2t-1\) and 2t: the elements i and j will both be opened in the same step if (i) they are both revealed in step \(2t-1\), or (ii) they are both not opened in step \(2t-1\) (since then they surely will be in the next step). Thus, the pair will not be mixed in steps \(2t-1\) and 2t with probability \(2p(1-p)\). We have

$$P(T_{ij}>2t)=\left( 2p(1-p)\right) ^t.$$

Again, since all permutations \(\pi _t\) are random, the first moment T at which all pairs have been mixed is an SST, and we have (consider t even)

$$ \begin{aligned} \textrm{TVD}\left[ \mathcal {L}(Y_t),\mathcal {U}(\mathcal {S}_n)\right] &\le P(T>t) = P\left( \bigcup _{1\le i<j\le n}\{T_{ij}>t\}\right) \\ &\le \sum _{1\le i<j\le n}P\left( T_{ij}>2\cdot \tfrac{t}{2}\right) =\sum _{1\le i<j\le n}\left( 2p(1-p)\right) ^{t/2} = \binom{n}{2}\left( 2p(1-p)\right) ^{t/2}. \end{aligned} $$

Taking the last step, i.e., \(t=2r\), we have \(r=\log _{\frac{1}{2p(1-p)}}\left[ \binom{n}{2}/\varepsilon \right] \), which completes the proof.

Fig. 24. (figure) Situation similar to Fig. 20: \(\pi _1\) and \(\pi _2\) and \(B_1=001010\) are the same as there, but now \(B_2\) is determined by \(B_1\), namely \(b^2_i=1-b^1_i\) – opened connections depicted in red.
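The following script is an added worked example (it is not code from the paper or its authors): it evaluates the round and block bounds stated in the abstract, the Lemma 6 union bound, and simulates the pair-mixing (strong stationary time) argument of Lemmas 6 and 7 so the union bound can be compared against the simulated number of not-yet-mixed pairs. Function names and the sample parameters are the example's own choices.

```python
import math
import random
from itertools import combinations

def rounds_lower_bound(n, eps):
    """Abstract bound: r(n, eps) >= log2( C(n,2) / eps ) mix-servers (rounds)
    before RPC can be eps-close to uniform in total variation distance."""
    return math.log2(math.comb(n, 2) / eps)

def blocks_lower_bound(n, q, eps):
    """Abstract bound for anonymizing pools: blocks needed when a random
    fraction q of the n coins is mixed in each block."""
    return -(math.log(n) + math.log(n - 1) - math.log(2 * eps)) / math.log(1 - q ** 2)

def sst_tvd_upper_bound(n, p, t):
    """Lemma 6: TVD <= C(n,2) * (1-(1-p)^2)^t after t uniformly random
    permutations, each left link opened independently with probability p."""
    return math.comb(n, 2) * (1 - (1 - p) ** 2) ** t

def rounds_upper_bound(n, p, eps):
    """Smallest integer t with sst_tvd_upper_bound(n, p, t) <= eps, i.e. the
    choice t = log_{1/(1-(1-p)^2)}[C(n,2)/eps] made in the proof (requires p < 1)."""
    return math.ceil(math.log(math.comb(n, 2) / eps) / math.log(1 / (1 - (1 - p) ** 2)))

def unmixed_pairs_after(n, t, p, rng):
    """Simulate the SST argument: a pair (i, j) is mixed at the first step in
    which both challenge bits b_{t,i}, b_{t,j} equal 1 (neither element opened),
    i.e. T_ij <= t.  Returns the number of pairs still having T_ij > t.  By
    linearity of expectation its mean is exactly the union bound
    C(n,2) * (1-(1-p)^2)^t, and TVD <= P(T > t) <= that mean (Markov)."""
    unmixed = set(combinations(range(n), 2))
    for _ in range(t):
        # challenge bit 0 (left link opened) with probability p, else 1
        bits = [0 if rng.random() < p else 1 for _ in range(n)]
        unmixed = {(i, j) for (i, j) in unmixed if not (bits[i] == 1 and bits[j] == 1)}
    return len(unmixed)

def mean_unmixed_pairs(n, t, p, trials, seed=0):
    """Monte-Carlo estimate of E[#unmixed pairs] for comparison with the bound."""
    rng = random.Random(seed)
    return sum(unmixed_pairs_after(n, t, p, rng) for _ in range(trials)) / trials

if __name__ == "__main__":
    n, eps, p = 1000, 0.01, 0.5
    print(f"lower bound on rounds (abstract): {rounds_lower_bound(n, eps):.2f}")
    print(f"rounds sufficient by Lemma 6   : {rounds_upper_bound(n, p, eps)}")
    print(f"blocks for n=10000, q=0.5       : {blocks_lower_bound(10000, 0.5, eps):.2f}")
    for t in (1, 5, 10, 20):
        print(f"t={t:2d}: union bound {sst_tvd_upper_bound(16, p, t):8.3f}  "
              f"simulated {mean_unmixed_pairs(16, t, p, 2000):8.3f}")
```

For p = 1/2 the union bound decays as (3/4)^t, so the simulated count of unmixed pairs should track the bound closely and the Lemma 6 round count is about log_{4/3} rather than log_2 of C(n,2)/ε.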


Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG


Cite this paper

Lorek, P., Yung, M., Zagórski, F. (2024). Mirrored Commitment: Fixing “Randomized Partial Checking” and Applications. In: Pöpper, C., Batina, L. (eds) Applied Cryptography and Network Security. ACNS 2024. Lecture Notes in Computer Science, vol 14585. Springer, Cham. https://doi.org/10.1007/978-3-031-54776-8_1


  • DOI: https://doi.org/10.1007/978-3-031-54776-8_1


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-54775-1

  • Online ISBN: 978-3-031-54776-8

