How to Break a Practical MIX and Design a New One

  • Yvo Desmedt
  • Kaoru Kurosawa
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1807)


A MIX net takes a list of ciphertexts (c 1, ..., c N) and outputs a permuted list of the plaintexts (m 1, ..., m N) without revealing the relationship between (c 1,..., c N) and (m 1, ...,m N). This paper first shows that the Jakobsson’s MIX net of Eurocrypt’98, which was believed to be resilient and very efficient, is broken. We next propose an efficient t-resilient MIX net with O(t 2) servers in which the cost of each MIX server is O(N). Two new concepts are introduced, existential-honesty and limited-open-verification. They will be useful for distributed computation in general.


Encryption Scheme Signature Scheme Random Permutation Random Oracle Secret Sharing Scheme 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    M. Abe, “Universally verifiable mix-net with verification work independent of the number of mix-centers,” Eurocrypt’ 98, pp. 437–447.Google Scholar
  2. 2.
    M. Abe, “A mix-network on permutation networks,” ISEC Technical report 99-10 (in Japanese) (May, 1999)Google Scholar
  3. 3.
    M. Abe, “Mix-networks on permutation networks,” Asiacrypt’ 99, pp. 258–273.Google Scholar
  4. 4.
    M. Bellare, A. Desai, D. Poincheval, P. Rogaway, “Relations among notions of security for public key encryption schemes,” Crypto’ 98, pp. 26–45.Google Scholar
  5. 5.
    M. Bellare, P. Rogaway, “Optimal asymmetric encryption-How to encrypt with RSA,” Eurocrypt’ 94, pp. 92–111.Google Scholar
  6. 6.
    D. Chaum, “Untraceable electronic mail, return addresses, and digital pseudonyms,” Communications of the ACM, Vol. 24, 1981, pp. 84–88.CrossRefGoogle Scholar
  7. 7.
    D. Chaum, H. Van Antwerpen, “Undeniable signatures,” Crypto’ 89, pp. 212–216.Google Scholar
  8. 8.
    Y. Desmedt, Y. Frankel, “Threshold cryptosystems,” Crypto’ 89, pp. 307–315.Google Scholar
  9. 9.
    D. Dolev, C. Dwork, M. Naor, “Non-malleable cryptography,” STOC’ 91, pp. 542–552.Google Scholar
  10. 10.
    T. ElGamal, “A public-key cryptosystem and a signature scheme based on discrete logarithms,” Crypto’ 84, pp. 10–18.Google Scholar
  11. 11.
    A. Fujioka, T. Okamoto, K. Ohta, “A practical secret voting scheme for large scale elections,” Auscrypt’ 92, pp. 244–251.Google Scholar
  12. 12.
    R. Gennaro, S. Jarecki, H. Krawczyk, T. Rabin, “Robust and efficient sharing of RSA functions,” Crypto’ 96, pp. 157–172.Google Scholar
  13. 13.
    M. Jakobsson, “A practical MIX,” Eurocrypt’ 98, pp. 448–461.Google Scholar
  14. 14.
    M. Jakobsson, D. M’Raihi, “Mix-based electronic payments,” SAC’98, pp. 157–173.Google Scholar
  15. 15.
    M. Jakobsson, “Flash mixing,” PODC’99, pp. 83–89.Google Scholar
  16. 16.
    M. Jakobsson, A. Juels “Millimix: Mixing in small batches,” DIMACS Technical report 99-33 (June 1999)Google Scholar
  17. 17.
    W. H. Mills, “Covering design I: coverings by a small number of subsets,” Ars Combin. 8, (1979), pp. 199–315.zbMATHMathSciNetGoogle Scholar
  18. 18.
    W. Ogata, K. Kurosawa, K. Sako, K. Takatani, “Fault tolerant anonymous channel,” ICICS’ 97, pp. 440–444.Google Scholar
  19. 19.
    C. Park, K. Itoh, K. Kurosawa, “All/nothing election scheme and anonymous channel,” Eurocrypt’ 93, pp. 248–259.Google Scholar
  20. 20.
    T. P. Pedersen, “A threshold cryptosystem without a trusted party,” Eurocrypt’ 91, pp. 522–526.Google Scholar
  21. 21.
    B. Pfitzmann, A. Pfitzmann. “How to break the direct RSA-implementation of MIXes,” Eurocrypt’ 89, pp. 373–381.Google Scholar
  22. 22.
    D. Pointcheval, J. Stern, “Security proofs for signature schemes,” Eurocrypt’ 96, pp. 387–398.Google Scholar
  23. 23.
    R. Rees, D. R. Stinson, R. Wei, G. H. J. van Rees, “An application of covering designs: Determining the maximum consistent set of shares in a threshold scheme,” Ars Combin. 531 (1999), pp. 225–237.MathSciNetGoogle Scholar
  24. 24.
    K. Sako, J. Kilian, “Receipt-free mix-type voting scheme,” Eurocrypt’ 95, pp. 393–403.Google Scholar
  25. 25.
    C. P. Schnorr, “Efficient signature generation for smart cards,” Crypto’ 89, pp. 239–252.Google Scholar
  26. 26.
    C. P. Schnorr, M. Jakobsson, “Security of discrete log cryptosystems in the random oracle + generic model,”
  27. 27.
    A. Shamir, “How to share a secret,” Communications of the ACM, Vol. 22, 1979, pp. 612–613zbMATHCrossRefMathSciNetGoogle Scholar
  28. 28.
    Y. Tsiounis, M. Yung, “On the security of ElGamal based encryption,” PKC’98, pp. 117–134.Google Scholar
  29. 29.
    Edited by C. J. Colbourn and J. H. Dinitz, Handbook of Combinatorial Design, CRC Press (1996)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2000

Authors and Affiliations

  • Yvo Desmedt
    • 1
    • 2
  • Kaoru Kurosawa
    • 3
  1. 1.Department of Computer ScienceFlorida State UniversityTallahasseeUSA
  2. 2.Dept. of Mathematics, Royal HollowayUniversity of LondonUK
  3. 3.Dept. of Electrical and Electronic Engineering Faculty of EngineeringTokyo Institute of TechnologyTokyoJapan

Personalised recommendations