Robustness Modelling and Verification of a Mix Net Protocol

  • Efstathios Stathakidis
  • Steve Schneider
  • James Heather
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8893)


Re-encryption Mix Nets are used to provide anonymity by passing encrypted messages through a collection of servers which each permute and re-encrypt messages. They are used in secure electronic voting protocols because they provide a combination of anonymity and verifiability. The use of several peers also provides for robustness, since a Mix Net can run even in the presence of a minority of dishonest or incorrectly behaving peers. However, in practice the protocols for peers to decide when to exclude a peer are complex distributed algorithms, and it is non-trivial to gain confidence that the Mix Net will be robust and live in the presence of faulty or malicious peers. In this paper we model and analyse the algorithm used by Ximix, a particular Mix Net implementation, using the CSP process algebra and the FDR model checker. We model and analyse the protocol in the presence of a realistic intruder based on Roscoe and Goldsmith’s perfect Spy [1]. We show that in the current implementation the protocol does not satisfy the robustness requirement. Finally, we propose a method of making it robust, and verify in FDR that the proposed solution is sound and provides this robustness. Along the way, we highlight the omissions and deviations from the original randomized partial checking (RPC) proposal; Mix Net protocols are extremely fragile, and small and seemingly benign changes may result in security flaws. Our experimental results show that, with our modification, Ximix guarantees termination and produces a correct output in the presence of an intruder who can corrupt a minority of mix servers.
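The abstract's description of a re-encryption Mix Net (each server permutes and re-encrypts, and the output still decrypts to the same set of messages) can be made concrete with a toy ElGamal implementation. The following is an added example written for this page; it is not code from the paper, from Ximix, or from any of the cited systems. The group parameters, the seeded random generator, the ballot values and the single-holder decryption key are all constructed assumptions for the demonstration (deployed mix nets use large, properly chosen groups and share the decryption key among the peers so that no single server can decrypt).

```python
import random
from typing import List, Tuple

# Toy ElGamal parameters, constructed for this example only (far too small for real use).
P = 2**61 - 1   # a Mersenne prime used as the modulus
G = 3           # fixed base for the demo

Ciphertext = Tuple[int, int]   # (g^r, m * y^r) mod P


def keygen(rng: random.Random) -> Tuple[int, int]:
    """Return (secret key x, public key y = G^x mod P)."""
    x = rng.randrange(2, P - 1)
    return x, pow(G, x, P)


def encrypt(pk: int, m: int, rng: random.Random) -> Ciphertext:
    """Standard ElGamal encryption of a group element m (here 1 <= m < P)."""
    r = rng.randrange(1, P - 1)
    return pow(G, r, P), (m * pow(pk, r, P)) % P


def reencrypt(pk: int, ct: Ciphertext, rng: random.Random) -> Ciphertext:
    """Multiply in a fresh encryption of 1: same plaintext, new unlinkable ciphertext.

    Nobody needs the secret key for this step, which is what lets each mix
    server transform the batch without being able to read it.
    """
    c1, c2 = ct
    s = rng.randrange(1, P - 1)
    return (c1 * pow(G, s, P)) % P, (c2 * pow(pk, s, P)) % P


def decrypt(sk: int, ct: Ciphertext) -> int:
    """m = c2 * c1^(-sk); the inverse power is c1^(P-1-sk) because P is prime."""
    c1, c2 = ct
    return (c2 * pow(c1, P - 1 - sk, P)) % P


def mix_server(pk: int, batch: List[Ciphertext], rng: random.Random) -> List[Ciphertext]:
    """One mix peer: re-encrypt every input, then output in a secret random order."""
    out = [reencrypt(pk, ct, rng) for ct in batch]
    rng.shuffle(out)
    return out


def run_mix_net(pk: int, batch: List[Ciphertext], n_servers: int,
                rng: random.Random) -> List[Ciphertext]:
    """Chain several independent mix servers; each hides its own permutation."""
    for _ in range(n_servers):
        batch = mix_server(pk, batch, rng)
    return batch


def reencryption_preserves_plaintext(seed: int = 3) -> bool:
    """Check the core property: re-encryption changes the ciphertext, not the message."""
    rng = random.Random(seed)
    sk, pk = keygen(rng)
    ct = encrypt(pk, 42, rng)
    ct2 = reencrypt(pk, ct, rng)
    return ct2 != ct and decrypt(sk, ct2) == 42


def demo(seed: int = 7) -> Tuple[List[int], bool]:
    """Run four constructed ballots through three mix servers.

    Returns the sorted decrypted outputs (should equal the sorted inputs) and
    whether every output ciphertext differs from every input ciphertext, i.e.
    an observer cannot link outputs to inputs by simple comparison.
    """
    rng = random.Random(seed)
    sk, pk = keygen(rng)
    ballots = [101, 202, 303, 404]           # constructed candidate codes
    inputs = [encrypt(pk, b, rng) for b in ballots]
    outputs = run_mix_net(pk, inputs, n_servers=3, rng=rng)
    plaintexts = sorted(decrypt(sk, ct) for ct in outputs)
    unlinkable = all(ct not in inputs for ct in outputs)
    return plaintexts, unlinkable


if __name__ == "__main__":
    print(demo())   # ([101, 202, 303, 404], True)
```

The example shows only the anonymity mechanism. The robustness question the paper studies (what happens when a server in the chain drops, alters or duplicates ciphertexts, and how the honest peers agree to exclude it) is not visible here, because this toy simply trusts every `mix_server` call; in a real Mix Net each server must also publish proofs of correct mixing, and the exclusion logic around those proofs is exactly the distributed algorithm the paper models in CSP.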


Keywords: Mix Nets, formal methods, model-checking, CSP, FDR




  1. Roscoe, A.W., Goldsmith, M.: The perfect spy for model-checking crypto-protocols. In: Proceedings of DIMACS Workshop on the Design and Formal Verification of Crypto-Protocols. Rutgers University (September 1997)
  2. Chaum, D.: Untraceable electronic mail, return addresses, and digital pseudonyms. Commun. ACM 24(2), 84–88 (1981)
  3. Golle, P., Jakobsson, M., Juels, A., Syverson, P.F.: Universal re-encryption for mixnets. In: Okamoto, T. (ed.) CT-RSA 2004. LNCS, vol. 2964, pp. 163–178. Springer, Heidelberg (2004)
  4. Park, C.-s., Itoh, K., Kurosawa, K.: Efficient anonymous channel and all/nothing election scheme. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 248–259. Springer, Heidelberg (1994)
  5. Adida, B.: Helios: Web-based open-audit voting. In: Proceedings of the 17th USENIX Security Symposium (Security 2008) (2008)
  6. Ryan, P.Y.A., Bismark, D., Heather, J., Schneider, S., Xia, Z.: Prêt à Voter: a voter-verifiable voting system. IEEE Transactions on Information Forensics and Security 4(4), 662–673 (2009)
  7. Burton, C., Culnane, C., Heather, J., Peacock, T., Ryan, P.Y.A., Schneider, S., Srinivasan, S., Teague, V., Wen, R., Xia, Z.: A supervised verifiable voting protocol for the Victorian Electoral Commission. In: Kripp, M.J., Volkamer, M., Grimm, R. (eds.) Electronic Voting. LNI, vol. 205, pp. 81–94. GI (2012)
  8. Burton, C., Culnane, C., Heather, J., Peacock, T., Ryan, P.Y.A., Schneider, S., Srinivasan, S., Teague, V., Wen, R., Xia, Z.: Using Prêt à Voter in Victorian state elections. In: Proceedings of the 2012 International Conference on Electronic Voting Technology/Workshop on Trustworthy Elections, EVT/WOTE 2012, p. 1. USENIX Association, Berkeley (2012)
  9. Jakobsson, M., Juels, A., Rivest, R.L.: Making mix nets robust for electronic voting by randomized partial checking. In: Boneh, D. (ed.) USENIX Security Symposium, USENIX, pp. 339–353 (2002)
  10. Wikström, D.: Verificatum. Website (2014),
  11. Gamal, T.E.: A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory 31(4), 469–472 (1985)
  12. Chaum, D., Pedersen, T.P.: Wallet databases with observers. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 89–105. Springer, Heidelberg (1993)
  13. Stathakidis, E., Williams, D.M., Heather, J.: Verifying a mix net in CSP. In: Proceedings of the 13th International Workshop on Automated Verification of Critical Systems (AVoCS 2013). Electronic Communications of the EASST, vol. 66. European Association of Software Science and Technology (2013)
  14. Roscoe, A.W.: The theory and practice of concurrency. Prentice Hall (1998)
  15. Küsters, R., Truderung, T., Vogt, A.: Formal analysis of Chaumian mix nets with randomized partial checking. IACR Cryptology ePrint Archive 2014, 341 (2014)
  16. Hoare, C.A.R.: Communicating sequential processes. Commun. ACM 21(8), 666–677 (1978)
  17. Schneider, S.: Concurrent and Real Time Systems: The CSP Approach, 1st edn. John Wiley & Sons, Inc., New York (1999)
  18. Roscoe, A.: Understanding Concurrent Systems, 1st edn. Springer-Verlag New York, Inc., New York (2010)
  19. Gardiner, P., Goldsmith, M., Hulance, J., Jackson, D., Roscoe, B., Scattergood, B., Armstrong, P.: FDR2 user manual (2010),

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Efstathios Stathakidis (1)
  • Steve Schneider (1)
  • James Heather (2)
  1. Computing Department, University of Surrey, Guildford, UK
  2. Chiastic Security Ltd, Guildford, UK
