A Universally Composable Mix-Net

Douglas Wikström

Part of the Lecture Notes in Computer Science book series (LNCS, volume 2951)


A mix-net is a cryptographic protocol executed by a set of mix-servers that provides anonymity for a group of senders. The main application is electronic voting.

Numerous mix-net constructions and stand-alone definitions of security have been proposed in the literature, but only partial proofs of security are given for most constructions, and no construction has been proved secure with regard to any kind of composition.

We define an ideal mix-net in the universally composable security framework of Canetti [6]. Then we describe a mix-net based on Feldman [13], using ideas similar to those of Desmedt and Kurosawa [10], and prove that it securely realizes the ideal mix-net with respect to static adversaries that corrupt a minority of the mix-servers and arbitrarily many senders.

The mix-net executes in a hybrid model with access to ideal distributed key generation, but apart from that our only assumption is the existence of a group in which the Decision Diffie-Hellman Problem is hard.

If there are relatively few mix-servers, or a strong majority of honest mix-servers, our construction is practical.
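The abstract names the building blocks of the construction without showing them: an ideal distributed key generation (which the paper bases on Feldman's verifiable secret sharing [13]), a group in which the Decision Diffie-Hellman problem is assumed hard, and mix-servers that provide anonymity for senders while a minority may be corrupt. The Python example below, added here and not taken from the paper, ties those pieces together as a toy El Gamal re-encryption mix-net: a Feldman-based DKG in which every server verifies the shares it receives, senders who encrypt under the joint key, mix-servers that re-randomize and permute the ciphertext list in turn, and threshold decryption by any t+1 servers. It is not Wikström's protocol, whose correctness verification and UC proof are not reproduced here; the group parameters p, q, g, the server count, the votes and all seeds are constructed values far too small for real use.

```python
import random

# Toy group, constructed for this example: safe prime p = 2q + 1 and a generator
# g of the order-q subgroup of quadratic residues mod p. DDH is assumed hard here
# only for cryptographically sized p; these values are far too small for real use.
P, Q, G = 1019, 509, 4


def feldman_deal(t, n, rng):
    """Dealer: random degree-t polynomial over Z_q, commitments C_k = g^{a_k},
    and share f(j) for each server j in 1..n."""
    coeffs = [rng.randrange(Q) for _ in range(t + 1)]
    commits = [pow(G, a, P) for a in coeffs]
    shares = {j: sum(a * pow(j, k, Q) for k, a in enumerate(coeffs)) % Q
              for j in range(1, n + 1)}
    return commits, shares


def verify_share(j, share, commits):
    """Server j's public check: g^{share} == prod_k C_k^{j^k}."""
    expected = 1
    for k, c in enumerate(commits):
        expected = expected * pow(c, pow(j, k, Q), P) % P
    return pow(G, share, P) == expected


def dkg(t, n, rng):
    """Every server deals once; x_j is the sum of verified shares received by j,
    and the public key y = prod C_{i,0} = g^x for the never-reconstructed x."""
    y, key_shares = 1, {j: 0 for j in range(1, n + 1)}
    for _ in range(n):
        commits, shares = feldman_deal(t, n, rng)
        for j, s in shares.items():
            if not verify_share(j, s, commits):
                raise ValueError(f"server {j} received an inconsistent share")
            key_shares[j] = (key_shares[j] + s) % Q
        y = y * commits[0] % P
    return y, key_shares


def encrypt(y, vote, rng):
    """Sender: El Gamal encryption of the group element g^vote under y."""
    r = rng.randrange(1, Q)
    return pow(G, r, P), pow(G, vote, P) * pow(y, r, P) % P


def reencrypt(y, ct, rng):
    """Re-randomize with fresh r; the plaintext is unchanged."""
    r = rng.randrange(1, Q)
    return ct[0] * pow(G, r, P) % P, ct[1] * pow(y, r, P) % P


def mix_server(y, cts, rng):
    """One mix-server: re-encrypt every ciphertext, then permute the list."""
    out = [reencrypt(y, ct, rng) for ct in cts]
    rng.shuffle(out)
    return out


def lagrange_at_zero(j, subset):
    """Weight of server j's share when interpolating the polynomial at 0."""
    num = den = 1
    for k in subset:
        if k != j:
            num, den = num * k % Q, den * (k - j) % Q
    return num * pow(den, -1, Q) % Q


def threshold_decrypt(ct, key_shares, subset, max_vote):
    """Any t+1 servers contribute d_j = c1^{x_j}; combining gives c1^x = y^r,
    which unmasks g^vote. The vote is read off a small lookup table."""
    c1, c2 = ct
    c1_x = 1
    for j in subset:
        c1_x = c1_x * pow(pow(c1, key_shares[j], P), lagrange_at_zero(j, subset), P) % P
    m = c2 * pow(c1_x, -1, P) % P
    return {pow(G, v, P): v for v in range(1, max_vote + 1)}[m]


def run_election(votes, n=3, t=1, seed=7, subset=None):
    """DKG, senders post ciphertexts, each server mixes in turn, then any t+1
    servers decrypt. The output order is unlinkable to the input order."""
    rng = random.Random(seed)
    y, key_shares = dkg(t, n, rng)
    cts = [encrypt(y, v, rng) for v in votes]
    for _ in range(n):
        cts = mix_server(y, cts, rng)
    subset = subset or list(range(1, t + 2))
    return [threshold_decrypt(ct, key_shares, subset, max(votes)) for ct in cts]


def tampered_share_detected(t=1, n=3, seed=11):
    """Feldman's check rejects a share that a corrupt dealer altered by one unit."""
    rng = random.Random(seed)
    commits, shares = feldman_deal(t, n, rng)
    bad = (shares[2] + 1) % Q
    return verify_share(2, shares[2], commits) and not verify_share(2, bad, commits)
```

Two points the abstract makes are visible in the toy: no single server ever holds the decryption key, so a corrupt minority below the threshold cannot decrypt the posted ciphertexts on its own, and a dealer who sends an inconsistent share is caught by the public Feldman check rather than trusted. What the toy does not provide, and what the paper's construction and proof supply, is any guarantee that a mix-server actually re-encrypted and permuted its input rather than replacing it.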


Keywords (machine-generated, not supplied by the authors): Hybrid Model, Random Oracle, Ideal Functionality, Strong Majority, Universally Composable


  1. Abe, M.: Universally Verifiable Mix-Net with Verification Work Independent of the Number of Mix-Servers. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 437–447. Springer, Heidelberg (1998)
  2. Abe, M.: Flaws in Some Robust Optimistic Mix-Nets. In: Safavi-Naini, R., Seberry, J. (eds.) ACISP 2003. LNCS, vol. 2727, pp. 39–50. Springer, Heidelberg (2003)
  3. Beaver, D.: Foundations of secure interactive computing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 377–391. Springer, Heidelberg (1992)
  4. Canetti, R.: Towards realizing random oracles: Hash functions that hide all partial information. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 455–469. Springer, Heidelberg (1997)
  5. Canetti, R.: Security and composition of multi-party cryptographic protocols. Journal of Cryptology 13(1) (Winter 2000)
  6. Canetti, R.: Universally Composable Security: A New Paradigm for Cryptographic Protocols. ECCC TR 01-24; extended abstract in 42nd FOCS. IEEE Computer Society, Los Alamitos (2001)
  7. Chaum, D.: Untraceable Electronic Mail, Return Addresses and Digital Pseudonyms. Communications of the ACM 24(2), 84–88 (1981)
  8. Canetti, R., Lindell, Y., Ostrovsky, R., Sahai, A.: Universally Composable Two-Party and Multi-Party Secure Computation. In: 34th STOC, pp. 494–503 (2002)
  9. Cramer, R., Shoup, V.: A Practical Public Key Cryptosystem Provably Secure against Adaptive Chosen Ciphertext Attack. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 13–25. Springer, Heidelberg (1998)
  10. Desmedt, Y., Kurosawa, K.: How to break a practical MIX and design a new one. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 557–572. Springer, Heidelberg (2000)
  11. Dolev, D., Dwork, C., Naor, M.: Non-Malleable Cryptography. In: 23rd STOC, pp. 542–552 (1991)
  12. El Gamal, T.: A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. IEEE Transactions on Information Theory 31(4), 469–472 (1985)
  13. Feldman, P.: A practical scheme for non-interactive verifiable secret sharing. In: Proceedings of the 28th FOCS, pp. 427–438 (1987)
  14. Fujioka, A., Okamoto, T., Ohta, K.: A practical secret voting scheme for large scale elections. In: Zheng, Y., Seberry, J. (eds.) AUSCRYPT 1992. LNCS, vol. 718, pp. 244–251. Springer, Heidelberg (1993)
  15. Furukawa, J., Sako, K.: An efficient scheme for proving a shuffle. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 368–387. Springer, Heidelberg (2001)
  16. Furukawa, J., Miyauchi, H., Mori, K., Obana, S., Sako, K.: An implementation of a universally verifiable electronic voting scheme based on shuffling. In: Blaze, M. (ed.) FC 2002. LNCS, vol. 2357. Springer, Heidelberg (2003)
  17. Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: Secure Distributed Key Generation for Discrete-Log Based Cryptosystems. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 295–310. Springer, Heidelberg (1999)
  18. Goldreich, O., Micali, S., Wigderson, A.: How to Play Any Mental Game. In: 19th STOC, pp. 218–229 (1987)
  19. Goldwasser, S., Levin, L.: Fair computation of general functions in presence of immoral majority. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 77–93. Springer, Heidelberg (1991)
  20. Goldwasser, S., Lindell, Y.: Secure Multi-Party Computation Without Agreement. In: Malkhi, D. (ed.) DISC 2002. LNCS, vol. 2508, pp. 17–32. Springer, Heidelberg (2002)
  21. Goldwasser, S., Micali, S.: Probabilistic Encryption. Journal of Computer and System Sciences (JCSS) 28(2), 270–299 (1984)
  22. Golle, P., Zhong, S., Boneh, D., Jakobsson, M., Juels, A.: Optimistic Mixing for Exit-Polls. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 451–465. Springer, Heidelberg (2002)
  23. Groth, J.: A Verifiable Secret Shuffle of Homomorphic Encryptions. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 145–160. Springer, Heidelberg (2002)
  24. Jakobsson, M.: A Practical Mix. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 448–461. Springer, Heidelberg (1998)
  25. Jakobsson, M.: Flash Mixing. In: Proceedings of the 18th ACM Symposium on Principles of Distributed Computing, PODC 1998, pp. 83–89 (1998)
  26. Jakobsson, M., Juels, A.: Millimix: Mixing in small batches. DIMACS Technical Report 99-33 (June 1999)
  27. Jakobsson, M., Juels, A.: An optimally robust hybrid mix network. In: Proceedings of the 20th ACM Symposium on Principles of Distributed Computing, PODC 2001, pp. 284–292 (2001)
  28. Lindell, Y., Lysyanskaya, A., Rabin, T.: On the Composition of Authenticated Byzantine Agreement. In: 34th STOC, pp. 514–523 (2002)
  29. Micali, S., Rackoff, C., Sloan, B.: The notion of security for probabilistic cryptosystems. SIAM Journal of Computing 17(2), 412–426 (1988)
  30. Micali, S., Rogaway, P.: Secure Computation. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 392–404. Springer, Heidelberg (1992)
  31. Michels, M., Horster, P.: Some remarks on a receipt-free and universally verifiable Mix-type voting scheme. In: Kim, K.-c., Matsumoto, T. (eds.) ASIACRYPT 1996. LNCS, vol. 1163, pp. 125–132. Springer, Heidelberg (1996)
  32. Mitomo, M., Kurosawa, K.: Attack for Flash MIX. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 192–204. Springer, Heidelberg (2000)
  33. Neff, A.: A verifiable secret shuffle and its application to E-Voting. In: Proceedings of the 8th ACM Conference on Computer and Communications Security, CCS 2001, pp. 116–125 (2001)
  34. Neff, A.: Personal communication (2003)
  35. Niemi, V., Renvall, A.: How to prevent buying of votes in computer elections. In: Safavi-Naini, R., Pieprzyk, J.P. (eds.) ASIACRYPT 1994. LNCS, vol. 917, pp. 164–170. Springer, Heidelberg (1995)
  36. Ogata, W., Kurosawa, K., Sako, K., Takatani, K.: Fault Tolerant Anonymous Channel. In: Han, Y., Qing, S. (eds.) ICICS 1997. LNCS, vol. 1334, pp. 440–444. Springer, Heidelberg (1997)
  37. Park, C., Itoh, K., Kurosawa, K.: Efficient Anonymous Channel and All/Nothing Election Scheme. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 248–259. Springer, Heidelberg (1994)
  38. Pedersen, T.: A threshold cryptosystem without a trusted party. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 522–526. Springer, Heidelberg (1991)
  39. Pfitzmann, B.: Breaking an Efficient Anonymous Channel. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 332–340. Springer, Heidelberg (1995)
  40. Pfitzmann, B., Pfitzmann, A.: How to break the direct RSA-implementation of mixes. In: Quisquater, J.-J., Vandewalle, J. (eds.) EUROCRYPT 1989. LNCS, vol. 434, pp. 373–381. Springer, Heidelberg (1990)
  41. Pfitzmann, B., Waidner, M.: Composition and Integrity Preservation of Secure Reactive Systems. In: 7th ACM Conference on Computer and Communications Security, pp. 245–254 (2000)
  42. Rackoff, C., Simon, D.: Noninteractive zero-knowledge proofs of knowledge and chosen ciphertext attacks. In: 22nd STOC, pp. 433–444 (1991)
  43. Sako, K., Kilian, J.: Receipt-Free Mix-Type Voting Scheme. In: Guillou, L.C., Quisquater, J.-J. (eds.) EUROCRYPT 1995. LNCS, vol. 921, pp. 393–403. Springer, Heidelberg (1995)
  44. Schnorr, C., Jakobsson, M.: Security of Signed El Gamal Encryption. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 73–89. Springer, Heidelberg (2000)
  45. Tsiounis, Y., Yung, M.: On the Security of El Gamal based Encryption. In: Imai, H., Zheng, Y. (eds.) PKC 1998. LNCS, vol. 1431, pp. 117–134. Springer, Heidelberg (1998)
  46. Wikström, D.: Five Practical Attacks for "Optimistic Mixing for Exit-Polls". In: Matsui, M., Zuccherato, R.J. (eds.) SAC 2003. LNCS, vol. 3006. Springer, Heidelberg (2004)
  47. Wikström, D.: A Universally Composable Mix-Net, manuscript will be available at:

Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Douglas Wikström (1, 2)
  1. Royal Institute of Technology (KTH), Nada, Stockholm, Sweden
  2. Swedish Institute of Computer Science (SICS), Kista, Sweden
