We introduce a robust and efficient mix-network for exponentiation, and use it to obtain a threshold decryption mix-network for ElGamal encrypted messages, in which mix servers do not need to trust each other for the correctness of the result. If a subset of mix servers cheat, they will be caught with an overwhelming probability, and the decryption can restart after replacing them, in a fashion that is transparent to the participants providing the input to be decrypted. As long as a quorum is not controlled by an adversary, the privacy of the mix is guaranteed. Our solution is proved to be secure if a commonly used assumption, the Decision Diffie-Hellman assumption, holds.

Of possible independent interest are two new methods that we introduce: blinded destructive robustness, a type of destructive robustness with protection against leaks of secret information; and repetition robustness, a method for obtaining robustness for some distributed vector computations. Here, two or more calculations of the same equation are performed, where the different computations are made independent by the use of blinding and permutation. The resulting vectors are then unblinded, sorted and compared to each other. This allows us to detect cheating (resulting in inequality of the vectors).

Also of possible independent interest is a modular extension to the El-Gamal encryption scheme, making the resulting scheme non-malleable in the random oracle model. This is done by interpreting part of the ciphertext as a public key, and signing the ciphertext using the corresponding secret key.
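The two constructions sketched above, as an added example that is not code from the paper: a repetition-robustness check for a distributed exponentiation (each input is blinded and permuted, raised to the secret exponent by a chain of servers, unblinded, sorted and compared across independent runs) and the non-malleable ElGamal variant (the first ciphertext component g^r is read as a public key and the ciphertext is signed under the secret key r). The toy group, the multiplicative sharing of the exponent across servers, the cheating model (a server substituting an arbitrary element at one position) and the choice of a Schnorr signature for the second part are all assumptions made here for illustration; the abstract names none of them.

```python
# Added example, not code from the paper.  Constructed parameters and cheating
# model; the 62-bit group is far too small for real use.
import hashlib
import random

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]

def is_prime(n):
    """Miller-Rabin with the first twelve prime bases (deterministic below 3.3e24)."""
    if n < 2:
        return False
    for s in SMALL_PRIMES:
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_group(bits=62):
    """Smallest safe prime p = 2q+1 with q >= 2^(bits-1); g = 4 is a QR, so it has order q."""
    q = (1 << (bits - 1)) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4

P, Q, G = safe_prime_group()

def inv(x):
    return pow(x, P - 2, P)

# ---- (1) repetition robustness: blind, permute, compute, unblind, sort, compare ----
def exp_server(share, vec, cheat_pos, rng):
    """A server raises every element to its share; a cheater (assumed model) plants garbage."""
    out = [pow(v, share, P) for v in vec]
    if cheat_pos is not None:
        out[cheat_pos] = pow(G, rng.randrange(1, Q), P)
    return out

def blinded_run(inputs, shares, y, cheaters, rng):
    n = len(inputs)
    rho = [rng.randrange(1, Q) for _ in range(n)]
    perm = list(range(n))
    rng.shuffle(perm)
    # fresh blinding a_i * g^rho_i and a fresh permutation make the runs independent
    vec = [inputs[j] * pow(G, rho[j], P) % P for j in perm]
    for k, share in enumerate(shares):
        vec = exp_server(share, vec, cheaters.get(k), rng)
    # (a * g^rho)^d = a^d * y^rho with y = g^d, so dividing by y^rho unblinds
    unblinded = [c * inv(pow(y, rho[j], P)) % P for c, j in zip(vec, perm)]
    return sorted(unblinded)

def robust_exponentiation(inputs, shares, cheaters=None, runs=2, seed=1):
    """Returns (runs agree, sorted a_i^d); d is the product of the shares mod Q."""
    rng = random.Random(seed)
    cheaters = cheaters or {}
    d = 1
    for s in shares:
        d = d * s % Q
    y = pow(G, d, P)
    results = [blinded_run(inputs, shares, y, cheaters, rng) for _ in range(runs)]
    return all(r == results[0] for r in results[1:]), results[0]

# ---- (2) ElGamal signed under the ephemeral key a = g^r (Schnorr, assumed here) ----
def keygen(rng):
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)

def challenge(*parts):
    h = hashlib.sha256(b"|".join(str(v).encode() for v in parts)).digest()
    return int.from_bytes(h, "big") % Q

def encrypt(y, m, rng):
    """(a, b) = (g^r, m*y^r) plus a signature on (a, b) whose secret key is r itself."""
    r = rng.randrange(1, Q)
    a, b = pow(G, r, P), m * pow(y, r, P) % P
    k = rng.randrange(1, Q)
    c = challenge(a, b, pow(G, k, P))
    return a, b, c, (k - c * r) % Q

def verify(a, b, c, s):
    """g^s * a^c = g^k, so a valid signature shows the sender knew r = log_g(a)."""
    return c == challenge(a, b, pow(G, s, P) * pow(a, c, P) % P)

def decrypt(x, ct):
    a, b, c, s = ct
    if not verify(a, b, c, s):
        return None                      # reject tampered or re-randomised ciphertexts
    return b * inv(pow(a, x, P)) % P

def malleability_demo(seed=2):
    """Scaling b still decrypts under plain ElGamal but fails the signature check."""
    rng = random.Random(seed)
    x, y = keygen(rng)
    m = pow(G, 12345, P)                 # messages are encoded as subgroup elements
    a, b, c, s = encrypt(y, m, rng)
    forged = (a, b * pow(G, 7, P) % P, c, s)
    plain_elgamal = forged[1] * inv(pow(a, x, P)) % P
    return (decrypt(x, (a, b, c, s)) == m,
            decrypt(x, forged) is None,
            plain_elgamal == m * pow(G, 7, P) % P)
```

With honest servers the two sorted output vectors coincide; with a server that deviates at one position they differ, and because each run uses its own blinding and permutation the server cannot tell which hidden input it is corrupting. The signature check in `decrypt` is what removes the malleability: an adversary who re-randomises or scales `b` cannot produce a fresh signature without `r`.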


Keywords: mix-network, decryption, privacy, robustness, error detection



Copyright information

© Springer-Verlag Berlin Heidelberg 1998

Authors and Affiliations

Markus Jakobsson, Information Sciences Research Center, Bell Labs, Murray Hill