# A practical mix

## Abstract

We introduce a robust and efficient mix-network for exponentiation, and use it to obtain a threshold decryption mix-network for ElGamal encrypted messages, in which mix servers do not need to trust each other for the correctness of the result. If a subset of mix servers cheat, they will be caught with an overwhelming probability, and the decryption can restart after replacing them, in a fashion that is transparent to the participants providing the input to be decrypted. As long as a quorum is not controlled by an adversary, the privacy of the mix is guaranteed. Our solution is proved to be secure if a commonly used assumption, the Decision Diffie-Hellman assumption, holds.

Of possible independent interest are two new methods that we introduce: *blinded destructive robustness*, a type of destructive robustness with protection against leaks of secret information; and *repetition robustness*, a method for obtaining robustness for some distributed vector computations. Here, two or more calculations of the same equation are performed, where the different computations are made independent by the use of blinding and permutation. The resulting vectors are then unblinded, sorted and compared to each other. This allows us to detect cheating (resulting in inequality of the vectors).

Also of possible independent interest is a modular extension to the El-Gamal encryption scheme, making the resulting scheme non-malleable in the random oracle model. This is done by interpreting part of the ciphertext as a public key, and sign the ciphertext using the corresponding secret key.

## Keywords

mix-network decryption privacy robustness error detection## References

- 1.M. Abe, “Universally Verifiable Mix-net with Verification Work Independent of the Number of Mix-centers,” Eurocrypt '98.Google Scholar
- 2.M. Bellare, A. Desai, D. Pointcheval, P. Rogaway, “Plaintext Awareness, Non-Malleability, and Chosen Ciphertext Security: Implications and Separations,” manuscript.Google Scholar
- 3.M. Bellare, J. Garay, T. Rabin, “Batch Verification with Applications to Program Checking and Cryptography,” Eurocrypt '98Google Scholar
- 4.D. Chaum, “Untraceable electronic mail, return addresses, and digital pseudonyms,” Communications of the ACM, ACM 1981, pp. 84–88 “Undeniable Signatures,”Google Scholar
- 5.D. Chaum, H. Van Antwerpen, Crypto '89, pp. 212–216Google Scholar
- 6.D. Chaum, “Zero-Knowledge Undeniable Signatures,” Eurocrypt '90, pp. 458–464Google Scholar
- 7.R. Cramer, V. Shoup, “A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack,” available at www.cs.wisc.edu/ shoup.Google Scholar
- 8.A. De Santis, Y. Desmedt, Y. Frankel, and M. Yung, “How to Share a Function Securely,” STOC '94, pp. 522–533Google Scholar
- 9.D. Dolev, C. Dwork, M. Naor, “Non-malleable cryptography,” STOC'91, pp. 542–552Google Scholar
- 10.T. ElGamal “A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms,” Crypto '84, pp. 10–18Google Scholar
- 11.A. Fujioka, T. Okamoto, K. Ohta, “A practical secret voting scheme for large scale elections,” Auscrypt '92, pp. 244–251Google Scholar
- 12.E. Gabber, P. Gibbons, Y. Matias, A. Mayer, “How to make personalized web browsing simple, secure, and anonymous,” Financial Cryptography '97Google Scholar
- 13.S. Goldwasser and S. Micali, “Probabilistic Encryption,” J. Comp. Sys. Sci. 28, pp 270–299, 1984.MATHMathSciNetCrossRefGoogle Scholar
- 14.C. Gulcu, G. Tsudik, “Mixing email with babel,” ISOC Symposium on Network and Distributed System Security, 1996.Google Scholar
- 15.A. Herzberg, S. Jarecki, H. Krawczyk, M. Yung, “Proactive Secret Sharing, or How to Cope with Perpetual Leakage,” Crypto '95, pp. 339–352Google Scholar
- 16.A. Herzberg, M. Jakobsson, S. Jarecki, H. Krawczyk, M. Yung, “Proactive Public Key and Signature Systems,” Proceedings of the 4th ACM Conference on Computer and Communications Security, 1997, pp. 100–110Google Scholar
- 17.M. Michels, P. Horster, “Some remarks on a receipt free and universally verifiable Mix-Type Voting scheme,” Asiacrypt '96, pp. 125–132Google Scholar
- 18.M. Jakobsson, K. Sako, R. Impagliazzo, “Designated Verifier Proofs and Their Applications,” Eurocrypt '96, pp. 143–154Google Scholar
- 19.M. Jakobsson, M. Yung, “Distributed ‘Magic Ink’ Signatures,” Eurocrypt '97, pp. 450–464Google Scholar
- 20.M. Jakobsson, “Privacy vs. Anonymity,” Ph.D. Thesis, University of California, San Diego, 1997. Available at http://www.bell-labs.com/markusj/.Google Scholar
- 21.NIST FIPS PUB XX, “Digital Signature Standard,” National Institute of Standards and Technology, U.S. Department of Commerce, Draft, 1 Feb. 1993Google Scholar
- 22.W. Ogata, K. Kurosawa, K. Sako, K. Takatani, “Fault Tolerant Anonymous Channel,” ICICS '97, pp. 440–444Google Scholar
- 23.C. Park, K. Itoh, K. Kurosawa, “All/nothing election scheme and anonymous channel,” Eurocrypt '93, pp. 248–259Google Scholar
- 24.T. P. Pedersen. “A threshold cryptosystem without a trusted party,” Eurocrypt '91, pp. 522–526.Google Scholar
- 25.A. Pfitzmann, B. Pfitzmann, M. Waidner, “ISDN-MIXes: Untraceable Communication with Very Small Bandwidth Overhead,” Information Security, Proc. IFIP/Sec'91, Mai 1991, Brighton, D. T. Lindsay, W. L. Price (eds.), North-Holland, Amsterdam 1991, 245–258.Google Scholar
- 26.D. Pointcheval and J. Stern, “Security Proofs for Signature Schemes,” Advances in Cryptology — Proceedings of Eurocrypt '96, pp. 387–398.Google Scholar
- 27.M. Reiter, A. Rubin, “Crowds: Anonymous Web Transactions,” Manuscript at www.research.att.com/projects/crowds/Google Scholar
- 28.K. Sako, J. Kilian, “Receipt-Free Mix-Type Voting Scheme,” Eurocrypt '95, pp. 393–403Google Scholar
- 29.C. P. Schnorr, “Efficient Signature Generation for Smart Cards,” Advances in Cryptology — Proceedings of Crypto '89, pp. 239–252Google Scholar
- 30.A. Shamir, “How to Share a Secret,” Communications of the ACM, Vol. 22, 1979, pp. 612–613MATHMathSciNetCrossRefGoogle Scholar
- 31.P. Syverson, D. Goldschlag, M. Reed, “Anonymous connections and onion routing,” IEEE Symposium on Security and Privacy, 1997.Google Scholar