Post on 14-Dec-2015
RPC Mixing: Making Mix-Nets Robust for Electronic Voting
Ron Rivest, MIT
Markus Jakobsson, Ari Juels, RSA Laboratories
What does a mix network do?
[Figure: message 1, message 2, message 3 and message 4 pass through a mix network]
Randomly permutes and decrypts inputs
Key property: Adversary can’t tell which ciphertext corresponds to a given message
Example application: Anonymizing bulletin board or e-mail
[Figure: messages from Alice, Bob and Charlie are mixed; the posted messages read “I love Alice”, “Nobody loves Bob” and “I love Charlie”]
Is it Bob, Charlie, self-love, or other?
Our focus: Voting
[Figure: ballots digitally signed by Eve, Charlie, Charlie, Bob and Alice; votes for Al Gore, G.W. Bush, Al Gore and G.W. Bush]
Final Tally:
Bush 2
Gore 1
A look under the hood
Basic Mix (Chaum ‘81)
[Figure: Server 1, Server 2 and Server 3 with public keys PK1, PK2 and PK3]
Encryption of Message
Ciphertext = E_PK1[E_PK2[E_PK3[message]]]
Basic Chaumian Mix
[Figure: inputs m1, m2, m3 pass through Server 1, Server 2 and Server 3; each server decrypts and permutes, so the order changes at every stage]
Observe: As long as one server is honest, privacy is preserved
What if one server fails?
[Figure: Server 1, Server 2 and Server 3, with key SK2]
• Solution idea: Share key among others
• Privacy now requires a majority of honest servers
• Tolerance of minority of server failures
What if one server cheats?
[Figure: ballots and “Lenin” outputs]
• Solution idea: Have each server prove that it permuted and decrypted correctly
Robust Mix
[Figure: inputs m1, m2, m3 pass through Server 1, Server 2 and Server 3; each server decrypts, permutes, and proves correct]
Practical Robust Mixes
• Jakobsson “Flash Mix” (PODC ‘99)
  – Mitomo and Kurosawa (AC ‘00)
  – Secure only for large input sizes
  – Only for El Gamal
• Desmedt and Kurosawa (EC ‘00)
  – Good only if O(n^(1/2)) of servers corrupted
• Neff (ACM CCS ‘01); Furukawa-Sako (Crypto ‘01) (renamed “shuffling”)
  – All desired properties
  – Only for El Gamal
  – Computationally intensive
• Golle (ACM CCS ‘02)
  – Some similarity in technique with RPC
  – Only for El Gamal
  – Speed for El Gamal somewhat better than RPC
• Golle, Zhong, Boneh, Jakobsson, Juels (Asiacrypt ‘02)
  – Only for El Gamal
  – Speed for El Gamal somewhat better than RPC
• Our Randomized Probabilistic Checking (RPC) mix
  – Conceptually simple
  – Very efficient, particularly for RSA
  – Works with RSA, El Gamal, etc.
  – Aimed at voting
Proving correctness in RPC
[Figure: Server i decrypts and permutes a list of ballots]
• Very efficient proof/verification!
  – Particularly with RSA
• Each ballot operation checked with probability 1/2
• If Server i cheats on k ballots, it is caught with probability 1 - 2^(-k)
  – e.g., changing 20 ballots means 99.9999% chance of detection
• Example: Florida tally in 2000 Presidential election
  – 2,910,074 Bush; 2,909,114 Gore
  – Tampering with 480 ballots needed to change outcome
  – Probability of catching cheating 1 - 2^(-480)
  – Chance of escaping detection is smaller than probability of being hit by meteor during this session
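The check described above for a single RSA mix server, as an added example that is not from the slides or the RPC paper: each input's link is opened with probability 1/2 and verified by re-encrypting the claimed output. The key (toy textbook RSA built from two Mersenne primes), the function names and the way the cheating server substitutes ballots are assumptions made for illustration.

```python
import random

# Toy textbook-RSA key for one mix server (constructed; far too small for real use).
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def encrypt(m):
    return pow(m, E, N)

def mix(inputs, rng, tamper=0):
    """Decrypt and permute. A cheating server replaces `tamper` outputs."""
    perm = list(range(len(inputs)))
    rng.shuffle(perm)                        # output j comes from input perm[j]
    outputs = [pow(inputs[i], D, N) for i in perm]
    for j in range(tamper):
        outputs[j] = (outputs[j] + 1) % N    # substituted ballot
    return outputs, perm

def audit(inputs, outputs, perm, coins):
    """Open each input's link with probability 1/2; check it by re-encryption."""
    dest = {i: j for j, i in enumerate(perm)}    # input index -> output index
    for i, c in enumerate(inputs):
        if coins.random() < 0.5 and encrypt(outputs[dest[i]]) != c:
            return False                     # an opened link fails: server caught
    return True

def detection_rate(k, n=16, trials=2000, seed=1):
    """Fraction of runs in which a server that altered k of n ballots is caught."""
    rng = random.Random(seed)
    caught = 0
    for _ in range(trials):
        inputs = [encrypt(rng.randrange(2, N)) for _ in range(n)]
        outputs, perm = mix(inputs, rng, tamper=k)
        caught += not audit(inputs, outputs, perm, rng)
    return caught / trials

if __name__ == "__main__":
    for k in (0, 1, 2, 5):
        print(k, detection_rate(k), "expected", 1 - 2**-k)
```

Because textbook RSA is deterministic, an opened link either re-encrypts to the input or it does not, so the toy server has no way to open a false link for a substituted ballot.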
Privacy in RPC
[Figure: ballots from Bob, Alice, Carl and Delia pass through Server 1, Server 2, Server 3 and Server 4; outputs Gore, Gore, Bush, Bush]
• Chance of privacy breach small with correct parameterization
  – Needs many servers (or rounds)
• We can do better...
Server pairing
[Figure: ballots pass through Server 2i and Server 2i+1; for each ballot between the two servers: “Left or right?”]
• Private provided that at least one pair of servers is uncorrupted
  – Thus, private if minority corrupted
  – Each ballot concealed among half of total
• Correct because forward link on any ballot checked with probability 1/2
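The left-or-right rule for one server pair, as an added example that is not from the slides: every ballot between the two servers has exactly one of its links opened, and the code computes which outputs an observer still cannot rule out for each input. Splitting the middle ballots into exactly half "left" and half "right", and all names, are assumptions of this sketch.

```python
import random

def run_pair(n, rng):
    """One server pair: two secret permutations plus the RPC openings."""
    p1 = rng.sample(range(n), n)    # server 2i:   input i  -> middle p1[i]
    p2 = rng.sample(range(n), n)    # server 2i+1: middle m -> output p2[m]
    left = set(rng.sample(range(n), n // 2))     # middle ballots opened leftwards
    source = {m: i for i, m in enumerate(p1)}
    opened_left = {m: source[m] for m in left}                    # middle -> input
    opened_right = {m: p2[m] for m in range(n) if m not in left}  # middle -> output
    return p1, p2, opened_left, opened_right

def candidates(i, n, opened_left, opened_right):
    """Outputs an observer cannot rule out for input i, given the openings."""
    claimed = set(opened_right.values())
    if i in opened_left.values():
        # i's middle ballot is known, but its right link stayed closed, so it
        # may be any output not already tied to a right-opened middle ballot.
        return set(range(n)) - claimed
    # i's left link stayed closed: its middle ballot is one of the right-opened
    # ones, so its output is one of theirs.
    return claimed

if __name__ == "__main__":
    n, rng = 8, random.Random(7)
    p1, p2, opened_left, opened_right = run_pair(n, rng)
    for i in range(n):
        hidden_among = candidates(i, n, opened_left, opened_right)
        print(i, "true output", p2[p1[i]], "hidden among", sorted(hidden_among))
```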
Public verifiability
[Figure: ballots from Bob, Alice, Carl and Delia pass through Server 1, Server 2, Server 3 and Server 4; outputs Gore, Gore, Bush, Bush; “???”]
• Idea: Inspection coins depend on hash of full set of ballots
• Suppose election threshold is d
  – Recall Florida threshold was 960
• Attacker must (roughly) try 2^(d/2) hashes to swing election undetected
• If threshold d is small, use a more expensive mix
  – e.g., Neff, Furukawa/Sako
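One way a verifier could recompute the inspection coins from the published ballots and reject a server that opened a different set of links (added example, not from the slides or the RPC paper). The SHA-256 counter construction, the repr-based serialization of the ballot lists and the function names are assumptions; a real system needs a canonical encoding of the bulletin board.

```python
import hashlib

def public_coins(board, n):
    """n inspection bits derived from a hash of every posted ballot list."""
    seed = hashlib.sha256(repr(board).encode()).digest()
    bits, counter = [], 0
    while len(bits) < n:
        block = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        bits.extend((byte >> s) & 1 for byte in block for s in range(8))
        counter += 1
    return bits[:n]

def check_openings(board, opened):
    """Accept only if the server opened exactly the links the coins select."""
    n = len(board[0])
    required = {i for i, bit in enumerate(public_coins(board, n)) if bit}
    return set(opened) == required

if __name__ == "__main__":
    # Constructed bulletin board: one server's input list and output list.
    board = [list(range(100, 164)), list(range(200, 264))]
    coins = public_coins(board, 64)
    required = [i for i, bit in enumerate(coins) if bit]
    print("links to open:", required)
    print("honest transcript accepted:", check_openings(board, required))
    print("self-chosen subset accepted:", check_openings(board, required[1:]))
```

Anyone holding the bulletin board derives the same coins, and changing a single posted ballot changes the hash and therefore which links must be opened.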
Final Remarks
• Good for applications other than voting?
• Paper (with details) available on homepages of three authors, at:
  – Google “Markus Jakobsson homepage”
  – Google “Ari Juels homepage”
  – Google “Ron Rivest homepage”
• Idea is unpatented
• Implementation warmly welcomed