A Brief Introduction to Mix Networks Ari Juels RSA Laboratories 2001, RSA Security Inc. What does a mix network do? message 1 message 2 message 3 message 4 Randomly permutes and decrypts inputs Mix network What does a mix network do? message 2 Key property: We cant tell which ciphertext corresponds to a given message ? Example application: Anonymizing bulletin board orFrom Bob From Charlie From Alice From Bob From Charlie From Alice I love Alice Nobody loves Bob I love Charlie Is it Bob, Charlie, self-love, or other? Example application: Anonymizing bulletin board or Another application: Voting Digitally signed by Eve Digitally signed by Charlie Digitally signed by Charlie Digitally signed by Bob Digitally signed by Alice A vote for Al G re A vote for G.W. Bush A vote for Al Gore A vote for G.W. Bush Final Tally: Bush 2 Gore 1 A look under the hood Basic Mix (Chaum 81) Server 1 Server 2 Server 3 PK 1 PK 2 PK 3 Encryption of Message PK 1 PK 2 PK 3 message Ciphertext = E PK1 [E PK2 [E PK3 [message]]] Basic Chaumian Mix Server 1 Server 2 Server 3 m1 m2 m3 m2 m3 m1 decrypt and permute m2 m1 m3 decrypt and permute decrypt and permute m2 m3 m1 Basic Chaumian Mix m1 m2 m3 m2 m3 m1 decrypt and permute m2 m1 m3 decrypt and permute decrypt and permute m2 m3 m1 Observe: As long as one server is honest, privacy is preserved Basic Chaumian Mix Server 1 Server 2 Server 3 m3 ? What if one server fails? Server 1 Server 2 Server 3 SK 2 Privacy now requires a majority of honest servers Tolerance of failure is called robustness Solution idea: Share key among others ballot BUSH What if one server cheats? Solution idea: Have each server prove that it permuted and decrypted correctly Proof may be digitally signed and carried along with ciphertexts Robust Mix Server 1 Server 2 Server 3 m1 m2 m3 m2 m3 m1 decrypt, permute, and prove correct m2 m1 m3 decrypt, permute, and prove correct decrypt, permute, and prove correct m2 m3 m1 History of Robust Mixing u Park, Itoh, Kurosawa (EC 93) u Ogata, Kurosawa, Sako, Takatani (ICICS 97) u Abe (EC 98) u Jakobsson (EC 98) u Desmedt and Kurosawa (EC 00) History of Robust Mixing u Jakobsson Flash Mix (PODC 99) Secure only for large input sizes Idea: Employ dummy inputs to check correctness u Mitomo and Kurosawa (AC 00) Repair weakness in Jakobsson 99 Publicly verifiable mixing u Idea: Ensure that proofs are legitimate even if all servers try to cheat u Abe (AC 99), Jakobsson and Juels (DIMACS-TR 99) Idea: Use swap as atomic unit; prove correctness of swap Efficient only on small input sizes u Sako (Crypto 01) (renamed shuffling) u Neff (ACM CCS 01) Hybrid mixing u Idea: Use symmetric and asymmetric crypto to achieve efficiency on long messages u Ohkuba and Abe (AC 00) u Jakobsson and Juels (PODC 01) Asynchronous mixing Alice Preserves traffic routing privacy Examples: Crowds (AT&T), ZK Systems, CIA, etc. Ecoterrorism server U.S. England Finland Mix network ? Some other applications of mixes u Anonymous payment schemes u Secure multiparty computation u Privacy-preserving content retrieval (A weak but efficient form of PIR) What properties are desirable for voting? u Privacy: YES u Robustness: YES u Long messages: NO u Public verifiability: MAYBE NO: Jakobssons Flash Mix (for large mixes) YES: Mix by Neff Can we improve with different modeling? u Voter can collaborate with server to change vote in mid-mix -- prior to seeing other votes Beauty flaw in JJ 01 u Very efficient asymmetric mix can probably be designed if we accept this flaw u What other modeling changes are permissible? Questions?