RPC Mixing:Making Mix-Nets Robust for

Electronic Voting

Ron RivestMIT

Markus Jakobsson Ari Juels RSA Laboratories

What does a mix network do?

message 1

message 2

message 3

message 4

Randomly permutes and decrypts inputs

Mix network

What does a mix network do?

message 2

Key property: Adversary can’t tell which ciphertext corresponds

to a given message

?

Example application: Anonymizing bulletin board or e-mail

From Bob

From CharlieFrom Alice

From Bob

From CharlieFrom Alice

“I love

Alice”

“Nobody loves Bob”

“Ilove

Charlie”

Is it Bob, Charlie,

self-love, or other?

Example application: Anonymizing bulletin board or e-mail

Our focus: Voting

Digitally signed by

Eve Digitally signed by

Charlie

Digitally signed by

CharlieDigitally signed by

Bob

Digitally signed by

Alice

A vote forAl G re

A vote forG.W. Bush

A vote forAl Gore

A vote forG.W. Bush Final Tally:

Bush 2

Gore 1

A look under the hood

Basic Mix (Chaum ‘81)

Server 1 Server 2 Server 3

PK1 PK2PK3

Encryption of Message

PK1 PK2PK3

message

Ciphertext = EPK1[EPK2[EPK3[message]]]

Basic Chaumian Mix

Server 1 Server 2 Server 3

m1

m2

m3

m2

m3

m1

decrypt

and

permute

m2

m1

m3

decrypt

and

permute

decrypt

and

permute

m2

m3

m1

Basic Chaumian Mix

m1

m2

m3

m2

m3

m1

decrypt

and

permute

m2

m1

m3

decrypt

and

permute

decrypt

and

permute

m2

m3

m1

Observe: As long as one server is honest,

privacy is preserved

Basic Chaumian Mix

Server 1 Server 2 Server 3

m3?

What if one server fails?

Server 1 Server 2 Server 3

SK2

•Privacy now requires a majority of honest servers•Tolerance of minority of server failures

•Solution idea: Share key among others

ballot ballot Lenin LeninLenin

What if one server cheats?

Solution idea: •Have each server prove that it permuted and decrypted correctly

Robust Mix

Server 1 Server 2 Server 3

m1

m2

m3

m2

m3

m1

decrypt,

permute,

and prove

correct

m2

m1

m3

decrypt, permute,

and prove

correct

decrypt,

permute,

and prove

correct

m2

m3

m1

Practical Robust Mixes

Jakobsson “Flash Mix” (PODC ‘99)– Mitomo and Kurosawa (AC ‘00)– Secure only for large input sizes– Only for El Gamal

Desmedt and Kurosawa (EC ‘00)– Good only if O(n1/2) of servers corrupted

Practical Robust Mixes Neff (ACM CCS ‘01) ; Furukawa-

Sako (Crypto ‘01) (renamed “shuffling”)

– All desired properties– Only for El Gamal– Computationally intensive

Golle (ACM CCS ‘02) – Some similarity in technique with RPC– Only for El Gamal– Speed for El Gamal somewhat better than RPC

Practical Robust Mixes Golle, Zhong, Boneh, Jakobsson, Juels

(Asiacrypt ‘02)– Only for El Gamal– Speed for El Gamal somewhat better than RPC

Our Randomized Probabilistic Checking (RPC) mix– Conceptually simple– Very efficient -- particularly for RSA– Works with RSA, El Gamal, etc.– Aimed at voting

Proving correctness in RPC

Server i

decrypt and

permute

ballot

ballot

ballot

ballot

ballot

ballot

ballot

ballot

Proving correctness in RPC

Server i

ballot

ballot

ballot

ballot

ballot

ballot

ballot

ballot

Proving correctness in RPC

Server i

Very efficient proof/verification! – Particularly with RSA

Each ballot operation checked with probability 1/2

If Server i cheats on k ballots, it is caught with probability 1 - 2k – e.g., changing 20 ballots means 99.9999%

of detection

Proving correctness in RPC

Server i

Example: Florida tally in 2000 Presidential election– 2,910,074 Bush; 2,909,114 Gore– Tampering with 480 ballots needed to

change outcome– Probability of catching cheating 1 - 2-480

– Smaller than probability of being hit by meteor during this session

Privacy in RPC

Server 1 Server 2 Server 3 Server 4

Bob

Alice

Carl

Delia

ballot

ballot

ballot

ballot

ballot

ballot

ballot

ballot

ballot

ballot

ballot

ballot

Gore

Gore

Bush

Bush

Privacy in RPC

Server 1 Server 2 Server 3 Server 4

Bob

Alice

Carl

Delia

ballot

ballot

ballot

ballot

ballot

ballot

ballot

ballot

ballot

ballot

ballot

ballot

Gore

Gore

Bush

Bush

!!!!!!

Privacy in RPC

Chance of privacy breach small with correct parameterization– Needs many servers (or rounds)

We can do better...

Server pairing

Server 2i Server 2i+1

ballot

ballot

ballot

ballot

ballot

ballot

ballot

ballot

ballot

ballot

ballot

ballot

Server pairing

Server 2i Server 2i+1

ballot

ballot

ballot

ballot

ballot

ballot

ballot

ballot

ballot

ballot

ballot

ballot

ballot

Left or

right?

ballot

ballot

ballot

Server pairing

Server 2i Server 2i+1

Private provided that at least one pair of servers is uncorrupted– Thus, private if minority corrupted– Each ballot concealed among half of total

Correct because forward link on any ballot checked with probability 1/2

Public verifiability

Server 1 Server 2 Server 3 Server 4

Bob

Alice

Carl

Delia

ballot

ballot

ballot

ballot

ballot

ballot

ballot

ballot

ballot

ballot

ballot

ballot

Gore

Gore

Bush

Bush

???

Public verifiability

Server 1 Server 2 Server 3 Server 4

Idea: Inspection coins depend on hash of full set of ballots

Suppose election threshold is d– Recall Florida threshold was 960

Attacker must (roughly) try number of hashes 2d/2 to swing election undetected

Public verifiability

Server 1 Server 2 Server 3 Server 4

If threshold d is small, use a more expensive mix– e.g., Neff, Furukawa/Sako

Final Remarks

Good for applications other than voting? Paper (with details) available on

homepages of three authors, at:– Google “Markus Jakobsson homepage” – Google “Ari Juels homepage”– Google “Ron Rivest homepage”

Idea is unpatented Implementation warmly welcomed