6.897: Advanced Topics in Cryptography
Apr 9, 2004
Lecture 18: Mix-net Voting Systems
Scribed by: Yael Tauman Kalai

1 Introduction

In the previous lecture, we defined the notion of an electronic voting system, and specified the requirements from such a system. In particular, we required an electronic voting system to be verifiable and robust. Loosely speaking, a voting system is said to be verifiable if any individual can verify that his vote was counted. A voting system is said to be robust if there does not exist any small set of servers that can disrupt the election.

The voting systems that appear in the literature can be roughly categorized into three groups: one based on mix-nets, one based on homomorphic encryptions, and one based on blind signatures. In this lecture we concentrate on mix-net protocols. We describe two types of mix-net protocols: decryption mix-nets and re-encryption mix-nets.

The general structure of mix-nets was illustrated in the previous lecture. They begin with an initial encryption phase $E$, whose outputs are posted on a bulletin board, in order to achieve verifiability. The initial encryption phase is followed by several mix phases $\mathrm{mix}_1, \ldots, \mathrm{mix}_k$. The reason we need several of them is to achieve robustness. In decryption mix-nets, the mix phases mix and partially decrypt, whereas in re-encryption mix-nets, the mix phases mix and re-encrypt. In re-encryption mix-nets a final decryption phase $D$ is added.

2 Decryption Mix Net

A decryption mix-net does not have a final decryption phase. Rather, the initial encryption phase $E$ encrypts its inputs by applying a concatenation of $k$ encryption operations to each input; each mix peels off one of these encryptions by applying a corresponding decryption algorithm; it then mixes all its decrypted inputs by applying a secret random permutation to them. Thus, this scheme has the structure of an onion; $E$ builds the onion, and each mix peels off one layer of the onion. More specifically, each mix has its own pair of keys. We denote the keys of $\mathrm{mix}_i$ by $(SK_i, PK_i)$.
$\mathrm{mix}_i$ decrypts its inputs using its keys $(SK_i, PK_i)$; it then secretly permutes all its decrypted inputs. The initial encryption $E$ has the public keys of all the mixes $(PK_1, \ldots, PK_k)$; it encrypts each input by first encrypting it with $PK_k$, then encrypting the result with $PK_{k-1}$, then encrypting the result with $PK_{k-2}$, and so on. Thus, if we denote the ballots by $B_1, \ldots, B_n$, then for each $i = 1, \ldots, n$,

$$C_i = E(B_i) = E(PK_1, \ldots E(PK_{k-1}, E(PK_k, B_i)) \ldots).$$

There are some issues that need to be addressed:
1. Note that secure encryption schemes do not hide the length of the plaintexts. Since the outputs of $E$ appear publicly on a bulletin board, in order to preserve secrecy, we must require all the ciphertexts to be of the same length.

2. Note that $\mathrm{mix}_k$ (the last mix) generates the final output of the vote. Thus, if he doesn't like the output he may abort. One way of preventing $\mathrm{mix}_k$ from aborting is by making his secret shared. This raises further issues, such as key management.

3. It seems like semantic security is enough, assuming the encrypted ballots are publicized only after all the voters have voted. Otherwise, we need a stronger security notion, such as CCA2 security, in order to achieve non-malleability.

4. The above protocol, as described, is neither verifiable nor robust. In order to achieve these two desired properties, we need to add some ingredients to the protocol. These ingredients will be added following the description of re-encryption mix-nets.

3 Re-encryption Mix-nets

As opposed to a mix phase in a decryption mix-net, whose role is both to mix and to partially decrypt, the role of a mix phase in a re-encryption mix-net is only to mix. Note, however, that a mix which merely scrambles the inputs is not good enough. This is so, since by merely scrambling, the resulting set of ciphertexts does not change, and thus for each resulting ciphertext it is easy to recover the voter associated with it. Thus, an extra operation is needed in order to mix in an unrecoverable way. In a re-encryption mix-net, the extra operation added to each mix phase is a re-encryption operation.

In total, a re-encryption mix-net consists of an initial encryption phase $E$, several mix phases $\mathrm{mix}_1, \ldots, \mathrm{mix}_k$, which mix by scrambling and re-encrypting, and a final decryption phase $D$. Typically, the encryption scheme used in a re-encryption mix-net is the El Gamal encryption scheme, which has a nice re-encryption property. In what follows, we describe in more detail an El Gamal based re-encryption mix-net.
3.1 El Gamal Based Re-encryption Mix-nets

Recall that in the El Gamal encryption scheme, an encryption of a message $m$, with respect to a public key $(p, g, y)$, consists of a pair $(g^r, m y^r)$, where all the operations are done modulo $p$, and $r \in_R \mathbb{Z}_q$, where $q$ is a large prime dividing $p - 1$, where $g$ is a generator of the subgroup of elements whose order divides $q$, and $m$ is in this subgroup. The secret key corresponding to $(p, g, y)$ is $x$ such that $g^x = y \pmod{p}$.

The El Gamal encryption scheme has the following nice re-encrypting property: any encrypted message $(a, b) = (g^r, m y^r)$ can be re-encrypted by choosing a random $s \in_R \mathbb{Z}_q$ and computing $(a g^s, b y^s) = (g^{r+s}, m y^{r+s})$. Note that this re-encrypting operation results in a random ciphertext for the same message $m$.

We are now ready to define the El Gamal based re-encryption mix-net:

1. An El Gamal public key $(p, g, y)$ is generated (in some distributed manner).
2. The initial encryption phase $E$ simply encrypts all the ballots $B_1, \ldots, B_n$ by applying the El Gamal encryption algorithm with the public key $(p, g, y)$. It then posts all the resulting ciphertexts $(C_{1,0}, \ldots, C_{n,0})$ on a bulletin board.

3. The $i$-th mix phase, on input a set of ciphertexts $(C_{1,i-1}, \ldots, C_{n,i-1})$, re-encrypts each ciphertext and permutes the resulting ciphertexts using a secretly chosen random permutation.

4. The final decryption phase $D$, given a set of ciphertexts $(C_{1,k}, \ldots, C_{n,k})$, simply decrypts all the ciphertexts in some distributed manner (in order to achieve robustness).

3.2 Verifiability and Robustness

Recall that a voting system is said to be verifiable if all voters can verify that their vote was counted. A voting system is said to be robust if a small set of servers cannot disrupt the election. Note that the above mix-net protocol is neither verifiable nor robust. In order to obtain these two properties several ingredients must be added to the protocol. In particular, one ingredient which may be added is the requirement that each mix server prove that he has indeed done the correct operation. Namely, each $\mathrm{mix}_i$ will be required to prove that there exists a permutation $\pi$ such that $C_{j,i}$ is a re-encryption of $C_{\pi(j),i-1}$, for $j = 1, \ldots, n$.

In what follows we consider the simpler task of merely proving that one ciphertext is a re-encryption of another. Let $c_1 = (\alpha_1, \beta_1) = (g^t, m_1 y^t)$ and $c_2 = (\alpha_2, \beta_2) = (g^u, m_2 y^u)$ be any two ciphertexts. Note that $c_2$ is a re-encryption of $c_1$ if and only if $c_1$ and $c_2$ are both encryptions of the same message. Consider the tuple

$$\left(g, y, \frac{\alpha_2}{\alpha_1}, \frac{\beta_2}{\beta_1}\right) = \left(g, y, g^{u-t}, \frac{m_2}{m_1} y^{u-t}\right).$$

Thus, $c_2$ is a re-encryption of $c_1$ if and only if $\left(g, y, \frac{\alpha_2}{\alpha_1}, \frac{\beta_2}{\beta_1}\right)$ is a DDH tuple, i.e., a tuple of the form $(g, y, g^r, y^r)$, which is equivalent to being a tuple of the form $(g, g^x, g^r, g^{rx})$. Thus, proving that $c_2$ is a re-encryption of $c_1$ boils down to proving that $(g, y, g^r, y^r) \in \mathrm{DDH}$.

In what follows we describe the Chaum-Pedersen protocol [CP92] for proving that a tuple $(g, y, w, u) = (g, g^x, g^r, g^{rx})$ is a DDH tuple.
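$$
\begin{array}{lcl}
P & & V \\
s \in_R \mathbb{Z}_q & & \\
 & \xrightarrow{\;(a, b) = (g^s, y^s)\;} & \\
 & \xleftarrow{\;c\;} & c \in_R \mathbb{Z}_q \\
t = s + cr & \xrightarrow{\;t\;} & \\
 & & \text{accept if and only if } g^t = a w^c \text{ and } y^t = b u^c
\end{array}
$$

It is easy to verify that the above protocol is an honest-verifier zero-knowledge proof-of-knowledge protocol.

Remarks: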
1. Neff proposed a slightly different re-encryption mix-net, also based on El Gamal. In Neff's protocol a re-encryption operation consists in part of taking a ciphertext $(a, b)$ and generating another ciphertext $(a^c, b^c)$, for a randomly chosen $c \in_R \mathbb{Z}_q$. Note that this operation does change the encrypted message from $m$ to $m^c$. The motivation behind Neff's scheme is that he manages to give efficient zero-knowledge proofs, which involve only a linear (in $n$) number of exponentiations.

2. There are faster protocols that are not zero-knowledge, such as the one proposed by Boneh and Golle [BG02] and the one proposed by Jakobsson, Juels and Rivest [JJR02]. Both use new techniques to verify correctness. In [BG02], for each mix server, the product of a random subset of its inputs is computed, and the mix server is required to produce a subset of outputs of equal products. In [JJR02], a new technique is used, called randomized partial checking, in which each server provides strong evidence of its correct operation by revealing a pseudo-randomly selected subset of its input/output relations.

3.3 An overview of an El Gamal based Re-encryption Mix-net

1. Voters vote.

2. An El Gamal public key $(p, g, y)$ is produced (in a distributed manner).

3. The initial encryption phase is performed.

4. All the mix phases are performed.

5. Each mix phase produces a proof. The proof includes a non-interactive version of the Chaum-Pedersen proof, obtained by applying the following Fiat-Shamir type step: the challenge is computed by applying some pseudo-random function to the first message and to the content of the bulletin board; the seed to the pseudo-random function is chosen in a distributed manner.

6. All the proofs are checked, and if they are correct, then the decryption phase is performed by applying a threshold decryption. If a proof of $\mathrm{mix}_i$ fails, then the bad server $\mathrm{mix}_i$ is skipped and all the mix phases $\mathrm{mix}_{i+1}, \ldots, \mathrm{mix}_k$ are redone.

Note that so far we only showed how to prove that one ciphertext is a re-encryption of another ciphertext. We didn't show how to fully prove that a mix operated correctly.
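The re-encryption operation of Section 3.1, the Chaum-Pedersen check of Section 3.2 and the Fiat-Shamir type step of Section 3.3, put together as an added Python example that is not part of the original lecture notes. The group parameters are toy values, HMAC-SHA256 stands in for the pseudo-random function, and the function names and the encoding of the board and seed are assumptions made for illustration.

```python
import hashlib, hmac, secrets

# Toy parameters (assumption, far too small for real use): p = 2q + 1 with
# q prime; g = 4 is a square mod p, so it generates the subgroup of order q.
P, Q, G = 1_000_000_007, 500_000_003, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)                        # secret x, public y = g^x

def encrypt(y, m):                                # m must lie in the subgroup
    r = secrets.randbelow(Q)
    return pow(G, r, P), m * pow(y, r, P) % P     # (g^r, m*y^r)

def reencrypt(y, c, s):
    a, b = c
    return a * pow(G, s, P) % P, b * pow(y, s, P) % P   # (a*g^s, b*y^s)

def decrypt(x, c):
    a, b = c
    return b * pow(a, Q - x, P) % P               # b / a^x (a has order q)

def ddh_tuple(c1, c2):
    """(w, u) = (alpha2/alpha1, beta2/beta1), inverses via Fermat."""
    return (c2[0] * pow(c1[0], P - 2, P) % P,
            c2[1] * pow(c1[1], P - 2, P) % P)

def challenge(seed, board, y, w, u, a, b):
    # PRF over the bulletin board, the statement and the first message.
    data = repr((board, G, y, w, u, a, b)).encode()
    return int.from_bytes(hmac.new(seed, data, hashlib.sha256).digest(), "big") % Q

def prove(seed, board, y, c1, c2, r):
    """Prover knows r such that c2 = reencrypt(y, c1, r)."""
    w, u = ddh_tuple(c1, c2)
    s = secrets.randbelow(Q)
    a, b = pow(G, s, P), pow(y, s, P)             # first message (g^s, y^s)
    c = challenge(seed, board, y, w, u, a, b)
    return a, b, (s + c * r) % Q                  # t = s + c*r

def verify(seed, board, y, c1, c2, proof):
    w, u = ddh_tuple(c1, c2)
    a, b, t = proof
    if any(pow(v, Q, P) != 1 for v in (w, u, a, b)):
        return False                              # reject values outside the subgroup
    c = challenge(seed, board, y, w, u, a, b)
    return (pow(G, t, P) == a * pow(w, c, P) % P and   # g^t = a*w^c
            pow(y, t, P) == b * pow(u, c, P) % P)      # y^t = b*u^c
```

Because the challenge covers the board contents, a proof produced for one board state does not verify against another, and a ciphertext that encrypts a different message fails the second equation.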
References

[BG02] D. Boneh and P. Golle. Almost entirely correct mixing with applications to voting. ACM Conference on Computer and Communications Security 2002: 68-77.

[CP92] D. Chaum and T. P. Pedersen. Wallet Databases with Observers. CRYPTO 1992: 89-105.

[JJR02] M. Jakobsson, A. Juels, and R. Rivest. Making Mix Nets Robust for Electronic Voting by Randomized Partial Checking. In D. Boneh, ed., USENIX Security '02, pp. 339-353. 2002. (Also available as IACR eprint 2002/025.)