Cryptology ePrint Archive: Report 2017/544

Securing Abe's Mix-net Against Malicious Verifiers via Witness Indistinguishability

Elette Boyle and Saleet Klein and Alon Rosen and Gil Segev

Abstract: We show that the simple and appealing unconditionally sound mix-net due to Abe (Asiacrypt'99) can be augmented to further guarantee anonymity against malicious verifiers. This additional guarantee implies, in particular, that when applying the Fiat-Shamir transform to the mix-net's underlying sub-protocols, anonymity is provably guaranteed for {\em any} hash function.

As our main contribution, we demonstrate how anonymity can be attained, even if most sub-protocols of a mix-net are merely witness indistinguishable (WI). We instantiate our framework with two variants of Abe's mix-net. In the first variant, ElGamal ciphertexts are replaced by an alternative, yet equally efficient, "lossy" encryption scheme. In the second variant, new "dummy" vote ciphertexts are injected prior to the mixing process, and then removed.

Our techniques center on new methods to introduce additional witnesses to the sub-protocols within the proof of security. This, in turn, enables us to leverage the WI guarantees against malicious verifiers. In our first instantiation, these witnesses follow somewhat naturally from the lossiness of the encryption scheme, whereas in our second instantiation they follow from leveraging combinatorial properties of the Benes-network. These approaches may be of independent interest.

Finally, we demonstrate cases in Abe's original mix-net (without modification) where only one witness exists, such that if the WI proof leaks information on the (single) witness in these cases, then the system will not be anonymous against malicious verifiers.

Category / Keywords: cryptographic protocols / mix-nets, witness indistinguishability, Benes network

Date: received 6 Jun 2017

Contact author: saleet at mit edu

Available format(s): PDF | BibTeX Citation

Version: 20170608:155528 (All versions of this report)

Short URL: ia.cr/2017/544

Discussion forum: Show discussion | Start new discussion


[ Cryptology ePrint archive ]