A Commitment-Consistent Proof of a Shuffle

We introduce a pre-computation technique that drastically reduces the online computational complexity of mix-nets based on homomorphic cryptosystems. More precisely, we show that there is a permutation commitment scheme that allows a mix-server to: (1) commit to a permutation and efficiently prove knowledge of doing so correctly in the offline phase, and (2) shuffle its input and give an extremely efficient commitment-consistent proof of a shuffle in the online phase. We prove our result for a general class of shuffle maps that generalize all known types of shuffles, and even allows shuffling ciphertexts of different cryptosystems in parallel

cMix: Mixing with Minimal Real-Time Asymmetric Cryptographic Operations

We introduce cMix, a new approach to anonymous communications. Through a precomputation, the core cMix protocol eliminates all expensive realtime public-key operations --- at the senders, recipients and mixnodes --- thereby decreasing real-time cryptographic latency and lowering computational costs for clients. The core real-time phase performs only a few fast modular multiplications. In these times of surveillance and extensive profiling there is a great need for an anonymous communication system that resists global attackers. One widely recognized solution to the challenge of traffic analysis is a mixnet, which anonymizes a batch of messages by sending the batch through a fixed cascade of mixnodes. Mixnets can offer excellent privacy guarantees, including unlinkability of sender and receiver, and resistance to many traffic-analysis attacks that undermine many other approaches including onion routing. Existing mixnet designs, however, suffer from high latency in part because of the need for real-time public-key operations. Precomputation greatly improves the real-time performance of cMix, while its fixed cascade of mixnodes yields the strong anonymity guarantees of mixnets. cMix is unique in not requiring any real-time public-key operations by users. Consequently, cMix is the first mixing suitable for low latency chat for lightweight devices. Our presentation includes a specification of cMix, security arguments, anonymity analysis, and a performance comparison with selected other approaches. We also give benchmarks from our prototype

AOT: Anonymization by Oblivious Transfer

We introduce AOT, an anonymous communication system based on mix network architecture that uses oblivious transfer (OT) to deliver messages. Using OT to deliver messages helps AOT resist blending (n−1) attacks and helps AOT preserve receiver anonymity, even if a covert adversary controls all nodes in AOT. AOT comprises three levels of nodes, where nodes at each level perform a different function and can scale horizontally. The sender encrypts their payload and a tag, derived from a secret shared between the sender and receiver, with the public key of a Level-2 node and sends them to a Level-1 node. On a public bulletin board, Level-3 nodes publish tags associated with messages ready to be retrieved. Each receiver checks the bulletin board, identifies tags, and receives the associated messages using OT. A receiver can receive their messages even if the receiver is offline when messages are ready. Through what we call a handshake process, communicants can use the AOT protocol to establish shared secrets anonymously. Users play an active role in contributing to the unlinkability of messages: periodically, users initiate requests to AOT to receive dummy messages, such that an adversary cannot distinguish real and dummy requests

Mix-Nets from Re-Randomizable and Replayable CCA-secure Public-Key Encryption

Mix-nets are protocols that allow a set of senders to send messages anonymously. Faonio et al. (ASIACRYPT’19) showed how to instantiate mix-net protocols based on Public-Verifiable Re-randomizable Replayable CCA-secure (Rand-RCCA) PKE schemes. The bottleneck of their approach is that public-verifiable Rand-RCCA PKEs are less efficient than typical CPA-secure re-randomizable PKEs. In this paper, we revisit their mix-net protocol, showing how to get rid of the cumbersome public-verifiability property, and we give a more efficient instantiation for the mix-net protocol based on a (non publicly-verifiable) Rand-RCCA scheme. Additionally, we give a more careful security analysis of their mix-net protocol

Did you mix me? Formally Verifying Verifiable Mix Nets in Electronic Voting

Verifiable mix nets, and specifically proofs of (correct) shuffle, are a fundamental building block in numerous applications: these zero-knowledge proofs allow the prover to produce a public transcript which can be perused by the verifier to confirm the purported shuffle. They are particularly vital to verifiable electronic voting, where they underpin almost all voting schemes with non-trivial tallying methods. These complicated pieces of cryptography are a prime location for critical errors which might allow undetected modification of the outcome. The best solution to preventing these errors is to machine-check the cryptographic properties of the design and implementation of the mix net. Particularly crucial for the integrity of the outcome is the soundness of the design and implementation of the verifier (software). Unfortunately, several different encryption schemes are used in many different slight variations which makes t infeasible to machine-check every single case individually. However, a particular optimized variant of the Terelius-Wikstrom mix net is, and has been, widely deployed in elections including national elections in Norway, Estonia and Switzerland, albeit with many slight variations and several different encryption schemes. In this work, we develop the logical theory and formal methods tools to machine-check the design and implementation of all these variants of Terelius-Wikstrom mix nets, for all the different encryption schemes used; resulting in provably correct mix nets for all these different variations. We do this carefully to ensure that we can extract a formally verified implementation of the verifier (software) which is compatible with existing deployed implementations of the Terelius-Wikstrom mix net. This gives us provably correct implementations of the verifiers for more than half of the national elections which have used verifiable mix nets. Our implementation of a proof of correct shuffle is the first to be machine-checked to be cryptographically correct and able to verify proof transcripts from national elections. We demonstrate the practicality of our implementation by verifying transcripts produced by the Verificatum mix net system and the CHVote evoting system from Switzerland

Secure multi party computations for electronic voting

Στην παρούσα εργασία, μελετούμε το πρόβλημα της ηλεκτρονικής ψηφοφορίας. Θεωρούμε ότι είναι έκφανση μιας γενικής διαδικασίας αποφάσεων που μπορεί να υλοποιηθεί μέσω υπολογισμών πολλαπλών οντοτήτων, οι οποίοι πρέπει να ικανοποιούν πολλές και αντικρουόμενες απαιτήσεις ασφαλείας. Έτσι μελετούμε σχετικές προσεγγίσεις οι οποίες βασιζονται σε κρυπτογραφικές τεχνικές, όπως τα ομομορφικά κρυπτοσυστήματα, τα δίκτυα μίξης και οι τυφλές υπογραφές. Αναλύουμε πώς προσφέρουν ακεραιότητα και ιδιωτικότητα (μυστικότητα) στην διαδικασία και την σχέση τους με την αποδοτικότητα. Εξετάζουμε τα είδη λειτουργιών κοινωνικής επιλογής που μπορούν να υποστηρίξουν και παρέχουμε δύο υλοποιήσεις. Επιπλέον ασχολούμαστε με την αντιμετώπιση ισχυρότερων αντιπάλων μη παρέχοντας αποδείξεις ψήφου ή προσφέροντας δυνατότητες αντίστασης στον εξαναγκασμό. Με βάση την τελευταία έννοια προτείνουμε μια τροποποίηση σε ένα ευρέως χρησιμοποιούμενο πρωτόκολλο. Τέλος μελετούμε δύο γνωστές υλοποιήσεις συστημάτων ηλεκτρονικής ψηφοφοριας το Helios και το Pret a Voter .In this thesis, we study the problem of electronic voting as a general decision making process that can be implemented using multi party computations, fulfilling strict and often conflicting security requirements. To this end, we review relevant cryptographic techniques and their combinations to form voting protocols. More specifically, we analyze schemes based on homomorphic cryptosystems, mixnets with proofs of shuffles and blind signatures. We analyze how they achieve integrity and privacy in the voting process, while keeping efficiency. We examine the types of social choice functions that can be supported by each protocol. We provide two proof of concept implementations. Moreover, we review ways to thwart stronger adversaries by adding receipt freeness and coercion resistance to voting systems. We build on the latter concept to propose a modification to a well known protocol. Finally, we study two actual e-Voting implementations namely Helios and Pret a Voter

Offline/Online Mixing

We introduce an offline precomputation technique for mix-nets that drastically reduces the amount of online computation needed. Our method can be based on any additively homomorphic cryptosystem and is applicable when the number of senders and the maximal bit-size of messages are relatively small