Securing Abe\u27s Mix-net Against Malicious Verifiers via Witness Indistinguishability

We show that the simple and appealing unconditionally sound mix-net due to Abe (Asiacrypt\u2799) can be augmented to further guarantee anonymity against malicious verifiers. This additional guarantee implies, in particular, that when applying the Fiat-Shamir transform to the mix-net\u27s underlying sub-protocols, anonymity is provably guaranteed for {\em any} hash function. As our main contribution, we demonstrate how anonymity can be attained, even if most sub-protocols of a mix-net are merely witness indistinguishable (WI). We instantiate our framework with two variants of Abe\u27s mix-net. In the first variant, ElGamal ciphertexts are replaced by an alternative, yet equally efficient, lossy encryption scheme. In the second variant, new dummy vote ciphertexts are injected prior to the mixing process, and then removed. Our techniques center on new methods to introduce additional witnesses to the sub-protocols within the proof of security. This, in turn, enables us to leverage the WI guarantees against malicious verifiers. In our first instantiation, these witnesses follow somewhat naturally from the lossiness of the encryption scheme, whereas in our second instantiation they follow from leveraging combinatorial properties of the Benes-network. These approaches may be of independent interest. Finally, we demonstrate cases in Abe\u27s original mix-net (without modification) where only one witness exists, such that if the WI proof leaks information on the (single) witness in these cases, then the system will not be anonymous against malicious verifiers