## A practical mix (1998)

Citations: 71 (11 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Jakobsson98apractical,
  author    = {Markus Jakobsson},
  title     = {A practical mix},
  booktitle = {Advances in Cryptology - EUROCRYPT '98},
  year      = {1998},
  pages     = {448--461},
  publisher = {Springer-Verlag}
}
```


### Abstract

Author URL: www.bell-labs.com/user/markusj

We introduce a robust and efficient mix-network for exponentiation, and use it to obtain a threshold decryption mix-network for ElGamal encrypted messages, in which mix servers do not need to trust each other for the correctness of the result. If a subset of mix servers cheat, they will be caught with overwhelming probability, and the decryption can restart after replacing them, in a fashion that is transparent to the participants providing the input to be decrypted. As long as a quorum is not controlled by an adversary, the privacy of the mix is guaranteed. Our solution is proved to be secure if a commonly used assumption, the Decision Diffie-Hellman assumption, holds.

Of possible independent interest are two new methods that we introduce: blinded destructive robustness, a type of destructive robustness with protection against leaks of secret information; and repetition robustness, a method for obtaining robustness for some distributed vector computations. Here, two or more calculations of the same equation are performed, where the different computations are made independent by the use of blinding and permutation. The resulting vectors are then unblinded, sorted and compared to each other. This allows us to detect cheating (resulting in inequality of the vectors).

Also of possible independent interest is a modular extension to the ElGamal encryption scheme, making the resulting scheme non-malleable in the random oracle model. This is done by interpreting part of the ciphertext as a public key, and signing the ciphertext using the corresponding secret key.
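The repetition-robustness check described in the abstract, as an added Python illustration (not code from the paper or its author): the same exponentiation vector is evaluated twice, each time under a fresh random blinding exponent and a fresh permutation, then unblinded, sorted and compared. Everything specific here is an assumption made for the illustration: the toy group (p = 1019, q = 509, g = 4), the collapse of the distributed threshold computation into a single exponent x, and the cheating model, in which a server overwrites one output entry with a copy of another. The paper's actual protocol, including how servers combine their shares, is not reproduced.

```python
"""Repetition robustness, toy version (added illustration, not the paper's code)."""
import secrets
from typing import Callable, List, Sequence

# Constructed toy group: safe prime p = 2q + 1 and g = 4 = 2^2, a quadratic residue
# mod p, so g generates the subgroup of prime order q. Far too small for real use.
P = 1019
Q = 509
G = 4

# A "run" evaluates the vector given (items, secret exponent, blinding, permutation).
Run = Callable[[Sequence[int], int, int, Sequence[int]], List[int]]


def rand_exponent() -> int:
    """Uniform exponent in [1, q-1]; nonzero, hence invertible mod q."""
    return secrets.randbelow(Q - 1) + 1


def rand_permutation(n: int) -> List[int]:
    """Fisher-Yates shuffle of 0..n-1 using OS randomness."""
    perm = list(range(n))
    for i in range(n - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        perm[i], perm[j] = perm[j], perm[i]
    return perm


def honest_run(items: Sequence[int], x: int, blind: int, perm: Sequence[int]) -> List[int]:
    """One blinded, permuted evaluation: output[i] = items[perm[i]]^(x*blind) mod p."""
    e = (x * blind) % Q
    return [pow(items[perm[i]], e, P) for i in range(len(items))]


def tampering_run(items: Sequence[int], x: int, blind: int, perm: Sequence[int]) -> List[int]:
    """Assumed cheating model: as honest_run, but the server overwrites the first
    output entry with a copy of the second, so one item's result is lost."""
    out = honest_run(items, x, blind, perm)
    out[0] = out[1]
    return out


def unblind_and_sort(vec: Sequence[int], blind: int) -> List[int]:
    """Raise to blind^-1 mod q to remove the blinding, then sort so the
    permutation no longer matters; two honest runs must agree exactly."""
    inv = pow(blind, -1, Q)
    return sorted(pow(v, inv, P) for v in vec)


def repetition_check(items: Sequence[int], x: int, runs: Sequence[Run]):
    """Evaluate the same vector once per run function, each with fresh blinding
    and permutation, and compare the unblinded sorted results.
    Returns (all_runs_agree, sorted_result_of_first_run)."""
    results = []
    for run in runs:
        b = rand_exponent()
        perm = rand_permutation(len(items))
        results.append(unblind_and_sort(run(items, x, b, perm), b))
    agree = all(r == results[0] for r in results[1:])
    return agree, results[0]


def expected_output(items: Sequence[int], x: int) -> List[int]:
    """Reference value a party holding x could compute directly: sorted items^x."""
    return sorted(pow(a, x, P) for a in items)


if __name__ == "__main__":
    # Constructed sample input: four subgroup elements g^r, the shape an ElGamal
    # ciphertext's first component has.
    items = [pow(G, r, P) for r in (17, 42, 301, 88)]
    x = rand_exponent()
    ok, out = repetition_check(items, x, [honest_run, honest_run])
    print("honest runs agree:", ok, "matches reference:", out == expected_output(items, x))
    bad, _ = repetition_check(items, x, [honest_run, tampering_run])
    print("tampering detected:", not bad)
```

Sorting removes the permutation and raising to the inverse blinding exponent removes the blinding, so two honest runs give identical vectors whatever permutation and blinding they used. A run in which an entry was replaced carries a duplicate value where the honest run has distinct ones, so the comparison fails. Detection is by inequality only, as the abstract describes; identifying which server cheated is the separate destructive-robustness step the abstract mentions and is not modelled here.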

### Citations

1773 | How to share a secret - Shamir - 1979
Context: ...l Decryption. 3.1 Review. Public and Secret Information: Let p, q be primes such that p = 2q + 1, and g be a generator of G_p. The mix servers share a secret key x using a (k, n) threshold scheme (see [30, 24]); their corresponding public key is y = g^x mod p. Server j's secret share is x_j, its public share y_j = g^{x_j} mod p. (Onwards, we assume all arithmetic to be modulo p where applicable, unless othe...

1204 | Untraceable electronic mail, return addresses, and digital pseudonyms - Chaum - 1981
Context: ...a permuted list of function evaluations (typically decryptions) of the input items, without revealing the relationship between input and output elements. Mix-networks were introduced by Chaum in 1981 [4] as a primitive for privacy. Although alternative primitives for privacy (e.g., [27]) can be used where users trust each other to some extent, for most applications, mix-networks still today remain th...

1186 | Probabilistic encryption - Goldwasser, Micali - 1984

1121 | A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms - ElGamal - 1985
Context: ... also excludes certain types of uses of the mix-network. We demonstrate an elegant and efficient solution to this problem. More precisely, we suggest a mix-network for decryption of a list of ElGamal [10] encrypted messages, with the properties for privacy, availability, robustness, and efficiency listed in the next section. Using novel methods for catching cheaters, we propose a solution to the same ...

584 | Efficient signature generation by smart cards - Schnorr - 1991
Context: ...a given quadruple (m, s, g, y). There are several protocol versions developed; in order to obtain a high degree of efficiency, we will use a non-interactive proof version, such as a Schnorr signature [29]. This requires one exponentiation per proof for the prover, and two per verifier. 3.2 Non-Malleable ElGamal. Even if we have a primitive that takes a list of encrypted messages and decrypts these in a...

463 | A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack - Cramer, Shoup - 1998
Context: ...n the random oracle model [26], as shown in the appendix. Remark: Other methods of providing non-malleability can be employed. For example, we may use the recently proposed scheme by Cramer and Shoup [7], which is shown to be secure against an adaptive chosen message attack (which is shown to imply non-malleability in [2].) A list of such encryptions can be mix-decrypted using almost identical method...

239 | Anonymous Connections and Onion Routing - Syverson, Goldschlag, et al. - 1997
Context: ...ic method to ensure connection privacy in settings like the Internet. Consequently, mix-networks have seen many applications since they were introduced, spanning the areas of pure communication (e.g., [31, 25]), the special case of web-browsing [12], and election schemes [4, 11, 28]. They also have other potential uses wherever privacy is important, as in payment schemes. Mix-networks are also often used i...

236 | A practical secret voting scheme for large scale elections - Fujioka, Okamoto, et al. - 1993
Context: ...onsequently, mix-networks have seen many applications since they were introduced, spanning the areas of pure communication (e.g., [31, 25]), the special case of web-browsing [12], and election schemes [4, 11, 28]. They also have other potential uses wherever privacy is important, as in payment schemes. Mix-networks are also often used implicitly, by the assumption of an anonymous channel. However, in spite of...

209 | Security Proofs for Signature Schemes - Pointcheval, Stern - 1996
Context: ...valid if the above signature is valid and corresponds to the ciphertext pair. Encryptions that are not valid are discarded. The resulting encryption scheme is non-malleable in the random oracle model [26], as shown in the appendix. Remark: Other methods of providing non-malleability can be employed. For example, we may use the recently proposed scheme by Cramer and Shoup [7], which is shown to be secu...

191 | A Threshold Cryptosystem without a Trusted Party - Pedersen - 1991
Context: ...l Decryption. 3.1 Review. Public and Secret Information: Let p, q be primes such that p = 2q + 1, and g be a generator of G_p. The mix servers share a secret key x using a (k, n) threshold scheme (see [30, 24]); their corresponding public key is y = g^x mod p. Server j's secret share is x_j, its public share y_j = g^{x_j} mod p. (Onwards, we assume all arithmetic to be modulo p where applicable, unless othe...

185 | Proactive secret sharing or how to cope with perpetual leakage - Herzberg, Jarecki, et al. - 1995
Context: ...me standard, or generally just behaving in a way that is not allowed in the system on the whole.) Finally, we have the adversary, who can control other participants, and who may be mobile (see, e.g., [15]). The adversary may wish to break the privacy of a user he does not control, or make participants he does not control accept as valid an invalid decryption of the posted messages. More rigorously, th...

161 | Mixing E-mail with BABEL - Gulcu, Tsudik - 1996
Context: ...f currently used remailers use only one mix server, which has to be fully trusted by the users for both privacy and correctness. If several such servers are pipelined for improved privacy (such as in [14, 23, 31]), this raises concerns in terms of both correctness and availability of service, especially in situations where mix servers are welcome targets of attackers. (It is interesting to note that if an att...

98 | ISDN-mixes: Untraceable communication with very small bandwidth overhead - Pfitzmann, Pfitzmann, et al. - 1991
Context: ...ic method to ensure connection privacy in settings like the Internet. Consequently, mix-networks have seen many applications since they were introduced, spanning the areas of pure communication (e.g., [31, 25]), the special case of web-browsing [12], and election schemes [4, 11, 28]. They also have other potential uses wherever privacy is important, as in payment schemes. Mix-networks are also often used i...

84 | Proactive public key and signature systems - Herzberg, Jakobsson, et al. - 1997
Context: ...correctness (theorem 1), robustness (theorem 2) and privacy (theorem 3). As a result, the scheme for mix-decryption of ElGamal can easily be seen to have the same properties. Following the method in [16], the system can be shown to be proactivizable. Our proposed non-malleable ElGamal version is proved to indeed be non-malleable in theorem 4. 6 Efficiency Analysis. In this section, we specify the cost...

81 | Universally Verifiable mix-net with Verification Work Independent of the - Abe - LNCS 1403
Context: ...mputation (without sacrificing privacy). There has been no suggestion of how to do this efficiently. So far, the most efficient proposals are those of Ogata, Kurosawa, Sako and Takatani [22], and Abe [1]. Apart from these, no robust threshold mix-network has been proposed. A threshold solution is important, or users would be forced to re-encrypt and re-send the encrypted messages in situations where ...

67 | How to make personalized Web browsing simple, secure and anonymous - Gabber, Gibbons, et al. - 1997
Context: ...ttings like the Internet. Consequently, mix-networks have seen many applications since they were introduced, spanning the areas of pure communication (e.g., [31, 25]), the special case of web-browsing [12], and election schemes [4, 11, 28]. They also have other potential uses wherever privacy is important, as in payment schemes. Mix-networks are also often used implicitly, by the assumption of an anony...

66 | How to share a function securely - Santis, Desmedt, et al. - 1994

22 | ISDN-MIXes -- Untraceable Communication with Very Small Bandwidth Overhead - Pfitzmann, Pfitzmann, Waidner - 1991
Context: ...ic method to ensure connection privacy in settings like the Internet. Consequently, mix-networks have seen many applications since they were introduced, spanning the areas of pure communication (e.g., [31, 25]), the special case of web-browsing [running page header: K. Nyberg (Ed.): Advances in Cryptology - EUROCRYPT '98, LNCS 1403, pp. 448-461, 1998. © Springer-Verlag Berlin Heidelberg 1998; p. 449] [12], and election schemes [4, 1...

15 | All/nothing election scheme and anonymous channel, Eurocrypt '93 - Park, Itoh, et al.
Context: ...f currently used remailers use only one mix server, which has to be fully trusted by the users for both privacy and correctness. If several such servers are pipelined for improved privacy (such as in [14, 23, 31]), this raises concerns in terms of both correctness and availability of service, especially in situations where mix servers are welcome targets of attackers. (It is interesting to note that if an att...

9 | Zero-knowledge undeniable signatures, Eurocrypt '90, LNCS 473 - Chaum

7 | Receipt-Free Mix-Type Voting Scheme, Eurocrypt - Sako, Kilian - 1995

6 | Receipt-Free Mix-Type Voting Scheme, Eurocrypt - Sako, Kilian - 1995
Context: ...onsequently, mix-networks have seen many applications since they were introduced, spanning the areas of pure communication (e.g., [31, 25]), the special case of web-browsing [12], and election schemes [4, 11, 28]. They also have other potential uses wherever privacy is important, as in payment schemes. Mix-networks are also often used implicitly, by the assumption of an anonymous channel. However, in spite of...

5 | Some remarks on a receipt free and universally verifiable mix-type voting scheme - Horster, Michels, et al. - 1996
Context: ...ttacker corrupting some subset of mix servers can verify a claimed mix decryption, the degree of privacy might paradoxically decrease with increased pipelining/distribution. This was first noticed in [17], in the context of an adversary desiring to verify that purchased votes were cast "correctly".) Furthermore, in order to allow an adversarial trust model of the type often assumed in commerce and ele...

4 | FIPS PUB XX, "Digital Signature Standard," National Institute of Standards and - 1993

3 | Crowds: Anonymous Web Transactions. Manuscript at http://www.research.att.com/projects/crowds - Reiter, Rubin
Context: ... without revealing the relationship between input and output elements. Mix-networks were introduced by Chaum in 1981 [4] as a primitive for privacy. Although alternative primitives for privacy (e.g., [27]) can be used where users trust each other to some extent, for most applications, mix-networks still today remain the only realistic method to ensure connection privacy in settings like the Internet. ...

2 | Designated Verifier Proofs and Their Applications, Eurocrypt '96 - Jakobsson, Sako, et al.

2 | Distributed `Magic Ink' Signatures, Eurocrypt '97 - Jakobsson, Yung
Context: ... made robust by having each participant prove to each other participant that he performed his part of the computation according to the protocol. The concept of destructive robustness was introduced in [19, 20] to improve the efficiency of robustness verifications by making the common case inexpensive to perform. The method of destructive robustness involves two steps: the detection of an error, and the tra...

2 | Privacy vs. Anonymity - Jakobsson - 1997
Context: ... made robust by having each participant prove to each other participant that he performed his part of the computation according to the protocol. The concept of destructive robustness was introduced in [19, 20] to improve the efficiency of robustness verifications by making the common case inexpensive to perform. The method of destructive robustness involves two steps: the detection of an error, and the tra...

1 | Plaintext Awareness, Non-Malleability, and Chosen Ciphertext Security: Implications and Separations, manuscript - Bellare, Desai, et al.
Context: ...loyed. For example, we may use the recently proposed scheme by Cramer and Shoup [7], which is shown to be secure against an adaptive chosen message attack (which is shown to imply non-malleability in [2].) A list of such encryptions can be mix-decrypted using almost identical methods to those described in this paper. 3.3 Mix-decryption of ElGamal. Assume that we have a primitive MIXEXP that takes a li...

1 | Batch Verification with Applications to Program Checking and Cryptography, Eurocrypt '98 - Bellare, Garay, et al.
Context: ...pproximately a factor of between 1500 and 4000 (in a setting with no external verifiers.) We note that all of the above costs can be somewhat reduced by applying methods for batch verification (e.g., [3]), but it appears that our algorithm would be more efficient for all sizes of inputs and quorums even after the algorithms are optimized. Novel Methods: In order to balance robustness and integrity of...

1 | Non-malleable cryptography, STOC '91, pp. 542--552 - Dolev, Dwork, et al.
Text of the citing paper parsed into this entry: Recall that we do not assume that the participants are honest, but only that the common case is that they are. When they are not, an extra cost is imposed for finding the identities of the cheaters.
Context: ...) and then determine (with some probability) what the decryption of the attacked message was, by counting repeats or correlations in the output list. Therefore, it is necessary to use a non-malleable [9] scheme, such as our proposed extension to the ElGamal encryption scheme. Before the mix-decryption process starts, the mix servers remove any invalid encryption entry, and any duplicates of the same ...

1 | Crowds: Anonymous Web Transactions, Manuscript at www.research.att.com/projects/crowds - Reiter, Rubin
Context: ... without revealing the relationship between input and output elements. Mix-networks were introduced by Chaum in 1981 [4] as a primitive for privacy. Although alternative primitives for privacy (e.g., [27]) can be used where users trust each other to some extent, for most applications, mix-networks still today remain the only realistic method to ensure connection privacy in settings like the Internet. ...

1 | Probabilistic Encryption - Goldwasser, Micali - 1984