
Traceable mixnets

Prashant Agrawal, Abhinav Nakarmi, Mahavir Prasad Jhawar, Subodh Sharma, Subhashis Banerjee

TL;DR

A construction of traceable mixnets is proposed using novel distributed zero-knowledge proofs of set membership and of a statement the authors call reverse set membership; these proofs are faster than the state of the art by at least one order of magnitude.

Abstract

We introduce the notion of traceable mixnets. In a traditional mixnet, multiple mix-servers jointly permute and decrypt a list of ciphertexts to produce a list of plaintexts, along with a proof of correctness, such that the association between individual ciphertexts and plaintexts remains completely hidden. However, in many applications, the privacy-utility tradeoff requires answering some specific queries about this association, without revealing any information beyond the query result. We consider queries of the following types: a) given a ciphertext in the mixnet input list, whether it encrypts one of a given subset of plaintexts in the output list, and b) given a plaintext in the mixnet output list, whether it is a decryption of one of a given subset of ciphertexts in the input list. Traceable mixnets allow the mix-servers to jointly prove answers to the above queries to a querier such that neither the querier nor a threshold number of mix-servers learn any information beyond the query result. Further, if the querier is not corrupted, the corrupted mix-servers do not even learn the query result. We first comprehensively formalise these security properties of traceable mixnets and then propose a construction of traceable mixnets using novel distributed zero-knowledge proofs (ZKPs) of set membership and of a statement we call reverse set membership. Although set membership has been studied in the single-prover setting, the main challenge in our distributed setting lies in making sure that none of the mix-servers learn the association between ciphertexts and plaintexts during the proof. We implement our distributed ZKPs and show that they are faster than state-of-the-art by at least one order of magnitude.


Paper Structure

This paper contains 47 sections, 8 theorems, 3 equations, 31 figures.

Key Result

Theorem 1

Let $\Pi_{\mathsf{TM}}$ be the protocol of Figure [fig:construction]. $\Pi_{\mathsf{TM}}$ is complete (Definition 2, Completeness). (Proof in Appendix [pf:completeness].)

Figures (31)

  • Figure 1: Traditional and traceable mixnets. ${\boldsymbol{u}}_{i}$ denotes the $i^{\text{th}}$ individual's identity information and ${\boldsymbol{v}}_{i}$ denotes their sensitive data; ${\boldsymbol{c}}_{i}$s encrypt ${\boldsymbol{v}}_{i}$s and are passed as input to the mixnet; the mixnet consists of mix-servers $\mathcal{M}_{1}$ and $\mathcal{M}_{2}$ that jointly decrypt and permute input list $\boldsymbol{c}$ to output a plaintext list $\boldsymbol{v}':=(\boldsymbol{v}_{\pi(i)})_{i=1}^{5}$, where $\pi$ is composed of secret permutations ${\pi}^{(1)}$ and ${\pi}^{(2)}$ of $\mathcal{M}_{1}$ and $\mathcal{M}_{2}$.
  • Figure 2: Subfigures $(a)$ and $(b)$ are for a TraceIn$({\boldsymbol{c}}_{4}, V)$ query, where $V=\{{\boldsymbol{v}}_{2}', {\boldsymbol{v}}_{3}', {\boldsymbol{v}}_{4}'\}$. With proofs-of-shuffle and verifiable decryption, the mix-servers can either $a)$ verifiably reveal the plaintext encrypted by ${\boldsymbol{c}}_{4}$, say ${\boldsymbol{v}}_{3}'$, and let the querier check if ${\boldsymbol{v}}_{3}' \in V$, or $b)$ verifiably reveal the set of ciphertexts encrypting set $V$, say $C:=\{{\boldsymbol{c}}_{1}, {\boldsymbol{c}}_{2}, {\boldsymbol{c}}_{4}\}$, and let the querier check if ${\boldsymbol{c}}_{4} \in C$. Subfigures $(c)$ and $(d)$ are for a TraceOut$(C, {\boldsymbol{v}}_{2}')$ query, where $C=\{{\boldsymbol{c}}_{3}, {\boldsymbol{c}}_{4}, {\boldsymbol{c}}_{5}\}$. The mix-servers can either $c)$ verifiably reveal the ciphertext encrypting ${\boldsymbol{v}}_{2}'$, say ${\boldsymbol{c}}_{3}$, and let the querier check if ${\boldsymbol{c}}_{3} \in C$, or $d)$ verifiably reveal the set of plaintexts that set $C$ decrypts to, say $V:=\{{\boldsymbol{v}}_{1}', {\boldsymbol{v}}_{2}', {\boldsymbol{v}}_{4}'\}$, and let the querier check that ${\boldsymbol{v}}_{2}' \in V$. With traceable mixnets, they do not need to reveal any such intermediate information.
  • Figure 3: Completeness experiment
  • Figure 4: Soundness experiment
  • Figure 5: Secrecy experiment
  • ...and 26 more figures

Theorems & Definitions (13)

  • Definition 1: Traceable mixnets
  • Definition 2: Completeness
  • Definition 3: Soundness
  • Definition 4: Secrecy
  • Definition 5: Output secrecy
  • Theorem 1: Completeness
  • Theorem 2: Soundness
  • Theorem 3: Secrecy
  • Theorem 4: Output secrecy
  • Lemma 1
  • ...and 3 more