Staying in this context, when a cheater is identified, in most cases the whole execution stops and manual intervention is needed to replace the corrupt mix server(s) before the protocol can restart. However, this behaviour is unsatisfactory, especially in applications like electronic voting, where the results should be announced and made public within a predefined period of time, since any delay could be interpreted by sceptics as an attempt to modify the final result. Hence, mix server replacement is not a good tactic for dealing with cheating and, as shown in Part III, the position taken here is that ignoring any dishonest behaviour, without stopping the execution, is the right solution to this problem.
5.2 Chaum’s First Decryption Mix Net
The first Mix Net was introduced by Chaum [Cha81] in 1981 using the RSA public-key cryptosystem with random padding [BR94]. This random padding was employed to avoid the re-encryption attack that occurs in a deterministic cryptosystem, in which one could take an output message, encrypt it again and check which input message is obtained. Chaum’s Mix Net was designed to deliver an anonymous mail system that allows the receiver of a message, $m$, to reply to the sender while the sender’s address and identity remain untraceable throughout the communication. Chaum also suggested the use of his Mix Net for designing a secure electronic voting scheme [Cha88].
Chaum’s proposal is based on public-key cryptography, where only the owner of the secret key, $sk$, is able to decrypt a message encrypted under the corresponding public key, $pk$, as presented in Section 2.3 and Table 2.4. Here, a sender, $S$, wishes to send a message, $m$, to a receiver, $R$, at address $A$, using a cascade of mix servers $P_1, \ldots, P_n$. Each mix server holds its own key pair $(pk_i, sk_i)$, for $i = 1, \ldots, n$, and every $pk_i$ is known to the sender prior to execution. Additionally, the receiver’s public key, $pk_R$, and address, $A$, are publicly known. When a single mix server is used, the sender prepares the message by concatenating it with a random bit-string, $r_0$, and sealing it with the receiver’s public key, thus creating $E_{pk_R}(m, r_0)$. The sender then appends the receiver’s address and encrypts the result using the mix server’s public key and a new random value, $r_1$, thus creating $E_{pk_1}(E_{pk_R}(m, r_0), r_1, A)$. This message is fed to the mix server, which decrypts it with its own secret key, discards the random value $r_1$ and outputs $E_{pk_R}(m, r_0), A$. This output is then sent to the receiver, who decrypts it with its own secret key, removes the randomness and reads the plaintext message $m$. The whole procedure is illustrated as:

$$E_{pk_1}(E_{pk_R}(m, r_0), r_1, A) \rightarrow E_{pk_R}(m, r_0) \rightarrow m$$
where the two ‘→’ denote the transformation of the input by the mix server and by the receiver, respectively. When more than one mix server is used, $S$ successively encrypts the message with the public keys of the mix servers in reverse order, thus constructing an “onion” (or layers) of encryptions. As in the single-server case, each mix server in turn peels off the outer layer using its own secret key, discards the random value and forwards the resulting output to the next mix server in the chain. Finally, $R$ decrypts the inner-most layer and reads the plaintext message. In this case, the procedure is described as:
$$E_{pk_n}(E_{pk_{n-1}}(\ldots E_{pk_1}(E_{pk_R}(m, r_0), r_1, A) \ldots, r_{n-1}), r_n) \rightarrow E_{pk_{n-1}}(\ldots E_{pk_1}(E_{pk_R}(m, r_0), r_1, A) \ldots, r_{n-1}) \rightarrow \cdots \rightarrow E_{pk_1}(E_{pk_R}(m, r_0), r_1, A) \rightarrow E_{pk_R}(m, r_0) \rightarrow m$$
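The following Python program, added here as an illustration and not taken from the thesis or from Chaum’s paper, builds the onion $E_{pk_n}(\ldots E_{pk_1}(E_{pk_R}(m, r_0), r_1, A) \ldots, r_n)$ for a cascade of two mix servers and peels it layer by layer in the order $P_2, P_1, R$. The padding layout $r \cdot 2^B + x$, the field widths and the RSA keys (built from Mersenne primes purely so that no primality test is needed) are the example’s own assumptions.

```python
import secrets
E = 65537          # public RSA exponent shared by all toy keys
R_BITS = 16        # length b of each random value r_i
M_BITS = 32        # length B of the actual message m
ADDR_BITS = 16     # width of the receiver address A

def toy_keypair(p, q):
    """Textbook RSA key pair (pk, sk) from two primes; toy parameters only."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def encrypt(pk, payload, payload_bits):
    """E_pk(payload, r) = (r * 2^B + payload)^e mod N with a fresh random r."""
    n, e = pk
    assert payload < 1 << payload_bits and payload_bits + R_BITS < n.bit_length()
    r = secrets.randbits(R_BITS)
    return pow((r << payload_bits) | payload, e, n)

def decrypt(sk, c, payload_bits):
    """Strip the random value r and return only the payload field."""
    n, d = sk
    return pow(c, d, n) & ((1 << payload_bits) - 1)

def build_onion(mix_pks, pk_r, m, address):
    """Sender: E_pkn(... E_pk1(E_pkR(m, r0), r1, A) ..., rn); pk_1 is innermost."""
    c = encrypt(pk_r, m, M_BITS)
    c = encrypt(mix_pks[0], (c << ADDR_BITS) | address,
                pk_r[0].bit_length() + ADDR_BITS)
    for prev, pk in zip(mix_pks, mix_pks[1:]):      # pk_2 ... pk_n
        c = encrypt(pk, c, prev[0].bit_length())     # field = width of inner ciphertext
    return c

def run_cascade(mix_keys, pk_r, sk_r, onion):
    """P_n ... P_2 each peel one layer; P_1 outputs (E_pkR(m, r0), A); R reads m."""
    c = onion
    for i in range(len(mix_keys) - 1, 0, -1):
        c = decrypt(mix_keys[i][1], c, mix_keys[i - 1][0][0].bit_length())
    inner = decrypt(mix_keys[0][1], c, pk_r[0].bit_length() + ADDR_BITS)
    c_r, address = inner >> ADDR_BITS, inner & ((1 << ADDR_BITS) - 1)
    return decrypt(sk_r, c_r, M_BITS), address

def demo(m=0xCAFEBABE, address=0x42):
    """Run S -> P_2 -> P_1 -> R and return the (m, A) pair that R recovers."""
    pk_r, sk_r = toy_keypair((1 << 31) - 1, (1 << 61) - 1)
    mixes = [toy_keypair((1 << 89) - 1, (1 << 107) - 1),    # P_1 (peels last)
             toy_keypair((1 << 127) - 1, (1 << 521) - 1)]   # P_2 (peels first)
    onion = build_onion([pk for pk, _ in mixes], pk_r, m, address)
    return run_cascade(mixes, pk_r, sk_r, onion)
```

Each layer’s modulus must be wide enough to hold the previous ciphertext plus the pad, which is the length growth listed among the drawbacks below.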
What has been described so far allows $S$ to send an anonymous message $m$ to $R$. The reverse procedure is now needed, that is, a way for $R$ to reply to $S$ while keeping the identity of $S$ secret from $R$. For this reason, the sender needs to send extra information to the receiver, concatenated with the original message as described above. This additional information is of the form $E_{pk_1}(A_S, r_1), pk_S$, where $A_S$ is the sender’s address, $r_1$ is a random value chosen by the sender and $pk_S$ is the sender’s public key. Then, $S$ sends the following return address to $R$ through the first mix server:

$$E_{pk_1}(A_S, r_1),\; E_{pk_R}(m, r_0)$$
To process the reply message, the mix server decrypts the left part of the received message using its own secret key, encrypts the right part using the random value $r_1$ and sends $E_{r_1}(E_{pk_S}(m, r_0))$ to the address $A_S$. Only the addressee can decrypt this message, because he created both $r_1$ and $pk_S$. This procedure is illustrated as:

$$E_{pk_1}(A_S, r_1),\; E_{pk_R}(m, r_0) \rightarrow E_{r_1}(E_{pk_S}(m, r_0)),\; A_S \rightarrow m$$
When the technique described above is used with only one mix server, anonymity is not guaranteed if this mix server is dishonest, because the mix server knows the sender-receiver correspondence. Chaum therefore suggested the use of more than one mix server, for in this case anonymity is violated only when all of them collude. Moreover, this construction does not provide robustness in the situation where one of the mix servers refuses to forward its output to the next mix server or, for some reason, is not present during the execution. When the last mix server cheats, it could output anything; in this case, the senders are able to detect the cheating behaviour, but cannot act on it, because doing so would violate their privacy.
Apart from these drawbacks, Chaum’s Mix Net suffers from others, such as:
• the length of the encrypted messages is proportional to the number of mix servers used (this is solved using the re-encryption techniques for Mix Nets presented in Section 5.3);
• all the mix servers should be present during the execution and their sequence cannot be changed (assuming that a threshold number of mix servers are honest resolves this issue); and
• an attacker can break the Mix Net by exploiting the multiplicative homomorphism of RSA and trace a certain message, as shall be seen in the next subsection.
5.2.1 Breaking the Chaumian Mix Net
Eight years after the publication of Chaum’s Mix Net, Pfitzmann and Pfitzmann [PP89] discovered an attack which is based upon the well-known attack on RSA and exploits its multiplicative homomorphism property. In this attack, the aim of the attacker is to trace a particular message which was an input to the Mix Net. To achieve this, the attacker injects another message that is related to the message he wishes to trace, and the ciphertext relationship results in a plaintext one; after that, the attacker can detect the input-output correspondence. For consistency, the notation of the RSA cryptosystem from Subsection 2.3.1 is used and this procedure is described below.
Let $L$ be the length of an encrypted message, $m$, $b$ the length of the random value $r$ and $B$ the length of the actual message (in bits). Then, encrypting a message, $m_0$, under the public key $pk_1$ and randomness $r_0$, the resulting ciphertext is of the form:

$$c_0 = E_{pk_1}(m_0, r_0) = (r_0 2^B + m_0)^e$$
The attacker wants to trace $c_0$, so he chooses a small factor $f > 2^B$, computes:

$$c_1 = c_0 \cdot E_{pk_1}(f)$$

and inputs it to the Mix Net, which decrypts it and interprets the result as a message $m_1$ with attached randomness $r_1$, i.e. as $r_1 2^B + m_1$. Decryption of this message results in $m_1$. Only the attacker knows how to decrypt $c_0 \cdot E_{pk_1}(f)$ because he possesses the decryption value $d$ and hence:

$$c_0^d \cdot E_{pk_1}(f)^d = c_0^d f^{ed} = f (r_0 2^B + m_0)$$

Equating this with the mix server’s reading of the same value, $r_1 2^B + m_1$, gives:

$$m_1 - f m_0 = f r_0 2^B - r_1 2^B$$

and because $\gcd(2^B, N) = 1$, the above equation leads to:

$$(m_1 - f m_0)\, 2^{-B} = f r_0 - r_1$$
The attacker knows both $f$ and $2^{-B}$ and also that $m_0$ and $m_1$ belong to the Mix Net’s output set. If the number of inputs is small, the attacker can compute both sides of the above equation for candidate pairs of outputs and find out which pair of output messages is the $(m_0, m_1)$ pair. This type of attack is referred to in the literature as a related-input attack.
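To see the derivation above with concrete numbers, the following Python code, added here and not part of the thesis, forms $c_1 = c_0 \cdot E_{pk_1}(f)$ on toy RSA parameters, peels it into $(r_1, m_1)$ as the mix server would and checks that $(m_1 - f m_0)\,2^{-B} \equiv f r_0 - r_1 \pmod N$. The key (two Mersenne primes, chosen only to avoid a primality test), the message $m_0$ and the pad $r_0$ are constructed sample values; the block shows nothing beyond the malleability relation itself, which is the property that non-malleable padding of each layer is meant to remove.

```python
E = 65537
B = 32   # length of the actual message m, in bits

def toy_keypair(p, q):
    """Textbook RSA key pair from two primes; toy parameters only."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def pad_encrypt(pk, m, r):
    """E_pk(m, r) = (r * 2^B + m)^e mod N, the padded encryption of the text."""
    n, e = pk
    return pow((r << B) | m, e, n)

def related_input_relation(pk, sk, m0, r0, f):
    """Form c1 = c0 * E_pk(f), peel it into (r1, m1) as the mix server does,
    and return both sides of (m1 - f*m0) * 2^(-B) = f*r0 - r1  (mod N)."""
    n, e = pk
    _, d = sk
    c0 = pad_encrypt(pk, m0, r0)
    c1 = (c0 * pow(f, e, n)) % n          # RSA's multiplicative homomorphism
    x = pow(c1, d, n)                     # equals f * (r0 * 2^B + m0) mod N
    r1, m1 = x >> B, x & ((1 << B) - 1)   # read by the mix as r1 * 2^B + m1
    lhs = ((m1 - f * m0) * pow(1 << B, -1, n)) % n   # uses gcd(2^B, N) = 1
    rhs = (f * r0 - r1) % n
    return lhs, rhs

def demo():
    """Constructed sample: pk_1 from two Mersenne primes, f just above 2^B."""
    pk, sk = toy_keypair((1 << 89) - 1, (1 << 107) - 1)
    return related_input_relation(pk, sk, m0=0xDEADBEEF, r0=0x1234, f=(1 << B) + 3)
```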