The rest of this part of the thesis is structured as follows. In Chapter 5, exhaustive research on the literature pertaining to Mix Nets is provided, where robustness is of primary concern. Additionally, the Mix Nets that inspired the current research in Part III are presented alongside their drawbacks and the found attacks. Furthermore, a justification of how these selected Mix Nets are related to this work is also given. Due to their important role in constructing trustworthy electronic voting schemes, in Chapter 6, some of the most well-known are presented and their role is highlighted. Moreover, how Mix Nets are used in other domains is described and finally, this part of the thesis is concluded with a summary of findings thus far.

4.5 Summary

In this chapter, an introduction to Mix Nets has been provided. They have been categorised based on how mix servers operate on the input data and an overview of the security requirements such a cryptographic protocol must satisfy has been given. Additionally, the most common verification methods used in Part III to model the proposals for this research have been presented. Furthermore, it has been demonstrated how a typical Mix Net and verifiable voting system behave under the assumption of a secure and trusted Web Bulletin Board. Finally, the problem of having a single point of trust and whether or not other researchers’ approaches and existing solutions are similar to those employed here has been examined.

Chapter 5

Chronological Review

In the preceding chapter, Mix Nets were defined and categorised based on how they operate and process input messages. Additionally, the security requirements they must satisfy were presented, and the benefits and problems that occur when using a WBB were examined. The use of a WBB is a common assumption in the Mix Nets literature, which spans more than 30 years; dozens of different constructions have been proposed since their first introduction in 1981. Although a complete picture cannot be provided given the vast amount of extant work in this area, in this chapter, a critical review of the most important contributions to Mix Nets development of relevance to the current research is presented. A summary of and comparison between the different proposals described in detail in this chapter is illustrated in Table 5.1.

This chapter is organised as follows. A study of previous works in Mix Nets where robustness is of major concern is presented in Section 5.1, and then a thorough analysis of the protocols employed in this work is presented from Section 5.2 to 5.9, in chronological order. Subsequently, a justification of how and why the presented Mix Nets relate to the current research is given in Section 5.10. Finally, a conclusion to the chapter is provided in Section 5.11.

5.1 Previous Works on Robustness

In this section, previous works in Mix Nets where liveness is of major concern are reviewed. Robustness is the liveness property that concerns successful termination in the presence of faulty mix servers. The first Mix Net introduced by Chaum [Cha81] is not robust, because in the case where one of the mix servers refuses to participate or is absent, the execution halts and no output is obtained. Sako and Kilian [SK95] proposed Mix Net constructions that are not robust either: if at least one mix server stops responding, then the entire system stops without outputting a result. Jakobsson [Jak98] presented a practical Mix Net, which was believed to be robust, until Desmedt and Kurosawa [DK00] found an attack in which one malicious mix server could prevent the Mix Net from computing the correct result. In these approaches the mixing cannot proceed if a single mix server is unavailable. Ogata et al. [OKST97] proposed the first robust Mix Net and similar techniques for achieving robustness were later employed by Abe [Abe98].

The most common approach to achieving robustness is by using ZKP protocols, which were introduced by Furukawa [Fur04], Furukawa and Sako [FS01] and Neff [Nef01]. An alternative approach to that proposed in [OKST97] for achieving robustness was presented by Jakobsson and Juels [JJ01] and Golle et al. [GZB+02]. They proposed protocols that are more efficient than those where each mix server proves in zero-knowledge the correctness of the mixing and decryption operations. However, Abe and Imai [AI03] discovered weaknesses in these two protocols in that their anonymity can be lost either when a sender is corrupt and all mix servers honest or when a malicious sender collaborates with the first mix server in the Mix Net (see Section 7.5). Deviating from the use of ZKP for attaining robustness, Jakobsson, Juels and Rivest [JJR02] introduced a different approach, where they relaxed the robustness requirement and each mix server produces strong evidence of correct operation instead of proof of correctness.

Diverging from what has been described so far for making Mix Nets robust, Jakobsson [Jak98] introduced the notion of repetition robustness in which the mixing phase is performed on blinded inputs twice or more. The result is then sorted and compared by the mix servers and any cheating is found with overwhelming probability. The same technique was used in [Jak99] and [MK00]. Another different approach for achieving robustness was presented by Abe [Abe99] and Jakobsson and Juels [JJ99]. These Mix Nets rely on an efficient ZKP of ciphertext and plaintext equivalence and they are useful for small batches of ciphertexts.

All the schemes that have been briefly described so far, and others that are analysed in depth in the following sections, operate in the presence of a secure and publicly available WBB. As has been mentioned in Section 4.3, this is a strong assumption. To the best knowledge of this researcher, there is no Mix Net proposal in the literature that works without such a single point of trust. In Part III, this gap is successfully bridged by showing how to remove the WBB from the mixing and decryption phases whilst maintaining the robustness of the analysed Mix Nets. In addition to this, how these Mix Nets satisfy robustness against a minority of faulty mix servers controlled by a Dolev-Yao-based intruder [DY81] is explored.