An Optimally Robust Hybrid Mix Network (Extended Abstract)


Markus Jakobsson and Ari Juels
RSA Laboratories
Bedford, MA, USA

Abstract

We present a mix network that achieves efficient integration of public-key and symmetric-key operations. This hybrid mix network is capable of natural processing of arbitrarily long input elements, and is fast in both practical and asymptotic senses. While the overhead in the size of input elements is linear in the number of mix servers, it is quite small in practice. In contrast to previous hybrid constructions, ours has optimal robustness, that is, robustness against any minority coalition of malicious servers.

1 Introduction

A mix network is a cryptographic primitive that takes as input a sequence of ciphertexts and outputs the corresponding plaintexts in a random order. The main security goal of this procedure is to hide the correspondence between inputs and outputs from all participants (apart, of course, from the fact that players will recognize their own contributions). This property is referred to in mix network constructions as privacy. A certain degree of privacy can in principle be obtained by giving the list of input elements to a trusted server, who then performs some operation (such as decryption) and randomly permutes the results before outputting them. Naturally, however, in this procedure, the server in question knows the exact relationship between input and output elements. Most mix server constructions aim at a stronger form of privacy by distributing the process among a collection of servers. In this model, full privacy is achieved provided that no quorum of servers collude with one another. In most constructions a quorum consists of the majority of participating servers, but a variety of threshold structures are possible. Given no quorum of faulty or colluding servers, two other properties desirable in a mix network are correctness and robustness. A mix network is said to be robust if it produces output irrespective of server faults or failures. Correctness in a mix network is the property that the set of outputs from the mix network consists of plaintexts corresponding exactly to the set of ciphertext inputs.

Introduced by Chaum [3] as a primitive for privacy enhancement, mix networks have proven a powerful cryptographic tool for a diverse range of applications. One of the first such applications, for instance, is that of originator-anonymous e-mail [3, 26]. The idea here is for users to encrypt their e-mail messages, and then apply a mix network to the resulting batch of ciphertexts. The output of this mixing operation is the set of original plaintext e-mail messages. The privacy property of the mix network ensures that no one can determine which plaintext e-mail message corresponds to which ciphertext. Thus, even if it is known which user posted which ciphertext, the mix network in this application enables plaintext e-mail messages to be rendered anonymous. The literature includes a broad range of related applications of mix networks, including anonymized Web browsing [9] and secure elections [13, 25, 28], as well as seemingly unrelated applications such as anonymous payment systems [18] and general secure multiparty computation [17].

In this paper, we present a mix network tailored for applications that require very high throughputs of long messages, and where robustness is of importance. Such applications include private browsing and streaming, e-mail delivery, and privacy-preserving applications relating to advertisements [19].

1.1 Related work

We present a robust mix network that takes input ciphertexts of arbitrary (but equal) length and outputs the corresponding plaintexts. The mix network introduced by Chaum [3] and related proposals such as those in [27, 29] handle long inputs in a natural and efficient way, due to their intensive use of both public-key and symmetric-key encryption. The principle used in these schemes is that of iterated encryption. In a first step, the input plaintext is encrypted using the public key of the last mix server. Then, in a second step, the resulting ciphertext is encrypted using the public key of the second to last mix server. This is repeated until finally an encryption of the previous ciphertext, using the first mix server's public key, is performed. These encryption steps are performed by the player who wishes to have the message (the plaintext above) output by the mix network. All of the encryption steps make use of probabilistic encryption [12], thereby preventing an attacker from matching inputs and outputs by applying the encryption function to outputs and matching the results against inputs. The final ciphertext is then submitted to the mix network, along with other ciphertexts generated in the same manner, potentially by different users. After all ciphertexts have been received, they are processed by the first mix server, who decrypts them all (using his secret key) and permutes the results before handing these to the second server, who in turn decrypts and permutes, etc. Finally, the last mix server decrypts, permutes, and outputs what will correspond to all the initial plaintexts, assuming everything went well. By straightforward enveloping techniques, i.e., combination of public-key and symmetric-key encryption, it is easy to see how plaintexts of arbitrary length can be efficiently accommodated in this construction. We refer to this basic Chaumian mix network and other mix networks similarly amenable to such combination of public-key and symmetric-key techniques as hybrid mix networks.

What could most notably go wrong in the Chaumian mix network is that one of the mix servers replaces one or more partially decrypted ciphertexts. In a robust scheme, such a replacement attempt would not go unnoticed, and the remaining servers (all but those who were caught cheating) would replace the cheaters and re-execute the mixing operation. (This will be explained in more detail later.) Subsequently proposed mix network schemes, known as public-key mixes, have focused on achieving robustness, typically through heavy reliance on public-key operations [1, 2, 7, 14, 15, 16, 22, 23]. At their best, these proposals enable robustness against any minority coalition of corrupt servers. Their drawback is that they are in general substantially less efficient than their hybrid predecessors. Indeed, on long inputs, such mix networks are very slow, requiring that input elements be divided into segments, each one of which is processed as an individual asymmetric ciphertext.

The approaches used to achieve robustness in public-key based mixes relate to so-called zero-knowledge proofs. Such a proof allows a player to convince one or more other players that some relation between two or more elements holds, but without leaking information about the elements. In particular, it is possible to prove that a set of input elements corresponds to a set of output elements, and that their relation is that of decryption (using the secret key corresponding to a particular public key) and permutation. This would be done without leaking either the secret key or the secret permutation. Note that this is crucial in a mix network. It is also of importance, to allow the replacement of cheaters, to be able to perform the desired actions of one mix server (that has been found to cheat) by collaboration between sufficiently many honest mix servers. In other words, it should be possible to distribute the computation, while maintaining all desired security and privacy properties.

The difficulty in producing a robust hybrid mix lies in that one must combine the use of symmetric ciphers with distributed computation and proofs of correctness. Due to their structure, symmetric-key algorithms are inherently difficult to distribute, and entirely impractical to perform zero-knowledge proofs on. It is therefore a challenge to construct an efficient and secure mix protocol that is inherently distributed. Recent work by Ohkubo and Abe [24] demonstrates that it is possible to construct a mix network with both the robustness property and efficient use of symmetric-key encryption, using duplication of computational ability instead of distribution of the same. Their scheme, as a result of taking this approach, only achieves robustness against $\sqrt{n}$ corrupt servers out of a total of $n$. This is so since it is based on the architecture suggested in [7], in which each layer of decryption is performed by a quorum of participants, none of which, due to requirements of privacy, may participate in any other layer.

1.2 Our work

In this paper, we describe a hybrid mix network with optimal robustness, i.e., robustness against any coalition of fewer than $n/2$ servers. Our notion of robustness, however, is somewhat weaker than the standard notion: in our scheme it is possible for a corrupt server colluding with a corrupt user to modify the ciphertext element derived from the ciphertext of the corrupt user during one stage of the mix process. On the other hand, it is not possible for the colluding parties to modify elements derived from honest users; nor is it possible to modify any element after learning any portion of the output of the mix network. Thus, this beauty flaw amounts merely to making it possible for the adversary to delay making up his mind, and it does not allow her to alter the distribution of the output, nor does it reduce the privacy of the scheme. For most practical purposes, this weaker notion of robustness is therefore benign.

Our scheme accepts ciphertexts derived from plaintexts of any polynomial size. The (additive) overhead associated with encryption of plaintexts is proportional to the number of encryption steps, equaling, in turn, the number of active mix servers, namely $n$. In practical terms, this expansion is marginal, and in particular for long inputs, which is the type of input for which hybrid encryption in general is well suited. Our scheme has per-server asymptotic worst-case and expected computational costs of $O(Nn^2)$ and $O(Nn)$ modular exponentiations respectively, where $N$ is the number of input elements to the mix, and $n$ is the total number of mix servers. (We disregard the cost of symmetric-key operations, which are generally small by comparison.) Our worst-case asymptotic cost is the same as the expected asymptotic cost of [24] when the costs are considered as functions of the number of mix servers the scheme is resilient against. Our expected costs, the costs incurred in the absence of an active adversary, are lower. Comparing our construction to some non-hybrid schemes, we see that it is not as efficient as some of these. In particular, it is not as efficient as the construction of Jakobsson [15], or the repaired version of this protocol by Mitomo and Kurosawa [22], whose asymptotic per-server costs in terms of the number of modular exponentiations are $O(N)$ in the expected and $O(Nn)$ in the worst case. For large $N$, the associated constants are quite low.¹ This cost analysis, however, assumes input elements short enough to be represented as a single ciphertext. Long input elements thus require either a naïve expansion of the modulus size or decomposition into many ciphertexts, with modifications made to the mix architecture (no techniques for which are actually described in the literature). Thus for long input elements, it may be expected that the concrete costs for the mix network proposed here are much lower.

¹ The assessment of these costs in [7, 22] is in terms of the number of modular arithmetic operations of any kind, including modular additions, and thus somewhat misleading.

As a first approach to building a hybrid mix, one might try to introduce robustness into the basic Chaum mix by appending a checksum to each layer of a given ciphertext input. Thus, when the $i$th server decrypts a layer for some message, it reveals a checksum, for which it can verify the correctness. If the $(i-1)$st server introduces naïve (or unintentional) errors into its output, these are likely to be detected. In particular, the $(i-1)$st server does not know the checksum in the ciphertext being passed to the $i$th server, so it is unlikely to be able to determine a way of, e.g., flipping a few bits without being detected. On the other hand, the $(i-1)$st server can simply replace a ciphertext in its output with an entirely new one, computing each layer and the associated checksums from scratch. Thus, this method of adding checksums does not in itself provide robustness.

In our construction, however, we employ a related idea. Instead of a checksum, we append a MAC to each layer in the mix. With this approach, we change the task of the attacker: now, in order to alter a message, the attacker must alter the corresponding MAC. To ensure robustness, our goal now resolves to that of protecting the MAC keys themselves. The central idea in our construction is to protect MAC keys by means of public-key-based encryption. In particular, the MACing key $k_i$, used by server $S_i$ to check the integrity of a given input, is encrypted in such a way that it is only available to server $S_i$ itself, and not to any of the other servers. Hence, none of the previous servers can determine $k_i$ or alter or replace ciphertexts so as to deceive server $S_i$. This integrity protection on MAC keys is accomplished by proving that the product of MAC keys input to a given server is correct (or, more precisely, a public-key encryption thereof). Each server processes these encrypted MAC keys to extract the keys for its own use and to create new encryptions (of related MAC keys) for the next server. Note that if we prove that the correct relation holds between the products of two sets of MAC keys, such a proof is independent of the permutation applied to these keys and the associated messages. This simplifies the proof considerably, and is one of the critical elements enabling us to build an efficient mix construction. It is important to note that it is possible for an attacker with control of one or more servers to modify a set of encrypted MAC keys so long as the product remains correct. Such an attacker can then replace a number of ciphertexts and compute correct MACs for these spurious ciphertexts. In order to cause the product of the full set of MAC keys to be correct, however, this attacker must introduce at least one MAC key that the attacker cannot feasibly choose itself. The attacker will be able to learn a ciphertext on this MAC key but, as we prove, cannot learn the key itself. In consequence, the attacker will with overwhelming probability produce an input to an honest server containing an incorrect MAC, and will thus be detected.

In presenting our new hybrid mix construction, we introduce and employ a few techniques of potential independent value. Two of these are sketched above: first, the use of MACs for purposes of correctness checks in multi-party protocols; second, the careful separation of the ability to verify a MAC and to perform decryption (which is important in order to allow one to be performed by a quorum, without allowing the other to also be performed as a result). We employ a third important technique in the last stage of the mix. In particular, we simulate the last server in the mix by means of distributed execution involving a quorum of participating mix servers. The purpose of this last step is to guarantee that no errors are introduced into the final output.

Organization. We begin in section 2 by defining the desired properties of our scheme. In section 3, we describe the setup for our scheme and the underlying cryptographic primitives. We present our mix network construction and related claims in section 4. Due to lack of space, we omit a detailed security analysis from the body of this extended abstract, relegating proofs and proof sketches to the appendix.

2 Definitions

As for previous mix networks, we have two types of participants: the users $U = \{U_i\}_{i=1}^{N}$ (where we assume for simplicity that $U_i$ posts a unique input ciphertext $I_i$ to the mix); and the servers $S = \{S_i\}_{i=1}^{n}$, who compute an output vector $O$ from the input vector $I$. The sets $U$ and $S$ may overlap. We consider security against a static adversary $A$ that controls some proper subset $\hat{U}$ of $U$, and also a minority subset of $S$, i.e., a subset of size at most $t$, denoted by $\hat{S}$. All participants can be modelled by polynomial-time Turing Machines. While we keep with the spirit of previous work in terms of our definitions for privacy and robustness, we modify these slightly to allow for active involvement by corrupt users $\hat{U}$ in the mix protocol.

Let $I$ be the set of inputs provided by $U$, let $\hat{I}$ be that portion provided by the corrupt users $\hat{U}$, and let $\bar{I}$ be the set provided by honest users, i.e., $I = \bar{I} \cup \hat{I}$. Let $O$ be the set of messages output from the mix network. (Note that there may be fewer outputs than inputs, as invalid inputs are eventually eliminated by the servers.) We begin with the following, straightforward definition of correct decryption by a server $S_i$. Here, $D_k$ denotes symmetric decryption under key $k$.

Definition 1 We say that a triple $C' = (y', c', \mu')$ represents a correct decryption of triple $C = (y, c, \mu)$ by server $S_i$ if $c' = D_k[c]$, where $k = y^{\beta_i}$, $y' = y^{\alpha_i}$, and $\mu'$ equals $\mathrm{MAC}_{y^{\gamma_i}}[c', I]$ for a nonce $I$. Here, $\alpha_i$, $\beta_i$, and $\gamma_i$ are private keys of server $S_i$.

This definition means that $S_i$ has followed the decryption procedure in the protocol correctly for ciphertext $C$, as shown below. We extend the definition naturally to decryption by multiple servers. In other words, if $C$ represents input to $S_i$ and $C'$ represents output by $S_j$ for some $j$, we say that $C'$ represents a correct decryption of $C$ if it results in the obvious way from $C$ after a chain of correct decryptions. We also describe a group of ciphertext outputs from $S_j$ as representing a correct decryption of a group of ciphertext inputs to $S_i$. Also important to our analysis is the somewhat unorthodox notion of correct rendering, defined as follows.

Definition 2 We say that a triple $C' = (y', c', \mu')$ represents a correct rendering of triple $C = (y, c, \mu)$ by server $S_i$ if $y' = y^{\alpha_i}$, and $\mu'$ equals $\mathrm{MAC}_{y^{\gamma_i}}[c', I]$, for a nonce $I$, and where $\alpha_i$ and $\gamma_i$ are private keys of server $S_i$ as defined above.

It is important to note how this definition is unusual. In the straightforward mix server execution, the pair $(c', \mu')$ represents a correct decryption of $c$ under the decryption key $y^{\beta_i}$, where $\beta_i$ is a private key of server $S_i$. Our term rendering, however, implies that there may be a substitution for the straightforwardly decrypted value if accompanied by a correct MAC. Indeed, as stated before, a server in our protocol can collaborate with the user who posted an input to change it in mid-execution. Let $I_i$ be a set of input messages to a given mix server $S_i$. Let $O_i$ represent the output of server $S_i$. (Note that for $i \le n$, the set $O_i$ will contain ciphertexts, in contrast to $O$, which comprises plaintexts.) Let us extend the term corresponds in the obvious manner to these sets.

4 Defnton 3 (Correctness) We say that the output set O of server S s correct wth respect to I f the followng hold: (a) Let I I be the full set of nputs contanng correct decryptons of elements n I. Then there s a set O O that contans a unque correct decrypton of every element n I. (b) Let Î represent the set of remanng nputs. There s asetô that contans a unque correct renderng of every element n ths vald nput set. (c) There are no other addtonal elements n O. We extend ths defnton n the obvous manner to respectve nput and output sets I and O to defnecorrect output for the full mx network. In partcular, correct output ncludes unque correct decryptons of all the nputs from honest users, and unque correct renderngs of all other vald nputs, where unque smply means that no duplcates are nserted. As wth tradtonal defntons of correctness, ours ensures that the adversary s unable to alter the nputs and correspondng outputs of honest players. Our defnton of correctness, however, s unusual n two respects. Frst, by ncludng the noton of renderng, t allows for players to collude wth servers to make substtutons durng the protocol executon (as mentoned above). Second, our defnton assumes the elmnaton of nvald nput elements, whle correctness defntons very often treat all nputs as vald. Because of the noton of renderng, correctness n our protocol does not guarantee robustness n the tradtonal sense. In partcular, dshonest users may try to alter ther nputs based on those of honest users, or dshonest users and servers may collude to change nput or output values n the mddle of a mx network executon based on nput values and ntermedate transcrpts. In a payment scheme, for example, the adversary mght try to rg dshonest submssons n the mddle of the mx executon to duplcate honest submssons. Thus, n addton to requrng correctness, our robustness defnton must ensure aganst the possblty of the adversary creatng a correlaton between the outputs of dshonest users and those of honest users. 
Our robustness defnton ensures aganst ths possblty n clause (c). Note that clause (c) s n fact crtcal for prvacy as well as full robustness: f the adversary A s able to correlate nputs of dshonest users wth those of honest users, she may be able to trace the nputs of honest users. Defnton 4 (Robustness) Amxprotocolsrobust f, for nput set I, andnthepresenceofastatc,actveadversary A as descrbed above: (a) The protocol termnates n polynomal tme n N,n and all securty parameters. (b) The output of the protocol s correct wth overwhelmng probablty over the con flps of all partcpants. (c) Let O represent the set of plantext outputs that are correct decryptons of I, and Ô = O O the plantext renderngs of nputs from dshonest users. Then Ô s computatonally ndependent of the output plantext set O of honest users. Clause (c) may be stated more formally as follows. We consder the followng experment. The adversary chooses a par (O 0,O 1), where O 0 and O 1 are two dstnct assgnments to the plantext set O of honest users. A secret con s then flpped to yeld a bt b; thenputseti s selected unformly at random to yeld output plantext set O b.thssetsthem pecewse encrypted accordng to the method of encryptng plantexts for the mx network, and the resultng cphertexts are fed to the mx network, along wth other nput elements, submtted by the adversary. Now the adversary A partcpates n the executon of the mx network, but does not see O (or the assocated decrypton and MAC keys). Clause (c) of our robustness defnton s satsfed f no such adversary can guess b wth probablty non-neglgbly greater than 1/2. Fnally, we consder the property of prvacy. Our defnton states nformally that the adversary cannot determne whch nput elements provded by the honest user correspond to a gven plantext m sgnfcantly better than by makng a guess at random. Defnton 5 (Prvacy) We say that a mx network has the property of prvacy aganst an actve adversary A f the followng holds. 
Let us suppose that the set of nputs I provded by honest users contans r nstances of cphertexts correspondng to plantext m. Then the adversary s ncapable wth probablty non-neglgble greater than r/ I of fndng an element C I such that C corresponds to m. 3 Setup and buldng blocks 3.1 System parameters and setup Publc keys n our scheme are drawn from a cyclc group G of order q, forsomelarge,publshedprmeq. A typcal choce would be a subgroup of order q of Z p,wherep s a large prme such that q (p 1). We let g denote a publshed generator for G. Thesecurtyofthepublc-keyoperatons n our scheme depends upon the hardness of the Decson Dffe-Hellman (DDH) problem over G. Our scheme nvolves the partcpaton of an odd number n = 2t +1 of servers, denoted S 1,S 2,...,S n. Let Y 0 = g. As a prelmnary to the mxng operaton, each server S selects three prvate keys,,β,γ U Z q,where U denotes unform, random selecton. It then publshes atrple(y,k,z )ofcorrespondngpublckeyssuchthat Y = Y β 1, K = Y γ 1,andZ = Y 1. Each server proves knowledge of hs prvate keys. Then, all three prvate keys of each server are dstrbuted among the full set of servers usng a (t +1,n)-threshold scheme. Ths key setup may be performed n a dstrbuted manner usng verfable secret sharng (VSS) technques. (We omt detals, but refer the reader to [11] for an overvew and mportant caveat.) Observe the somewhat unusual feature that the keys (Y,K,Z )ofservers depend upon the key Y 1 of server S 1. Whle ths dependence enforces a strct order on the key setup, t does not alter the basc technques for accomplshng t. Servers addtonally perform a jont, (t +1,n)-threshold generaton of prvate keys (β n+1,γ n+1) for a smulated server S n+1, wthcorrespondngpublckeys (K n+1,z n+1) usng,e.g.,technquesfrom[11]. Let n+1, and γ n+1, denote the respectve shares of the prvate keys held by S. We assume the exstence of a bulletn board. 
Thssa publcly shared pece of memory to whch all players have read access and appendve, sequental wrte access wth authentcaton. 2 We assume further that all wrtes to the 2 Abulletnboardmaybesmulatedorreplacedbyanauthentcated broadcast channel or Byzantne agreement protocol [21]. In an asynchronous network, the latter s only robust aganst an adversary actvely corruptng fewer than one-thrd of the servers, and alters the securty of our mx constructon accordngly.

5 bulletn board proceed n synchronous tme steps. 3.2 Publc-key algorthms Proof of equvalence of dscrete logs. An mportant buldng block n our schemes s a protocol for provng of a quadruple (a, b, y, z) G 4 that log a b =log y z = x, wheretheprover knows x. Ths may be accomplshed usng standard proofof-knowledge technques. In partcular, the prover demonstrates knowledge of log a b and log y z relatve to a common challenge c, asfollows. Sheselectsr U G, computescommtments w 1 = a r and w 2 = y r,andsendsthesetotheverfer. The verfer returns a challenge c U Z q. The prover provdes response s = cx + r mod q. The verfer checks that w 1b c = a s and w 2z c = y s.theverfermay,ofcourse, consst of a coalton of servers, provded that the challenge s carefully generated. The scheme s honest-verfer zeroknowledge wth soundness dependent on the dscrete log problem. The protocol may be rendered non-nteractve usng the Fat-Shamr heurstc [8]. In ths case, c s computed through applcaton of a sutable hash functon to w 1 and w 2,andsecurtyproofsdependaddtonallyontherandom oracle model. See [4, 5, 6] for further detals. We denote a proof on the tuple (a, b, y, z) byeqdl[a, b, y, z]. Compressed key schedulng. We ntroduce and make use of an encrypton method that we refer to as compressed key schedulng, and whch s a generalzaton of a method recently and ndependently ntroduced n [24]. Our compressed key schedulng s essentally a publckey encrypton scheme whereby a sender encrypts a set of (random) keys {k } n+1 =1 for all servers as a sngle cphertext y 0.Todoso,thesenderselectsarandomexponentρ Z q, and constructs the cphertext y 0 = Y ρ 0. The set of keys {k } n+1 =1 s defned as k = Kρ, for 1 n +1 and prevously defned K.Observethatthesendermayherself easly compute {k } n+1 =1. To extract ther respectve keys, the servers do as follows. On recept of y 1, servers computes (y,k,z )= (y β 1,y γ 1,y 1 )whchequals (Y ρ,k ρ,z ρ ). Server S then sends y to server S +1. 
Ths enables server S +1 smlarly to compute ts keys. At the end of the protocol, each server S has derved keys y,k,z, where the frst s passed on to the next server and the second s used for decrypton after havng checked the correctness of the ncomng cphertext usng the thrd one. We note that no coalton of fewer than t +1 servers, not ncludng S,canfeasblylearnthedecryptonkeyk. Compressed key schedulng may be rendered robust by havng each server S post y to the bulletn board, along wth a proof of correct exponentaton EQDL[y 1,y,Y 1,Y ]. In the case where server S fals to publsh y correctly, a group of t+1 other servers can compute y dstrbutvely wthout revealng the prvate keys of S.Gventhesmlartyoftechnquesheretothosenvolved n threshold sgnature schemes, such as those for DSS, we do not consder detals here. We nstead refer the reader to, e.g., [10]. It s possble to use more straghtforward technques to acheve essentally the same functonalty as compressed key schedulng. The advantage of ths new constructon les n ts effcency. Frst, the sender need only provde a sngle key for many servers. Second, as we shall see, t s possble to batch the assocated EQDL proofs n a manner that acheves a very hgh degree of computatonal and communcaton effcency. 3.3 Symmetrc-key algorthms We employ a symmetrc encrypton scheme n our constructon. Addtonally, n order to defend aganst attacks n whch prevously posted cphertexts are posted agan or altered by malcous servers, we use a symmetrc-key varaton of the standard method (see [14]) of augmentng the cphertext wth a proof of knowledge, makng ths proof relatve to the cphertext and some sesson-specfc nonce I. Message authentcaton code (MAC). Let k Gbe a symmetrc key shared by a sender and recever. 3 We denote by MAC k [m] themessageauthentcatoncodeunderkeyk of message m for any m {0, 1}. We denote by l MAC asecurty parameter specfyng the bt-length of the output of the MAC. The essental securty property we rely on for our constructon s ths. 
Suppose an adversary wthout any knowledge of k s gven message authentcaton codes MAC k [m 1],MAC k [m 2],...,MAC k [m u]forsomeu that s polynomal n l MAC. Itsnfeasblefortheadversarytoproduce MAC k [m] onanymessagem {m } u =1. We explore ths securty requrement more formally n the appendx. Symmetrc-key encrypton. Agan, let k Gbe a symmetrc key shared by a sender and recever. We denote by E k [m]the cphertext on m under key k, andbyd k [c], the decrypton of cphertext c under key k. Letl enc be a securty parameter on the encrypton scheme. We denote the cpher by (E,D). We make use of the followng ndstngushablty assumpton on the symmetrc-key cpher for our scheme. Assumpton 1 (Indstngushablty) Let the keys k 0,k 1 U G be ndependently generated. Consder the followng experment. An adversary wth resources polynomally bounded n l enc selects equal-length plantexts m 0,m 1 {0, 1}. For a random bt b U {0, 1}, theadversary s gven cphertexts c 0 = E k0 [m b ] and c 1 = E k1 [m 1 b ]. The adversary outputs a bt b. The ndstngushablty property states that there s no adversary such that b = b wth probablty 1/2+ɛ for postve ɛ non-neglgble n l enc. If E s stream cpher based on a pseudo-random generator (PRNG), then ths assumpton may be based on the ndstngushablty property of the PRNG. See [20] for a comprehensve treatment of PRNGs. 4 Mx scheme Our am now s to fuse components descrbed above n secton 3 so as to combne the robustness of the underlyng threshold publc-key cryptosystem wth the effcency of the symmetrc-key protocols. The central dea s to have players construct nputs to the mx network as sequences of concentrc cphertext layers, along wth assocated compressed key schedules. For a gven nput, each server S derves the keys assocated wth the th layer and removes t. Havng 3 Typcally, one does not use an element k Gas a MAC key n practce. It s easy, however, to convert k to the more conventonal form of symmetrc key, such as a short btstrng. 
One possble means s approprate applcaton of a hash functon to k.

removed the $i$-th layer from all inputs, server $S_i$ passes the resulting ciphertexts to the next server. The critical element in our construction is the ability of a server to prove that it has correctly removed a given layer. This is accomplished by having each ciphertext include a MAC in each encryption layer. In particular, the $(i+1)$st encryption layer of a given input includes a MAC employing a key derivable by server $S_{i+1}$ from the compressed key schedule. Since server $S_i$ does not have access to these MAC keys, it is infeasible for her to make substitutions or alterations to the mix elements without being detected by or colluding with server $S_{i+1}$.

Another useful method is what we call open simulation. A server is openly simulated by a quorum of players if these perform some or all of its computation, without disclosing the long-term secrets of the simulated player, but with no regard for the secrecy of temporary secrets (such as the permutation of values, if any). Open simulation is used both to trace cheaters and to finish off the mixing process.

Yet another important element is the threshold distribution of the private keys of each server. In the case that server $S_{i+1}$ claims that server $S_i$ cheated, a coalition of the other servers can verify the proof sent from $S_i$ to $S_{i+1}$ and reconstruct the MAC keys of $S_{i+1}$ to verify her claim. The latter is performed using open simulation of the MAC verification done by $S_{i+1}$. Additionally, if any server $S_i$ fails to remove the $i$-th encryption layer correctly from some ciphertext, the other servers can perform the removal (decryption) in a distributed manner, by open simulation of the decryption step of this player. Note that when a server complains, it need not reveal its state, and thus an honest server cannot have its private information extracted even if sandwiched by adjacent malicious servers. This is so since not all of a server's computation is openly simulated.

As the last server in this chain may itself be corrupt, we include a final step in which servers jointly verify the correctness of the final output, and decrypt those elements that are determined to be correct. (Note that this forces server $S_n$ to commit to his computation by posting his output before any server learns of the output plaintexts.) We may view this as the open simulation of a server $S_{n+1}$ responsible for authenticating the output of server $S_n$. This simulated server makes use of the private keys $(\beta_{n+1}, \gamma_{n+1})$ and the corresponding public keys $(K_{n+1}, Z_{n+1})$, which were jointly generated by the servers during the key generation phase of the protocol. If any server is found to have cheated, he is expelled and simulated by a quorum of at least $t+1$ of the remaining servers, who are capable of reconstructing his private keys. The computation is rewound to openly simulate the execution of the cheating server in its entirety.

4.1 Concentric encryption

We begin by describing the algorithm used by a player to construct a ciphertext input to the mix network. This, the reader will recall, consists of a sequence of concentric layers of encryption, a concept first considered in its basic form in [3]. We refer to the encryption algorithm described here as concentric encryption and the resulting ciphertext as a concentric ciphertext.

At the beginning of a given mixing round, the servers jointly generate and publish a random nonce $I$ of length $l_{nonce}$. Additionally, they publish an integer $s$ describing the permitted length of plaintext inputs to the mix. (Shorter plaintexts may be padded out to $s$ bits.) These parameters are used in the generation of a concentric ciphertext.

Input: Plaintext $m \in \{0,1\}^s$.
Output: Ciphertext $(c_0, \mu_0, y_0)$. We refer to $c_0$ as the base ciphertext, $\mu_0$ as the base MAC, and $y_0$ as the compressed key schedule.

procedure Concentric Encrypt

1. Compressed Key Schedule Generation. The player selects a private key $\rho \in_U Z_q$. She computes
   $k_i = K_i^{\rho}$ for $0 \le i \le n+1$, and $z_i = Z_i^{\rho}$ for $1 \le i \le n+1$.
   She computes the compressed key schedule as $y_0 = Y_0^{\rho}$.

2. Message Encryption. The player encrypts the message $m$ by computing
   $c_n = E_{k_{n+1}}[m]$,
   $c_i = E_{k_{i+1}}[c_{i+1} \| \mu_{i+1}]$ for $0 \le i \le n-1$,
   $\mu_i = MAC_{z_{i+1}}[c_i \| I]$ for $0 \le i \le n$.

In the mix network protocol, players post equal-length input ciphertexts to the bulletin board until some triggering event occurs. For example, servers may set a predetermined limit on the number of input items to the mix, or else a deadline for the posting of input items. We denote the number of ciphertexts by $N$, and denote the ordered set of ciphertexts by $\{(c_0^{(j)}, \mu_0^{(j)}, y_0^{(j)})\}_{j=1}^N$.

4.2 Mix network for honest-but-curious servers

For ease of exposition, we first present a simplified mix network construction without robustness, but with privacy against an honest-but-curious adversary. Inputs are encrypted using the concentric encryption protocol presented above. Servers remove any duplicate inputs at the beginning of the protocol.

Input: Concentric ciphertext sequence $\{(c_0^{(j)}, \mu_0^{(j)}, y_0^{(j)})\}_{j=1}^N$ on equal-length plaintexts $\{m^{(j)}\}_{j=1}^N$.
Output: Plaintext sequence $\{m^{\pi(j)}\}_{j=1}^N$, for secret permutation $\pi$.

Protocol Honest Hybrid Mix

1. Compressed Key Schedule Generation. Server $S_i$ takes input $(c_{i-1}^{(j)}, \mu_{i-1}^{(j)}, y_{i-1}^{(j)})$ for $1 \le j \le N$, and computes its keys as follows for $1 \le j \le N$:
   $\tilde y_i^{(j)} = (y_{i-1}^{(j)})^{\alpha_i}$, $k_i^{(j)} = (y_{i-1}^{(j)})^{\beta_i}$.

2. Message Decryption. Server $S_i$ performs the decryption
   $(\tilde c_i^{(j)} \| \tilde\mu_i^{(j)}) = D_{k_i^{(j)}}[c_{i-1}^{(j)}]$.

3. Permutation. $S_i$ randomly permutes the ordered set $\{(\tilde c_i^{(j)}, \tilde\mu_i^{(j)}, \tilde y_i^{(j)})\}_{j=1}^N$. In particular, the server $S_i$ selects a permutation $\pi_i$ on $N$ elements uniformly at random, and sets
   $(c_i^{(j)}, \mu_i^{(j)}, y_i^{(j)}) = (\tilde c_i^{(\pi_i(j))}, \tilde\mu_i^{(\pi_i(j))}, \tilde y_i^{(\pi_i(j))})$.
   The set of decrypted and permuted triplets $\{(c_i^{(j)}, \mu_i^{(j)}, y_i^{(j)})\}_{j=1}^N$ is posted to the bulletin board.

Server $S_{n+1}$ is openly simulated by all the other servers. The output of server $S_{n+1}$ is taken here to be the output of the mix network. Note that the MACs are not used here because of the assumption that the adversary is strictly passive.

Apart from the presence of the MACs and the use of key compression, this construction is somewhat similar in spirit to previous non-robust hybrid constructions, such as those described in [3, 29]. The privacy of the construction may be seen to depend upon two things: first, on the indistinguishability property of the symmetric-key cipher, which ensures the privacy of the mix; second, on the DDH problem. In particular, an adversary should be unable to link $y_{i-1}^{(j)}$ with $y_i^{\pi_i(j)}$. An additional security element resides in the nonce $I$ and the use of MACs. This ensures against re-use of ciphertext components, and ensures the non-malleability of posted ciphertexts.

4.3 Full protocol

We now present the full hybrid mix network construction, with robustness against any number of users and any minority coalition of corrupt servers. We begin by recalling that the private keys of each server are distributed among the other servers according to a $(t+1, n)$-threshold scheme. Thus, any coalition of $t+1$ servers can simulate the operations of a given server $S_i$ without the participation of $S_i$. This means that they can verify that server $S_i$ processed a given input item correctly by reconstructing the associated keys.
Likewise, such a coalition of servers can remove server $S_i$ from the current invocation of the mix network by reconstructing all of its keys for the current batch of input items. We use these observations to achieve robustness in the full protocol Hybrid Mix, but do not describe the relevant protocols in detail, as they are fairly standard.

Another important element in the full protocol is the method server $S_i$ uses to prove that it has extracted the keys $\{y_i^{(j)}\}_{j=1}^N$ correctly. Recall from above that $y_i^{\pi_i(j)} = (y_{i-1}^{(j)})^{\alpha_i}$. Server $S_i$ could straightforwardly prove this equality for each $j$ using EQDL were it not for the privacy requirements. Instead of using any of the methods of existing mix networks, we provide a new and more efficient solution. Let $P_i = \prod_{j=1}^N y_i^{(j)}$, and let server $S_i$ prove that $P_i = P_{i-1}^{\alpha_i}$. This is not sufficient in itself to demonstrate that $y_i^{\pi_i(j)} = (y_{i-1}^{(j)})^{\alpha_i}$ for all $j$. In combination with the checks afforded by symmetric-key operations in the mix, however, this batch proof method does indeed ensure that individual keys have been correctly extracted, as we show in the appendix.

In the following, we assume that should a mix server refuse to cooperate or produce incorrect outputs and thus be expelled, then a quorum of the other servers can simulate the absentee. For practical purposes, there would be a time limit associated with each step, after which an inactive server is considered absent. We also assume that any identical duplicates of input elements are removed before the beginning of the protocol. Finally, we note that $N$, the cardinality of the set of ciphertexts in the mix, may diminish as invalid ciphertexts are eliminated. For simplicity, we do not note this explicitly in our protocol description.

Input: Concentric ciphertext sequence $\{(c_0^{(j)}, \mu_0^{(j)}, y_0^{(j)})\}_{j=1}^N$ on equal-length plaintexts $\{m^{(j)}\}_{j=1}^N$.
Output: Plaintext sequence $\{m^{\pi(j)}\}_{j=1}^N$, for secret permutation $\pi$.

Protocol Hybrid Mix

1. Each server $S_i$ obtains as input the ordered set $\{(c_{i-1}^{(j)}, \mu_{i-1}^{(j)}, y_{i-1}^{(j)})\}_{j=1}^N$, and performs the following steps:

(a) Key Regeneration. Server $S_i$ computes its keys as follows for $1 \le j \le N$:
   $\tilde y_i^{(j)} = (y_{i-1}^{(j)})^{\alpha_i}$, $k_i^{(j)} = (y_{i-1}^{(j)})^{\beta_i}$, $z_i^{(j)} = (y_{i-1}^{(j)})^{\gamma_i}$.

(b) MAC verification. Server $S_i$ verifies that $\mu_{i-1}^{(j)} = MAC_{z_i^{(j)}}[c_{i-1}^{(j)} \| I]$ for all $1 \le j \le N$. If the MAC is incorrect for any $j$, then server $S_i$ invokes the procedure Verify Complaint$(i, j)$ detailed below.

(c) Message Decryption. Server $S_i$ performs the decryption
   $(\tilde c_i^{(j)} \| \tilde\mu_i^{(j)}) = D_{k_i^{(j)}}[c_{i-1}^{(j)}]$.

(d) Permutation. Server $S_i$ randomly permutes $\{(\tilde c_i^{(j)}, \tilde\mu_i^{(j)}, \tilde y_i^{(j)})\}_{j=1}^N$. In particular, $S_i$ selects a permutation $\pi_i$ on $N$ elements uniformly at random, sets
   $(c_i^{(j)}, \mu_i^{(j)}, y_i^{(j)}) = (\tilde c_i^{(\pi_i(j))}, \tilde\mu_i^{(\pi_i(j))}, \tilde y_i^{(\pi_i(j))})$,
   and posts to the bulletin board the ordered set $\{(c_i^{(j)}, \mu_i^{(j)}, y_i^{(j)})\}_{j=1}^N$.

(e) Batch proof of correctness of output keys. Server $S_i$ proves the correctness of the set $\{y_i^{(j)}\}_{j=1}^N$ as follows. Server $S_i$ proves that $P_i = P_{i-1}^{\alpha_i}$ as $EQDL[P_{i-1}, P_i, Y_{i-1}, Y_i]$, where $P_i = \prod_{j=1}^N y_i^{(j)}$. If $S_{i+1}$ determines that the proof is incorrect, then $S_{i+1}$ invokes Verify Complaint.

2. The output of $S_n$ is $\{(c_n^{(j)}, \mu_n^{(j)}, y_n^{(j)})\}_{j=1}^N$. Servers simulate server $S_{n+1}$ as follows. Players jointly compute $z_{n+1}^{(j)}$ for $1 \le j \le N$, and then check the MACs on all messages output by $S_n$. If the MAC for message $j$ is incorrect, then servers invoke the procedure Verify Complaint$(n+1, j)$; otherwise the servers jointly compute $k_{n+1}^{(j)}$ and $m^{(j)} = D_{k_{n+1}^{(j)}}[c_n^{(j)}]$.

The procedure Verify Complaint$(i, j)$ is used to investigate a complaint made by server $S_i$ that the input triple $(c_{i-1}^{(j)}, \mu_{i-1}^{(j)}, y_{i-1}^{(j)})$ is invalid. By simulating processing of the message in question by $S_i$ and, if need be, by $S_{i-1}$, servers can determine which of the following three possibilities holds: (1) the complaint of server $S_i$ is invalid; (2) server $S_{i-1}$ deviated from the protocol; or (3) the ciphertext was invalid as posted. The servers jointly expel any corrupt server from the protocol or else remove the input triple from the mix if it is determined to be invalid. If a server is expelled, a replacement server is selected from a pool of players that have not yet been involved in the mixing (but only voting). If a triple is removed, it is purged from all previous steps (which can be done by each server revealing what input it corresponded to, and revealing the corresponding keys for verification purposes). The value $N$ is modified accordingly.
Procedure Verify Complaint$(i, j)$

Servers compute $z_i^{(j)}$ using their shares of $\gamma_i$;
If $\mu_{i-1}^{(j)} = MAC_{z_i^{(j)}}[c_{i-1}^{(j)} \| I]$ and the proof $EQDL[P_{i-2}, P_{i-1}, Y_{i-2}, Y_{i-1}]$ is correct, then
    Servers expel $S_i$ ("false alarm");
else if $i = 1$, then
    Servers remove $(c_0^{(j)}, \mu_0^{(j)}, y_0^{(j)})$ from the mix ("bad input");
else
    Server $S_{i-1}$ publishes $j' = \pi_{i-1}^{-1}(j)$;
    If $j' \notin \{1, 2, \ldots, N\}$, then
        Servers expel and simulate $S_{i-1}$ ("cheater");
    else
        Servers compute $k_{i-1}^{(j')}$ from $y_{i-2}^{(j')}$ using their shares of $\beta_{i-1}$;
        If $(c_{i-1}^{(j)} \| \mu_{i-1}^{(j)}) \ne D_{k_{i-1}^{(j')}}[c_{i-2}^{(j')}]$ ("incorrect decryption")
           or $\mu_{i-2}^{(j')} \ne MAC_{z_{i-1}^{(j')}}[c_{i-2}^{(j')} \| I]$
           or $EQDL[P_{i-2}, P_{i-1}, Y_{i-2}, Y_{i-1}]$ is wrong ("should have complained"), then
            Servers expel and simulate $S_{i-1}$ ("cheater");
        else
            Servers remove $(c_{i-1}^{(j)}, \mu_{i-1}^{(j)}, y_{i-1}^{(j)})$ from the mix ("bad input").

Remark on broadcast assumptions. It will be observed that prior to the simulation of $S_{n+1}$, if servers sign their outputs, the protocol does not require the use of broadcast until and unless servers misbehave. The simulation of $S_{n+1}$ can in fact be modified to enable a similar elimination of broadcast assumptions. We briefly sketch the idea here. When it has finished its computation, server $S_n$ sends $\{(c_n^{(j)}, \mu_n^{(j)}, y_n^{(j)})\}_{j=1}^N$ to all servers. Each server $S_i$ in turn sends $\{(z_n^{(j)})^{\gamma_{n+1,i}}\}_{j=1}^N$ to all other servers, along with non-interactive proofs that these shares are correctly constructed. This enables servers to compute $\{z_{n+1}^{(j)}\}_{j=1}^N$ through Lagrange interpolation, after which the MACs can be verified. Servers may similarly compute $k_{n+1}^{(j)}$ for all ciphertexts $c_n^{(j)}$ with valid MACs, allowing decryption of these ciphertexts. If, at any point in the protocol, some server does not send its results prior to an established time-out, or else some server detects an error, then it becomes necessary to make use of a broadcast channel.

4.4 Protocol efficiency and security

Let us briefly describe the asymptotic efficiency of Hybrid Mix, assuming that all proof protocols are non-interactive and thus with security dependent on both the DDH and random oracle assumptions.
In the optimistic case, i.e., assuming honest behavior by all servers, each server must perform computation equivalent to $O(N + n)$ modular exponentiations and $O(Nn)$ modular multiplications as a total for all inputs. In the presence of malicious behavior, costs rise to $O(Nn)$ modular exponentiations per server. These tallies exclude the costs of symmetric-key operations. Note that it is the batch verification procedure that renders the optimistic costs lower than those for the malicious case. The aggregate broadcast complexity is $O(snN)$ bits plus $O(Nn)$ group elements for both the optimistic and malicious cases, where $s$ is the length of the plaintexts corresponding to the inputs. A drawback to our construction is the cost of constructing an input ciphertext by means of Concentric Encrypt. This requires $O(n)$ modular exponentiations, in addition to the cost of the symmetric-key operations. Our protocol is robust and also private according to our definitions in section 2.

5 Open Problems

It remains to be seen how to achieve public verifiability for an efficient hybrid mix. While this is theoretically straightforward using general multi-party computation techniques, neither [24] nor this paper succeeds in reaching this goal without invocation of such methods. It is the authors' belief that careful use of digital signatures, rather than MACs, may in fact enable public verifiability to be achieved within the protocol framework outlined here.

Acknowledgments

The authors wish to thank Masayuki Abe, Ran Canetti, and Phil MacKenzie for their very helpful suggestions and feedback.

References

[1] M. Abe. Universally verifiable mix-net with verification work independent of the number of mix-servers. In K. Nyberg, editor, EUROCRYPT '98. Springer-Verlag, LNCS.
[2] M. Abe. A mix-network on permutation networks. In K.Y. Lam, C. Xing, and E. Okamoto, editors, ASIACRYPT '99, 1999. LNCS.
[3] D. Chaum. Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM, 24(2):84-88, 1981.
[4] D. Chaum and T.P. Pedersen. Wallet databases with observers. In E.F. Brickell, editor, CRYPTO '92. Springer-Verlag, LNCS.
[5] R. Cramer, I. Damgård, and B. Schoenmakers. Proofs of partial knowledge and simplified design of witness hiding protocols. In CRYPTO '94. Springer-Verlag, LNCS.
[6] A. de Santis, G. di Crescenzo, G. Persiano, and M. Yung. On monotone formula closure of SZK. In FOCS '94. IEEE Press, 1994.
[7] Y. Desmedt and K. Kurosawa. How to break a practical mix and design a new one. In B. Preneel, editor, EUROCRYPT '00. Springer-Verlag, 2000. LNCS.
[8] A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In J. L. Massey, editor, EUROCRYPT '86. Springer-Verlag, LNCS.
[9] E. Gabber, P. Gibbons, Y. Matias, and A. Mayer. How to make personalized Web browsing simple, secure, and anonymous. In R. Hirschfeld, editor, Financial Cryptography '97, pages 17-31, 1997.
[10] R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin. Robust threshold DSS signatures. In U. Maurer, editor, EUROCRYPT '96. Springer-Verlag, LNCS.
[11] R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin. The (in)security of distributed key generation in dlog-based cryptosystems. In J. Stern, editor, EUROCRYPT '99. Springer-Verlag, 1999. LNCS.
[12] S. Goldwasser and S. Micali. Probabilistic encryption. J. Comp. Sys. Sci., 28(1), 1984.
[13] M. Hirt and K. Sako. Efficient receipt-free voting based on homomorphic encryption. In B. Preneel, editor, EUROCRYPT '00. Springer-Verlag, 2000. LNCS.
[14] M. Jakobsson. A practical mix. In K. Nyberg, editor, EUROCRYPT '98. Springer-Verlag, LNCS.
[15] M. Jakobsson. Flash mixing. In PODC '99. ACM.
[16] M. Jakobsson and A. Juels. Millimix: Mixing in small batches. DIMACS Technical Report.
[17] M. Jakobsson and A. Juels. Mix and match: Secure function evaluation via ciphertexts. In T. Okamoto, editor, ASIACRYPT '00. LNCS.
[18] M. Jakobsson and D. M'Raïhi. Mix-based electronic payments. In S. Tavares and H. Meijer, editors, SAC '98. Springer-Verlag, 1998. LNCS.
[19] A. Juels. Targeted advertising and privacy too. In D. Naccache, editor, RSA Conference Cryptographers' Track, 2001. To appear.
[20] M. Luby. Pseudorandomness and Cryptographic Applications. Princeton Univ. Press, 1996.
[21] N. Lynch. Distributed Algorithms. Morgan Kaufmann.
[22] M. Mitomo and K. Kurosawa. Attack for flash mix. In T. Okamoto, editor, ASIACRYPT '00. LNCS.
[23] W. Ogata, K. Kurosawa, K. Sako, and K. Takatani. Fault tolerant anonymous channel. In Proc. ICICS '97. LNCS.
[24] M. Ohkubo and M. Abe. A length-invariant hybrid mix. In T. Okamoto, editor, ASIACRYPT '00. LNCS.
[25] C. Park, K. Itoh, and K. Kurosawa. All/nothing election scheme and anonymous channel. In T. Helleseth, editor, EUROCRYPT '93. Springer-Verlag, LNCS.
[26] A. Pfitzmann and B. Pfitzmann. How to break the direct RSA-implementation of MIXes. In J.-J. Quisquater and J. Vandewalle, editors, EUROCRYPT '89. Springer-Verlag, LNCS.
[27] A. Pfitzmann, B. Pfitzmann, and M. Waidner. ISDN-MIXes: Untraceable communication with very small bandwidth overhead. In Info. Security, Proc. IFIP/Sec '91, 1991.
[28] K. Sako and J. Kilian. Receipt-free mix-type voting scheme - a practical solution to the implementation of a voting booth. In L.C. Guillou and J.-J. Quisquater, editors, EUROCRYPT '95. Springer-Verlag, LNCS.
[29] P. Syverson, D. Goldschlag, and M. Reed. Anonymous connections and onion routing. In Proc. of 18th Annual Symposium on Security and Privacy. IEEE Press, 1997.

A Proofs

A.1 Robustness

Assumption 2 (MAC-of-knowledge) Consider a polynomial-time player $T$ modeled as a non-erasing, probabilistic Turing machine with input tape $Q_1$, work tape $Q_2$, and output tape $Q_3$. Let $x \in Z_q$ be a fixed integer. The player $T$ receives as input a sequence of triples $\{(y_j, m_j, MAC_{z_j}[m_j, I])\}_{j=1}^J$ such that $y_j, z_j \in G$ and $z_j = y_j^{\gamma}$ for $1 \le j \le J$, and a known nonce $I$. If $T$ outputs a triple $(y, m, MAC_z[m, I])$ different from all its inputs, and such that $z = y^{\gamma}$, then there exists a polynomial-time algorithm $A$ as follows. $A$ takes as inputs $Q_1$, $Q_2$ and $Q_3$, and outputs $z$ and $m$ with overwhelming probability over the coin flips of $T$.

Observe that our assumption here is weaker than a random oracle assumption on the MAC algorithm. In particular, we might satisfy the MAC-of-knowledge assumption by assuming that MACs are computable only by an oracle that takes as input the MACing key $z$ and the message $m$. In this case, if a player produces a correct (previously unseen) MAC of the form $MAC_z[m]$, she may be assumed to know $z$ and $m$ explicitly.

Lemma 1 Suppose that the adversary $A$ controls server $S_i$ but not $S_{i+1}$. Suppose that given (arbitrary) correct input $I_i$ to server $S_i$, the adversary is capable with non-negligible probability of producing output $O_i$ that is incorrect in a manner undetectable by $S_{i+1}$. Then there is a polynomial-time algorithm $A_{DDH}$ that can break the DDH assumption (using $A$ as a black box).

Proof: We shall construct an algorithm $A_{DDH}$ that takes a quadruple $(g, w, h = g^x, u)$ as input, and decides whether $u = w^x$ with non-negligible probability. We assume without loss of generality that $S_i$ is the first server that yields incorrect output. Thus we may construct our algorithm $A_{DDH}$ such that it simulates all servers up to $S_{i+1}$ excluding server $S_i$. Since server $S_i$ provides ZK POKs of each of its private keys, the simulator can extract these private keys prior to the key setup step for server $S_{i+1}$. Thus, the simulator can determine $l$ such that $Y_i = g^l$ prior to choosing $Y_{i+1}$. The simulator chooses $\alpha_{i+1}$ uniformly at random for server $S_{i+1}$, and lets $Y_{i+1} = Y_i^{\alpha_{i+1}}$.
The simulator lets $Z_{i+1} = h^{l\alpha_{i+1}} = (g^{l\alpha_{i+1}})^x = Y_{i+1}^x$. Hence, we have $\gamma_{i+1} = x$ as the secret key for MACs of server $S_{i+1}$. This value $x$ is not known to the simulator. Now the simulator simulates a polynomial number $P$ of mixing rounds for message sets drawn from some distribution $d$ selected by the adversary, and also including messages explicitly selected by the adversary. Note that the simulator can simulate these rounds without knowledge of $\gamma_{i+1} = x$. Since messages selected by the adversary are posted with ZK POKs, the simulator can rewind $A$ and extract the seed exponents for these messages. For messages it has itself created, the simulator of course knows these exponents to begin with. After the simulation of $P$ mixing rounds, the simulator prepares a final round similar to the previous ones, but with a specially constructed input triple included in $I_i$ in a uniformly random position. The simulator constructs this special input message as a triple $C_0^* = (c_0^*, \mu_0^*, y_0^*)$ as follows. The simulator has knowledge of the private keys of all servers, including those of server $S_i$, which it can extract from the corresponding ZK POKs. Thus, the simulator can select $y_0^*$ such that $y_i^* = w$. (Note here that $y_i^*$ is the key schedule that should be output by server $S_i$ if it behaves correctly. We make no assumption that this is actually going to be what the server outputs.) It selects a message set for $I_i$ from the distribution $d$, and selects a message $m^*$ uniformly at random from this message set. It then constructs the unique input ciphertext that is valid given underlying message $m^*$ and key schedule $y_0^*$. This ciphertext is, in fact, valid in all respects except one. Since the adversary does not know $\gamma_{i+1}$, it cannot compute $z^* = (y_0^*)^{\gamma_{i+1}}$ correctly, and therefore cannot compute $\mu^* = MAC_{z^*}[c^*]$ correctly. Instead, the simulator selects a MAC key $\kappa$ uniformly at random and sets $\mu^* = MAC_{\kappa}[c^*]$. Again, the simulator inserts the special input message $(c_0^*, \mu_0^*, y_0^*)$ into $I_i$ in a uniform, random position.

Note that since $z^*$ is determined by $\gamma_{i+1}$, which the adversary knows only from the public key $Z_{i+1}$, the adversary cannot detect the presence of the special input message under the DDH assumption. We do not provide details here, but remark that it is straightforward to show that if the adversary can indeed detect this, then a different simulator can be constructed to break DDH. Let us denote by $C_e^* = (c_e^*, \mu_e^*, y_e^*)$ the correct rendering of $C_0^*$ by server $S_e$. Let us denote the correct output of server $S_i$ on $I_i$ by $\{(c_i^{(j)}, \mu_i^{(j)}, y_i^{(j)})\}_{j=1}^{N'}$, and denote its actual output by $O_i = \{(\hat c_i^{(j)}, \hat\mu_i^{(j)}, \hat y_i^{(j)})\}_{j=1}^{N'}$. (Note that we may have $N' < N$, as the adversary may have provided invalid inputs that were subsequently eliminated from the mix.) Let us suppose that $S_i$ provides incorrect output that appears as correct to server $S_{i+1}$. For this validity check, the triple $C_i^*$ is accepted by $S_{i+1}$, even though the MAC $\mu_i^*$ is likely to be incorrect. Let us suppose, without loss of generality, that the first $b$ outputs in $O_i$ are incorrect. Let us call this set $\hat O_i = \{(\hat c_i^{(j)}, \hat\mu_i^{(j)}, \hat y_i^{(j)})\}_{j=1}^b$. (Note that this is a slightly different use of $\hat O_i$ than that in the definitions section.) More formally, no element of $\hat O_i$ is a correct rendering of an input element in $I_i$. By an extension of our reasoning above, the adversary cannot identify $C_{i-1}^*$ as it appears in $I_i$. Thus, since the server $S_i$ corrupts at least one element in $I_i$, with non-negligible probability server $S_i$ will corrupt $C_i^*$, i.e., the server does not render the specially planted message correctly. Let $\zeta$ denote the product $\prod_{j=1}^{N'} z^{(j)}$, i.e., the product of all of the correct MAC keys for the output $O_i$ of $S_i$. Observe that the simulator cannot compute $\zeta$, because it can't compute $z^* = (y_i^*)^{\gamma_{i+1}} = w^x$. Let $\zeta'$ denote $\zeta / z^*$, i.e., the product of all of the correct MAC keys that should be output by $S_i$, except for $z^*$. By our MAC-of-knowledge assumption, the simulator can compute $\zeta'$ by extracting the constituent MAC keys from the Turing tape of the MAC oracle. Let $\hat\zeta$ denote the product $\prod_{j=1}^{b} \hat z^{(j)}$, i.e., the product of the MAC keys used by the adversary to produce $\hat O_i$.
Since $\hat O_i$ does not include correctly rendered outputs, and because of our use of round-specific nonces, we see that the adversary cannot previously have seen any of the MACs $\{\hat\mu_i^{(j)}\}_{j=1}^b$ associated with $\hat O_i$. It follows therefore, again by the MAC-of-knowledge assumption, that the simulator can compute $\hat\zeta$. Finally, let $\bar\zeta$ denote the product of the MAC keys for $O_i \setminus \hat O_i = \{(\hat c_i^{(j)}, \hat\mu_i^{(j)}, \hat y_i^{(j)})\}_{j=b+1}^{N'}$. In other words, $\bar\zeta$ is the product of the MAC keys for the correctly rendered outputs of server $S_i$. Observe again, since the correctly rendered outputs $O_i \setminus \hat O_i$ do not contain $C_i^*$, by our MAC-of-knowledge assumption, the simulator can compute $\bar\zeta$. Recall that in order to have its output accepted, $S_i$ must prove that $P_i = P_{i-1}^{\alpha_i}$. In other words, we must have $\prod_{j=1}^{N'} \hat y_i^{(j)} = \prod_{j=1}^{N'} y_i^{(j)}$. Thus, $\zeta = \hat\zeta\bar\zeta$. Since the simulator can compute $\hat\zeta$, $\bar\zeta$, and $\zeta'$, it can compute $\zeta / \zeta' = z^* = w^x$. Thus, the simulator can determine whether $u = w^x$, and thus we can construct a poly-time algorithm $A_{DDH}$ to break the DDH problem.

We present the following corollary without proof.

Corollary 1 Suppose that the adversary controls servers $S_i, S_{i+1}, \ldots, S_j$ (where $j - i < n/2$ and $j \le n$). Suppose that given (arbitrary) correct input $I_i$ to server $S_i$, the adversary is capable with non-negligible probability of producing output $O_j$ that is incorrect in a manner undetectable by $S_{j+1}$. Then there is a polynomial-time algorithm $A_{DDH}$ that can break the DDH assumption (using $A$ as a black box).

Lemma 2 The mix protocol terminates in polynomial time in $n$, $N$ and all security parameters. Moreover, the mix protocol yields correct output with overwhelming probability over the coin flips of all participants.

Proof: [sketch] Consider the first contiguous sequence of servers $S_i, S_{i+1}, \ldots, S_j$ controlled by $A$. By Corollary 1, if the output from $S_j$ is not correct, this will be detected by server $S_{j+1}$ in the form of either an incorrect proof or an incorrect MAC. Thus, server $S_{j+1}$ will invoke Verify Complaint. The quorum of servers participating in Verify Complaint will affirm the correctness of the complaint and expel and simulate $S_j$. Eventually, therefore, as there is a majority of honest servers, dishonest servers will be expelled and openly simulated until the output from $S_j$ is correct. This argument applies to all contiguous sequences of servers under the control of $A$. By a similar argument, all invalid ciphertexts will eventually be purged. Therefore, output from $S_{n+1}$ will be correct.

Theorem 3 (Robustness) The protocol Hybrid Mix is robust under the DDH assumption, the indistinguishability assumption, and the MAC-of-knowledge assumption.
Proof: [sketch] By Lemma 2, clauses (a) and (b) of our robustness definition are satisfied. Recall, however, that a correct output may involve (a valid) alteration of a ciphertext submitted by one of the users controlled by $A$. Thus, to satisfy clause (c), we must show that such substitutions will not enable $A$ to create output dependent on plaintexts of honest users. Recall that our definition states that the adversary cannot choose candidate plaintext sets $O_0$ and $O_1$ for honest players such that if $O_b$ is selected according to a secret, random bit $b$, the adversary can guess $b$ with probability non-negligibly greater than $1/2$. Our experiment here assumes that the adversary does not see the output of the honest players (nor the associated decryption or MAC keys). Suppose w.l.o.g. that substitutions are made in $\hat O_i$ during the execution sequence of server $S_i$, the last server in the sequence in control of the adversary. By the MAC-of-knowledge assumption, the adversary can compute $\hat O_i$ and all intermediate renderings of $\hat O_i$. Therefore, since we assume that $S_i$ is the last server in the control of the adversary, and since the adversary does not see the outputs of honest users in our experiment, the information available to the adversary at the end of the protocol is identical to that available upon execution by $S_i$. In consequence, if the adversary can break the robustness assumption by guessing the bit $b$ at the end of the protocol, it can do so during the execution of server $S_i$. Thus, we can see that the adversary is capable of determining $b$ based on $O_i$ and previous transcripts from the protocol. We can then show that the adversary is therefore capable of determining $b$ from $O_i$ alone (since, very loosely speaking, previous transcripts reveal no additional information). It is possible, then, by a standard diagonalization argument to show that $A$ can mount a chosen plaintext attack successfully against a pair of ciphertexts in the mix. It is then straightforward to show that this results in the ability of the adversary to break the DDH assumption or the indistinguishability assumption.

We omit a proof sketch for our final theorem, which is proven using a generalization of the indistinguishability argument in the proof sketch for Theorem 3.

Theorem 4 The protocol Hybrid Mix maintains privacy under the DDH assumption, the indistinguishability assumption, and the MAC-of-knowledge assumption.

Proof: [sketch] We consider an experiment in which the adversary selects a set of output plaintexts $O$ for honest users. The adversary also selects an ordering $Z$ on corresponding input ciphertexts for the set $O$. We show that it is possible for a simulator to create a false mix transcript distribution $D_{random}$ computationally indistinguishable by the adversary from the distribution of correct executions $D_{correct,Z}$ over the set of input ciphertexts for $O$ with ordering $Z$. In $D_{random}$, input ciphertexts of honest users are represented by random plaintexts of the correct length. By Theorem 3, the protocol Hybrid Mix is robust, and thus includes at least one honest mix server $S_i$ (whose mixing is private). In creating a transcript in $D_{random}$, the simulator places correct ciphertexts for the set $O$ in the output of a simulation of $S_i$ (rather than decryptions of ciphertexts corresponding to the initial, random ciphertexts). We show that under the DDH and indistinguishability assumptions, it is computationally infeasible for the adversary to distinguish between the distributions $D_{random}$ and $D_{correct,Z}$. It follows that it is computationally infeasible for the adversary to distinguish between two distinct input orderings on the ciphertexts of honest players. We can then show that Hybrid Mix satisfies our privacy definition.


8 Algorithm for Binary Searching in Trees 8 Algorthm for Bnary Searchng n Trees In ths secton we present our algorthm for bnary searchng n trees. A crucal observaton employed by the algorthm s that ths problem can be effcently solved when the

More information

Complete Fairness in Secure Two-Party Computation

Complete Fairness in Secure Two-Party Computation Complete Farness n Secure Two-Party Computaton S. Dov Gordon Carmt Hazay Jonathan Katz Yehuda Lndell Abstract In the settng of secure two-party computaton, two mutually dstrustng partes wsh to compute

More information

DEFINING %COMPLETE IN MICROSOFT PROJECT

DEFINING %COMPLETE IN MICROSOFT PROJECT CelersSystems DEFINING %COMPLETE IN MICROSOFT PROJECT PREPARED BY James E Aksel, PMP, PMI-SP, MVP For Addtonal Informaton about Earned Value Management Systems and reportng, please contact: CelersSystems,

More information

From Selective to Full Security: Semi-Generic Transformations in the Standard Model

From Selective to Full Security: Semi-Generic Transformations in the Standard Model An extended abstract of ths work appears n the proceedngs of PKC 2012 From Selectve to Full Securty: Sem-Generc Transformatons n the Standard Model Mchel Abdalla 1 Daro Fore 2 Vadm Lyubashevsky 1 1 Département

More information

PKIS: practical keyword index search on cloud datacenter

PKIS: practical keyword index search on cloud datacenter Park et al. EURASIP Journal on Wreless Communcatons and Networkng 20, 20:64 http://jwcn.euraspjournals.com/content/20//64 RESEARCH Open Access PKIS: practcal keyword ndex search on cloud datacenter Hyun-A

More information

Minimal Coding Network With Combinatorial Structure For Instantaneous Recovery From Edge Failures

Minimal Coding Network With Combinatorial Structure For Instantaneous Recovery From Edge Failures Mnmal Codng Network Wth Combnatoral Structure For Instantaneous Recovery From Edge Falures Ashly Joseph 1, Mr.M.Sadsh Sendl 2, Dr.S.Karthk 3 1 Fnal Year ME CSE Student Department of Computer Scence Engneerng

More information

1 Example 1: Axis-aligned rectangles

1 Example 1: Axis-aligned rectangles COS 511: Theoretcal Machne Learnng Lecturer: Rob Schapre Lecture # 6 Scrbe: Aaron Schld February 21, 2013 Last class, we dscussed an analogue for Occam s Razor for nfnte hypothess spaces that, n conjuncton

More information

An Interest-Oriented Network Evolution Mechanism for Online Communities

An Interest-Oriented Network Evolution Mechanism for Online Communities An Interest-Orented Network Evoluton Mechansm for Onlne Communtes Cahong Sun and Xaopng Yang School of Informaton, Renmn Unversty of Chna, Bejng 100872, P.R. Chna {chsun,yang}@ruc.edu.cn Abstract. Onlne

More information

8.5 UNITARY AND HERMITIAN MATRICES. The conjugate transpose of a complex matrix A, denoted by A*, is given by

8.5 UNITARY AND HERMITIAN MATRICES. The conjugate transpose of a complex matrix A, denoted by A*, is given by 6 CHAPTER 8 COMPLEX VECTOR SPACES 5. Fnd the kernel of the lnear transformaton gven n Exercse 5. In Exercses 55 and 56, fnd the mage of v, for the ndcated composton, where and are gven by the followng

More information

CHOLESTEROL REFERENCE METHOD LABORATORY NETWORK. Sample Stability Protocol

CHOLESTEROL REFERENCE METHOD LABORATORY NETWORK. Sample Stability Protocol CHOLESTEROL REFERENCE METHOD LABORATORY NETWORK Sample Stablty Protocol Background The Cholesterol Reference Method Laboratory Network (CRMLN) developed certfcaton protocols for total cholesterol, HDL

More information

Project Networks With Mixed-Time Constraints

Project Networks With Mixed-Time Constraints Project Networs Wth Mxed-Tme Constrants L Caccetta and B Wattananon Western Australan Centre of Excellence n Industral Optmsaton (WACEIO) Curtn Unversty of Technology GPO Box U1987 Perth Western Australa

More information

1. Fundamentals of probability theory 2. Emergence of communication traffic 3. Stochastic & Markovian Processes (SP & MP)

1. Fundamentals of probability theory 2. Emergence of communication traffic 3. Stochastic & Markovian Processes (SP & MP) 6.3 / -- Communcaton Networks II (Görg) SS20 -- www.comnets.un-bremen.de Communcaton Networks II Contents. Fundamentals of probablty theory 2. Emergence of communcaton traffc 3. Stochastc & Markovan Processes

More information

A Verifiable Secret Shuffle of Homomorphic. encryptions.

A Verifiable Secret Shuffle of Homomorphic. encryptions. A Verfable Secret Shuffle of Homomorphc Encryptons Jens Groth 1 Department of Computer Scence, UCLA 3531A Boelter Hall Los Angeles, CA 90095-1596 USA [email protected] Abstract. A shuffle conssts of a permutaton

More information

Fully Homomorphic Encryption Scheme with Symmetric Keys

Fully Homomorphic Encryption Scheme with Symmetric Keys Fully Homomorphc Encrypton Scheme wth Symmetrc Keys A Dssertaton submtted n partal fulfllment for the award of the Degree of Master of Technology n Department of Computer Scence & Engneerng (wth specalzaton

More information

PSYCHOLOGICAL RESEARCH (PYC 304-C) Lecture 12

PSYCHOLOGICAL RESEARCH (PYC 304-C) Lecture 12 14 The Ch-squared dstrbuton PSYCHOLOGICAL RESEARCH (PYC 304-C) Lecture 1 If a normal varable X, havng mean µ and varance σ, s standardsed, the new varable Z has a mean 0 and varance 1. When ths standardsed

More information

Calculation of Sampling Weights

Calculation of Sampling Weights Perre Foy Statstcs Canada 4 Calculaton of Samplng Weghts 4.1 OVERVIEW The basc sample desgn used n TIMSS Populatons 1 and 2 was a two-stage stratfed cluster desgn. 1 The frst stage conssted of a sample

More information

A Cryptographic Key Assignment Scheme for Access Control in Poset Ordered Hierarchies with Enhanced Security

A Cryptographic Key Assignment Scheme for Access Control in Poset Ordered Hierarchies with Enhanced Security Internatonal Journal of Network Securty, Vol.7, No., PP.3 34, Sept. 8 3 A ryptographc Key Assgnment Scheme for Access ontrol n Poset Ordered Herarches wth Enhanced Securty Debass Gr and P. D. Srvastava

More information

Riposte: An Anonymous Messaging System Handling Millions of Users

Riposte: An Anonymous Messaging System Handling Millions of Users Rposte: An Anonymous Messagng System Handlng Mllons of Users Henry Corrgan-Gbbs, Dan Boneh, and Davd Mazères Stanford Unversty Abstract Ths paper presents Rposte, a new system for anonymous broadcast messagng.

More information

The OC Curve of Attribute Acceptance Plans

The OC Curve of Attribute Acceptance Plans The OC Curve of Attrbute Acceptance Plans The Operatng Characterstc (OC) curve descrbes the probablty of acceptng a lot as a functon of the lot s qualty. Fgure 1 shows a typcal OC Curve. 10 8 6 4 1 3 4

More information

Optimal Distributed Password Verification

Optimal Distributed Password Verification Optmal Dstrbuted Password Verfcaton Jan Camensch IBM Research Zurch [email protected] Anja Lehmann IBM Research Zurch [email protected] Gregory Neven IBM Research Zurch [email protected] ABSTRACT We present

More information

Provably Secure Single Sign-on Scheme in Distributed Systems and Networks

Provably Secure Single Sign-on Scheme in Distributed Systems and Networks 0 IEEE th Internatonal Conference on Trust, Securty and Prvacy n Computng and Communcatons Provably Secure Sngle Sgn-on Scheme n Dstrbuted Systems and Networks Jangshan Yu, Guln Wang, and Y Mu Center for

More information

Fast Variants of RSA

Fast Variants of RSA Fast Varants of RSA Dan Boneh [email protected] Hovav Shacham [email protected] Abstract We survey three varants of RSA desgned to speed up RSA decrypton. These varants are backwards compatble n

More information

1.1 The University may award Higher Doctorate degrees as specified from time-to-time in UPR AS11 1.

1.1 The University may award Higher Doctorate degrees as specified from time-to-time in UPR AS11 1. HIGHER DOCTORATE DEGREES SUMMARY OF PRINCIPAL CHANGES General changes None Secton 3.2 Refer to text (Amendments to verson 03.0, UPR AS02 are shown n talcs.) 1 INTRODUCTION 1.1 The Unversty may award Hgher

More information

v a 1 b 1 i, a 2 b 2 i,..., a n b n i.

v a 1 b 1 i, a 2 b 2 i,..., a n b n i. SECTION 8.4 COMPLEX VECTOR SPACES AND INNER PRODUCTS 455 8.4 COMPLEX VECTOR SPACES AND INNER PRODUCTS All the vector spaces we have studed thus far n the text are real vector spaces snce the scalars are

More information

Identity-Based Encryption Gone Wild

Identity-Based Encryption Gone Wild An extended abstract of ths paper appeared n Mchele Bugles, Bart Preneel, Vladmro Sassone, and Ingo Wegener, edtors, 33rd Internatonal Colloquum on Automata, Languages and Programmng ICALP 2006, volume

More information

+ + + - - This circuit than can be reduced to a planar circuit

+ + + - - This circuit than can be reduced to a planar circuit MeshCurrent Method The meshcurrent s analog of the nodeoltage method. We sole for a new set of arables, mesh currents, that automatcally satsfy KCLs. As such, meshcurrent method reduces crcut soluton to

More information

Support Vector Machines

Support Vector Machines Support Vector Machnes Max Wellng Department of Computer Scence Unversty of Toronto 10 Kng s College Road Toronto, M5S 3G5 Canada [email protected] Abstract Ths s a note to explan support vector machnes.

More information

Traffic-light a stress test for life insurance provisions

Traffic-light a stress test for life insurance provisions MEMORANDUM Date 006-09-7 Authors Bengt von Bahr, Göran Ronge Traffc-lght a stress test for lfe nsurance provsons Fnansnspetonen P.O. Box 6750 SE-113 85 Stocholm [Sveavägen 167] Tel +46 8 787 80 00 Fax

More information

Forecasting the Direction and Strength of Stock Market Movement

Forecasting the Direction and Strength of Stock Market Movement Forecastng the Drecton and Strength of Stock Market Movement Jngwe Chen Mng Chen Nan Ye [email protected] [email protected] [email protected] Abstract - Stock market s one of the most complcated systems

More information

Data Broadcast on a Multi-System Heterogeneous Overlayed Wireless Network *

Data Broadcast on a Multi-System Heterogeneous Overlayed Wireless Network * JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 24, 819-840 (2008) Data Broadcast on a Mult-System Heterogeneous Overlayed Wreless Network * Department of Computer Scence Natonal Chao Tung Unversty Hsnchu,

More information

) of the Cell class is created containing information about events associated with the cell. Events are added to the Cell instance

) of the Cell class is created containing information about events associated with the cell. Events are added to the Cell instance Calbraton Method Instances of the Cell class (one nstance for each FMS cell) contan ADC raw data and methods assocated wth each partcular FMS cell. The calbraton method ncludes event selecton (Class Cell

More information

How Sets of Coherent Probabilities May Serve as Models for Degrees of Incoherence

How Sets of Coherent Probabilities May Serve as Models for Degrees of Incoherence 1 st Internatonal Symposum on Imprecse Probabltes and Ther Applcatons, Ghent, Belgum, 29 June 2 July 1999 How Sets of Coherent Probabltes May Serve as Models for Degrees of Incoherence Mar J. Schervsh

More information

Implementation of Deutsch's Algorithm Using Mathcad

Implementation of Deutsch's Algorithm Using Mathcad Implementaton of Deutsch's Algorthm Usng Mathcad Frank Roux The followng s a Mathcad mplementaton of Davd Deutsch's quantum computer prototype as presented on pages - n "Machnes, Logc and Quantum Physcs"

More information

THE DISTRIBUTION OF LOAN PORTFOLIO VALUE * Oldrich Alfons Vasicek

THE DISTRIBUTION OF LOAN PORTFOLIO VALUE * Oldrich Alfons Vasicek HE DISRIBUION OF LOAN PORFOLIO VALUE * Oldrch Alfons Vascek he amount of captal necessary to support a portfolo of debt securtes depends on the probablty dstrbuton of the portfolo loss. Consder a portfolo

More information

SEVERAL trends are opening up the era of Cloud

SEVERAL trends are opening up the era of Cloud 1 Towards Secure and Dependable Storage Servces n Cloud Computng Cong Wang, Student Member, IEEE, Qan Wang, Student Member, IEEE, Ku Ren, Member, IEEE, Nng Cao, Student Member, IEEE, and Wenjng Lou, Senor

More information

Joint Scheduling of Processing and Shuffle Phases in MapReduce Systems

Joint Scheduling of Processing and Shuffle Phases in MapReduce Systems Jont Schedulng of Processng and Shuffle Phases n MapReduce Systems Fangfe Chen, Mural Kodalam, T. V. Lakshman Department of Computer Scence and Engneerng, The Penn State Unversty Bell Laboratores, Alcatel-Lucent

More information

Multiplication Algorithms for Radix-2 RN-Codings and Two s Complement Numbers

Multiplication Algorithms for Radix-2 RN-Codings and Two s Complement Numbers Multplcaton Algorthms for Radx- RN-Codngs and Two s Complement Numbers Jean-Luc Beuchat Projet Arénare, LIP, ENS Lyon 46, Allée d Itale F 69364 Lyon Cedex 07 [email protected] Jean-Mchel Muller

More information

DP5: A Private Presence Service

DP5: A Private Presence Service DP5: A Prvate Presence Servce Nkta Borsov Unversty of Illnos at Urbana-Champagn, Unted States [email protected] George Danezs Unversty College London, Unted Kngdom [email protected] Ian Goldberg Unversty

More information

J. Parallel Distrib. Comput.

J. Parallel Distrib. Comput. J. Parallel Dstrb. Comput. 71 (2011) 62 76 Contents lsts avalable at ScenceDrect J. Parallel Dstrb. Comput. journal homepage: www.elsever.com/locate/jpdc Optmzng server placement n dstrbuted systems n

More information

The Greedy Method. Introduction. 0/1 Knapsack Problem

The Greedy Method. Introduction. 0/1 Knapsack Problem The Greedy Method Introducton We have completed data structures. We now are gong to look at algorthm desgn methods. Often we are lookng at optmzaton problems whose performance s exponental. For an optmzaton

More information

VRT012 User s guide V0.1. Address: Žirmūnų g. 27, Vilnius LT-09105, Phone: (370-5) 2127472, Fax: (370-5) 276 1380, Email: info@teltonika.

VRT012 User s guide V0.1. Address: Žirmūnų g. 27, Vilnius LT-09105, Phone: (370-5) 2127472, Fax: (370-5) 276 1380, Email: info@teltonika. VRT012 User s gude V0.1 Thank you for purchasng our product. We hope ths user-frendly devce wll be helpful n realsng your deas and brngng comfort to your lfe. Please take few mnutes to read ths manual

More information

A Novel Methodology of Working Capital Management for Large. Public Constructions by Using Fuzzy S-curve Regression

A Novel Methodology of Working Capital Management for Large. Public Constructions by Using Fuzzy S-curve Regression Novel Methodology of Workng Captal Management for Large Publc Constructons by Usng Fuzzy S-curve Regresson Cheng-Wu Chen, Morrs H. L. Wang and Tng-Ya Hseh Department of Cvl Engneerng, Natonal Central Unversty,

More information

Fuzzy Keyword Search over Encrypted Data in Cloud Computing

Fuzzy Keyword Search over Encrypted Data in Cloud Computing Fuzzy Keyword Search over Encrypted Data n Cloud Computng Jn L,QanWang, Cong Wang,NngCao,KuRen, and Wenjng Lou Department of ECE, Illnos Insttute of Technology Department of ECE, Worcester Polytechnc Insttute

More information

How To Understand The Results Of The German Meris Cloud And Water Vapour Product

How To Understand The Results Of The German Meris Cloud And Water Vapour Product Ttel: Project: Doc. No.: MERIS level 3 cloud and water vapour products MAPP MAPP-ATBD-ClWVL3 Issue: 1 Revson: 0 Date: 9.12.1998 Functon Name Organsaton Sgnature Date Author: Bennartz FUB Preusker FUB Schüller

More information

Ensuring Data Storage Security in Cloud Computing

Ensuring Data Storage Security in Cloud Computing 1 Ensurng Data Storage Securty n Cloud Computng Cong Wang,Qan Wang, Ku Ren, and Wenjng Lou Dept of ECE, Illnos Insttute of Technology, Emal: {cwang, qwang, kren}@ecetedu Dept of ECE, Worcester Polytechnc

More information

Trivial lump sum R5.0

Trivial lump sum R5.0 Optons form Once you have flled n ths form, please return t wth your orgnal brth certfcate to: Premer PO Box 2067 Croydon CR90 9ND. Fll n ths form usng BLOCK CAPITALS and black nk. Mark all answers wth

More information

Certificate Revocation using Fine Grained Certificate Space Partitioning

Certificate Revocation using Fine Grained Certificate Space Partitioning Certfcate Revocaton usng Fne Graned Certfcate Space Parttonng Vpul Goyal Department of Computer Scence Unversty of Calforna, Los Angeles [email protected] Abstract A new certfcate revocaton system s presented.

More information

FORMAL ANALYSIS FOR REAL-TIME SCHEDULING

FORMAL ANALYSIS FOR REAL-TIME SCHEDULING FORMAL ANALYSIS FOR REAL-TIME SCHEDULING Bruno Dutertre and Vctora Stavrdou, SRI Internatonal, Menlo Park, CA Introducton In modern avoncs archtectures, applcaton software ncreasngly reles on servces provded

More information

Secure and Efficient Proof of Storage with Deduplication

Secure and Efficient Proof of Storage with Deduplication Secure and Effcent Proof of Storage wth Deduplcaton Qng Zheng Department of Computer Scence Unversty of Texas at San Antono [email protected] Shouhua Xu Department of Computer Scence Unversty of Texas

More information

Ad-Hoc Games and Packet Forwardng Networks

Ad-Hoc Games and Packet Forwardng Networks On Desgnng Incentve-Compatble Routng and Forwardng Protocols n Wreless Ad-Hoc Networks An Integrated Approach Usng Game Theoretcal and Cryptographc Technques Sheng Zhong L (Erran) L Yanbn Grace Lu Yang

More information

A DYNAMIC CRASHING METHOD FOR PROJECT MANAGEMENT USING SIMULATION-BASED OPTIMIZATION. Michael E. Kuhl Radhamés A. Tolentino-Peña

A DYNAMIC CRASHING METHOD FOR PROJECT MANAGEMENT USING SIMULATION-BASED OPTIMIZATION. Michael E. Kuhl Radhamés A. Tolentino-Peña Proceedngs of the 2008 Wnter Smulaton Conference S. J. Mason, R. R. Hll, L. Mönch, O. Rose, T. Jefferson, J. W. Fowler eds. A DYNAMIC CRASHING METHOD FOR PROJECT MANAGEMENT USING SIMULATION-BASED OPTIMIZATION

More information

SEVERAL trends are opening up the era of Cloud

SEVERAL trends are opening up the era of Cloud IEEE Transactons on Cloud Computng Date of Publcaton: Aprl-June 2012 Volume: 5, Issue: 2 1 Towards Secure and Dependable Storage Servces n Cloud Computng Cong Wang, Student Member, IEEE, Qan Wang, Student

More information

Multiple-Period Attribution: Residuals and Compounding

Multiple-Period Attribution: Residuals and Compounding Multple-Perod Attrbuton: Resduals and Compoundng Our revewer gave these authors full marks for dealng wth an ssue that performance measurers and vendors often regard as propretary nformaton. In 1994, Dens

More information

A Secure Nonrepudiable Threshold Proxy Signature Scheme with Known Signers

A Secure Nonrepudiable Threshold Proxy Signature Scheme with Known Signers INFORMATICA, 2000, Vol. 11, No. 2, 137 144 137 2000 Insttute of Mathematcs and Informatcs, Vlnus A Secure Nonrepudable Threshold Proxy Sgnature Scheme wth Known Sgners Mn-Shang HWANG, Iuon-Chang LIN, Erc

More information

Watermark-based Provable Data Possession for Multimedia File in Cloud Storage

Watermark-based Provable Data Possession for Multimedia File in Cloud Storage Vol.48 (CIA 014), pp.103-107 http://dx.do.org/10.1457/astl.014.48.18 Watermar-based Provable Data Possesson for Multmeda Fle n Cloud Storage Yongjun Ren 1,, Jang Xu 1,, Jn Wang 1,, Lmng Fang 3, Jeong-U

More information

Frequency Selective IQ Phase and IQ Amplitude Imbalance Adjustments for OFDM Direct Conversion Transmitters

Frequency Selective IQ Phase and IQ Amplitude Imbalance Adjustments for OFDM Direct Conversion Transmitters Frequency Selectve IQ Phase and IQ Ampltude Imbalance Adjustments for OFDM Drect Converson ransmtters Edmund Coersmeer, Ernst Zelnsk Noka, Meesmannstrasse 103, 44807 Bochum, Germany [email protected],

More information

Institute of Informatics, Faculty of Business and Management, Brno University of Technology,Czech Republic

Institute of Informatics, Faculty of Business and Management, Brno University of Technology,Czech Republic Lagrange Multplers as Quanttatve Indcators n Economcs Ivan Mezník Insttute of Informatcs, Faculty of Busness and Management, Brno Unversty of TechnologCzech Republc Abstract The quanttatve role of Lagrange

More information

BERNSTEIN POLYNOMIALS

BERNSTEIN POLYNOMIALS On-Lne Geometrc Modelng Notes BERNSTEIN POLYNOMIALS Kenneth I. Joy Vsualzaton and Graphcs Research Group Department of Computer Scence Unversty of Calforna, Davs Overvew Polynomals are ncredbly useful

More information

A Performance Analysis of View Maintenance Techniques for Data Warehouses

A Performance Analysis of View Maintenance Techniques for Data Warehouses A Performance Analyss of Vew Mantenance Technques for Data Warehouses Xng Wang Dell Computer Corporaton Round Roc, Texas Le Gruenwald The nversty of Olahoma School of Computer Scence orman, OK 739 Guangtao

More information

Usage of LCG/CLCG numbers for electronic gambling applications

Usage of LCG/CLCG numbers for electronic gambling applications Usage of LCG/CLCG numbers for electronc gamblng applcatons Anders Knutsson Smovts Consultng, Wenner-Gren Center, Sveavägen 166, 113 46 Stockholm, Sweden [email protected] Abstract. Several attacks

More information

Joe Pimbley, unpublished, 2005. Yield Curve Calculations

Joe Pimbley, unpublished, 2005. Yield Curve Calculations Joe Pmbley, unpublshed, 005. Yeld Curve Calculatons Background: Everythng s dscount factors Yeld curve calculatons nclude valuaton of forward rate agreements (FRAs), swaps, nterest rate optons, and forward

More information

Multi-Resource Fair Allocation in Heterogeneous Cloud Computing Systems

Multi-Resource Fair Allocation in Heterogeneous Cloud Computing Systems 1 Mult-Resource Far Allocaton n Heterogeneous Cloud Computng Systems We Wang, Student Member, IEEE, Ben Lang, Senor Member, IEEE, Baochun L, Senor Member, IEEE Abstract We study the mult-resource allocaton

More information

Single and multiple stage classifiers implementing logistic discrimination

Single and multiple stage classifiers implementing logistic discrimination Sngle and multple stage classfers mplementng logstc dscrmnaton Hélo Radke Bttencourt 1 Dens Alter de Olvera Moraes 2 Vctor Haertel 2 1 Pontfíca Unversdade Católca do Ro Grande do Sul - PUCRS Av. Ipranga,

More information

Activity Scheduling for Cost-Time Investment Optimization in Project Management

Activity Scheduling for Cost-Time Investment Optimization in Project Management PROJECT MANAGEMENT 4 th Internatonal Conference on Industral Engneerng and Industral Management XIV Congreso de Ingenería de Organzacón Donosta- San Sebastán, September 8 th -10 th 010 Actvty Schedulng

More information

Can Auto Liability Insurance Purchases Signal Risk Attitude?

Can Auto Liability Insurance Purchases Signal Risk Attitude? Internatonal Journal of Busness and Economcs, 2011, Vol. 10, No. 2, 159-164 Can Auto Lablty Insurance Purchases Sgnal Rsk Atttude? Chu-Shu L Department of Internatonal Busness, Asa Unversty, Tawan Sheng-Chang

More information

Enterprise Master Patient Index

Enterprise Master Patient Index Enterprse Master Patent Index Healthcare data are captured n many dfferent settngs such as hosptals, clncs, labs, and physcan offces. Accordng to a report by the CDC, patents n the Unted States made an

More information

Scalable and Secure Architecture for Digital Content Distribution

Scalable and Secure Architecture for Digital Content Distribution Valer Bocan Scalable and Secure Archtecture for Dgtal Content Dstrbuton Mha Fagadar-Cosma Department of Computer Scence and Engneerng Informaton Technology Department Poltehnca Unversty of Tmsoara Alcatel

More information

Efficient Reinforcement Learning in Factored MDPs

Efficient Reinforcement Learning in Factored MDPs Effcent Renforcement Learnng n Factored MDPs Mchael Kearns AT&T Labs [email protected] Daphne Koller Stanford Unversty [email protected] Abstract We present a provably effcent and near-optmal

More information

Relay Secrecy in Wireless Networks with Eavesdropper

Relay Secrecy in Wireless Networks with Eavesdropper Relay Secrecy n Wreless Networks wth Eavesdropper Parvathnathan Venktasubramanam, Tng He and Lang Tong School of Electrcal and Computer Engneerng Cornell Unversty, Ithaca, NY 14853 Emal : {pv45, th255,

More information

To manage leave, meeting institutional requirements and treating individual staff members fairly and consistently.

To manage leave, meeting institutional requirements and treating individual staff members fairly and consistently. Corporate Polces & Procedures Human Resources - Document CPP216 Leave Management Frst Produced: Current Verson: Past Revsons: Revew Cycle: Apples From: 09/09/09 26/10/12 09/09/09 3 years Immedately Authorsaton:

More information

sscada: securing SCADA infrastructure communications

sscada: securing SCADA infrastructure communications Int. J. Communcaton Networks and Dstrbuted Systems, Vol. 6, No. 1, 2011 59 sscada: securng SCADA nfrastructure communcatons Yongge Wang Department of SIS, UNC Charlotte, 9201 Unversty Cty Blvd, Charlotte,

More information