Traceable mixnets

05/14/2023
by Prashant Agrawal, et al.

We introduce the notion of traceable mixnets. In a traditional mixnet, multiple mix-servers jointly permute and decrypt a list of ciphertexts to produce a list of plaintexts, along with a proof of correctness, such that the association between individual ciphertexts and plaintexts remains completely hidden. However, in many applications, the privacy-utility tradeoff requires answering some specific queries about this association, without revealing any information beyond the query result. We consider queries of the following type: a) given a ciphertext in the mixnet input list, whether it encrypts one of a given subset of plaintexts in the output list, and b) given a plaintext in the mixnet output list, whether it is a decryption of one of a given subset of ciphertexts in the input list. Traceable mixnets allow the mix-servers to jointly prove answers to the above queries to a querier such that neither the querier nor a threshold number of mix-servers learn any information beyond the query result. If the querier is not corrupted, the corrupted mix-servers do not even learn the query result. We propose a construction of a traceable mixnet using novel distributed zero-knowledge proofs of set membership and a related primitive we introduce called reverse set membership. Although the set membership problem has been studied in the single-prover setting, the main challenge in our distributed setting lies in making sure that none of the mix-servers learn the association between ciphertexts and plaintexts during the proof. Our construction is faster than existing techniques by at least one order of magnitude.
