ABSTRACT
Mix nets are the most widely deployed application of secure multi-party computation (MPC) in the real world: several routers cooperate to anonymise a batch of data by shuffling it. They are an important network security mechanism for anonymous communication, with applications ranging from AI training to online services. So far, the security of mix nets has been analysed only in theoretical cryptographic models; their security as deployed systems has received little attention from researchers. In this paper we survey several popular commercial mix net services and find that they share a common strategy: take an academic shuffling scheme, develop it into a real-world mix net system, and assume that the scheme's theoretical security properties guarantee the robustness of the system in practical use. Our analysis shows that this assumption is not reliable: a deployed mix net faces challenges and attackers beyond those its academic prototype anticipates. In particular, we show that in practice some users of a mix net may collude with the service providers to compromise the reliability of the mix net, a realistic environmental factor that is usually ignored in cryptographic protocol design. Consequently, anonymous communication services built on mix nets are not as reliable in practice as widely believed, and their applications in network security carry non-negligible vulnerabilities or risks.
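The following is an added illustration, not code from the paper or from any of the surveyed services, of the re-encryption mix net design the abstract refers to. Each server re-randomises every ElGamal ciphertext and outputs the batch in a secret order, so the final decryptions are a permutation of the inputs while no output ciphertext can be linked to an input. A second, dishonest server shows why reliability cannot simply be assumed from the shuffle's theoretical properties: a mixer that swaps in its own ciphertext still produces a perfectly well-formed batch, and the substitution is only detectable here because the demo knows the original plaintexts. The toy parameters (P, Q, G), the function names and the forged value 9 are constructed for the example and are far too small for real use.

```python
import secrets

# Toy ElGamal group, constructed for this example only: P = 2*Q + 1 is a safe prime
# and G = 4 generates the order-Q subgroup of quadratic residues modulo P.
P = 2879
Q = 1439
G = 4
_RNG = secrets.SystemRandom()


def keygen():
    """Decryption authority's key pair (sk, pk) with pk = G^sk mod P."""
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)


def encrypt(pk, m):
    """Standard ElGamal: (G^r, m * pk^r); m must lie in the order-Q subgroup."""
    r = secrets.randbelow(Q - 1) + 1
    return (pow(G, r, P), m * pow(pk, r, P) % P)


def reencrypt(pk, ct):
    """Multiply by an encryption of 1, so the plaintext is unchanged but the
    ciphertext looks fresh. Only the holder of sk could relate the two."""
    a, b = ct
    r = secrets.randbelow(Q - 1) + 1
    return (a * pow(G, r, P) % P, b * pow(pk, r, P) % P)


def decrypt(sk, ct):
    a, b = ct
    # a has order Q, so a^(-sk) == a^(Q - sk) mod P.
    return b * pow(a, Q - sk, P) % P


def encode(v):
    """Exponential ElGamal encoding: small integer v -> G^v, an element of the subgroup."""
    return pow(G, v, P)


# Decoding table for the small message space used here (constructed for the demo).
DECODE = {pow(G, v, P): v for v in range(64)}


def mix_server(pk, batch):
    """An honest mix: re-encrypt every ciphertext, then output in a secret random order."""
    out = [reencrypt(pk, ct) for ct in batch]
    _RNG.shuffle(out)
    return out


def dishonest_mix_server(pk, batch, forged_value=9):
    """A cheating mix that drops one input and inserts its own ciphertext.
    The output batch is well-formed; without a proof of shuffle nothing downstream
    can tell it apart from an honest one."""
    out = [encrypt(pk, encode(forged_value))] + [reencrypt(pk, ct) for ct in batch[1:]]
    _RNG.shuffle(out)
    return out


def run_mixnet(pk, batch, servers):
    """Chain the servers: each one's output is the next one's input."""
    for server in servers:
        batch = server(pk, batch)
    return batch


def demo(values=(1, 5, 7, 3, 2), cheat=False):
    """Returns (multiset_preserved, decoded_outputs, any_output_linkable_to_an_input).
    Note that multiset_preserved can only be computed because the demo knows the
    plaintext inputs; in deployment a proof of shuffle has to replace that knowledge."""
    sk, pk = keygen()
    inputs = [encrypt(pk, encode(v)) for v in values]
    middle = dishonest_mix_server if cheat else mix_server
    outputs = run_mixnet(pk, inputs, [mix_server, middle, mix_server])
    decoded = [DECODE[decrypt(sk, ct)] for ct in outputs]
    linkable = bool(set(outputs) & set(inputs))
    return sorted(decoded) == sorted(values), decoded, linkable


if __name__ == "__main__":
    print("honest chain:   ", demo())
    print("one cheating mix:", demo(cheat=True))
```

With distinct input values, the honest run always reports that no output ciphertext equals any input ciphertext, because every server multiplies in a fresh non-identity encryption of 1; the dishonest run decrypts to a batch that still looks plausible but no longer matches what was submitted, which is the gap between "the shuffle is secure on paper" and "the deployed service is reliable".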
TITLE
How Secure Are The Main Real-World Mix Networks — Case Studies To Explore Vulnerabilities And Usability