Bilinear Pairing-Based Hybrid Mixnet with Anonymity Revocation

Bilinear Pairing-based Hybrid Mixnet with Anonymity Revocation

Andrea Huszti and Zita Kovacs´ Faculty of Informatics, University of Debrecen, Kassai street 26., Debrecen, Hungary

Keywords: Bilinear Pairings, Mix Network, Anonymity Revocation, Eligibility.

Abstract: A hybrid mix is presented providing anonymity and eligibility verification of senders, the possibility of anonymous reply and anonymity revocation, that are usually required in practice. Furthermore the proposed mix is capable of processing messages with arbitrarily length. In the process of design we applied bilinear pairings due to their good properties. We compared the time and space complexity of Zhong’s mix (Zhong, 2009) to our one, we achieved better efficiency. In the security evaluation we prove, that our mix is correct, provides anonymity and eligibility verification for senders.

1 INTRODUCTION AND 1997a) and location privacy (Federrath et al., 1996; PRELIMINARIES Syverson et al., 1997b; Golle et al., 2002; Huang et al., 2006). We propose a decryption/encryption-based mix, In recent decades, the widespread use of public chan- applying bilinear pairings. Let us review the def- nels has led to the development of network-based inition of the admissible bilinear map (Boneh and services, where it is necessary to manage the criti- Franklin, 2001). cal, confidential or personal information. Since these channels can be easily eavesdropped, you need to pay Definition 1.1. Let G1 and G2 be two groups of order attention to the transmitted information. Several cryp- q for some large prime q. A map e : G1 × G1 → G2 tographic primitives are developed to ensure the pro- is an admissible bilinear map if satisfies the following tection of confidential information from unauthorized properties: access. In some cases it may be important that the 1. Bilinear: We say that a map e : G1 × G1 → G2 is ab message can not be linked to the sender (for example bilinear if e(aP,bQ) = e(P,Q) for all P,Q ∈ G1 in electronic voting systems, the voter and the vote and all a,b ∈ Z. can not be linked). 2. Non-degenerate: The map does not send all pairs In 1981, Chaum (Chaum, 1981) proposed a cryp- in G1 × G1 to the identity in G2. Since G1,G2 are tographic construction called mix network which can groups of prime order, if P is a generator of G1 be used to hide senders’ identity. In case of mixnets then e(P,P) is a generator of G2. determining the identity of a sender, even if all mes- 3. Computable: There is an efficient algorithm to sages transferred are given is a hard problem. Each compute e(P,Q) for any P,Q ∈ G . mix server receives messages originating from multi- 1 ple senders, permutes them, performs cryptographic We should mention that bilinearity can be restated operations (decryption, encryption or re-encryption) to for all P,Q,R ∈ G1 e(P+Q,R) = e(P,R)e(Q,R) and and sends them to the next server. e(P,Q + R) = e(P,Q)e(P,R). We can find G1 and G2 This design was the basis for many applications, where these properties hold. The Weil and Tate pair- especially in the field of electronic voting (Sako and ings prove the existence of such constructions. Typi- Kilian, 1995; Michels and Horster, 1996; Neff, 2001; cally, G1 is an elliptic-curve group and G2 is a finite Jakobsson et al., 2002). Some further applications field. of mix networks: anonymous email (Parekh, 1996; Usually the security of cryptographic protocols Gulcu and Tsudik, 1996; Danezis et al., 2003), anony- applying bilinear maps is based on the problem of Bi- mous telecommunications (Pfitzmann et al., 1991; linear Diffie-Hellman Problem. Jerichow et al., 1998), anonymous internet commu- Definition 1.2. (Bilinear Diffie-Hellman Problem nications (Goldschlag et al., 1996; Syverson et al., (BDHP) in G1)

238 Huszti A. and Kovacs Z.. Bilinear Pairing-based Hybrid Mixnet with Anonymity Revocation. DOI: 10.5220/0005273002380245 In Proceedings of the 1st International Conference on Information Systems Security and Privacy (ICISSP-2015), pages 238-245 ISBN: 978-989-758-081-9 Copyright c 2015 SCITEPRESS (Science and Technology Publications, Lda.) BilinearPairing-basedHybridMixnetwithAnonymityRevocation

Let e : G1 × G1 → G2 be a bilinear map on and Juels, 2001). They used MAC keys for providing ∗ (G1,G2). The problem is for every a,b,c ∈ Zq , given the robustness and in their paper they described these P,aP,bP,cP, computing e(P,P)abc. properties of correctness, privacy, robustness and in- BDHP is closely related to the Computational distinguishability (Jakobsson and Juels, 2001). Diffie-Hellman Problem. For simplicity we give the In 2009, Zhong proposed an identity-based mix definition in G1. network (Zhong, 2009), which is based on bilinear maps. His construction is a re-encryption mix, that Definition 1.3. (Computational Diffie-Hellman Prob- is suitable only for sending short messages, since it lem (CDHP) in G1) proceeds only asymmetric encryptions. The problem is for every a,b ∈ Z∗, given P,aP,bP, q There are solutions that provide anonymous re- computing abP. ply. In (Chaum, 1981) Chaum proposed untrace- Hardness of the BDHP implies the hardness of the able return addresses which allow the receiver to send CDHP in both G1 and G2. Note, that the Decisional a reply message without knowing senders’ identity. Diffie-Hellman Problem (DDHP) in G1 can be effi- Another example is the Mixminion (Danezis et al., ciently solved. 2003) which is an anonymous remailer protocol and Definition 1.4. (Decisional Diffie-Hellman Problem it supports Single-Use Reply Blocks (or SURBs) to (DDHP) in G1) allow anonymous recipients. In these schemes the ∗ The problem is for every a,b,c ∈ Zq , given P,aP,bP sender recursively encrypts the return address block and cP, deciding whether cP = abP. and sends it in the body of the message. These en- By computing e(P,cP) = e(P,P)c and e(aP,bP) = cryptions are necessary, even if the receiver does not e(P,P)ab, one can decide whether cP = abP holds, intend to reply. ab c since e(P,P) = e(P,P) if and only if abP = cP. G1 is a Gap Diffie-Hellman (GDH) group, if the DDHP is easy and the CDHP is hard in G1. 3 OUR HYBRID MIX Assuming that BDHP is hard, a one-round three- party key agreement protocol is constructed (Joux, 2000; Verheul, 2001). There are three participants, A hybrid mix uses both asymmetric and symmetric ∗ operations. It applies asymmetric cryptographic so- each possesses a secret value a,b,c ∈ Zq , and publishes aP,bP,cP, respectively. With the given e : G × lutions for the key exchange and symmetric ones for 1 encrypting plaintexts. Therefore a hybrid mix effi- G1 → G2 bilinear map the common secret key K can be easily calculated by K = e(bP,cP)a = e(aP,cP)b = ciently handles long messages as well as short ones. e(aP,bP)c. We designed a hybrid mix that is based on admissable bilinear maps due to their good properties. As far as we know, our construction is the first hybrid mixnet, which is based on bilinear maps. 2 RELATED WORK Usually, in case of anonymous communication the receiver needs to know whether the sender is allowed Chaum’s proposal called forth several designs of to send a message, i.e. is eligible for it. One can anonymous communication channels. One can read think of an e-exam or an e-voting scheme. In both a nice survey by Sampigethaya in (Sampigethaya and cases there are requirements for participating. In case Poovendran, 2006). of e-exams we should verify whether the students ac- A hybrid mix is capable of handling arbitrar- complished all the prerequisites of an exam, in case ily long input messages. There is a hybrid mix of e-voting whether the voters are citizens and have a proposed by Ohkubo and Abe (Ohkubo and Abe, clean record etc. should be checked. Usually eligibil- 2000), that is based on the intractability of the De- ity is not provided for mix networks built in, cryptog- cision Diffie-Hellman problem and realizes length- raphers have to solve this problem. flexibility, length-invariance and provable security (in There are situations, when the receiver needs to terms of anonymity). send messages back to the anonymous sender in a way Subsequenlty proposed mix network schemes, that the sender remains anonymous. For example, in known as public-key mixes, have focused on achiev- case of e-tender systems, many times the anonymous ing robustness, typically through heavy reliance on applicants have to make up supplements. These cases public-key operations (Jakobsson, 1998; Markus and a mix network should provide anonymous reply. In Ari, 1999; Desmedt and Kurosawa, 2000; Mitomo our construction cryptographic operations are needed and Kurosawa, 2000). Jakobsson and Juels presented only if the receiver sends messages back, hence we an optimally robust hybrid mix network (Jakobsson increased efficiency.

239 ICISSP2015-1stInternationalConferenceonInformationSystemsSecurityandPrivacy

In order to prevent illegal activities anonymity re- where x is never calculated explicitly. R also out- vocation is needed. There are circumstances when puts xNP public key for providing anonymous re- the identity of the anonymous sender should be reply. trieved. We provide eligibility and anonymity revocation with the help of a registry authority and the 3.2 Registration mixnet. We take advantages of bilinear maps, since they provide great services for three party protocols. We consider the situation, when there are several For anonymity revocation besides the encrypted iden- senders and only one receiver. In practise, often there tities, we also use commitment values. By verifying is only one receiver, one can think of an e-voting, e- these values a receiver makes sure, that after the dead- tender or an e-survey scheme. Senders send messages line senders’ anonymity can be revoked. These val- anonymously to a (not anonymous) receiver. During ues are based on user-specific, registry-specific and registration RA verifies the eligibility of each sender mixnet-specific elements. Bilinear maps make pos- and blindly authorizes their messages. We applied sible for the three participants to verify (share) these blind short signatures (Boldyreva, 2003) with a small values easily. modification. Considering practical aspects of a mixnet, it is usually used in a situation, where besides sender’s 1. Let us denote the message by msg, that sender Si anonymity, eligibility verification, possibility to re- would like to send to receiver R. Si generates an (i) ∗ ply to an anonymous sender and anonymity revoca- u ∈ Zq random value. tion are also required. We have designed a mix net- 2. Si authenticates himself to RA and asks for au- work, that provides all these requirements built in. thorization by sending his identification number (i) with bit length l and H1(msg) + u P on a secret, 3.1 Preparation authenticated channel. S We use the following notation for the participants. We 3. RA verifies whether i is eligible for sending R S denote senders by S , where i = 1,...,n, the publicly messages to . If i is eligible, then RA blindly i H (msg) + u(i)P s(H (msg) + known receiver by R, the registry authority by RA, signs 1 and sends 1 u(i)P) to S . also calculates a commitment mix servers by Mi, where i = 1,...,N (the last mix i RA value µ for verification purposes and ε , that is server is the receiver, i.e. R=MN) and the bulletin i i board by ββ. Our proposed protocol can be built on the sender’s identity number encrypted. any G1,G2 groups, where G1 is a Gap Diffie-Hellman (i) s µi = e(mP,H1(msg) + u P) group and G2 is a multiplicative group. We assume, (i) s that Gap Diffie-Hellman problem is hard. εi = Si ⊗ H2(e(xmP,H1(msg) + u P) )

1. RA generates system parameters: groups G1, G2, 2 4. Si calculates sH1(msg) with the knowledge bilinear map e : G1 → G2, generator element P (i) ∗ of u sP and generates msg||sH1(msg), where of G1, hash functions H1 : {0,1} → G1 and H2 : l sH1(msg) is RA’s signature on msg. Si also veri- G2 → {0,1} . All parameters are made public. ﬁes e(sH1(msg),P) = e(sP,H1(msg)). 2. Furthermore RA creates a random secret value s ∈ Z∗ and outputs sP public key. RA makes (µi,εi) pairs public in a permuted order q on ββ. 3. Each Mi generates random, secret, composite value mi and outputs 3.3 Message Submission and Mixing i mkP. ∗ ∏ Si generates a secret, random value: asi ∈ Zq that is k=1 necessary for the reply and calculates the following Finally R chooses random, secret mN and calcu- plaintext: N lates mP = ∏k=1 mkP. This value is used for gen- erating commitment values. p = msg||sH1(msg)||asi P ∗ 4. Each Mi chooses random, secret values xi ∈ Zq , Si generates the following symmetric encryption PK = x i m P then calculates and publishes Mi i ∏ j=1 j keys: i and ∏ j= x jm jP values. (i) 1 K(i) = H (e(PK ,sP)u ), j = ,...,N − ∗ j 2 M j where 1 1 5. R also chooses xN ∈ Zq and publishes PKR = N N (i) u(i) xN ∏ j=1 m jP = xNmP and ∏ j=1 x jm jP = xmP KR = H2(e(PKR,sP) )

240 BilinearPairing-basedHybridMixnetwithAnonymityRevocation

encrypts plaintext p: 3.5 Anonymous Reply (i) M1 = Enc (i) (Enc (i) (...Enc (i) (p))), In case receiver R is willing to send a mes- K1 K2 KR sage t back to the anonymous sender Si, then (i) (i) (i) (i) (i) ∗ randomly chooses u1 ,u2 such that u = u1 · u2 chooses a random value rsi ∈ Zq and calculates (i) (i) (i) (i) (i) (i) and sends v1 = u1 P||w1 = u2 sP||M1 to M1. d −1 xN KR = H2(e(rsi asi P,rsi sP) ) symmetric key, and Mix server j receives three values concatenated M (i) (i) (i) (i) (i) (i) d encrypts message t: M1 = Enc (i) (t). R sends v j ||w j ||M j for each Si. Values v j and w j are nec- Kd essary for symmetric key generation and the third one R −1 d(i) is the encrypted message. Each mix collects all mes- rsi asi P||rsi sP||M1 for each sender to M1. Each mix sages from each Si, where i = 1,...,n, hence receives: c(i) d(i) d(i) server M j after receiving v j ||w j ||M j , where j−1 v(i) = a(i) · u(i)P where j = 2,...,N − 1 j−1 j−1 j ∏ k 1 vc(i) = a(i) · r a P, wd(i) = b(i) · r−1sP. k=1 j ∏ k si si j ∏ k si j−1 k=1 k=1 (i) (i) (i) w j = ∏ bk · u2 sP where j = 2,...,N − 1. calculates k=1 d(i) (i) c(i) d(i) (i) d(i) (i) (i) (i) (i) (i) (i) v j+1 = a j · v j , w j+1 = b j · w j M j calculates v j+1 = a j · v j , w j+1 = b j · w j , (i) (i) ∗ where a j ,b j ∈ Zq randomly chosen, such that d(i) d(i) d(i) x j [(i) d(i) Kj = H2(e(v j+1,w j+1) ), M j+1 = Enc (i) (M j ). (i) (i) Kd m j = a j · b j , then gets randomized symmetric keys j (i) (i) (i) x j (i) (i) Kj = H2(e(v j+1,w j+1) ). M j decrypts cipher- Values a j and b j are chosen randomly such that (i) (i) (i) (i) (i) (i) (i) texts M j+1 = Dec (i) (M j ), then permutes the list of d d [ Kj m j = a j · b j , and sends v j+1||w j+1||M j+1 to M j+1. (i) (i) (i) Server MN−1 outputs all the calculated values with triplets v j+1||w j+1||M j+1, where i = 1,...,n and outputs them to mix . [(i) M j+1 H1(KN−1) to ββ. Si calculates keys 3.4 Receiving the Message d(i) as Kj = H2(e(PK ,sP) i ),where j = 1,...,N − 1 (i) (i) (i) M j R receives v ||w ||M from each Si, calcu- N N N (i) (i) (i) (i) d asi xN KR = H2(e(xNP,sP) ). lates KR = H2(e(vN ,mN · wN ) ) and de- (i) crypts p = Dec (i) (M ). We repeat that (i) K N [ R and looks for H1(KN−1) on ββ, accesses all data and p = msg||sH (msg)||a P. R examines, whether 1 si d(i) the message p came from an eligible sender by decrypts the proper MN with the keys above. Si gets R (i) verifying the signature of RA. Hence confirms t = Dec (Dec (...Dec (M[))) plaintext. d(i) d(i) [(i) N whether: KR K1 KN−1 e(sH1(msg),P) = e(sP,H1(msg)) 3.6 Anonymity Revocation R also checks whether the commitment value (i) (i) There are several applications, when after a certain µi = e(vN ,mN · wN ) · e(sH1(msg),mP) deadline the identity of the anonymous sender should be revealed. We could think of either an e-tender or exists on ββ. If R finds µi, then Si sent the correct (i) an e-exam scheme. In general, anonymity revocation uP and H1(msg) + u P to the first mix and RA. That means the sender’s encrypted identity can be de- should be provided even if the sender is not willing to crypted by the mix servers and R after the deadline. reveal his identity (e.g. an examinee does not want to For eligible senders R stores: get a bad grade). Our solution determines senders’ real identity

µi||msg||sH1(msg)||asi P. with the help of the mixnet. Receiver R sends xN value µi to the ﬁrst mix. Each server M j power We will use µi for anonymity revocation and as P to i the received value to x j and sends it to the next reply to the anonymous sender. x x server. Finally, µi is given. After H2(µi ) =

241 ICISSP2015-1stInternationalConferenceonInformationSystemsSecurityandPrivacy

(i) s (i) (i) (i) (i) (i) H2(e(xmP,H1(msg) + u P) ) is calculated, identity (Note that mk = ak · bk and u = u1 · u2 .) The number Si is received with the help of εi. receiver R receives a set of the triplets from MN−1: We should mention, that if the sender is willing σ(i) σ(i) σ(i) to participate in the revocation process, then the real (vN ||wN ||MN ) identity can be determined without the mix servers in where σ(i) is the permutation of i = 1,...,n and gets: an easier and lower-cost way. If the sender provides the secret value u(i), RA can retrieve the sender’s σ(i) σ(i) σ(i) (i) s (vN ||mN · wN ||MN ) identity by calculating H2(e(xmP,H1(msg) + u P) . The receiver in order to get the plaintexts does the ( j) following calculations for all MN :

4 SECURITY EVALUATION 0 ( j) p j = Dec ( j) (MN ) = Dec ( j) (Enc (i) (pi)) KR KR KR In this section we show that our mix provides security where j = 1,...,n, i = σ( j) and requirements of correctness, anonymity and eligibility. ( j) ( j) ( j) xN KR = H2(e(vN ,mN · wN ) ) 4.1 Correctness N−1 N−1 ( j) (i) ( j) (i) xN = H2(e( ∏ ak u1 P,mN ∏ bk u2 sP) ) k=1 k=1 First we prove that our scheme is correct concerning the mix process, the anonymous reply and also the and the symmetric key for R calculated by the sender process of anonymity revocation. Si: (i) u u(i) Definition 4.1. We call our mixnet correct, if for ev- KR = H2(e(PKR,sP) ) = H2(e(xNmP,sP) ) ery plaintext calculated by the receiver there is a cor- responding ciphertext in the input list of the mixnet. Thus using the bilinear property of mapping e the ( j) This means that every plaintext is a multiple decryp- receiver able to get a plaintext if and only if KR = tion of a ciphertext, and no two plaintexts are the mul- (i) 0 KR and then the plaintext of p j is pi. tiple decryptions of the same ciphertext. The anonymous reply works similarly to the The following theorem states that our mixnet is cor- message submission. In this case the sender is rect. R and the anonymous receiver is the sender Si Theorem 4.1. The proposed mix protocol is operat- who sent the message msg that is stored with ing correctly. asi P. In order to send the reply message Si cal- [(i) a culates H (K ) = H (H (e(PK ,sP) si )) = Proof. Each sender Si (where i = 1,...,n) sends a 1 N−1 1 2 MN−1 (i) (i) (i) (i) (i) N−1 as H1(H2(e(xN−1 ∏ m jP,sP) i )) and searches this triplet (v1 = u1 P||w1 = u2 sP||M1 ) to the first mix j=1 (i) on ββ. The list of messages contains values server M1. The third value M1 is an N-times encryption of the plaintext p which contains the mes- N−1 c(i) (i) sage msg of Si. M1 receives n triplets and M j (where vN = ∏ ak rsi asi P, j = 2,...,N − 1) receives a permutation of modified k=1 triplets from M j−1. The sender calculates the sym- N−1 metric keys for secure communication with all mix wd(i) = b(i)r−1sP, N ∏ k si server M j: k=1 j Md(i) = Enc (...(Enc (Enc (t)))) (i) u(i) u(i) N (i) (i) (i) K = H (e(PK ,sP) ) = H (e(x m P,sP) ) K[ Kd Kd j 2 M j 2 j ∏ k N−1 1 R k=1 (i) (i) (i) d j j −1 x j where Kj = H2(e(∏k=1 ak rsi asi P,∏k=1 bk rs sP) ) where j = 1,...,N − 1 and the mix server MJ (where i J = 1,...,N − 1) calculates this symmetric key: calculated by mix server M j. Due to the bilinear property of e these keys are the same J J keys as the sender Si calculates for M j: (i) (i) (i) (i) (i) xJ K = H2(e( a u P, b u sP) ) a j a J ∏ k 1 ∏ k 2 H (e(PK ,sP) si ) = H (e(x m P,sP) si ). k=1 k=1 2 M j 2 j ∏k=1 k Furthermore R calculates the symmetric key: Because of the bilinear property of mapping e the cor- −1 xN responding keys are the same if and only if j = J. KdR1 = H2(e(rsi asi P,rsi sP) )

242 BilinearPairing-basedHybridMixnetwithAnonymityRevocation

and Si calculates the symmetric key: An adversary is able to connect messages of the calculate the secret symmetric as input lists, if he can KdR = H2(e(xNP,sP) i ) (i) (i) 2 key i.e. K = H (e(PK ,sP)u ) = , he can calculate j 2 M j Mapping e has bilinear property so i (i) (i) xi ∏ j=1 m j H2(e(u1 P,u2 sP) ),where j = 1,...,N. −1 x a K = H (e(r a P,r sP) N ) = H (e(x P,sP) si ) PK = dR1 2 si si si 2 N The adversary has access to the public key Mi i xi ∏ j=1 m jP and the messages = KdR2 holds. Let us note that from the anonymous participants (i) (i) v1 = u1 P, only Si is able to calculate the necessary keys, since (i) (i) the secret value asi is need. w1 = u2 sP,

that are sent by Si. Since the BDHP is hard, (i) 4.2 Anonymity the adversary is not able to calculate Kj = i (i) (i) xi ∏ j=1 m j H2(e(u1 P,u2 sP) ). We consider static adversary in a semi-honest model. An adversary can connect messages of the input A model is called semi-honest, if the dishonest users lists, if he is able to find a relationship between M(i) follow the protocol and also keep a record of all in- j (i+1) termediate results. An adversary is static, if corrupted and M j . Since the MFGP is hard, this is not pos- players are specified at the beginning of the protocol, sible. they stay corrupted during the whole process and no The third way to match messages is to connect the (i) (i) (i) (i) new ones stand in with them. The adversary observes pairs (v j ,w j ) and (v j+1,w j+1). Since the problem all public information and possesses all attacked play- given in Definition 4.2 is hard, the adversary is not ers’ secret information (i.e. keys, permutation). successful. The anonymity property of our system says that an adversary who has access to corrupt players’ se- 4.3 Eligibility cret data and observes all the public information of the protocol including views of the registry and mix We assume a threat model, where senders during reg- servers, input ciphertexts and the shuffled list of out- istration and message submission are in a controlled put messages, cannot tell which message was sent by room, i.e. corrupt, eligible senders are not allowed which sender. We also assume, that there is at least to send messages (e.g. msg,s(H1(msg)),u(i)) to the one mix server and two senders that are not corrupted adversary. This case, the adversary should choose by the adversary, i.e. the secret permutation and secret (i) (i) (i) values (v1 ,w1 ,M1 ) such that, after the mix pro- keys are not revealed to the adversary, furthermore the (i) (i) registry and the receiver do not collude. cess the receiver could find µi = e(vN ,mN · wN ) · (i) s In order to give the proof, we assume, that the follow- e(sH1(msg),mP) = e(mP,H1(msg) + u P) on ββ. ing problem in (G1,G2,e) is hard. Assuming that short signature generation without the Definition 4.2. For every r,r ,r ,r ,r ∈ Z∗ knowledge of the secret key is hard, the attacker can- 1 2 3 4 q not calculate the correct triplet, hence cannot submit given P,rP ∈ G and (V ,W ), (V ,W ), 1 0 0 1 1 messages to the mix network to be successful. (r1Vb,r2Wb),(r3Vb¯ ,r4Wb¯ ), where r1r2 = r3r4 = r, the problem is to output b ∈ {0,1}. Let us review the Matching Find-Guess Problem (MFGP) (Fujisaki and Okamoto, 1999). 5 PROPERTIES Definition 4.3. Matching Find-Guess (MFG) Prob- We also examined the time and space complexity of lem (Fujisaki and Okamoto, 1999) our solution and compared it to the identity-based For every plaintexts x0,x1 and for every symmetric scheme proposed by Zhong (Zhong, 2009). His keys K0,K1 given (EncK0 (x0),EncK1 (x1),xb,xb), the scheme is also based on bilinear pairings and imple- problem is to output b ∈ {0,1}. ments a mix network, as ours. We denoted the opera- Studying the proposed mix network, one can see, tions as follows: additions in G1 (ADD), scalar mul- that the identity of a sender cannot be retrieved, since tiplications of elements in G1 (SMU), multiplication the attacker cannot connect messages of the input lists in G2 (MUL), bilinear maps (BMP) and divisions in of Mi and Mi+1. because the attacker is not able to G2 (DIV). First we compare the number of that oper- solve the MFGP, or the BDHP or the problem given ations which provided by both systems: submitting, in Definition 4.2. mixing and receiving messages.

243 ICISSP2015-1stInternationalConferenceonInformationSystemsSecurityandPrivacy

The following tables contain the number of the calcu- 6 CONCLUSION AND FUTURE lations of the participants. WORK Sender (#n) SMU MUL BMP ADD IB mix 2 1 1 1 In this paper we proposed a bilinear pairing-based hy- Our mix 3 0 N 0 brid mix and its security and efficiency evaluation. Mix servers (#N − 1) ADD MUL SMU BMP We proved, that the participants could send messages IB mix n n 2n 2n in an anonymous way and if it is necessary the real Our mix 0 0 3n n identity can be revoked after a certain deadline by the Receiver ADD MUL SMU BMP DIV collaboration of the receiver and the mix servers. IB Mix n (n+N-1) 2n 2n n Our mix also provides the possibility of eligibil- Our mix 0 0 2n n 0 ity verification, that is an important service in case of In our system the sender performs more calcula- anonymous communication. tions, since symmetric keys are generated for encrypt- Furthermore, our mix network allows anonymous ing arbitrary long messages, that is not provided in reply, in a way that the sender’s identity still remains (Zhong, 2009). Nevertheless, both the receiver’s and secret. the mix calculations are more efficient in our case. Finally, this is a hybrid mix, making possible We should mention, that in case of cascade mixnets of transmitting messages with arbitrary length. We the first server starts its operation only if it receives could think of either an e-voting application where the enough number of messages. Basically, the efficiency messages are usually short, or an e-exam application of a mix depends on the computations made by the where the messages could be short or long, as well. servers and the receivers. In the future we plan to give a formal security evaluation for anonymity and eligibility and examine how Compare to Zhong’s system we provide additional our hybrid mix can be applied for one the most com- and optional services: anonymous reply, eligibility plicated applications, for an e-exam. and revocation. The process and the cost of the reply are similar to the message submission. In our solution the sender’s eligibility is provided by the signature of the registration authority RA and ACKNOWLEDGEMENT the value µi on ββ. The extra cost of eligibility verification is for the senders: 1 SMU, 2 BMP, 1 ADD and The publication was supported by the TAMOP-´ 1 ADDINV (additive inverse in G1) calculations, for 4.2.2.C-11/1/KONV-2012-0001 project. The project the registration authority: n SMU and 2n BMP cal- has been supported by the European Union, co- culations and for the receiver: 4n BMP calculations, financed by the European Social Fund. The author is n MUL and n SMU, (where n is the number of the also supported by the Hungarian National Foundation senders thus the number of the messages). for Scientific Research Grant No. NK 104208. We provide anonymity revocation, as well. If the senders are not cooperative, then the receiver R and the mix servers together retrieve the senders’ identi- REFERENCES ties, that costs n EXP (exponentiation in G2) calculations for the receiver and for each server. Boldyreva, A. (2003). Threshold signatures, multisigna- The overall space complexity of the communica- tures and blind signatures based on the gap-diffie- tion is the following: hellman-group signature scheme. In Proceedings of the 6th International Workshop on Theory and Prac- κ bits security params tice in Public Key Cryptography: Public Key Cryp- IB mix (3N − 2)κn tography, PKC ’03, pages 31–46, London, UK, UK. Our mix 3Nκn Springer-Verlag. It is shown that our mix is capable of handling ar- Boneh, D. and Franklin, M. K. (2001). Identity-based encryption from the weil pairing. In Proceedings of the bitrary long messages in an efficient way with 2κn 21st Annual International Cryptology Conference on extra space. Advances in Cryptology, CRYPTO ’01, pages 213– 229, London, UK, UK. Springer-Verlag. Chaum, D. L. (1981). Untraceable electronic mail, return addresses, and digital pseudonyms. Commun. ACM, 24(2):84–90. Danezis, G., Dingledine, R., Hopwood, D., and Mathewson, N. (2003). Mixminion: Design of a type iii anony-

244 BilinearPairing-basedHybridMixnetwithAnonymityRevocation

mous remailer protocol. In In Proceedings of the 2003 Mitomo, M. and Kurosawa, K. (2000). Attack for flash IEEE Symposium on Security and Privacy, pages 2– mix. In In Advances in Cryptology - ASIACRYPT 15. 2000, LNCS, pages 192–204. Springer-Verlag. Desmedt, Y. and Kurosawa, K. (2000). How to break a Neff, C. A. (2001). A verifiable secret shuffle and its ap- practical mix and design a new one. plication to e-voting. In Proceedings of the 8th ACM Federrath, H., Jerichow, A., and Pfitzmann, A. (1996). Conference on Computer and Communications Secu- Mixes in mobile communication systems: Location rity, CCS ’01, pages 116–125, New York, NY, USA. management with privacy. In Proceedings of the First ACM. International Workshop on Information Hiding, pages Ohkubo, M. and Abe, M. (2000). A length-invariant hybrid 121–135, London, UK, UK. Springer-Verlag. mix. In Okamoto, T., editor, ASIACRYPT, volume Fujisaki, E. and Okamoto, T. (1999). Secure integration 1976 of Lecture Notes in Computer Science, pages of asymmetric and symmetric encryption schemes. In 178–191. Springer. Proceedings of the 19th Annual International Cryptol- Parekh, S. (1996). Prospects for remailers. First Monday, ogy Conference on Advances in Cryptology, CRYPTO 1(2). ’99, pages 537–554, London, UK, UK. Springer- Pfitzmann, A., Pfitzmann, B., and Waidner, M. (1991). Verlag. Isdn-mixes: Untraceable communication with very Goldschlag, D. M., Reed, M. G., and Syverson, P. F. (1996). small bandwidth overhead. In In Proceedings of the Hiding routing information. In in Information Hiding, GI/ITG Conference on Communication in Distributed pages 137–150. Springer-Verlag. Systems, pages 451–463. Springer-Verlag. Golle, P., Jakobsson, M., Juels, A., and Syverson, P. Sako, K. and Kilian, J. (1995). Receipt-free mix-type voting (2002). Universal re-encryption for mixnets. In scheme: A practical solution to the implementation of IN PROCEEDINGS OF THE 2004 RSA CONFER- a voting booth. In Proceedings of the 14th Annual In- ENCE, CRYPTOGRAPHERS TRACK, pages 163– ternational Conference on Theory and Application of 178. Springer-Verlag. Cryptographic Techniques, EUROCRYPT’95, pages Gulcu, C. and Tsudik, G. (1996). Mixing email with babel. 393–403, Berlin, Heidelberg. Springer-Verlag. In Symposium on Network and Distributed System Se- Sampigethaya, K. and Poovendran, R. (2006). A survey on curity, pages 2–16. mix networks and their secure applications. Proceed- Huang, L., Yamane, H., Matsuura, K., and Sezaki, K. ings of the IEEE, 94(12):2142–2181. (2006). Silent cascade: Enhancing location privacy Syverson, P. F., Goldschlag, D. M., and Reed, M. G. without communication qos degradation. In Clark, (1997a). Anonymous connections and onion routing. J. A., Paige, R. F., Polack, F., and Brooke, P. J., edi- In Proceedings of the 1997 IEEE Symposium on Secu- tors, SPC, volume 3934 of Lecture Notes in Computer rity and Privacy, SP ’97, pages 44–, Washington, DC, Science, pages 165–180. Springer. USA. IEEE Computer Society. Jakobsson, M. (1998). A practical mix. In Advances in Syverson, P. F., Goldschlag, D. M., and Reed, M. G. Cryptology - EUROCRYPT ’98, International Confer- (1997b). Protocols using anonymous connections: ence on the Theory and Application of Cryptographic Mobile applications. In in Security Protocols: Techniques, Espoo, Finland, May 31 - June 4, 1998, Fifth International Workshop, pages 13–23. Springer- Proceeding, pages 448–461. Verlag. Jakobsson, M. and Juels, A. (2001). An optimally robust Verheul, E. R. (2001). Evidence that xtr is more secure hybrid mix network. PODC’01. than supersingular elliptic curve cryptosystems. In J. Jakobsson, M., Juels, A., and Rivest, R. L. (2002). Making Cryptology, pages 195–210. Springer-Verlag. mix nets robust for electronic voting by randomized Zhong, S. (2009). Identity-based mix: Anonymous commu- partial checking. In Proceedings of the 11th USENIX nications without public key certificates. Computers Security Symposium, pages 339–353, Berkeley, CA, & Electrical Engineering, (5):705–711. USA. USENIX Association. Jerichow, A., Mller, J., Pfitzmann, A., Pfitzmann, B., and Waidner, M. (1998). Real-time mixes: a bandwidth- efficient anonymity protocol. IEEE Journal on Se- lected Areas in Communications, pages 495–509. Joux, A. (2000). A one round protocol for tripartite diffie- hellman. In Proceedings of the 4th International Sym- posium on Algorithmic Number Theory, ANTS-IV, pages 385–394, London, UK, UK. Springer-Verlag. Markus, J. and Ari, J. (1999). Millimix: Mixing in small batches. Technical report. Michels, M. and Horster, P. (1996). Some remarks on a receipt-free and universally verifiable mix-type voting scheme. In Kim, K. and Matsumoto, T., editors, ASI- ACRYPT, volume 1163 of Lecture Notes in Computer Science, pages 125–132. Springer.

245