Hello everyone, welcome to this talk for PKC 2020! I am Chloé Hébant and I will present a new construction of mixnet from linearly homomorphic signatures. This is a joint work with Duong Hieu Phan and David Pointcheval.

To begin, what is a mixnet? You are a server and you receive different ciphertexts. You mix them together and output the result. You already obtain a mixnet. But the name comes from "mix network", and it's more interesting when you have successive servers applying mixes, because the goal is to hide the global permutation between the first input and the last output. To work, at least one mix-server must be honest. This paper proposes a new construction of a scalable mixnet, which we define by a verification cost of the permutation independent of the number of mix-servers.

The most famous use case of mixnets is the electronic voting scheme. So you have a voter who encrypts his vote and puts it in a ballot box. Then the ballot box is sealed and mixed. As no link between a voter and his vote is now possible, you can decrypt all the votes and publish the result. Of course, one needs some guarantees. Only authorized voters must be able to vote and the ballot must be unforgeable. The second property is that two ballots in a ballot box must be indistinguishable, that means one cannot recognize the vote of someone. As the ballot box must be sealed, one cannot add, delete or modify a ballot after the voting phase. Finally, the result must be publicly verifiable.

For the mix, this implies two security notions, which are the soundness, which corresponds to the correctness of the scheme, and the unlinkability property, which represents the anonymous part. For the soundness, one needs to have the guarantee that the last output is actually a permutation of the first input. Whereas for the unlinkability, we ask that two ciphertexts in the input of a mix-server are unlinkable to two ciphertexts in the output of the mix-server, and thus in the input of the next mix-server.
Now, I will present the ideas behind our construction. I will present the ballot. Informally, it must contain the right to vote of a voter, the vote and the signature of the vote by the voter. In practice, the right to vote will be a signature by an authority of the public key of the voter. So, the voter has sk_i and vk_i, and the signature big sigma_i on vk_i is obtained by the authority. Then, the voter encrypts his vote with a common public encryption key and signs it with his secret key. So, c_i is the encryption of m_i and the signature little sigma_i on c_i is signed with sk_i. The ballot is thus composed of vk_i, big sigma_i, c_i and little sigma_i, where c_i is the message of the signature little sigma and vk_i is the message of the signature big sigma. At the same time, it is a verification key of little sigma. The initial ballot box is simply composed of all the ballots.

The mix is composed of two steps. In the first one, all the parts of the ballot must be modified so that it cannot link the votes to the I anymore. It is the randomization part. Then, the mix-server chooses the permutation and mixes all the randomized ballots together. The output of the mix-server is then the combination of the randomization and the permutation.

Go back to our ballot. To randomize it, one must read vk'_i, big sigma'_i, c'_i and little sigma'_i. It will be in three steps. The simplest one is by using a randomizable ciphertext, as ElGamal for example: one can randomize c_i into c'_i. And as the signatures we use for little sigma and big sigma are linearly homomorphic signatures, little sigma can be adapted according to the operations we have made for c_i. Similarly, we will randomize vk_i into vk'_i and update big sigma accordingly by homomorphism. The last step concerns little sigma because it is a signature of c_i under the sk_i of the voter. If I change vk_i into vk'_i, one must be able to transform little sigma_i into a signature of c'_i, but it's already done by the first point.
And an implicit sk'_i, which means verifiable with vk'_i.

Let's see some details. To randomize the ballot, one needs randomizable ciphertexts such as ElGamal and adaptable signatures such as linearly homomorphic signatures. I will now present these two elements.

By combining an encryption of m and an encryption of 1, it is possible to obtain a fresh encryption of m. In ElGamal, the encryption of m is (g^r, m times ek^r) and the encryption of 1 is (g^r', ek^r'). Thus, the product between an encryption of m and an encryption of 1 is a new encryption of m. c_i will thus be an ElGamal encryption of the vote and c_0 will be a global parameter common to all the ballots.

For the signature, we will use linearly homomorphic signatures because they can have interesting properties. I will not enter into details, but just give a flavor of the relations one needs to adapt little sigma and big sigma in our construction. The two classical properties are message homomorphism and key homomorphism. The first one is: given a valid signature of m, the signature to the power alpha is a valid signature of m to the power alpha. And the second property: given a valid signature verifiable with vk_i, the signature to the power beta is also a valid signature with vk_i to the power beta as verification key.

Suppose you have m, a vector m_1 to m_n, and a secret key sk, sk_1 to sk_n, and the signature sigma is the product of all the m_i to the power sk_i. If you construct sigma to the power alpha, then you obtain a signature still under sk but this time on the message m to the power alpha. But you can also have a signature to the power beta, which is a signature of m but this time under the secret key beta sk. These two properties are the message homomorphism for the first one and the key homomorphism for the second one.

In our ballot, one must construct c'_i, and little sigma'_i is in two parts because now we also have the signature sigma_i,0 of c_0 under the secret key of the voter. I recall that c_0 can be viewed as a global parameter.
The encrypted vote is an ElGamal encryption, and c'_i is c_i times c_0 to the power alpha. The first part of little sigma' is the first part of little sigma to the power beta times the second part to the power alpha beta, with beta the randomness used for the randomization of the verification key. We apply here the message and key homomorphism properties. Then the second part of little sigma' is simply the second part to the power gamma, so just the message homomorphism here. And for the verification key, vk'_i is vk_i to the power beta, and we modify big sigma accordingly by the message homomorphism property.

However, big sigma corresponds to the right to vote, so if I take two authorized voters I can construct a new vk from them and create a fake new authorized voter with a new big sigma. Of course it must not be possible, and to avoid that we use linearly homomorphic signatures with tags, and now the combinations of signatures are authorized only if they are on the same tag. This restriction applies to the two properties we have seen, the message homomorphism and the key homomorphism. But one needs to have a third property that we call tag randomizability: by transforming the tag tau into tau', one must be able to adapt big sigma. This is due to the presence of tau in the ballot: one needs to randomize it so as not to link the voter.

In fact, the tag will be in two parts, a private one and a public one. The private one is only known by the authority, to give the right to vote to a voter, whereas the public tag is put in the ballot and must be randomized. Big SK is the secret key of the authority and, it is simplified for this presentation, but big sigma will be this time the product of all the m_i to the power SK_i times tau tilde. Thus big sigma to the power delta can be viewed as a signature of m still under big SK but this time under delta tau tilde.
To our knowledge, only one scheme was modifiable to allow the tag randomizability property, and it was the structure-preserving signatures on equivalence classes of Fuchsbauer, Hanser and Slamanig, proved in the generic bilinear group model, so our construction of mixnet is proved in this model.

Go back to the view of the ballot, which is composed of vk_i, tau_i, big sigma_i, c_i and little sigma_i. We have already seen that the transformation of a ballot is in three steps, and now one needs to see the link between these steps and the presented properties of the two linearly homomorphic signature schemes, one with tags and one without. In the first step we randomize the ciphertext c_i and we adapt little sigma_i with the message homomorphism. Because the verification key corresponds to the message of big sigma, in the second step we randomize the key and by message homomorphism one can adapt big sigma. But one also needs to randomize the tag, and we can adapt big sigma again with the tag randomizability property. Finally, by the key homomorphism property one can adapt little sigma so that little sigma will be valid with the verification key vk'_i. You can now pause the video if you want to see the figure of our high-level construction.

It was beautiful, I know, but this construction is not secure, so the practical construction was a little bit trickier. I will in this last part just give a flavor of the details we had to solve.

We call the first one expanded vectors. Instead of signing the encryption of the vote, one must first add an element to break a simple attack. Indeed, with message homomorphism one can adapt little sigma from any combination of c_i and c_0. But c_i to the power mu is no longer an encryption of m. So can we modify a vote after the voting phase? Of course, no. And to solve that, we can consider c_i as a vector of g and the ElGamal encryption of m_i, and c_0 as a concatenation of 1 and the encryption of 1.
With that, if the first element of c'_i is g, then the power of c_i was 1 and the vote was not modified.

The second difficulty is called legitimate ballots. To be sure that the first mixer cannot modify a ballot of its choice by replacing it by a vote of someone else for example, even if it was authorized, we add a Diffie-Hellman proof that the product of all the verification keys in the output of a server is the power of the initial verification key present in the initial ballot box. Now the mixer cannot modify the vote as it wants.

The third point is multiple servers. For the soundness property we require that the last output is indeed a permutation of the first input. However, if the last mixer simply ignores the previous mixes and produces a permutation from the initial ballot box, it knows the link between the voters and the result and the vote of the vote and breaks the anonymity. To avoid that, each mixer must sign his mix, and at the end one can verify that all the chain of mixes was correct.

Finally, the last point I want to present is called non-trivial transformation. During the talk I said for simplicity that vk'_i is equal to vk_i to the power beta. But as we work with pairings, and vk_i lives in G2 and little sigma is in G1, these two simple randomizations cannot provide unlinkability. I refer to the paper to see how we solve this problem.

The goal of this paper is to have a compact verification, but during the problem section I said one needs different proofs and signatures from the mix-servers. To have a cost of verification independent of the number of mixes, a solution is to aggregate all the proofs into a unique one. This can be done by using Groth-Sahai proofs. And for the mix-server signatures, by a second one, one can create a global multi-signature for which a server accepts to cooperate if and only if his mix is considered in the chain. They can check that by verifying their signature.
At the end, the verification of a vote can be independent of the number of mixes.

Just to recap, we saw the definition of linearly homomorphic signature schemes with three specific properties: the message homomorphism, the key homomorphism and the tag randomizability. And with that, how to construct a scalable mixnet. Thank you for watching this video, stay safe and see you in a future conference. Bye.
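
The re-randomization c'_i = c_i times c_0^alpha and the "expanded vectors" check described in the talk, as an added example that is not part of the talk or the paper's code. The tiny group, the keys and all function names are assumptions made for illustration, and the simplified signature is checked here by recomputing it with the secret key rather than with pairings.

```python
# Added illustration; toy group (constructed, far too small for real use):
# P = 2Q + 1 is a safe prime, G generates the subgroup of prime order Q.
P, Q, G = 1019, 509, 4

def vec_mul(a, b):
    return tuple(x * y % P for x, y in zip(a, b))

def vec_pow(a, e):
    return tuple(pow(x, e, P) for x in a)

def expanded_ballot(ek, m, r):
    # c_i = (g, g^r, m * ek^r): g prepended to the ElGamal encryption of m
    return (G, pow(G, r, P), m * pow(ek, r, P) % P)

def expanded_c0(ek, r0):
    # c_0 = (1, g^r0, ek^r0): 1 prepended to an encryption of 1
    return (1, pow(G, r0, P), pow(ek, r0, P))

def decrypt(dk, c):
    # m = b / a^dk; a lies in the order-Q subgroup, so a^(Q - dk) = a^(-dk)
    return c[2] * pow(c[1], Q - dk, P) % P

def sign(sk, msg):
    # Simplified signature from the talk: sigma = prod_j msg_j ^ sk_j
    sigma = 1
    for m_j, sk_j in zip(msg, sk):
        sigma = sigma * pow(m_j, sk_j, P) % P
    return sigma

def mix(c_i, sig_i, c_0, sig_0, alpha, mu=1):
    # Honest server: mu = 1. Message homomorphism adapts sigma for ANY mu.
    c_new = vec_mul(vec_pow(c_i, mu), vec_pow(c_0, alpha))
    sig_new = pow(sig_i, mu, P) * pow(sig_0, alpha, P) % P
    return c_new, sig_new

def power_was_one(c_new):
    # Expanded-vector check: first coordinate is g^mu, equal to g only if mu = 1
    return c_new[0] == G

def demo():
    dk, sk = 123, (11, 22, 33)           # constructed decryption / signing keys
    ek, m = pow(G, dk, P), pow(G, 7, P)  # vote encoded as a group element
    c_i, c_0 = expanded_ballot(ek, m, 45), expanded_c0(ek, 67)
    sig_i, sig_0 = sign(sk, c_i), sign(sk, c_0)
    honest = mix(c_i, sig_i, c_0, sig_0, alpha=89)
    altered = mix(c_i, sig_i, c_0, sig_0, alpha=89, mu=2)
    return dk, sk, m, c_i, honest, altered

if __name__ == "__main__":
    print(demo())
```

With mu = 2 the adapted signature still matches the altered ciphertext, which now decrypts to m^2, and only the first coordinate of the expanded vector reveals that the vote was changed.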