Harvard Theory of Computation Seminar
How to Shuffle in Public
Ben Adida, Harvard
Place and Time: Monday, December 4, Maxwell Dworkin 319
Refreshments at 2:30pm, talk at 2:45pm
ABSTRACT
In open-audit election protocols, there is typically a publicly-verifiable
anonymization step, often implemented by a mixnet.
Identified encrypted votes are shuffled and re-randomized by a sequence of
mix servers. Each mix server performs its task in private and provides a
public proof of correct operation. Eventually, the mixnet produces
de-identified, decrypted votes.
In this work, we show how to shuffle in public: we obfuscate the
functionality of a mixnet in the public-key encryption setting, turning a
private shuffle into a public operation. Only verifiable decryption is left
as a private operation. We show implementations using distinct properties of
the BGN and Paillier cryptosystems.
Though not nearly as efficient as current mixnet protocols, shuffling in
public is particularly interesting for the process it enables: all
anonymization proofs can be carried out in advance, minimizing private
computation on election day. It is also interesting that a functionality as
complex as shuffling can be obfuscated at all.
(joint work with Douglas Wikström, ETH Zürich.)