A certified-input mixnet introduced by Hébant et al.  (PKC ’20) employs homomorphically signed ciphertexts to reduce the complexity of shuffling arguments. However, the state-of-the-art construction relies on heavy Groth-Sahai proofs for key homomorphism, and only achieves honest-user security, limiting broader applicability. This work proposes a novel certified-input mixnet achieving stronger security guarantees, alongside better efficiency. This is achieved by introducing a tailored signature scheme, two-party mercurial signatures on randomizable ciphertexts, that allows users and an authority to jointly sign ciphertexts supporting key, ciphertext, and signature randomization without compromising integrity and privacy. We compare our approach to previous works that employ structured ciphertexts, implement our protocols, and provide performance benchmarks. Our results show that verifying the mixing process for 50,000 ciphertexts takes just 135 s on a commodity laptop using ten mixers, underscoring the practicality and efficiency of our approach.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

A Certified-Input Mixnet from Two-Party Mercurial Signatures on Randomizable Ciphertexts

  • Masayuki Abe,
  • Masaya Nanri,
  • Miyako Ohkubo,
  • Octavio Perez-Kempner,
  • Daniel Slamanig,
  • Mehdi Tibouchi

摘要

A certified-input mixnet introduced by Hébant et al.  (PKC ’20) employs homomorphically signed ciphertexts to reduce the complexity of shuffling arguments. However, the state-of-the-art construction relies on heavy Groth-Sahai proofs for key homomorphism, and only achieves honest-user security, limiting broader applicability. This work proposes a novel certified-input mixnet achieving stronger security guarantees, alongside better efficiency. This is achieved by introducing a tailored signature scheme, two-party mercurial signatures on randomizable ciphertexts, that allows users and an authority to jointly sign ciphertexts supporting key, ciphertext, and signature randomization without compromising integrity and privacy. We compare our approach to previous works that employ structured ciphertexts, implement our protocols, and provide performance benchmarks. Our results show that verifying the mixing process for 50,000 ciphertexts takes just 135 s on a commodity laptop using ten mixers, underscoring the practicality and efficiency of our approach.