Universal Re-encryption for Mixnets

  • Philippe Golle
  • Markus Jakobsson
  • Ari Juels
  • Paul Syverson
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2964)


We introduce a new cryptographic technique that we call universal re-encryption. A conventional cryptosystem that permits re-encryption, such as ElGamal, does so only for a player with knowledge of the public key corresponding to a given ciphertext. In contrast, universal re-encryption can be done without knowledge of public keys. We propose an asymmetric cryptosystem with universal re-encryption that is half as efficient as standard ElGamal in terms of computation and storage.

While technically and conceptually simple, universal re-encryption leads to new types of functionality in mixnet architectures. Conventional mixnets are often called upon to enable players to communicate with one another through channels that are externally anonymous, i.e., that hide information permitting traffic-analysis. Universal re-encryption lets us construct a mixnet of this kind in which servers hold no public or private keying material, and may therefore dispense with the cumbersome requirements of key generation, key distribution, and private-key management. We describe two practical mixnet constructions, one involving asymmetric input ciphertexts, and another with hybrid-ciphertext inputs.


anonymity mix networks private channels universal re-encryption 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Bellare, M., Boldreva, A., Desai, A., Pointcheval, D.: Key-privacy in public-key encryption. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 566–582. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  2. 2.
    Boneh, D.: The Decision Diffie-Hellman problem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 48–63. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  3. 3.
    Chaum, D.: Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM 24(2), 84–88 (1981)CrossRefGoogle Scholar
  4. 4.
    Cottrell, L.: Mixmaster & remailer attacks (1995), Available on the web at
  5. 5.
    de Santis, A., di Crescenzo, G., Persiano, G., Yung, M.: On monotone formula closure of SZK. In: Proc. of FOCS 1994, pp. 454–465. IEEE Press, Los Alamitos (1994)Google Scholar
  6. 6.
    Furukawa, J., Sako, K.: An efficient scheme for proving a shuffle. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 368–387. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  7. 7.
    ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory 31, 469–472 (1985)zbMATHCrossRefMathSciNetGoogle Scholar
  8. 8.
    Goldwasser, S., Micali, S.: Probabilistic encryption. J. Comp. Sys. Sci 28(1), 270–299 (1984)zbMATHCrossRefMathSciNetGoogle Scholar
  9. 9.
    Jakobsson, M., Juels, A.: Millimix: Mixing in small batches, DIMACS Technical Report 99-33 (June 1999)Google Scholar
  10. 10.
    Jakobsson, M., Juels, A.: An optimally robust hybrid mix network. In: Proc. of PODC 2001, pp. 284–292. ACM Press, New York (2001)CrossRefGoogle Scholar
  11. 11.
    Jakobsson, M., Juels, A., Rivest, R.: Making mix nets robust for electronic voting by randomized partial checking. In: Proc. of USENIX Security 2002, pp. 339–353 (2002)Google Scholar
  12. 12.
    Juels, A., Pappu, R.: Squealing euros: Privacy protection in RFID-enabled banknotes. In: Wright, R.N. (ed.) FC 2003. LNCS, vol. 2742, pp. 103–121. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  13. 13.
    Neff, A.: A verifiable secret shuffle and its application to e-voting. In: Proc. of ACM CCS 2001, pp. 116–125. ACM Press, New York (2001)Google Scholar
  14. 14.
    Reed, M., Syverson, P., Goldschlag, D.: Protocols using anonymous connections: mobile applications. In: Christianson, B., Lomas, M. (eds.) Security Protocols 1997. LNCS, vol. 1361, pp. 13–23. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  15. 15.
    Sarma, S.: Towards the five-cent tag. Technical Report MIT-AUTOID-WH-006, MIT Auto ID Center (2001), Available from
  16. 16.
    Sarma, S., Weis, S., Engels, D.: RFID systems and security and privacy implications. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 454–469. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  17. 17.
    Schnorr, C.-P.: Efficient signature generation by smart cards. Journal of Cryptology 4(3), 161–174 (1991)zbMATHCrossRefMathSciNetGoogle Scholar
  18. 18.
    Shoup, V.: A proposal for an iso standard for public key encryption (version 2.1) (December 20, 2001) (manuscript)Google Scholar
  19. 19.
    Tsiounis, Y., Yung, M.: On the security of ElGamal-based encryption. In: Imai, H., Zheng, Y. (eds.) PKC 1998. LNCS, vol. 1431, pp. 117–134. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  20. 20.
    Yoshida, J.: Euro bank notes to embed RFID chips by 2005. EE Times, December 19 (2001), Available at

Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Philippe Golle
    • 1
  • Markus Jakobsson
    • 2
  • Ari Juels
    • 2
  • Paul Syverson
    • 3
  1. 1.Stanford University 
  2. 2.RSA LaboratoriesBedfordUSA
  3. 3.Naval Research Laboratory 

Personalised recommendations