The following is a selection of the implemented protocols. The implementation borrows techniques and ideas from many other research papers. We list only the papers that contain what we consider to be the key ideas for our implementation.
Random devices. We use /dev/urandom
by
default, which means different things on different
platforms, but any device can be used, e.g., a hardware
random number generator.
Pseudo-random Generators. We use SHA-256 on a random seed concatenated with a counter by default, but optionally one can use a provably secure pseudo-random generator based on the Decision Diffie-Hellman assumption in a multiplicative group. (Neither is patented.)
Default Signature Scheme. We use standard RSA signatures with SHA-256 as defined in PKCS #1 v2.1: RSA Cryptography Standard, but this is merely because we use the built-in library of the JDK. (Patent has expired.)
Default Cryptosystem for Secret Channels. We use Naor and Yung, Public-key Cryptosystems Provably Secure against Chosen Ciphertext Attacks, STOC 1990 to implement secret channels between the mix-servers. We use this as a labeled CCA2 secure cryptosystem in the random oracle model. (Any patent has expired.)
Joint key generation. This is done by direct use of Feldman, A practical scheme for non-interactive verifiable secret sharing, 28th FOCS, 1987. (Any patent has expired.)
(As explained in Gennaro, Jarecki, Krawczyk, Rabin, Secure Distributed Key Generation for Discrete-Log Based Cryptosystems, Journal of Cryptology 2007, this gives a slightly biased key, but this works fine.)
Threshold El Gamal. We use Yvo Desmedt, Yair Frankel: Threshold Cryptosystems, Crypto '89 to implement threshold decryption for El Gamal. We use C P Schnorr, Efficient identification and signatures for smart cards, Crypto '89, to make it secure against active adversaries. (Any patents on these have expired.)
Batch Proofs of Decryption. We use a form of the batching technique of Bellare, Garay, and Rabin, Batch Verification with Applications to Cryptography and Checking, LATIN '98, to speed up the proofs needed for verifiable decryption. (Not patented.)
Parallelization of Decryption. We also use a technique to optimistically fold the proofs for all parties into one before batch verification.
Joint Coin-Flipping. This is done by the standard share-and-recover protocol based on Pedersen, Non-interactive and information-theoretic secure verifiable secret sharing, Crypto '91. (Any patent on this has expired.)
Re-encryption Mix-Net. We use the re-encryption mix-net approach introduced by Park, Itoh, and Kurosawa, Efficient Anonymous Channel and All/Nothing Election Scheme, Eurocrypt '93, but our own proof of a shuffle. (Any patent has expired.)
Proofs of shuffles. We use the proof of a shuffle of Terelius and Wikström, Proofs of Restricted Shuffles, Africacrypt 2010. (Not patented.)
Pre-computed Proofs of shuffles. We optionally use the pre-computation technique from Wikström, Commitment-Consistent Proofs of Shuffles, ACISP 2009 to divide the Terelius-Wikström proof of a shuffle into a pre-computation part and an online part. (Not patented.)
Universal Verifiability (Fiat-Shamir Heuristic). We use Amos Fiat and Adi Shamir, How to Prove Yourself: Practical Solutions to Identification and Signature Problems Crypto '86 to turn interactive proofs into non-interactive ones. (Any patent has expired.)