A prototypical implementation of a protocol for mixing networks that allows a consortium of trusted parties to recover the identities of anonymized users.
The consortium uses threshold cryptography to decrypt deanonymization secrets published by the mix peers providing the mixing service.
During the mixing operation, the mix peers prove the validity of the encrypted deanonymization secrets by performing a number of zero-knowledge proofs of knowledge (ZKPoK). An important building block in our proof construction is A commitment-consistent proof of a shuffle by D. Wikström (2009).
The protocol is applicable to partially dishonest mixing networks (and consortiums):
For any
Aside from the python packages in requirements.txt (install using $ pip install -r requirements.txt), the following packages must be installed beforehand (as they are required for installing gmpy2):
$ sudo apt-get install -y python3.8-dev libmpfr-dev libmpc-dev libgmp-dev (for modern Ubuntu systems)
Package names should be similar for other distributions.
The script mixnet_execution.sh performs a full execution of the protocol:
- Consortium: Perform distributed key generation (DKG)
- Mixing Network: Initialize and perform DKG
- Mixing Network: Submit user inputs
- Mixing Network: Perform shuffle and decrypt permuted outputs
- Consortium: Recover original user inputs using deanonymization secrets escrowed by mix peers
Several parameters for the consortium and the mixing network can be controlled via environment variables:
NUM_CONSORTIUMPEERS: Number of peers in the consortium network (default = 4)NUM_MIXPEERS: Number of mix peers participating in the shuffle (default = 4)NUM_INPUTS: Number of user inputs submitted to the mixing network (default = 4)NUM_MALICIOUS_DKG: Number of malicious peers to simulate during the execution of the DKG protocols (consortium & mixing network, default = 0)NUM_MALICIOUS_THRES: Number of malicious peers to simulate during the threshold decryption steps (consortium & mixing network, default = 0)SINGLE_RECOVERY: If set, enables a special mode that allows the deanonymization of a single user (default = off)SKIP_CONSORTIUM_DKG: If set, use precomputed keys for the consortium (for up to 47 peers, default = off)
| Module | Description |
|---|---|
| zkps.py | Contains methods for producing ZKPoK's used in our proof construction. |
| shuffle.py | An implementation of Wikström's Commitment-Consistent Proof of a Shuffle, as well as our construction for a Proof of Escrow. |
| elgamal.py | Convenience functions for working with ElGamal Ciphertexts. |
| dkg.py | Implements the protocol for distributed key generation and threshold decryption (based on ElGamal). |
| mixnet.py | Protocol logic for the mix peers. |
| consortium.py | Protocol logic for the consortium. |
| settings.py | Contains public cryptographic parameters shared by the consortium & mix peers. |
The communication with and between peers is handled by the modules peer.py, mixnet_web.py and consortium_web.py. A CLI tool provided in mixnet_cli.py aids in issuing commands and submitting input to the peers.
Additional scripts in eval.py, aggregate.py and plot.py were used to run evaluations, aggregate timing data and generate plots for different configurations.
This work is licensed under a Creative Commons Attribution 4.0 International License.
