Survey, analysis and re-evaluation - How efficient and secure a mix network can be

Abstract

The recent shuffling schemes usually claim strong security and much higher efficiency than their predecessors. It is illustrated that some of them are not so secure as they claim. Some of them are incomplete in correctness and may fail even if all the participants are honest and strictly follow the shuffling protocols. Moreover, all of the recent shuffling schemes employ some efficiency improving mechanisms (e.g. in parameter setting and choice of underlying primitives). Although the efficiency improving mechanisms are general techniques and are appliable to previous shuffling schemes, the recent shuffling schemes assume that only they themselves can employ the efficiency improving mechanisms while the previous shuffling schemes cannot use them. This assumption is obviously unfair. Moreover, some recent shuffling schemes even ignore very costly and necessary operations to claim high efficiency. The unfair efficiency analysis in the recent shuffling schemes raises a question: exactly how much of their efficiency advantage is due to their more advanced techniques (e.g. in shuffling proof) and how much of their efficiency advantage is achieved through unfair comparison with the previous shuffling schemes. As shuffling is the building block of mix network, our discovery leads to a question: exactly how secure and efficient a mix network can be. In this paper, we re-evaluate the shuffling schemes to answer this question.