Lecture 20: Verifiable Mix­nets Two­by­two Verifiable Mixes

Observed that the above expression is a conjunction of four disjunctions. We will give a protocol which allows the prover to prove a single disjunction. The prover can then prove the entire expression by separately proving that each of the four disjunctions is true. First we recall from last lecture the Chaum­Pedersen honest zero knowledge protocol for proving that two El Gamal ciphertexts, C1 = (α1, β1) = (g,m1 · yt) and C � = (α1 , β1 ) 1 = (g,m1 · yu) have the same plaintext (where the prover knows the re­encryption factor, v = u− t).2 Let (a1, a2, b1, b2) be the quadruple (g, y, (α1 /α1), (β1 /β1)) = (g, y, g Then m1 v , (m1 � /m1)· yv ). = m2 if and only if loga1 (b1) = loga2 (b2) = v. (Proof left as an easy exercise.) To prove equality, use the following protocol: