Verifiable Shuffles: A Formal Model and a Paillier-based Efficient Construction with Provable Security ⋆

Lan Nguyen 1, Rei Safavi-Naini 1, Kaoru Kurosawa 2

1 School of Information Technology and Computer Science, University of Wollongong, Wollongong 2522, Australia. e-mail: {ldn01,rei}@uow.edu.au
2 Department of Computer and Information Sciences, Ibaraki University, 4-12-1 Nakanarusawa, Hitachi, Ibaraki, 316-8511, Japan. e-mail: kurosawa@cis.ibaraki.ac.jp

Abstract. We propose a formal security model for verifiable shuffles and a new efficient verifiable shuffle system based on the Paillier encryption scheme, and prove its security in the proposed model. The model is general: it can be extended to verifiable shuffle decryption and provides a direction for provable security of mix-nets.

Key words: privacy, verifiable shuffles, formal security model, mix-nets, Paillier public-key system.

1 Introduction

A shuffle takes an input list of ciphertexts and outputs a permuted and re-encrypted version of that list. Re-encryption can be defined for encryption systems such as the El Gamal and Paillier encryption systems: given a ciphertext c, it produces a fresh ciphertext c′ such that c and c′ correspond to the same plaintext m under the same public key.

The main application of shuffles, and the motivation for this study, is the construction of mix-nets, a cryptographic system introduced by Chaum [8] for providing communication unlinkability and anonymity. Mix-nets are among the most widely used systems for providing communication privacy, and have found applications in anonymous email systems [8], Web browsing

⋆ This paper is the extended version of the paper [35] presented at ACNS ’04.
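The following is an added worked example, not code from the paper or its authors, showing the two operations the introduction describes for the Paillier system: re-encryption (multiplying a ciphertext by an encryption of zero, which leaves the plaintext unchanged) and a shuffle that permutes a list of ciphertexts and re-encrypts every entry. The primes P and Q are toy values chosen for the example and give no security; the function names, the message list and the seed are likewise assumptions made here. The shuffle returns the permutation and re-encryption factors because those are exactly the secret witness a prover in a verifiable shuffle has to convince a verifier about without revealing them.

```python
"""Toy Paillier re-encryption and shuffle (added example; not the paper's own code)."""
import math
import random
from typing import List, Optional, Tuple

# Toy primes: fine for illustration, useless for security (real keys use 1024-bit+ primes).
P, Q = 10007, 10009


def keygen(p: int = P, q: int = Q) -> Tuple[Tuple[int, int], Tuple[int, int, int]]:
    """Return (public key (n, g), private key (n, lambda, mu)) with g = n + 1."""
    n = p * q
    g = n + 1
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # Carmichael function lambda(n)
    n2 = n * n
    # L(u) = (u - 1) / n ;  mu = L(g^lambda mod n^2)^-1 mod n
    mu = pow((pow(g, lam, n2) - 1) // n, -1, n)
    return (n, g), (n, lam, mu)


def random_unit(n: int, rng) -> int:
    """Random element of Z_n^* (gcd with n is 1)."""
    while True:
        r = rng.randrange(2, n)
        if math.gcd(r, n) == 1:
            return r


def encrypt(pk: Tuple[int, int], m: int, r: Optional[int] = None, rng=random) -> int:
    """Paillier encryption: c = g^m * r^n mod n^2."""
    n, g = pk
    assert 0 <= m < n, "plaintext must lie in Z_n"
    n2 = n * n
    if r is None:
        r = random_unit(n, rng)
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def reencrypt(pk: Tuple[int, int], c: int, s: Optional[int] = None, rng=random) -> int:
    """Re-encryption: c' = c * s^n mod n^2, i.e. c multiplied by Enc(0; s).

    The plaintext is unchanged; only the randomness moves from r to r*s.
    """
    n, _ = pk
    n2 = n * n
    if s is None:
        s = random_unit(n, rng)
    return (c * pow(s, n, n2)) % n2


def decrypt(sk: Tuple[int, int, int], c: int) -> int:
    """m = L(c^lambda mod n^2) * mu mod n."""
    n, lam, mu = sk
    n2 = n * n
    return (((pow(c, lam, n2) - 1) // n) * mu) % n


def shuffle(pk: Tuple[int, int], cts: List[int], rng=random) -> Tuple[List[int], List[int], List[int]]:
    """Permute and re-encrypt a ciphertext list.

    Returns (output list, permutation pi, re-encryption factors): output position i
    holds a re-encryption of input cts[pi[i]]. pi and the factors are the prover's
    secret witness in a verifiable shuffle; only the output list is published.
    """
    k = len(cts)
    pi = list(range(k))
    rng.shuffle(pi)
    factors = [random_unit(pk[0], rng) for _ in range(k)]
    out = [reencrypt(pk, cts[pi[i]], factors[i]) for i in range(k)]
    return out, pi, factors


def witness_checks(pk, cts: List[int], out: List[int], pi: List[int], factors: List[int]) -> bool:
    """What a verifier who *were* given the witness would check: out[i] == cts[pi[i]] * s_i^n mod n^2."""
    n = pk[0]
    n2 = n * n
    return all(out[i] == (cts[pi[i]] * pow(factors[i], n, n2)) % n2 for i in range(len(cts)))


def demo(seed: int = 1) -> Tuple[bool, bool, bool]:
    """Shuffle a constructed message list and report three properties of the result."""
    rng = random.Random(seed)
    pk, sk = keygen()
    msgs = [5, 17, 42, 1000]                       # constructed sample plaintexts
    cts = [encrypt(pk, m, rng=rng) for m in msgs]
    out, pi, factors = shuffle(pk, cts, rng)
    same_plaintexts = sorted(decrypt(sk, c) for c in out) == sorted(msgs)
    # Every output ciphertext differs from every input one: s^n != 1 for s not 1 mod n,
    # and a ratio of two ciphertexts with different plaintexts is never an n-th residue.
    all_rerandomised = all(c not in cts for c in out)
    return same_plaintexts, all_rerandomised, witness_checks(pk, cts, out, pi, factors)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `(True, True, True)`: the output list decrypts to the same multiset of plaintexts, no output ciphertext matches an input one, and the witness relation holds. The verifiable-shuffle problem the paper addresses is to convince a verifier of the first property without handing over `pi` and the factors that `witness_checks` relies on.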