Efficiently Shuffling in Public

We revisit shuffling in public [AW07a], a scheme which allows a shuffle to be precomputed. We show how to obfuscate a Paillier shuffle with O(N log(3.5) N) exponentiations, leading to a very robust and efficient mixnet: when distributed over O(N) nodes the mixnet achieves mixing in polylogarithmic time, independent of the level of privacy or verifiability required. Our construction involves the use of layered Paillier applied to permutation networks. With an appropriate network the shuffle may be confined to a particular subset of permutations, for example to rotations. While it is possible that the mixnet may produce biased output, we show that certain networks lead to an acceptable bias-efficiency tradeoff.