Efficient Zero-Knowledge Argument for Correctness of a Shuffle Stephanie Bayer University College...

Post on 01-Apr-2015


Efficient Zero-Knowledge Argument for Correctness of a Shuffle

Stephanie Bayer

University College London

Jens Groth

University College London

Motivation – e-voting

• Voting:
  - Voter casts secret vote
  - Authorities reveal votes in random permuted order

• E-voting:
  - Voter casts secret votes on a computer
  - The votes are sent to a server, which sends all votes to the central authorities
  - Authorities reveal votes in random permuted order

Background - ElGamal encryption

• Setup: Group G of prime order with generator

• Public key:

• Encryption: E() = ()

• Decryption: D() =

• Homomorphic:

E() × E() = E()

• Re-encryption:

E() × E() = E()

Shuffle

c1 c2 c3 . . . cN

C1 C2 C3 . . . CN

Input ciphertexts

Permute to get

Re-encrypt them E()

Output ciphertexts
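
The shuffle on this slide (permute, then re-encrypt by multiplying with an encryption of 1), as an added Python example that is not from the talk or the authors' C++ implementation. The toy group (p = 2039, q = 1019, g = 4), the function names and the sample messages are assumptions made here; `is_shuffle` re-checks the shuffle with the witness (permutation and randomizers) that the mix-server keeps secret.

```python
import secrets

# Toy group, constructed for this example and far too small for real use:
# P = 2Q + 1 with Q prime; G = 4 generates the order-Q subgroup of squares mod P.
P, Q, G = 2039, 1019, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1          # secret key in [1, Q-1]
    return x, pow(G, x, P)                    # public key y = g^x

def encrypt(y, m, r):
    """ElGamal encryption E(m; r) = (g^r, y^r * m)."""
    return (pow(G, r, P), pow(y, r, P) * m % P)

def decrypt(x, c):
    u, v = c
    return v * pow(u, Q - x, P) % P           # v / u^x, because u^Q = 1

def mul(c1, c2):
    """Homomorphism: E(m1; r1) * E(m2; r2) = E(m1*m2; r1+r2)."""
    return (c1[0] * c2[0] % P, c1[1] * c2[1] % P)

def shuffle(y, cts, perm, rands):
    """Output C_i = c_perm[i] * E(1; rands[i]): permute, then re-encrypt."""
    return [mul(cts[perm[i]], encrypt(y, 1, rands[i])) for i in range(len(cts))]

def is_shuffle(y, cts, out, perm, rands):
    """Check with the witness in hand; the ZK argument proves this holds
    without showing perm or rands to the verifier."""
    return sorted(perm) == list(range(len(cts))) and out == shuffle(y, cts, perm, rands)

def demo():
    x, y = keygen()
    msgs = [pow(G, k, P) for k in (3, 5, 7, 11)]   # constructed sample votes
    cts = [encrypt(y, m, secrets.randbelow(Q)) for m in msgs]
    perm = [2, 0, 3, 1]                            # 0-based permutation
    rands = [secrets.randbelow(Q - 1) + 1 for _ in cts]
    out = shuffle(y, cts, perm, rands)
    # A corrupt mix-server swaps one output for a fresh encryption of another vote.
    bad = out[:1] + [encrypt(y, msgs[3], 7)] + out[2:]
    return x, y, msgs, cts, perm, rands, out, bad

if __name__ == "__main__":
    x, y, msgs, cts, perm, rands, out, bad = demo()
    print([decrypt(x, c) for c in out] == [msgs[j] for j in perm])  # honest shuffle
    print(is_shuffle(y, cts, out, perm, rands), is_shuffle(y, cts, bad, perm, rands))
```

Without the secret key or the witness, the honest and the tampered output lists look alike, which is the gap the zero-knowledge argument closes.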

Mix-net:

[Figure: mix-net applying permutations π1 and π2, with π = π1π2; labels: m1 m2 mN; mπ(1) mπ(2) mπ(N); threshold decryption]

Problem: Corrupt mix-server

[Figure: the mix-net with a corrupt mix-server; permutations π1 and π2, with π = π1π2; labels: m2 mN; mπ(1) mπ(2) mπ(N)′; threshold decryption]

Solution: Zero-knowledge argument

[Figure: mix-net with permutations π1 and π2, π = π1π2; labels: m1 m2; mπ(1) mπ(2); threshold decryption]

• ZK argument: No message changed (soundness)

• ZK argument: Permutation still secret (zero-knowledge)

Zero-Knowledge Argument

Requested Properties:

– Soundness: The Verifier rejects with overwhelming probability if the Prover tries to cheat

– Zero-Knowledge: Nothing but the truth is revealed; permutation is secret

– Efficient: Small computation and small communication complexity

Prover Verifier

Statement: ()

The Shuffle was done correctly

π, r1, ⋯, rN

Public coin honest verifier zero-knowledge

Statement: ()

Prover Verifier

Setup: (G,,) and common reference string

Honest verifier zero-knowledge: Nothing but truth revealed; permutation secret

Can convert to standard zero-knowledge argument

Our contribution

• 9-move public coin honest verifier zero-knowledge argument for correctness of shuffle in common reference string model

• For ciphertexts

– Communication: O()k bits

– Prover’s computation: O() expos

– Verifier’s computation: O() expos

Comparison of ElGamal shuffles ()

|| = 1024, || = 160

Scheme | Rounds | Prover in expos | Verifier in expos | Size in kbits
Furukawa-Sako 01 | 3 | 8 | 10 | 5.3
FMMOS 02 | 5 | 9 | 10 | 5.3
Furukawa 05 (GL07) | 3 | 7 | 8 | 1.5
Terelius-Wikström 10 | 5 | 9 | 11 | 3.7
Neff 01,04 | 7 | 8 | 12 | 7.7
Groth 03,10 | 7 | 6 | 6 | 0.6
Groth-Ishai 08 | 7 | 3 | 4 | 3 + 0.5
Bayer-Groth 11 | 9 | 2 | 4 | 11 + 0.8
Bayer-Groth 11 O() 4 11 + 0.8

Commitments

• Commit to a column vector Z as A=com ()

– Length reducing

– Computational binding

– Perfectly hiding

– Homomorphic

com(;)*com(; ) = com(; )

• Pedersen Commitment: com(; ) =
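
A Pedersen commitment to a whole vector, as an added Python example (not from the talk or the authors' implementation) showing the length-reducing and homomorphic properties listed above, and how the homomorphism lets a verifier check the opening of a challenge-weighted combination of two commitments. The toy group, the generators standing in for the common reference string, and all function names are assumptions of this example.

```python
import secrets

# Toy parameters constructed for this example (not secure sizes):
# squares mod P form a group of prime order Q.
P, Q = 2039, 1019
# Stand-in for the common reference string: n generators plus h. In a real
# setup nobody may know discrete-log relations between them.
GENS, H = [9, 25, 49, 169], 121

def commit(values, r):
    """Pedersen vector commitment com(a; r) = h^r * prod g_i^{a_i} mod P."""
    if len(values) != len(GENS):
        raise ValueError("vector length must match the number of generators")
    c = pow(H, r % Q, P)
    for g, a in zip(GENS, values):
        c = c * pow(g, a % Q, P) % P
    return c

def combine(c_a, c_b, z):
    """Homomorphic step done on commitments only: com(a)^z * com(b)."""
    return pow(c_a, z, P) * c_b % P

def open_combined(a, r, b, s, z):
    """Prover side: the opening (z*a + b, z*r + s) of combine(com(a), com(b), z)."""
    vec = [(z * ai + bi) % Q for ai, bi in zip(a, b)]
    return vec, (z * r + s) % Q

def demo():
    a, b = [3, 1, 4, 2], [10, 20, 30, 40]          # constructed sample vectors
    r, s = secrets.randbelow(Q), secrets.randbelow(Q)
    c_a, c_b = commit(a, r), commit(b, s)          # one group element each
    z = secrets.randbelow(Q - 1) + 1               # verifier's challenge
    vec, rand = open_combined(a, r, b, s, z)
    return c_a, c_b, z, vec, rand

if __name__ == "__main__":
    c_a, c_b, z, vec, rand = demo()
    print(combine(c_a, c_b, z) == commit(vec, rand))
```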

Techniques - Sublinear cost

• Length reducing commitments

• Batch verification

Sublinear communication cost

• Structured Vandermonde challenges

Shuffle argument

• Given public keys and

• Given ciphertexts and

• Prover knows permutation and randomizers and wants to convince the verifier

E() E()

Shuffle argument

1. The prover commits to a permutation by committing to

Verifier sends challenge Z

2. The prover commits to

3. The prover gives an argument that both commitments are constructed using the same permutation

4. The prover demonstrates that the input ciphertexts are permuted using the same permutation and knowledge of the randomizers used in the re-encryption.

• Prover gives product argument for A, B such that =

• Prover commits to as A=com()=com()

and after receiving challenge Z to B= com() =com(s)

Shuffle argument

Inexpensive: See full paper

Expensive: Will sketch idea

• Sketch idea focusing on soundness

• Ignore ZK (easy and cheap to add)

• Will also for simplicity assume randomness

Both polynomials are equal, only the roots are permuted
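
The idea behind "both polynomials are equal, only the roots are permuted", as an added Python example over plain values instead of commitments (not code from the talk or the authors' implementation). The field size, the function names, the challenge names x, y, z and the exact way the two vectors are combined in `same_permutation` are assumptions of this example.

```python
import secrets

Q = 2**127 - 1        # prime field for challenges (assumed size for this example)

def root_product(values, z):
    """Evaluate prod (v - z) mod Q: the polynomial whose roots are `values`."""
    acc = 1
    for v in values:
        acc = acc * (v - z) % Q
    return acc

def same_multiset(a, b):
    """b is a reordering of a iff the two polynomials agree; testing at one
    random z errs with probability at most N/Q (Schwartz-Zippel)."""
    z = secrets.randbelow(Q)
    return len(a) == len(b) and root_product(a, z) == root_product(b, z)

def same_permutation(a, b, x):
    """Tie a_i = pi(i) to b_i = x^pi(i): compare the roots y*a_i + b_i with
    y*i + x^i for i = 1..N at random y, z (combination assumed in this example)."""
    y, z = secrets.randbelow(Q), secrets.randbelow(Q)
    left = [(y * ai + bi) % Q for ai, bi in zip(a, b)]
    right = [(y * i + pow(x, i, Q)) % Q for i in range(1, len(a) + 1)]
    return len(a) == len(b) and root_product(left, z) == root_product(right, z)

def demo():
    pi, other = [3, 1, 4, 2], [1, 3, 4, 2]     # constructed 1-based permutations
    repeat = [1, 1, 4, 2]                      # not a permutation at all
    x = secrets.randbelow(Q - 3) + 2           # challenge, sent after a is fixed
    powers = lambda idx: [pow(x, j, Q) for j in idx]
    return {
        "honest": same_permutation(pi, powers(pi), x),
        "mixed": same_permutation(pi, powers(other), x),
        "not_a_permutation": same_permutation(repeat, powers(repeat), x),
    }

if __name__ == "__main__":
    print(demo())
```

In the argument itself the vectors stay hidden inside commitments and the equality of the two products is shown with a product argument; the sketch only shows why a cheating prover fails except with negligible probability.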

Notation

• Arrange ciphertexts in matrix =

• Define inner product = to simplify the statement as

• B contains commitments B, , B where

B= com=com(), , B= com ()

Multi-exponentiation argument idea

1. Prover sends

Verifier sends challenge Z

2. Prover opens to

3. Verifier computes and checks

Multi-exponentiation argument

elements in Zq

2 ciphertexts

ciphertext expos

ciphertext expos

ciphertext expos

Communication: O() elements

Verifier computation: + O() expos

Prover’s computation

  

Computing this matrix costs m²n = mN ciphertext expos

Reducing the prover’s computation

• Do not compute entire matrix

• Instead use techniques for multiplication of polynomials “in the exponent” of ciphertexts

• Fast Fourier Transform

– O(N log m) exponentiations, O(1) rounds

• Interaction

– O(N) exponentiations, O(log m) rounds

Implementation

• Implementation in C++ using the NTL library and the GMP library

• Different levels of optimization

– Multi-exponentiation techniques

– Fast Fourier Transform

– Extra Interaction and Toom-Cook

Comparison

Implementation | Single argument | Argument Size
Verificatum | 5 min | 37.7 MB
Toom-Cook, | 2 min | 0.7 MB

• Runtime comparison of Verificatum (Wikström) to our shuffle argument

• MacBook Pro; CPU: 2.54 GHz, RAM: 4GB

• , 60

• ciphertexts,

Thank You