Efficient Zero-Knowledge Argument for Correctness of a Shuffle Stephanie Bayer University College London Jens Groth University College London

Page 1:

Efficient Zero-Knowledge Argument for Correctness of a Shuffle

Stephanie Bayer

University College London

Jens Groth

University College London

Page 2:

Motivation – e-voting

• Voting:

- Voter casts secret vote

- Authorities reveal votes in random permuted order

• E-voting:

- Voter casts secret votes on a computer

- The votes are sent to a server, which sends all votes to the central authorities

- Authorities reveal votes in random permuted order

Page 3:

Background - ElGamal encryption

• Setup: Group G of prime order with generator

• Public key:

• Encryption: E() = ()

• Decryption: D() =

• Homomorphic:

E() × E() = E()

• Re-encryption:

E() × E() = E()

Page 4:

Shuffle

c1 c2 c3 ... cN

C1 C2 C3 ... CN

Input ciphertexts

Permute to get

Re-encrypt them E()

Output ciphertexts
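
The permute-and-re-encrypt step from the ElGamal and Shuffle slides, as an added Python example (not from the slides or the authors' implementation). The slide formulas lost their symbols, so the textbook form E(m; r) = (g^r, m·y^r), the toy group p = 1019, q = 509, g = 4 and all function names are assumptions; the tampered case shows that one altered output breaks the relation a shuffle argument proves.

```python
import secrets

# Toy parameters, constructed for illustration and far too small for real use:
# p = 2q + 1 is a safe prime and g = 4 generates the subgroup of prime order q.
P, Q, G = 1019, 509, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1           # secret key
    return x, pow(G, x, P)                     # (x, y = g^x)

def encrypt(y, m, r):
    """E(m; r) = (g^r, m * y^r); m must lie in the order-q subgroup."""
    return (pow(G, r, P), m * pow(y, r, P) % P)

def decrypt(x, c):
    u, v = c
    return v * pow(u, Q - x, P) % P            # v / u^x, because u has order q

def mul(c1, c2):
    """Component-wise product: E(m1; r1) * E(m2; r2) = E(m1*m2; r1+r2)."""
    return (c1[0] * c2[0] % P, c1[1] * c2[1] % P)

def shuffle(y, inputs):
    """Permute the inputs, then re-encrypt each one by multiplying with E(1; rho)."""
    perm = list(range(len(inputs)))
    secrets.SystemRandom().shuffle(perm)
    rhos = [secrets.randbelow(Q - 1) + 1 for _ in inputs]
    outputs = [mul(inputs[perm[i]], encrypt(y, 1, rhos[i])) for i in range(len(inputs))]
    return outputs, perm, rhos                 # perm and rhos are the secret witness

def satisfies_shuffle_relation(y, inputs, outputs, perm, rhos):
    """The statement being argued, checked here with the witness in hand."""
    n = len(inputs)
    return sorted(perm) == list(range(n)) and all(
        outputs[i] == mul(inputs[perm[i]], encrypt(y, 1, rhos[i])) for i in range(n))

def demo():
    x, y = keygen()
    votes = [pow(G, k, P) for k in (1, 2, 2, 3)]          # constructed sample votes
    inputs = [encrypt(y, m, secrets.randbelow(Q)) for m in votes]
    outputs, perm, rhos = shuffle(y, inputs)
    # One output altered: its plaintext is multiplied by g without decrypting it.
    tampered = [(outputs[0][0], outputs[0][1] * G % P)] + outputs[1:]
    return {
        "honest_ok": satisfies_shuffle_relation(y, inputs, outputs, perm, rhos),
        "tampered_ok": satisfies_shuffle_relation(y, inputs, tampered, perm, rhos),
        "same_votes": sorted(decrypt(x, c) for c in outputs) == sorted(votes),
    }
```

The checker needs the permutation and randomizers, which is exactly what a mix-server must keep secret; the zero-knowledge argument lets a verifier reach the same verdict without them.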

Page 5:

Mix-net:

mπ(1) mπ(2) mπ(N)

π1

π2

π = π1π2

m1 m2 mN

Threshold decryption

Page 6:

Problem: Corrupt mix-server

mπ(1) mπ(2) mπ(N)′

π1

π2

π = π1π2

m2 mN

Threshold decryption

Page 7:

Solution: Zero-knowledge argument

mπ(1) mπ(2)

m1 m2 N

Threshold decryption

ZK argument: No message changed (soundness)

ZK argument: Permutation still secret (zero-knowledge)

π = π1π2

π2

π1

Page 8:

Zero-Knowledge Argument

Requested properties:

– Soundness: The verifier rejects with overwhelming probability if the prover tries to cheat

– Zero-knowledge: Nothing but the truth is revealed; permutation is secret

– Efficient: Small computation and small communication complexity

Prover Verifier

Statement: ()

The Shuffle was done correctly

π, r1, ⋯, rN

Page 9:

Public coin honest verifier zero-knowledge

Statement: ()

Prover Verifier

Setup: (G,,) and common reference string

Honest verifier zero-knowledge: Nothing but truth revealed; permutation secret

Can convert to standard zero-knowledge argument

Page 10:

Our contribution

• 9-move public coin honest verifier zero-knowledge argument for correctness of shuffle in common reference string model

• For ciphertexts

Communication: O()k bits

Prover’s computation: O() expos

Verifier’s computation: O() expos

Page 11:

Comparison of ElGamal shuffles ()

|| = 1024, || = 160

Columns: Rounds; Prover in expos; Verifier in expos; Size in kbits

Furukawa-Sako 01 3 8 10 5.3

FMMOS 02 5 9 10 5.3

Furukawa 05 (GL07) 3 7 8 1.5

Terelius-Wikström 10 5 9 11 3.7

Neff 01,04 7 8 12 7.7

Groth 03,10 7 6 6 0.6

Groth-Ishai 08 7 3 4 3 + 0.5

Bayer-Groth 11 9 2 4 11 + 0.8

Bayer-Groth 11 O() 4 11 + 0.8

Page 12:

Commitments

• Commit to a column vector Z as A=com ()

– Length reducing

– Computational binding

– Perfectly hiding

– Homomorphic

com(;)*com(; ) = com(; )

• Pedersen Commitment: com(; ) =

Page 13:

Techniques - Sublinear cost

• Length reducing commitments

• Batch verification

Sublinear communication cost

• Structured Vandermonde challenges

Page 14:

Shuffle argument

• Given public keys and

• Given ciphertexts and

• Prover knows permutation and randomizers and wants to convince the verifier

E() E()

Page 15:

Shuffle argument

1. The prover commits to a permutation by committing to

Verifier sends challenge Z

2. The prover commits to

3. The prover gives an argument that both commitments are constructed using the same permutation

4. The prover demonstrates that the input ciphertexts are permuted using the same permutation and knowledge of the randomizers used in the re-encryption.

Page 16:

Shuffle argument

• Prover gives product argument for A, B such that =

• Prover commits to as A=com()=com() and after receiving challenge Z to B= com() =com(s)

Inexpensive: See full paper

Expensive: Will sketch idea

• Sketch idea focusing on soundness

• Ignore ZK (easy and cheap to add)

• Will also for simplicity assume randomness

Both polynomials are equal, only the roots are permuted
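
Why equal polynomials with permuted roots tie both committed vectors to one permutation, as an added Python sketch (not from the slides or the authors' code). It works on the committed values directly, with commitments and zero-knowledge left out, and assumes a_i = π(i), b_i = x^π(i), two further challenges y and z, and the field modulus 2^61 − 1; none of these symbols survive on the slide.

```python
import secrets

Q = 2**61 - 1   # prime modulus for the challenge field (assumed for this example)

def prod_minus_z(values, z):
    """Evaluate prod_i (values[i] - z) mod Q: a polynomial in z whose roots are the values."""
    acc = 1
    for v in values:
        acc = acc * (v - z) % Q
    return acc

def honest_b(a, x):
    """Second vector, formed only after the challenge x is known: b_i = x^(a_i) (assumed form)."""
    return [pow(x, ai, Q) for ai in a]

def verifier_accepts(a, b, x, y, z):
    """Accept iff prod(y*a_i + b_i - z) == prod(y*i + x^i - z) for i = 1..N."""
    n = len(a)
    d = [(y * a[i] + b[i]) % Q for i in range(n)]
    e = [(y * i + pow(x, i, Q)) % Q for i in range(1, n + 1)]
    # If the multisets {d_i} and {e_i} differ, the two polynomials in z differ
    # and agree on at most N of the Q possible values of z.
    return prod_minus_z(d, z) == prod_minus_z(e, z)

def run(a, respond_b=honest_b):
    """One execution: a is fixed before x is known, b after it, then y and z arrive."""
    x = secrets.randbelow(Q - 2) + 2
    b = respond_b(a, x)
    y, z = secrets.randbelow(Q), secrets.randbelow(Q)
    return verifier_accepts(a, b, x, y, z)

def acceptance_rate(a, trials=200):
    """Fraction of fresh executions the verifier accepts for a fixed first vector a."""
    return sum(run(a) for _ in range(trials)) / trials
```

A first vector that is a permutation of 1..N is accepted in every run, while one with a repeated entry, or a second vector built from a different permutation, is rejected except with probability about N/Q.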

Page 17:

Notation

• Arrange ciphertexts in matrix =

• Define inner product = to simplify the statement as

• B contains commitments B, , B where

B= com=com(), , B= com ()

Page 18:

Multi-exponentiation argument idea

Page 19:

Multi-exponentiation argument

1. Prover sends

Verifier sends challenge Z

2. Prover opens to

3. Verifier computes and checks

elements in Zq

2 ciphertexts

ciphertext expos

ciphertext expos

ciphertext expos

Communication: O() elements

Verifier computation: + O() expos

Page 20:

Prover’s computation

Computing this matrix costs m²n = mN ciphertext expos

Page 21:

Reducing the prover’s computation

• Do not compute entire matrix

• Instead use techniques for multiplication of polynomials “in the exponent” of ciphertexts

• Fast Fourier Transform

– O(N log m) exponentiations, O(1) rounds

• Interaction

– O(N) exponentiations, O(log m) rounds

Page 22:

Implementation

• Implementation in C++ using the NTL library and the GMP library

• Different levels of optimization

– Multi-exponentiation techniques

– Fast Fourier Transform

– Extra Interaction and Toom-Cook

Page 23:

Comparison

Single argument Argument Size

Verificatum 5 min 37.7 MB

Toom-Cook, 2 min 0.7 MB

• Runtime comparison of Verificatum (Wikström) to our shuffle argument

• MacBook Pro; CPU: 2.54 GHz, RAM: 4 GB

• , 60

• ciphertexts,

Page 24:

Thank You