Title: Cryptographic Shuffles
Cryptographic Shuffles
- Jens Groth
- University College London
Voting
- Voters cast secret votes
- Authorities reveal votes in random permuted order
Mix-net
[Figure: votes v1, v2, ..., vN enter the mix-net, which outputs them in permuted order]
Mix-net
- Secure message submission
- Mixing
- Output of permuted messages
Secure message submission
- Voters encrypt their votes to keep them secret
  - Use a public encryption key generated by the election authorities running the mix-net
- Pre-processing before mixing
  - Check that voters are eligible
  - Voters sign their encrypted votes
  - Prevent copying or casting of related votes
    - May require additional evidence that voters know the encrypted votes they submit (without revealing the votes)
Mix-net
[Figure: input ciphertexts $E_{pk}(v_1; r_1), E_{pk}(v_2; r_2), \dots, E_{pk}(v_N; r_N)$ go through mixing and come out re-randomized and permuted, e.g. $E_{pk}(v_2; s_2), E_{pk}(v_1; s_1), \dots, E_{pk}(v_N; s_N)$]
Output of permuted messages
- Election authorities decrypt the encrypted permuted messages and output them
- Threshold decryption
  - The secret decryption key is shared between the election authorities
  - No single election authority or small group of election authorities can decrypt the incoming encrypted votes
  - They will only cooperate to decrypt the output from the mixing phase, where the votes have been permuted
Homomorphic encryption
- A public key encryption scheme is homomorphic if $E_{pk}(v; r) \cdot E_{pk}(w; s) = E_{pk}(vw; r + s)$
- Rerandomization of a ciphertext: $E_{pk}(v; r) \cdot E_{pk}(1; s) = E_{pk}(v; t)$ with $t = r + s$
- Example: ElGamal encryption, $(g^r, y^r v) \cdot (g^s, y^s w) = (g^{r+s}, y^{r+s} vw)$
Mix-net
[Figure: votes v1, v2, ..., vN pass through two mix-servers applying secret permutations π1 and π2, so the overall permutation is π = π2 ∘ π1; after threshold decryption the output is v_π(1), v_π(2), ..., v_π(N)]
Shuffle
[Figure: input ciphertexts c1, ..., c5 are permuted to c_π(1), ..., c_π(5) and re-randomized to the outputs C1, ..., C5]
- Input ciphertexts $c_1, \dots, c_N$
- Permute to get $c_{\pi(1)}, \dots, c_{\pi(N)}$
- Re-randomize them: $C_i = c_{\pi(i)} \cdot E_{pk}(1; s_i)$
- Output ciphertexts $C_1, \dots, C_N$
Security
- Each mix-server acts in sequence
  - Shuffles the ciphertexts from the previous mix-server
- The resulting permutation is random and secret if
  - All mix-servers follow the protocol
  - At least one mix-server keeps its permutation secret
  - The encryption scheme is semantically secure
Problem: corrupt mix-server
[Figure: the same two-server mix-net with π = π2 ∘ π1 and threshold decryption; a corrupt mix-server can change the ciphertexts it passes on, so the decrypted output v_π(1), ..., v_π(N) no longer corresponds to the submitted votes]
Zero-knowledge shuffle argument
- Statement: $(pk, c_1, \dots, c_N, C_1, \dots, C_N)$
- Prover's witness: $\pi, r_1, \dots, r_N$
- Zero-knowledge: nothing but the truth is revealed, the permutation stays secret
- Sound: the shuffle is correct
[Figure: Prover sends the argument to Verifier]
Solution: zero-knowledge arguments
[Figure: two-server mix-net with π = π2 ∘ π1 and threshold decryption; Server 1 publishes a ZK argument showing that no message was changed (soundness), Server 2 publishes a ZK argument while its permutation stays secret (zero-knowledge); output v_π(1), ..., v_π(N)]
Public coin honest verifier zero-knowledge
- Setup: common reference string
- Statement: $(pk, c_1, \dots, c_N, C_1, \dots, C_N)$
- Honest verifier zero-knowledge: nothing but the truth revealed, permutation secret
- Public coin: random challenges from $\mathbb{Z}_q$
- Can be converted to a standard zero-knowledge argument
[Figure: Prover and Verifier exchange messages]
Non-interactive zero-knowledge argument
- Setup: common reference string
- Statement: $(pk, c_1, \dots, c_N, C_1, \dots, C_N)$
- Fiat-Shamir 86: compute the challenges using a cryptographic hash function
- The prover publishes a single message; anybody can act as verifier
Universal verifiability
- Each mix-server can publicize its shuffle and the corresponding NIZK argument
- Now anybody can verify that the shuffles are correct (soundness)
- At the same time the NIZK arguments do not reveal the secret permutations used by the mix-servers (zero-knowledge)
Parameters for zero-knowledge argument
- Communication complexity
- Verifier's computation
- Prover's computation
  - Importance decreases when using the Fiat-Shamir heuristic
- Round complexity
  - Not important if using the Fiat-Shamir heuristic
Cut-and-choose (Sako-Kilian 95)
- Statement: $(pk, c_1, \dots, c_N, C_1, \dots, C_N)$ with $C_i = c_{\pi(i)} \cdot E_{pk}(1; r_i)$
- Prover picks a fresh permutation $\pi_0$ and randomizers and sends $E_1, \dots, E_N$, where $E_i = c_{\pi_0(i)} \cdot E_{pk}(1; r_{0,i}) = C_{\pi_1(i)} \cdot E_{pk}(1; r_{1,i})$
- Verifier sends a random bit $b \in \{0, 1\}$
- Prover reveals $\pi_b, r_{b,1}, \dots, r_{b,N}$ and the verifier checks the corresponding $N$ re-randomizations
Cut-and-choose (Sako-Kilian)
- Soundness
  - If $c_1, \dots, c_N$ and $C_1, \dots, C_N$ are not a shuffle, then $E_1, \dots, E_N$ is not a shuffle of $c_1, \dots, c_N$ or $E_1, \dots, E_N$ is not a shuffle of $C_1, \dots, C_N$
  - The verifier has a 50% chance of catching a cheating prover
  - Repeat $s$ times to get a $2^{-s}$ risk of a cheating prover
- Honest verifier zero-knowledge
  - The verifier can simulate the argument by picking $b \in \{0, 1\}$ and computing $E_1, \dots, E_N$ as the corresponding shuffle of $c_1, \dots, c_N$ or $C_1, \dots, C_N$ himself
- Cost
  - $O(Ns)$ ciphertexts and, with ElGamal, $O(Ns)$ exponentiations
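The pieces from the Homomorphic encryption and Shuffle slides together with the cut-and-choose argument above, with the verifier's bit replaced by hash bits as on the Non-interactive zero-knowledge argument slide, as an added example in Python. This is not code from the talk or from the Bayer-Groth paper; it assumes a toy group (safe prime p = 2039, subgroup order q = 1019, generator g = 4), SHA-256 over the statement and commitments as the Fiat-Shamir challenge source, and function names of its own.

```python
"""Toy ElGamal mix-net pieces: homomorphic ElGamal, the re-randomizing shuffle
C_i = c_pi(i) * E_pk(1; s_i), and a Sako-Kilian cut-and-choose shuffle argument
made non-interactive with Fiat-Shamir.  Added example, not code from the talk.
Assumed toy parameters p = 2039, q = 1019; real mix-nets use far larger groups."""
import hashlib
import secrets

P, Q, G = 2039, 1019, 4      # p = 2q + 1; G = 2^2 generates the order-q subgroup

def keygen(x=None):
    """Secret key x in Z_q, public key y = g^x (threshold sharing of x omitted)."""
    x = secrets.randbelow(Q - 1) + 1 if x is None else x
    return x, pow(G, x, P)

def encrypt(y, m, r):
    """E_pk(m; r) = (g^r, y^r * m); m must be an element of the order-q subgroup."""
    return (pow(G, r, P), pow(y, r, P) * m % P)

def mul(c1, c2):
    """Homomorphic property: E(v; r) * E(w; s) = E(v*w; r + s)."""
    return (c1[0] * c2[0] % P, c1[1] * c2[1] % P)

def rerandomize(y, c, s):
    """E(v; r) * E(1; s) = E(v; r + s): same plaintext, unlinkable ciphertext."""
    return mul(c, encrypt(y, 1, s))

def decrypt(x, c):
    return c[1] * pow(c[0], (Q - x) % Q, P) % P   # c[0]^(-x), since c[0] has order q

def random_perm(n):
    """Fisher-Yates with a CSPRNG; the permutation is the mix-server's secret."""
    perm = list(range(n))
    for i in range(n - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        perm[i], perm[j] = perm[j], perm[i]
    return perm

def shuffle(y, cts, perm, rands):
    """Output C_i = c_{perm[i]} * E_pk(1; rands[i]) for i = 0..N-1."""
    return [rerandomize(y, cts[perm[i]], rands[i]) for i in range(len(cts))]

def verify_round(y, c, C, E, b, perm_b, rands_b):
    """One round: E must open as a shuffle of c (b = 0) or of C (b = 1).  If C is
    not a shuffle of c, both openings cannot exist: a cheater survives w.p. 1/2."""
    src = c if b == 0 else C
    return sorted(perm_b) == list(range(len(c))) and E == shuffle(y, src, perm_b, rands_b)

def challenge_bits(y, c, C, E_rounds):
    """Fiat-Shamir: one challenge bit per round from a hash of statement and
    all commitments (s <= 256; a real implementation serializes canonically)."""
    h = hashlib.sha256(repr((y, c, C, E_rounds)).encode()).digest()
    return [(h[k // 8] >> (k % 8)) & 1 for k in range(len(E_rounds))]

def prove(y, c, C, perm, rands, s=40):
    """Prover knows perm, rands with C == shuffle(y, c, perm, rands).  Each round
    commits to E = shuffle(c, pi0, r0) and prepares the other opening
    pi1 = perm^-1 o pi0, r1_i = r0_i - rands[pi1[i]], with E = shuffle(C, pi1, r1)."""
    n = len(c)
    inv = [0] * n
    for i, p in enumerate(perm):
        inv[p] = i
    rounds = []
    for _ in range(s):
        pi0 = random_perm(n)
        r0 = [secrets.randbelow(Q) for _ in range(n)]
        pi1 = [inv[pi0[i]] for i in range(n)]
        r1 = [(r0[i] - rands[pi1[i]]) % Q for i in range(n)]
        rounds.append((shuffle(y, c, pi0, r0), (pi0, r0), (pi1, r1)))
    E_rounds = [rd[0] for rd in rounds]
    bits = challenge_bits(y, c, C, E_rounds)
    return E_rounds, [rounds[k][1 + bits[k]] for k in range(s)]

def verify(y, c, C, proof):
    """Anybody can check the published argument: recompute the challenges and
    verify every round; a cheating prover passes with probability at most 2^-s."""
    E_rounds, openings = proof
    bits = challenge_bits(y, c, C, E_rounds)
    return all(verify_round(y, c, C, E_rounds[k], bits[k], *openings[k])
               for k in range(len(E_rounds)))

def demo(n=5, s=40):
    """Encrypt n constructed ballots (candidate k encoded as g^k), shuffle, prove,
    decrypt; returns (argument verifies, decrypted multiset equals the ballots)."""
    x, y = keygen()
    votes = [secrets.randbelow(3) + 1 for _ in range(n)]       # constructed ballots
    c = [encrypt(y, pow(G, v, P), secrets.randbelow(Q)) for v in votes]
    perm, rands = random_perm(n), [secrets.randbelow(Q) for _ in range(n)]
    C = shuffle(y, c, perm, rands)
    proof = prove(y, c, C, perm, rands, s)
    decode = {pow(G, k, P): k for k in range(1, 4)}
    tally = sorted(decode[decrypt(x, ct)] for ct in C)
    return verify(y, c, C, proof), tally == sorted(votes)

if __name__ == "__main__":
    print(demo())   # (True, True)
```

The argument is linear in Ns exactly as the slide's cost line says: every round re-sends N ciphertexts and opens N re-randomizations, which is why the later slides replace cut-and-choose with arguments of O(N) or sub-linear size. Note that `verify_round` insists the opened `perm_b` is a genuine permutation; without that check a prover could open every position to the same input and the soundness argument collapses.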
Permutation networks (Abe 99, AH01)
[Figure: permutation network on 8 inputs v1, ..., v8 built from layers of 2-input switches, each switch being argued to be a correct shuffle of its two ciphertexts]
- Cost O(N log N) elements and O(N log N) expos
Permutation matrix (Furukawa-Sako 01)
- Demonstrate there is a permutation matrix such that
- The permutation matrix has size N² but is sparse and has only N non-zero entries
- Cost O(N) elements and O(N) expos
Polynomial invariance under permutation of roots (Neff 01)
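The idea behind the slide title, added here as an explanation because only the title survived; the symbols are this note's own. Let $m_1, \dots, m_N$ be the plaintexts of $c_1, \dots, c_N$ and $M_1, \dots, M_N$ those of $C_1, \dots, C_N$. If the $C_i$ are a shuffle then $M_i = m_{\pi(i)}$ and, because a product does not depend on the order of its factors,
$$\prod_{i=1}^{N} (X - M_i) = \prod_{i=1}^{N} (X - m_{\pi(i)}) = \prod_{i=1}^{N} (X - m_i) \quad \text{in } \mathbb{Z}_q[X].$$
Conversely, by unique factorization in $\mathbb{Z}_q[X]$ the two polynomials are equal only if their multisets of roots agree. The verifier therefore picks a random challenge $x \in \mathbb{Z}_q$ and the prover shows, on the committed or encrypted values, that
$$\prod_{i=1}^{N} (x - M_i) = \prod_{i=1}^{N} (x - m_i).$$
Two distinct polynomials of degree $N$ agree on at most $N$ points, so an incorrect shuffle passes this test with probability at most $N/q$, which is negligible for the 160-bit $q$ of the comparison tables.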
Sub-linear size arguments (Groth-Ishai 08)
- Polynomial invariance under permutation of roots
- Organize the ciphertexts in an m × n matrix
- Apply Hadamard code techniques from PCPs
- Cost
  - Size O(m² + n)
  - Prover computation O(Nm) exponentiations
  - Verifier computation O(N) exponentiations
Sub-linear size arguments (Bayer-Groth 11)
- Polynomial invariance under permutation of roots
- Organize the ciphertexts in an m × n matrix
- Apply polynomial multiplication techniques
- Cost
  - Size O(m + n)
  - Prover computation O(N log m) exponentiations
  - Verifier computation O(N) exponentiations
Comparison of ElGamal shuffles (N = mn), p = 1024 bits, q = 160 bits

Scheme                  Rounds   Prover (expos)   Verifier (expos)   Size (kbits)
Sako-Kilian 95          3        O(s)·N           O(s)·N             O(s)·N
Abe 99 (AH01)           3        O(log N)·N       O(log N)·N         O(log N)·N
Furukawa-Sako 01        3        8N               10N                5.3N
FMMOS 02                5        9N               10N                5.3N
Furukawa 05 (GL07)      3        7N               8N                 1.5N
Terelius-Wikström 10    5        9N               11N                3.7N
Neff 01,04              7        8N               12N                7.7N
Groth 03,10             7        6N               6N                 0.6N
Groth-Ishai 08          7        3mN              4N                 3m² + 0.5n
Bayer-Groth 11          9        2·log(m)·N       4N                 11m + 0.8n
New sub-linear size shuffle argument
- Joint work with Stephanie Bayer, University College London
Commitments
Homomorphic commitments
Shuffle argument
- Given public keys pk and ck
- Given shuffle $c_1, \dots, c_N$ and $C_1, \dots, C_N$
- Prover knows permutation $\pi$ and randomizers $r_1, \dots, r_N$ and wants to convince the verifier that $C_1 = c_{\pi(1)} \cdot E_{pk}(1; r_1), \dots, C_N = c_{\pi(N)} \cdot E_{pk}(1; r_N)$
Zero-knowledge
[Figure: the commitments are perfectly hiding, so the argument reveals nothing (ZK)]
Soundness
The underlying ZK arguments
- Inexpensive: see the full paper
- Expensive: will sketch the idea
Multi-exponentiation argument
The commitment B and useful notation
Product argument idea
Product argument
Explanation
Efficiency
- Communication O(m + n) elements
- Verifier computation 4N + O(m + n) expos
[Figure annotations: 2m ciphertexts; N ciphertext expos; N ciphertext expos; the short argument is cheap, 2m ciphertext expos]
Prover's computation
- Computing this matrix costs m²n = mN ciphertext expos
Reducing the prover's computation
- Do not compute the entire matrix
- Instead use techniques for multiplication of polynomials in the exponent of ciphertexts
  - Fast Fourier Transform: O(N log m) exponentiations, O(1) rounds
  - Interaction: O(N) exponentiations, O(log m) rounds
Comparison of ElGamal shuffles (N = mn), p = 1024 bits, q = 160 bits

Scheme                        Rounds     Prover (expos)   Verifier (expos)   Size (kbits)
Sako-Kilian 95                3          O(s)·N           O(s)·N             O(s)·N
Abe 99 (AH01)                 3          O(log N)·N       O(log N)·N         O(log N)·N
Furukawa-Sako 01              3          8N               10N                5.3N
FMMOS 02                      5          9N               10N                5.3N
Furukawa 05 (GL07)            3          7N               8N                 1.5N
Terelius-Wikström 10          5          9N               11N                3.7N
Neff 01,04                    7          8N               12N                7.7N
Groth 03,10                   7          6N               6N                 0.6N
Groth-Ishai 08                7          3mN              4N                 3m² + 0.5n
Bayer-Groth 11 (FFT)          9          2·log(m)·N       4N                 11m + 0.8n
Bayer-Groth 11 (interactive)  O(log m)   O(N)             4N                 11m + 0.8n
Asymptotic vs concrete complexity
- Turns out that for practical choices of N = mn, interaction comes for free
  - The multi-exponentiation argument has smaller round complexity than the product argument
  - Can use the interaction technique for a couple of rounds without increasing round complexity
- It takes a long time before the asymptotic behavior of the Fast Fourier Transform kicks in
  - For small m it is better to use Toom-Cook methods
Implementation
- Looked at shuffling 100,000 ElGamal ciphertexts
  - p = 1024 bits, q = 160 bits
- Most efficient implementation uses N = 100,000, m = 64, n = 1563
- Cost
  - Rounds: 9
  - Prover: 12N exponentiations
  - Verifier: 4N exponentiations
  - Communication: 0.7 MB
- Timings on a Core2Duo 2.53GHz: prover 91 seconds, verifier 18 seconds
Summary, p = 1024 bits, q = 160 bits (asymptotic rows in expos and kbits; measured rows for N = 100,000 in seconds and MB)

Scheme                  Rounds   Prover        Verifier      Size
Sako-Kilian 95          3        O(s)·N        O(s)·N        O(s)·N
Abe 99 (AH01)           3        O(log N)·N    O(log N)·N    O(log N)·N
Furukawa-Sako 01        3        8N            10N           5.3N
FMMOS 02                5        300 sec.      300 sec.      66.0 MB
Furukawa 05 (GL07)      3        7N            8N            1.5N
Terelius-Wikström 10    5        300 sec.      300 sec.      37.7 MB
Neff 01,04              7        8N            12N           7.7N
Groth 03,10             7        6N            6N            0.6N
Groth-Ishai 08          7        3mN           4N            3m² + 0.5n
Bayer-Groth 11          9        91 sec.       18 sec.       0.7 MB