Cryptographic Shuffles - PowerPoint PPT Presentation

About This Presentation

Title: Cryptographic Shuffles

Description: Cryptographic Shuffles, Jens Groth, University College London (PowerPoint PPT presentation)

Slides: 49
Provided by: SimonB227
Transcript and Presenter's Notes

Title: Cryptographic Shuffles


1
Cryptographic Shuffles
  • Jens Groth
  • University College London

2
Voting
  • Voters cast secret votes
  • Authorities reveal votes in random permuted order

3
Mix-net

(figure: votes v1, v2, ..., vN enter the mix-net)
4
Mix-net
Secure message submission
Mixing
Output of permuted messages
5
Secure message submission
  • Voters encrypt their votes to keep them secret
  • Use a public encryption key generated by election
    authorities running the mix-net
  • Pre-processing before mixing
  • Check voters are eligible
  • Voters sign their encrypted votes
  • Prevent copying or casting of related votes
  • May require additional evidence that voters know
    the encrypted votes they submit (without
    revealing the votes)

6
Mix-net
(figure: inputs Epk(v1; r1), Epk(v2; r2), ..., Epk(vN; rN) enter the mixing phase, which outputs Epk(v2; s2), Epk(v1; s1), ..., Epk(vN; sN), i.e. the same votes under fresh randomizers in permuted order)

7
Output of permuted messages
  • Election authorities decrypt the encrypted
    permuted messages and output them
  • Threshold decryption
  • The secret decryption key is shared between the
    election authorities
  • No single election authority or small group of
    election authorities can decrypt the incoming
    encrypted votes
  • Will only cooperate to decrypt the output from
    the mixing phase where the votes have been
    permuted

8
Homomorphic encryption
  • A public key encryption scheme is homomorphic if
    Epk(v; r) · Epk(w; s) = Epk(vw; r+s)
  • Rerandomization of ciphertext: Epk(v; r) · Epk(1; s) = Epk(v; t)
    with t = r+s
  • Example, ElGamal encryption: (g^r, y^r v) · (g^s, y^s w)
    = (g^(r+s), y^(r+s) vw)

9
Mix-net
(figure: mix-server 1 applies permutation π1 and mix-server 2 applies π2 to inputs v1, v2, ..., vN, giving overall permutation π = π2π1; threshold decryption of the output yields vπ(1), vπ(2), ..., vπ(N))

10
Shuffle
(figure: c1, ..., c5 are permuted to cπ(1), ..., cπ(5) and then re-randomized to C1, ..., C5)
  • Input ciphertexts c1,...,cN
  • Permute to get cπ(1),...,cπ(N)
  • Re-randomize them: Ci = cπ(i) · Epk(1; si)
  • Output ciphertexts C1,...,CN

11
Security
  • Each mix-server acts in sequence
  • Shuffles the ciphertexts from the previous
    mix-server
  • Resulting permutation is random and secret if
  • All mix-servers follow the protocol
  • At least one mix-server keeps its permutation
    secret
  • The encryption scheme is semantically secure

12
Problem: Corrupt mix-server
(figure: the two-server mix-net of slide 9, with permutations π1 and π2 and threshold decryption; one of the mix-servers is corrupt)

13
Zero-knowledge shuffle argument
Statement: (pk, c1,...,cN, C1,...,CN)
Prover's witness: π, r1,...,rN
Zero-knowledge: nothing but truth revealed, permutation is secret
Sound: shuffle is correct
(figure: interaction between Prover and Verifier)
14
Solution: zero-knowledge arguments
(figure: the two-server mix-net of slide 9 with threshold decryption; Server 1 gives a ZK argument: no message changed (soundness); Server 2 gives a ZK argument: permutation still secret (zero-knowledge))

15
Public coin honest verifier zero-knowledge
Setup: common reference string
Statement: (pk, c1,...,cN, C1,...,CN)
Honest verifier zero-knowledge: nothing but truth revealed, permutation secret
Public coin: random challenges from Zq
(figure: interaction between Prover and Verifier)
Can convert to standard zero-knowledge argument
16
Non-interactive zero-knowledge argument
Setup: common reference string
Statement: (pk, c1,...,cN, C1,...,CN)
Fiat-Shamir 86: compute challenges using a cryptographic hash-function
(figure: Prover sends a single message to the Verifier; anybody can verify it)
17
Non-interactive zero-knowledge argument
Setup: common reference string
Statement: (pk, c1,...,cN, C1,...,CN)
(figure: the Prover's single non-interactive message)
18
Universal verifiability
  • Each mix-server can publicize its shuffle and the
    corresponding NIZK argument
  • Now anybody can verify that the shuffles are
    correct (soundness)
  • At the same time the NIZK arguments do not reveal
    the secret permutations used by the mix-servers
    (zero-knowledge)

19
Parameters for zero-knowledge argument
  • Communication complexity
  • Verifier's computation
  • Prover's computation
  • Importance decreases when using Fiat-Shamir
    heuristic
  • Round complexity
  • Not important if using the Fiat-Shamir heuristic

20
Cut-and-choose (Sako-Kilian 95)
Statement: (pk, c1,...,cN, C1,...,CN) with Ci = cπ(i) · Epk(1; ri)
Prover computes Ei = cπ0(i) · Epk(1; r0i) = Cπ1(i) · Epk(1; r1i)
Prover -> Verifier: E1,...,EN
Verifier -> Prover: b ← {0,1}
Prover -> Verifier: πb, rb1,...,rbN
21
Cut-and-choose (Sako-Kilian)
  • Soundness
  • If C1,...,CN is not a shuffle of c1,...,cN then E1,...,EN
    is not a shuffle of c1,...,cN or E1,...,EN is not a shuffle
    of C1,...,CN
  • The verifier has a 50% chance of catching a cheating
    prover
  • Repeat s times to get a 2^-s risk of a cheating prover
  • Honest verifier zero-knowledge
  • Verifier can simulate the argument by picking b ← {0,1}
    and computing E1,...,EN as the corresponding
    shuffle of c1,...,cN or C1,...,CN himself
  • Cost
  • O(Ns) ciphertexts and with ElGamal O(Ns) expos
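As an added example (not code from the slides), a toy Python ElGamal over a constructed small group shows the homomorphic re-randomization of slide 8, the shuffle of slide 10 with its witness check, and one round of the Sako-Kilian cut-and-choose argument of slides 20 and 21; the parameters P, Q, G and all function names are constructed for illustration.

```python
import secrets
# Toy ElGamal group (constructed, far too small for real use): p = 2q+1, g of order q.
P, Q, G = 23, 11, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1             # secret key x in [1, q-1]
    return x, pow(G, x, P)                       # (x, y = g^x)

def enc(y, m, r):
    """Epk(m; r) = (g^r, y^r * m) for a message m in the subgroup."""
    return (pow(G, r, P), pow(y, r, P) * m % P)

def dec(x, c):
    return c[1] * pow(c[0], -x, P) % P

def mul(c1, c2):
    """Homomorphic property: Epk(v; r) * Epk(w; s) = Epk(vw; r+s)."""
    return (c1[0] * c2[0] % P, c1[1] * c2[1] % P)

def rerandomize(y, c, s):
    """Epk(v; r) * Epk(1; s) = Epk(v; r+s): same plaintext, fresh randomness."""
    return mul(c, enc(y, 1, s))

def shuffle(y, cs):
    """One mix-server: random permutation pi and randomizers, C_i = c_pi(i) * Epk(1; s_i)."""
    n, perm = len(cs), list(range(len(cs)))
    for i in range(n - 1, 0, -1):                # Fisher-Yates driven by a CSPRNG
        j = secrets.randbelow(i + 1)
        perm[i], perm[j] = perm[j], perm[i]
    rs = [secrets.randbelow(Q) for _ in range(n)]
    return [rerandomize(y, cs[perm[i]], rs[i]) for i in range(n)], perm, rs

def is_shuffle(y, cs, Cs, perm, rs):
    """Check an opened witness (perm, rs): every C_i == c_perm(i) * Epk(1; r_i)."""
    return len(Cs) == len(cs) and all(
        Cs[i] == rerandomize(y, cs[perm[i]], rs[i]) for i in range(len(cs)))

def cc_prover_commit(y, cs, Cs, perm, rs):
    """Cut-and-choose first move: fresh shuffle E of c, plus witnesses (pi0, r0), (pi1, r1)."""
    Es, p0, r0 = shuffle(y, cs)
    inv = {perm[j]: j for j in range(len(perm))}           # C_j was built from c_perm(j)
    p1 = [inv[k] for k in p0]                                # E_i was built from C_p1(i)
    r1 = [(r0[i] - rs[p1[i]]) % Q for i in range(len(cs))]  # randomizers live in Z_q
    return Es, (p0, r0), (p1, r1)

def cc_verify(y, cs, Cs, Es, b, opening):
    """b=0 opens E as a shuffle of c, b=1 as a shuffle of C; a cheating prover fails one."""
    return is_shuffle(y, cs if b == 0 else Cs, Es, *opening)
```

The verifier's challenge b is passed in by the caller so that both openings of one commitment can be checked; in the protocol the prover learns only one of them.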

22
Permutation Networks (Abe 99,AH01)
(figure: a permutation network routing inputs v1, ..., v8 through layers of switching gates)
  • Cost O(N log N) elements and O(N log N) expos

23
Permutation matrix (Furukawa-Sako 01)
  • Demonstrate there is permutation matrix such that
  • Permutation matrix has size N^2 but is sparse and
    has only N non-zero entries
  • Cost O(N) elements and O(N) expos

 
24
Polynomial invariance under permutation of roots
(Neff 01)
  •  

25
Sub-linear size arguments (Groth-Ishai 08)
  • Polynomial invariance under permutation of roots
  • Organize ciphertexts in m×n matrix
  • Apply Hadamard code techniques from PCPs
  • Cost
  • Size O(m^2 + n)
  • Prover computation O(Nm) exponentiations
  • Verifier computation O(N) exponentiations

26
Sub-linear size arguments (Bayer-Groth 11)
  • Polynomial invariance under permutation of roots
  • Organize ciphertexts in m×n matrix
  • Apply polynomial multiplication techniques
  • Cost
  • Size O(m + n)
  • Prover computation O(N log(m)) exponentiations
  • Verifier computation O(N) exponentiations

27
Comparison of ElGamal shuffles (N = mn)
|p| = 1024, |q| = 160 | Rounds | Prover in expos | Verifier in expos | Size in kbits
Sako-Kilian 95        | 3      | O(s) N          | O(s) N            | O(s)
Abe 99 (AH01)         | 3      | O(log(N)) N     | O(log(N))         | O(log N) N
Furukawa-Sako 01      | 3      | 8N              | 10N               | 5.3N
FMMOS 02              | 5      | 9N              | 10N               | 5.3N
Furukawa 05 (GL07)    | 3      | 7N              | 8N                | 1.5N
Terelius-Wikström 10  | 5      | 9N              | 11N               | 3.7N
Neff 01,04            | 7      | 8N              | 12N               | 7.7N
Groth 03,10           | 7      | 6N              | 6N                | 0.6N
Groth-Ishai 08        | 7      | 3mN             | 4N                | 3m^2 + 0.5n
Bayer-Groth 11        | 9      | 2 log(m) N      | 4N                | 11m + 0.8n
28
New sub-linear size shuffle argument
  • Joint work with
  • Stephanie BayerUniversity College London

29
Commitments
  •  

30
Homomorphic commitments
  •  

31
Shuffle argument
  • Given public keys pk and ck
  • Given shuffle c1,,cN and C1,,CN
  • Prover knows permutation ? and randomizers
    r1,,rN and wants to convince the
    verifier C1c?(1)Epk(1r1)
    CNc?(N)Epk(1rN)

32
Zero-knowledge: perfectly hiding
  •  

Zero-knowledge: reveals nothing (ZK)
33
Soundness
  •  

34
Soundness
  •  

35
The underlying ZK arguments
Inexpensive: see full paper
  •  

Expensive: will sketch idea
36
Multi-exponentiation argument
  •  

37
The commitment B and useful notation
  •  

38
Product argument idea
  •  

39
Product argument
  •  

40
Explanation
  •  

41
Explanation
 
  •  

42
Efficiency
  •  

Communication: O(m + n) elements
Verifier computation: 4N + O(m + n) expos
(figure annotations: 2m ciphertexts; N ciphertext expos; N ciphertext expos; short argument is cheap: 2m ciphertext expos)
43
Prover's computation
Computing this matrix costs m^2 n = mN ciphertext
expos
  •  

44
Reducing the prover's computation
  • Do not compute entire matrix
  • Instead use techniques for multiplication of
    polynomials in the exponent of ciphertexts
  • Fast Fourier Transform
  • O(N log m) exponentiations, O(1) rounds
  • Interaction
  • O(N) exponentiations, O(log m) rounds

45
Comparison of ElGamal shuffles (N = mn)
|p| = 1024, |q| = 160 | Rounds | Prover in expos | Verifier in expos | Size in kbits
Sako-Kilian 95        | 3      | O(s) N          | O(s) N            | O(s)
Abe 99 (AH01)         | 3      | O(log(N)) N     | O(log(N))         | O(log N) N
Furukawa-Sako 01      | 3      | 8N              | 10N               | 5.3N
FMMOS 02              | 5      | 9N              | 10N               | 5.3N
Furukawa 05 (GL07)    | 3      | 7N              | 8N                | 1.5N
Terelius-Wikström 10  | 5      | 9N              | 11N               | 3.7N
Neff 01,04            | 7      | 8N              | 12N               | 7.7N
Groth 03,10           | 7      | 6N              | 6N                | 0.6N
Groth-Ishai 08        | 7      | 3mN             | 4N                | 3m^2 + 0.5n
Bayer-Groth 11        | 9      | 2 log(m) N      | 4N                | 11m + 0.8n
Bayer-Groth 11        | log m  | O(N)            | 4N                | 11m + 0.8n
46
Asymptotic vs concrete complexity
  • Turns out that for practical choices of N = mn
    interaction comes for free
  • The multi-exponentiation argument has smaller
    round complexity than the product argument
  • Can use interaction technique for a couple of
    rounds without increasing round complexity
  • Takes a long time before asymptotic behavior of
    Fast Fourier Transform kicks in
  • For small m better to use Toom-Cook methods

47
Implementation
  • Looked at shuffling 100,000 ElGamal ciphertexts
  • |p| = 1024 bits, |q| = 160 bits
  • Most efficient implementation uses N = 100,000, m = 64,
    n = 1563
  • Cost
  • Rounds: 9
  • Prover: 12N exponentiations
  • Verifier: 4N exponentiations
  • Communication: 0.7 MB

Core2Duo 2.53GHz: prover 91 seconds, verifier 18 seconds
48
Summary
|p| = 1024, |q| = 160 | Rounds | Prover in expos | Verifier in expos | Size in kbits
Sako-Kilian 95        | 3      | O(s) N          | O(s) N            | O(s) N
Abe 99 (AH01)         | 3      | O(log(N)) N     | O(log(N))         | O(log N) N
Furukawa-Sako 01      | 3      | 8N              | 10N               | 5.3N
FMMOS 02              | 5      | 300 sec.        | 300 sec.          | 66.0MB
Furukawa 05 (GL07)    | 3      | 7N              | 8N                | 1.5N
Terelius-Wikström 10  | 5      | 300 sec.        | 300 sec.          | 37.7MB
Neff 01,04            | 7      | 8N              | 12N               | 7.7N
Groth 03,10           | 7      | 6N              | 6N                | 0.6N
Groth-Ishai 08        | 7      | 3mN             | 4N                | 3m^2 + 0.5n
Bayer-Groth 11        | 9      | 91 sec.         | 18 sec.           | 0.7MB