
Published by Ashley Corcoran. Modified over 2 years ago.

1
A Verifiable Secret Shuffle of Homomorphic Encryptions
Jens Groth, UCLA
On ePrint archive: http://eprint.iacr.org/2005/246

2
Agenda
- Motivation – anonymous communication
- What is: A shuffle? Homomorphic encryption? Zero-knowledge proofs?
- ZK proof for shuffle of known contents
- Tool: Homomorphic commitments
- ZK proof for shuffle of homomorphic encryptions
- Comparison with other ZK proofs
- Efficiency improvements

3
Anonymous communication
[Figure: Sender 1,...,Sender n submit m_1,...,m_n to a mixer made up of mix-servers; the mixer applies π and outputs m_{π(1)},...,m_{π(n)}]

4
Encryption
- Rerandomization property: E(m) E´(m)
- Threshold decryption property: t mix-servers can decrypt; t-1 mix-servers do not learn anything

5
Mix-net
[Figure: senders submit E(m_1),...,E(m_n); the mix-servers apply π and output E´(m_{π(1)}),...,E´(m_{π(n)}); threshold decryption by at least t mix-servers yields m_{π(1)},...,m_{π(n)}]

6
Mix-net
[Figure: mix-server 1 applies π_1 to E(m_1),...,E(m_n) and outputs E´(m_{π_1(1)}),...,E´(m_{π_1(n)}); ...; mix-server N applies π_N and outputs E´´´(m_{π(1)}),...,E´´´(m_{π(n)}), with π = π_N ... π_1]

7
A shuffle
[Figure: input E(m_1),...,E(m_n); permutation π; output E´(m_{π(1)}),...,E´(m_{π(n)})]

8
Agenda
- Motivation – anonymous communication
- Mix-nets
- What is: A shuffle? Homomorphic encryption? Zero-knowledge proofs?
- ZK proof for shuffle of known contents
- Tool: Homomorphic commitments
- ZK proof for shuffle of homomorphic encryptions
- Comparison with other ZK proofs
- Efficiency improvements

9
Homomorphic encryption
- Homomorphic property: E(m_1 m_2; R_1+R_2) = E(m_1; R_1) E(m_2; R_2)
- Rerandomization: E(m; R_1+R_2) = E(m; R_1) E(1; R_2)
- Message space: order Q, no small prime factors
- Root extraction property: see paper

10
ElGamal variant
- Keys: primes Q, P so P = 2Q+1; random elements G, Y of order Q; PK = (Q, P, G, Y); SK = (PK, x) so Y = G^x
- Encryption: E(m; (±1, ±1, R)) = (±G^R mod P, ±Y^R m mod P)
- Ciphertext verification: (U, V) is a valid ciphertext if 0 < U < P and 0 < V < P

11
A shuffle of homomorphic encryptions
[Figure: input e_1,...,e_n; π, R_1,...,R_n; output e_{π(1)} E(1;R_1),...,e_{π(n)} E(1;R_n)]

12
Verifiability?
[Figure: input e_1,...,e_n; output E_1,...,E_n; π, R_1,...,R_n ?]

13
Zero-knowledge proof
- Complete: prover with π, R_1,...,R_n can convince anybody of correctness of shuffle
- Sound: if not a valid shuffle, impossible to convince others of correctness of shuffle
- Zero-knowledge: prover does not reveal anything beyond correctness of shuffle

14
Special honest verifier zero-knowledge (SHVZK)
Statement: PK, e_1,...,e_n, E_1,...,E_n (and a little more)
Real proof (π, R_1,...): a_1, c_1, a_2, ...
Simulated proof (c_1,...): a_1, c_1, a_2, ...
(a_1, c_1, a_2,...) indistinguishable from (a_1, c_1, a_2,...)

15
Computational/statistical
- Soundness
  - Unconditional: No adversary can make a valid proof for a false statement
  - Computational: A polynomial time adversary cannot make a valid proof for a false statement
- Special honest verifier zero-knowledge
  - Statistical: No adversary can distinguish real proofs from simulated proofs
  - Computational: A polynomial time adversary cannot distinguish real proofs from simulated proofs

16
Main result
A 7-round public coin SHVZK proof for correctness of a shuffle of homomorphic encryptions
Optional:
- unconditional soundness or statistical SHVZK
- key length vs efficiency

17
Agenda
- Motivation – anonymous communication
- Mix-nets
- What is: A shuffle? Homomorphic encryption? Zero-knowledge proofs?
- ZK proof for shuffle of known contents
- Tool: Homomorphic commitments
- ZK proof for shuffle of homomorphic encryptions
- Comparison with other ZK proofs
- Efficiency improvements

18
Non-interactive commitment
- Public key
- Commitment: c = commit(m; r)
- Opening: given c, m, r check that c = commit(m; r)

19
Commitment
- Binding
  - Unconditional: There is at most one way the committer can open a commitment c
  - Computational: A polynomial time adversary cannot find c, m_1, r_1, m_2, r_2 so c = commit(m_1; r_1) = commit(m_2; r_2) and m_1 m_2
- Hiding
  - Statistical: Commitments to m and 0 have the same distribution
  - Computational: A polynomial time adversary cannot distinguish a random commitment to m 0 from a random commitment to 0

20
Homomorphic commitment
- Homomorphic property: com(m_1+m_1´,...,m_n+m_n´; r_1+r_2) = com(m_1,...,m_n; r_1) com(m_1´,...,m_n´; r_2)
- Message space: Z_q^n with q prime
- Root extraction property: given c, m_1,...,m_n, r, e so gcd(e,q) = 1 and c^e = com(m_1,...,m_n; r) we can efficiently compute r´ so c = com(m_1/e,...,m_n/e; r´)

21
Pedersen commitment variant
- Public key: primes q, p so p = kq+1; random elements g_1,...,g_n, h of order q; pk = (q, p, g_1,...,g_n, h)
- Commitment: com(m_1,...,m_n; (u,r)) = u g_1^{m_1} … g_n^{m_n} h^r mod p, where 1 = u^k mod p
- Commitment verification: valid if 0 < c < p

22
Shuffle of known content
[Figure: publicly known messages m_1,...,m_n; π, r; commitment com(m_{π(1)},...,m_{π(n)}; r)]

23
SHVZK proof for shuffle of known content
A 4-round public coin SHVZK proof of knowledge for a commitment to a permutation of publicly known messages m_1,...,m_n
Optional:
- unconditional soundness or statistical SHVZK
- key length vs efficiency

24
Knowledge of contents
Common: pk, c, m_1,...,m_n
Prover: π, r so c = com(m_{π(1)},...,m_{π(n)}; r)
Prover sends: c_d = com(d_1,...,d_n; r_d)
Verifier sends: e {0,1}
Prover sends: f_i = e m_{π(i)} + d_i, z = er + r_d
Check: c^e c_d = com(f_1,...,f_n; z)

25
Special HVZK
Common: pk, c, m_1,...,m_n
Simulator, given e {0,1}: f_i Z_q, z Z_q; c_d = com(f_1,...,f_n; z) c^{-e}
Check: c^e c_d = com(f_1,...,f_n; z)

26
Knowledge
Common: pk, c, m_1,...,m_n
c_d = com(d_1,...,d_n; r_d)
e, e´ {0,1}
f_i, z, f_i´, z´
c^e c_d = com(f_1,...,f_n; z)
c^{e´} c_d = com(f_1´,...,f_n´; z´)
c^{e-e´} = com(f_1 - f_1´,...,f_n - f_n´; z - z´)
Root extraction: c = com(μ_1,...,μ_n; r)
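The three slides above (knowledge of contents, the SHVZK simulator, and extraction from two accepting transcripts) as one added Python example, not code from the talk or the paper. Assumptions: toy parameters p = 2039, q = 1019 with fixed generators, the commitment's u component fixed to 1, and challenges taken from Z_q.

```python
import secrets

# Toy Pedersen parameters (constructed for illustration): p = k*q + 1 with k = 2.
q, p = 1019, 2039
g = [4, 9, 25, 49]      # squares mod p, so order q; real keys need unknown discrete logs
h = 121

def com(ms, r):
    """com(m_1..m_n; r) = g_1^m_1 ... g_n^m_n h^r mod p (the slide's u fixed to 1)."""
    c = pow(h, r, p)
    for gi, mi in zip(g, ms):
        c = c * pow(gi, mi, p) % p
    return c

def first_message(n):
    d = [secrets.randbelow(q) for _ in range(n)]
    r_d = secrets.randbelow(q)
    return d, r_d, com(d, r_d)                        # prover sends c_d

def answer(e, m, pi, r, d, r_d):
    f = [(e * m[pi[i]] + d[i]) % q for i in range(len(m))]   # f_i = e*m_pi(i) + d_i
    return f, (e * r + r_d) % q                              # z = e*r + r_d

def verify(c, c_d, e, f, z):
    return 0 < c < p and 0 < c_d < p and pow(c, e, p) * c_d % p == com(f, z)

def simulate(c, e, n):
    """SHVZK simulator: choose f, z first, then set c_d = com(f; z) * c^(-e)."""
    f = [secrets.randbelow(q) for _ in range(n)]
    z = secrets.randbelow(q)
    return com(f, z) * pow(c, (q - e) % q, p) % p, f, z

def extract(e1, f1, e2, f2):
    """Two accepting answers to one c_d give mu_i = (f_i - f_i') / (e - e') mod q."""
    inv = pow((e1 - e2) % q, q - 2, q)
    return [(a - b) * inv % q for a, b in zip(f1, f2)]

def run():
    m, pi = [10, 20, 30, 40], [2, 0, 3, 1]            # constructed sample input
    r = secrets.randbelow(q)
    c = com([m[j] for j in pi], r)
    d, r_d, c_d = first_message(len(m))
    e1, e2 = 5, 17                                    # two distinct challenges
    (f1, z1), (f2, z2) = answer(e1, m, pi, r, d, r_d), answer(e2, m, pi, r, d, r_d)
    real = verify(c, c_d, e1, f1, z1) and verify(c, c_d, e2, f2, z2)
    sc, sf, sz = simulate(c, e1, len(m))
    return real, verify(c, sc, e1, sf, sz), extract(e1, f1, e2, f2), [m[j] for j in pi]
```

The extracted vector equals the committed contents in committed order, which is why the protocol is a proof of knowledge of an opening but says nothing yet about that opening being a permutation of m_1,...,m_n.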

27
Idea (Neff 2001)
Consider the polynomials (m_i - X) and (μ_i - X) in Z_q[X]
Are identical exactly when there exists π so μ_i = m_{π(i)}
Pick x at random and demonstrate (m_i - x) = (μ_i - x) mod q
With overwhelming probability not the case unless π exists
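An added example (not from the talk) of the random-point test behind Neff's idea, taking the two polynomials to be the products of the factors (m_i - X) and (μ_i - X). With a toy prime q = 1019, chosen here for illustration, it enumerates every challenge x to show that a non-permutation is accepted at no more than n - 1 points, while a true permutation is accepted everywhere.

```python
import secrets

q = 1019  # toy prime modulus, constructed for illustration

def prod_at(vals, x):
    """Evaluate the product of (v_i - x) over all v_i, mod q."""
    acc = 1
    for v in vals:
        acc = acc * (v - x) % q
    return acc

def accepts(m, mu, x=None):
    """Accept iff both product polynomials agree at the challenge point x."""
    if x is None:
        x = secrets.randbelow(q)       # verifier's random challenge
    return prod_at(m, x) == prod_at(mu, x)

def accepting_points(m, mu):
    """Exhaustively list every x in Z_q at which the test accepts."""
    return [x for x in range(q) if accepts(m, mu, x)]

def soundness_error(m, mu):
    """Fraction of challenges that wrongly accept when mu is not a permutation of m."""
    return len(accepting_points(m, mu)) / q
```

The leading terms of the two products cancel, so their difference has degree at most n - 1; with a 160-bit q the resulting error bound (n - 1)/q is negligible.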

28
Identical polynomials
Common: pk, c, m_1,...,m_n
x {0,1}
c_d, c_a, c_Δ
e {0,1}
f_i, z, f_{Δi}, z_Δ
c^e c_d = com(f_1,...,f_n; z)
c_a^e c_Δ = com(f_{Δ1},...,f_{Δn-1}; z_Δ)
f_i = eμ_i + d_i, f_{Δi} = eα_i + δ_i

29
Checking the polynomials f i = eμ i + d i, f Δi = eα i + δ i Let F 1 = f 1 -ex = e(μ 1 -x)+ d 1 Let eF i+1 = F i (f i+1 -ex) + f Δi e i F i+1 = e i-1 F i (f i+1 -ex) + f Δi = e i ( i (μ j -x) + poly i-1 (e)) (e(μ i+1 -x)+ d i+1 ) + e i-1 (eα i + δ i ) = e i+1 i+1 (μ j -x) + poly i (e) Check F n = e (m i -x) meaning e n (μ j -x) + poly n-1 (e) = e n (m i -x)

30
Completeness F i = e i (μ j -x) + Δ i F 1 = f 1 -ex = e(m π(1) -x) + d 1 Δ 1 = d 1 eF i+1 = F i (f i+1 -ex) + f Δi eα i + δ i = e 2 i+1 (m π(j) -x) + eΔ i+1 - e( i (m π(j) -x) + Δ i )(e(m π(i+1) -x) + d i+1 ) = e(Δ i+1 - i (m π(j) -x) d i+1 - Δ i (m π(i+1) -x)) - Δ i d i+1 F n = e (m i -x) Δ n = 0

31
SHVZK proof for known content
- 4-round public coin protocol
- Soundness – computational/unconditional
- SHVZK – statistical/computational
With Pedersen commitment variant:
Prover: 3n expos, 2|q|n bits
Verifier: 2n expos

32
Agenda
- Motivation – anonymous communication
- Mix-nets
- What is: A shuffle? Homomorphic encryption? Zero-knowledge proofs?
- ZK proof for shuffle of known contents
- Tool: Homomorphic commitments
- ZK proof for shuffle of homomorphic encryptions
- Comparison with other ZK proofs
- Efficiency improvements

33
A shuffle of homomorphic encryptions
[Figure: input e_1,...,e_n; π, R_1,...,R_n; output e_{π(1)} E(1;R_1),...,e_{π(n)} E(1;R_n)]

34
Idea
Want to show that e_1,...,e_n and E_1,...,E_n have the same plaintexts
1. Reveal π
2. Receive random challenges t_1,...,t_n {0,1}
3. Release Z so E(1;Z) e_i^{t_i} = E_i^{t_{π(i)}}
m_i^{t_i} = M_i^{t_{π(i)}}
1 = (M_i/m_{π(i)})^{t_{π(i)}}
Since Q has no small prime factors M_i = m_{π(i)}
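The shuffle from the "A shuffle of homomorphic encryptions" slides and the revealed-π check from the idea slide above, as an added Python example (not code from the talk or the paper). It assumes toy parameters P = 2039, Q = 1019, fixes the ElGamal variant's ± sign components to +1, draws the challenges t_i from 1..Q-1, and multiplies both sides of the check over all i; because π is revealed, this check alone is not zero-knowledge.

```python
import secrets

# Toy parameters (constructed for illustration): safe prime P = 2Q + 1.
Q, P, G = 1019, 2039, 4          # G = 2^2 is a square mod P, so it has order Q

def enc(Y, m, R):
    """E(m; R) = (G^R, Y^R * m) mod P; the slide's sign components are fixed to +1."""
    return (pow(G, R, P), pow(Y, R, P) * m % P)

def mul(a, b):
    """E(m1; R1) * E(m2; R2) = E(m1*m2; R1+R2), component-wise."""
    return (a[0] * b[0] % P, a[1] * b[1] % P)

def cpow(a, t):
    return (pow(a[0], t, P), pow(a[1], t, P))

def dec(x, ct):
    return ct[1] * pow(ct[0], Q - x, P) % P      # U^(Q-x) = U^(-x): U has order Q

def prod(cts):
    acc = (1, 1)
    for c in cts:
        acc = mul(acc, c)
    return acc

def shuffle(Y, e):
    """E_i = e_{pi(i)} * E(1; R_i) for a secret permutation pi and fresh R_i."""
    pi = list(range(len(e)))
    secrets.SystemRandom().shuffle(pi)
    R = [secrets.randbelow(Q) for _ in e]
    return [mul(e[pi[i]], enc(Y, 1, R[i])) for i in range(len(e))], pi, R

def check_revealed(Y, e, E, pi, t, Z):
    """With pi revealed: E(1;Z) * prod_i e_i^t_i == prod_i E_i^t_pi(i)."""
    lhs = mul(enc(Y, 1, Z), prod(cpow(e[i], t[i]) for i in range(len(e))))
    rhs = prod(cpow(E[i], t[pi[i]]) for i in range(len(E)))
    return lhs == rhs

def demo(cheat=False):
    x = secrets.randbelow(Q - 1) + 1              # secret key x
    Y = pow(G, x, P)                              # public key element Y = G^x
    msgs = [9, 25, 49, 121]                       # squares, so in the order-Q subgroup
    e = [enc(Y, m, secrets.randbelow(Q)) for m in msgs]
    E, pi, R = shuffle(Y, e)
    if cheat:
        E[0] = mul(E[0], enc(Y, 4, 0))            # mix-server alters one plaintext
    t = [secrets.randbelow(Q - 1) + 1 for _ in e] # verifier's nonzero challenges
    Z = sum(t[pi[i]] * R[i] for i in range(len(e))) % Q
    return check_revealed(Y, e, E, pi, t, Z), [dec(x, c) for c in E], [msgs[j] for j in pi]
```

An honest shuffle passes and decrypts to the permuted plaintexts; the altered output fails the check because the extra plaintext factor has order Q and the challenge is nonzero mod Q.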

35
Idea
1. Commit to π, commit to d_1,...,d_n {0,1} +80
Form E_d = E(1;R_d) E_i^{-d_i}
2. Receive challenges t_1,...,t_n {0,1}
3. Release f_1,...,f_n, Z so f_i = t_{π(i)} + d_i and E(1;Z) e_i^{t_i} = E_d E_i^{f_i}
m_i^{t_i} = (M_d M_i^{d_i}) M_i^{t_{π(i)}}
Z = R_d + t_{π(i)} R_i

36
Idea
1. Commit to π and d_1,...,d_n: c = com(π(1),...,π(n); r), c_d = com(-d_1,...,-d_n; r_d)
2. Receive challenges t_1,...,t_n
3. Send f_1,...,f_n
|q|> + 80
4. Receive challenge λ
5. Make SHVZK proof of known content for c^λ c_d com(f_1,...,f_n; 0) containing a permutation of λ + t_1,..., λn + t_n
Exists π so λμ_i + f_i - d_i = λπ(i) + t_{π(i)}
With overwhelming probability over λ we have μ_i = π(i) and f_i = t_{π(i)} + d_i

37
Full protocol
Common: pk, PK, e_1,...,e_n and E_1,...,E_n
Prover: π, R_1,...,R_n
Prover sends: c, c_d, E_d
Verifier sends: t_1,...,t_n {0,1}
Prover sends: f_1,...,f_n, Z
Verifier sends: λ {0,1}
SHVZK proof
Verifier: verify SHVZK proof; check E(1;Z) e_i^{t_i} = E_d E_i^{f_i}

38
Properties of shuffle proof
- 7-round public coin protocol
- Soundness – computational/unconditional
- SHVZK – statistical/computational
With Pedersen commitment and ElGamal variants:
Prover: 4n p-expos, 2n P-expos, 3|q|n bits
Verifier: 2n p-expos, 4n P-expos

39
Implementation (Stamer 2005)
Pedersen commitment: |p| = 1024, |q| = 160
ElGamal encryption: |P| = 1024, |Q| = 160
SHVZK proof of correct shuffle of 1024 ElGamal ciphertexts on AMD Duron 1.3 GHz
Prover: 14 seconds
Verifier: 5 seconds

40
Agenda
- Motivation – anonymous communication
- Mix-nets
- What is: A shuffle? Homomorphic encryption? Zero-knowledge proofs?
- ZK proof for shuffle of known contents
- Tool: Homomorphic commitments
- ZK proof for shuffle of homomorphic encryptions
- Comparison with other ZK proofs
- Efficiency improvements

41
Other shuffle proofs
- Invariance of roots of polynomials: Neff CCS01, Groth PKC03, Neff 03, Groth 05
- Permutation matrices: Furukawa & Sako Crypto01, Furukawa IEICE05
- Integer commitments: Wikström Asiacrypt05
- Linear ignorance assumption: Peng et al. Crypto05

42
Comparison of approaches
Pedersen, ElGamal: |p| = 1024, |q| = 160

| | Roots of poly | Permutation matrix |
| Rounds | 7 | 3 |
| Soundness | uncond./comp. | computational |
| SHVZK | comp./statistical | statistical |
| Prover expos | 6n | 7n |
| Prover sends | 480n bits | 1344n bits |
| Verifier expos | 6n | 8n |
| Key length | flexible (e.g. O(n)) | 1024n bits |

43
Agenda
- Motivation – anonymous communication
- Mix-nets
- What is: A shuffle? Homomorphic encryption? Zero-knowledge proofs?
- ZK proof for shuffle of known contents
- Tool: Homomorphic commitments
- ZK proof for shuffle of homomorphic encryptions
- Comparison with other ZK proofs
- Efficiency improvements

44
Adjusting the key length
Suggested Pedersen commitment variant had public key (q, p, g_1,...,g_n, h)
Assume wlog n = kl then we can instead use public key (q, p, g_1,...,g_k, h) and commit as c = (c_1,...,c_l) (com(m_1,...,m_k), com(m_{k+1},...,m_{2k}),...)

45
Randomization
c^e c_d = com(f_1,...,f_n; z)
c_a^e c_Δ = com(f_{Δ1},...,f_{Δn-1},0; z_Δ)
Pick α {0,1} at random and check (c^e c_d)^α c_a^e c_Δ = com(αf_1 + f_{Δ1},..., αf_n + 0; αz + z_Δ)
Many other randomization/batch verification possibilities

46
On-line/off-line computation
- Prover can precompute most values off-line (and in a mix-net also precompute the rerandomization of the ciphertexts)
- Only needs to compute E_d and c_a on-line

47
Picking the challenges
- Verifier picks seed for pseudorandom number generator and sends it to prover
- Prover generates t_1,...,t_n from this seed
- If Q = q verifier can simply send challenge t and let prover use t_1 = t^1 mod q,..., t_n = t^n mod q

48
Multi-exponentiation (Lim 00)
Computing a product g_i^{e_i} can be done in |e|n/(log n – log log n) multiplications
Prover, Verifier: 0.5n naïve single expos each for shuffling 100,000 ElGamal ciphertexts

49
Questions? Thank you
