Presentation is loading. Please wait.

Presentation is loading. Please wait.

Sub-linear Zero-Knowledge Argument for Correctness of a Shuffle Jens Groth University College London Yuval Ishai Technion and University of California.

Published byMalcolm Montgomery Modified over 9 years ago

Similar presentations

Presentation on theme: "Sub-linear Zero-Knowledge Argument for Correctness of a Shuffle Jens Groth University College London Yuval Ishai Technion and University of California."— Presentation transcript:

1 Sub-linear Zero-Knowledge Argument for Correctness of a Shuffle Jens Groth University College London Yuval Ishai Technion and University of California Los Angeles TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A AAAAA A A A A A A

2 Initial question Kilian 92 gave sub-linear size zero-knowledge argument for SAT Not practical though (SAT statement, PCP theorem,... ) Is there a practical sub-linear zero-knowledge argument? Yes! We will give sub-linear shuffle argument

3 Mix-net: Anonymous message broadcast m π (1) m π (2) m π (N) … π1π1 π2π2 π = π 1 π 2 m1m1 m2m2 mNmN Threshold decryption

4 Problem: Corrupt mix-server m π (1) m π (2) m´ π (N) … π1π1 π2π2 π = π 1 π 2 m1m1 m2m2 mNmN Threshold decryption

5 Solution: Zero-knowledge argument m π (1) m π (2) m π (N) … π1π1 π2π2 π = π 1 π 2 m1m1 m2m2 mNmN Threshold decryption Server 1 ZK argument No message changed (soundness) Server 2 ZK argument Permutation still secret (zero-knowledge)

6 ElGamal encryption Setup:Group G of prime order q with generator g Public key:pk = y = g x Encryption:E pk (m; r) = (g r, y r m) Decryption:D x (u,v) = vu -x Homomorphic: E pk (m; r) × E pk (M; R) = E pk (mM; r+R) Re-randomization: E pk (m; r) × E pk (1; R) = E pk (m; r+R)

7 e 1 e 2 e 3 e 4 e 5 Shuffle e ¼ ( 1 ) e ¼ ( 2 ) e ¼ ( 3 ) e ¼ ( 4 ) e ¼ ( 5 ) E 1 E 2 E 3 E 4 E 5 Input ciphertexts e 1,…,e N Permuteto get e π (1),…,e π (N) Re-randomize themE i = e π (i) × E pk (1;R i ) Output ciphertextsE 1,...,E N

8 Zero-knowledge shuffle argument Statement: (pk,e 1,...,e N,E 1,...,E N ) ProverVerifier , R 1,...,R N  Sound: Shuffle is correct Zero-knowledge: Nothing but truth revealed; permutation is secret

9 Public coin honest verifier zero-knowledge Statement: (pk,e 1,...,e N,E 1,...,E N ) ProverVerifier Setup: (G,q,g) and common random string Public coin: Random challenges from Z q Honest verifier zero-knowledge Nothing but truth revealed; permutation secret Can convert to standard zero-knowledge argument

10 Non-interactive zero-knowledge argument Setup: (G,q,g) and common reference string Statement: (pk,e 1,...,e N,E 1,...,E N ) ProverVerifier Fiat-Shamir 86: Compute challenges using cryptographic hash-function Anybody

11 Non-interactive zero-knowledge argument Setup: (G,q,g) and common reference string Statement: (pk,e 1,...,e N,E 1,...,E N ) Prover

12 History Cut-and-chooseO(Nks) bits Abe 99 (Abe-Hoshino 01)O(N log(N)k) bits Furukawa-Sako 01O(Nk) bits (Furukawa 05, Groth-Lu 07) Neff 01 (Groth 03)O(Nk) bits OthersO(Nk) bits This workO(N 2/3 k) bits

13 Our contribution 7-move public coin honest verifier zero-knowledge argument for correctness of shuffle in common random string model Communication:O(m 2 +N/m)k bits Prover computation:O(mN) expos Verifier computation:O(N) expos Previous O(N)k O(N) Fiat-Shamir heuristic: Prover only computes once

14 Concrete example Back-of-envelope estimates ElGamal over elliptic curve (256 bit) Shuffle N = 100,000 ciphertexts (88Mbits) m = 10 Optimized with multi-exponentiation, batch- verification, etc. Estimated cost Communication8 Mbits Prover comp. 143 sec. Verifier comp.5 sec. Groth 03 77 Mbits 18 sec. 14 sec.

15 Tools Inspired by [IKO07] we will not use full-blown PCPs Pedersen commitment to multiple messages Batch verification using Schwartz-Zippel lemma with probability at most d/q

16 HVZK shuffle argument Setup: Statement: Prover Verifier

17 HVZK shuffle argument ProverVerifier Schwartz-Zippel lemma implies or else only probability 2/q of polynomial equality

18 HVZK shuffle argument Setup: Statement: Prover Verifier

19 The second HVZK argument Setup: Statement:

20 Main idea Schwartz-Zippel lemma implies

21 Argument for correct shuffle of ElGamal ciphertexts Honest verifier zero-knowledge Argument of knowledge Random string model 7-moves Public coin Cost CommunicationO(m 2 +N/m)k bits Prover computationO(mN) expos Verifier computationO(N) expos Generalizations -Homomorphic cryptosystems (e.g. Paillier) -8-move zero-knowledge argument of knowledge for correctness of a shuffle in plain model

22 Future work: Beyond shuffling Can generalize techniques to arithmetic circuits. Public coin honest verifier zero-knowledge argument for arithmetic circuit over Z q of size O(|C| 2/3 k)

23 Thanks Questions?

Download ppt "Sub-linear Zero-Knowledge Argument for Correctness of a Shuffle Jens Groth University College London Yuval Ishai Technion and University of California."

Similar presentations

Perfect Non-interactive Zero-Knowledge for NP

Perfect Non-interactive Zero-Knowledge for NP
Short Pairing-based Non-interactive Zero-Knowledge Arguments Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual.

Short Pairing-based Non-interactive Zero-Knowledge Arguments Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual.
Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.

Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.
Non-interactive Zero- Knowledge Arguments for Voting Jens Groth UCLA.

Non-interactive Zero- Knowledge Arguments for Voting Jens Groth UCLA.
Short Non-interactive Zero-Knowledge Proofs

Short Non-interactive Zero-Knowledge Proofs
A Verifiable Secret Shuffle of Homomorphic Encryptions Jens Groth UCLA On ePrint archive:

A Verifiable Secret Shuffle of Homomorphic Encryptions Jens Groth UCLA On ePrint archive:
Multi-Query Computationally-Private Information Retrieval with Constant Communication Rate Jens Groth, University College London Aggelos Kiayias, University.

Multi-Query Computationally-Private Information Retrieval with Constant Communication Rate Jens Groth, University College London Aggelos Kiayias, University.
Efficient Zero-Knowledge Argument for Correctness of a Shuffle Stephanie Bayer University College London Jens Groth University College London.

Efficient Zero-Knowledge Argument for Correctness of a Shuffle Stephanie Bayer University College London Jens Groth University College London.
Efficient Non-interactive Proof Systems for Bilinear Groups Jens Groth University College London Amit Sahai University of California Los Angeles TexPoint.

Efficient Non-interactive Proof Systems for Bilinear Groups Jens Groth University College London Amit Sahai University of California Los Angeles TexPoint.
On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.

On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.

Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.
Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.

Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
Probabilistically checkable proofs, hidden random bits and non-interactive zero-knowledge proofs Jens Groth University College London TexPoint fonts used.

Probabilistically checkable proofs, hidden random bits and non-interactive zero-knowledge proofs Jens Groth University College London TexPoint fonts used.
Auditable Privacy: On Tamper-Evident Mix Networks Jong Youl Choi Dept. of Computer Science Indiana University at Bloomington Philippe Golle Palo Alto Research.

Auditable Privacy: On Tamper-Evident Mix Networks Jong Youl Choi Dept. of Computer Science Indiana University at Bloomington Philippe Golle Palo Alto Research.
Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.

Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.
1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.

1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London FOSAD 2014.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London FOSAD 2014.

Similar presentations

Ads by Google