
A Verifiable Secret Shuffle of Homomorphic Encryptions

A Verifiable Secret Shuffle of Homomorphic Encryptions. Jens Groth, UCLA. On ePrint archive: http://eprint.iacr.org/2005/246. Agenda: Motivation – anonymous communication; What is a shuffle? Homomorphic encryption? Zero-knowledge proofs?; ZK proof for shuffle of known contents.





Presentation Transcript


  1. A Verifiable Secret Shuffle of Homomorphic Encryptions
     Jens Groth, UCLA
     On ePrint archive: http://eprint.iacr.org/2005/246

  2. Agenda
     • Motivation – anonymous communication
     • What is a shuffle? Homomorphic encryption? Zero-knowledge proofs?
     • ZK proof for shuffle of known contents
     • Tool: Homomorphic commitments
     • ZK proof for shuffle of homomorphic encryptions
     • Comparison with other ZK proofs
     • Efficiency improvements

  3. Anonymous communication
     Sender 1, ..., Sender n submit m_1, ..., m_n to a Mixer (permutation π, run by mix-servers),
     which outputs m_{π(1)}, ..., m_{π(n)}.

  4. Encryption
     • Rerandomization property: E(m) → E´(m)
     • Threshold decryption property: t mix-servers can decrypt; t-1 mix-servers do not learn anything

  5. Mix-net
     Senders submit E(m_1), ..., E(m_n).
     The mix-net (permutation π, run by mix-servers) outputs E´(m_{π(1)}), ..., E´(m_{π(n)}).
     Threshold decryption by at least t mix-servers yields m_{π(1)}, ..., m_{π(n)}.

  6. Mix-net
     Mix-server 1 (π_1): E(m_1), ..., E(m_n) → E´(m_{π_1(1)}), ..., E´(m_{π_1(n)})
     ...
     Mix-server N (π_N): ... → E´´´(m_{π(1)}), ..., E´´´(m_{π(n)})
     π = π_N ∘ ... ∘ π_1

  7. A shuffle
     E(m_1), ..., E(m_n) → (π) → E´(m_{π(1)}), ..., E´(m_{π(n)})

  8. Agenda
     • Motivation – anonymous communication
     • Mix-nets
     • What is a shuffle? Homomorphic encryption? Zero-knowledge proofs?
     • ZK proof for shuffle of known contents
     • Tool: Homomorphic commitments
     • ZK proof for shuffle of homomorphic encryptions
     • Comparison with other ZK proofs
     • Efficiency improvements

  9. Homomorphic encryption
     • Homomorphic property: E(m_1·m_2; R_1+R_2) = E(m_1; R_1)·E(m_2; R_2)
     • Rerandomization: E(m; R_1+R_2) = E(m; R_1)·E(1; R_2)
     • Message space order Q has no small prime factors
     • Root extraction property: see paper

  10. ElGamal variant
     Keys: primes Q, P with P = 2Q + 1; random elements G, Y of order Q
       PK = (Q, P, G, Y), SK = (PK, x) with Y = G^x
     Encryption: E(m; (±1, ±1, R)) = (±G^R mod P, ±Y^R·m mod P)
     Ciphertext verification: (U, V) is a valid ciphertext if 0 < U < P and 0 < V < P

  11. A shuffle of homomorphic encryptions
     e_1, ..., e_n → (π, R_1, ..., R_n) → E_1 = e_{π(1)}·E(1; R_1), ..., E_n = e_{π(n)}·E(1; R_n)

  12. Verifiability?
     e_1, ..., e_n → (π, R_1, ..., R_n) → E_1, ..., E_n
     How can anyone check that E_1, ..., E_n really is a shuffle of e_1, ..., e_n?

  13. Zero-knowledge proof
     • Complete: a prover with π, R_1, ..., R_n can convince anybody of the correctness of the shuffle
     • Sound: if it is not a valid shuffle, it is impossible to convince others of the correctness of the shuffle
     • Zero-knowledge: the prover does not reveal anything beyond the correctness of the shuffle

  14. Special honest verifier zero-knowledge (SHVZK)
     Statement: PK, e_1, ..., e_n, E_1, ..., E_n (and a little more)
     Real proof: prover (knowing π, R_1, ...) sends a_1, receives challenge c_1, sends a_2, ...
     Simulated proof: simulator, given the challenges (c_1, ...) in advance, produces a_1, a_2, ...
     (a_1, c_1, a_2, ...) from the real proof is indistinguishable from (a_1, c_1, a_2, ...) from the simulation

  15. Computational/statistical
     • Soundness
       • Unconditional: No adversary can make a valid proof for a false statement
       • Computational: A polynomial time adversary cannot make a valid proof for a false statement
     • Special honest verifier zero-knowledge
       • Statistical: No adversary can distinguish real proofs from simulated proofs
       • Computational: A polynomial time adversary cannot distinguish real proofs from simulated proofs

  16. Main result
     A 7-round public coin SHVZK proof for correctness of a shuffle of homomorphic encryptions
     Optional: unconditional soundness or statistical SHVZK; key length vs efficiency


  18. Non-interactive commitment
     Public key
     Commitment: c = commit(m; r)
     Opening: given c, m, r check that c = commit(m; r)

  19. Commitment
     • Binding
       • Unconditional: There is at most one way the committer can open a commitment c
       • Computational: A polynomial time adversary cannot find c, m_1, r_1, m_2, r_2 so that c = commit(m_1; r_1) = commit(m_2; r_2) and m_1 ≠ m_2
     • Hiding
       • Statistical: Commitments to m and 0 have the same distribution
       • Computational: A polynomial time adversary cannot distinguish a random commitment to m ≠ 0 from a random commitment to 0

  20. Homomorphic commitment
     Homomorphic property: com(m_1+m_1´, ..., m_n+m_n´; r_1+r_2) = com(m_1, ..., m_n; r_1)·com(m_1´, ..., m_n´; r_2)
     Message space: Z_q^n with q prime
     Root extraction property: given c, m_1, ..., m_n, r, e with gcd(e, q) = 1 and c^e = com(m_1, ..., m_n; r),
       we can efficiently compute r´ so that c = com(m_1/e, ..., m_n/e; r´)

  21. Pedersen commitment variant
     Public key: primes q, p with p = kq + 1; random elements g_1, ..., g_n, h of order q
       pk = (q, p, g_1, ..., g_n, h)
     Commitment: com(m_1, ..., m_n; (u, r)) = u·g_1^{m_1}···g_n^{m_n}·h^r mod p, where u^k = 1 mod p
     Commitment verification: valid if 0 < c < p

  22. Shuffle of known content
     m_1, ..., m_n → (π, r) → com(m_{π(1)}, ..., m_{π(n)}; r)

  23. SHVZK proof for shuffle of known content
     A 4-round public coin SHVZK proof of knowledge for a commitment to a permutation of publicly known messages m_1, ..., m_n
     Optional: unconditional soundness or statistical SHVZK; key length vs efficiency

  24. Knowledge of contents
     Common: pk, c, m_1, ..., m_n
     Prover: π, r with c = com(m_{π(1)}, ..., m_{π(n)}; r)
     Prover → Verifier: c_d = com(d_1, ..., d_n; r_d)
     Verifier → Prover: e ∈ {0,1}^ℓ
     Prover → Verifier: f_i = e·m_{π(i)} + d_i, z = e·r + r_d
     Check: c^e·c_d = com(f_1, ..., f_n; z)

  25. Special HVZK
     Common: pk, c, m_1, ..., m_n
     Simulator: given e ∈ {0,1}^ℓ, pick f_i ∈ Z_q, z ∈ Z_q and set c_d = com(f_1, ..., f_n; z)·c^{-e}
     Check: c^e·c_d = com(f_1, ..., f_n; z)

  26. Knowledge
     Common: pk, c, m_1, ..., m_n
     c_d = com(d_1, ..., d_n; r_d); two challenges e, e´ ∈ {0,1}^ℓ answered by (f_i, z) and (f_i´, z´)
     c^e·c_d = com(f_1, ..., f_n; z) and c^{e´}·c_d = com(f_1´, ..., f_n´; z´)
     c^{e-e´} = com(f_1-f_1´, ..., f_n-f_n´; z-z´)
     Root extraction: c = com(μ_1, ..., μ_n; r)
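The three slides above (prover, simulator, extractor) as an added, runnable toy example; this is not the slides' or the paper's code. It assumes the slide 21 commitment with k = 1 (so u = 1) and constructed toy primes q = 11, p = 23, which are far too small to be secure; `ms` is the committed vector, i.e. (m_{π(1)}, ..., m_{π(n)}) in slide 24's notation.

```python
import random

q, p = 11, 23                         # constructed toy primes, p = 2q + 1 (the k = 1 case)
g = [pow(a, 2, p) for a in (2, 3, 5)] # g_1, g_2, g_3: nontrivial squares mod p have order q
h = pow(7, 2, p)                      # h of order q
n = len(g)

def com(ms, r):
    """com(m_1,...,m_n; r) = g_1^m_1 ... g_n^m_n h^r mod p (slide 21 with u = 1)."""
    c = pow(h, r, p)
    for gi, mi in zip(g, ms):
        c = c * pow(gi, mi, p) % p
    return c

def commit_phase(ms):
    """Prover's first move (slide 24): c_d = com(d_1,...,d_n; r_d) with random d_i, r_d."""
    ds = [random.randrange(q) for _ in ms]
    rd = random.randrange(q)
    return ds, rd, com(ds, rd)

def respond(ms, r, ds, rd, e):
    """Prover's answer to challenge e: f_i = e*m_i + d_i, z = e*r + r_d (mod q)."""
    fs = [(e * m + d) % q for m, d in zip(ms, ds)]
    return fs, (e * r + rd) % q

def verify(c, cd, e, fs, z):
    """Verifier's check: c^e * c_d == com(f_1,...,f_n; z)."""
    return pow(c, e, p) * cd % p == com(fs, z)

def simulate(c, e):
    """SHVZK simulator (slide 25): choose f_i, z first, then c_d = com(f; z) * c^{-e}."""
    fs = [random.randrange(q) for _ in range(n)]
    z = random.randrange(q)
    return com(fs, z) * pow(c, -e, p) % p, fs, z

def extract(e1, fs1, z1, e2, fs2, z2):
    """Knowledge extractor (slide 26): two accepting answers to the same c_d with
    e1 != e2 open c^(e1-e2); dividing by e1-e2 (invertible mod prime q) opens c."""
    inv = pow((e1 - e2) % q, -1, q)
    mus = [((a - b) * inv) % q for a, b in zip(fs1, fs2)]
    return mus, ((z1 - z2) * inv) % q
```

Simulated transcripts pass `verify` exactly like real ones, which is the SHVZK property; rewinding the prover to a second challenge lets `extract` recover the committed vector, which is the knowledge property.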

  27. Idea (Neff 2001)
     Consider the polynomials ∏(m_i - X) and ∏(μ_i - X) in Z_q[X].
     They are identical exactly when there exists π so that μ_i = m_{π(i)}.
     Pick x at random and demonstrate ∏(m_i - x) = ∏(μ_i - x) mod q.
     With overwhelming probability this does not hold unless such a π exists.

  28. Identical polynomials
     Common: pk, c, m_1, ..., m_n
     Verifier → Prover: x ∈ {0,1}^ℓ
     Prover → Verifier: c_d, c_a, c_Δ
     Verifier → Prover: e ∈ {0,1}^ℓ
     Prover → Verifier: f_i, z, f_{Δi}, z_Δ
     Check: c^e·c_d = com(f_1, ..., f_n; z) and c_a^e·c_Δ = com(f_{Δ1}, ..., f_{Δ,n-1}; z_Δ)
     where f_i = e·μ_i + d_i and f_{Δi} = e·α_i + δ_i

  29. Checking the polynomials
     f_i = e·μ_i + d_i, f_{Δi} = e·α_i + δ_i
     Let F_1 = f_1 - e·x = e(μ_1 - x) + d_1
     Let e·F_{i+1} = F_i·(f_{i+1} - e·x) + f_{Δi}
     Then e^i·F_{i+1} = e^{i-1}·F_i·(f_{i+1} - e·x) + e^{i-1}·f_{Δi}
       = (e^i·∏_{j≤i}(μ_j - x) + poly_{i-1}(e))·(e(μ_{i+1} - x) + d_{i+1}) + e^{i-1}(e·α_i + δ_i)
       = e^{i+1}·∏_{j≤i+1}(μ_j - x) + poly_i(e)
     Check F_n = e·∏(m_i - x), meaning e^n·∏(μ_j - x) + poly_{n-1}(e) = e^n·∏(m_i - x)

  30. Completeness
     F_i = e·∏_{j≤i}(m_{π(j)} - x) + Δ_i
     F_1 = f_1 - e·x = e(m_{π(1)} - x) + d_1, so Δ_1 = d_1
     e·F_{i+1} = F_i·(f_{i+1} - e·x) + f_{Δi} gives
     e·α_i + δ_i = e^2·∏_{j≤i+1}(m_{π(j)} - x) + e·Δ_{i+1} - (e·∏_{j≤i}(m_{π(j)} - x) + Δ_i)·(e(m_{π(i+1)} - x) + d_{i+1})
       = e(Δ_{i+1} - d_{i+1}·∏_{j≤i}(m_{π(j)} - x) - Δ_i(m_{π(i+1)} - x)) - Δ_i·d_{i+1}
     F_n = e·∏(m_i - x) since Δ_n = 0

  31. SHVZK proof for known content
     • 4-round public coin protocol
     • Soundness – computational/unconditional
     • SHVZK – statistical/computational
     With Pedersen commitment variant: Prover 3n expos, 2|q|n bits; Verifier 2n expos


  33. A shuffle of homomorphic encryptions
     e_1, ..., e_n → (π, R_1, ..., R_n) → E_1 = e_{π(1)}·E(1; R_1), ..., E_n = e_{π(n)}·E(1; R_n)

  34. Idea
     Want to show that e_1, ..., e_n and E_1, ..., E_n have the same plaintexts
     1. Reveal π
     2. Receive random challenges t_1, ..., t_n ∈ {0,1}^ℓ
     3. Release Z so that E(1; Z)·∏ e_i^{t_i} = ∏ E_i^{t_{π(i)}}
     Then ∏ m_i^{t_i} = ∏ M_i^{t_{π(i)}}, so 1 = ∏ (M_i/m_{π(i)})^{t_{π(i)}}
     Since Q has no small prime factors, M_i = m_{π(i)}
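The ElGamal variant of slide 10 (the +1, +1 sign case only), the re-randomizing shuffle of slides 11/33, and the reveal-π consistency check of slide 34, as an added toy example that is not the slides' or the paper's code. It assumes constructed parameters Q = 11, P = 2Q + 1 = 23 and a single-key decryption in place of threshold decryption; nothing here is of secure size.

```python
Q, P = 11, 23              # constructed toy primes, P = 2Q + 1
G = 4                      # 2^2 mod 23: an element of order Q
x = 6                      # secret key, constructed
Y = pow(G, x, P)           # public key component Y = G^x

def enc(m, R):
    """E(m; R) = (G^R mod P, Y^R * m mod P); m should lie in the order-Q subgroup."""
    return (pow(G, R, P), pow(Y, R, P) * m % P)

def dec(ct):
    """Single-key decryption V / U^x (threshold decryption is not modelled here)."""
    U, V = ct
    return V * pow(U, -x, P) % P

def mul(a, b):
    """Homomorphic property: E(m1; R1) * E(m2; R2) = E(m1*m2; R1+R2)."""
    return (a[0] * b[0] % P, a[1] * b[1] % P)

def cpow(a, t):
    """Ciphertext raised to a scalar, component-wise."""
    return (pow(a[0], t, P), pow(a[1], t, P))

def shuffle(cts, perm, Rs):
    """E_i = e_{pi(i)} * E(1; R_i): permute and re-randomize (slide 11)."""
    return [mul(cts[perm[i]], enc(1, Rs[i])) for i in range(len(cts))]

def response(perm, Rs, ts):
    """Slide 34, step 3: Z = sum_i t_{pi(i)} * R_i mod Q."""
    return sum(ts[perm[i]] * Rs[i] for i in range(len(Rs))) % Q

def check(cts, outs, perm, ts, Z):
    """Slide 34 verifier: E(1; Z) * prod e_i^{t_i} == prod E_i^{t_{pi(i)}}."""
    lhs, rhs = enc(1, Z), (1, 1)
    for i in range(len(cts)):
        lhs = mul(lhs, cpow(cts[i], ts[i]))
        rhs = mul(rhs, cpow(outs[i], ts[perm[i]]))
    return lhs == rhs
```

With π revealed this is not zero-knowledge; slides 35 to 37 replace step 1 by a commitment to π and prove the relation between t_i and f_i in zero knowledge instead.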

  35. Idea
     1. Commit to π; commit to d_1, ..., d_n ∈ {0,1}^{ℓ+80}; form E_d = E(1; R_d)·∏ E_i^{-d_i}
     2. Receive challenges t_1, ..., t_n ∈ {0,1}^ℓ
     3. Release f_1, ..., f_n, Z so that f_i = t_{π(i)} + d_i and E(1; Z)·∏ e_i^{t_i} = E_d·∏ E_i^{f_i}
     Then ∏ m_i^{t_i} = (M_d·∏ M_i^{d_i})·∏ M_i^{t_{π(i)}}
     Z = R_d + Σ t_{π(i)}·R_i

  36. Protocol outline
     1. Commit to π and d_1, ..., d_n: c = com(π(1), ..., π(n); r), c_d = com(-d_1, ..., -d_n; r_d)
     2. Receive challenges t_1, ..., t_n
     3. Send f_1, ..., f_n, with |q| > ℓ + 80
     4. Receive challenge λ
     5. Make SHVZK proof of known content for c^λ·c_d·com(f_1, ..., f_n; 0) containing a permutation of λ·1 + t_1, ..., λ·n + t_n
     Idea: there exists π so that λ·μ_i + f_i - d_i = λ·π(i) + t_{π(i)}.
     With overwhelming probability over λ we have μ_i = π(i) and f_i = t_{π(i)} + d_i.

  37. Full protocol
     Common: pk, PK, e_1, ..., e_n and E_1, ..., E_n
     Prover: π, R_1, ..., R_n
     Prover → Verifier: c, c_d, E_d
     Verifier → Prover: t_1, ..., t_n ∈ {0,1}^ℓ
     Prover → Verifier: f_1, ..., f_n, Z
     Verifier → Prover: λ ∈ {0,1}^ℓ
     Prover → Verifier: SHVZK proof
     Verifier: verify the SHVZK proof; check E(1; Z)·∏ e_i^{t_i} = E_d·∏ E_i^{f_i}

  38. Properties of shuffle proof
     • 7-round public coin protocol
     • Soundness – computational/unconditional
     • SHVZK – statistical/computational
     With Pedersen commitment and ElGamal variants: Prover 4n p-expos, 2n P-expos, 3|q|n bits; Verifier 2n p-expos, 4n P-expos

  39. Implementation (Stamer 2005)
     Pedersen commitment |p| = 1024, |q| = 160
     ElGamal encryption |P| = 1024, |Q| = 160
     SHVZK proof of correct shuffle of 1024 ElGamal ciphertexts on AMD Duron 1.3 GHz:
     Prover 14 seconds, Verifier 5 seconds


  41. Other shuffle proofs
     • Invariance of roots of polynomials: Neff CCS01, Groth PKC03, Neff 03, Groth 05
     • Permutation matrices: Furukawa & Sako Crypto01, Furukawa IEICE05
     • Integer commitments: Wikström Asiacrypt05
     • Linear ignorance assumption: Peng et al. Crypto05

  42. Comparison of approaches (Pedersen, ElGamal, |p| = 1024, |q| = 160)
                        Roots of poly             Permutation matrix
     Rounds             7                         3
     Soundness          uncond./comp.             computational
     SHVZK              comp./statistical         statistical
     Prover expos       6n                        8n (6n)
     Prover sends       480n bits                 1344n bits
     Verifier expos     6n                        8n (7n)
     Key length         flexible (e.g. O(√n))     1024n bits


  44. Adjusting the key length
     The suggested Pedersen commitment variant had public key (q, p, g_1, ..., g_n, h).
     Assume wlog n = k·l. Then we can instead use public key (q, p, g_1, ..., g_k, h) and commit as
     c = (c_1, ..., c_l) = (com(m_1, ..., m_k), com(m_{k+1}, ..., m_{2k}), ...)

  45. Randomization
     Instead of checking c^e·c_d = com(f_1, ..., f_n; z) and c_a^e·c_Δ = com(f_{Δ1}, ..., f_{Δ,n-1}, 0; z_Δ) separately,
     pick α ∈ {0,1}^ℓ at random and check (c^e·c_d)^α·c_a^e·c_Δ = com(α·f_1 + f_{Δ1}, ..., α·f_n + 0; α·z + z_Δ)
     Many other randomization/batch verification possibilities

  46. On-line/off-line computation
     • Prover can precompute most values off-line (and in a mix-net also precompute the rerandomization of the ciphertexts)
     • Only needs to compute E_d and c_a on-line

  47. Picking the challenges
     Verifier picks a seed for a pseudorandom number generator and sends it to the prover;
     the prover generates t_1, ..., t_n from this seed.
     If Q = q the verifier can simply send a challenge t and let the prover use t_1 = t^1 mod q, ..., t_n = t^n mod q

  48. Multi-exponentiation (Lim 00)
     Computing a product ∏ g_i^{e_i} can be done in |e|·n/(log n – log log n) multiplications
     Prover, Verifier ≈ 0.5n naïve single expos each for shuffling 100,000 ElGamal ciphertexts

  49. Questions?
     Thank you
