Efficient Zero-Knowledge Argument for Correctness of a Shuffle

Stephanie Bayer

University College London

Jens Groth

University College London

Motivation – e-voting
  • Voting:
    • Voter casts secret vote
    • Authorities reveal votes in random permuted order
  • E-voting:
    • Voter casts secret votes on a computer
    • The votes are sent to a server, which sends all votes to the central authorities
    • Authorities reveal votes in random permuted order
Background - ElGamal encryption
  • Setup: Group G of prime order with generator
  • Public key:
  • Encryption: E() = ()
  • Decryption: D() =
  • Homomorphic:
  • E() ×E() = E()
  • Re-encryption:
  • E() ×E() = E()
Shuffle

. . .

Input ciphertexts

Permute to get

Re-encrypt them E()

Output ciphertexts

. . .

Mix-net:

Threshold decryption


Problem: Corrupt mix-server

Threshold decryption
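
The shuffle and the corrupt mix-server problem above, as an added example (not part of the slides or the authors' implementation). The toy group, the ballot values and all function names are assumptions; it shows that a re-encryption shuffle preserves the decrypted multiset, while a server that swaps in a forged ciphertext produces output of exactly the same form.

```python
import random

# Toy parameters, constructed for this example (far too small for real use):
# P = 2Q + 1 is a safe prime; G generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4

def keygen(rng):
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)                 # secret x, public key y = G^x

def encrypt(y, m, r):
    return (pow(G, r, P), m * pow(y, r, P) % P)

def decrypt(x, c):
    u, v = c
    return v * pow(u, Q - x, P) % P        # v / u^x, because u^Q = 1

def mul(c1, c2):
    # Homomorphic product: E(m1; r1) * E(m2; r2) = E(m1*m2; r1+r2)
    return (c1[0] * c2[0] % P, c1[1] * c2[1] % P)

def shuffle(y, cts, rng):
    # Permute, then re-encrypt by multiplying each ciphertext with E(1; rho).
    perm = list(range(len(cts)))
    rng.shuffle(perm)
    return [mul(cts[i], encrypt(y, 1, rng.randrange(1, Q))) for i in perm]

def corrupt_shuffle(y, cts, rng, forged):
    # Corrupt mix-server: output looks the same, but one message is replaced.
    out = shuffle(y, cts, rng)
    out[0] = encrypt(y, forged, rng.randrange(1, Q))
    return out

def demo(seed=1):
    rng = random.Random(seed)              # fixed seed for a repeatable demo
    x, y = keygen(rng)
    votes = [pow(G, v, P) for v in (1, 2, 2, 1, 2)]   # constructed ballots
    cts = [encrypt(y, m, rng.randrange(1, Q)) for m in votes]
    tally = lambda out: sorted(decrypt(x, c) for c in out)
    honest = tally(shuffle(y, cts, rng))
    corrupt = tally(corrupt_shuffle(y, cts, rng, pow(G, 3, P)))
    return sorted(votes), honest, corrupt

if __name__ == "__main__":
    print(demo())
```

Only the holder of the decryption key can tell the two outputs apart, which is why the mix-server must prove correctness without revealing the permutation.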

Solution: Zero-knowledge argument

Threshold decryption

ZK argument: Permutation still secret (zero-knowledge)

ZK argument: No message changed (soundness)

N

Zero-Knowledge Argument

Statement: ()

Prover

Verifier

The Shuffle was done correctly

Requested Properties:

  • Soundness: The Verifier rejects with overwhelming probability if the Prover tries to cheat
  • Zero-Knowledge: Nothing but the truth is revealed; permutation is secret
  • Efficient: Small computation and small communication complexity

Public coin honest verifier zero-knowledge

Setup: (G,,) and common reference string

Statement: ()

Honest verifier zero-knowledge: Nothing but truth revealed; permutation secret

Prover Verifier

Can convert to standard zero-knowledge argument

Our contribution
  • 9-move public coin honest verifier zero-knowledge argument for correctness of shuffle in common reference string model
  • For ciphertexts
  • Communication: O()k bits
  • Prover’s computation: O() expos
  • Verifier’s computation: O() expos
Commitments
  • Commit to a column vector Z as A=com()
  • Length reducing
  • Computational binding
  • Perfectly hiding
  • Homomorphic
  • com(;)*com(;) = com(; )
  • Pedersen Commitment: com(;) =
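
The commitment properties listed above, as an added example (not from the slides or the authors' code). It is a Pedersen commitment to a vector in a toy group, with the homomorphic product and a brute-force search that finds a second opening. The group parameters, the hash-derived generators and the function names are assumptions made for this example.

```python
import hashlib

P, Q = 2039, 1019   # toy safe prime P = 2Q + 1, constructed; not secure

def generator(label):
    # Hash into [2, P-2] and square: a quadratic residue != 1, so order Q.
    d = hashlib.sha256(label.encode()).digest()
    return pow(2 + int.from_bytes(d, "big") % (P - 3), 2, P)

N = 4
H = generator("h")
GS = [generator(f"g{i}") for i in range(N)]

def commit(vec, r):
    # com(a; r) = H^r * prod_i G_i^{a_i}: N values in, one group element out.
    c = pow(H, r % Q, P)
    for g, a in zip(GS, vec):
        c = c * pow(g, a % Q, P) % P
    return c

def add(c1, c2):
    # Homomorphic: com(a; r) * com(b; s) = com(a + b; r + s)
    return c1 * c2 % P

def second_opening(c, other_vec):
    # Perfect hiding: every vector has exactly one r' that opens c to it.
    # Finding r' breaks binding; exhaustive search works only because Q is tiny.
    for r in range(Q):
        if commit(other_vec, r) == c:
            return r
    return None
```

In a group of cryptographic size the same second opening still exists, but finding it requires solving a discrete logarithm, which is what "computational binding" means here.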
Techniques - Sublinear cost
  • Length reducing commitments
  • Batch verification
  • Structured Vandermonde challenges

Sublinear communication cost

Shuffle argument
  • Given public keys and
  • Given ciphertexts and
  • Prover knows permutation and randomizers and wants to convince the verifier E() E()
Shuffle argument

The prover commits to a permutation by committing to

  • Verifier sends challenge Z

The prover commits to

The prover gives an argument that both commitments are constructed using the same permutation

The prover demonstrates that the input ciphertexts are permuted using the same permutation and knowledge of the randomizers used in the re-encryption.

Shuffle argument
  • Prover commits to as
  • A=com()=com()
  • and after receiving challenge Z to
  • B= com() =com(s)

Both polynomials are equal, only the roots are permuted

Inexpensive: see full paper

  • Prover gives product argument for A, B such that
  • =

Expensive: will sketch idea

  • Sketch idea focusing on soundness
  • Ignore ZK (easy and cheap to add)
  • Will also for simplicity assume randomness
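
The "same polynomial, roots permuted" check above, worked in the clear as an added example (not from the slides or the authors' code). The slide's formulas did not survive extraction, so the concrete form is an assumption taken from the published Bayer-Groth construction: a_i = π(i), b_i = x^{π(i)}, with challenges named x, y, z here. The real argument proves the product relation about committed values instead of revealing them.

```python
Q = 1019  # toy prime field Z_Q, constructed; a real q has hundreds of bits

def prod(vals):
    out = 1
    for v in vals:
        out = out * v % Q
    return out

def verifier_side(n, x, y, z):
    # Public polynomial evaluated at z: prod_{i=1..n} (y*i + x^i - z)
    return prod((y * i + pow(x, i, Q) - z) % Q for i in range(1, n + 1))

def prover_side(a, b, y, z):
    # Same shape, built from the committed vectors: prod_i (y*a_i + b_i - z)
    return prod((y * ai + bi - z) % Q for ai, bi in zip(a, b))

def respond(a, x):
    # a is fixed before x is known; afterwards the prover sets b_i = x^{a_i}.
    return [pow(x, ai, Q) for ai in a]

def accepting_z(a, x, y):
    # Number of challenges z (out of Q) for which the product check passes.
    b = respond(a, x)
    n = len(a)
    return sum(prover_side(a, b, y, z) == verifier_side(n, x, y, z)
               for z in range(Q))

if __name__ == "__main__":
    print(accepting_z([3, 1, 4, 2], 5, 7))   # a real permutation of 1..4
    print(accepting_z([1, 1, 3, 4], 5, 7))   # index 1 repeated, 2 dropped
```

A true permutation passes for every z because the two products have the same factors in a different order; a vector that is not a permutation gives a different degree-n polynomial, so it can agree on at most n - 1 values of z.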
Notation
  • B contains commitments B, , Bwhere
  • B= com=com(), , B= com ()
  • Arrange ciphertexts in matrix
    • =
  • Define inner product = to simplify the statement as
Multi-exponentiation argument

Communication: O() elements

Verifier computation: + O() expos

Prover sends

2ciphertexts

  • Verifier sends challenge Z
  • Prover opens
  • to

elements in Zq

ciphertext expos

  • Verifier computes and checks

ciphertext expos

ciphertext expos

Prover’s computation

Computing this matrix costs m²n = mN ciphertext expos

Reducing the prover’s computation
  • Do not compute entire matrix
  • Instead use techniques for multiplication of polynomials “in the exponent” of ciphertexts
  • Fast Fourier Transform
    • O(N log m) exponentiations, O(1) rounds
  • Interaction
    • O(N) exponentiations, O(log m) rounds
Implementation
  • Implementation in C++ using the NTL library and the GMP library
  • Different levels of optimization
    • Multi-exponentiation techniques
    • Fast Fourier Transform
    • Extra Interaction and Toom-Cook
Comparison
  • Runtime comparison of Verificatum (Wikström) to our shuffle argument
  • MacBook Pro; CPU: 2.54 GHz, RAM: 4 GB
  • , 60
  • ciphertexts,