Efficient Zero-Knowledge Argument for Correctness of a Shuffle
Stephanie Bayer, University College London
Jens Groth, University College London

Motivation – e-voting
• Voting:
– Voter casts secret vote
– Authorities reveal votes in random permuted order
• E-voting:
– Voter casts secret vote on a computer
– The votes are sent to a server, which sends all votes to the central authorities
– Authorities reveal votes in random permuted order

Background – ElGamal encryption
• Setup: group $G$ of prime order $q$ with generator $g$
• Public key: $pk = y = g^x$
• Encryption: $E_{pk}(m; r) = (g^r, y^r m)$
• Decryption: $D_x(u, v) = v u^{-x}$
• Homomorphic: $E_{pk}(m; r) \times E_{pk}(M; R) = E_{pk}(mM; r + R)$
• Re-encryption: $E_{pk}(m; r) \times E_{pk}(1; R) = E_{pk}(m; r + R)$

Shuffle
• Input ciphertexts $c_1, \cdots, c_N$
• Permute to get $c_{\pi(1)}, \cdots, c_{\pi(N)}$
• Re-encrypt them: $C_i = c_{\pi(i)} E_{pk}(1; r_i)$
• Output ciphertexts $C_1, \cdots, C_N$
(Figure: inputs $c_1, c_2, c_3, \ldots, c_N$ mapped to outputs $C_1, C_2, C_3, \ldots, C_N$)

Mix-net
(Figure: messages $m_1, m_2, \ldots, m_N$ pass through mix-servers $\pi_1, \pi_2, \ldots$ and threshold decryption, giving $m_{\pi(1)}, m_{\pi(2)}, \ldots, m_{\pi(N)}$, where $\pi$ is the composition of the servers' permutations $\pi_1, \pi_2, \ldots$)

Problem: Corrupt mix-server
(Figure: the same mix-net, but a corrupt mix-server substitutes a message, so the output contains $m'_{\pi(N)}$ instead of $m_{\pi(N)}$)

Solution: Zero-knowledge argument
(Figure: each mix-server attaches a ZK argument to its shuffle before threshold decryption)
• Permutation still secret (zero-knowledge)
• No message changed (soundness)

Zero-Knowledge Argument
• Statement: $(pk, c_1, \cdots, c_N, C_1, \cdots, C_N)$
• Prover's witness: $\pi, r_1, \cdots, r_N$
• Prover convinces Verifier: the shuffle was done correctly
• Requested properties:
– Soundness: the Verifier rejects with overwhelming probability if the Prover tries to cheat
– Zero-Knowledge: nothing but the truth is revealed; the permutation is secret
– Efficient: small computation and small communication complexity

Public coin honest verifier zero-knowledge
• Setup: $(G, q, g)$ and common reference string
• Statement: $(pk, c_1, \cdots, c_N, C_1, \cdots, C_N)$
• Honest verifier zero-knowledge: nothing but the truth revealed; permutation secret
• Can convert to a standard zero-knowledge argument

Our contribution
• 9-move public coin honest verifier zero-knowledge argument for correctness of shuffle in the common reference string model
• For $N = m \times n$ ciphertexts
– Communication: $O(m + n)k$ bits
– Prover's computation: $O(\log(m) N)$ expos
– Verifier's computation: $O(N)$ expos

Comparison of ElGamal shuffles ($N = mn$, $|p| = 1024$, $|q| = 160$)
Scheme | Rounds | Prover in expos | Verifier in expos | Size in kbits
Furukawa-Sako 01 | 3 | 8N | 10N | 5.3N
FMMOS 02 | 5 | 9N | 10N | 5.3N
Furukawa 05 (GL07) | 3 | 7N | 8N | 1.5N
Terelius-Wikström 10 | 5 | 9N | 11N | 3.7N
Neff 01,04 | 7 | 8N | 12N | 7.7N
Groth 03,10 | 7 | 6N | 6N | 0.6N
Groth-Ishai 08 | 7 | 3mN | 4N | 3m^2 + 0.5n
Bayer-Groth 11 | 9 | 2 log(m) N | 4N | 11m + 0.8n
Bayer-Groth 11 | log(m) | O(N) | 4N | 11m + 0.8n

Commitments
• Commit to a column vector $(a_1, \cdots, a_n)^T \in \mathbb{Z}_q^n$ as $A = com_{ck}((a_1, \cdots, a_n)^T; r)$
– Length reducing
– Computationally binding
– Perfectly hiding
– Homomorphic: $com_{ck}(a; r) \cdot com_{ck}(b; s) = com_{ck}(a + b; r + s)$
• Pedersen commitment: $com_{ck}(a; r) = h^r \prod_{i=1}^n g_i^{a_i}$

Techniques – Sublinear cost
• Length reducing commitments
• Batch verification
• Structured Vandermonde challenges $1, x, x^2, \cdots, x^N$
→ Sublinear communication cost

Shuffle argument
• Given public keys $pk$ and $ck$
• Given ciphertexts $c_1, \cdots, c_N$ and $C_1, \cdots, C_N$
• Prover knows permutation $\pi$ and randomizers $r_1, \cdots, r_N$ and wants to convince the verifier that $C_1 = c_{\pi(1)} E_{pk}(1; r_1), \cdots, C_N = c_{\pi(N)} E_{pk}(1; r_N)$

Shuffle argument
1. The prover commits to a permutation $\pi$ by committing to $\pi(1), \cdots, \pi(N)$
   Verifier sends challenge $x \in \mathbb{Z}_q$
2. The prover commits to $x^{\pi(1)}, \cdots, x^{\pi(N)}$
3. The prover gives an argument that both commitments are constructed using the same permutation
4. The prover demonstrates that the input ciphertexts are permuted using the same permutation and knowledge of the randomizers used in the re-encryption.
Shuffle argument
• Prover commits to $\pi$ as $A = com_{ck}(\pi(1), \cdots, \pi(N); r) = com_{ck}(a_1, \cdots, a_N; r)$ and, after receiving challenge $x \in \mathbb{Z}_q$, to $B = com_{ck}(x^{\pi(1)}, \cdots, x^{\pi(N)}; s) = com_{ck}(b_1, \cdots, b_N; s)$ (inexpensive)
• Prover gives a product argument for $A, B$ such that, for the verifier's challenges $y, z$, $\prod_{i=1}^N (a_i y + b_i - z) = \prod_{i=1}^N (i y + x^i - z)$: both polynomials are equal, only the roots are permuted (see full paper)
• The remaining multi-exponentiation step is the expensive part; will sketch idea

Sketch idea
• Sketch idea focusing on soundness
• Ignore ZK (easy and cheap to add)
• Will also for simplicity assume randomness $\rho = 0$

Notation
• $B$ contains commitments $B_1, \cdots, B_m$ where $B_1 = com_{ck}((x^{\pi(1)}, \ldots, x^{\pi(n)})^T; s_1) = com_{ck}(\vec{b}_1; s_1), \cdots, B_m = com_{ck}(\vec{b}_m; s_m)$
• Arrange ciphertexts $C_1, \cdots, C_N$ in an $m \times n$ matrix with rows $\vec{C}_1 = (C_1, \cdots, C_n), \cdots, \vec{C}_m = (C_{N-n+1}, \cdots, C_N)$
• Define the inner product as $\vec{C}_i^{\vec{b}_j} = \prod_{k=1}^n C_{i,k}^{b_{j,k}}$
• Write $\prod_{i=1}^N C_i^{b_i} = \prod_{i=1}^m \vec{C}_i^{\vec{b}_i} = C$ to simplify the statement

Multi-exponentiation argument idea
1. Prover sends $E_{-m}, \cdots, E_{-1}, E_1, \cdots, E_m$ ($2m$ ciphertexts)
   Verifier sends challenge $y \in \mathbb{Z}_q$
2. Prover opens $\prod_{j=1}^m B_j^{y^{-j}} = com_{ck}(\sum_{j=1}^m y^{-j} \vec{b}_j; \sum_{j=1}^m y^{-j} s_j)$ to $\vec{b} = \sum_{j=1}^m y^{-j} \vec{b}_j$ ($n$ elements in $\mathbb{Z}_q$)
3. Verifier computes $\vec{C} = \prod_{i=1}^m \vec{C}_i^{y^i}$ ($N$ ciphertext expos) and checks $\vec{C}^{\vec{b}} = C \prod_{k=1}^m E_{-k}^{y^{-k}} E_k^{y^k}$ ($N$ ciphertext expos)
• Communication: $O(m + n)$ elements
• Verifier computation: $4N + O(m + n)$ expos

Prover's computation
• Computing this matrix (all the terms $\vec{C}_i^{\vec{b}_j}$) costs $m^2 n = mN$ ciphertext expos

Reducing the prover's computation
• Do not compute the entire matrix
• Instead use techniques for multiplication of polynomials "in the exponent" of ciphertexts
• Fast Fourier Transform: $O(N \log m)$ exponentiations, $O(1)$ rounds
• Interaction: $O(N)$ exponentiations, $O(\log m)$ rounds

Implementation
• Implementation in C++ using the NTL library and the GMP library
• Different levels of optimization
– Multi-exponentiation techniques
– Fast Fourier Transform
– Extra interaction and Toom-Cook

Comparison ($N = 100{,}000$)
Scheme | Single argument | Argument size
Verificatum | 5 min | 37.7 MB
Toom-Cook, $m = 64$ | 2 min | 0.7 MB
• Runtime comparison of Verificatum (Wikström) to our shuffle argument
• MacBook Pro; CPU: 2.54 GHz, RAM: 4 GB
• $|p| = 1024$, $|q| = 160$
• $N = 100{,}000$ ciphertexts, $m = 64$, $n = 1563$

Thank You
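A toy end-to-end run of the shuffle and the verifier-side identities sketched on these slides, added here as an example and not the authors' code: the ElGamal re-encryption shuffle, the polynomial identity behind the same-permutation check of step 3, the step-4 relation $\prod_i C_i^{x^{\pi(i)}} = (\prod_i c_i^{x^i}) E_{pk}(1; \rho)$ with $\rho = \sum_i r_i x^{\pi(i)}$, and the $m \times n$ matrix batching of the multi-exponentiation argument. The group ($p = 1019$, $q = 509$), keys, randomizers, messages and challenges are constructed values; the commitments and blinding that make the real argument zero-knowledge are left out.

```python
P, Q, G = 1019, 509, 4  # constructed toy group: p = 2q + 1, G generates the order-q subgroup of Z_p^*
def enc(pk, m, r):      # ElGamal E_pk(m; r) = (g^r, y^r m); m must lie in the order-q subgroup
    return (pow(G, r, P), pow(pk, r, P) * m % P)
def ct_mul(a, b):       # homomorphic product of two ciphertexts
    return (a[0] * b[0] % P, a[1] * b[1] % P)
def multi_exp(cts, exps):  # inner product prod_k cts[k]^exps[k]; exponents live in Z_q
    acc = (1, 1)
    for c, e in zip(cts, exps):
        acc = (acc[0] * pow(c[0], e % Q, P) % P, acc[1] * pow(c[1], e % Q, P) % P)
    return acc
def shuffle(pk, cts, pi, rs):  # C_i = c_pi(i) * E_pk(1; r_i); pi is 1-indexed as on the slides
    return [ct_mul(cts[pi[i] - 1], enc(pk, 1, rs[i])) for i in range(len(cts))]
def product_identity_holds(pi, x, y, z):
    # Step 3: with a_i = pi(i), b_i = x^pi(i) the products prod (a_i y + b_i - z) and prod (i y + x^i - z) agree in Z_q
    lhs = rhs = 1
    for i in range(1, len(pi) + 1):
        lhs = lhs * (pi[i - 1] * y + pow(x, pi[i - 1], Q) - z) % Q
        rhs = rhs * (i * y + pow(x, i, Q) - z) % Q
    return lhs == rhs
def shuffle_identity_holds(pk, cts, Cts, pi, rs, x):
    # Step 4: prod C_i^{x^pi(i)} == (prod c_i^{x^i}) * E_pk(1; rho) with rho = sum r_i x^pi(i)
    b = [pow(x, p, Q) for p in pi]
    rho = sum(r * bi for r, bi in zip(rs, b)) % Q
    target = ct_mul(multi_exp(cts, [pow(x, i, Q) for i in range(1, len(cts) + 1)]), enc(pk, 1, rho))
    return multi_exp(Cts, b) == target
def multiexp_check_holds(Cts, b, m, n, y):
    # Multi-exponentiation idea: C and b as m x n matrices; E_k collects the terms C_i^{b_j} with i - j = k
    # (E_0 is the wanted diagonal product). Needs Python 3.8+ for pow(y, -j, Q).
    Cm = [Cts[i * n:(i + 1) * n] for i in range(m)]
    bm = [b[j * n:(j + 1) * n] for j in range(m)]
    E = {}
    for i in range(m):
        for j in range(m):
            E[i - j] = ct_mul(E.get(i - j, (1, 1)), multi_exp(Cm[i], bm[j]))
    Cvec = [multi_exp([Cm[i][col] for i in range(m)], [pow(y, i + 1, Q) for i in range(m)]) for col in range(n)]
    bbar = [sum(pow(y, -(j + 1), Q) * bm[j][col] for j in range(m)) % Q for col in range(n)]
    rhs = multi_exp(list(E.values()), [pow(y, k, Q) for k in E])  # E_0 * prod_{k != 0} E_k^{y^k}
    return multi_exp(Cvec, bbar) == rhs                             # (prod_i C_i^{y^i})^{bbar}
def demo():
    pk = pow(G, 123, P)                                 # constructed secret key 123
    msgs = [pow(G, v, P) for v in range(1, 7)]          # constructed messages, encoded as G^v
    cts = [enc(pk, msg, r) for msg, r in zip(msgs, [2, 3, 5, 7, 11, 13])]
    pi, rs = [3, 1, 6, 2, 5, 4], [7, 11, 13, 17, 19, 23]
    Cts = shuffle(pk, cts, pi, rs)
    x, y, z = 5, 7, 9                                   # verifier challenges, fixed for reproducibility
    tampered = Cts[:-1] + [ct_mul(Cts[-1], (1, G))]     # corrupt mix-server alters one message
    return (product_identity_holds(pi, x, y, z), shuffle_identity_holds(pk, cts, Cts, pi, rs, x),
            multiexp_check_holds(Cts, [pow(x, p, Q) for p in pi], 2, 3, y),
            shuffle_identity_holds(pk, cts, tampered, pi, rs, x))
```

`demo()` returns three `True` values for the honest shuffle and `False` for the tampered one, since changing a message changes $\prod_i C_i^{b_i}$ by a non-trivial factor that the target no longer matches.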