A Verifiable Secret Shuffle of Homomorphic Encryptions

Jens Groth, UCLA

On ePrint archive: http://eprint.iacr.org/2005/246

Slide transcript, posted 28-Mar-2015.

Agenda

Motivation: anonymous communication
Mix-nets
What is a shuffle? Homomorphic encryption? Zero-knowledge proofs?
ZK proof for shuffle of known contents
Tool: homomorphic commitments
ZK proof for shuffle of homomorphic encryptions
Comparison with other ZK proofs
Efficiency improvements

Anonymous communication

(Figure: sender 1, ..., sender n submit messages $m_1, \dots, m_n$ to a mixer that applies a secret permutation $\pi$ and outputs $m_{\pi(1)}, \dots, m_{\pi(n)}$; the mixer consists of several mix-servers.)

Encryption

Rerandomization property: $E(m) \to E'(m)$

Threshold decryption property: $t$ mix-servers can decrypt; $t-1$ mix-servers do not learn anything

Mix-net

(Figure: senders submit $E(m_1), \dots, E(m_n)$; the mix-net applies $\pi$ and outputs rerandomized ciphertexts $E'(m_{\pi(1)}), \dots, E'(m_{\pi(n)})$; threshold decryption by at least $t$ mix-servers yields $m_{\pi(1)}, \dots, m_{\pi(n)}$.)

Mix-net

(Figure: mix-server 1 applies $\pi_1$ to $E(m_1), \dots, E(m_n)$ and outputs $E'(m_{\pi_1(1)}), \dots, E'(m_{\pi_1(n)})$; ...; mix-server $N$ applies $\pi_N$ and outputs $E'''(m_{\pi(1)}), \dots, E'''(m_{\pi(n)})$ with $\pi = \pi_N \circ \dots \circ \pi_1$.)

A shuffle

(Figure: input $E(m_1), \dots, E(m_n)$; apply $\pi$ and rerandomize; output $E'(m_{\pi(1)}), \dots, E'(m_{\pi(n)})$.)


Homomorphic encryption

Homomorphic property: $E(m_1 m_2; R_1 + R_2) = E(m_1; R_1)\, E(m_2; R_2)$

Rerandomization: $E(m; R_1 + R_2) = E(m; R_1)\, E(1; R_2)$

Message space of order $Q$ with no small prime factors

Root extraction property: see paper

ElGamal variant

Keys: primes $Q, P$ with $P = 2Q + 1$; random elements $G, Y$ of order $Q$; $PK = (Q, P, G, Y)$; $SK = (PK, x)$ with $Y = G^x$

Encryption: $E(m; (\pm 1, \pm 1, R)) = (\pm G^R \bmod P,\ \pm Y^R m \bmod P)$

Ciphertext verification: $(U, V)$ is a valid ciphertext if $0 < U < P$ and $0 < V < P$

A shuffle of homomorphic encryptions

(Figure: input $e_1, \dots, e_n$; the shuffler knows $\pi, R_1, \dots, R_n$ and outputs $E_i = e_{\pi(i)}\, E(1; R_i)$.)

Verifiability?

(Figure: given $e_1, \dots, e_n$ and $E_1, \dots, E_n$, can the shuffler show that suitable $\pi, R_1, \dots, R_n$ exist without revealing them?)

Zero-knowledge proof

Complete: a prover with $\pi, R_1, \dots, R_n$ can convince anybody of the correctness of the shuffle

Sound: if it is not a valid shuffle, it is impossible to convince others of its correctness

Zero-knowledge: the prover does not reveal anything beyond the correctness of the shuffle

Statement: $PK, e_1, \dots, e_n, E_1, \dots, E_n$ (and a little more)

Real proof (prover knows $\pi, R_1, \dots$): $a_1, c_1, a_2, \dots$
Simulated proof (simulator is given the challenges $c_1, \dots$): $a_1, c_1, a_2, \dots$

The real transcript $(a_1, c_1, a_2, \dots)$ is indistinguishable from the simulated transcript $(a_1, c_1, a_2, \dots)$

Special honest verifier zero-knowledge (SHVZK): computational/statistical

Soundness
Unconditional: no adversary can make a valid proof for a false statement
Computational: a polynomial-time adversary cannot make a valid proof for a false statement

Special honest verifier zero-knowledge
Statistical: no adversary can distinguish real proofs from simulated proofs
Computational: a polynomial-time adversary cannot distinguish real proofs from simulated proofs

Main result

A 7-round public coin SHVZK proof for correctness of a shuffle of homomorphic encryptions

Optional: unconditional soundness or statistical SHVZK; key length vs. efficiency


Non-interactive commitment

Public key

Commitment: $c = \mathrm{commit}(m; r)$

Opening: given $c, m, r$ check that $c = \mathrm{commit}(m; r)$

Commitment

Binding
Unconditional: there is at most one way the committer can open a commitment $c$
Computational: a polynomial-time adversary cannot find $c, m_1, r_1, m_2, r_2$ so that $c = \mathrm{commit}(m_1; r_1) = \mathrm{commit}(m_2; r_2)$ and $m_1 \neq m_2$

Hiding
Statistical: commitments to $m$ and to $0$ have the same distribution
Computational: a polynomial-time adversary cannot distinguish a random commitment to $m \neq 0$ from a random commitment to $0$

Homomorphic commitment

Homomorphic property: $\mathrm{com}(m_1 + m_1', \dots, m_n + m_n'; r_1 + r_2) = \mathrm{com}(m_1, \dots, m_n; r_1)\, \mathrm{com}(m_1', \dots, m_n'; r_2)$

Message space $\mathbb{Z}_q^n$ with $q$ prime

Root extraction property: given $c, m_1, \dots, m_n, r, e$ with $\gcd(e, q) = 1$ and $c^e = \mathrm{com}(m_1, \dots, m_n; r)$, we can efficiently compute $r'$ so that $c = \mathrm{com}(m_1/e, \dots, m_n/e; r')$

Pedersen commitment variant

Public key: primes $q, p$ with $p = kq + 1$; random elements $g_1, \dots, g_n, h$ of order $q$; $pk = (q, p, g_1, \dots, g_n, h)$

Commitment: $\mathrm{com}(m_1, \dots, m_n; (u, r)) = u\, g_1^{m_1} \cdots g_n^{m_n} h^r \bmod p$, where $u^k = 1 \bmod p$

Commitment verification: valid if $0 < c < p$

Shuffle of known content

(Figure: publicly known $m_1, \dots, m_n$; the prover knows $\pi, r$ and publishes $c = \mathrm{com}(m_{\pi(1)}, \dots, m_{\pi(n)}; r)$.)

SHVZK proof for shuffle of known content

A 4-round public coin SHVZK proof of knowledge for a commitment to a permutation of publicly known messages $m_1, \dots, m_n$

Optional: unconditional soundness or statistical SHVZK; key length vs. efficiency

Knowledge of contents

Common: $pk, c, m_1, \dots, m_n$

Prover: $\pi, r$ so that $c = \mathrm{com}(m_{\pi(1)}, \dots, m_{\pi(n)}; r)$

Prover sends $c_d = \mathrm{com}(d_1, \dots, d_n; r_d)$

Verifier sends $e \in \{0,1\}^\ell$

Prover sends $f_i = e\, m_{\pi(i)} + d_i$ and $z = e r + r_d$

Verifier checks $c^e c_d = \mathrm{com}(f_1, \dots, f_n; z)$

Special HVZK

Common: $pk, c, m_1, \dots, m_n$

Simulator: given $e \in \{0,1\}^\ell$, pick $f_i \in \mathbb{Z}_q$ and $z \in \mathbb{Z}_q$ at random and set $c_d = \mathrm{com}(f_1, \dots, f_n; z)\, c^{-e}$

The simulated transcript $(c_d, e, f_1, \dots, f_n, z)$ passes the check $c^e c_d = \mathrm{com}(f_1, \dots, f_n; z)$

Knowledge

Common: $pk, c, m_1, \dots, m_n$

$c_d = \mathrm{com}(d_1, \dots, d_n; r_d)$

Two challenges $e, e' \in \{0,1\}^\ell$ with accepting answers $f_i, z$ and $f_i', z'$:

$c^e c_d = \mathrm{com}(f_1, \dots, f_n; z)$

$c^{e'} c_d = \mathrm{com}(f_1', \dots, f_n'; z')$

$c^{e - e'} = \mathrm{com}(f_1 - f_1', \dots, f_n - f_n'; z - z')$

Root extraction: $c = \mathrm{com}(\mu_1, \dots, \mu_n; r)$
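The three slides above (knowledge of contents, the SHVZK simulator, and extraction from two transcripts) as one added worked example; this is illustrative code written for this transcript, not Groth's or Stamer's implementation. It uses the plain Pedersen vector commitment (the $u$ factor of the variant is dropped), toy primes $q = 11$, $p = 23$, and a seeded generator choice, all constructed here.

```python
import random

def pedersen_keygen(q, p, n, seed=1):
    """Public key (q, p, g_1..g_n, h) with p = kq+1 and generators of order q, obtained as x^k mod p
    for random x (toy sizes and a fixed seed for reproducibility; constructed, not a real parameter set)."""
    assert (p - 1) % q == 0
    k, rnd, gens = (p - 1) // q, random.Random(seed), []
    while len(gens) < n + 1:
        g = pow(rnd.randrange(2, p), k, p)
        if g != 1:                      # x^k is either 1 or has order exactly q
            gens.append(g)
    return {"q": q, "p": p, "g": gens[:n], "h": gens[n]}

def com(pk, ms, r):
    """com(m_1,...,m_n; r) = g_1^{m_1} ... g_n^{m_n} h^r mod p (homomorphic in messages and randomness)."""
    c = pow(pk["h"], r, pk["p"])
    for g, m in zip(pk["g"], ms):
        c = c * pow(g, m % pk["q"], pk["p"]) % pk["p"]
    return c

def prove(pk, ms, perm, r, ds, rd, e):
    """Prover side: c = com(m_perm(1..n); r) is public, c_d = com(d; r_d) is the first message,
    and after challenge e the answer is f_i = e*m_perm(i) + d_i, z = e*r + r_d (perm is 0-indexed)."""
    q = pk["q"]
    cd = com(pk, ds, rd)
    f = [(e * ms[perm[i]] + ds[i]) % q for i in range(len(ms))]
    z = (e * r + rd) % q
    return cd, f, z

def verify(pk, c, cd, e, f, z):
    """Verifier check c^e * c_d == com(f_1,...,f_n; z)."""
    return pow(c, e, pk["p"]) * cd % pk["p"] == com(pk, f, z)

def simulate(pk, c, e, f, z):
    """SHVZK simulator: choose f, z first, then solve for the first message c_d = com(f; z) * c^(-e)."""
    return com(pk, f, z) * pow(c, -e, pk["p"]) % pk["p"]

def extract(pk, e1, f1, z1, e2, f2, z2):
    """Knowledge extractor: two accepting transcripts with e1 != e2 give c^(e1-e2) = com(f1-f2; z1-z2);
    root extraction divides by (e1-e2) mod q and recovers the committed vector and randomness."""
    q = pk["q"]
    inv = pow((e1 - e2) % q, -1, q)
    mus = [((a - b) * inv) % q for a, b in zip(f1, f2)]
    return mus, ((z1 - z2) * inv) % q
```

Note that this proof alone shows knowledge of an opening; that the opening is a permutation of $m_1, \dots, m_n$ is what the polynomial check on the following slides adds.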

Idea (Neff 2001)

Consider the polynomials $\prod_i (m_i - X)$ and $\prod_i (\mu_i - X)$ in $\mathbb{Z}_q[X]$

They are identical exactly when there exists $\pi$ so that $\mu_i = m_{\pi(i)}$

Pick $x$ at random and demonstrate $\prod_i (m_i - x) = \prod_i (\mu_i - x) \bmod q$

With overwhelming probability this is not the case unless such a $\pi$ exists

Identical polynomials

Common: $pk, c, m_1, \dots, m_n$

Verifier sends $x \in \{0,1\}^\ell$

Prover sends $c_d, c_a, c_\Delta$

Verifier sends $e \in \{0,1\}^\ell$

Prover sends $f_i, z, f_{\Delta i}, z_\Delta$

Verifier checks $c^e c_d = \mathrm{com}(f_1, \dots, f_n; z)$ and $c_a^e c_\Delta = \mathrm{com}(f_{\Delta 1}, \dots, f_{\Delta, n-1}; z_\Delta)$

where $f_i = e \mu_i + d_i$ and $f_{\Delta i} = e \alpha_i + \delta_i$

Checking the polynomials

$f_i = e \mu_i + d_i$, $f_{\Delta i} = e \alpha_i + \delta_i$

Let $F_1 = f_1 - e x = e(\mu_1 - x) + d_1$

Let $e F_{i+1} = F_i (f_{i+1} - e x) + f_{\Delta i}$

Then $e^{i-1} F_i = e^i \prod_{j \le i} (\mu_j - x) + \mathrm{poly}_{i-1}(e)$ with $\deg \mathrm{poly}_{i-1} \le i - 1$, since

$e^i F_{i+1} = e^{i-1} F_i (f_{i+1} - e x) + e^{i-1} f_{\Delta i} = \big(e^i \prod_{j \le i} (\mu_j - x) + \mathrm{poly}_{i-1}(e)\big)\big(e(\mu_{i+1} - x) + d_{i+1}\big) + e^{i-1}(e \alpha_i + \delta_i) = e^{i+1} \prod_{j \le i+1} (\mu_j - x) + \mathrm{poly}_i(e)$

Check $F_n = e \prod_i (m_i - x)$, meaning $e^n \prod_j (\mu_j - x) + \mathrm{poly}_{n-1}(e) = e^n \prod_i (m_i - x)$; as $e$ is chosen after $c_d, c_a, c_\Delta$ are fixed, this holds for a random $e$ only if $\prod_j (\mu_j - x) = \prod_i (m_i - x)$

Completeness

$F_i = e \prod_{j \le i} (m_{\pi(j)} - x) + \Delta_i$

$F_1 = f_1 - e x = e(m_{\pi(1)} - x) + d_1$, so $\Delta_1 = d_1$

$e F_{i+1} = F_i (f_{i+1} - e x) + f_{\Delta i}$ holds when the prover chooses $\alpha_i, \delta_i$ such that

$e \alpha_i + \delta_i = e^2 \prod_{j \le i+1} (m_{\pi(j)} - x) + e \Delta_{i+1} - \big(e \prod_{j \le i} (m_{\pi(j)} - x) + \Delta_i\big)\big(e(m_{\pi(i+1)} - x) + d_{i+1}\big)$

$= e\big(\Delta_{i+1} - \prod_{j \le i} (m_{\pi(j)} - x)\, d_{i+1} - \Delta_i (m_{\pi(i+1)} - x)\big) - \Delta_i d_{i+1}$

$F_n = e \prod_i (m_i - x)$ requires $\Delta_n = 0$

SHVZK proof for known content

4-round public coin protocol
Soundness: computational/unconditional
SHVZK: statistical/computational

With the Pedersen commitment variant:
Prover: $3n$ exponentiations, $2|q|n$ bits
Verifier: $2n$ exponentiations


A shuffle of homomorphic encryptions

(Figure, repeated from above: input $e_1, \dots, e_n$; the shuffler knows $\pi, R_1, \dots, R_n$ and outputs $E_i = e_{\pi(i)}\, E(1; R_i)$.)

Idea

Want to show that $e_1, \dots, e_n$ and $E_1, \dots, E_n$ have the same plaintexts

1. Reveal $\pi$
2. Receive random challenges $t_1, \dots, t_n \in \{0,1\}^\ell$
3. Release $Z$ so that $E(1; Z) \prod_i e_i^{t_i} = \prod_i E_i^{t_{\pi(i)}}$

On the plaintexts this gives $\prod_i m_i^{t_i} = \prod_i M_i^{t_{\pi(i)}}$, i.e. $1 = \prod_i (M_i / m_{\pi(i)})^{t_{\pi(i)}}$

Since $Q$ has no small prime factors, $M_i = m_{\pi(i)}$
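The ElGamal variant, the shuffle $E_i = e_{\pi(i)} E(1; R_i)$ and the plaintext-equality check of this "Idea" slide (the one where $\pi$ is still revealed), as an added worked example written for this transcript rather than taken from the paper or Stamer's implementation. It assumes the toy safe prime $P = 23$, $Q = 11$, fixes the $\pm 1$ signs of the variant to $+1$, and uses constructed messages and randomness.

```python
def elgamal_keygen(Q, P, x):
    """Keys of the ElGamal variant: primes Q, P with P = 2Q+1, G and Y = G^x of order Q (toy sizes; constructed)."""
    assert P == 2 * Q + 1
    G = 4  # 4 = 2^2 is a quadratic residue mod the safe prime P, hence of order Q (for P > 5)
    return {"Q": Q, "P": P, "G": G, "Y": pow(G, x, P)}

def encrypt(PK, m, R):
    """E(m; R) = (G^R mod P, Y^R m mod P); the +-1 sign choices of the variant are fixed to +1 here."""
    return (pow(PK["G"], R, PK["P"]), pow(PK["Y"], R, PK["P"]) * m % PK["P"])

def decrypt(PK, x, ct):
    """m = V / U^x mod P."""
    U, V = ct
    return V * pow(U, -x, PK["P"]) % PK["P"]

def ct_mul(PK, a, b):
    """Homomorphic property: E(m1; R1) E(m2; R2) = E(m1 m2; R1 + R2)."""
    return (a[0] * b[0] % PK["P"], a[1] * b[1] % PK["P"])

def ct_pow(PK, a, t):
    """E(m; R)^t = E(m^t; tR)."""
    return (pow(a[0], t, PK["P"]), pow(a[1], t, PK["P"]))

def shuffle(PK, es, perm, Rs):
    """Shuffle: E_i = e_perm(i) * E(1; R_i), i.e. permute and rerandomize (perm is 0-indexed)."""
    return [ct_mul(PK, es[perm[i]], encrypt(PK, 1, Rs[i])) for i in range(len(es))]

def response_Z(PK, perm, ts, Rs):
    """Prover's answer Z = sum_i t_perm(i) * R_i mod Q, after revealing pi and receiving t_1..t_n."""
    return sum(ts[perm[i]] * Rs[i] for i in range(len(Rs))) % PK["Q"]

def check_same_plaintexts(PK, es, Es, perm, ts, Z):
    """Verifier's check E(1; Z) * prod_i e_i^{t_i} == prod_i E_i^{t_perm(i)}."""
    lhs = encrypt(PK, 1, Z)
    for e, t in zip(es, ts):
        lhs = ct_mul(PK, lhs, ct_pow(PK, e, t))
    rhs = (1, 1)
    for i, E in enumerate(Es):
        rhs = ct_mul(PK, rhs, ct_pow(PK, E, ts[perm[i]]))
    return lhs == rhs
```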

Idea

1. Commit to $\pi$, commit to $d_1, \dots, d_n \in \{0,1\}^{\ell + 80}$; form $E_d = E(1; R_d) \prod_i E_i^{-d_i}$
2. Receive challenges $t_1, \dots, t_n \in \{0,1\}^\ell$
3. Release $f_1, \dots, f_n, Z$ so that $f_i = t_{\pi(i)} + d_i$ and $E(1; Z) \prod_i e_i^{t_i} = E_d \prod_i E_i^{f_i}$

On the plaintexts: $\prod_i m_i^{t_i} = \big(M_d \prod_i M_i^{d_i}\big) \prod_i M_i^{t_{\pi(i)}}$

$Z = R_d + \sum_i t_{\pi(i)} R_i$

Idea

1. Commit to $\pi$ and $d_1, \dots, d_n$: $c = \mathrm{com}(\pi(1), \dots, \pi(n); r)$ and $c_d = \mathrm{com}(-d_1, \dots, -d_n; r_d)$
2. Receive challenges $t_1, \dots, t_n$
3. Send $f_1, \dots, f_n$ (with $|q| > \ell + 80$)
4. Receive challenge $\lambda$
5. Make an SHVZK proof of known content for $c^\lambda c_d\, \mathrm{com}(f_1, \dots, f_n; 0)$ containing a permutation of $\lambda + t_1, \dots, \lambda n + t_n$

There exists $\pi$ so that $\lambda \mu_i + f_i - d_i = \lambda \pi(i) + t_{\pi(i)}$

With overwhelming probability over $\lambda$ we have $\mu_i = \pi(i)$ and $f_i = t_{\pi(i)} + d_i$

Full protocol

Common: $pk, PK, e_1, \dots, e_n$ and $E_1, \dots, E_n$

Prover: $\pi, R_1, \dots, R_n$

Prover sends $c, c_d, E_d$

Verifier sends $t_1, \dots, t_n \in \{0,1\}^\ell$

Prover sends $f_1, \dots, f_n, Z$

Verifier sends $\lambda \in \{0,1\}^\ell$

Prover gives the SHVZK proof of known content

Verifier verifies the SHVZK proof and checks $E(1; Z) \prod_i e_i^{t_i} = E_d \prod_i E_i^{f_i}$

Properties of shuffle proof

7-round public coin protocol
Soundness: computational/unconditional
SHVZK: statistical/computational

With the Pedersen commitment and ElGamal variants:
Prover: $4n$ $p$-exponentiations, $2n$ $P$-exponentiations, $3|q|n$ bits
Verifier: $2n$ $p$-exponentiations, $4n$ $P$-exponentiations

Implementation (Stamer 2005)

Pedersen commitment: $|p| = 1024$, $|q| = 160$
ElGamal encryption: $|P| = 1024$, $|Q| = 160$

SHVZK proof of correct shuffle of 1024 ElGamal ciphertexts on an AMD Duron 1.3 GHz:
Prover: 14 seconds
Verifier: 5 seconds


Other shuffle proofs

Invariance of roots of polynomials: Neff CCS01, Groth PKC03, Neff 03, Groth 05
Permutation matrices: Furukawa & Sako Crypto01, Furukawa IEICE05
Integer commitments: Wikström Asiacrypt05
Linear ignorance assumption: Peng et al. Crypto05

Comparison of approaches

Pedersen, ElGamal, |p| = 1024, |q| = 160   Roots of poly            Permutation matrix
Rounds                                     7                        3
Soundness                                  uncond./comp.            computational
SHVZK                                      comp./statistical        statistical
Prover expos                               6n                       7n
Prover sends                               480n bits                1344n bits
Verifier expos                             6n                       8n
Key length                                 flexible (e.g. O(√n))    1024n bits


Adjusting the key length

The suggested Pedersen commitment variant had public key $(q, p, g_1, \dots, g_n, h)$

Assume w.l.o.g. $n = kl$; then we can instead use public key $(q, p, g_1, \dots, g_k, h)$ and commit as

$c = (c_1, \dots, c_l) = (\mathrm{com}(m_1, \dots, m_k), \mathrm{com}(m_{k+1}, \dots, m_{2k}), \dots)$

Randomization

The two checks $c^e c_d = \mathrm{com}(f_1, \dots, f_n; z)$ and $c_a^e c_\Delta = \mathrm{com}(f_{\Delta 1}, \dots, f_{\Delta, n-1}, 0; z_\Delta)$ can be batched:

Pick $\alpha \in \{0,1\}^\ell$ at random and check $(c^e c_d)^\alpha\, c_a^e c_\Delta = \mathrm{com}(\alpha f_1 + f_{\Delta 1}, \dots, \alpha f_n + 0; \alpha z + z_\Delta)$

Many other randomization/batch verification possibilities

On-line/off-line computation

The prover can precompute most values off-line (and in a mix-net also precompute the rerandomization of the ciphertexts)

Only $E_d$ and $c_a$ need to be computed on-line

Picking the challenges

The verifier picks a seed for a pseudorandom number generator and sends it to the prover

The prover generates $t_1, \dots, t_n$ from this seed

If $Q = q$ the verifier can simply send a challenge $t$ and let the prover use $t_1 = t^1 \bmod q, \dots, t_n = t^n \bmod q$

Multi-exponentiation (Lim 00)

Computing a product $\prod_i g_i^{e_i}$ can be done in $|e| n / (\log n - \log \log n)$ multiplications

Prover and verifier each need $\approx 0.5n$ naïve single exponentiations for shuffling 100,000 ElGamal ciphertexts

Questions?

Thank you