A Verifiable Secret Shuffle of Homomorphic Encryptions. Jens Groth, UCLA. On ePrint archive: http://eprint.iacr.org/2005/246


Page 1: Title

A Verifiable Secret Shuffle of Homomorphic Encryptions

Jens Groth

UCLA

On ePrint archive: http://eprint.iacr.org/2005/246

Page 2: Agenda

- Motivation: anonymous communication
- What is a shuffle? Homomorphic encryption? Zero-knowledge proofs?
- ZK proof for shuffle of known contents
- Tool: homomorphic commitments
- ZK proof for shuffle of homomorphic encryptions
- Comparison with other ZK proofs
- Efficiency improvements

Page 3: Anonymous communication

[Figure: Sender 1, ..., Sender n submit messages $m_1, \ldots, m_n$ to a mixer (the mix-servers) that applies a permutation $\pi$; the output is $m_{\pi(1)}, \ldots, m_{\pi(n)}$.]

Page 4: Encryption

Rerandomization property: $E(m) \to E'(m)$

Threshold decryption property: $t$ mix-servers can decrypt; $t-1$ mix-servers do not learn anything

Page 5: Mix-net

[Figure: the senders submit $E(m_1), \ldots, E(m_n)$; the mix-servers apply a permutation $\pi$ and rerandomize, outputting $E'(m_{\pi(1)}), \ldots, E'(m_{\pi(n)})$; threshold decryption by at least $t$ mix-servers yields $m_{\pi(1)}, \ldots, m_{\pi(n)}$.]

Page 6: Mix-net

[Figure: Mix-server 1 applies $\pi_1$ to $E(m_1), \ldots, E(m_n)$ and outputs $E'(m_{\pi_1(1)}), \ldots, E'(m_{\pi_1(n)})$; each following mix-server does the same with its own permutation; Mix-server N applies $\pi_N$ and outputs $E'''(m_{\pi(1)}), \ldots, E'''(m_{\pi(n)})$, where $\pi = \pi_N \circ \cdots \circ \pi_1$.]

Page 7: A shuffle

[Figure: input $E(m_1), \ldots, E(m_n)$; permutation $\pi$; output $E'(m_{\pi(1)}), \ldots, E'(m_{\pi(n)})$.]

Page 8: Agenda

- Motivation: anonymous communication
- Mix-nets
- What is a shuffle? Homomorphic encryption? Zero-knowledge proofs?
- ZK proof for shuffle of known contents
- Tool: homomorphic commitments
- ZK proof for shuffle of homomorphic encryptions
- Comparison with other ZK proofs
- Efficiency improvements

Page 9: Homomorphic encryption

Homomorphic property: $E(m_1 m_2; R_1 + R_2) = E(m_1; R_1)\,E(m_2; R_2)$

Rerandomization: $E(m; R_1 + R_2) = E(m; R_1)\,E(1; R_2)$

Message space of order $Q$ with no small prime factors

Root extraction property: see paper

Page 10: ElGamal variant

Keys: primes $Q, P$ with $P = 2Q + 1$; random elements $G, Y$ of order $Q$; $PK = (Q, P, G, Y)$; $SK = (PK, x)$ with $Y = G^x$

Encryption: $E(m; (\pm 1, \pm 1, R)) = (\pm G^R \bmod P,\ \pm Y^R m \bmod P)$

Ciphertext verification: $(U, V)$ is a valid ciphertext if $0 < U < P$ and $0 < V < P$

Page 11: A shuffle of homomorphic encryptions

[Figure: input $e_1, \ldots, e_n$; the prover picks $\pi, R_1, \ldots, R_n$ and outputs $e_{\pi(1)} E(1; R_1), \ldots, e_{\pi(n)} E(1; R_n)$.]

Page 12: Verifiability?

[Figure: given $e_1, \ldots, e_n$ and $E_1, \ldots, E_n$, do $\pi, R_1, \ldots, R_n$ exist that map the first list to the second?]

Page 13: Zero-knowledge proof

Complete: a prover with $\pi, R_1, \ldots, R_n$ can convince anybody of the correctness of the shuffle

Sound: if the shuffle is not valid, it is impossible to convince others of its correctness

Zero-knowledge: the prover does not reveal anything beyond the correctness of the shuffle

Page 14: Special honest verifier zero-knowledge (SHVZK)

Statement: $PK, e_1, \ldots, e_n, E_1, \ldots, E_n$ (and a little more)

Real proof (prover knows $\pi, R_1, \ldots$): $a_1, c_1, a_2, \ldots$

Simulated proof (simulator is given $c_1, \ldots$): $a_1, c_1, a_2, \ldots$

The real transcript $(a_1, c_1, a_2, \ldots)$ is indistinguishable from the simulated transcript $(a_1, c_1, a_2, \ldots)$

Page 15: Computational/statistical

Soundness
- Unconditional: no adversary can make a valid proof for a false statement
- Computational: a polynomial time adversary cannot make a valid proof for a false statement

Special honest verifier zero-knowledge
- Statistical: no adversary can distinguish real proofs from simulated proofs
- Computational: a polynomial time adversary cannot distinguish real proofs from simulated proofs

Page 16: Main result

A 7-round public coin SHVZK proof for correctness of a shuffle of homomorphic encryptions

Optional:
- unconditional soundness or statistical SHVZK
- key length vs efficiency

Page 17: Agenda (repeat of the Page 8 agenda)

Page 18: Non-interactive commitment

Public key

Commitment: $c = \mathrm{commit}(m; r)$

Opening: given $c, m, r$ check that $c = \mathrm{commit}(m; r)$

Page 19: Commitment

Binding
- Unconditional: there is at most one way the committer can open a commitment $c$
- Computational: a polynomial time adversary cannot find $c, m_1, r_1, m_2, r_2$ with $c = \mathrm{commit}(m_1; r_1) = \mathrm{commit}(m_2; r_2)$ and $m_1 \ne m_2$

Hiding
- Statistical: commitments to $m$ and to $0$ have the same distribution
- Computational: a polynomial time adversary cannot distinguish a random commitment to $m \ne 0$ from a random commitment to $0$

Page 20: Homomorphic commitment

Homomorphic property: $\mathrm{com}(m_1 + m_1', \ldots, m_n + m_n'; r_1 + r_2) = \mathrm{com}(m_1, \ldots, m_n; r_1)\,\mathrm{com}(m_1', \ldots, m_n'; r_2)$

Message space $\mathbb{Z}_q^n$ with $q$ prime

Root extraction property: given $c, m_1, \ldots, m_n, r, e$ with $\gcd(e, q) = 1$ and $c^e = \mathrm{com}(m_1, \ldots, m_n; r)$, we can efficiently compute $r'$ with $c = \mathrm{com}(m_1/e, \ldots, m_n/e; r')$

Page 21: Pedersen commitment variant

Public key: primes $q, p$ with $p = kq + 1$; random elements $g_1, \ldots, g_n, h$ of order $q$; $pk = (q, p, g_1, \ldots, g_n, h)$

Commitment: $\mathrm{com}(m_1, \ldots, m_n; (u, r)) = u\, g_1^{m_1} \cdots g_n^{m_n} h^r \bmod p$, where $u^k = 1 \bmod p$

Commitment verification: valid if $0 < c < p$

Page 22: Shuffle of known content

[Figure: publicly known messages $m_1, \ldots, m_n$; the prover picks $\pi, r$ and outputs $\mathrm{com}(m_{\pi(1)}, \ldots, m_{\pi(n)}; r)$.]

Page 23: SHVZK proof for shuffle of known content

A 4-round public coin SHVZK proof of knowledge for a commitment to a permutation of publicly known messages $m_1, \ldots, m_n$

Optional:
- unconditional soundness or statistical SHVZK
- key length vs efficiency

Page 24: Knowledge of contents

Common: $pk, c, m_1, \ldots, m_n$

Prover: $\pi, r$ with $c = \mathrm{com}(m_{\pi(1)}, \ldots, m_{\pi(n)}; r)$

Prover: $c_d = \mathrm{com}(d_1, \ldots, d_n; r_d)$

Verifier: $e \in \{0,1\}^\ell$

Prover: $f_i = e\, m_{\pi(i)} + d_i$, $z = er + r_d$

Check $c^e c_d = \mathrm{com}(f_1, \ldots, f_n; z)$

Page 25: Special HVZK

Common: $pk, c, m_1, \ldots, m_n$

Simulator: $e \in \{0,1\}^\ell$, $f_i \in \mathbb{Z}_q$, $z \in \mathbb{Z}_q$, then $c_d = \mathrm{com}(f_1, \ldots, f_n; z)\, c^{-e}$

Check $c^e c_d = \mathrm{com}(f_1, \ldots, f_n; z)$

Page 26: Knowledge

Common: $pk, c, m_1, \ldots, m_n$

$c_d = \mathrm{com}(d_1, \ldots, d_n; r_d)$

$e, e' \in \{0,1\}^\ell$

$f_i, z, f_i', z'$

$c^e c_d = \mathrm{com}(f_1, \ldots, f_n; z)$

$c^{e'} c_d = \mathrm{com}(f_1', \ldots, f_n'; z')$

$c^{e - e'} = \mathrm{com}(f_1 - f_1', \ldots, f_n - f_n'; z - z')$

Root extraction: $c = \mathrm{com}(\mu_1, \ldots, \mu_n; r)$
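Worked example (added here; not code from the slides or the paper): the knowledge-of-contents protocol of Pages 24 to 26 over a Pedersen vector commitment, with the prover's two moves, the verifier check, the SHVZK simulator and the two-transcript extractor. The primes q = 1019, p = 2039, the seed and all messages are constructed toy values, and the $u$ component of the commitment is fixed to 1.

```python
import random

# Constructed toy parameters (far too small for real use): p = 2q + 1, so k = 2.
q, p = 1019, 2039
n = 4
rng = random.Random(7)
# Random elements of order q: squares of random non-trivial elements of Z_p^*.
g = [pow(rng.randrange(2, p - 1), 2, p) for _ in range(n)]
h = pow(rng.randrange(2, p - 1), 2, p)

def com(ms, r):
    """com(m1,...,mn; r) = g1^m1 ... gn^mn h^r mod p  (u fixed to 1)."""
    c = pow(h, r % q, p)
    for gi, mi in zip(g, ms):
        c = c * pow(gi, mi % q, p) % p
    return c

def prover_first(mu, r):
    """First move: commit to random d_1..d_n with randomness r_d."""
    d = [rng.randrange(q) for _ in range(n)]
    rd = rng.randrange(q)
    return com(d, rd), (mu, r, d, rd)

def prover_answer(state, e):
    """Third move, after challenge e: f_i = e mu_i + d_i, z = e r + r_d."""
    mu, r, d, rd = state
    f = [(e * m + di) % q for m, di in zip(mu, d)]
    return f, (e * r + rd) % q

def verify(c, cd, e, f, z):
    """Verifier check: c^e c_d == com(f_1,...,f_n; z)."""
    return pow(c, e, p) * cd % p == com(f, z)

def simulate(c, e):
    """SHVZK simulator: choose f, z first and solve c_d = com(f; z) c^{-e}."""
    f = [rng.randrange(q) for _ in range(n)]
    z = rng.randrange(q)
    return com(f, z) * pow(c, -e, p) % p, f, z

def extract(e1, f1, z1, e2, f2, z2):
    """Two accepting transcripts with the same c_d and e1 != e2 (mod q) give
    c^(e1-e2) = com(f1-f2; z1-z2); dividing the exponents by e1-e2 (root
    extraction, which is trivial here because q is prime) opens c."""
    inv = pow((e1 - e2) % q, -1, q)
    mu = [((a - b) * inv) % q for a, b in zip(f1, f2)]
    return mu, ((z1 - z2) * inv) % q
```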

Page 27: Idea (Neff 2001)

Consider the polynomials $\prod_i (m_i - X)$ and $\prod_i (\mu_i - X)$ in $\mathbb{Z}_q[X]$

They are identical exactly when there exists $\pi$ with $\mu_i = m_{\pi(i)}$

Pick $x$ at random and demonstrate $\prod_i (m_i - x) = \prod_i (\mu_i - x) \bmod q$

With overwhelming probability this is not the case unless such a $\pi$ exists

Page 28: Identical polynomials

Common: $pk, c, m_1, \ldots, m_n$

Verifier: $x \in \{0,1\}^\ell$

Prover: $c_d, c_a, c_\Delta$

Verifier: $e \in \{0,1\}^\ell$

Prover: $f_i, z, f_{\Delta i}, z_\Delta$

Check $c^e c_d = \mathrm{com}(f_1, \ldots, f_n; z)$ and $c_a^e c_\Delta = \mathrm{com}(f_{\Delta 1}, \ldots, f_{\Delta, n-1}; z_\Delta)$

$f_i = e\mu_i + d_i$, $f_{\Delta i} = e\alpha_i + \delta_i$

Page 29: Checking the polynomials

$f_i = e\mu_i + d_i$, $f_{\Delta i} = e\alpha_i + \delta_i$

Let $F_1 = f_1 - ex = e(\mu_1 - x) + d_1$

Let $eF_{i+1} = F_i(f_{i+1} - ex) + f_{\Delta i}$

$e^i F_{i+1} = e^{i-1}\big(F_i(f_{i+1} - ex) + f_{\Delta i}\big) = \big(e^i \prod_{j \le i}(\mu_j - x) + \mathrm{poly}_{i-1}(e)\big)\big(e(\mu_{i+1} - x) + d_{i+1}\big) + e^{i-1}(e\alpha_i + \delta_i) = e^{i+1}\prod_{j \le i+1}(\mu_j - x) + \mathrm{poly}_i(e)$

Check $F_n = e\prod_i (m_i - x)$, meaning $e^n \prod_j (\mu_j - x) + \mathrm{poly}_{n-1}(e) = e^n \prod_i (m_i - x)$

Page 30: Completeness

$F_i = e\prod_{j \le i}(\mu_j - x) + \Delta_i$

$F_1 = f_1 - ex = e(m_{\pi(1)} - x) + d_1$, so $\Delta_1 = d_1$

$eF_{i+1} = F_i(f_{i+1} - ex) + f_{\Delta i}$, so

$e\alpha_i + \delta_i = e^2 \prod_{j \le i+1}(m_{\pi(j)} - x) + e\Delta_{i+1} - \big(e\prod_{j \le i}(m_{\pi(j)} - x) + \Delta_i\big)\big(e(m_{\pi(i+1)} - x) + d_{i+1}\big) = e\big(\Delta_{i+1} - \prod_{j \le i}(m_{\pi(j)} - x)\, d_{i+1} - \Delta_i (m_{\pi(i+1)} - x)\big) - \Delta_i d_{i+1}$

$F_n = e\prod_i (m_i - x)$ when $\Delta_n = 0$
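Worked example (added here; not code from the slides or the paper): the honest prover's $\alpha_i, \delta_i$ from the completeness argument above and the verifier's $F_i$ recurrence from Page 29, carried out in $\mathbb{Z}_q$ for a constructed toy $q = 1019$. Commitments are left out, so only the polynomial-identity arithmetic is exercised; the blinding values $d_i$ and $\Delta_i$ are passed in explicitly.

```python
# Constructed toy prime (far too small for real use); all arithmetic is in Z_q.
q = 1019

def prod(vals):
    acc = 1
    for v in vals:
        acc = acc * v % q
    return acc

def prover_messages(mu, x, e, d, Delta):
    """Honest prover's third move for the identical-polynomials protocol.

    mu    : committed values mu_i (equal to m_{pi(i)} for a real shuffle)
    x, e  : the verifier's two challenges
    d     : blinding values d_i behind c_d
    Delta : Delta_1 = d_1, Delta_2..Delta_{n-1} random blinding, Delta_n = 0
    Returns f_i = e mu_i + d_i and f_Delta_i = e alpha_i + delta_i with
      alpha_i = Delta_{i+1} - prod_{j<=i}(mu_j - x) d_{i+1} - Delta_i (mu_{i+1} - x)
      delta_i = -Delta_i d_{i+1}
    so that e F_{i+1} = F_i (f_{i+1} - e x) + f_Delta_i holds with
    F_i = e prod_{j<=i}(mu_j - x) + Delta_i.
    """
    n = len(mu)
    assert Delta[0] == d[0] and Delta[-1] == 0
    f = [(e * mu[i] + d[i]) % q for i in range(n)]
    fD = []
    for i in range(n - 1):
        P_i = prod((mu[j] - x) % q for j in range(i + 1))   # prod_{j<=i}(mu_j - x)
        alpha = (Delta[i + 1] - P_i * d[i + 1] - Delta[i] * (mu[i + 1] - x)) % q
        delta = (-Delta[i] * d[i + 1]) % q
        fD.append((e * alpha + delta) % q)
    return f, fD

def verifier_check(m, x, e, f, fD):
    """Run F_1 = f_1 - e x and e F_{i+1} = F_i (f_{i+1} - e x) + f_Delta_i,
    then test F_n == e prod_i (m_i - x): the committed values are a permutation
    of the public m_i (up to the 1/q chance of a polynomial collision at x)."""
    e_inv = pow(e % q, -1, q)
    F = (f[0] - e * x) % q
    for i in range(len(m) - 1):
        F = (F * (f[i + 1] - e * x) + fD[i]) * e_inv % q
    return F == e * prod((mi - x) % q for mi in m) % q
```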

Page 31: SHVZK proof for known content

4-round public coin protocol; soundness computational/unconditional; SHVZK statistical/computational

With the Pedersen commitment variant:
- Prover: 3n expos, 2|q|n bits
- Verifier: 2n expos

Page 32: Agenda (repeat of the Page 8 agenda)

Page 33: A shuffle of homomorphic encryptions

[Figure, as on Page 11: input $e_1, \ldots, e_n$; the prover picks $\pi, R_1, \ldots, R_n$ and outputs $e_{\pi(1)} E(1; R_1), \ldots, e_{\pi(n)} E(1; R_n)$.]

Page 34: Idea

Want to show that $e_1, \ldots, e_n$ and $E_1, \ldots, E_n$ have the same plaintexts

1. Reveal $\pi$
2. Receive random challenges $t_1, \ldots, t_n \in \{0,1\}^\ell$
3. Release $Z$ so that $E(1; Z)\prod_i e_i^{t_i} = \prod_i E_i^{t_{\pi(i)}}$

Then $\prod_i m_i^{t_i} = \prod_i M_i^{t_{\pi(i)}}$, so $1 = \prod_i (M_i / m_{\pi(i)})^{t_{\pi(i)}}$

Since $Q$ has no small prime factors, $M_i = m_{\pi(i)}$

Page 35: Idea

1. Commit to $\pi$, commit to $d_1, \ldots, d_n \in \{0,1\}^{\ell + 80}$; form $E_d = E(1; R_d)\prod_i E_i^{-d_i}$
2. Receive challenges $t_1, \ldots, t_n \in \{0,1\}^\ell$
3. Release $f_1, \ldots, f_n, Z$ so that $f_i = t_{\pi(i)} + d_i$ and $E(1; Z)\prod_i e_i^{t_i} = E_d \prod_i E_i^{f_i}$

On the plaintexts: $\prod_i m_i^{t_i} = \big(M_d \prod_i M_i^{d_i}\big)\prod_i M_i^{t_{\pi(i)}}$

$Z = R_d + \sum_i t_{\pi(i)} R_i$

Page 36: Idea

1. Commit to $\pi$ and $d_1, \ldots, d_n$: $c = \mathrm{com}(\pi(1), \ldots, \pi(n); r)$, $c_d = \mathrm{com}(-d_1, \ldots, -d_n; r_d)$
2. Receive challenges $t_1, \ldots, t_n$
3. Send $f_1, \ldots, f_n$ (with $|q| > \ell + 80$)
4. Receive challenge $\lambda$
5. Make an SHVZK proof of known content for $c^\lambda c_d\, \mathrm{com}(f_1, \ldots, f_n; 0)$ containing a permutation of $\lambda \cdot 1 + t_1, \ldots, \lambda n + t_n$

Then there exists $\pi$ with $\lambda\mu_i + f_i - d_i = \lambda\pi(i) + t_{\pi(i)}$

With overwhelming probability over $\lambda$ we have $\mu_i = \pi(i)$ and $f_i = t_{\pi(i)} + d_i$

Page 37: Full protocol

Common: $pk, PK, e_1, \ldots, e_n$ and $E_1, \ldots, E_n$

Prover: $\pi, R_1, \ldots, R_n$

Prover: $c, c_d, E_d$

Verifier: $t_1, \ldots, t_n \in \{0,1\}^\ell$

Prover: $f_1, \ldots, f_n, Z$

Verifier: $\lambda \in \{0,1\}^\ell$

SHVZK proof (of known content)

Verify the SHVZK proof; check $E(1; Z)\prod_i e_i^{t_i} = E_d \prod_i E_i^{f_i}$
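Worked example (added here; not code from the slides or the paper) for the encryption side of Pages 34 to 37: the ElGamal variant, a shuffle $E_i = e_{\pi(i)} E(1; R_i)$, the blinded first move $E_d$, the answers $f_i$ and $Z$, and the verifier's check $E(1;Z)\prod_i e_i^{t_i} = E_d \prod_i E_i^{f_i}$. The commitments to $\pi$ and to the $d_i$ are left out. The primes $Q = 1019$, $P = 2039$, the seed and the plaintexts are constructed toy values, and the $\pm 1$ signs of the slides' encryption are fixed to $+1$.

```python
import random

# Constructed toy parameters (far too small for real use): P = 2Q + 1.
Q, P = 1019, 2039
rng = random.Random(11)
G = pow(rng.randrange(2, P - 1), 2, P)   # random element of order Q (a square)
x = rng.randrange(1, Q)                  # SK = (PK, x)
Y = pow(G, x, P)                         # PK = (Q, P, G, Y)
ELL = 40                                 # challenge length l; d_i has l + 80 bits

def enc(m, R):
    """E(m; R) = (G^R, Y^R m) mod P, with the slides' +-1 signs fixed to +1."""
    return (pow(G, R, P), pow(Y, R, P) * m % P)

def mul(a, b):
    """Ciphertext product: E(m1; R1) E(m2; R2) = E(m1 m2; R1 + R2)."""
    return (a[0] * b[0] % P, a[1] * b[1] % P)

def prod_pow(cts, exps):
    """prod c_i^{k_i}; negative k_i are fine (pow inverts mod P)."""
    acc = (1, 1)
    for c, k in zip(cts, exps):
        acc = mul(acc, (pow(c[0], k, P), pow(c[1], k, P)))
    return acc

def shuffle(es):
    """E_i = e_{pi(i)} E(1; R_i) for random pi and R_i (the prover's secrets)."""
    pi = list(range(len(es)))
    rng.shuffle(pi)
    Rs = [rng.randrange(Q) for _ in es]
    return [mul(es[pi[i]], enc(1, Rs[i])) for i in range(len(es))], pi, Rs

def prover_first(Es):
    """Before the challenges: d_i in {0,1}^{l+80}, E_d = E(1; R_d) prod E_i^{-d_i}."""
    d = [rng.getrandbits(ELL + 80) for _ in Es]
    Rd = rng.randrange(Q)
    return mul(enc(1, Rd), prod_pow(Es, [-di for di in d])), (d, Rd)

def prover_answer(state, pi, Rs, ts):
    """f_i = t_{pi(i)} + d_i over the integers, Z = R_d + sum_i t_{pi(i)} R_i."""
    d, Rd = state
    f = [ts[pi[i]] + d[i] for i in range(len(d))]
    Z = (Rd + sum(ts[pi[i]] * Rs[i] for i in range(len(d)))) % Q
    return f, Z

def verify(es, Es, Ed, ts, f, Z):
    """The full protocol's check: E(1; Z) prod e_i^{t_i} == E_d prod E_i^{f_i}."""
    return mul(enc(1, Z), prod_pow(es, ts)) == mul(Ed, prod_pow(Es, f))
```

The $f_i$ are sent over the integers, which is why the $d_i$ carry 80 extra bits: they statistically hide $t_{\pi(i)}$ and hence $\pi$.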

Page 38: Properties of shuffle proof

7-round public coin protocol; soundness computational/unconditional; SHVZK statistical/computational

With the Pedersen commitment and ElGamal variants:
- Prover: 4n p-expos, 2n P-expos, 3|q|n bits
- Verifier: 2n p-expos, 4n P-expos

Page 39: Implementation (Stamer 2005)

Pedersen commitment: |p| = 1024, |q| = 160

ElGamal encryption: |P| = 1024, |Q| = 160

SHVZK proof of correct shuffle of 1024 ElGamal ciphertexts on an AMD Duron 1.3 GHz:
- Prover: 14 seconds
- Verifier: 5 seconds

Page 40: Agenda (repeat of the Page 8 agenda)

Page 41: Other shuffle proofs

- Invariance of roots of polynomials: Neff CCS01, Groth PKC03, Neff 03, Groth 05
- Permutation matrices: Furukawa & Sako Crypto01, Furukawa IEICE05
- Integer commitments: Wikström Asiacrypt05
- Linear ignorance assumption: Peng et al. Crypto05

Page 42: Comparison of approaches

Pedersen commitment and ElGamal with |p| = 1024, |q| = 160

                   Roots of poly            Permutation matrix
Rounds             7                        3
Soundness          uncond./comp.            computational
SHVZK              comp./statistical        statistical
Prover expos       6n                       7n
Prover sends       480n bits                1344n bits
Verifier expos     6n                       8n
Key length         flexible (e.g. O(√n))    1024n bits

Page 43: Agenda (repeat of the Page 8 agenda)

Page 44: Adjusting the key length

The suggested Pedersen commitment variant had public key $(q, p, g_1, \ldots, g_n, h)$

Assume wlog $n = kl$; then we can instead use the public key $(q, p, g_1, \ldots, g_k, h)$ and commit as $c = (c_1, \ldots, c_l) = (\mathrm{com}(m_1, \ldots, m_k), \mathrm{com}(m_{k+1}, \ldots, m_{2k}), \ldots)$

Page 45: Randomization

$c^e c_d = \mathrm{com}(f_1, \ldots, f_n; z)$ and $c_a^e c_\Delta = \mathrm{com}(f_{\Delta 1}, \ldots, f_{\Delta, n-1}, 0; z_\Delta)$

Pick $\alpha \in \{0,1\}^\ell$ at random and check $(c^e c_d)^\alpha c_a^e c_\Delta = \mathrm{com}(\alpha f_1 + f_{\Delta 1}, \ldots, \alpha f_n + 0; \alpha z + z_\Delta)$

Many other randomization/batch verification possibilities

Page 46: On-line/off-line computation

The prover can precompute most values off-line (and in a mix-net also precompute the rerandomization of the ciphertexts)

Only $E_d$ and $c_a$ need to be computed on-line

Page 47: Picking the challenges

The verifier picks a seed for a pseudorandom number generator and sends it to the prover

The prover generates $t_1, \ldots, t_n$ from this seed

If $Q = q$ the verifier can simply send a challenge $t$ and let the prover use $t_1 = t^1 \bmod q, \ldots, t_n = t^n \bmod q$

Page 48: Multi-exponentiation (Lim 00)

Computing a product $\prod_i g_i^{e_i}$ can be done in $|e|\, n / (\log n - \log\log n)$ multiplications

Prover and verifier each need ≈ 0.5n naïve single expos for shuffling 100,000 ElGamal ciphertexts

Page 49: Questions?

Thank you