Cryptographic Shuffles
Jens Groth, University College London

Voting
Voters cast secret votes
Authorities reveal the votes in random permuted order

Mix-net (diagram: votes v_1, v_2, …, v_N enter the mix-net)

Mixing: the three phases
– Secure message submission
– Mixing
– Output of permuted messages

Secure message submission
Voters encrypt their votes to keep them secret
– Use a public encryption key generated by the election authorities running the mix-net
Pre-processing before mixing
– Check that voters are eligible
Voters sign their encrypted votes
– Prevents copying or casting of related votes
May require additional evidence that voters know the encrypted votes they submit (without revealing the votes)

Mix-net: mixing (diagram)
Input ciphertexts E_pk(v_1; r_1), E_pk(v_2; r_2), …, E_pk(v_N; r_N) enter the mix-net; the output ciphertexts E_pk(v_1; s_1), E_pk(v_2; s_2), …, E_pk(v_N; s_N) leave in permuted order and with fresh randomness.

Output of permuted messages
Election authorities decrypt the encrypted permuted messages and output them
Threshold decryption
– The secret decryption key is shared between the election authorities
– No single election authority or small group of election authorities can decrypt the incoming encrypted votes
– They will only cooperate to decrypt the output of the mixing phase, where the votes have been permuted

Homomorphic encryption
A public key encryption scheme is homomorphic if
  E_pk(v; r) · E_pk(w; s) = E_pk(v·w; r+s)
Rerandomization of a ciphertext:
  E_pk(v; r) · E_pk(1; s) = E_pk(v; t), where t = r+s
Example: ElGamal encryption
  (g^r, y^r·v) · (g^s, y^s·w) = (g^{r+s}, y^{r+s}·vw)

Mix-net (diagram): the inputs v_1, v_2, …, v_N pass through the mix-servers' permutations π_1 and π_2, giving the overall permutation π = π_2 π_1; threshold decryption then outputs v_π(1), v_π(2), …, v_π(N).

Shuffle
Input ciphertexts: c_1, …, c_N
Permute to get c_π(1), …, c_π(N)
Re-randomize them: C_i = c_π(i) · E_pk(1; s_i)
Output ciphertexts: C_1, …, C_N
(Diagram: c_1, …, c_5 → c_π(1), …, c_π(5) → C_1, …, C_5)

Security
Each mix-server acts in sequence
– Shuffles the ciphertexts from the previous mix-server
The resulting permutation is random and secret if
– All mix-servers follow the protocol
– At least one mix-server keeps its permutation secret
– The encryption scheme is semantically secure

Problem: Corrupt mix-server (diagram): the same mix-net with permutations π_1, π_2 and π = π_2 π_1, but a corrupt mix-server has replaced one ciphertext, so after threshold decryption the output contains v´_π(N) in place of v_π(N): a vote has been changed.

Zero-knowledge shuffle argument
Statement: (pk, c_1, …, c_N, C_1, …, C_N)
Prover ↔ Verifier; the prover's witness is π, r_1, …, r_N
Sound: the shuffle is correct
Zero-knowledge: nothing but the truth is revealed; the permutation stays secret

Solution: zero-knowledge arguments (diagram): the mix-net of the previous slides, where server 1 and server 2 each attach a ZK argument to their shuffle. No message is changed (soundness) and the permutations π_1, π_2 stay secret (zero-knowledge); threshold decryption then outputs v_π(1), …, v_π(N) with π = π_2 π_1.

Public coin honest verifier zero-knowledge
Setup: common reference string
Statement: (pk, c_1, …, c_N, C_1, …, C_N)
Prover ↔ Verifier
Public coin: random challenges from Z_q
Honest verifier zero-knowledge: nothing but the truth is revealed; the permutation stays secret
Can be converted to a standard zero-knowledge argument

Non-interactive zero-knowledge argument
Setup: common reference string
Statement: (pk, c_1, …, c_N, C_1, …, C_N)
Fiat-Shamir 86: compute the challenges using a cryptographic hash-function
The prover sends a single message; the verifier's role can be played by anybody


Universal verifiability
Each mix-server can publicize its shuffle and the corresponding NIZK argument
Now anybody can verify that the shuffles are correct (soundness)
At the same time the NIZK arguments do not reveal the secret permutations used by the mix-servers (zero-knowledge)

Parameters for zero-knowledge argument
Communication complexity
Verifier’s computation
Prover’s computation
– Importance decreases when using the Fiat-Shamir heuristic
Round complexity
– Not important if using the Fiat-Shamir heuristic

Cut-and-choose (Sako-Kilian 95)
Statement: (pk, c_1, …, c_N, C_1, …, C_N), where C_i = c_π(i) · E_pk(1; r_i)
Prover → Verifier: E_1, …, E_N
  with E_i = c_π0(i) · E_pk(1; r_0i) = C_π1(i) · E_pk(1; r_1i)
Verifier → Prover: b ← {0,1}
Prover → Verifier: π_b, r_b1, …, r_bN
Verifier checks that E_1, …, E_N is the revealed shuffle of c_1, …, c_N (b = 0) or of C_1, …, C_N (b = 1)

Cut-and-choose (Sako-Kilian)
Soundness:
– If c_1, …, c_N and C_1, …, C_N are not a shuffle, then E_1, …, E_N is not a shuffle of c_1, …, c_N or E_1, …, E_N is not a shuffle of C_1, …, C_N
– The verifier has a 50% chance of catching a cheating prover
– Repeat s times to get a 2^-s risk of a cheating prover succeeding
Honest verifier zero-knowledge:
– The verifier can simulate the argument by picking b ← {0,1} and computing E_1, …, E_N as the corresponding shuffle of c_1, …, c_N or C_1, …, C_N himself
Cost:
– O(Ns) ciphertexts and, with ElGamal, O(Ns) exponentiations
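The rerandomization, shuffle and cut-and-choose steps of the preceding slides, as an added Python example (not code from the slides): a toy ElGamal group, two mix-servers shuffling in sequence, and the Sako-Kilian cut-and-choose argument made non-interactive with a Fiat-Shamir hash over the statement and first messages. The group parameters p = 2039, q = 1019, g = 4, the encoding of a vote v as g^v, the single decryption key (standing in for the threshold decryption the slides describe) and the use of Python's random module for reproducibility are all assumptions of this example.

```python
import hashlib
import random

# Constructed toy group: p = 2q+1 with p, q prime and g = 4 generating the order-q
# subgroup. Far too small for real use; it only keeps the arithmetic readable.
P, Q, G = 2039, 1019, 4

def keygen(rng):
    """One decryption key for the demo; the slides share it via threshold decryption."""
    sk = rng.randrange(1, Q)
    return sk, pow(G, sk, P)

def encrypt(pk, m, r):
    """ElGamal E_pk(m; r) = (g^r, pk^r * m) for a message m in the order-q subgroup."""
    return (pow(G, r, P), pow(pk, r, P) * m % P)

def decrypt(sk, c):
    a, b = c
    return b * pow(a, P - 1 - sk, P) % P  # a^(p-1-sk) = a^(-sk) by Fermat

def mul(c1, c2):
    """Homomorphic product: E(m1; r1) * E(m2; r2) = E(m1*m2; r1+r2)."""
    return (c1[0] * c2[0] % P, c1[1] * c2[1] % P)

def rerandomize(pk, c, s):
    """E_pk(m; r) * E_pk(1; s) = E_pk(m; r+s): same plaintext, unlinkable ciphertext."""
    return mul(c, encrypt(pk, 1, s))

def shuffle(pk, cts, rng):
    """One mix-server: secret permutation pi and fresh s_i, output C_i = c_pi(i) * E_pk(1; s_i)."""
    pi = list(range(len(cts)))
    rng.shuffle(pi)
    s = [rng.randrange(Q) for _ in cts]
    return [rerandomize(pk, cts[pi[i]], s[i]) for i in range(len(cts))], pi, s

def challenge_bits(pk, cts, outs, mids):
    """Fiat-Shamir: the challenge bits are a hash of the statement and all first messages."""
    h = hashlib.sha256(repr((pk, cts, outs, mids)).encode()).digest()
    return [(h[i // 8] >> (i % 8)) & 1 for i in range(len(mids))]

def prove_shuffle(pk, cts, outs, pi, s, rounds, rng):
    """Sako-Kilian cut-and-choose, made non-interactive with Fiat-Shamir. Each round
    commits to an intermediate shuffle E of cts; the challenge bit b selects whether
    E is opened as a shuffle of cts (b = 0) or as a shuffle of outs (b = 1)."""
    n = len(cts)
    inv = [0] * n
    for j, k in enumerate(pi):
        inv[k] = j  # inv = pi^-1
    mids, openings = [], []
    for _ in range(rounds):
        pi0 = list(range(n))
        rng.shuffle(pi0)
        r0 = [rng.randrange(Q) for _ in range(n)]
        mids.append([rerandomize(pk, cts[pi0[i]], r0[i]) for i in range(n)])
        # E_i = c_pi0(i) E(1; r0_i) = C_j E(1; r0_i - s_j) with j = pi^-1(pi0(i))
        pi1 = [inv[pi0[i]] for i in range(n)]
        r1 = [(r0[i] - s[pi1[i]]) % Q for i in range(n)]
        openings.append(((pi0, r0), (pi1, r1)))
    bits = challenge_bits(pk, cts, outs, mids)
    return mids, [openings[k][b] for k, b in enumerate(bits)]

def verify_shuffle(pk, cts, outs, proof):
    """Recompute the challenges and check every opened side; anybody can run this."""
    mids, answers = proof
    n = len(cts)
    if len(outs) != n or len(answers) != len(mids):
        return False
    for E, b, (perm, rs) in zip(mids, challenge_bits(pk, cts, outs, mids), answers):
        if sorted(perm) != list(range(n)):
            return False  # the opening must be a genuine permutation
        base = cts if b == 0 else outs
        if any(E[i] != rerandomize(pk, base[perm[i]], rs[i]) for i in range(n)):
            return False
    return True

def demo(seed=1, votes=(1, 2, 2, 3, 1, 2), rounds=40):
    """Two mix-servers shuffle in sequence and prove their shuffles; only the final
    output is decrypted. A server that swaps in a fresh vote can still open the b = 0
    side of every round but never the b = 1 side, so it is caught unless all bits are 0."""
    rng = random.Random(seed)  # reproducible demo RNG, not a CSPRNG
    sk, pk = keygen(rng)
    cts = [encrypt(pk, pow(G, v, P), rng.randrange(Q)) for v in votes]  # vote v encoded as g^v
    out1, pi1, s1 = shuffle(pk, cts, rng)
    out2, pi2, s2 = shuffle(pk, out1, rng)
    proof1 = prove_shuffle(pk, cts, out1, pi1, s1, rounds, rng)
    proof2 = prove_shuffle(pk, out1, out2, pi2, s2, rounds, rng)
    decode = {pow(G, v, P): v for v in range(1, 10)}
    tally = sorted(decode[decrypt(sk, c)] for c in out2)
    bad = list(out2)
    bad[0] = encrypt(pk, pow(G, 9, P), rng.randrange(Q))  # one ciphertext replaced
    bad_proof = prove_shuffle(pk, out1, bad, pi2, s2, rounds, rng)
    return {"tally": tally,
            "proofs_ok": verify_shuffle(pk, cts, out1, proof1) and verify_shuffle(pk, out1, out2, proof2),
            "corrupt_rejected": not verify_shuffle(pk, out1, bad, bad_proof)}
```

demo() returns the tally recovered from the final output, whether both honest proofs verify, and whether the proof for an output with one replaced ciphertext is rejected. With 40 rounds a prover that can only open the b = 0 side passes with probability 2^-40, which is the 2^-s bound of the slide; the tally is the same multiset as the submitted votes, while the two layers of rerandomized permutations hide which ciphertext came from which voter.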

Permutation Networks (Abe 99, AH01)
Cost: O(N log N) elements and O(N log N) exponentiations
(Diagram: a permutation network on eight inputs v_1, …, v_8; each stage swaps some adjacent pairs, and the stages together realize the permutation.)

Permutation matrix (Furukawa-Sako 01)
Demonstrate there is a permutation matrix such that
The permutation matrix has size N² but is sparse and has only N non-zero entries
Cost: O(N) elements and O(N) exponentiations

Polynomial invariance under permutation of roots (Neff 01)

Sub-linear size arguments (Groth-Ishai 08)
Polynomial invariance under permutation of roots
Organize the ciphertexts in an m × n matrix
Apply Hadamard code techniques from PCPs
Cost:
– Size: O(m² + n)
– Prover computation: O(Nm) exponentiations
– Verifier computation: O(N) exponentiations

Sub-linear size arguments (Bayer-Groth 11)
Polynomial invariance under permutation of roots
Organize the ciphertexts in an m × n matrix
Apply polynomial multiplication techniques
Cost:
– Size: O(m + n)
– Prover computation: O(N log m) exponentiations
– Verifier computation: O(N) exponentiations
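The root-polynomial idea named in the last three slides, as an added Python example that is not from the slides: the polynomial ∏(x - v_i) is unchanged by any permutation of the v_i, so a verifier that compares the polynomials of the input and output lists at a random point of Z_q accepts every genuine permutation and catches a changed multiset except with probability at most (N-1)/q. The actual arguments (Neff 01, Groth-Ishai 08, Bayer-Groth 11) run this identity over committed or encrypted values; here it runs on plaintext integers in a constructed toy field, so the field size q = 1019 and the sample values are assumptions of this example.

```python
import random

Q = 1019  # constructed toy prime; the slides work in Z_q with |q| = 160 bits

def root_polynomial_at(values, x, q=Q):
    """Evaluate p(x) = prod_i (x - v_i) mod q. The product is the same for every
    ordering of the v_i, so p is invariant under permutation of its roots."""
    acc = 1
    for v in values:
        acc = acc * (x - v) % q
    return acc

def same_roots_check(a, b, x, q=Q):
    """Verifier-side test at one challenge point x. A permutation of a always passes.
    If a and b are different multisets their monic polynomials differ, and two distinct
    degree-N polynomials agree on at most N-1 points, so a random x in Z_q accepts a
    non-permutation with probability at most (N-1)/q."""
    return len(a) == len(b) and root_polynomial_at(a, x, q) == root_polynomial_at(b, x, q)

def demo(seed=7, n=8):
    """An honest permutation and a list with one altered entry, tested at a random challenge."""
    rng = random.Random(seed)  # demo RNG; a real verifier's challenge must be unpredictable
    a = [rng.randrange(Q) for _ in range(n)]
    b = list(a)
    rng.shuffle(b)                # an honest shuffle of a
    c = list(b)
    c[3] = (c[3] + 1) % Q         # a corrupt server changed one entry
    x = rng.randrange(Q)          # the verifier's challenge
    return same_roots_check(a, b, x), same_roots_check(a, c, x)
```

With the fixed lists [3, 5, 7] and [7, 3, 5] both polynomials evaluate to 105 at x = 10, while [7, 3, 6] evaluates to 84 and is rejected; the protocols on the slides obtain the same soundness bound with challenges drawn from a 160-bit Z_q, where (N-1)/q is negligible even for N = 100,000.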

Comparison of ElGamal shuffles (N = mn), |p| = 1024, |q| = 160

Scheme | Rounds | Prover (expos) | Verifier (expos) | Size (kbits)
Sako-Kilian 95 | 3 | O(s)N | O(s)N | O(s)N
Abe 99 (AH01) | 3 | O(log N)N | O(log N)N | O(log N)N
Furukawa-Sako 01 | 3 | 8N | 10N | 5.3N
FMMOS 02 | 5 | 9N | 10N | 5.3N
Furukawa 05 (GL07) | 3 | 7N | 8N | 1.5N
Terelius-Wikström 10 | 5 | 9N | 11N | 3.7N
Neff 01,04 | 7 | 8N | 12N | 7.7N
Groth 03,10 | 7 | 6N | 6N | 0.6N
Groth-Ishai 08 | 7 | 3mN | 4N | 3m² + n
Bayer-Groth 11 | 9 | 2 log(m) N | 4N | 11m + 0.8n

New sub-linear size shuffle argument
Joint work with Stephanie Bayer, University College London

Commitments

Homomorphic commitments

Shuffle argument
Given public keys pk and ck
Given the shuffle c_1, …, c_N and C_1, …, C_N
The prover knows the permutation π and randomizers r_1, …, r_N and wants to convince the verifier that
  C_1 = c_π(1) · E_pk(1; r_1)
  …
  C_N = c_π(N) · E_pk(1; r_N)

Zero-knowledge
– Perfectly hiding
– Reveals nothing (ZK)

Soundness

Soundness

The underlying ZK arguments
– Inexpensive: see the full paper
– Expensive: will sketch the idea

Multi-exponentiation argument

The commitment B and useful notation

Product argument idea

Product argument

Explanation

Explanation

Efficiency
(Annotations on the slide's argument: 2m ciphertexts; N ciphertext exponentiations; 2m ciphertext exponentiations; the short argument is cheap)
Communication: O(m + n) elements
Verifier computation: 4N + O(m + n) exponentiations

Prover’s computation
Computing this matrix costs m²n = mN ciphertext exponentiations

Reducing the prover’s computation
Do not compute the entire matrix
Instead use techniques for multiplication of polynomials “in the exponent” of ciphertexts
Fast Fourier Transform
– O(N log m) exponentiations, O(1) rounds
Interaction
– O(N) exponentiations, O(log m) rounds

Comparison of ElGamal shuffles (N = mn), |p| = 1024, |q| = 160

Scheme | Rounds | Prover (expos) | Verifier (expos) | Size (kbits)
Sako-Kilian 95 | 3 | O(s)N | O(s)N | O(s)N
Abe 99 (AH01) | 3 | O(log N)N | O(log N)N | O(log N)N
Furukawa-Sako 01 | 3 | 8N | 10N | 5.3N
FMMOS 02 | 5 | 9N | 10N | 5.3N
Furukawa 05 (GL07) | 3 | 7N | 8N | 1.5N
Terelius-Wikström 10 | 5 | 9N | 11N | 3.7N
Neff 01,04 | 7 | 8N | 12N | 7.7N
Groth 03,10 | 7 | 6N | 6N | 0.6N
Groth-Ishai 08 | 7 | 3mN | 4N | 3m² + n
Bayer-Groth 11 | 9 | 2 log(m) N | 4N | 11m + 0.8n
Bayer-Groth 11 (interactive) | log m | O(N) | 4N | 11m + 0.8n

Asymptotic vs concrete complexity
It turns out that for practical choices of N = mn interaction comes for free
– The multi-exponentiation argument has smaller round complexity than the product argument
– Can use the interaction technique for a couple of rounds without increasing the round complexity
It takes a long time before the asymptotic behavior of the Fast Fourier Transform kicks in
– For small m it is better to use Toom-Cook methods

Implementation
Looked at shuffling 100,000 ElGamal ciphertexts
– |p| = 1024 bits, |q| = 160 bits
Most efficient implementation uses N = 100,000, m = 64, n = 1563
Cost:
– Rounds: 9
– Prover: 12N exponentiations
– Verifier: 4N exponentiations
– Communication: 0.7 MB
Timing on a Core2Duo 2.53 GHz: prover 91 seconds, verifier 18 seconds

Summary, |p| = 1024, |q| = 160

Scheme | Rounds | Prover (expos) | Verifier (expos) | Size (kbits)
Sako-Kilian 95 | 3 | O(s)N | O(s)N | O(s)N
Abe 99 (AH01) | 3 | O(log N)N | O(log N)N | O(log N)N
Furukawa-Sako 01 | 3 | 8N | 10N | 5.3N
FMMOS 02 | 5 | ~300 sec. | | 66.0 MB
Furukawa 05 (GL07) | 3 | 7N | 8N | 1.5N
Terelius-Wikström 10 | 5 | ~300 sec. | | 37.7 MB
Neff 01,04 | 7 | 8N | 12N | 7.7N
Groth 03,10 | 7 | 6N | 6N | 0.6N
Groth-Ishai 08 | 7 | 3mN | 4N | 3m² + n
Bayer-Groth 11 | 9 | 91 sec. | 18 sec. | 0.7 MB