Cryptographic Shuffles
Jens Groth, University College London
Voting
– Voters cast secret votes
– Authorities reveal the votes in random permuted order
Mix-net (figure: votes v_1, v_2, …, v_N entering a mix-net)
Secure message submission → Mixing → Output of permuted messages
Secure message submission
– Voters encrypt their votes to keep them secret
  – Use a public encryption key generated by the election authorities running the mix-net
– Pre-processing before mixing
  – Check that voters are eligible
– Voters sign their encrypted votes
  – Prevents copying or casting of related votes
  – May require additional evidence that voters know the encrypted votes they submit (without revealing the votes)
Mix-net: mixing (figure: input ciphertexts E_pk(v_1; r_1), E_pk(v_2; r_2), …, E_pk(v_N; r_N) enter the mix-net; the output ciphertexts E_pk(v_2; s_2), E_pk(v_1; s_1), …, E_pk(v_N; s_N) leave in permuted order with fresh randomness)
Output of permuted messages
– The election authorities decrypt the encrypted permuted messages and output them
– Threshold decryption
  – The secret decryption key is shared between the election authorities
  – No single election authority, or small group of election authorities, can decrypt the incoming encrypted votes
  – They only cooperate to decrypt the output of the mixing phase, where the votes have already been permuted
Homomorphic encryption
– A public key encryption scheme is homomorphic if E_pk(v; r) · E_pk(w; s) = E_pk(v·w; r+s)
– Rerandomization of a ciphertext: E_pk(v; r) · E_pk(1; s) = E_pk(v; t) with t = r+s
– Example: ElGamal encryption, (g^r, y^r v) · (g^s, y^s w) = (g^{r+s}, y^{r+s} vw)
Mix-net (figure: input v_1, v_2, …, v_N; mix-server 1 applies π_1, mix-server 2 applies π_2, giving the overall permutation π = π_2 π_1; after threshold decryption the output is v_π(1), v_π(2), …, v_π(N))
Shuffle
– Input ciphertexts c_1, …, c_N
– Permute to get c_π(1), …, c_π(N)
– Re-randomize them: C_i = c_π(i) · E_pk(1; s_i)
– Output ciphertexts C_1, …, C_N
(figure: c_1, …, c_5 → c_π(1), …, c_π(5) → C_1, …, C_5)
Security
– Each mix-server acts in sequence
  – Shuffles the ciphertexts from the previous mix-server
– The resulting permutation is random and secret if
  – All mix-servers follow the protocol
  – At least one mix-server keeps its permutation secret
  – The encryption scheme is semantically secure
Problem: corrupt mix-server (figure: a corrupt mix-server replaces one ciphertext, so after threshold decryption the output is v_π(1), v_π(2), …, v'_π(N) instead of v_π(1), v_π(2), …, v_π(N))
Zero-knowledge shuffle argument
– Statement: (pk, c_1, …, c_N, C_1, …, C_N)
– The prover knows π, r_1, …, r_N; the verifier knows only the statement
– Sound: the shuffle is correct
– Zero-knowledge: nothing but the truth of the statement is revealed; the permutation stays secret
Solution: zero-knowledge arguments (figure: Server 1 and Server 2 each publish a ZK argument for their shuffle before threshold decryption)
– ZK argument of each server: no message was changed (soundness)
– The permutation is still secret (zero-knowledge)
Public coin honest verifier zero-knowledge
– Statement: (pk, c_1, …, c_N, C_1, …, C_N)
– Setup: common reference string
– Public coin: the verifier's messages are random challenges from Z_q
– Honest verifier zero-knowledge: nothing but the truth is revealed; the permutation stays secret
– Can be converted to a standard zero-knowledge argument
Non-interactive zero-knowledge argument
– Setup: common reference string
– Statement: (pk, c_1, …, c_N, C_1, …, C_N)
– Fiat-Shamir 86: compute the challenges with a cryptographic hash function; the prover sends a single message and anybody can verify it
Universal verifiability
– Each mix-server can publicize its shuffle and the corresponding NIZK argument
– Now anybody can verify that the shuffles are correct (soundness)
– At the same time the NIZK arguments do not reveal the secret permutations used by the mix-servers (zero-knowledge)
Parameters for zero-knowledge arguments
– Communication complexity
– Verifier's computation
– Prover's computation
  – Importance decreases when using the Fiat-Shamir heuristic
– Round complexity
  – Not important if using the Fiat-Shamir heuristic
Cut-and-choose (Sako-Kilian 95)
Statement: (pk, c_1, …, c_N, C_1, …, C_N), where C_i = c_π(i) · E_pk(1; r_i)
– Prover → Verifier: E_1, …, E_N, a fresh shuffle with E_i = c_π0(i) · E_pk(1; r_0i) = C_π1(i) · E_pk(1; r_1i)
– Verifier → Prover: b ∈ {0,1}
– Prover → Verifier: π_b, r_b1, …, r_bN
Cut-and-choose (Sako-Kilian)
– Soundness:
  – If c_1, …, c_N and C_1, …, C_N are not a shuffle, then E_1, …, E_N is not a shuffle of c_1, …, c_N or E_1, …, E_N is not a shuffle of C_1, …, C_N
  – The verifier has a 50% chance of catching a cheating prover
  – Repeat s times to get a 2^-s risk of accepting a cheating prover
– Honest verifier zero-knowledge:
  – The verifier can simulate the argument by picking b ∈ {0,1} and computing E_1, …, E_N as the corresponding shuffle of c_1, …, c_N or of C_1, …, C_N himself
– Cost:
  – O(Ns) ciphertexts and, with ElGamal, O(Ns) exponentiations
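The mix step from the homomorphic-encryption and shuffle slides and the Sako-Kilian cut-and-choose argument above, as one added example (code written for this page, not from the talk). Everything concrete in it is an assumption: the group is the order-Q subgroup of Z_P^* for the toy safe prime P = 2Q+1 = 1019 (a deployment would use at least the |p| = 1024, |q| = 160 parameters of the comparison table), votes are encoded as g^v so they can be decoded by table lookup, and the challenge bits are derived with SHAKE-256 over the transcript (Fiat-Shamir).

```python
"""Added example, not code from the slides: toy ElGamal mixing (homomorphic
multiplication, re-randomization, shuffle) plus the Sako-Kilian cut-and-choose
shuffle argument with Fiat-Shamir challenges.  Assumptions: toy safe prime
P = 2Q+1 = 1019, votes encoded as g^v, SHAKE-256 challenge derivation."""
import hashlib
import secrets

P, Q, G = 1019, 509, 4        # G = 2^2 is a square, so it generates the order-Q subgroup

def keygen():
    sk = secrets.randbelow(Q - 1) + 1               # sk in [1, Q-1]
    return sk, pow(G, sk, P)

def enc(pk, m, r):
    """E_pk(m; r) = (g^r, pk^r * m); m must be a subgroup element."""
    return (pow(G, r, P), pow(pk, r, P) * m % P)

def dec(sk, ct):
    a, b = ct
    return b * pow(a, Q - sk, P) % P                # a^(Q-sk) = a^(-sk) because a^Q = 1

def mul(ct1, ct2):
    """E(m1; r1) * E(m2; r2) = E(m1*m2; r1+r2): the homomorphic property."""
    return (ct1[0] * ct2[0] % P, ct1[1] * ct2[1] % P)

def rerandomize(pk, ct, s):
    """E(m; r) * E(1; s) = E(m; r+s): same plaintext, fresh randomness."""
    return mul(ct, enc(pk, 1, s))

def random_perm(n):
    perm = list(range(n))
    for i in range(n - 1, 0, -1):                   # Fisher-Yates with a CSPRNG
        j = secrets.randbelow(i + 1)
        perm[i], perm[j] = perm[j], perm[i]
    return perm

def shuffle(pk, cts):
    """One mix-server step: C_i = c_{pi(i)} * E_pk(1; r_i).  Returns C, pi, r."""
    n = len(cts)
    perm, rand = random_perm(n), [secrets.randbelow(Q) for _ in range(n)]
    return [rerandomize(pk, cts[perm[i]], rand[i]) for i in range(n)], perm, rand

def challenge_bits(pk, cts, out, shadows):
    """Fiat-Shamir: one challenge bit per round, hashed from the whole transcript."""
    data = repr((pk, cts, out, shadows)).encode()
    h = hashlib.shake_256(data).digest((len(shadows) + 7) // 8)
    return [(h[k >> 3] >> (k & 7)) & 1 for k in range(len(shadows))]

def prove_shuffle(pk, cts, out, perm, rand, rounds=32):
    """Per round publish a fresh shuffle E of c, then open E as a shuffle of c (b=0) or of C (b=1)."""
    n = len(cts)
    inv = [0] * n
    for i, p in enumerate(perm):
        inv[p] = i                                  # inv = pi^{-1}
    data = []
    for _ in range(rounds):
        sigma, t = random_perm(n), [secrets.randbelow(Q) for _ in range(n)]
        shadow = [rerandomize(pk, cts[sigma[i]], t[i]) for i in range(n)]
        tau = [inv[sigma[i]] for i in range(n)]    # C_{tau(i)} = c_{sigma(i)} * E(1; r_{tau(i)})
        u = [(t[i] - rand[tau[i]]) % Q for i in range(n)]   # so E_i = C_{tau(i)} * E(1; u_i)
        data.append((shadow, (sigma, t), (tau, u)))
    shadows = [d[0] for d in data]
    bits = challenge_bits(pk, cts, out, shadows)
    return shadows, [data[k][1 + bits[k]] for k in range(rounds)]

def verify_round(pk, cts, out, shadow, b, opening):
    """Check E_i == X_{rho(i)} * E_pk(1; w_i) with X = c (b=0) or X = C (b=1)."""
    rho, w = opening
    src = cts if b == 0 else out
    n = len(cts)
    if sorted(rho) != list(range(n)) or len(shadow) != n or len(w) != n:
        return False
    return all(shadow[i] == rerandomize(pk, src[rho[i]], w[i]) for i in range(n))

def verify_shuffle(pk, cts, out, proof):
    shadows, openings = proof
    if len(cts) != len(out) or len(shadows) != len(openings):
        return False
    bits = challenge_bits(pk, cts, out, shadows)
    return all(verify_round(pk, cts, out, shadows[k], bits[k], openings[k])
               for k in range(len(shadows)))

def demo(votes=(0, 1, 1, 2, 0), rounds=32):
    """Two honest mix-servers in sequence: both arguments verify, and decrypting
    only the final output yields the input votes as a multiset."""
    sk, pk = keygen()
    cts = [enc(pk, pow(G, v, P), secrets.randbelow(Q)) for v in votes]
    out1, perm1, rand1 = shuffle(pk, cts)
    out2, perm2, rand2 = shuffle(pk, out1)
    ok = (verify_shuffle(pk, cts, out1, prove_shuffle(pk, cts, out1, perm1, rand1, rounds)) and
          verify_shuffle(pk, out1, out2, prove_shuffle(pk, out1, out2, perm2, rand2, rounds)))
    table = {pow(G, v, P): v for v in range(3)}     # toy decoding: votes are in {0, 1, 2}
    return ok, sorted(table[dec(sk, ct)] for ct in out2)

def cheating_demo(votes=(0, 1, 1, 2, 0), rounds=32):
    """A corrupt server multiplies one output plaintext by g (changing that vote).
    It still knows pi and r, but no b=1 opening fits the altered ciphertext, so the
    argument is rejected unless every challenge bit is 0 (probability 2^-rounds)."""
    _, pk = keygen()
    cts = [enc(pk, pow(G, v, P), secrets.randbelow(Q)) for v in votes]
    out, perm, rand = shuffle(pk, cts)
    out[-1] = mul(out[-1], (1, G))                  # (1, g) = E(g; 0): plaintext times g
    return verify_shuffle(pk, cts, out, prove_shuffle(pk, cts, out, perm, rand, rounds))
```

`demo()` returns `(True, [0, 0, 1, 1, 2])` and `cheating_demo()` returns `False`. Each round costs N fresh ciphertexts plus N re-randomizations for the verifier, which is the O(Ns) cost on the slide; the opening the verifier sees is either σ or π^{-1}σ, each a uniformly random permutation, so it learns nothing about π. With Fiat-Shamir the prover cannot pick b after seeing the challenge, but it can grind over fresh E lists, which is why the number of rounds must stay at the full security parameter rather than being reduced.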
Permutation networks (Abe 99, AH01)
– Cost: O(N log N) elements and O(N log N) expos
(figure: a permutation network on inputs v_1, …, v_8 built from layers of 2-input switches; the output shown is v_5, v_2, v_7, v_8, v_3, v_1, v_4, v_6)
Permutation matrix (Furukawa-Sako 01)
– Demonstrate there is a permutation matrix such that
– The permutation matrix has size N^2 but is sparse and has only N non-zero entries
– Cost: O(N) elements and O(N) expos
Polynomial invariance under permutation of roots (Neff 01)
Sub-linear size arguments (Groth-Ishai 08)
– Polynomial invariance under permutation of roots
– Organize the ciphertexts in an m × n matrix
– Apply Hadamard code techniques from PCPs
– Cost:
  – Size: O(m^2 + n)
  – Prover computation: O(Nm) exponentiations
  – Verifier computation: O(N) exponentiations
Sub-linear size arguments (Bayer-Groth 11)
– Polynomial invariance under permutation of roots
– Organize the ciphertexts in an m × n matrix
– Apply polynomial multiplication techniques
– Cost:
  – Size: O(m + n)
  – Prover computation: O(N log m) exponentiations
  – Verifier computation: O(N) exponentiations
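The "polynomial invariance under permutation of roots" idea shared by the Neff, Groth-Ishai and Bayer-Groth slides, as an added example on plain field elements (written for this page, not code from any of those papers). The multiset {a_1, …, a_N} determines the polynomial P(X) = ∏_i (X − a_i), and P does not change when the a_i are permuted; the verifier picks a random x and the prover shows ∏_i (x − a_i) = ∏_i (x − b_i), which a wrong multiset passes with probability at most N/q (Schwartz-Zippel). Assumptions: the toy field order q = 2^127 − 1 (the slides use |q| = 160), and unhidden values; a real argument runs the same identity on committed values inside a zero-knowledge argument.

```python
"""Added example, not from the slides: the root-product identity that underlies
permutation arguments, checked at a random point (Schwartz-Zippel).  Assumed
parameters: prime field order Q = 2^127 - 1 and values given in the clear."""
import secrets

Q = 2**127 - 1          # assumed prime field order; distinct degree-N polynomials agree on at most N points

def root_product(values, x):
    """prod_i (x - a_i) mod Q: the polynomial with roots `values`, evaluated at x."""
    acc = 1
    for a in values:
        acc = acc * (x - a) % Q
    return acc

def same_multiset(a, b, x=None):
    """Accept iff prod (x - a_i) == prod (x - b_i) at a random (or given) point x.
    The point must be chosen by the verifier after the values are fixed, otherwise
    a prover could pick values that only agree at the known x."""
    if len(a) != len(b):
        return False
    if x is None:
        x = secrets.randbelow(Q)
    return root_product(a, x) == root_product(b, x)

def demo():
    """Honest permutation passes; a tamper that preserves both the sum and the
    product of the values (so a sum-only or product-only check would miss it)
    is rejected, because the full polynomial differs."""
    a = [1, 5, 8, 8]
    honest = [8, 1, 8, 5]
    tampered = [2, 2, 8, 10]           # same sum (22) and same product (320) as a
    return same_multiset(a, honest), same_multiset(a, tampered)
```

`demo()` returns `(True, False)`. In the shuffle arguments the a_i are the committed positions (or the ciphertexts' exponents) and x is the verifier's challenge from Z_q, so the check is a single product of N field elements for the verifier; the expensive part the slides discuss is proving the products on committed values without opening them.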
Comparison of ElGamal shuffles (N = mn), |p| = 1024, |q| = 160

Scheme                | Rounds | Prover (expos) | Verifier (expos) | Size (kbits)
Sako-Kilian 95        | 3      | O(s)N          | O(s)N            | O(s)N
Abe 99 (AH01)         | 3      | O(log N)N      | O(log N)N        | O(log N)N
Furukawa-Sako 01      | 3      | 8N             | 10N              | 5.3N
FMMOS 02              | 5      | 9N             | 10N              | 5.3N
Furukawa 05 (GL07)    | 3      | 7N             | 8N               | 1.5N
Terelius-Wikström 10  | 5      | 9N             | 11N              | 3.7N
Neff 01,04            | 7      | 8N             | 12N              | 7.7N
Groth 03,10           | 7      | 6N             |                  | 0.6N
Groth-Ishai 08        | 7      | 3mN            | 4N               | 3m^2 + n
Bayer-Groth 11        | 9      | 2 log(m) N     | 4N               | 11m + 0.8n
New sub-linear size shuffle argument
Joint work with Stephanie Bayer, University College London
Commitments
Homomorphic commitments
Shuffle argument
– Given public keys pk and ck
– Given a shuffle c_1, …, c_N and C_1, …, C_N
– The prover knows the permutation π and the randomizers r_1, …, r_N and wants to convince the verifier that C_1 = c_π(1) · E_pk(1; r_1), …, C_N = c_π(N) · E_pk(1; r_N)
Zero-knowledge: perfectly hiding, so the argument reveals nothing (ZK)
Soundness
The underlying ZK arguments
– Inexpensive ones: see the full paper
– Expensive one: will sketch the idea
Multi-exponentiation argument
The commitment B and useful notation
Product argument idea
Product argument
Explanation
Efficiency
– 2m ciphertexts
– N ciphertext expos
– The short argument is cheap
– 2m ciphertext expos
– Communication: O(m + n) elements
– Verifier computation: 4N + O(m + n) expos
Prover's computation
– Computing this matrix costs m^2 · n = mN ciphertext expos
Reducing the prover's computation
– Do not compute the entire matrix
– Instead use techniques for multiplication of polynomials "in the exponent" of ciphertexts
– Fast Fourier Transform: O(N log m) exponentiations, O(1) rounds
– Interaction: O(N) exponentiations, O(log m) rounds
Comparison of ElGamal shuffles (N = mn), |p| = 1024, |q| = 160, now including the interactive variant

Scheme                       | Rounds | Prover (expos) | Verifier (expos) | Size (kbits)
Sako-Kilian 95               | 3      | O(s)N          | O(s)N            | O(s)N
Abe 99 (AH01)                | 3      | O(log N)N      | O(log N)N        | O(log N)N
Furukawa-Sako 01             | 3      | 8N             | 10N              | 5.3N
FMMOS 02                     | 5      | 9N             | 10N              | 5.3N
Furukawa 05 (GL07)           | 3      | 7N             | 8N               | 1.5N
Terelius-Wikström 10         | 5      | 9N             | 11N              | 3.7N
Neff 01,04                   | 7      | 8N             | 12N              | 7.7N
Groth 03,10                  | 7      | 6N             |                  | 0.6N
Groth-Ishai 08               | 7      | 3mN            | 4N               | 3m^2 + n
Bayer-Groth 11               | 9      | 2 log(m) N     | 4N               | 11m + 0.8n
Bayer-Groth 11 (interactive) | log m  | O(N)           | 4N               | 11m + 0.8n
Asymptotic vs concrete complexity
– It turns out that for practical choices of N = mn interaction comes for free
  – The multi-exponentiation argument has smaller round complexity than the product argument
  – Can use the interaction technique for a couple of rounds without increasing the round complexity
– It takes a long time before the asymptotic behaviour of the Fast Fourier Transform kicks in
  – For small m it is better to use Toom-Cook methods
Implementation
– Looked at shuffling 100,000 ElGamal ciphertexts
  – |p| = 1024 bits, |q| = 160 bits
– The most efficient implementation uses N = 100,000, m = 64, n = 1563
– Cost:
  – Rounds: 9
  – Prover: 12N exponentiations
  – Verifier: 4N exponentiations
  – Communication: 0.7 MB
– Timings on a Core2Duo 2.53GHz: prover 91 seconds, verifier 18 seconds
Summary, |p| = 1024, |q| = 160 (rows with timings refer to the N = 100,000 implementation)

Scheme                | Rounds | Prover          | Verifier        | Size
Sako-Kilian 95        | 3      | O(s)N expos     | O(s)N expos     | O(s)N kbits
Abe 99 (AH01)         | 3      | O(log N)N expos | O(log N)N expos | O(log N)N kbits
Furukawa-Sako 01      | 3      | 8N expos        | 10N expos       | 5.3N kbits
FMMOS 02              | 5      | ~300 sec.       |                 | 66.0 MB
Furukawa 05 (GL07)    | 3      | 7N expos        | 8N expos        | 1.5N kbits
Terelius-Wikström 10  | 5      | ~300 sec.       |                 | 37.7 MB
Neff 01,04            | 7      | 8N expos        | 12N expos       | 7.7N kbits
Groth 03,10           | 7      | 6N expos        |                 | 0.6N kbits
Groth-Ishai 08        | 7      | 3mN expos       | 4N expos        | 3m^2 + n kbits
Bayer-Groth           | 9      | 91 sec.         | 18 sec.         | 0.7 MB