Efficient Zero-Knowledge Argument for Correctness of a Shuffle Stephanie Bayer University College London Jens Groth University College London.

Slides:



Advertisements
Similar presentations
Mix and Match: A Simple Approach to General Secure Multiparty Computation + Markus Jakobsson Bell Laboratories Ari Juels RSA Laboratories.
Advertisements

Perfect Non-interactive Zero-Knowledge for NP
Short Pairing-based Non-interactive Zero-Knowledge Arguments Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual.
Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.
Non-interactive Zero- Knowledge Arguments for Voting Jens Groth UCLA.
Short Non-interactive Zero-Knowledge Proofs
A Verifiable Secret Shuffle of Homomorphic Encryptions Jens Groth UCLA On ePrint archive:
Sublinear Algorithms … Lecture 23: April 20.
Efficient Non-interactive Proof Systems for Bilinear Groups Jens Groth University College London Amit Sahai University of California Los Angeles TexPoint.
Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University.
On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.
Secure Evaluation of Multivariate Polynomials
1 Reducing Complexity Assumptions for Statistically-Hiding Commitment Iftach Haitner Omer Horviz Jonathan Katz Chiu-Yuen Koo Ruggero Morselli Ronen Shaltiel.
RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.
Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.
Sub-linear Zero-Knowledge Argument for Correctness of a Shuffle Jens Groth University College London Yuval Ishai Technion and University of California.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London FOSAD 2014.
Complexity 26-1 Complexity Andrei Bulatov Interactive Proofs.
Information Security for Sensors Overwhelming Random Sequences and Permutations Shlomi Dolev, Niv Gilboa, Marina Kopeetsky, Giuseppe Persiano, and Paul.
CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.
1 Adapted from Oded Goldreich’s course lecture notes.
10/25/20061 Threshold Paillier Encryption Web Service A Master’s Project Proposal by Brett Wilson.
Secure Efficient Multiparty Computing of Multivariate Polynomials and Applications Dana Dachman-Soled, Tal Malkin, Mariana Raykova, Moti Yung.
Lecturer: Moni Naor Foundations of Cryptography Lecture 12: Commitment and Zero-Knowledge.
Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No one can tell how voter voted Publish who voted (?)
Privacy-Preserving Computation and Verification of Aggregate Queries on Outsourced Databases Brian Thompson 1, Stuart Haber 2, William G. Horne 2, Tomas.
Introduction to Modern Cryptography, Lecture 7/6/07 Zero Knowledge and Applications.
Zero Knowledge Proofs. Interactive proof An Interactive Proof System for a language L is a two-party game between a verifier and a prover that interact.
Sub-linear Size Pairing-Based Non-interactive Zero-Knowledge Arguments Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint.
K-Anonymous Message Transmission Luis von Ahn Andrew Bortz Nick Hopper The Aladdin Center Carnegie Mellon University.
Linear Algebra with Sub-linear Zero-Knowledge Arguments Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual before.
Fine-Tuning Groth-Sahai Proofs Alex Escala Scytl Secure Electronic Voting Jens Groth University College London.
Efficient and Robust Private Set Intersection and multiparty multivariate polynomials Dana Dachman-Soled 1, Tal Malkin 1, Mariana Raykova 1, Moti Yung.
Optimistic Mixing for Exit-Polls Philippe Golle, Stanford Sheng Zhong, Yale Dan Boneh, Stanford Markus Jakobsson, RSA Labs Ari Juels, RSA Labs.
Efficient Zero-Knowledge Proofs Jens Groth University College London.
Fall 2004/Lecture 201 Cryptography CS 555 Lecture 20-b Zero-Knowledge Proof.
Presented by: Suparita Parakarn Kinzang Wangdi Research Report Presentation Computer Network Security.
SANDRA GUASCH CASTELLÓ PHD EVOTING WORKSHOP LUXEMBOURG, 15-16/10/2012 SUPERVISOR: PAZ MORILLO BOSCH Verifiable Mixnets.
Privacy and Anonymity Using Mix Networks* Slides borrowed from Philippe Golle, Markus Jacobson.
Zero-Knowledge Argument for Polynomial Evaluation with Applications to Blacklists Stephanie Bayer Jens Groth University College London TexPoint fonts used.
A Brief Introduction to Mix Networks Ari Juels RSA Laboratories © 2001, RSA Security Inc.
Almost Entirely Correct Mixing With Applications to Voting Philippe Golle Dan Boneh Stanford University.
Pairing-Based Non-interactive Zero-Knowledge Proofs Jens Groth University College London Based on joint work with Amit Sahai.
Complexity 24-1 Complexity Andrei Bulatov Interactive Proofs.
Zero-Knowledge Proofs Ben Hosp. Classical Proofs A proof is an argument for the truth or correctness of an assertion. A classical proof is an unambiguous.
Usable Security Lab Crypto Lab Efficiency Comparison of Various Approaches in E-Voting Protocols Oksana Kulyk, Melanie Volkamer.
Cryptographic Shuffles Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAAAAAAAAAAAA.
Multi-Party Computation r n parties: P 1,…,P n  P i has input s i  Parties want to compute f(s 1,…,s n ) together  P i doesn’t want any information.
Zero Knowledge r Two parties:  All powerful prover P  Polynomially bounded verifier V r P wants to prove a statement to V with the following properties:
Topic 36: Zero-Knowledge Proofs
On the Size of Pairing-based Non-interactive Arguments
MPC and Verifiable Computation on Committed Data
Some slides borrowed from Philippe Golle, Markus Jacobson
Secure and Insecure Mixing
Committed MPC Multiparty Computation from Homomorphic Commitments
Linear Algebra with Sub-linear Zero-Knowledge Arguments
Helger Lipmaa University of Tartu, Estonia
cryptographic protocols 2014, lecture 12 Getting full zero knowledge
Interactive Proofs Adapted from Oded Goldreich’s course lecture notes.
Interactive Proofs Adapted from Oded Goldreich’s course lecture notes.
Interactive Proofs Adapted from Oded Goldreich’s course lecture notes.
Short Pairing-based Non-interactive Zero-Knowledge Arguments
Helen: Maliciously Secure Coopetitive Learning for Linear Models
Impossibility of SNARGs
Jens Groth and Mary Maller University College London
Interactive Proofs Adapted from Oded Goldreich’s course lecture notes.
Presentation transcript:

Efficient Zero-Knowledge Argument for Correctness of a Shuffle Stephanie Bayer University College London Jens Groth University College London

Motivation – e-voting Voting:- Voter casts secret vote - Authorities reveal votes in random permuted order E-voting:- voter casts secret votes on a computer -The votes are sent to a server who sends all votes to the central authorities -Authorities reveal votes in random permuted order

Background - ElGamal encryption

Shuffle...

Mix-net: … Threshold decryption

Problem: Corrupt mix-server … Threshold decryption

Solution: Zero-knowledge argument … Threshold decryption ZK argument No message changed (soundness) ZK argument Permutation still secret (zero-knowledge)

Zero-Knowledge Argument Requested Properties: –Soundness: The Verifier reject with overwhelming probability if the Prover tries to cheat –Zero-Knowledge: Nothing but the truth is revealed; permutation is secret –Efficient: Small computation and small communication complexity ProverVerifier The Shuffle was done correctly

Public coin honest verifier zero-knowledge ProverVerifier Honest verifier zero-knowledge Nothing but truth revealed; permutation secret Can convert to standard zero-knowledge argument

Our contribution 9-move public coin honest verifier zero-knowledge argument for correctness of shuffle in common reference string model

RoundsProver in expos Verifier in expos Size in kbits Furukawa-Sako 013 FMMOS 025 Furukawa 05 (GL07)3 Terelius-Wikström 105 Neff 01,047 Groth 03,107 Groth-Ishai 087 Bayer-Groth 119

Commitments – Length reducing – Computational binding – Perfectly hiding

Techniques - Sublinear cost Length reducing commitments Batch verification Sublinear communication cost

Shuffle argument

3.The prover gives an argument that both commitments are constructed using the same permutation 4.The prover demonstrates that the input ciphertexts are permuted using the same permutation and knowledge of the randomizers used in the re-encryption.

Shuffle argument Inexpensive See full paper Expensive Will sketch idea Both polynomials are equal, only the roots are permuted

Notation

Multi-exponentiation argument idea

Multi-exponentiation argument

Prover’s computation Computing this matrix costs m 2 n = mN ciphertext expos

Reducing the prover’s computation Do not compute entire matrix Instead use techniques for multiplication of polynomials “in the exponent” of ciphertexts Fast Fourier Transform – O(N log m) exponentiations O (1) rounds Interaction – O (N) exponentiations O (log m) rounds

Implementation Implementation in C++ using the NTL library and the GMP library Different levels of optimization –Multi-exponentiation techniques –Fast Fourier Transform –Extra Interaction and Toom-Cook

Comparison Single argumentArgument Size Verificatum5 min37.7 MB 2 min0.7 MB

Thank You

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.