
Cryptographic Shuffles, Jens Groth, University College London



Presentation transcript:

1 Cryptographic Shuffles
Jens Groth, University College London

2 Voting
Voters cast secret votes
Authorities reveal the votes in random permuted order

3 Mix-net
(Figure: votes v_1, v_2, …, v_N entering the mix-net.)

4 Mixing
Secure message submission
Output of permuted messages

5 Secure message submission
Voters encrypt their votes to keep them secret
– Use a public encryption key generated by the election authorities running the mix-net
Pre-processing before mixing
– Check that voters are eligible
Voters sign their encrypted votes
– Prevents copying or casting of related votes
May require additional evidence that voters know the encrypted votes they submit (without revealing the votes)

6 Mix-net
(Figure: mixing. Input E_pk(v_1; r_1), E_pk(v_2; r_2), …, E_pk(v_N; r_N); output in permuted order with fresh randomness, e.g. E_pk(v_2; s_2), E_pk(v_1; s_1), …, E_pk(v_N; s_N).)

7 Output of permuted messages
Election authorities decrypt the encrypted permuted messages and output them
Threshold decryption
– The secret decryption key is shared between the election authorities
– No single election authority or small group of election authorities can decrypt the incoming encrypted votes
– They will only cooperate to decrypt the output from the mixing phase, where the votes have been permuted

8 Homomorphic encryption
A public key encryption scheme is homomorphic if E_pk(v; r) · E_pk(w; s) = E_pk(v·w; r+s)
Rerandomization of a ciphertext: E_pk(v; r) · E_pk(1; s) = E_pk(v; t), where t = r + s
Example: ElGamal encryption: (g^r, y^r v) · (g^s, y^s w) = (g^{r+s}, y^{r+s} vw)

9 Mix-net
(Figure: inputs v_1, v_2, …, v_N; mix-server 1 applies π_1, mix-server 2 applies π_2, overall permutation π = π_2 ∘ π_1; after threshold decryption the output is v_π(1), v_π(2), …, v_π(N).)

10 Shuffle
Input ciphertexts c_1, …, c_N
Permute to get c_π(1), …, c_π(N)
Re-randomize them: C_i = c_π(i) · E_pk(1; s_i)
Output ciphertexts C_1, …, C_N
(Figure: c_1, c_2, c_3, c_4, c_5 → c_π(1), c_π(2), c_π(3), c_π(4), c_π(5) → C_1, C_2, C_3, C_4, C_5.)

11 Security
Each mix-server acts in sequence
– Shuffles the ciphertexts from the previous mix-server
The resulting permutation is random and secret if
– All mix-servers follow the protocol
– At least one mix-server keeps its permutation secret
– The encryption scheme is semantically secure

12 Problem: corrupt mix-server
(Figure: as on slide 9, inputs v_1, v_2, …, v_N with permutations π_1, π_2 and π = π_2 ∘ π_1, but the decrypted output is v_π(1), v_π(2), …, v'_π(N): a corrupt mix-server has replaced one vote.)

13 Zero-knowledge shuffle argument
Statement: (pk, c_1, …, c_N, C_1, …, C_N)
Prover (knows π, r_1, …, r_N) ↔ Verifier
Sound: the shuffle is correct
Zero-knowledge: nothing but the truth is revealed; the permutation is secret

14 Solution: zero-knowledge arguments
(Figure: as on slide 9, inputs v_1, …, v_N, permutations π_1, π_2 with π = π_2 ∘ π_1, threshold decryption, with each mix-server attaching a ZK argument.)
Server 1 ZK argument: no message changed (soundness)
Server 2 ZK argument: permutation still secret (zero-knowledge)

15 Public coin honest verifier zero-knowledge
Setup: common reference string
Statement: (pk, c_1, …, c_N, C_1, …, C_N)
Prover ↔ Verifier
Public coin: random challenges from Z_q
Honest verifier zero-knowledge: nothing but the truth is revealed; the permutation is secret
Can be converted to a standard zero-knowledge argument

16 Non-interactive zero-knowledge argument
Setup: common reference string
Statement: (pk, c_1, …, c_N, C_1, …, C_N)
Prover → Verifier
Fiat-Shamir 86: compute the challenges using a cryptographic hash-function, so anybody can act as the verifier

17 Non-interactive zero-knowledge argument
Setup: common reference string
Statement: (pk, c_1, …, c_N, C_1, …, C_N)
Prover

18 Universal verifiability
Each mix-server can publish its shuffle and the corresponding NIZK argument
Now anybody can verify that the shuffles are correct (soundness)
At the same time the NIZK arguments do not reveal the secret permutations used by the mix-servers (zero-knowledge)

19 Parameters for zero-knowledge argument
Communication complexity
Verifier’s computation
Prover’s computation
– Importance decreases when using the Fiat-Shamir heuristic
Round complexity
– Not important if using the Fiat-Shamir heuristic

20 Cut-and-choose (Sako-Kilian 95)
Statement: (pk, c_1, …, c_N, C_1, …, C_N), where C_i = c_π(i) E_pk(1; r_i)
Prover → Verifier: E_1, …, E_N, with E_i = c_π0(i) E_pk(1; r_0i) = C_π1(i) E_pk(1; r_1i)
Verifier → Prover: b ← {0,1}
Prover → Verifier: π_b, r_b1, …, r_bN

21 Cut-and-choose (Sako-Kilian)
Soundness:
– If c_1, …, c_N and C_1, …, C_N are not a shuffle, then E_1, …, E_N is not a shuffle of c_1, …, c_N or E_1, …, E_N is not a shuffle of C_1, …, C_N
– The verifier has a 50% chance of catching a cheating prover
– Repeat s times to get a 2^-s risk of a cheating prover
Honest verifier zero-knowledge:
– The verifier can simulate the argument by picking b ← {0,1} and computing E_1, …, E_N as the corresponding shuffle of c_1, …, c_N or C_1, …, C_N himself
Cost:
– O(Ns) ciphertexts and, with ElGamal, O(Ns) expos
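The following is an added example (my own Python, not code from the talk or from any implementation by the authors) that puts slides 8, 10, 16, 20 and 21 together on a toy ElGamal group: homomorphic multiplication and re-randomization, one mix-server's shuffle C_i = c_π(i)·E_pk(1; s_i), the Sako-Kilian cut-and-choose argument with its 50% per-round catch rate, and a Fiat-Shamir variant in which the challenge bits come from a hash of the statement and the commitments. The group parameters P, Q, G, the encoding of votes as subgroup elements, SHA-256 as the challenge hash and the names of all functions are constructed assumptions for this example only.

```python
import hashlib
import random

# Constructed toy ElGamal group: safe prime P = 2Q + 1 and G a generator of the
# order-Q subgroup. Real mix-nets use |p| = 1024 bits or more; these sizes are
# for illustration only.
P, Q, G = 1019, 509, 4

def keygen(rng):
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)                          # (sk, pk = G^x)

def enc(pk, v, r):                                  # E_pk(v; r) = (G^r, pk^r * v)
    return (pow(G, r, P), pow(pk, r, P) * v % P)

def dec(sk, c):
    a, b = c
    return b * pow(a, Q - sk, P) % P                # a^(Q - sk) = a^(-sk) since a^Q = 1

def mul(c, d):                                      # E(v; r) * E(w; s) = E(v*w; r+s)
    return (c[0] * d[0] % P, c[1] * d[1] % P)

def shuffle(pk, cs, perm, rands):                   # C_i = c_perm[i] * E_pk(1; s_i)
    return [mul(cs[perm[i]], enc(pk, 1, rands[i])) for i in range(len(cs))]

def honest_prover(pk, cs, perm, rands):
    """Sako-Kilian prover holding the witness (perm, rands) for C_i = c_perm[i] * E(1; rands[i])."""
    n, inv = len(cs), {perm[i]: i for i in range(len(perm))}
    def commit(rng):
        p0 = list(range(n)); rng.shuffle(p0)
        r0 = [rng.randrange(Q) for _ in range(n)]
        E = shuffle(pk, cs, p0, r0)                 # E_i = c_p0[i] * E(1; r0_i)
        # E is also a shuffle of C: E_i = C_p1[i] * E(1; r1_i), p1 = perm^-1 o p0, r1_i = r0_i - rands[p1[i]]
        p1 = [inv[p0[i]] for i in range(n)]
        r1 = [(r0[i] - rands[p1[i]]) % Q for i in range(n)]
        return E, lambda b: (p0, r0) if b == 0 else (p1, r1)
    return commit

def cheating_prover(pk, cs, Cs):
    """Holds no witness (C is not a shuffle of c) and can only guess the challenge bit."""
    def commit(rng):
        guess = rng.randrange(2)
        p = list(range(len(cs))); rng.shuffle(p)
        r = [rng.randrange(Q) for _ in cs]
        E = shuffle(pk, cs if guess == 0 else Cs, p, r)
        return E, lambda b: (p, r)                  # verifies only when b == guess
    return commit

def verify_round(pk, cs, Cs, E, b, perm, rands):
    """Open E towards the inputs (b = 0) or towards the outputs (b = 1)."""
    src, n = (cs if b == 0 else Cs), len(cs)
    if sorted(perm) != list(range(n)):
        return False
    return all(E[i] == mul(src[perm[i]], enc(pk, 1, rands[i])) for i in range(n))

def run_interactive(pk, cs, Cs, commit, s, rng):
    """s public-coin repetitions; a cheater passes all of them with probability 2^-s."""
    for _ in range(s):
        E, respond = commit(rng)
        b = rng.randrange(2)
        if not verify_round(pk, cs, Cs, E, b, *respond(b)):
            return False
    return True

def fiat_shamir_bits(pk, cs, Cs, Es):
    """Fiat-Shamir: challenge bits from a hash of statement and commitments (s <= 256)."""
    h = hashlib.sha256(repr((pk, cs, Cs, Es)).encode()).digest()
    return [(h[i // 8] >> (i % 8)) & 1 for i in range(len(Es))]

def run_noninteractive(pk, cs, Cs, commit, s, rng):
    """Prover commits to all s rounds first; anybody can recompute the challenges and verify."""
    rounds = [commit(rng) for _ in range(s)]
    bits = fiat_shamir_bits(pk, cs, Cs, [E for E, _ in rounds])
    return all(verify_round(pk, cs, Cs, E, b, *respond(b))
               for (E, respond), b in zip(rounds, bits))

def demo(seed=1, n=5, s=40):
    """Returns (homomorphism holds, votes preserved, honest accepted, honest accepted via Fiat-Shamir, cheater accepted)."""
    rng = random.Random(seed)
    sk, pk = keygen(rng)
    votes = [pow(G, v, P) for v in range(1, n + 1)]   # constructed votes, encoded in the subgroup
    rs = [rng.randrange(Q) for _ in range(n)]
    cs = [enc(pk, v, r) for v, r in zip(votes, rs)]
    hom = mul(cs[0], cs[1]) == enc(pk, votes[0] * votes[1] % P, (rs[0] + rs[1]) % Q)
    perm = list(range(n)); rng.shuffle(perm)
    rands = [rng.randrange(Q) for _ in range(n)]
    Cs = shuffle(pk, cs, perm, rands)
    preserved = sorted(dec(sk, C) for C in Cs) == sorted(votes)
    honest = run_interactive(pk, cs, Cs, honest_prover(pk, cs, perm, rands), s, rng)
    honest_ni = run_noninteractive(pk, cs, Cs, honest_prover(pk, cs, perm, rands), s, rng)
    bad = list(Cs)                                     # corrupt mix-server replaces one vote
    bad[0] = enc(pk, pow(G, 99, P), rng.randrange(Q))
    cheat = run_interactive(pk, cs, bad, cheating_prover(pk, cs, bad), s, rng)
    return hom, preserved, honest, honest_ni, cheat
```

`demo()` builds five encrypted votes, shuffles them, checks that decryption of the output yields the same multiset of votes, and then runs the argument three times: the honest prover interactively, the honest prover with Fiat-Shamir challenges, and a prover for a tampered output who can only guess each challenge bit in advance. With s = 40 the tampered run is rejected, matching the 2^-s bound on slide 21; the Fiat-Shamir run shows why rounds stop mattering once the challenges are hashed (slide 19).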

22 Permutation networks (Abe 99, AH01)
Cost: O(N log N) elements and O(N log N) expos
(Figure: a permutation network on v_1, …, v_8 built from layers of pairwise switches. Intermediate orderings shown: v_2 v_1 v_3 v_4 v_5 v_6 v_8 v_7; v_2 v_3 v_5 v_8 v_1 v_4 v_6 v_7; final output v_5 v_2 v_7 v_8 v_3 v_1 v_4 v_6.)

23 Permutation matrix (Furukawa-Sako 01)
Demonstrate that there is a permutation matrix such that (relation shown on the slide, not in the transcript)
The permutation matrix has size N^2 but is sparse and has only N non-zero entries
Cost: O(N) elements and O(N) expos

24 Polynomial invariance under permutation of roots (Neff 01)

25 Sub-linear size arguments (Groth-Ishai 08)
Polynomial invariance under permutation of roots
Organize the ciphertexts in an m × n matrix
Apply Hadamard code techniques from PCPs
Cost:
– Size: O(m^2 + n)
– Prover computation: O(Nm) exponentiations
– Verifier computation: O(N) exponentiations

26 Sub-linear size arguments (Bayer-Groth 11)
Polynomial invariance under permutation of roots
Organize the ciphertexts in an m × n matrix
Apply polynomial multiplication techniques
Cost:
– Size: O(m + n)
– Prover computation: O(N log(m)) exponentiations
– Verifier computation: O(N) exponentiations
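Slides 24 to 26 all rest on "polynomial invariance under permutation of roots": the polynomial ∏(X − a_i) does not change when the a_i are permuted, so two lists are permutations of each other exactly when these polynomials coincide, and a verifier can test that by evaluating both at one random challenge x ∈ Z_q. The block below is an added example (my own Python, not code from the talk or the Bayer-Groth paper) of that test on plaintext values; the modulus, the sample lists and the function names are constructed for the example. The real arguments prove the same identity over committed or encrypted values rather than over visible roots.

```python
import random

# Constructed prime modulus standing in for the group order q; the talk's
# setting has |q| = 160 bits.
Q = 2**127 - 1

def prod_of_roots(roots, x, q=Q):
    """Evaluate prod_i (x - a_i) mod q, the monic polynomial with roots a_i, at x."""
    acc = 1
    for a in roots:
        acc = acc * (x - a) % q
    return acc

def same_roots(a, b, q=Q, reps=1, seed=None):
    """Verifier-side test: does prod (x - a_i) equal prod (x - b_i) at random x in Z_q?

    If b is a permutation of a the two polynomials are identical and the test
    always accepts. Otherwise they are distinct polynomials of degree N and, by
    Schwartz-Zippel, agree on at most N of the q possible challenges, so a wrong
    multiset survives `reps` independent challenges with probability <= (N/q)^reps.
    """
    if len(a) != len(b):
        return False
    rng = random.Random(seed)
    return all(prod_of_roots(a, x, q) == prod_of_roots(b, x, q)
               for x in (rng.randrange(q) for _ in range(reps)))

def fooling_challenges(a, b, q):
    """List every x in Z_q at which a non-permutation b would be accepted.

    Feasible only for toy q; it makes the N/q bound concrete and shows why the
    challenge space has to be large.
    """
    return [x for x in range(q) if prod_of_roots(a, x, q) == prod_of_roots(b, x, q)]

if __name__ == "__main__":
    votes = [17, 4, 99, 23]                          # constructed sample values
    print(same_roots(votes, [4, 23, 17, 99]))        # permutation: accepted
    print(same_roots(votes, [4, 23, 17, 100]))       # one value changed: rejected
    print(fooling_challenges([1, 2, 3], [1, 2, 4], 101))
```

For the toy case `[1, 2, 3]` against `[1, 2, 4]` modulo 101 the two products differ by (x − 1)(x − 2), so exactly the challenges x = 1 and x = 2 fool the test: 2 of 101, within the N/q = 3/101 bound. With a 127-bit or 160-bit q the same bound is negligible, which is what lets a single challenge replace the N-fold repetition of cut-and-choose.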

27 Comparison of ElGamal shuffles (N = mn), |p| = 1024, |q| = 160

                      Rounds  Prover (expos)  Verifier (expos)  Size (kbits)
Sako-Kilian 95        3       O(s) N          O(s) N            O(s) N
Abe 99 (AH01)         3       O(log N) N      O(log N) N        O(log N) N
Furukawa-Sako 01      3       8N              10N               5.3N
FMMOS 02              5       9N              10N               5.3N
Furukawa 05 (GL07)    3       7N              8N                1.5N
Terelius-Wikström 10  5       9N              11N               3.7N
Neff 01,04            7       8N              12N               7.7N
Groth 03,10           7       6N                                0.6N
Groth-Ishai 08        7       3mN             4N                3m^2 + 0.5n
Bayer-Groth 11        9       2 log(m) N      4N                11m + 0.8n

28 New sub-linear size shuffle argument
Joint work with Stephanie Bayer, University College London

29 Commitments

30 Homomorphic commitments

31 Shuffle argument
Given public keys pk and ck
Given a shuffle c_1, …, c_N and C_1, …, C_N
The prover knows the permutation π and randomizers r_1, …, r_N and wants to convince the verifier that C_1 = c_π(1) E_pk(1; r_1), …, C_N = c_π(N) E_pk(1; r_N)

32 Zero-knowledge
Perfectly hiding
Reveals nothing (ZK)

33 Soundness

34 Soundness

35 The underlying ZK arguments
Inexpensive: see full paper
Expensive: will sketch idea

36 Multi-exponentiation argument

37 The commitment B and useful notation

38 Product argument idea

39 Product argument

40 Explanation

41 Explanation

42 Efficiency
2m ciphertexts
N ciphertext expos
Short argument is cheap
2m ciphertext expos
Communication: O(m + n) elements
Verifier computation: 4N + O(m + n) expos

43 Prover’s computation
Computing this matrix costs m^2 n = mN ciphertext expos

44 Reducing the prover’s computation
Do not compute the entire matrix
Instead use techniques for multiplication of polynomials “in the exponent” of ciphertexts
Fast Fourier Transform
– O(N log m) exponentiations, O(1) rounds
Interaction
– O(N) exponentiations, O(log m) rounds

45 Comparison of ElGamal shuffles (N = mn), |p| = 1024, |q| = 160

                      Rounds  Prover (expos)  Verifier (expos)  Size (kbits)
Sako-Kilian 95        3       O(s) N          O(s) N            O(s) N
Abe 99 (AH01)         3       O(log N) N      O(log N) N        O(log N) N
Furukawa-Sako 01      3       8N              10N               5.3N
FMMOS 02              5       9N              10N               5.3N
Furukawa 05 (GL07)    3       7N              8N                1.5N
Terelius-Wikström 10  5       9N              11N               3.7N
Neff 01,04            7       8N              12N               7.7N
Groth 03,10           7       6N                                0.6N
Groth-Ishai 08        7       3mN             4N                3m^2 + 0.5n
Bayer-Groth 11        9       2 log(m) N      4N                11m + 0.8n
Bayer-Groth 11        log m   O(N)            4N                11m + 0.8n

46 Asymptotic vs concrete complexity
It turns out that for practical choices of N = mn interaction comes for free
– The multi-exponentiation argument has smaller round complexity than the product argument
– Can use the interaction technique for a couple of rounds without increasing the round complexity
It takes a long time before the asymptotic behaviour of the Fast Fourier Transform kicks in
– For small m it is better to use Toom-Cook methods

47 Implementation
Looked at shuffling 100,000 ElGamal ciphertexts
– |p| = 1024 bits, |q| = 160 bits
Most efficient implementation uses N = 100,000, m = 64, n = 1563
Cost (Core2Duo 2.53 GHz):
– Rounds: 9
– Prover: 12N exponentiations, 91 seconds
– Verifier: 4N exponentiations, 18 seconds
– Communication: 0.7 MB

48 Summary, |p| = 1024, |q| = 160

                      Rounds  Prover (expos)  Verifier (expos)  Size (kbits)
Sako-Kilian 95        3       O(s) N
Abe 99 (AH01)         3       O(log N) N      O(log N) N        O(log N) N
Furukawa-Sako 01      3       8N              10N               5.3N
FMMOS 02              5       ~300 sec.                         66.0 MB
Furukawa 05 (GL07)    3       7N              8N                1.5N
Terelius-Wikström 10  5       ~300 sec.                         37.7 MB
Neff 01,04            7       8N              12N               7.7N
Groth 03,10           7       6N                                0.6N
Groth-Ishai 08        7       3mN             4N                3m^2 + 0.5n
Bayer-Groth 11        9       91 sec.         18 sec.           0.7 MB
