1
Cryptographic Shuffles
Jens Groth, University College London
2
Voting
- Voters cast secret votes
- Authorities reveal the votes in a random permuted order
3
Mix-net
(figure: votes $v_1, v_2, \dots, v_N$ entering the mix-net)
4
Mixing
- Secure message submission
- Output of permuted messages
5
Secure message submission
- Voters encrypt their votes to keep them secret
  – Use a public encryption key generated by the election authorities running the mix-net
- Pre-processing before mixing
  – Check that voters are eligible: voters sign their encrypted votes
  – Prevent copying or casting of related votes: may require additional evidence that voters know the encrypted votes they submit (without revealing the votes)
6
Mix-net: mixing
(figure: input ciphertexts $E_{pk}(v_1;r_1), E_{pk}(v_2;r_2), \dots, E_{pk}(v_N;r_N)$ leave the mix-net permuted and re-randomized, e.g. $E_{pk}(v_2;s_2), E_{pk}(v_1;s_1), \dots, E_{pk}(v_N;s_N)$)
7
Output of permuted messages
- The election authorities decrypt the encrypted permuted messages and output them
- Threshold decryption
  – The secret decryption key is shared between the election authorities
  – No single election authority, or small group of election authorities, can decrypt the incoming encrypted votes
  – They will only cooperate to decrypt the output of the mixing phase, where the votes have been permuted
8
Homomorphic encryption
A public key encryption scheme is homomorphic if
$$E_{pk}(v;r) \cdot E_{pk}(w;s) = E_{pk}(v \cdot w;\, r+s)$$
Rerandomization of a ciphertext:
$$E_{pk}(v;r) \cdot E_{pk}(1;s) = E_{pk}(v;t), \qquad t = r+s$$
Example: ElGamal encryption
$$(g^r,\, y^r v) \cdot (g^s,\, y^s w) = (g^{r+s},\, y^{r+s} vw)$$
9
Mix-net
(figure: votes $v_1, v_2, \dots, v_N$ pass through two mix-servers with permutations $\pi_1$ and $\pi_2$, with $\pi = \pi_2 \circ \pi_1$; threshold decryption then outputs $v_{\pi(1)}, v_{\pi(2)}, \dots, v_{\pi(N)}$)
10
Shuffle
- Input ciphertexts $c_1, \dots, c_N$
- Permute to get $c_{\pi(1)}, \dots, c_{\pi(N)}$
- Re-randomize them: $C_i = c_{\pi(i)} \cdot E_{pk}(1; s_i)$
- Output ciphertexts $C_1, \dots, C_N$
(figure: $c_1, \dots, c_5$ are shuffled to $c_{\pi(1)}, \dots, c_{\pi(5)}$ and re-randomized to $C_1, \dots, C_5$)
11
Security
- Each mix-server acts in sequence
  – Shuffles the ciphertexts from the previous mix-server
- The resulting permutation is random and secret if
  – All mix-servers follow the protocol
  – At least one mix-server keeps its permutation secret
  – The encryption scheme is semantically secure
12
Problem: corrupt mix-server
(figure: as before, but a corrupt mix-server replaces one vote, so threshold decryption outputs $v_{\pi(1)}, v_{\pi(2)}, \dots, v'_{\pi(N)}$ with $v'$ in place of the original vote)
13
Zero-knowledge shuffle argument
- Statement: $(pk, c_1, \dots, c_N, C_1, \dots, C_N)$
- Prover (knows the witness $\pi, r_1, \dots, r_N$) ↔ Verifier
- Sound: the shuffle is correct
- Zero-knowledge: nothing but the truth is revealed; the permutation is secret
14
Solution: zero-knowledge arguments
(figure: each mix-server publishes a ZK argument next to its shuffle; server 1 and server 2 each give one)
- No message changed (soundness)
- Permutation still secret (zero-knowledge)
15
Public coin honest verifier zero-knowledge
- Statement: $(pk, c_1, \dots, c_N, C_1, \dots, C_N)$
- Setup: common reference string
- Public coin: random challenges from $\mathbb{Z}_q$
- Honest verifier zero-knowledge: nothing but the truth is revealed; the permutation is secret
  – Can be converted to a standard zero-knowledge argument
16
Non-interactive zero-knowledge argument
- Setup: common reference string
- Statement: $(pk, c_1, \dots, c_N, C_1, \dots, C_N)$
- Fiat-Shamir 86: compute the challenges with a cryptographic hash function, so the prover produces the whole transcript on its own and anybody can verify it
17
Non-interactive zero-knowledge argument (continued)
- Setup: common reference string
- Statement: $(pk, c_1, \dots, c_N, C_1, \dots, C_N)$
- The prover publishes a single message; no interaction with a verifier is needed
18
Universal verifiability
- Each mix-server can publish its shuffle and the corresponding NIZK argument
- Now anybody can verify that the shuffles are correct (soundness)
- At the same time the NIZK arguments do not reveal the secret permutations used by the mix-servers (zero-knowledge)
19
Parameters for a zero-knowledge argument
- Communication complexity
- Verifier's computation
- Prover's computation
  – Importance decreases when using the Fiat-Shamir heuristic
- Round complexity
  – Not important if using the Fiat-Shamir heuristic
20
Cut-and-choose (Sako-Kilian 95)
Statement $(pk, c_1, \dots, c_N, C_1, \dots, C_N)$; the prover knows $\pi$ and $r_1, \dots, r_N$ with $C_i = c_{\pi(i)} \cdot E_{pk}(1; r_i)$.
- Prover → Verifier: an intermediate shuffle $E_1, \dots, E_N$ such that
  $$E_i = c_{\pi_0(i)} \cdot E_{pk}(1; r_{0i}) = C_{\pi_1(i)} \cdot E_{pk}(1; r_{1i})$$
- Verifier → Prover: a random challenge bit $b \in \{0,1\}$
- Prover → Verifier: $b$, the permutation $\pi_b$ and the randomizers $r_{b1}, \dots, r_{bN}$
- Verifier: checks that $E_1, \dots, E_N$ is the opened shuffle of $c_1, \dots, c_N$ (if $b=0$) or of $C_1, \dots, C_N$ (if $b=1$)
21
Cut-and-choose (Sako-Kilian)
- Soundness:
  – If $c_1, \dots, c_N$ and $C_1, \dots, C_N$ are not a shuffle, then $E_1, \dots, E_N$ is not a shuffle of $c_1, \dots, c_N$ or $E_1, \dots, E_N$ is not a shuffle of $C_1, \dots, C_N$
  – The verifier has a 50% chance of catching a cheating prover
  – Repeat $s$ times to get a $2^{-s}$ risk of a cheating prover
- Honest verifier zero-knowledge:
  – The verifier can simulate the argument by picking $b \in \{0,1\}$ and computing $E_1, \dots, E_N$ as the corresponding shuffle of $c_1, \dots, c_N$ or $C_1, \dots, C_N$ himself
- Cost
  – $O(Ns)$ ciphertexts and, with ElGamal, $O(Ns)$ exponentiations
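The pieces of slides 8 (homomorphic ElGamal and rerandomization), 10 (the shuffle $C_i = c_{\pi(i)} \cdot E_{pk}(1; s_i)$), 16 (Fiat-Shamir) and 20/21 (cut-and-choose) fit together in the following added example. It is illustrative code written for this page, not an implementation from the talk or from any mix-net project. The group parameters are an assumption picked for readability, far too small for security, the vote is encoded as $g^{v}$ (exponential ElGamal) so that it lies in the subgroup, and a single decryption key stands in for the threshold decryption of slide 7.

```python
import hashlib
import secrets

# Toy group (assumption, far too small for real use): p = 2q + 1 with q prime;
# g = 4 generates the order-q subgroup of quadratic residues mod p.
P, Q, G = 1019, 509, 4

def keygen():
    """One decryption key; the slides share it among the authorities (threshold decryption)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)                          # (sk, pk)

def encrypt(pk, m, r):
    """E_pk(m; r) = (g^r, pk^r * m) mod p; m must be a subgroup element, e.g. g^vote."""
    return (pow(G, r, P), pow(pk, r, P) * m % P)

def decrypt(sk, c):
    a, b = c
    return b * pow(a, P - 1 - sk, P) % P            # b / a^sk

def mul(c1, c2):
    """Homomorphic property: E(m1; r1) * E(m2; r2) = E(m1*m2; r1+r2)."""
    return (c1[0] * c2[0] % P, c1[1] * c2[1] % P)

def rerandomize(pk, c, s):
    """E(m; r) * E(1; s) = E(m; r+s): same plaintext, fresh randomness."""
    return mul(c, encrypt(pk, 1, s))

def shuffle(pk, cts, perm, rands):
    """The mix-server step: C_i = c_perm(i) * E_pk(1; s_i)."""
    return [rerandomize(pk, cts[perm[i]], rands[i]) for i in range(len(cts))]

def random_perm(n):
    perm = list(range(n))
    for i in range(n - 1, 0, -1):                   # Fisher-Yates with a CSPRNG
        j = secrets.randbelow(i + 1)
        perm[i], perm[j] = perm[j], perm[i]
    return perm

def fiat_shamir_bits(pk, cts, out, mids):
    """One challenge bit per round, derived by hashing the statement and every
    intermediate shuffle (Fiat-Shamir); anybody can recompute them."""
    value = int.from_bytes(hashlib.sha256(repr((pk, cts, out, mids)).encode()).digest(), "big")
    return [(value >> i) & 1 for i in range(len(mids))]

def prove_shuffle(pk, cts, out, perm, rands, rounds=20):
    """Prover knows (perm, rands) with out == shuffle(pk, cts, perm, rands).
    Per round: publish a fresh shuffle E of the inputs; challenge bit 0 opens E
    as a shuffle of cts, bit 1 opens it as a shuffle of out."""
    n = len(cts)
    inv = [0] * n
    for i, p in enumerate(perm):
        inv[p] = i                                  # inv = perm^-1
    mids, witnesses = [], []
    for _ in range(rounds):
        sigma, t = random_perm(n), [secrets.randbelow(Q) for _ in range(n)]
        mids.append(shuffle(pk, cts, sigma, t))
        witnesses.append((sigma, t))
    openings = []
    for (sigma, t), bit in zip(witnesses, fiat_shamir_bits(pk, cts, out, mids)):
        if bit == 0:
            openings.append((sigma, t))
        else:
            # E_i = c_sigma(i) * E(1; t_i) and c_j = C_inv(j) * E(1; -r_inv(j)), hence
            # E_i = C_rho(i) * E(1; t_i - r_rho(i)) with rho(i) = inv(sigma(i)).
            rho = [inv[sigma[i]] for i in range(n)]
            openings.append((rho, [(t[i] - rands[rho[i]]) % Q for i in range(n)]))
    return mids, openings

def verify_shuffle(pk, cts, out, proof):
    mids, openings = proof
    n = len(cts)
    if len(out) != n or not mids or len(mids) != len(openings):
        return False
    for E, (perm, rs), bit in zip(mids, openings, fiat_shamir_bits(pk, cts, out, mids)):
        # The opened "permutation" must really be one, or a cheater could open E
        # as a list that repeats some votes and drops others.
        if sorted(perm) != list(range(n)) or len(rs) != n:
            return False
        if E != shuffle(pk, cts if bit == 0 else out, perm, rs):
            return False
    return True

def run_election(votes, rounds=20, tamper=False):
    """Encrypt votes (vote v encoded as g^v), shuffle, prove, verify, decrypt.
    With tamper=True the mix-server replaces one output by an encryption of the
    write-in value 9 and still runs the honest prover with its (now false) witness."""
    sk, pk = keygen()
    cts = [encrypt(pk, pow(G, v, P), secrets.randbelow(Q)) for v in votes]
    perm, rands = random_perm(len(cts)), [secrets.randbelow(Q) for _ in votes]
    out = shuffle(pk, cts, perm, rands)
    if tamper:
        out[0] = encrypt(pk, pow(G, 9, P), secrets.randbelow(Q))
    proof = prove_shuffle(pk, cts, out, perm, rands, rounds)
    ok = verify_shuffle(pk, cts, out, proof)
    decode = {pow(G, v, P): v for v in range(16)}   # small candidate set, includes write-in 9
    return ok, sorted(decode[decrypt(sk, c)] for c in out)
```

With `tamper=True` the cheating server can make each intermediate shuffle consistent with either the inputs or its corrupted outputs, but not both, so the argument passes only if every hashed challenge bit falls its way, i.e. with probability $2^{-\text{rounds}}$. The `sorted(perm)` check in the verifier is the kind of detail that is easy to drop and fatal to omit: without it an opening that repeats an index would be accepted as a "shuffle".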
22
Permutation networks (Abe 99, AH01)
- Cost: $O(N \log N)$ elements and $O(N \log N)$ exponentiations
(figure: an 8-input permutation network routing $v_1, \dots, v_8$ through layers of 2-by-2 switches, each layer a partial reordering, until the output order $v_5, v_2, v_7, v_8, v_3, v_1, v_4, v_6$ is reached)
23
Permutation matrix (Furukawa-Sako 01)
- Demonstrate that there is a permutation matrix relating the input ciphertexts to the output ciphertexts
- A permutation matrix has size $N^2$ but is sparse: it has only $N$ non-zero entries
- Cost: $O(N)$ elements and $O(N)$ exponentiations
24
Polynomial invariance under permutation of roots (Neff 01)
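Added note, not from the slide (which carries only its title): the property Neff builds on is that the polynomial whose roots are the $N$ plaintexts does not depend on the order of those roots,

$$
\prod_{i=1}^{N}\bigl(X - v_i\bigr) \;=\; \prod_{i=1}^{N}\bigl(X - v_{\pi(i)}\bigr)
\qquad \text{for every permutation } \pi ,
$$

so a shuffle can be checked by evaluating both sides at a verifier-chosen random point $x \in \mathbb{Z}_q$ instead of revealing $\pi$. If the two multisets of plaintexts differ, the two degree-$N$ polynomials are distinct and agree at a random $x$ with probability at most $N/q$ (Schwartz-Zippel). The actual arguments carry this identity out on committed or encrypted values through the homomorphic property, never on the plaintexts themselves; the Groth-Ishai 08 and Bayer-Groth 11 slides that follow refer to this same invariance.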
25
Sub-linear size arguments (Groth-Ishai 08)
- Polynomial invariance under permutation of roots
- Organize the ciphertexts in an $m \times n$ matrix
- Apply Hadamard code techniques from PCPs
- Cost:
  – Size: $O(m^2 + n)$
  – Prover computation: $O(Nm)$ exponentiations
  – Verifier computation: $O(N)$ exponentiations
26
Sub-linear size arguments (Bayer-Groth 11)
- Polynomial invariance under permutation of roots
- Organize the ciphertexts in an $m \times n$ matrix
- Apply polynomial multiplication techniques
- Cost:
  – Size: $O(m + n)$
  – Prover computation: $O(N \log m)$ exponentiations
  – Verifier computation: $O(N)$ exponentiations
27
Comparison of ElGamal shuffles (N = mn), |p| = 1024, |q| = 160

Scheme                  Rounds   Prover (expos)   Verifier (expos)   Size (kbits)
Sako-Kilian 95          3        O(s) N           O(s) N             O(s) N
Abe 99 (AH01)           3        O(log N) N       O(log N) N         O(log N) N
Furukawa-Sako 01        3        8N               10N                5.3N
FMMOS 02                5        9N               10N                5.3N
Furukawa 05 (GL07)      3        7N               8N                 1.5N
Terelius-Wikström 10    5        9N               11N                3.7N
Neff 01,04              7        8N               12N                7.7N
Groth 03,10             7        6N               –                  0.6N
Groth-Ishai 08          7        3mN              4N                 3m^2 + 0.5n
Bayer-Groth 11          9        2 log(m) N       4N                 11m + 0.8n
28
New sub-linear size shuffle argument
Joint work with Stephanie Bayer, University College London
29
Commitments
30
Homomorphic commitments
31
Shuffle argument
- Given public keys $pk$ and $ck$
- Given a shuffle $c_1, \dots, c_N$ and $C_1, \dots, C_N$
- The prover knows the permutation $\pi$ and randomizers $r_1, \dots, r_N$ and wants to convince the verifier that
  $$C_1 = c_{\pi(1)} \cdot E_{pk}(1; r_1), \;\dots,\; C_N = c_{\pi(N)} \cdot E_{pk}(1; r_N)$$
32
Zero-knowledge
- Perfectly hiding commitments
- Reveals nothing (ZK)
33
Soundness
34
Soundness
35
The underlying ZK arguments
- Inexpensive: see the full paper
- Expensive: will sketch the idea
36
Multi-exponentiation argument
37
The commitment B and useful notation
38
Product argument idea
39
Product argument
40
Explanation
41
Explanation
42
Efficiency
- 2m ciphertexts
- N ciphertext exponentiations
- The short argument is cheap
- 2m ciphertext exponentiations
- Communication: $O(m + n)$ elements
- Verifier computation: $4N + O(m + n)$ exponentiations
43
Prover's computation
- Computing this matrix costs $m^2 n = mN$ ciphertext exponentiations
44
Reducing the prover's computation
- Do not compute the entire matrix
- Instead use techniques for multiplication of polynomials "in the exponent" of ciphertexts
- Fast Fourier Transform
  – $O(N \log m)$ exponentiations, $O(1)$ rounds
- Interaction
  – $O(N)$ exponentiations, $O(\log m)$ rounds
45
Comparison of ElGamal shuffles (N = mn), |p| = 1024, |q| = 160

Scheme                        Rounds   Prover (expos)   Verifier (expos)   Size (kbits)
Sako-Kilian 95                3        O(s) N           O(s) N             O(s) N
Abe 99 (AH01)                 3        O(log N) N       O(log N) N         O(log N) N
Furukawa-Sako 01              3        8N               10N                5.3N
FMMOS 02                      5        9N               10N                5.3N
Furukawa 05 (GL07)            3        7N               8N                 1.5N
Terelius-Wikström 10          5        9N               11N                3.7N
Neff 01,04                    7        8N               12N                7.7N
Groth 03,10                   7        6N               –                  0.6N
Groth-Ishai 08                7        3mN              4N                 3m^2 + 0.5n
Bayer-Groth 11                9        2 log(m) N       4N                 11m + 0.8n
Bayer-Groth 11 (interactive)  log m    O(N)             4N                 11m + 0.8n
46
Asymptotic vs concrete complexity
- It turns out that for practical choices of N = mn, interaction comes for free
  – The multi-exponentiation argument has smaller round complexity than the product argument
  – The interaction technique can be used for a couple of rounds without increasing the round complexity
- It takes a long time before the asymptotic behaviour of the Fast Fourier Transform kicks in
  – For small m it is better to use Toom-Cook methods
47
Implementation
- Looked at shuffling 100,000 ElGamal ciphertexts
  – |p| = 1024 bits, |q| = 160 bits
- The most efficient implementation uses N = 100,000 with m = 64 and n = 1563
- Cost:
  – Rounds: 9
  – Prover: 12N exponentiations
  – Verifier: 4N exponentiations
  – Communication: 0.7 MB
- Core2Duo 2.53 GHz: prover 91 seconds, verifier 18 seconds
48
Summary, |p| = 1024, |q| = 160 (rows given in seconds and MB are concrete figures for the 100,000-ciphertext setting of the implementation slide)

Scheme                  Rounds   Prover (expos)   Verifier (expos)   Size (kbits)
Sako-Kilian 95          3        O(s) N           O(s) N             O(s) N
Abe 99 (AH01)           3        O(log N) N       O(log N) N         O(log N) N
Furukawa-Sako 01        3        8N               10N                5.3N
FMMOS 02                5        ~300 sec.        –                  66.0 MB
Furukawa 05 (GL07)      3        7N               8N                 1.5N
Terelius-Wikström 10    5        ~300 sec.        –                  37.7 MB
Neff 01,04              7        8N               12N                7.7N
Groth 03,10             7        6N               –                  0.6N
Groth-Ishai 08          7        3mN              4N                 3m^2 + 0.5n
Bayer-Groth 11          9        91 sec.          18 sec.            0.7 MB