Presentation is loading. Please wait.

Presentation is loading. Please wait.

Efficient Zero-Knowledge Argument for Correctness of a Shuffle Stephanie Bayer University College London Jens Groth University College London.

Published bySade Gillott Modified over 10 years ago

Similar presentations

Presentation on theme: "Efficient Zero-Knowledge Argument for Correctness of a Shuffle Stephanie Bayer University College London Jens Groth University College London."— Presentation transcript:

1 Efficient Zero-Knowledge Argument for Correctness of a Shuffle Stephanie Bayer University College London Jens Groth University College London

2 Motivation – e-voting Voting:- Voter casts secret vote - Authorities reveal votes in random permuted order E-voting:- voter casts secret votes on a computer -The votes are sent to a server who sends all votes to the central authorities -Authorities reveal votes in random permuted order

3 Background - ElGamal encryption

4 Shuffle...

5 Mix-net: … Threshold decryption

6 Problem: Corrupt mix-server … Threshold decryption

7 Solution: Zero-knowledge argument … Threshold decryption ZK argument No message changed (soundness) ZK argument Permutation still secret (zero-knowledge)

8 Zero-Knowledge Argument Requested Properties: –Soundness: The Verifier reject with overwhelming probability if the Prover tries to cheat –Zero-Knowledge: Nothing but the truth is revealed; permutation is secret –Efficient: Small computation and small communication complexity ProverVerifier The Shuffle was done correctly

9 Public coin honest verifier zero-knowledge ProverVerifier Honest verifier zero-knowledge Nothing but truth revealed; permutation secret Can convert to standard zero-knowledge argument

10 Our contribution 9-move public coin honest verifier zero-knowledge argument for correctness of shuffle in common reference string model

11 RoundsProver in expos Verifier in expos Size in kbits Furukawa-Sako 013 FMMOS 025 Furukawa 05 (GL07)3 Terelius-Wikström 105 Neff 01,047 Groth 03,107 Groth-Ishai 087 Bayer-Groth 119

12 Commitments – Length reducing – Computational binding – Perfectly hiding

13 Techniques - Sublinear cost Length reducing commitments Batch verification Sublinear communication cost

14 Shuffle argument

15 3.The prover gives an argument that both commitments are constructed using the same permutation 4.The prover demonstrates that the input ciphertexts are permuted using the same permutation and knowledge of the randomizers used in the re-encryption.

16 Shuffle argument Inexpensive See full paper Expensive Will sketch idea Both polynomials are equal, only the roots are permuted

17 Notation

18 Multi-exponentiation argument idea

19 Multi-exponentiation argument

20 Prover’s computation Computing this matrix costs m 2 n = mN ciphertext expos

21 Reducing the prover’s computation Do not compute entire matrix Instead use techniques for multiplication of polynomials “in the exponent” of ciphertexts Fast Fourier Transform – O(N log m) exponentiations O (1) rounds Interaction – O (N) exponentiations O (log m) rounds

22 Implementation Implementation in C++ using the NTL library and the GMP library Different levels of optimization –Multi-exponentiation techniques –Fast Fourier Transform –Extra Interaction and Toom-Cook

23 Comparison Single argumentArgument Size Verificatum5 min37.7 MB 2 min0.7 MB

24 Thank You

Download ppt "Efficient Zero-Knowledge Argument for Correctness of a Shuffle Stephanie Bayer University College London Jens Groth University College London."

Similar presentations

Mix and Match: A Simple Approach to General Secure Multiparty Computation + Markus Jakobsson Bell Laboratories Ari Juels RSA Laboratories.

Mix and Match: A Simple Approach to General Secure Multiparty Computation + Markus Jakobsson Bell Laboratories Ari Juels RSA Laboratories.
Perfect Non-interactive Zero-Knowledge for NP

Perfect Non-interactive Zero-Knowledge for NP
Short Pairing-based Non-interactive Zero-Knowledge Arguments Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual.

Short Pairing-based Non-interactive Zero-Knowledge Arguments Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual.
Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.

Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.
Non-interactive Zero- Knowledge Arguments for Voting Jens Groth UCLA.

Non-interactive Zero- Knowledge Arguments for Voting Jens Groth UCLA.
Short Non-interactive Zero-Knowledge Proofs

Short Non-interactive Zero-Knowledge Proofs
A Verifiable Secret Shuffle of Homomorphic Encryptions Jens Groth UCLA On ePrint archive:

A Verifiable Secret Shuffle of Homomorphic Encryptions Jens Groth UCLA On ePrint archive:
Sublinear Algorithms 1 3 2 … Lecture 23: April 20.

Sublinear Algorithms … Lecture 23: April 20.
Efficient Non-interactive Proof Systems for Bilinear Groups Jens Groth University College London Amit Sahai University of California Los Angeles TexPoint.

Efficient Non-interactive Proof Systems for Bilinear Groups Jens Groth University College London Amit Sahai University of California Los Angeles TexPoint.
Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University.

Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University.
On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.

On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
1 Reducing Complexity Assumptions for Statistically-Hiding Commitment Iftach Haitner Omer Horviz Jonathan Katz Chiu-Yuen Koo Ruggero Morselli Ronen Shaltiel.

1 Reducing Complexity Assumptions for Statistically-Hiding Commitment Iftach Haitner Omer Horviz Jonathan Katz Chiu-Yuen Koo Ruggero Morselli Ronen Shaltiel.
RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.

RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.
Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.

Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.

Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.
Sub-linear Zero-Knowledge Argument for Correctness of a Shuffle Jens Groth University College London Yuval Ishai Technion and University of California.

Sub-linear Zero-Knowledge Argument for Correctness of a Shuffle Jens Groth University College London Yuval Ishai Technion and University of California.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London FOSAD 2014.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London FOSAD 2014.

Similar presentations

Ads by Google