Download presentation
Presentation is loading. Please wait.
Published byAshley Corcoran Modified over 10 years ago
1
A Verifiable Secret Shuffle of Homomorphic Encryptions Jens Groth UCLA On ePrint archive: http://eprint.iacr.org/2005/246
2
Agenda Motivation – anonymous communication Motivation – anonymous communication What is What is A shuffle? Homomorphic encryption? Zero- knowledge proofs? A shuffle? Homomorphic encryption? Zero- knowledge proofs? ZK proof for shuffle of known contents ZK proof for shuffle of known contents Tool: Homomorphic commitments Tool: Homomorphic commitments ZK proof for shuffle of homomorphic encryptions ZK proof for shuffle of homomorphic encryptions Comparison with other ZK proofs Comparison with other ZK proofs Efficiency improvements Efficiency improvements
3
Anonymous communication Mixer π m1m1 mnmn … … m π(1) m π(n) Sender 1 Sender n mix- servers
4
Encryption Rerandomization property E(m) E´(m) Threshold decryption property t mix-servers can decrypt t-1 mix-servers do not learn anything
5
Mix-net Mix-net π m1m1 mnmn … … E´(m π(1) )E´(m π(n) ) E(m 1 )E(m n ) Threshold-decryption … m π(1) m π(n) senders mix-servers at least t mix-servers
6
Mix-net Mix-server 1 π 1 … E´(m π 1 (1) )E´(m π 1 (n) ) E(m 1 )E(m n ) Mix-server N π N E´´´(m π(1) )E´´´(m π(n) ) π = π N... π 1
7
A shuffle π E´(m π(1) )E´(m π(n) ) E(m 1 )E(m n )
8
Agenda Motivation – anonymous communication Motivation – anonymous communication Mix-nets Mix-nets What is What is A shuffle? Homomorphic encryption? Zero- knowledge proofs? A shuffle? Homomorphic encryption? Zero- knowledge proofs? ZK proof for shuffle of known contents ZK proof for shuffle of known contents Tool: Homomorphic commitments Tool: Homomorphic commitments ZK proof for shuffle of homomorphic encryptions ZK proof for shuffle of homomorphic encryptions Comparison with other ZK proofs Comparison with other ZK proofs Efficiency improvements Efficiency improvements
9
Homomorphic encryption Homomorphic property E(m 1 m 2 ; R 1 +R 2 ) = E(m 1 ; R 1 ) E(m 2 ; R 2 ) Rerandomization E(m; R 1 +R 2 ) = E(m; R 1 ) E(1; R 2 ) Message space order Q no small prime factors Root extraction property see paper
10
ElGamal variant Keys Primes Q, P so P = 2Q +1 Random elements G, Y of order Q PK = (Q, P, G, Y) SK = (PK, x) so Y = G x Encryption E(m; (±1, ±1, R)) = (±G R mod P, ±Y R m mod P) Ciphertext verification (U, V) valid ciphertext if 0 < U < P and 0 < V < P
11
A shuffle of homomorphic encryptions π, R 1,...,R n e π(1) E(1;R 1 )e π(n) E(1;R n ) e1e1 enen
12
Verifiability? π, R 1,...,R n ? E1E1 E n e1e1 enen
13
Zero-knowledge proof Complete prover with π, R 1,...,R n can convince anybody of correctness of shuffle Complete prover with π, R 1,...,R n can convince anybody of correctness of shuffle Sound if not a valid shuffle impossible to convince others of correctness of shuffle Sound if not a valid shuffle impossible to convince others of correctness of shuffle Zero-knowledge prover does not reveal anything beyond correctness of shuffle Zero-knowledge prover does not reveal anything beyond correctness of shuffle
14
Statement: PK, e 1,..., e n, E 1,..., E n (and a little more) Real proof (π, R 1,...) Simulated proof (c 1,...) a 1 a 1 c 1 c 1 a 2 a 2...... (a 1, c 1, a 2,... ) indistinguishable from (a 1, c 1, a 2,...) Special honest verifier zero- knowledge (SHVZK)
15
Computational/statistical Soundness Soundness Unconditional: No adversary can make a valid proof for a false statement Unconditional: No adversary can make a valid proof for a false statement Computational: A polynomial time adversary cannot make a valid proof for a false statement Computational: A polynomial time adversary cannot make a valid proof for a false statement Special honest verifier zero-knowledge Special honest verifier zero-knowledge Statistical: No adversary can distinguish real proofs from simulated proofs Statistical: No adversary can distinguish real proofs from simulated proofs Computational: A polynomial time adversary cannot distinguish real proofs from simulated proofs Computational: A polynomial time adversary cannot distinguish real proofs from simulated proofs
16
Main result A 7-round public coin SHVZK proof for correctness of a shuffle of homomorphic encryptions Optional - unconditional soundness or statistical SHVZK - key length vs efficiency
17
Agenda Motivation – anonymous communication Motivation – anonymous communication Mix-nets Mix-nets What is What is A shuffle? Homomorphic encryption? Zero- knowledge proofs? A shuffle? Homomorphic encryption? Zero- knowledge proofs? ZK proof for shuffle of known contents ZK proof for shuffle of known contents Tool: Homomorphic commitments Tool: Homomorphic commitments ZK proof for shuffle of homomorphic encryptions ZK proof for shuffle of homomorphic encryptions Comparison with other ZK proofs Comparison with other ZK proofs Efficiency improvements Efficiency improvements
18
Non-interactive commitment Public key Commitment c = commit(m; r) Opening given c, m, r check that c = commit(m; r)
19
Commitment Binding Binding Unconditional: There is at most one way the comitter can open a commitment c Unconditional: There is at most one way the comitter can open a commitment c Computational: A polynomial time adversary cannot find c, m 1, r 1, m 2, r 2 so c = commit(m 1 ; r 1 ) = commit(m 2 ; r 2 ) and m 1 m 2 Computational: A polynomial time adversary cannot find c, m 1, r 1, m 2, r 2 so c = commit(m 1 ; r 1 ) = commit(m 2 ; r 2 ) and m 1 m 2 Hiding Hiding Statistical: Commitments to m and 0 have the same distribution Statistical: Commitments to m and 0 have the same distribution Computational: A polynomial time adversary cannot distinguish a random commitment to m 0 from a random commitment to 0 Computational: A polynomial time adversary cannot distinguish a random commitment to m 0 from a random commitment to 0
20
Homomorphic commitment Homomorphic property com(m 1 +m 1 ´,..., m n +m n ´; r 1 +r 2 ) = com(m 1,..., m n ; r 1 ) com(m 1 ´,..., m n ´; r 2 ) Message space Z q n with q prime Root extraction property given c, m 1,...,m n, r, e so gcd(e,q) = 1 and c e = com(m 1,...,m n ; r) we can efficiently compute r´ so c = com(m 1 /e,...,m n /e; r´)
21
Pedersen commitment variant Public key Primes q, p so p = kq+1 Random elements g 1,..., g n, h of order q pk = (q, p, g 1,..., g n, h) Commitment com(m 1,..., m n ; (u,r)) = ug 1 m 1 …g n m n h r mod p, where 1 = u k mod p Commitment verification Valid if 0 < c < p
22
Shuffle of known content π, r com(m π(1),..., m π(n) ; r) m 1 m n...
23
SHVZK proof for shuffle of known content A 4-round public coin SHVZK proof of knowledge for a commitment to a permutation of publicly known messages m 1,...,m n Optional - unconditional soundness or statistical SHVZK - key length vs efficiency
24
Knowledge of contents Common: pk, c, m 1,..., m n Prover: π, r so c = com(m π(1),..., m π(n) ; r) c d = com(d 1,...,d n ; r d ) e {0,1} f i = em π(1) + d i, z = er+r d Check c e c d = com(f 1,...,f n ; z)
25
Special HVZK Common: pk, c, m 1,..., m n Simulator: e {0,1} c d = com(f 1,...,f n ; z) c -e e f i Z q, z Z q Check c e c d = com(f 1,...,f n ; z)
26
Knowledge Common: pk, c, m 1,..., m n c d = com(d 1,...,d n ; r d ) e, e´ {0,1} f i, z, f i ´, z´ c e c d = com(f 1,...,f n ; z) c e´ c d = com(f 1 ´,...,f n ´; z´) c e-e´ = com(f 1 -f 1 ´,...,f n -f n ´; z-z´) Root extraction: c = com(μ 1,...,μ n ; r)
27
Idea (Neff 2001) Consider the polynomials (m i -X)and (μ i -X)in Z q [X] Are identical exactly when there exists π so μ i = m π(i) Pick x at random and demonstrate (m i -x) = (μ i -x) mod q With overwhelming probability not the case unless π exists
28
Identical polynomials Common: pk, c, m 1,..., m n x {0,1} c d, c a, c Δ e {0,1} f i, z, f Δi, z Δ c e c d = com(f 1,...,f n ; z) c a e c Δ = com(f Δ1,...,f Δn-1 ; z Δ ) f i = eμ i + d i, f Δi = eα i + δ i
29
Checking the polynomials f i = eμ i + d i, f Δi = eα i + δ i Let F 1 = f 1 -ex = e(μ 1 -x)+ d 1 Let eF i+1 = F i (f i+1 -ex) + f Δi e i F i+1 = e i-1 F i (f i+1 -ex) + f Δi = e i ( i (μ j -x) + poly i-1 (e)) (e(μ i+1 -x)+ d i+1 ) + e i-1 (eα i + δ i ) = e i+1 i+1 (μ j -x) + poly i (e) Check F n = e (m i -x) meaning e n (μ j -x) + poly n-1 (e) = e n (m i -x)
30
Completeness F i = e i (μ j -x) + Δ i F 1 = f 1 -ex = e(m π(1) -x) + d 1 Δ 1 = d 1 eF i+1 = F i (f i+1 -ex) + f Δi eα i + δ i = e 2 i+1 (m π(j) -x) + eΔ i+1 - e( i (m π(j) -x) + Δ i )(e(m π(i+1) -x) + d i+1 ) = e(Δ i+1 - i (m π(j) -x) d i+1 - Δ i (m π(i+1) -x)) - Δ i d i+1 F n = e (m i -x) Δ n = 0
31
SHVZK proof for known content 4-round public coin protocol 4-round public coin protocol Soundness – computational/unconditional Soundness – computational/unconditional SHVZK – statistical/computational SHVZK – statistical/computational With Pedersen commitment variant Prover3n expos2|q|n bits Verifier2n expos
32
Agenda Motivation – anonymous communication Motivation – anonymous communication Mix-nets Mix-nets What is What is A shuffle? Homomorphic encryption? Zero- knowledge proofs? A shuffle? Homomorphic encryption? Zero- knowledge proofs? ZK proof for shuffle of known contents ZK proof for shuffle of known contents Tool: Homomorphic commitments Tool: Homomorphic commitments ZK proof for shuffle of homomorphic encryptions ZK proof for shuffle of homomorphic encryptions Comparison with other ZK proofs Comparison with other ZK proofs Efficiency improvements Efficiency improvements
33
A shuffle of homomorphic encryptions π, R 1,...,R n e π(1) E(1;R 1 )e π(n) E(1;R n ) e1e1 enen
34
Idea Want to show that e 1,..., e n and E 1,..., E n have the same plaintexts 1. Reveal π 2. Receive random challenges t 1,...,t n {0,1} 3. Release Z so E(1;Z) e i t i = E i t π(i) m i t i = M i t π(i) 1 = (M i /m π(i) ) t π(i) Since Q has no small prime factors M i = m π(i)
35
Idea 1.Commit to π, commit to d 1,...,d n {0,1} +80 Form E d = E(1;R d ) E i -d i 2. Receive challenges t 1,...,t n {0,1} 3. Release f 1,...,f n, Z so f i = t π(i) + d i and E(1;Z) e i t i = E d E i f i m i t i = (M d M i d i ) M i t π(i) Z = R d + t π(i) R i
36
Idea 1. Commit to π and d 1,...,d n c = com(π(1),...,π(n); r) c d = com(-d 1,...,-d n ; r d ) 2. Receive challenges t 1,...,t n 3. Send f 1,...,f n |q|> + 80 4. Receive challenge λ 5. Make SHVZK proof of known content for c λ c d com(f 1,...,f n ; 0) containing a permutation of λ + t 1,..., λn + t n π so π(i) + t π(i) With overwhelming probability over we have π(i) Exists π so λμ i + f i - d i = λ π(i) + t π(i) With overwhelming probability over λ we have μ i = π(i) and f i = t π(i) + d i
37
Full protocol Common:pk, PK, e 1,...,e n and E 1,...,E n Prover: π, R 1,...,R n c, c d, E d t 1,...,t n {0,1} f 1,...,f n, Z λ {0,1} SHVZK proof Verify SHVZK proof Check E(1;Z) e i t i = E d E i f i
38
Properties of shuffle proof 7-round public coin protocol 7-round public coin protocol Soundness – computational/unconditional Soundness – computational/unconditional SHVZK – statistical/computational SHVZK – statistical/computational With Pedersen commitment and ElGamal variants Prover4n p-expos, 2n P-expos 3|q|n bits Verifier2n p-expos, 4n P-expos
39
Implementation (Stamer 2005) Pedersen commitment |p| = 1024, |q| = 160 ElGamal encryption|P| = 1024, |Q| =160 SHVZK proof of correct shuffle of 1024 ElGamal ciphertexts on AMD Duron 1.3 GHz Prover 14 seconds Verifier 5 seconds
40
Agenda Motivation – anonymous communication Motivation – anonymous communication Mix-nets Mix-nets What is What is A shuffle? Homomorphic encryption? Zero- knowledge proofs? A shuffle? Homomorphic encryption? Zero- knowledge proofs? ZK proof for shuffle of known contents ZK proof for shuffle of known contents Tool: Homomorphic commitments Tool: Homomorphic commitments ZK proof for shuffle of homomorphic encryptions ZK proof for shuffle of homomorphic encryptions Comparison with other ZK proofs Comparison with other ZK proofs Efficiency improvements Efficiency improvements
41
Other shuffle proofs Invariance of roots of polynomials Neff CCS01, Groth PKC03, Neff 03, Groth 05 Permutation matrices Furukawa & Sako Crypto01, Furukawa IEICE05 Integer commitments Wikström Asiacrypt05 Linear ignorance assumption Peng et al. Crypto05
42
Comparison of approaches Pedersen, ElGamal |p|= 1024, |q| = 160 Roots of polyPermutation matrix Rounds7 3 Soundnessuncond./comp. computational SHVZKcomp./statistical statistical Prover expos6n7n Prover sends 480n bits 1344n bits Verifier expos6n8n Key lengthflexible (e.g. O(n)) 1024n bits
43
Agenda Motivation – anonymous communication Motivation – anonymous communication Mix-nets Mix-nets What is What is A shuffle? Homomorphic encryption? Zero- knowledge proofs? A shuffle? Homomorphic encryption? Zero- knowledge proofs? ZK proof for shuffle of known contents ZK proof for shuffle of known contents Tool: Homomorphic commitments Tool: Homomorphic commitments ZK proof for shuffle of homomorphic encryptions ZK proof for shuffle of homomorphic encryptions Comparison with other ZK proofs Comparison with other ZK proofs Efficiency improvements Efficiency improvements
44
Adjusting the key length Suggested Pedersen commitment variant had public key (q, p, g 1,..., g n, h) Assume wlog n = kl then we can instead use public key (q, p, g 1,..., g k, h) and commit as c = (c 1,...,c l ) (com(m 1,...,m k ), com(m k+1,...,m 2k ),...)
45
Randomization c e c d = com(f 1,...,f n ; z) c a e c Δ = com(f Δ1,...,f Δn-1,0; z Δ ) Pick α {0,1} at random and check (c e c d ) α c a e c Δ = com(αf 1 +f Δ1,..., αf n +0; αz+z Δ ) Many other randomization/batch verification possibilities
46
On-line/off-line computation Prover can precompute most values off-line (and in a mix-net also precompute the rerandomization of the ciphertexts) Prover can precompute most values off-line (and in a mix-net also precompute the rerandomization of the ciphertexts) Only needs to compute E d and c a on-line Only needs to compute E d and c a on-line
47
Picking the challenges Verifier picks seed for pseudorandom number generator and sends it to prover Verifier picks seed for pseudorandom number generator and sends it to prover Prover generates t 1,...,t n from this seed If Q = q verifier can simply send challenge t and let prover use t 1 = t 1 mod q,..., t n = t n mod q If Q = q verifier can simply send challenge t and let prover use t 1 = t 1 mod q,..., t n = t n mod q
48
Multi-exponentiation (Lim 00) Computing a product g i e i can be done in |e|n/(log n – log log n) multiplications Prover, Verifier 0.5n naïve single expos each for shuffling 100,000 ElGamal ciphertexts
49
Questions? Thank you
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.