1 / 23

Sub-linear Zero-Knowledge Argument for Correctness of a Shuffle

Sub-linear Zero-Knowledge Argument for Correctness of a Shuffle. Jens Groth University College London Yuval Ishai Technion and University of California Los Angeles. TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A A A A A A A A A A A A.

kyle
Download Presentation

Sub-linear Zero-Knowledge Argument for Correctness of a Shuffle

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Sub-linear Zero-Knowledge Argument for Correctness of a Shuffle Jens Groth University College London Yuval Ishai Technion and University of California Los Angeles TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAAAAAAAAAAAA

  2. Initial question • Kilian 92 gave sub-linear size zero-knowledge argument for SAT • Not practical though (SAT statement, PCP theorem, ... ) • Is there a practical sub-linear zero-knowledge argument? • Yes! We will give sub-linear shuffle argument

  3. Mix-net: Anonymous message broadcast Threshold decryption mπ(1) mπ(2) mπ(N) π = π1π2 π2 m1 m2 mN π1 …

  4. Problem: Corrupt mix-server Threshold decryption mπ(1) mπ(2) m´π(N) π = π1π2 π2 m1 m2 mN π1 …

  5. Solution: Zero-knowledge argument Threshold decryption mπ(1) mπ(2) mπ(N) π = π1π2 Server 2 ZK argumentPermutation still secret(zero-knowledge) π2 Server 1 ZK argumentNo message changed(soundness) m1 m2 mN π1 …

  6. ElGamal encryption Setup: Group G of prime order q with generator g Public key: pk = y = gx Encryption: Epk(m; r) = (gr, yrm) Decryption: Dx(u,v) = vu-x Homomorphic: Epk(m; r) × Epk(M; R) = Epk(mM; r+R) Re-randomization: Epk(m; r) × Epk(1; R) = Epk(m; r+R)

  7. E E E E E e e e e e e e e e e ( ( ( ( ( ) ) ) ) ) 1 5 4 2 3 3 1 4 2 5 4 1 3 5 2 ¼ ¼ ¼ ¼ ¼ Shuffle • Input ciphertexts e1,…,eN • Permute to get eπ(1),…,eπ(N) • Re-randomize them Ei = eπ(i)× Epk(1;Ri) • Output ciphertexts E1,...,EN

  8. Zero-knowledge shuffle argument Statement: (pk,e1,...,eN,E1,...,EN) Zero-knowledge:Nothing but truth revealed; permutation is secret , R1,...,RN Sound:Shuffle is correct Prover Verifier 

  9. Public coin honest verifier zero-knowledge Setup: (G,q,g) and common random string Statement: (pk,e1,...,eN,E1,...,EN) Honest verifier zero-knowledgeNothing but truth revealed; permutation secret Public coin: Random challenges from Zq Prover Verifier Can convert to standard zero-knowledge argument

  10. Non-interactive zero-knowledge argument Setup: (G,q,g) and common reference string Statement: (pk,e1,...,eN,E1,...,EN) Fiat-Shamir 86: Compute challenges using cryptographic hash-function Prover Verifier Anybody

  11. Non-interactive zero-knowledge argument Setup: (G,q,g) and common reference string Statement: (pk,e1,...,eN,E1,...,EN) Prover

  12. History • Cut-and-choose O(Nks) bits • Abe 99 (Abe-Hoshino 01) O(N log(N)k) bits • Furukawa-Sako 01 O(Nk) bits(Furukawa 05, Groth-Lu 07) • Neff 01 (Groth 03) O(Nk) bits • Others O(Nk) bits • This work O(N2/3k) bits

  13. Our contribution • 7-move public coin honest verifier zero-knowledge argument for correctness of shuffle in common random string model • Communication: O(m2+N/m)k bitsProver computation: O(mN) exposVerifier computation: O(N) expos Previous O(N)k O(N) O(N) Fiat-Shamir heuristic: Prover only computes once

  14. Concrete example • Back-of-envelope estimates • ElGamal over elliptic curve (256 bit) • Shuffle N = 100,000 ciphertexts (88Mbits) • m = 10 • Optimized with multi-exponentiation, batch-verification, etc. • Estimated cost Communication 8 Mbits Prover comp. 143 sec. Verifier comp. 5 sec. Groth 0377 Mbits18 sec.14 sec.

  15. Tools • Inspired by [IKO07] we will not use full-blown PCPs • Pedersen commitment to multiple messages • Batch verification using Schwartz-Zippel lemmawith probability at most d/q

  16. HVZK shuffle argument Setup: Statement: Prover Verifier

  17. HVZK shuffle argument Prover Verifier Schwartz-Zippel lemma implies or else only probability 2/q of polynomial equality

  18. HVZK shuffle argument Setup: Statement: Prover Verifier

  19. The second HVZK argument Setup: Statement:

  20. Main idea Schwartz-Zippel lemma implies

  21. Argument for correct shuffle of ElGamal ciphertexts • Honest verifier zero-knowledge • Argument of knowledge • Random string model • 7-moves • Public coin • Cost Communication O(m2+N/m)k bits Prover computation O(mN) expos Verifier computation O(N) expos • Generalizations - Homomorphic cryptosystems (e.g. Paillier) - 8-move zero-knowledge argument of knowledge for correctness of a shuffle in plain model

  22. Future work: Beyond shuffling • Can generalize techniques to arithmetic circuits.Public coin honest verifier zero-knowledge argument for arithmetic circuit over Zq of size O(|C|2/3k)

  23. Thanks Questions?

More Related