490 likes | 622 Views
A Verifiable Secret Shuffle of Homomorphic Encryptions. Jens Groth UCLA. On ePrint archive: http://eprint.iacr.org/2005/246. Agenda. Motivation – anonymous communication What is A shuffle? Homomorphic encryption? Zero-knowledge proofs? ZK proof for shuffle of known contents
E N D
A Verifiable Secret Shuffle of Homomorphic Encryptions Jens Groth UCLA On ePrint archive: http://eprint.iacr.org/2005/246
Agenda • Motivation – anonymous communication • What is • A shuffle? Homomorphic encryption? Zero-knowledge proofs? • ZK proof for shuffle of known contents • Tool: Homomorphic commitments • ZK proof for shuffle of homomorphic encryptions • Comparison with other ZK proofs • Efficiency improvements
Anonymous communication Sender 1 Sender n m1 mn … Mixer π mix-servers … mπ(1) mπ(n)
Encryption Rerandomization property E(m) E´(m) Threshold decryption property t mix-servers can decrypt t-1 mix-servers do not learn anything
Mix-net m1 mn senders … E(m1) E(mn) Mix-net π mix-servers at least t mix-servers … E´(mπ(1)) E´(mπ(n)) Threshold-decryption … mπ(1) mπ(n)
Mix-net E(m1) E(mn) Mix-server 1 π1 E´(mπ1(1)) E´(mπ1(n)) … Mix-server N πN E´´´(mπ(1)) E´´´(mπ(n)) π = πN ◦...◦ π1
A shuffle E(m1) E(mn) π E´(mπ(1)) E´(mπ(n))
Agenda • Motivation – anonymous communication • Mix-nets • What is • A shuffle? Homomorphic encryption? Zero-knowledge proofs? • ZK proof for shuffle of known contents • Tool: Homomorphic commitments • ZK proof for shuffle of homomorphic encryptions • Comparison with other ZK proofs • Efficiency improvements
Homomorphic encryption Homomorphic property E(m1m2; R1+R2) = E(m1; R1) E(m2; R2) Rerandomization E(m; R1+R2) = E(m; R1) E(1; R2) Message space order Q no small prime factors Root extraction property see paper
ElGamal variant Keys Primes Q, P so P = 2Q +1 Random elements G, Y of order Q PK = (Q, P, G, Y) SK = (PK, x) so Y = Gx Encryption E(m; (±1, ±1, R)) = (±GR mod P, ±YRm mod P) Ciphertext verification (U, V) valid ciphertext if 0 < U < P and 0 < V < P
A shuffle of homomorphic encryptions e1 en π, R1,...,Rn eπ(1)E(1;R1) eπ(n)E(1;Rn)
Verifiability? e1 en π, R1,...,Rn ? E1 En
Zero-knowledge proof • Complete prover with π, R1,...,Rn can convince anybody of correctness of shuffle • Sound if not a valid shuffle impossible to convince others of correctness of shuffle • Zero-knowledge prover does not reveal anything beyond correctness of shuffle
Special honest verifier zero-knowledge (SHVZK) Statement: PK, e1,..., en, E1, ..., En (and a little more) Real proof (π, R1,...) Simulated proof (c1,...) a1 a1 c1 c1 a2 a2 ... ... (a1, c1, a2, ... ) indistinguishable from (a1, c1, a2, ...)
Computational/statistical • Soundness • Unconditional: No adversary can make a valid proof for a false statement • Computational: A polynomial time adversary cannot make a valid proof for a false statement • Special honest verifier zero-knowledge • Statistical: No adversary can distinguish real proofs from simulated proofs • Computational: A polynomial time adversary cannot distinguish real proofs from simulated proofs
Main result A 7-round public coin SHVZK proof for correctness of a shuffle of homomorphic encryptions Optional- unconditional soundness or statistical SHVZK- key length vs efficiency
Agenda • Motivation – anonymous communication • Mix-nets • What is • A shuffle? Homomorphic encryption? Zero-knowledge proofs? • ZK proof for shuffle of known contents • Tool: Homomorphic commitments • ZK proof for shuffle of homomorphic encryptions • Comparison with other ZK proofs • Efficiency improvements
Non-interactive commitment Public key Commitment c = commit(m; r) Opening given c, m, r check that c = commit(m; r)
Commitment • Binding • Unconditional: There is at most one way the comitter can open a commitment c • Computational: A polynomial time adversary cannot find c, m1, r1, m2, r2 so c = commit(m1; r1) = commit(m2; r2) and m1 ≠ m2 • Hiding • Statistical: Commitments to m and 0 have the same distribution • Computational: A polynomial time adversary cannot distinguish a random commitment to m ≠ 0 from a random commitment to 0
Homomorphic commitment Homomorphic property com(m1+m1´, ..., mn+mn´; r1+r2) = com(m1,..., mn; r1) com(m1´,..., mn´; r2) Message space Zqn with q prime Root extraction property given c, m1,...,mn, r, e so gcd(e,q) = 1 and ce = com(m1,...,mn; r) we can efficiently compute r´ so c = com(m1/e,...,mn/e; r´)
Pedersen commitment variant Public key Primes q, p so p = kq+1 Random elements g1, ..., gn, h of order q pk = (q, p, g1, ..., gn, h) Commitment com(m1,..., mn; (u,r)) = ug1m1…gnmnhr mod p, where 1 = uk mod p Commitment verification Valid if 0 < c < p
Shuffle of known content m1 ... mn π, r com(mπ(1), ..., mπ(n); r)
SHVZK proof for shuffle of known content A 4-round public coin SHVZK proof of knowledge for a commitment to a permutation of publicly known messages m1,...,mn Optional- unconditional soundness or statistical SHVZK- key length vs efficiency
Knowledge of contents Common: pk, c, m1,..., mn Prover: π, r so c = com(mπ(1), ..., mπ(n); r)cd = com(d1,...,dn; rd) e {0,1}ℓ fi = emπ(1) + di, z = er+rd Check cecd = com(f1,...,fn; z)
Special HVZK Common: pk, c, m1,..., mn Simulator: e {0,1}ℓcd = com(f1,...,fn; z) c-e e fi Zq, z Zq Check cecd = com(f1,...,fn; z)
Knowledge Common: pk, c, m1,..., mn cd = com(d1,...,dn; rd) e, e´ {0,1}ℓ fi, z, fi´, z´ cecd = com(f1,...,fn; z) ce´cd = com(f1´,...,fn´; z´) ce-e´ = com(f1-f1´,...,fn-fn´; z-z´) Root extraction: c = com(μ1,...,μn; r)
Idea (Neff 2001) Consider the polynomials (mi-X) and (μi-X) in Zq[X] Are identical exactly when there exists π so μi = mπ(i)Pick x at random and demonstrate (mi-x) = (μi-x) mod q With overwhelming probability not the case unless π exists
Identical polynomials Common: pk, c, m1,..., mn x {0,1}ℓ cd, ca, cΔ e {0,1}ℓ fi, z, fΔi, zΔ cecd = com(f1,...,fn; z) caecΔ = com(fΔ1,...,fΔn-1; zΔ) fi = eμi + di , fΔi = eαi + δi
Checking the polynomials fi = eμi + di , fΔi = eαi + δi Let F1 = f1-ex = e(μ1-x)+ d1 Let eFi+1 = Fi(fi+1-ex) + fΔi ei Fi+1= ei-1 Fi(fi+1-ex) + fΔi = ei(i(μj-x) + polyi-1(e)) (e(μi+1-x)+ di+1) + ei-1(eαi + δi) = ei+1 i+1(μj-x) + polyi(e) Check Fn = e(mi-x) meaning en (μj-x) + polyn-1(e) = en (mi-x)
Completeness Fi = ei(μj-x) + Δi F1 = f1-ex = e(mπ(1)-x) + d1Δ1 = d1 eFi+1 = Fi(fi+1-ex) + fΔi eαi + δi = e2i+1(mπ(j)-x) + eΔi+1 - e(i(mπ(j)-x) + Δi)(e(mπ(i+1)-x) + di+1) = e(Δi+1 - i(mπ(j)-x) di+1 - Δi (mπ(i+1)-x)) - Δidi+1 Fn = e(mi-x) Δn = 0
SHVZK proof for known content • 4-round public coin protocol • Soundness – computational/unconditional • SHVZK – statistical/computational With Pedersen commitment variant Prover 3n expos 2|q|n bits Verifier 2n expos
Agenda • Motivation – anonymous communication • Mix-nets • What is • A shuffle? Homomorphic encryption? Zero-knowledge proofs? • ZK proof for shuffle of known contents • Tool: Homomorphic commitments • ZK proof for shuffle of homomorphic encryptions • Comparison with other ZK proofs • Efficiency improvements
A shuffle of homomorphic encryptions e1 en π, R1,...,Rn eπ(1)E(1;R1) eπ(n)E(1;Rn)
Idea Want to show that e1,..., en and E1, ..., En have the same plaintexts 1. Reveal π 2. Receive random challenges t1,...,tn{0,1}ℓ 3. Release Z so E(1;Z) eiti = Eitπ(i) miti = Mitπ(i) 1 = (Mi/mπ(i))tπ(i) Since Q has no small prime factors Mi = mπ(i)
Idea • Commit to π, commit to d1,...,dn{0,1}ℓ+80 • Form Ed = E(1;Rd)Ei-di • 2. Receive challenges t1,...,tn {0,1}ℓ • 3. Release f1,...,fn, Z so fi = tπ(i) + di and • E(1;Z) eiti = EdEifi • miti = (MdMidi) Mitπ(i) • Z = Rd + ∑tπ(i)Ri
1. Commit to π and d1,...,dn c = com(π(1),...,π(n); r) cd = com(-d1,...,-dn; rd) 2. Receive challenges t1,...,tn 3. Send f1,...,fn |q|> ℓ + 80 4. Receive challenge λ 5. Make SHVZK proof of known content for cλcd com(f1,...,fn; 0) containing a permutation ofλ + t1, ..., λn + tn Idea Exists π so λμi + fi - di = λπ(i) + tπ(i)With overwhelming probability over λ we have μi = π(i) and fi = tπ(i) + di
Full protocol Common: pk, PK, e1,...,en and E1,...,En Prover: π, R1,...,Rn c, cd, Ed t1,...,tn{0,1}ℓf1,...,fn, Zλ {0,1}ℓ SHVZK proof Verify SHVZK proof Check E(1;Z) eiti = EdEifi
Properties of shuffle proof • 7-round public coin protocol • Soundness – computational/unconditional • SHVZK – statistical/computational With Pedersen commitment and ElGamal variants Prover 4n p-expos, 2n P-expos 3|q|n bits Verifier 2n p-expos, 4n P-expos
Implementation (Stamer 2005) Pedersen commitment |p| = 1024, |q| = 160 ElGamal encryption |P| = 1024, |Q| =160 SHVZK proof of correct shuffle of 1024 ElGamal ciphertexts on AMD Duron 1.3 GHz Prover 14 seconds Verifier 5 seconds
Agenda • Motivation – anonymous communication • Mix-nets • What is • A shuffle? Homomorphic encryption? Zero-knowledge proofs? • ZK proof for shuffle of known contents • Tool: Homomorphic commitments • ZK proof for shuffle of homomorphic encryptions • Comparison with other ZK proofs • Efficiency improvements
Other shuffle proofs Invariance of roots of polynomials Neff CCS01, Groth PKC03, Neff 03, Groth 05 Permutation matrices Furukawa & Sako Crypto01, Furukawa IEICE05 Integer commitments Wikström Asiacrypt05 Linear ignorance assumption Peng et al. Crypto05
Comparison of approaches Pedersen, ElGamal |p|= 1024, |q| = 160 Roots of poly Permutation matrix Rounds 7 3 Soundness uncond./comp. computational SHVZK comp./statistical statistical Prover expos 6n 8n (6n) Prover sends 480n bits 1344n bits Verifier expos 6n 8n (7n) Key length flexible (e.g. O(√n)) 1024n bits
Agenda • Motivation – anonymous communication • Mix-nets • What is • A shuffle? Homomorphic encryption? Zero-knowledge proofs? • ZK proof for shuffle of known contents • Tool: Homomorphic commitments • ZK proof for shuffle of homomorphic encryptions • Comparison with other ZK proofs • Efficiency improvements
Adjusting the key length Suggested Pedersen commitment variant had public key (q, p, g1,..., gn, h) Assume wlog n = kl then we can instead use public key (q, p, g1,..., gk, h) and commit as c = (c1,...,cl) (com(m1,...,mk), com(mk+1,...,m2k), ...)
Randomization cecd = com(f1,...,fn; z)caecΔ = com(fΔ1,...,fΔn-1,0; zΔ) Pick α{0,1}ℓ at random and check (cecd)α caecΔ = com(αf1+fΔ1,..., αfn+0; αz+zΔ) Many other randomization/batch verification possibilities
On-line/off-line computation • Prover can precompute most values off-line (and in a mix-net also precompute the rerandomization of the ciphertexts) • Only needs to compute Ed and ca on-line
Verifier picks seed for pseudorandom number generator and sends it to prover Prover generates t1,...,tn from this seed If Q = q verifier can simply send challenge t and let prover use t1 = t1 mod q,..., tn = tn mod q Picking the challenges
Multi-exponentiation (Lim 00) Computing a product giei can be done in |e|n/(log n – log log n) multiplications Prover, Verifier ≈ 0.5n naïve single expos each for shuffling 100,000 ElGamal ciphertexts
Questions? Thank you