A Verifiable Secret Shuffle of Homomorphic Encryptions - PowerPoint PPT Presentation

1
A Verifiable Secret Shuffle of Homomorphic Encryptions
  • Jens Groth
  • UCLA

On the ePrint archive: http://eprint.iacr.org/2005/246
2
Agenda
  • Motivation: anonymous communication
  • What is a shuffle? Homomorphic encryption? Zero-knowledge proofs?
  • ZK proof for shuffle of known contents
  • Tool: homomorphic commitments
  • ZK proof for shuffle of homomorphic encryptions
  • Comparison with other ZK proofs
  • Efficiency improvements

3
Anonymous communication
Figure: senders 1,...,n submit messages m1,...,mn to a mixer (a set of mix-servers), which applies a secret permutation π and outputs mπ(1),...,mπ(n).
4
Encryption
Rerandomization property: E(m) → E(m), i.e. a ciphertext can be turned into a fresh ciphertext of the same plaintext.
Threshold decryption property: t mix-servers can decrypt; t-1 mix-servers do not learn anything.
5
Mix-net
Figure: the senders submit encryptions E(m1),...,E(mn); the mix-net (the mix-servers) applies a secret permutation π and outputs E(mπ(1)),...,E(mπ(n)); threshold decryption by at least t mix-servers then yields mπ(1),...,mπ(n).
6
Mix-net
Figure: E(m1),...,E(mn) enter mix-server 1, which applies π1 and outputs E(mπ1(1)),...,E(mπ1(n)); the chain continues through mix-server N, which applies πN and outputs E(mπ(1)),...,E(mπ(n)), where π = πN ∘ ... ∘ π1.
7
A shuffle
Figure: a shuffle maps E(m1),...,E(mn) under a secret permutation π to E(mπ(1)),...,E(mπ(n)).
8
Agenda
  • Motivation: anonymous communication
  • Mix-nets
  • What is a shuffle? Homomorphic encryption? Zero-knowledge proofs?
  • ZK proof for shuffle of known contents
  • Tool: homomorphic commitments
  • ZK proof for shuffle of homomorphic encryptions
  • Comparison with other ZK proofs
  • Efficiency improvements

9
Homomorphic encryption
Homomorphic property: E(m1·m2; R1+R2) = E(m1; R1)·E(m2; R2)
Rerandomization: E(m; R1+R2) = E(m; R1)·E(1; R2)
Message space: order Q with no small prime factors
Root extraction property: see paper
10
ElGamal variant
Keys: primes Q, P so P = 2Q+1; random elements G, Y of order Q; PK = (Q, P, G, Y); SK = (PK, x) so Y = G^x
Encryption: E(m; (1, 1, R)) = (G^R mod P, Y^R·m mod P)
Ciphertext verification: (U, V) is a valid ciphertext if 0 < U < P and 0 < V < P
11
A shuffle of homomorphic encryptions
Figure: input ciphertexts e1,...,en; the shuffler picks a secret permutation π and randomizers R1,...,Rn and outputs
E1 = eπ(1)·E(1; R1), ..., En = eπ(n)·E(1; Rn)
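As an added worked example (my own code, not code from the slides or the paper), the ElGamal variant of slide 10 and the shuffle of slide 11 in Python. The primes Q = 1019, P = 2039 are constructed toy values and the function names are my own; messages are taken from the order-Q subgroup (squares mod P), as the message-space requirement of slide 9 demands.

```python
import secrets

# Constructed toy parameters: Q = 1019 and P = 2Q+1 = 2039 are both prime.
# Far too small for real use; they only exercise the arithmetic of slides 9-11.
Q, P = 1019, 2039

def elgamal_keygen():
    """PK = (Q, P, G, Y) with G a random element of order Q and Y = G^x mod P; SK = x."""
    G = 1
    while G == 1:                       # a non-trivial square mod a safe prime has order Q
        G = pow(secrets.randbelow(P - 2) + 2, 2, P)
    x = secrets.randbelow(Q - 1) + 1
    return (Q, P, G, pow(G, x, P)), x

def encrypt(pk, m, R):
    """E(m; R) = (G^R mod P, Y^R * m mod P); m must lie in the order-Q subgroup."""
    _, P, G, Y = pk
    return pow(G, R, P), pow(Y, R, P) * m % P

def decrypt(pk, x, ct):
    """m = V * U^(-x) mod P."""
    U, V = ct
    return V * pow(U, -x, pk[1]) % pk[1]

def valid_ciphertext(pk, ct):
    """Ciphertext verification of slide 10: 0 < U < P and 0 < V < P."""
    return all(0 < comp < pk[1] for comp in ct)

def ct_mul(pk, a, b):
    """Homomorphic property: E(m1; R1) * E(m2; R2) = E(m1*m2; R1+R2)."""
    return a[0] * b[0] % pk[1], a[1] * b[1] % pk[1]

def rerandomize(pk, ct, R2):
    """Rerandomization: E(m; R1) * E(1; R2) = E(m; R1+R2), same plaintext, fresh look."""
    return ct_mul(pk, ct, encrypt(pk, 1, R2))

def shuffle(pk, cts):
    """Slide 11: pick a secret permutation pi and R_1..R_n, output E_i = e_pi(i) * E(1; R_i)."""
    n = len(cts)
    pi = list(range(n))
    for i in range(n - 1, 0, -1):       # Fisher-Yates with a CSPRNG
        j = secrets.randbelow(i + 1)
        pi[i], pi[j] = pi[j], pi[i]
    Rs = [secrets.randbelow(Q) for _ in range(n)]
    return [rerandomize(pk, cts[pi[i]], Rs[i]) for i in range(n)], pi, Rs

def same_plaintexts(pk, x, cts, shuffled):
    """Key-holder's sanity check (not zero-knowledge): the plaintext multisets agree."""
    return sorted(decrypt(pk, x, c) for c in cts) == sorted(decrypt(pk, x, c) for c in shuffled)
```

Only the holder of x can run same_plaintexts; the rest of the talk is about letting everyone else verify the same fact without x, π or the Ri.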
12
Verifiability?
Figure: given the input e1,...,en and the output E1,...,En, how can anyone check that some secret π, R1,...,Rn relate them?
13
Zero-knowledge proof
  • Complete: a prover who knows π, R1,...,Rn can convince anybody of the correctness of the shuffle
  • Sound: if it is not a valid shuffle, it is impossible to convince others of the correctness of the shuffle
  • Zero-knowledge: the prover does not reveal anything beyond the correctness of the shuffle

14
Special honest verifier zero-knowledge (SHVZK)
Statement: PK, e1,...,en, E1,...,En (and a little more)
Real proof: the prover, holding the witness (π, R1,...), exchanges the transcript (a1, c1, a2, ...) with the verifier
Simulated proof: the simulator, given only the challenges (c1,...), produces (a1', c1, a2', ...)
The transcripts (a1, c1, a2, ...) and (a1', c1, a2', ...) are indistinguishable
15
Computational/statistical
  • Soundness
    • Unconditional: no adversary can make a valid proof for a false statement
    • Computational: a polynomial time adversary cannot make a valid proof for a false statement
  • Special honest verifier zero-knowledge
    • Statistical: no adversary can distinguish real proofs from simulated proofs
    • Computational: a polynomial time adversary cannot distinguish real proofs from simulated proofs

16
Main result
A 7-round public coin SHVZK proof for correctness of a shuffle of homomorphic encryptions
Optional: unconditional soundness or statistical SHVZK; trade-off of key length vs efficiency
17
Agenda
  • Motivation: anonymous communication
  • Mix-nets
  • What is a shuffle? Homomorphic encryption? Zero-knowledge proofs?
  • ZK proof for shuffle of known contents
  • Tool: homomorphic commitments
  • ZK proof for shuffle of homomorphic encryptions
  • Comparison with other ZK proofs
  • Efficiency improvements

18
Non-interactive commitment
Public key: pk
Commitment: c = commit(m; r)
Opening: given c, m, r, check that c = commit(m; r)
19
Commitment
  • Binding
    • Unconditional: there is at most one way the committer can open a commitment c
    • Computational: a polynomial time adversary cannot find c, m1, r1, m2, r2 so c = commit(m1; r1) = commit(m2; r2) and m1 ≠ m2
  • Hiding
    • Statistical: commitments to m and to 0 have the same distribution
    • Computational: a polynomial time adversary cannot distinguish a random commitment to m ≠ 0 from a random commitment to 0

20
Homomorphic commitment
Homomorphic property: com(m1+m1', ..., mn+mn'; r1+r2) = com(m1,...,mn; r1)·com(m1',...,mn'; r2)
Message space: Zq^n with q prime
Root extraction property: given c, m1,...,mn, r, e so gcd(e,q) = 1 and c^e = com(m1,...,mn; r), we can efficiently compute r' so c = com(m1/e,...,mn/e; r')
21
Pedersen commitment variant
Public key: primes q, p so p = kq+1; random elements g1,...,gn, h of order q; pk = (q, p, g1,...,gn, h)
Commitment: com(m1,...,mn; (u,r)) = u·g1^m1···gn^mn·h^r mod p, where 1 = u^k mod p
Commitment verification: valid if 0 < c < p
22
Shuffle of known content
Figure: publicly known messages m1,...,mn; the prover picks a secret permutation π and randomness r and outputs com(mπ(1),...,mπ(n); r)
23
SHVZK proof for shuffle of known content
A 4-round public coin SHVZK proof of knowledge for a commitment to a permutation of publicly known messages m1,...,mn
Optional: unconditional soundness or statistical SHVZK; trade-off of key length vs efficiency
24
Knowledge of contents
Common input: pk, c, m1,...,mn
Prover's witness: π, r so c = com(mπ(1),...,mπ(n); r)
Prover → Verifier: cd = com(d1,...,dn; rd)
Verifier → Prover: e ∈ {0,1}^l
Prover → Verifier: fi = e·mπ(i) + di, z = e·r + rd
Verifier checks: c^e·cd = com(f1,...,fn; z)
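An added example, not code from the slides or the paper: the Pedersen variant of slide 21 and the knowledge-of-contents protocol above, together with the simulator of the next slide, in Python. The toy primes q = 1019, p = 2039 (so k = 2), the challenge length L and the function names are assumptions of mine.

```python
import secrets

# Constructed toy Pedersen parameters: q = 1019, p = 2q+1 = 2039, k = 2 (far too small for real use).
q, p, k, L = 1019, 2039, 2, 16           # L = challenge length l (toy value)

def pedersen_keygen(n):
    """pk = (g_1..g_n, h): n+1 random elements of order q, i.e. non-trivial k-th powers mod p."""
    gens = []
    while len(gens) < n + 1:
        g = pow(secrets.randbelow(p - 2) + 2, k, p)
        if g != 1:
            gens.append(g)
    return gens[:n], gens[n]

def com(pk, ms, r, u=1):
    """com(m_1..m_n; (u, r)) = u * g_1^m_1 ... g_n^m_n * h^r mod p, with u^k = 1 mod p."""
    gs, h = pk
    assert 0 < u < p and pow(u, k, p) == 1
    c = u * pow(h, r % q, p) % p
    for g, m in zip(gs, ms):
        c = c * pow(g, m % q, p) % p
    return c

def valid_commitment(c):
    """Commitment verification of slide 21: valid if 0 < c < p."""
    return 0 < c < p

def prover_commit(pk, n):
    """First message: c_d = com(d_1..d_n; r_d) for random d_i, r_d in Z_q."""
    ds, rd = [secrets.randbelow(q) for _ in range(n)], secrets.randbelow(q)
    return com(pk, ds, rd), ds, rd

def prover_respond(ms, pi, r, ds, rd, e):
    """Third message: f_i = e * m_pi(i) + d_i and z = e * r + r_d, all mod q."""
    fs = [(e * ms[pi[i]] + ds[i]) % q for i in range(len(ms))]
    return fs, (e * r + rd) % q

def verify(pk, c, cd, e, fs, z):
    """Verifier's check: c^e * c_d == com(f_1..f_n; z)."""
    return valid_commitment(cd) and pow(c, e, p) * cd % p == com(pk, fs, z)

def simulate(pk, c, e):
    """SHVZK simulator of slide 25: choose f_i, z at random and set c_d = com(f; z) * c^(-e)."""
    fs = [secrets.randbelow(q) for _ in range(len(pk[0]))]
    z = secrets.randbelow(q)
    return com(pk, fs, z) * pow(c, -e, p) % p, fs, z
```

A simulated (cd, e, f, z) passes verify exactly like a real one, which is the SHVZK property; the transcript alone therefore cannot reveal π or r.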
25
Special HVZK
Common input: pk, c, m1,...,mn
Simulator: given e ∈ {0,1}^l, pick fi ∈ Zq and z ∈ Zq at random and set cd = com(f1,...,fn; z)·c^(−e)
Check: c^e·cd = com(f1,...,fn; z) holds by construction
26
Knowledge
Common input: pk, c, m1,...,mn
Prover sends cd = com(d1,...,dn; rd). Two accepting transcripts with the same cd, challenges e, e' ∈ {0,1}^l and answers (fi, z), (fi', z') give
c^e·cd = com(f1,...,fn; z) and c^e'·cd = com(f1',...,fn'; z'),
so c^(e−e') = com(f1−f1',...,fn−fn'; z−z')
Root extraction then yields an opening c = com(µ1,...,µn; r)
27
Idea (Neff 2001)
Consider the polynomials ∏(mi − X) and ∏(µi − X) in Zq[X]. They are identical exactly when there exists π so µi = mπ(i).
Pick x at random and demonstrate ∏(mi − x) = ∏(µi − x) mod q. With overwhelming probability this is not the case unless such a π exists.
28
Identical polynomials
Common input: pk, c, m1,...,mn
Verifier → Prover: x ∈ {0,1}^l
Prover → Verifier: cd, ca, cΔ
Verifier → Prover: e ∈ {0,1}^l
Prover → Verifier: fi, z, fΔi, zΔ
Verifier checks: c^e·cd = com(f1,...,fn; z) and ca^e·cΔ = com(fΔ1,...,fΔ(n−1); zΔ)
Here fi = e·µi + di and fΔi = e·ai + δi, where ai and δi denote the i-th values committed in ca and cΔ
29
Checking the polynomials
fi = e·µi + di, fΔi = e·ai + δi
Let F1 = f1 − e·x = e(µ1 − x) + d1
Let e·F(i+1) = Fi·(f(i+1) − e·x) + fΔi
Then e^i·F(i+1) = e^(i−1)·Fi·(f(i+1) − e·x) + e^(i−1)·fΔi
  = (e^i·∏_{j≤i}(µj − x) + poly_{i−1}(e))·(e(µ(i+1) − x) + d(i+1)) + e^(i−1)·(e·ai + δi)
  = e^(i+1)·∏_{j≤i+1}(µj − x) + poly_i(e)
Check Fn = e·∏(mi − x), meaning e^n·∏(µj − x) + poly_{n−1}(e) = e^n·∏(mi − x)
30
Completeness
Invariant: Fi = e·∏_{j≤i}(µj − x) + Δi
F1 = f1 − e·x = e(mπ(1) − x) + d1, so Δ1 = d1
e·F(i+1) = Fi·(f(i+1) − e·x) + fΔi, so fΔi = e·ai + δi must equal
  e²·∏_{j≤i+1}(mπ(j) − x) + e·Δ(i+1) − (e·∏_{j≤i}(mπ(j) − x) + Δi)·(e(mπ(i+1) − x) + d(i+1))
  = e·(Δ(i+1) − ∏_{j≤i}(mπ(j) − x)·d(i+1) − Δi·(mπ(i+1) − x)) − Δi·d(i+1)
Fn = e·∏(mi − x) since Δn = 0
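An added example (my own code, not the paper's) carrying the arithmetic of slides 27-30 through in Zq for a concrete permutation: the prover computes fi and fΔi from its blinding values exactly as the completeness derivation prescribes, and the verifier replays the F-recurrence. The commitments are omitted so only the field arithmetic is shown; q = 1019, the blinding values and the function names are constructed.

```python
import secrets

q = 1019   # constructed toy prime for Z_q; the slides use |q| = 160 bits

def prod_shifted(vals, x):
    """Neff's idea (slide 27): evaluate the polynomial prod_i (v_i - X) at X = x in Z_q."""
    out = 1
    for v in vals:
        out = out * (v - x) % q
    return out

def prover_responses(ms, pi, x, e):
    """Prover's field arithmetic from slides 28-30 (the commitments themselves are omitted).
    mu_i = m_pi(i); Delta_1 = d_1, Delta_n = 0; returns f_i = e*mu_i + d_i and f_Delta_i. Needs n >= 2."""
    n = len(ms)
    mu = [ms[pi[i]] for i in range(n)]
    ds = [secrets.randbelow(q) for _ in range(n)]
    Delta = [ds[0]] + [secrets.randbelow(q) for _ in range(n - 2)] + [0]
    prefix = [1]                                  # prefix[i] = prod_{j<i} (mu_j - x), 0-based
    for m in mu:
        prefix.append(prefix[-1] * (m - x) % q)
    fs = [(e * mu[i] + ds[i]) % q for i in range(n)]
    fD = []
    for i in range(n - 1):
        # a_i and delta_i = -Delta_i d_{i+1} are the values that would be committed in c_a and c_Delta
        a_i = (Delta[i + 1] - prefix[i + 1] * ds[i + 1] - Delta[i] * (mu[i + 1] - x)) % q
        fD.append((e * a_i - Delta[i] * ds[i + 1]) % q)
    return fs, fD

def verifier_check(ms, x, e, fs, fD):
    """Slide 29: F_1 = f_1 - e x, e F_{i+1} = F_i (f_{i+1} - e x) + f_Delta_i; accept iff F_n = e prod (m_i - x)."""
    inv_e = pow(e, -1, q)                         # e must be non-zero mod q
    F = (fs[0] - e * x) % q
    for i in range(len(fs) - 1):
        F = (F * (fs[i + 1] - e * x) + fD[i]) * inv_e % q
    return F == e * prod_shifted(ms, x) % q
```

Whatever blinding the prover uses, the recurrence ends at e·∏(µi − x), so a committed vector that is not a permutation of the mi is rejected for every x at which the two polynomials differ.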
31
SHVZK proof for known content
  • 4-round public coin protocol
  • Soundness: computational/unconditional
  • SHVZK: statistical/computational

With the Pedersen commitment variant: Prover 3n expos, 2|q|n bits; Verifier 2n expos
32
Agenda
  • Motivation: anonymous communication
  • Mix-nets
  • What is a shuffle? Homomorphic encryption? Zero-knowledge proofs?
  • ZK proof for shuffle of known contents
  • Tool: homomorphic commitments
  • ZK proof for shuffle of homomorphic encryptions
  • Comparison with other ZK proofs
  • Efficiency improvements

33
A shuffle of homomorphic encryptions
Figure: input ciphertexts e1,...,en; the shuffler picks a secret permutation π and randomizers R1,...,Rn and outputs
E1 = eπ(1)·E(1; R1), ..., En = eπ(n)·E(1; Rn)
34
Idea
Want to show that e1,...,en and E1,...,En have the same plaintexts
1. Reveal π
2. Receive random challenges t1,...,tn ∈ {0,1}^l
3. Release Z so E(1; Z)·∏ ei^ti = ∏ Ei^tπ(i)
Then ∏ mi^ti = ∏ Mi^tπ(i), i.e. 1 = ∏ (Mi/mπ(i))^tπ(i). Since Q has no small prime factors, Mi = mπ(i)
35
Idea
  • 1. Commit to π, commit to d1,...,dn ∈ {0,1}^(l+80); form Ed = E(1; Rd)·∏ Ei^(−di)
  • 2. Receive challenges t1,...,tn ∈ {0,1}^l
  • 3. Release f1,...,fn, Z so fi = tπ(i) + di and E(1; Z)·∏ ei^ti = Ed·∏ Ei^fi
  • Plaintexts: ∏ mi^ti = (Md·∏ Mi^di)·∏ Mi^tπ(i), where Md·∏ Mi^di = 1
  • Randomness: Z = Rd + Σ tπ(i)·Ri
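
An added example, not code from the slides or the paper, running the encryption side of the idea above (steps 1-3, with the commitment to π and the di left out) and showing the verifier's check rejecting a tampered output. The toy key (Q, P, G, X), the challenge length L and the function names are constructed by me.

```python
import secrets
from functools import reduce

# Constructed toy ElGamal variant key, far too small for real use: P = 2Q+1,
# G = 2^2 has order Q, X is the secret key, Y = G^X, L is the challenge length l.
Q, P, G, X, L = 1019, 2039, 4, 7, 8
Y = pow(G, X, P)

def E(m, R):
    """E(m; R) = (G^R, Y^R m) mod P, the ElGamal variant of slide 10."""
    return pow(G, R, P), pow(Y, R, P) * m % P

def mul(a, b):
    return a[0] * b[0] % P, a[1] * b[1] % P

def power(c, k):
    return pow(c[0], k % Q, P), pow(c[1], k % Q, P)   # exponents live mod Q, so negative k is fine

def prover_commit(Es, Rd, ds):
    """Step 1: E_d = E(1; R_d) * prod_i E_i^(-d_i); the d_i later blind t_pi(i)."""
    return mul(E(1, Rd), reduce(mul, (power(Es[i], -ds[i]) for i in range(len(Es))), (1, 1)))

def prover_respond(pi, Rs, Rd, ds, ts):
    """Step 3: f_i = t_pi(i) + d_i (as integers) and Z = R_d + sum_i t_pi(i) R_i mod Q."""
    n = len(ts)
    fs = [ts[pi[i]] + ds[i] for i in range(n)]
    return fs, (Rd + sum(ts[pi[i]] * Rs[i] for i in range(n))) % Q

def verify(es, Es, Ed, ts, fs, Z):
    """Verifier's check: E(1; Z) * prod_i e_i^t_i == E_d * prod_i E_i^f_i."""
    lhs = mul(E(1, Z), reduce(mul, (power(es[i], ts[i]) for i in range(len(es))), (1, 1)))
    rhs = mul(Ed, reduce(mul, (power(Es[i], fs[i]) for i in range(len(Es))), (1, 1)))
    return lhs == rhs

def run_protocol(es, pi, Rs, ts=None, cheat=False):
    """One run of steps 1-3; cheat=True multiplies the plaintext of E_1 by 9 = 3^2."""
    n = len(es)
    Es = [mul(es[pi[i]], E(1, Rs[i])) for i in range(n)]       # the shuffle of slide 33
    if cheat:
        Es[0] = mul(Es[0], E(9, 0))          # same randomness, different plaintext multiset
    Rd, ds = secrets.randbelow(Q), [secrets.randbits(L + 80) for _ in range(n)]
    Ed = prover_commit(Es, Rd, ds)
    ts = ts if ts is not None else [secrets.randbits(L) for _ in range(n)]   # verifier's challenges
    fs, Z = prover_respond(pi, Rs, Rd, ds, ts)
    return verify(es, Es, Ed, ts, fs, Z)
```

The fi reveal nothing about tπ(i) because the di are 80 bits longer than the challenges; the remaining gap, that the prover could choose the fi freely, is what the commitments of the next slide close.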

36
Idea
  • 1. Commit to π and d1,...,dn: c = com(π(1),...,π(n); r), cd = com(−d1,...,−dn; rd)
  • 2. Receive challenges t1,...,tn
  • 3. Send f1,...,fn (with |q| > l + 80)
  • 4. Receive challenge λ
  • 5. Make SHVZK proof of known content for c^λ·cd·com(f1,...,fn; 0) containing a permutation of λ·1 + t1, ..., λ·n + tn

There exists π so λ·µi + fi − di = λ·π(i) + tπ(i). With overwhelming probability over λ we have µi = π(i) and fi = tπ(i) + di
37
Full protocol
Common input: pk, PK, e1,...,en and E1,...,En
Prover's witness: π, R1,...,Rn
Prover → Verifier: c, cd, Ed
Verifier → Prover: t1,...,tn ∈ {0,1}^l
Prover → Verifier: f1,...,fn, Z
Verifier → Prover: λ ∈ {0,1}^l
Prover → Verifier: SHVZK proof of known content
Verifier: verify the SHVZK proof; check E(1; Z)·∏ ei^ti = Ed·∏ Ei^fi
38
Properties of shuffle proof
  • 7-round public coin protocol
  • Soundness: computational/unconditional
  • SHVZK: statistical/computational
  • With the Pedersen commitment and ElGamal variants:
    • Prover: 4n p-expos, 2n P-expos, 3|q|n bits
    • Verifier: 2n p-expos, 4n P-expos

39
Implementation (Stamer 2005)
  • Pedersen commitment: |p| = 1024, |q| = 160
  • ElGamal encryption: |P| = 1024, |Q| = 160
  • SHVZK proof of correct shuffle of 1024 ElGamal ciphertexts on an AMD Duron 1.3 GHz:
    • Prover: 14 seconds
    • Verifier: 5 seconds

40
Agenda
  • Motivation: anonymous communication
  • Mix-nets
  • What is a shuffle? Homomorphic encryption? Zero-knowledge proofs?
  • ZK proof for shuffle of known contents
  • Tool: homomorphic commitments
  • ZK proof for shuffle of homomorphic encryptions
  • Comparison with other ZK proofs
  • Efficiency improvements

41
Other shuffle proofs
  • Invariance of roots of polynomials
    • Neff CCS01, Groth PKC03, Neff 03, Groth 05
  • Permutation matrices
    • Furukawa-Sako Crypto01, Furukawa IEICE05
  • Integer commitments
    • Wikström Asiacrypt05
  • Linear ignorance assumption
    • Peng et al. Crypto05

42
Comparison of approaches
Setting: Pedersen commitments and ElGamal encryption with |p| = 1024, |q| = 160

                    Roots of poly            Permutation matrix
Rounds              7                        3
Soundness           uncond./comp.            computational
SHVZK               comp./statistical        statistical
Prover expos        6n                       8n (6n)
Prover sends        480n bits                1344n bits
Verifier expos      6n                       8n (7n)
Key length          flexible (e.g. O(√n))    1024n bits
43
Agenda
  • Motivation: anonymous communication
  • Mix-nets
  • What is a shuffle? Homomorphic encryption? Zero-knowledge proofs?
  • ZK proof for shuffle of known contents
  • Tool: homomorphic commitments
  • ZK proof for shuffle of homomorphic encryptions
  • Comparison with other ZK proofs
  • Efficiency improvements

44
Adjusting the key length
The suggested Pedersen commitment variant had public key (q, p, g1,...,gn, h). Assume wlog n = k·l; then we can instead use the public key (q, p, g1,...,gk, h) and commit as c = (c1,...,cl) = (com(m1,...,mk), com(mk+1,...,m2k), ...)
45
Randomization
c^e·cd = com(f1,...,fn; z) and ca^e·cΔ = com(fΔ1,...,f Δ(n−1), 0; zΔ)
Pick α ∈ {0,1}^l at random and check (c^e·cd)^α·ca^e·cΔ = com(α·f1 + fΔ1, ..., α·fn + 0; α·z + zΔ)
Many other randomization/batch verification possibilities
46
On-line/off-line computation
  • Prover can precompute most values off-line (and
    in a mix-net also precompute the rerandomization
    of the ciphertexts)
  • Only needs to compute Ed and ca on-line

47
Picking the challenges
  • Verifier picks seed for pseudorandom number
    generator and sends it to prover
  • Prover generates t1,...,tn from this seed
  • If Q = q, the verifier can simply send a challenge t and let the prover use t1 = t^1 mod q, ..., tn = t^n mod q

48
Multi-exponentiation (Lim 00)
Computing a product ∏ gi^ei can be done in en/(log n log log n) multiplications
Prover, Verifier: about 0.5n naive single expos each for shuffling 100,000 ElGamal ciphertexts
49
Questions?
Thank you