  • 1. A Verifiable Secret Shuffle of Homomorphic Encryptions. Jens Groth, UCLA. On ePrint archive: http://eprint.iacr.org/2005/246
  • 2. Agenda
    • Motivation – anonymous communication
    • What is
      • A shuffle? Homomorphic encryption? Zero-knowledge proofs?
    • ZK proof for shuffle of known contents
      • Tool: Homomorphic commitments
    • ZK proof for shuffle of homomorphic encryptions
    • Comparison with other ZK proofs
    • Efficiency improvements
  • 3. Anonymous communication (figure): senders 1, ..., n hand their messages $m_1, \dots, m_n$ to a mixer (a set of mix-servers), which applies a secret permutation $\pi$ and outputs $m_{\pi(1)}, \dots, m_{\pi(n)}$.
  • 4. Encryption. Rerandomization property: $E(m) \to E'(m)$. Threshold decryption property: $t$ mix-servers can decrypt; $t-1$ mix-servers do not learn anything.
  • 5. Mix-net (figure): senders submit $E(m_1), \dots, E(m_n)$; the mix-net applies $\pi$ and outputs rerandomized ciphertexts $E'(m_{\pi(1)}), \dots, E'(m_{\pi(n)})$; threshold decryption by at least $t$ mix-servers yields $m_{\pi(1)}, \dots, m_{\pi(n)}$.
  • 6. Mix-net (figure): mix-server 1 applies $\pi_1$ to $E(m_1), \dots, E(m_n)$ and outputs $E'(m_{\pi_1(1)}), \dots, E'(m_{\pi_1(n)})$; ...; mix-server $N$ applies $\pi_N$ and outputs $E'''(m_{\pi(1)}), \dots, E'''(m_{\pi(n)})$, where $\pi = \pi_N \circ \dots \circ \pi_1$.
  • 7. A shuffle (figure): input $E(m_1), \dots, E(m_n)$; a permutation $\pi$; output $E'(m_{\pi(1)}), \dots, E'(m_{\pi(n)})$.
  • 8. Agenda
    • Motivation – anonymous communication
      • Mix-nets
    • What is
      • A shuffle? Homomorphic encryption? Zero-knowledge proofs?
    • ZK proof for shuffle of known contents
      • Tool: Homomorphic commitments
    • ZK proof for shuffle of homomorphic encryptions
    • Comparison with other ZK proofs
    • Efficiency improvements
  • 9. Homomorphic encryption. Homomorphic property: $E(m_1 m_2; R_1 + R_2) = E(m_1; R_1)\, E(m_2; R_2)$. Rerandomization: $E(m; R_1 + R_2) = E(m; R_1)\, E(1; R_2)$. Message space order $Q$ with no small prime factors. Root extraction property: see paper.
  • 10. ElGamal variant. Keys: primes $Q, P$ with $P = 2Q + 1$; random elements $G, Y$ of order $Q$; $PK = (Q, P, G, Y)$, $SK = (PK, x)$ with $Y = G^x$. Encryption: $E(m; (\pm 1, \pm 1, R)) = (\pm G^R \bmod P,\ \pm Y^R m \bmod P)$. Ciphertext verification: $(U, V)$ is a valid ciphertext if $0 < U < P$ and $0 < V < P$.
  • 11. A shuffle of homomorphic encryptions (figure): given $\pi, R_1, \dots, R_n$, the input ciphertexts $e_1, \dots, e_n$ are mapped to $E_1 = e_{\pi(1)} E(1; R_1), \dots, E_n = e_{\pi(n)} E(1; R_n)$.
  • 12. Verifiability? Given $e_1, \dots, e_n$ and $E_1, \dots, E_n$: do $\pi, R_1, \dots, R_n$ relating them exist?
  • 13. Zero-knowledge proof
    • Complete: a prover holding $\pi, R_1, \dots, R_n$ can convince anybody of the correctness of the shuffle
    • Sound: if it is not a valid shuffle, it is impossible to convince others of the correctness of the shuffle
    • Zero-knowledge: the prover does not reveal anything beyond the correctness of the shuffle
  • 14. Special honest verifier zero-knowledge (SHVZK). Statement: $PK, e_1, \dots, e_n, E_1, \dots, E_n$ (and a little more). Real proof: the prover, knowing $(\pi, R_1, \dots)$, sends $a_1$, receives challenge $c_1$, sends $a_2$, ... Simulated proof: the simulator is given the challenges $(c_1, \dots)$ in advance and produces $a_1, a_2, \dots$ without the witness. The transcripts $(a_1, c_1, a_2, \dots)$ of real and simulated proofs are indistinguishable.
  • 15. Computational/statistical
    • Soundness
      • Unconditional: No adversary can make a valid proof for a false statement
      • Computational: A polynomial time adversary cannot make a valid proof for a false statement
    • Special honest verifier zero-knowledge
      • Statistical: No adversary can distinguish real proofs from simulated proofs
      • Computational: A polynomial time adversary cannot distinguish real proofs from simulated proofs
  • 16. Main result: a 7-round public coin SHVZK proof for correctness of a shuffle of homomorphic encryptions. Optional: unconditional soundness or statistical SHVZK; key length vs efficiency.
  • 17. Agenda
    • Motivation – anonymous communication
      • Mix-nets
    • What is
      • A shuffle? Homomorphic encryption? Zero-knowledge proofs?
    • ZK proof for shuffle of known contents
      • Tool: Homomorphic commitments
    • ZK proof for shuffle of homomorphic encryptions
    • Comparison with other ZK proofs
    • Efficiency improvements
  • 18. Non-interactive commitment. Public key. Commitment: $c = \mathrm{commit}(m; r)$. Opening: given $c, m, r$, check that $c = \mathrm{commit}(m; r)$.
  • 19. Commitment
    • Binding
      • Unconditional: There is at most one way the committer can open a commitment $c$
      • Computational: A polynomial time adversary cannot find $c, m_1, r_1, m_2, r_2$ with $c = \mathrm{commit}(m_1; r_1) = \mathrm{commit}(m_2; r_2)$ and $m_1 \neq m_2$
    • Hiding
      • Statistical: Commitments to $m$ and $0$ have the same distribution
      • Computational: A polynomial time adversary cannot distinguish a random commitment to $m \neq 0$ from a random commitment to $0$
  • 20. Homomorphic commitment. Homomorphic property: $\mathrm{com}(m_1 + m_1', \dots, m_n + m_n'; r_1 + r_2) = \mathrm{com}(m_1, \dots, m_n; r_1)\, \mathrm{com}(m_1', \dots, m_n'; r_2)$. Message space $\mathbb{Z}_q^n$ with $q$ prime. Root extraction property: given $c, m_1, \dots, m_n, r, e$ with $\gcd(e, q) = 1$ and $c^e = \mathrm{com}(m_1, \dots, m_n; r)$, we can efficiently compute $r'$ so that $c = \mathrm{com}(m_1/e, \dots, m_n/e; r')$.
  • 21. Pedersen commitment variant. Public key: primes $q, p$ with $p = kq + 1$; random elements $g_1, \dots, g_n, h$ of order $q$; $pk = (q, p, g_1, \dots, g_n, h)$. Commitment: $\mathrm{com}(m_1, \dots, m_n; (u, r)) = u\, g_1^{m_1} \cdots g_n^{m_n} h^r \bmod p$, where $u^k = 1 \bmod p$. Commitment verification: valid if $0 < c < p$.
  • 22. Shuffle of known content (figure): from the public messages $m_1, \dots, m_n$ and the secret $\pi, r$, form $\mathrm{com}(m_{\pi(1)}, \dots, m_{\pi(n)}; r)$.
  • 23. SHVZK proof for shuffle of known content: a 4-round public coin SHVZK proof of knowledge for a commitment to a permutation of publicly known messages $m_1, \dots, m_n$. Optional: unconditional soundness or statistical SHVZK; key length vs efficiency.
  • 24. Knowledge of contents. Common: $pk, c, m_1, \dots, m_n$. Prover: $\pi, r$ with $c = \mathrm{com}(m_{\pi(1)}, \dots, m_{\pi(n)}; r)$. Prover sends $c_d = \mathrm{com}(d_1, \dots, d_n; r_d)$; verifier sends $e \in \{0,1\}^\ell$; prover sends $f_i = e\, m_{\pi(i)} + d_i$ and $z = er + r_d$; verifier checks $c^e c_d = \mathrm{com}(f_1, \dots, f_n; z)$.
  • 25. Special HVZK. Common: $pk, c, m_1, \dots, m_n$. Simulator: given $e \in \{0,1\}^\ell$, pick $f_i \in \mathbb{Z}_q$ and $z \in \mathbb{Z}_q$ at random and set $c_d = \mathrm{com}(f_1, \dots, f_n; z)\, c^{-e}$. The check $c^e c_d = \mathrm{com}(f_1, \dots, f_n; z)$ passes.
  • 26. Knowledge. Common: $pk, c, m_1, \dots, m_n$. From one first message $c_d = \mathrm{com}(d_1, \dots, d_n; r_d)$ and two challenges $e, e' \in \{0,1\}^\ell$ with answers $f_i, z$ and $f_i', z'$ satisfying $c^e c_d = \mathrm{com}(f_1, \dots, f_n; z)$ and $c^{e'} c_d = \mathrm{com}(f_1', \dots, f_n'; z')$ we get $c^{e - e'} = \mathrm{com}(f_1 - f_1', \dots, f_n - f_n'; z - z')$. Root extraction: $c = \mathrm{com}(\mu_1, \dots, \mu_n; r)$.
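Added example (not the slides' or the paper's own code): the Pedersen variant of slide 21 without the $u$ factor, the three-move proof of slide 24, its simulator (slide 25) and the extractor of slide 26. The parameters q = 1019, p = 2039 and the fixed generators are constructed toy values and are not secure.

```python
import random

# Constructed toy parameters, NOT secure: p = 2q + 1 and the generators are
# squares mod p, so they have order q.  The u factor of the slide is omitted.
q, p = 1019, 2039
n = 4
gs = [pow(2 + i, 2, p) for i in range(n)]      # g_1, ..., g_n
h = pow(11, 2, p)

def com(ms, r):
    """Pedersen vector commitment com(m_1..m_n; r) = g_1^m_1 ... g_n^m_n h^r mod p."""
    c = pow(h, r % q, p)
    for g, m in zip(gs, ms):
        c = c * pow(g, m % q, p) % p
    return c

def prover_first(rng=random):
    """Slide 24, first move: c_d = com(d_1..d_n; r_d) with fresh random d_i, r_d."""
    ds = [rng.randrange(q) for _ in range(n)]
    r_d = rng.randrange(q)
    return ds, r_d, com(ds, r_d)

def prover_respond(perm_ms, r, ds, r_d, e):
    """Slide 24, third move: f_i = e*m_pi(i) + d_i and z = e*r + r_d (mod q)."""
    fs = [(e * m + d) % q for m, d in zip(perm_ms, ds)]
    return fs, (e * r + r_d) % q

def verify(c, c_d, e, fs, z):
    """Verifier check c^e * c_d == com(f_1..f_n; z)."""
    return pow(c, e, p) * c_d % p == com(fs, z)

def simulate(c, rng=random):
    """Slide 25: choose e, f_i, z first and solve c_d = com(f; z) * c^-e."""
    e = rng.randrange(1, q)
    fs = [rng.randrange(q) for _ in range(n)]
    z = rng.randrange(q)
    return com(fs, z) * pow(c, -e, p) % p, e, fs, z

def extract(t1, t2):
    """Slide 26: two accepting transcripts with the same c_d and e != e' open c.
    In the order-q group root extraction is just division by (e - e') mod q."""
    (c_d, e, fs, z), (c_d2, e2, fs2, z2) = t1, t2
    assert c_d == c_d2 and e != e2
    inv = pow((e - e2) % q, -1, q)
    ms = [(f - f2) * inv % q for f, f2 in zip(fs, fs2)]
    return ms, (z - z2) * inv % q
```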
  • 27. Idea (Neff 2001). Consider the polynomials $\prod_i (m_i - X)$ and $\prod_i (\mu_i - X)$ in $\mathbb{Z}_q[X]$. They are identical exactly when there exists $\pi$ so that $\mu_i = m_{\pi(i)}$. Pick $x$ at random and demonstrate $\prod_i (m_i - x) = \prod_i (\mu_i - x) \bmod q$. With overwhelming probability this is not the case unless such a $\pi$ exists.
  • 28. Identical polynomials. Common: $pk, c, m_1, \dots, m_n$. Verifier sends $x \in \{0,1\}^\ell$; prover sends $c_d, c_a, c_\Delta$; verifier sends $e \in \{0,1\}^\ell$; prover sends $f_i, z, f_{\Delta,i}, z_\Delta$; verifier checks $c^e c_d = \mathrm{com}(f_1, \dots, f_n; z)$ and $c_a^e c_\Delta = \mathrm{com}(f_{\Delta,1}, \dots, f_{\Delta,n-1}; z_\Delta)$, where $f_i = e\mu_i + d_i$ and $f_{\Delta,i} = e\alpha_i + \delta_i$.
  • 29. Checking the polynomials. With $f_i = e\mu_i + d_i$ and $f_{\Delta,i} = e\alpha_i + \delta_i$, let $F_1 = f_1 - ex = e(\mu_1 - x) + d_1$ and let $eF_{i+1} = F_i(f_{i+1} - ex) + f_{\Delta,i}$. Multiplying by $e^{i-1}$: $e^i F_{i+1} = e^{i-1} F_i (f_{i+1} - ex) + e^{i-1} f_{\Delta,i} = \left(e^i \prod_{j \le i}(\mu_j - x) + \mathrm{poly}_{i-1}(e)\right)\left(e(\mu_{i+1} - x) + d_{i+1}\right) + e^{i-1}(e\alpha_i + \delta_i) = e^{i+1} \prod_{j \le i+1}(\mu_j - x) + \mathrm{poly}_i(e)$. Check $F_n = e \prod_i (m_i - x)$, meaning $e^n \prod_j (\mu_j - x) + \mathrm{poly}_{n-1}(e) = e^n \prod_i (m_i - x)$.
  • 30. Completeness. Invariant: $F_i = e \prod_{j \le i}(m_{\pi(j)} - x) + \Delta_i$. Base: $F_1 = f_1 - ex = e(m_{\pi(1)} - x) + d_1$, so $\Delta_1 = d_1$. Step: $eF_{i+1} = F_i(f_{i+1} - ex) + f_{\Delta,i}$ requires $e\alpha_i + \delta_i = e^2 \prod_{j \le i+1}(m_{\pi(j)} - x) + e\Delta_{i+1} - \left(e \prod_{j \le i}(m_{\pi(j)} - x) + \Delta_i\right)\left(e(m_{\pi(i+1)} - x) + d_{i+1}\right) = e\left(\Delta_{i+1} - \prod_{j \le i}(m_{\pi(j)} - x)\, d_{i+1} - \Delta_i (m_{\pi(i+1)} - x)\right) - \Delta_i d_{i+1}$. Finally $F_n = e \prod_i (m_i - x)$ since $\Delta_n = 0$.
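Added example (not from the paper) of the arithmetic behind slides 29 and 30: the honest prover derives $\alpha_i, \delta_i$ from the $\Delta_i$ and the verifier runs the $F_i$ recurrence in the multiplied-through form of slide 29. The commitments $c, c_d, c_a, c_\Delta$ are omitted, so this shows completeness and why a non-permutation fails the final check, not soundness against a cheating prover; q = 1019 is a constructed toy modulus.

```python
import random
from functools import reduce

q = 1019   # constructed toy modulus (a prime); the slides use |q| = 160 bits

def prod(vals):
    """Product in Z_q."""
    return reduce(lambda a, b: a * b % q, vals, 1)

def prover_responses(ms, pi, x, e, rng=random):
    """Slide 30: mu_i = m_pi(i).  Returns the answers f_i = e*mu_i + d_i and
    fDelta_i = e*alpha_i + delta_i, with Delta_1 = d_1, Delta_n = 0 and the
    other Delta_i random, so that F_i = e*prod_{j<=i}(mu_j - x) + Delta_i."""
    n = len(ms)
    mu = [ms[pi[i]] for i in range(n)]
    ds = [rng.randrange(q) for _ in range(n)]
    Delta = [ds[0]] + [rng.randrange(q) for _ in range(n - 2)] + [0]
    alpha, delta = [], []
    for i in range(n - 1):
        P_i = prod(mu[j] - x for j in range(i + 1))      # prod_{j<=i}(mu_j - x)
        alpha.append((Delta[i + 1] - P_i * ds[i + 1] - Delta[i] * (mu[i + 1] - x)) % q)
        delta.append(-Delta[i] * ds[i + 1] % q)
    fs = [(e * mu[i] + ds[i]) % q for i in range(n)]
    fDs = [(e * alpha[i] + delta[i]) % q for i in range(n - 1)]
    return fs, fDs

def verifier_check(ms, x, e, fs, fDs):
    """Slide 29: G_1 = F_1 = f_1 - e x and G_{i+1} = e^i F_{i+1}
    = G_i (f_{i+1} - e x) + e^{i-1} fDelta_i, then test
    e^{n-1} F_n == e^n prod(m_i - x), i.e. F_n == e prod(m_i - x)."""
    G = (fs[0] - e * x) % q
    epow = 1                                  # e^{i-1}
    for i in range(len(ms) - 1):
        G = (G * (fs[i + 1] - e * x) + epow * fDs[i]) % q
        epow = epow * e % q
    return G == epow * e * prod(m - x for m in ms) % q
```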
  • 31. SHVZK proof for known content
    • 4-round public coin protocol
    • Soundness – computational/unconditional
    • SHVZK – statistical/computational
    With the Pedersen commitment variant: prover 3n exponentiations and 2|q|n bits sent; verifier 2n exponentiations
  • 32. Agenda
    • Motivation – anonymous communication
      • Mix-nets
    • What is
      • A shuffle? Homomorphic encryption? Zero-knowledge proofs?
    • ZK proof for shuffle of known contents
      • Tool: Homomorphic commitments
    • ZK proof for shuffle of homomorphic encryptions
    • Comparison with other ZK proofs
    • Efficiency improvements
  • 33. A shuffle of homomorphic encryptions (figure): given $\pi, R_1, \dots, R_n$, the input ciphertexts $e_1, \dots, e_n$ are mapped to $E_1 = e_{\pi(1)} E(1; R_1), \dots, E_n = e_{\pi(n)} E(1; R_n)$.
  • 34. Idea. Want to show that $e_1, \dots, e_n$ and $E_1, \dots, E_n$ have the same plaintexts. 1. Reveal $\pi$. 2. Receive random challenges $t_1, \dots, t_n \in \{0,1\}^\ell$. 3. Release $Z$ so that $E(1; Z) \prod_i e_i^{t_i} = \prod_i E_i^{t_{\pi(i)}}$. Decrypting: $\prod_i m_i^{t_i} = \prod_i M_i^{t_{\pi(i)}}$, i.e. $1 = \prod_i (M_i / m_{\pi(i)})^{t_{\pi(i)}}$. Since $Q$ has no small prime factors, $M_i = m_{\pi(i)}$.
  • 35. Idea
    • 1. Commit to $\pi$; commit to $d_1, \dots, d_n \in \{0,1\}^{\ell + 80}$; form $E_d = E(1; R_d) \prod_i E_i^{-d_i}$
    • 2. Receive challenges $t_1, \dots, t_n \in \{0,1\}^\ell$
    • 3. Release $f_1, \dots, f_n, Z$ with $f_i = t_{\pi(i)} + d_i$ and $E(1; Z) \prod_i e_i^{t_i} = E_d \prod_i E_i^{f_i}$, where $Z = R_d + \sum_i t_{\pi(i)} R_i$; decrypting, $\prod_i m_i^{t_i} = \left(M_d \prod_i M_i^{d_i}\right) \prod_i M_i^{t_{\pi(i)}}$
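Added example (not part of the presentation or of Stamer's implementation), serving slides 9 to 11 and slide 35: the ElGamal variant restricted to the order-Q subgroup, the shuffle $E_i = e_{\pi(i)} E(1; R_i)$, and the check $E(1; Z) \prod e_i^{t_i} = E_d \prod E_i^{f_i}$ with $\pi$ hidden by the $d_i$ but without the commitments to $\pi$ and $d_i$. Q = 1019, P = 2039, G = 4 and the key x are constructed toy values and are not secure.

```python
import random

# Constructed toy parameters, NOT secure: P = 2Q + 1 is a safe prime and
# G = 4 is a square mod P, hence of order Q.  Messages must be squares mod P
# (the order-Q subgroup); the +/-1 signs of the slide's variant are omitted.
Q, P, G = 1019, 2039, 4
x = 123                          # secret key (fixed so the example is reproducible)
Y = pow(G, x, P)

def enc(m, R):
    """E(m; R) = (G^R mod P, Y^R m mod P)."""
    return (pow(G, R, P), pow(Y, R, P) * m % P)

def dec(c):
    return c[1] * pow(c[0], -x, P) % P

def mul(a, b):
    """Homomorphic property: E(m1;R1) * E(m2;R2) = E(m1 m2; R1+R2)."""
    return (a[0] * b[0] % P, a[1] * b[1] % P)

def cpow(c, k):
    return (pow(c[0], k, P), pow(c[1], k, P))

def shuffle(es, rng=random):
    """Slide 11: E_i = e_pi(i) * E(1; R_i) for a random pi and random R_i."""
    n = len(es)
    pi = list(range(n))
    rng.shuffle(pi)
    Rs = [rng.randrange(Q) for _ in range(n)]
    return pi, Rs, [mul(es[pi[i]], enc(1, Rs[i])) for i in range(n)]

def prove_and_check(es, Es, pi, Rs, rng=random):
    """Slide 35 without the commitments: pi is hidden by d_i, the verifier
    checks E(1;Z) * prod e_i^t_i == E_d * prod E_i^f_i."""
    n = len(es)
    ds = [rng.randrange(Q) for _ in range(n)]
    R_d = rng.randrange(Q)
    E_d = enc(1, R_d)
    for i in range(n):                        # E_d = E(1;R_d) * prod E_i^-d_i
        E_d = mul(E_d, cpow(Es[i], -ds[i] % Q))
    ts = [rng.randrange(1, Q) for _ in range(n)]   # verifier's challenges
    fs = [(ts[pi[i]] + ds[i]) % Q for i in range(n)]
    Z = (R_d + sum(ts[pi[i]] * Rs[i] for i in range(n))) % Q
    lhs, rhs = enc(1, Z), E_d
    for i in range(n):
        lhs = mul(lhs, cpow(es[i], ts[i]))
        rhs = mul(rhs, cpow(Es[i], fs[i]))
    return lhs == rhs
```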
  • 36. Idea
    • 1. Commit to $\pi$ and $d_1, \dots, d_n$: $c = \mathrm{com}(\pi(1), \dots, \pi(n); r)$, $c_d = \mathrm{com}(-d_1, \dots, -d_n; r_d)$
    • 2. Receive challenges $t_1, \dots, t_n$
    • 3. Send $f_1, \dots, f_n$ (with $|q| > \ell + 80$)
    • 4. Receive challenge $\lambda$
    • 5. Make the SHVZK proof of known content for $c^\lambda c_d\, \mathrm{com}(f_1, \dots, f_n; 0)$ containing a permutation of $\lambda \cdot 1 + t_1, \dots, \lambda \cdot n + t_n$
    There exists $\pi$ so that $\lambda \mu_i + f_i - d_i = \lambda \pi(i) + t_{\pi(i)}$. With overwhelming probability over $\lambda$ we have $\mu_i = \pi(i)$ and $f_i = t_{\pi(i)} + d_i$
  • 37. Full protocol. Common: $pk, PK, e_1, \dots, e_n$ and $E_1, \dots, E_n$. Prover: $\pi, R_1, \dots, R_n$. Prover sends $c, c_d, E_d$; verifier sends $t_1, \dots, t_n \in \{0,1\}^\ell$; prover sends $f_1, \dots, f_n, Z$; verifier sends $\lambda \in \{0,1\}^\ell$; prover sends the SHVZK proof of known content. Verifier verifies the SHVZK proof and checks $E(1; Z) \prod_i e_i^{t_i} = E_d \prod_i E_i^{f_i}$.
  • 38. Properties of shuffle proof
    • 7-round public coin protocol
    • Soundness – computational/unconditional
    • SHVZK – statistical/computational
    • With the Pedersen commitment and ElGamal variants:
    • Prover: 4n p-exponentiations, 2n P-exponentiations, 3|q|n bits sent
    • Verifier: 2n p-exponentiations, 4n P-exponentiations
  • 39. Implementation (Stamer 2005)
    • Pedersen commitment: |p| = 1024, |q| = 160
    • ElGamal encryption: |P| = 1024, |Q| = 160
    • SHVZK proof of correct shuffle of 1024 ElGamal ciphertexts on an AMD Duron 1.3 GHz
    • Prover: 14 seconds
    • Verifier: 5 seconds
  • 40. Agenda
    • Motivation – anonymous communication
      • Mix-nets
    • What is
      • A shuffle? Homomorphic encryption? Zero-knowledge proofs?
    • ZK proof for shuffle of known contents
      • Tool: Homomorphic commitments
    • ZK proof for shuffle of homomorphic encryptions
    • Comparison with other ZK proofs
    • Efficiency improvements
  • 41. Other shuffle proofs
    • Invariance of roots of polynomials: Neff CCS01, Groth PKC03, Neff 03, Groth 05
    • Permutation matrices: Furukawa & Sako Crypto01, Furukawa IEICE05
    • Integer commitments: Wikström Asiacrypt05
    • Linear ignorance assumption: Peng et al. Crypto05
  • 42. Comparison of approaches (Pedersen, ElGamal, |p| = 1024, |q| = 160), roots of polynomials vs permutation matrix:
    • Rounds: 7 vs 3
    • Soundness: unconditional/computational vs computational
    • SHVZK: computational/statistical vs statistical
    • Prover exponentiations: 6n vs 8n (6n)
    • Prover sends: 480n bits vs 1344n bits
    • Verifier exponentiations: 6n vs 8n (7n)
    • Key length: flexible (e.g. O(√n)) vs 1024n bits
  • 43. Agenda
    • Motivation – anonymous communication
      • Mix-nets
    • What is
      • A shuffle? Homomorphic encryption? Zero-knowledge proofs?
    • ZK proof for shuffle of known contents
      • Tool: Homomorphic commitments
    • ZK proof for shuffle of homomorphic encryptions
    • Comparison with other ZK proofs
    • Efficiency improvements
  • 44. Adjusting the key length. The suggested Pedersen commitment variant had public key $(q, p, g_1, \dots, g_n, h)$. Assume wlog $n = kl$; then we can instead use the public key $(q, p, g_1, \dots, g_k, h)$ and commit as $c = (c_1, \dots, c_l) = (\mathrm{com}(m_1, \dots, m_k), \mathrm{com}(m_{k+1}, \dots, m_{2k}), \dots)$.
  • 45. Randomization. The two checks $c^e c_d = \mathrm{com}(f_1, \dots, f_n; z)$ and $c_a^e c_\Delta = \mathrm{com}(f_{\Delta,1}, \dots, f_{\Delta,n-1}, 0; z_\Delta)$ can be batched: pick $\alpha \in \{0,1\}^\ell$ at random and check $(c^e c_d)^\alpha c_a^e c_\Delta = \mathrm{com}(\alpha f_1 + f_{\Delta,1}, \dots, \alpha f_n + 0; \alpha z + z_\Delta)$. Many other randomization/batch verification possibilities.
  • 46. On-line/off-line computation
    • Prover can precompute most values off-line (and in a mix-net also precompute the rerandomization of the ciphertexts)
    • Only needs to compute E d and c a on-line
  • 47. Picking the challenges
    • Verifier picks seed for pseudorandom number generator and sends it to prover
    • Prover generates $t_1, \dots, t_n$ from this seed
    • If $Q = q$ the verifier can simply send a challenge $t$ and let the prover use $t_1 = t^1 \bmod q, \dots, t_n = t^n \bmod q$
  • 48. Multi-exponentiation (Lim 00). Computing a product $\prod_i g_i^{e_i}$ can be done in $|e| n / (\log n - \log \log n)$ multiplications. Prover and verifier then each pay about 0.5n naïve single exponentiations for shuffling 100,000 ElGamal ciphertexts.
  • 49. Questions? Thank you