Slide 1: A Verifiable Secret Shuffle of Homomorphic Encryptions. Jens Groth, UCLA. On ePrint archive: http://eprint.iacr.org/2005/246
Slide 2: Agenda
- Motivation: anonymous communication
- What is a shuffle? Homomorphic encryption? Zero-knowledge proofs?
- ZK proof for shuffle of known contents (tool: homomorphic commitments)
- ZK proof for shuffle of homomorphic encryptions
- Comparison with other ZK proofs
- Efficiency improvements

Slide 3: Anonymous communication
(Figure.) Senders $1, \ldots, n$ hand messages $m_1, \ldots, m_n$ to a mixer made up of several mix-servers, which outputs $m_{\pi(1)}, \ldots, m_{\pi(n)}$ for a secret permutation $\pi$, so that no output message can be linked to its sender.

Slide 4: Encryption
- Rerandomization property: $E(m) \to E'(m)$; a ciphertext can be transformed into a fresh ciphertext of the same plaintext.
- Threshold decryption property: any $t$ mix-servers can decrypt together; $t-1$ mix-servers learn nothing.

Slide 5: Mix-net
(Figure.) Senders submit $E(m_1), \ldots, E(m_n)$. The mix-servers permute and rerandomize these into $E'(m_{\pi(1)}), \ldots, E'(m_{\pi(n)})$, and at least $t$ of them then threshold-decrypt to $m_{\pi(1)}, \ldots, m_{\pi(n)}$.

Slide 6: Mix-net, server by server
(Figure.) Mix-server 1 applies $\pi_1$ and rerandomizes: $E(m_1), \ldots, E(m_n) \to E'(m_{\pi_1(1)}), \ldots, E'(m_{\pi_1(n)})$. Each following server does the same with its own permutation, and mix-server $N$ outputs $E'''(m_{\pi(1)}), \ldots, E'''(m_{\pi(n)})$ with $\pi = \pi_N \circ \cdots \circ \pi_1$.

Slide 7: A shuffle
(Figure.) Input $E(m_1), \ldots, E(m_n)$; output $E'(m_{\pi(1)}), \ldots, E'(m_{\pi(n)})$ for a permutation $\pi$ known only to the shuffler.

Slide 8: Agenda (repeated as a section marker; next: what is a shuffle, homomorphic encryption, zero-knowledge proofs)
Slide 9: Homomorphic encryption
- Homomorphic property: $E(m_1 m_2; R_1 + R_2) = E(m_1; R_1)\,E(m_2; R_2)$
- Rerandomization: $E(m; R_1 + R_2) = E(m; R_1)\,E(1; R_2)$
- Message space of order $Q$ with no small prime factors
- Root extraction property (see paper)

Slide 10: ElGamal variant
- Keys: primes $Q, P$ with $P = 2Q + 1$; random elements $G, Y$ of order $Q$; $PK = (Q, P, G, Y)$, $SK = (PK, x)$ with $Y = G^x$
- Encryption: $E(m; (\pm 1, \pm 1, R)) = (\pm G^R \bmod P,\ \pm Y^R m \bmod P)$
- Ciphertext verification: $(U, V)$ is a valid ciphertext if $0 < U < P$ and $0 < V < P$. Because the sign bits are part of the randomness, every pair in $\mathbb{Z}_P^*$ is a valid ciphertext, so validity is a range check rather than a subgroup-membership test.

Slide 11: A shuffle of homomorphic encryptions
(Figure.) Given $e_1, \ldots, e_n$, the shuffler picks $\pi$ and $R_1, \ldots, R_n$ and outputs $E_i = e_{\pi(i)}\,E(1; R_i)$.

Slide 12: Verifiability?
(Figure.) Given $e_1, \ldots, e_n$ and $E_1, \ldots, E_n$, how does the shuffler convince others that it knows $\pi, R_1, \ldots, R_n$ with $E_i = e_{\pi(i)}\,E(1; R_i)$, without revealing them?

Slide 13: Zero-knowledge proof
- Complete: a prover holding $\pi, R_1, \ldots, R_n$ can convince anybody of the correctness of the shuffle
- Sound: if the output is not a valid shuffle, it is impossible to convince others of its correctness
- Zero-knowledge: the prover reveals nothing beyond the correctness of the shuffle

Slide 14: Special honest verifier zero-knowledge (SHVZK)
Statement: $PK, e_1, \ldots, e_n, E_1, \ldots, E_n$ (and a little more). A real proof is produced by the prover from its witness $(\pi, R_1, \ldots)$; a simulated proof is produced by a simulator that receives the challenges $(c_1, \ldots)$ in advance. Both are transcripts $(a_1, c_1, a_2, \ldots)$, and the two transcript distributions are indistinguishable.

Slide 15: Computational/statistical
- Soundness. Unconditional: no adversary can make a valid proof for a false statement. Computational: no polynomial-time adversary can make a valid proof for a false statement.
- Special honest verifier zero-knowledge. Statistical: no adversary can distinguish real proofs from simulated proofs. Computational: no polynomial-time adversary can distinguish real proofs from simulated proofs.

Slide 16: Main result
A 7-round public-coin SHVZK proof for correctness of a shuffle of homomorphic encryptions. Optional: unconditional soundness or statistical SHVZK; key length can be traded against efficiency.

Slide 17: Agenda (repeated as a section marker; next: ZK proof for shuffle of known contents, tool: homomorphic commitments)
Slide 18: Non-interactive commitment
Public key; commitment $c = \mathrm{commit}(m; r)$; opening: given $c, m, r$, check that $c = \mathrm{commit}(m; r)$.

Slide 19: Commitment
- Binding. Unconditional: there is at most one way the committer can open a commitment $c$. Computational: no polynomial-time adversary can find $c, m_1, r_1, m_2, r_2$ with $c = \mathrm{commit}(m_1; r_1) = \mathrm{commit}(m_2; r_2)$ and $m_1 \ne m_2$.
- Hiding. Statistical: commitments to $m$ and to $0$ have the same distribution. Computational: no polynomial-time adversary can distinguish a random commitment to $m \ne 0$ from a random commitment to $0$.

Slide 20: Homomorphic commitment
- Homomorphic property: $\mathrm{com}(m_1 + m_1', \ldots, m_n + m_n'; r_1 + r_2) = \mathrm{com}(m_1, \ldots, m_n; r_1)\,\mathrm{com}(m_1', \ldots, m_n'; r_2)$
- Message space $\mathbb{Z}_q^n$ with $q$ prime
- Root extraction property: given $c, m_1, \ldots, m_n, r, e$ with $\gcd(e, q) = 1$ and $c^e = \mathrm{com}(m_1, \ldots, m_n; r)$, we can efficiently compute $r'$ with $c = \mathrm{com}(m_1/e, \ldots, m_n/e; r')$

Slide 21: Pedersen commitment variant
- Public key: primes $q, p$ with $p = kq + 1$; random elements $g_1, \ldots, g_n, h$ of order $q$; $pk = (q, p, g_1, \ldots, g_n, h)$
- Commitment: $\mathrm{com}(m_1, \ldots, m_n; (u, r)) = u\,g_1^{m_1} \cdots g_n^{m_n} h^r \bmod p$, where $u^k = 1 \bmod p$
- Commitment verification: valid if $0 < c < p$

Slide 22: Shuffle of known content
(Figure.) The prover holds $\pi, r$ and publishes $\mathrm{com}(m_{\pi(1)}, \ldots, m_{\pi(n)}; r)$, a commitment to a permutation of the publicly known $m_1, \ldots, m_n$.

Slide 23: SHVZK proof for shuffle of known content
A 4-round public-coin SHVZK proof of knowledge for a commitment to a permutation of publicly known messages $m_1, \ldots, m_n$. Optional: unconditional soundness or statistical SHVZK; key length can be traded against efficiency.
Slide 24: Knowledge of contents
Common: $pk, c, m_1, \ldots, m_n$. Prover: $\pi, r$ with $c = \mathrm{com}(m_{\pi(1)}, \ldots, m_{\pi(n)}; r)$.
1. P to V: $c_d = \mathrm{com}(d_1, \ldots, d_n; r_d)$
2. V to P: $e \leftarrow \{0,1\}^\ell$
3. P to V: $f_i = e\,m_{\pi(i)} + d_i$, $z = er + r_d$
Check: $c^e c_d = \mathrm{com}(f_1, \ldots, f_n; z)$

Slide 25: Special HVZK
Common: $pk, c, m_1, \ldots, m_n$. Simulator, given $e \in \{0,1\}^\ell$: pick $f_i \leftarrow \mathbb{Z}_q$ and $z \leftarrow \mathbb{Z}_q$, set $c_d = \mathrm{com}(f_1, \ldots, f_n; z)\,c^{-e}$. The check $c^e c_d = \mathrm{com}(f_1, \ldots, f_n; z)$ holds by construction, and $(c_d, e, f_1, \ldots, f_n, z)$ is distributed as in a real proof.

Slide 26: Knowledge
Common: $pk, c, m_1, \ldots, m_n$. Two accepting transcripts with the same first message $c_d = \mathrm{com}(d_1, \ldots, d_n; r_d)$ and challenges $e \ne e'$, $e, e' \in \{0,1\}^\ell$:
$c^e c_d = \mathrm{com}(f_1, \ldots, f_n; z)$ and $c^{e'} c_d = \mathrm{com}(f_1', \ldots, f_n'; z')$,
hence $c^{e - e'} = \mathrm{com}(f_1 - f_1', \ldots, f_n - f_n'; z - z')$. Root extraction gives $c = \mathrm{com}(\mu_1, \ldots, \mu_n; r)$ with $\mu_i = (f_i - f_i')/(e - e')$.

Slide 27: Idea (Neff 2001)
Consider the polynomials $\prod_i (m_i - X)$ and $\prod_i (\mu_i - X)$ in $\mathbb{Z}_q[X]$. They are identical exactly when there exists $\pi$ with $\mu_i = m_{\pi(i)}$. Pick $x$ at random and demonstrate $\prod_i (m_i - x) = \prod_i (\mu_i - x) \bmod q$; with overwhelming probability over $x$ this equation fails unless such a $\pi$ exists.

Slide 28: Identical polynomials (the 4-round protocol)
Common: $pk, c, m_1, \ldots, m_n$.
1. V to P: $x \leftarrow \{0,1\}^\ell$
2. P to V: $c_d = \mathrm{com}(d_1, \ldots, d_n; r_d)$, $c_a = \mathrm{com}(\alpha_1, \ldots, \alpha_{n-1}; r_a)$, $c_\Delta = \mathrm{com}(\delta_1, \ldots, \delta_{n-1}; r_\Delta)$
3. V to P: $e \leftarrow \{0,1\}^\ell$
4. P to V: $f_i = e\mu_i + d_i$, $z = er + r_d$, $f_{\Delta i} = e\alpha_i + \delta_i$, $z_\Delta = er_a + r_\Delta$
Checks: $c^e c_d = \mathrm{com}(f_1, \ldots, f_n; z)$ and $c_a^e c_\Delta = \mathrm{com}(f_{\Delta 1}, \ldots, f_{\Delta, n-1}; z_\Delta)$, followed by the polynomial check of the next slide.

Slide 29: Checking the polynomials
With $f_i = e\mu_i + d_i$ and $f_{\Delta i} = e\alpha_i + \delta_i$, the verifier computes
$F_1 = f_1 - ex = e(\mu_1 - x) + d_1$ and, for $i = 1, \ldots, n-1$, $eF_{i+1} = F_i (f_{i+1} - ex) + f_{\Delta i}$.
By induction, $e^{i-1} F_i = e^i \prod_{j \le i} (\mu_j - x) + \mathrm{poly}_{i-1}(e)$, where $\mathrm{poly}_{i-1}$ has degree at most $i-1$ and coefficients fixed before $e$ is chosen:
$e^i F_{i+1} = e^{i-1} F_i (f_{i+1} - ex) + e^{i-1} f_{\Delta i} = \bigl(e^i \prod_{j \le i} (\mu_j - x) + \mathrm{poly}_{i-1}(e)\bigr)\bigl(e(\mu_{i+1} - x) + d_{i+1}\bigr) + e^{i-1}(e\alpha_i + \delta_i) = e^{i+1} \prod_{j \le i+1} (\mu_j - x) + \mathrm{poly}_i(e)$.
The verifier checks $F_n = e \prod_i (m_i - x)$, meaning $e^n \prod_j (\mu_j - x) + \mathrm{poly}_{n-1}(e) = e^n \prod_i (m_i - x)$. Since $e$ is chosen after $\mu_j, d_j, \alpha_j, \delta_j$ are fixed by the commitments, this identity in $e$ holds with non-negligible probability only if the degree-$n$ coefficients agree, i.e. $\prod_j (\mu_j - x) = \prod_i (m_i - x)$.

Slide 30: Completeness
The honest prover has $\mu_j = m_{\pi(j)}$ and arranges $F_i = e \prod_{j \le i} (m_{\pi(j)} - x) + \Delta_i$, with $\Delta_1 = d_1$, $\Delta_2, \ldots, \Delta_{n-1}$ chosen by the prover (at random, for zero-knowledge) and $\Delta_n = 0$. The base case holds: $F_1 = f_1 - ex = e(m_{\pi(1)} - x) + d_1$. For the step $eF_{i+1} = F_i (f_{i+1} - ex) + f_{\Delta i}$ to hold, the prover needs
$e\alpha_i + \delta_i = e^2 \prod_{j \le i+1} (m_{\pi(j)} - x) + e\Delta_{i+1} - \bigl(e \prod_{j \le i} (m_{\pi(j)} - x) + \Delta_i\bigr)\bigl(e(m_{\pi(i+1)} - x) + d_{i+1}\bigr)$
$= e\bigl(\Delta_{i+1} - \prod_{j \le i} (m_{\pi(j)} - x)\,d_{i+1} - \Delta_i (m_{\pi(i+1)} - x)\bigr) - \Delta_i d_{i+1}$,
so it sets $\alpha_i = \Delta_{i+1} - \prod_{j \le i} (m_{\pi(j)} - x)\,d_{i+1} - \Delta_i (m_{\pi(i+1)} - x)$ and $\delta_i = -\Delta_i d_{i+1}$ before committing to them in $c_a, c_\Delta$. With $\Delta_n = 0$ the last value is $F_n = e \prod_i (m_i - x)$, as the verifier expects.

Slide 31: SHVZK proof for known content
- 4-round public-coin protocol
- Soundness: computational or unconditional
- SHVZK: statistical or computational
- With the Pedersen commitment variant: prover 3n exponentiations and $2|q|n$ bits sent; verifier 2n exponentiations
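The four-round proof of slides 24 to 30 carried through in code, as an added example written for this page; it is not code from Groth's paper or from Stamer's implementation. The toy parameters q = 1019, p = 2039 (so k = 2), the 8-bit challenge length, the randomness names r_a and r_Delta and all function names are assumptions made here. The verifier recomputes F_n by the recursion of slide 29, and run(..., cheat=True) has the prover commit to something that is not a permutation of the public messages and then execute the honest algorithm, so the commitment checks pass and only the polynomial check rejects.

```python
import random

# Toy parameters (an assumption for this example, NOT secure): p = k q + 1 with
# q = 1019, p = 2039, k = 2. Challenges are 8 bits here; a real instance uses
# |q| = 160 and challenges of 80 bits or more.
q, p, k, ELL = 1019, 2039, 2, 8


def order_q_element():
    while True:
        g = pow(random.randrange(2, p), k, p)      # k-th powers form the order-q subgroup
        if g != 1:
            return g


def keygen(n):
    """pk = (q, p, g_1, ..., g_n, h), returned as (list of g_i, h)."""
    return [order_q_element() for _ in range(n)], order_q_element()


def com(pk, ms, r, u=1):
    """com(m_1..m_n; (u, r)) = u g_1^{m_1} ... g_n^{m_n} h^r mod p, with u^k = 1 mod p."""
    gs, h = pk
    c = u * pow(h, r, p) % p
    for g, m in zip(gs, ms):
        c = c * pow(g, m % q, p) % p
    return c


def prod_q(vals):
    out = 1
    for v in vals:
        out = out * v % q
    return out


def prover_round2(pk, mus, x):
    """After challenge x: pick blinders d_i and Delta_i (Delta_1 = d_1, Delta_n = 0, the rest
    random) and the alpha_i, delta_i of slide 30; commit to d, alpha and delta."""
    n = len(mus)
    ds = [random.randrange(q) for _ in range(n)]
    Delta = [ds[0]] + [random.randrange(q) for _ in range(n - 2)] + [0]
    alpha, delta = [], []
    for i in range(n - 1):
        partial = prod_q(mu - x for mu in mus[: i + 1])          # prod_{j<=i+1}(mu_j - x)
        alpha.append((Delta[i + 1] - partial * ds[i + 1] - Delta[i] * (mus[i + 1] - x)) % q)
        delta.append(-Delta[i] * ds[i + 1] % q)
    r_d, r_a, r_D = (random.randrange(q) for _ in range(3))
    c_d, c_a, c_D = com(pk, ds, r_d), com(pk, alpha + [0], r_a), com(pk, delta + [0], r_D)
    return (c_d, c_a, c_D), (ds, alpha, delta, r_d, r_a, r_D)


def prover_round4(mus, r, state, e):
    """After challenge e: open f_i = e mu_i + d_i, z = e r + r_d and their Delta analogues."""
    ds, alpha, delta, r_d, r_a, r_D = state
    fs = [(e * mu + d) % q for mu, d in zip(mus, ds)]
    fD = [(e * a + dl) % q for a, dl in zip(alpha, delta)]
    return fs, (e * r + r_d) % q, fD, (e * r_a + r_D) % q


def verify(pk, c, ms, x, commitments, e, fs, z, fD, zD):
    n = len(ms)
    c_d, c_a, c_D = commitments
    if not all(0 < v < p for v in (c, c_d, c_a, c_D)):          # the only validity check needed
        return False
    if pow(c, e, p) * c_d % p != com(pk, fs, z):
        return False
    if pow(c_a, e, p) * c_D % p != com(pk, fD + [0], zD):
        return False
    e_inv = pow(e, -1, q)                                       # 0 < e < q, so invertible
    F = (fs[0] - e * x) % q                                     # F_1 = f_1 - e x
    for i in range(n - 1):                                      # e F_{i+1} = F_i (f_{i+1} - e x) + f_{Delta,i}
        F = (F * (fs[i + 1] - e * x) + fD[i]) * e_inv % q
    return F == e * prod_q(m - x for m in ms) % q               # F_n = e prod_i (m_i - x)


def run(ms, pi, cheat=False):
    """One interactive execution. pi is the prover's permutation as a list; cheat=True makes
    the prover commit to a non-permutation and run the honest algorithm anyway."""
    n = len(ms)
    pk = keygen(n)
    mus = [ms[pi[i]] for i in range(n)]
    if cheat:
        mus[0] = (mus[0] + 1) % q
    r = random.randrange(q)
    c = com(pk, mus, r)                                         # public statement
    x = random.getrandbits(ELL)                                 # round 1: verifier
    commitments, state = prover_round2(pk, mus, x)              # round 2: prover
    e = random.randrange(1, 1 << ELL)                           # round 3: verifier
    fs, z, fD, zD = prover_round4(mus, r, state, e)             # round 4: prover
    return verify(pk, c, ms, x, commitments, e, fs, z, fD, zD)
```

With messages of at least 300 and x below 256, no factor $m_j - x$ vanishes mod q, so the cheating run fails deterministically; with realistic parameters the residual cheating probability is governed by the challenge length and by $n/q$, as slide 27 states.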
Slide 32: Agenda (repeated as a section marker; next: ZK proof for shuffle of homomorphic encryptions)

Slide 33: A shuffle of homomorphic encryptions (repeat of slide 11)
(Figure.) $E_i = e_{\pi(i)}\,E(1; R_i)$ for secret $\pi, R_1, \ldots, R_n$.

Slide 34: Idea
We want to show that $e_1, \ldots, e_n$ and $E_1, \ldots, E_n$ have the same plaintexts.
1. Reveal $\pi$
2. Receive random challenges $t_1, \ldots, t_n \leftarrow \{0,1\}^\ell$
3. Release $Z$ such that $E(1; Z) \prod_i e_i^{t_i} = \prod_i E_i^{t_{\pi(i)}}$
On plaintexts this gives $\prod_i m_i^{t_i} = \prod_i M_i^{t_{\pi(i)}}$, i.e. $1 = \prod_i (M_i / m_{\pi(i)})^{t_{\pi(i)}}$. Since $Q$ has no small prime factors, with overwhelming probability over the $t_i$ this forces $M_i = m_{\pi(i)}$.

Slide 35: Idea, now hiding $\pi$
1. Commit to $\pi$ and to $d_1, \ldots, d_n \leftarrow \{0,1\}^{\ell + 80}$; form $E_d = E(1; R_d) \prod_i E_i^{-d_i}$
2. Receive challenges $t_1, \ldots, t_n \leftarrow \{0,1\}^\ell$
3. Release $f_1, \ldots, f_n, Z$ with $f_i = t_{\pi(i)} + d_i$ and $E(1; Z) \prod_i e_i^{t_i} = E_d \prod_i E_i^{f_i}$, where $Z = R_d + \sum_i t_{\pi(i)} R_i$
On plaintexts: $\prod_i m_i^{t_i} = \bigl(M_d \prod_i M_i^{d_i}\bigr) \prod_i M_i^{t_{\pi(i)}}$. The $d_i$ are 80 bits longer than the $t_i$, so the $f_i$ statistically hide $t_{\pi(i)}$ and hence $\pi$.
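The ElGamal variant of slide 10, the shuffle of slide 11 and the masked random-exponent check of slides 34 and 35, as an added example written for this page (not code from the paper or its implementation). The toy safe prime P = 2Q + 1 = 2039, the representation of pi as a list, the 32-bit challenge length and all function names are assumptions made here. The commitments to pi and to the d_i from slide 36 are deliberately left out: the code shows only the exponent arithmetic the verifier's final check relies on, and without those commitments nothing ties the opened f_i to a single permutation, which is exactly what slide 36 adds.

```python
import random

# Toy parameters (an assumption for this example, NOT secure): P = 2Q + 1 with
# Q = 1019 and P = 2039, both prime. Real deployments use |P| = 1024, |Q| = 160 or more.
Q, P = 1019, 2039


def random_order_q_element():
    """Random element != 1 of the order-Q subgroup of Z_P^* (the squares mod P)."""
    while True:
        g = pow(random.randrange(2, P), 2, P)
        if g != 1:
            return g


def keygen():
    """PK = (Q, P, G, Y) with Y = G^x; the secret key is x."""
    G = random_order_q_element()
    x = random.randrange(1, Q)
    return (Q, P, G, pow(G, x, P)), x


def encrypt(PK, m, R, s1=1, s2=1):
    """E(m; (s1, s2, R)) = (s1 * G^R mod P, s2 * Y^R * m mod P) with s1, s2 in {+1, -1}."""
    _, _, G, Y = PK
    return (s1 * pow(G, R, P) % P, s2 * pow(Y, R, P) * m % P)


def decrypt(PK, x, ct):
    U, V = ct
    t = V * pow(U, -x, P) % P        # equals +-m
    return pow(t, Q + 1, P)          # (+-1)^(Q+1) = 1 and m^(Q+1) = m because m has order Q


def is_valid_ciphertext(ct):
    """The only validity test the verifier runs: a range check on both components."""
    U, V = ct
    return 0 < U < P and 0 < V < P


def mul(c1, c2):
    """Homomorphic product: E(m1; R1) E(m2; R2) = E(m1 m2; R1 + R2)."""
    return (c1[0] * c2[0] % P, c1[1] * c2[1] % P)


def power(ct, e):
    """ct^e componentwise; a negative e uses modular inverses, so sign bits are preserved."""
    return (pow(ct[0], e, P), pow(ct[1], e, P))


def product(cts):
    acc = (1, 1)
    for ct in cts:
        acc = mul(acc, ct)
    return acc


def rerandomize(PK, ct, R):
    """E(m; R1 + R) = E(m; R1) E(1; R)."""
    return mul(ct, encrypt(PK, 1, R))


def shuffle(PK, cts):
    """E_i = e_{pi(i)} E(1; R_i) for a random permutation pi (a list) and fresh R_i."""
    n = len(cts)
    pi = list(range(n))
    random.shuffle(pi)
    Rs = [random.randrange(Q) for _ in range(n)]
    return [rerandomize(PK, cts[pi[i]], Rs[i]) for i in range(n)], pi, Rs


def mask_round1(PK, out, ell):
    """Slide 35, prover's first message: E_d = E(1; R_d) prod E_i^{-d_i}, d_i in {0,1}^{ell+80}."""
    ds = [random.getrandbits(ell + 80) for _ in out]
    R_d = random.randrange(Q)
    E_d = mul(encrypt(PK, 1, R_d), product(power(E, -d) for E, d in zip(out, ds)))
    return E_d, ds, R_d


def mask_round3(pi, Rs, ts, ds, R_d):
    """Slide 35, prover's answer: f_i = t_{pi(i)} + d_i and Z = R_d + sum_i t_{pi(i)} R_i."""
    n = len(ts)
    fs = [ts[pi[i]] + ds[i] for i in range(n)]
    Z = (R_d + sum(ts[pi[i]] * Rs[i] for i in range(n))) % Q
    return fs, Z


def verify_masked(PK, cts, out, E_d, ts, fs, Z):
    """Verifier: range-check everything, then E(1; Z) prod e_i^{t_i} == E_d prod E_i^{f_i}."""
    if not all(is_valid_ciphertext(c) for c in cts + out + [E_d]):
        return False
    lhs = mul(encrypt(PK, 1, Z), product(power(e, t) for e, t in zip(cts, ts)))
    rhs = mul(E_d, product(power(E, f) for E, f in zip(out, fs)))
    return lhs == rhs


def demo(n=5, ell=32, seed=None):
    """Shuffle n ciphertexts, then run the masked check honestly and with a wrong pi."""
    random.seed(seed)
    PK, x = keygen()
    msgs = [random_order_q_element() for _ in range(n)]
    cts = [encrypt(PK, m, random.randrange(Q), random.choice((1, -1)), random.choice((1, -1)))
           for m in msgs]
    out, pi, Rs = shuffle(PK, cts)
    decrypts_ok = [decrypt(PK, x, c) for c in out] == [msgs[pi[i]] for i in range(n)]
    E_d, ds, R_d = mask_round1(PK, out, ell)
    ts = [random.getrandbits(ell) for _ in range(n)]              # verifier's challenge
    fs, Z = mask_round3(pi, Rs, ts, ds, R_d)
    honest_ok = verify_masked(PK, cts, out, E_d, ts, fs, Z)
    wrong_pi = pi[1:] + pi[:1]                                    # a different permutation
    fs2, Z2 = mask_round3(wrong_pi, Rs, ts, ds, R_d)
    cheat_ok = verify_masked(PK, cts, out, E_d, ts, fs2, Z2)
    return decrypts_ok, honest_ok, cheat_ok
```

The sign bits of the encryption are exercised on purpose: the identity $E(1; Z) \prod_i e_i^{t_i} = E_d \prod_i E_i^{f_i}$ holds exactly in $\mathbb{Z}_P^*$ because $\prod_i E_i^{-d_i} \prod_i E_i^{f_i} = \prod_i E_i^{t_{\pi(i)}}$ and $\prod_i s_{\pi(i)}^{t_{\pi(i)}} = \prod_i s_i^{t_i}$, which is why the exponent $-d_i$ must not be reduced modulo $Q$ before use.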
Slide 36: Idea, binding the $f_i$ to the committed $\pi$
1. Commit to $\pi$ and $d_1, \ldots, d_n$: $c = \mathrm{com}(\pi(1), \ldots, \pi(n); r)$, $c_d = \mathrm{com}(-d_1, \ldots, -d_n; r_d)$
2. Receive challenges $t_1, \ldots, t_n$
3. Send $f_1, \ldots, f_n$ (this needs $|q| > \ell + 80$, so that the integers $f_i = t_{\pi(i)} + d_i$ do not wrap around modulo $q$)
4. Receive challenge $\lambda$
5. Give the SHVZK proof of known content that $c^\lambda c_d\,\mathrm{com}(f_1, \ldots, f_n; 0)$ contains a permutation of $\lambda \cdot 1 + t_1, \ldots, \lambda \cdot n + t_n$
Soundness: the proof of known content shows there is a $\pi$ such that $\lambda\mu_i + f_i - d_i = \lambda\pi(i) + t_{\pi(i)}$ for the values $\mu_i$ committed in $c$. With overwhelming probability over $\lambda$ this forces $\mu_i = \pi(i)$ and $f_i = t_{\pi(i)} + d_i$.

Slide 37: Full protocol
Common: $pk, PK, e_1, \ldots, e_n$ and $E_1, \ldots, E_n$. Prover: $\pi, R_1, \ldots, R_n$.
1. P to V: $c, c_d, E_d$
2. V to P: $t_1, \ldots, t_n \leftarrow \{0,1\}^\ell$
3. P to V: $f_1, \ldots, f_n, Z$
4. V to P: $\lambda \leftarrow \{0,1\}^\ell$
5 to 7. SHVZK proof of known content for $c^\lambda c_d\,\mathrm{com}(f_1, \ldots, f_n; 0)$; its first verifier challenge $x$ can be sent together with $\lambda$, which is how the 4-round subproof fits into 7 rounds in total.
Verifier: verify the SHVZK proof and check $E(1; Z) \prod_i e_i^{t_i} = E_d \prod_i E_i^{f_i}$.

Slide 38: Properties of shuffle proof
- 7-round public-coin protocol
- Soundness: computational or unconditional
- SHVZK: statistical or computational
- With the Pedersen commitment and ElGamal variants: prover 4n $p$-exponentiations and 2n $P$-exponentiations, $3|q|n$ bits sent; verifier 2n $p$-exponentiations and 4n $P$-exponentiations

Slide 39: Implementation (Stamer 2005)
- Pedersen commitment with $|p| = 1024$, $|q| = 160$
- ElGamal encryption with $|P| = 1024$, $|Q| = 160$
- SHVZK proof of correct shuffle of 1024 ElGamal ciphertexts on an AMD Duron 1.3 GHz: prover 14 seconds, verifier 5 seconds
Slide 40: Agenda (repeated as a section marker; next: comparison with other ZK proofs)

Slide 41: Other shuffle proofs
- Invariance of roots of polynomials: Neff CCS01, Groth PKC03, Neff 03, Groth 05
- Permutation matrices: Furukawa & Sako Crypto01, Furukawa IEICE05
- Integer commitments: Wikström Asiacrypt05
- Linear ignorance assumption: Peng et al. Crypto05

Slide 42: Comparison of approaches (Pedersen commitments and ElGamal, $|p| = 1024$, $|q| = 160$)

                    Roots of polynomial            Permutation matrix
  Rounds            7                              3
  Soundness         unconditional / computational  computational
  SHVZK             computational / statistical    statistical
  Prover expos      6n                             8n (6n)
  Prover sends      480n bits                      1344n bits
  Verifier expos    6n                             8n (7n)
  Key length        flexible (e.g. O(sqrt n))      1024n bits
Slide 43: Agenda (repeated as a section marker; next: efficiency improvements)

Slide 44: Adjusting the key length
The suggested Pedersen commitment variant had public key $(q, p, g_1, \ldots, g_n, h)$. Assume w.l.o.g. $n = kl$ (this $k$ is unrelated to the $k$ in $p = kq + 1$). Then we can instead use the public key $(q, p, g_1, \ldots, g_k, h)$ and commit as $c = (c_1, \ldots, c_l) = (\mathrm{com}(m_1, \ldots, m_k), \mathrm{com}(m_{k+1}, \ldots, m_{2k}), \ldots)$.

Slide 45: Randomization
Instead of checking $c^e c_d = \mathrm{com}(f_1, \ldots, f_n; z)$ and $c_a^e c_\Delta = \mathrm{com}(f_{\Delta 1}, \ldots, f_{\Delta, n-1}, 0; z_\Delta)$ separately, pick $\alpha \leftarrow \{0,1\}^\ell$ at random and check
$(c^e c_d)^\alpha\, c_a^e c_\Delta = \mathrm{com}(\alpha f_1 + f_{\Delta 1}, \ldots, \alpha f_n + 0; \alpha z + z_\Delta)$.
Many other randomization and batch-verification possibilities exist.

Slide 46: On-line/off-line computation
- The prover can precompute most values off-line (and in a mix-net also precompute the rerandomization of the ciphertexts)
- Only $E_d$ and $c_a$ need to be computed on-line

Slide 47: Picking the challenges
- The verifier picks a seed for a pseudorandom number generator and sends it to the prover
- The prover generates $t_1, \ldots, t_n$ from this seed
- If $Q = q$, the verifier can simply send one challenge $t$ and let the prover use $t_1 = t^1 \bmod q, \ldots, t_n = t^n \bmod q$

Slide 48: Multi-exponentiation (Lim 00)
Computing a product $\prod_i g_i^{e_i}$ can be done in $|e|\,n / (\log n - \log\log n)$ multiplications. For shuffling 100,000 ElGamal ciphertexts, prover and verifier each pay the equivalent of about $0.5n$ naive single exponentiations.
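A multi-exponentiation routine with a multiplication counter, as an added example of the kind of saving slide 48 refers to; it is not code from the paper, and it implements the simultaneous (Straus-style) method rather than Lim's algorithm cited on the slide. The toy group, the group size b and the function names are assumptions made here. compare() returns whether both methods agree with a reference computation and how many modular multiplications each spent.

```python
import random

# Toy group (an assumption for this example, NOT secure): the order-q subgroup of Z_p^*
# with q = 1019, p = 2039. The algorithm itself does not depend on the group.
q, p = 1019, 2039


class MulCounter:
    """Wraps modular multiplication so the two methods can be compared by operation count."""

    def __init__(self):
        self.muls = 0

    def mul(self, a, b):
        self.muls += 1
        return a * b % p


def naive_multiexp(gs, es, ctr):
    """prod g_i^{e_i} as n independent left-to-right square-and-multiply exponentiations."""
    acc = 1
    for g, e in zip(gs, es):
        r = 1
        for bit in bin(e)[2:]:
            r = ctr.mul(r, r)
            if bit == "1":
                r = ctr.mul(r, g)
        acc = ctr.mul(acc, r)
    return acc


def simultaneous_multiexp(gs, es, ctr, b=4):
    """Straus-style simultaneous method: bases are grouped b at a time, each group gets a
    table of all 2^b subset products, and one shared square chain over the exponent bits
    multiplies in one table entry per group per bit."""
    n = len(gs)
    groups = list(range(0, n, b))
    tables = []
    for start in groups:
        grp = gs[start:start + b]
        tab = [1] * (1 << len(grp))
        for mask in range(1, 1 << len(grp)):
            low = mask & -mask                      # lowest set bit of mask
            j = low.bit_length() - 1
            tab[mask] = grp[j] if mask == low else ctr.mul(tab[mask ^ low], grp[j])
        tables.append(tab)
    acc = 1
    for i in range(max(e.bit_length() for e in es) - 1, -1, -1):
        acc = ctr.mul(acc, acc)                     # one squaring shared by all bases
        for tab, start in zip(tables, groups):
            mask = 0
            for j, e in enumerate(es[start:start + b]):
                mask |= ((e >> i) & 1) << j
            if mask:
                acc = ctr.mul(acc, tab[mask])
    return acc


def compare(n=64, b=4, seed=1):
    """Returns (naive correct, simultaneous correct, naive muls, simultaneous muls)."""
    rnd = random.Random(seed)
    gs = [pow(rnd.randrange(2, p), 2, p) for _ in range(n)]   # order-q elements
    es = [rnd.randrange(q) for _ in range(n)]
    expected = 1
    for g, e in zip(gs, es):
        expected = expected * pow(g, e, p) % p
    c_naive, c_sim = MulCounter(), MulCounter()
    r_naive = naive_multiexp(gs, es, c_naive)
    r_sim = simultaneous_multiexp(gs, es, c_sim, b)
    return r_naive == expected, r_sim == expected, c_naive.muls, c_sim.muls
```

With 64 bases and 10-bit exponents the shared square chain costs about ten squarings plus at most one multiplication per group per bit, against roughly fifteen multiplications per base for the naive method; the table precomputation is the price paid for that, and the best b depends on the exponent length and on n, which is the trade-off the bound on slide 48 captures.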
Slide 49: Questions? Thank you.