Sub-linear Zero-Knowledge Argument for Correctness of a Shuffle
Jens Groth, University College London
Yuval Ishai, Technion and University of California Los Angeles
Dec 17, 2015
Initial question
• Kilian 92 gave sub-linear size zero-knowledge argument for SAT
• Not practical though (SAT statement, PCP theorem, ... )
• Is there a practical sub-linear zero-knowledge argument?
• Yes! We will give sub-linear shuffle argument
Mix-net: Anonymous message broadcast
[Figure: ciphertexts of messages m1, m2, ..., mN enter server 1, which applies permutation π1, then server 2, which applies permutation π2; the combined permutation is π = π1π2; the output mπ(1), mπ(2), ..., mπ(N) is recovered by threshold decryption.]
Solution: Zero-knowledge argument
[Figure: the same mix-net (messages m1, ..., mN, servers applying π1 and π2, π = π1π2, outputs mπ(1), ..., mπ(N), threshold decryption), now with each server attaching a ZK argument to its output.]
• Server 1 ZK argument, Server 2 ZK argument
• No message changed (soundness)
• Permutation still secret (zero-knowledge)
ElGamal encryption
Setup: group $G$ of prime order $q$ with generator $g$
Public key: $pk = y = g^x$
Encryption: $E_{pk}(m; r) = (g^r, y^r m)$
Decryption: $D_x(u, v) = v u^{-x}$
Homomorphic: $E_{pk}(m; r) \times E_{pk}(M; R) = E_{pk}(mM; r + R)$
Re-randomization: $E_{pk}(m; r) \times E_{pk}(1; R) = E_{pk}(m; r + R)$
Shuffle
[Figure: input ciphertexts $e_1, \ldots, e_5$ are mapped to $e_{\pi(1)}, \ldots, e_{\pi(5)}$ and re-randomized into output ciphertexts $E_1, \ldots, E_5$.]
• Input ciphertexts $e_1, \ldots, e_N$
• Permute to get $e_{\pi(1)}, \ldots, e_{\pi(N)}$
• Re-randomize them: $E_i = e_{\pi(i)} \times E_{pk}(1; R_i)$
• Output ciphertexts $E_1, \ldots, E_N$
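The ElGamal and shuffle slides above, carried out in code as an added example (this is not code from the slides or from the authors). It assumes a toy safe-prime group p = 2039, q = 1019, g = 4 so that every value is readable; a real mix-net uses a 256-bit elliptic-curve group. It shows the homomorphic property, re-randomization, and a shuffle together with the witness (π, R_1, ..., R_N) the prover later has to argue about.

```python
import random

# Toy safe-prime group (assumed for this example, not from the slides):
# p = 2q + 1 with q prime; g = 4 = 2^2 is a square, so it generates the order-q subgroup.
P = 2039
Q = 1019
G = 4

def keygen(rng):
    """Secret key x, public key y = g^x."""
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)

def encrypt(y, m, r):
    """E_pk(m; r) = (g^r, y^r * m); m must lie in the order-q subgroup."""
    return (pow(G, r, P), pow(y, r, P) * m % P)

def decrypt(x, ct):
    """D_x(u, v) = v * u^(-x)."""
    u, v = ct
    return v * pow(u, -x, P) % P  # negative exponent = modular inverse (Python 3.8+)

def ct_mul(c1, c2):
    """Homomorphic property: E(m; r) x E(M; R) = E(mM; r + R)."""
    return (c1[0] * c2[0] % P, c1[1] * c2[1] % P)

def rerandomize(y, ct, R):
    """E(m; r) x E(1; R) = E(m; r + R): same plaintext, fresh randomness."""
    return ct_mul(ct, encrypt(y, 1, R))

def shuffle(y, cts, rng):
    """Permute and re-randomize: E_i = e_{pi(i)} x E_pk(1; R_i).
    Returns the outputs and the prover's witness (pi, R_1..R_N)."""
    N = len(cts)
    pi = list(range(N))
    rng.shuffle(pi)
    Rs = [rng.randrange(1, Q) for _ in range(N)]  # non-zero, so no output equals its input
    outs = [rerandomize(y, cts[pi[i]], Rs[i]) for i in range(N)]
    return outs, (pi, Rs)

def demo(seed=1):
    """Runs one shuffle on constructed sample ciphertexts and returns four checks."""
    rng = random.Random(seed)
    x, y = keygen(rng)
    msgs = [pow(G, k, P) for k in (11, 22, 33, 44, 55)]  # constructed plaintexts in the subgroup
    cts = [encrypt(y, m, rng.randrange(Q)) for m in msgs]
    # homomorphic: the product of two ciphertexts decrypts to the product of plaintexts
    homomorphic = decrypt(x, ct_mul(cts[0], cts[1])) == msgs[0] * msgs[1] % P
    outs, (pi, Rs) = shuffle(y, cts, rng)
    # outputs decrypt to the same multiset of messages (what soundness must guarantee)
    same_multiset = sorted(decrypt(x, c) for c in outs) == sorted(msgs)
    # no output ciphertext equals any input ciphertext (re-randomization breaks the link)
    unlinkable = all(o not in cts for o in outs)
    # the witness reproduces every output exactly
    witness_ok = all(outs[i] == rerandomize(y, cts[pi[i]], Rs[i]) for i in range(len(cts)))
    return homomorphic, same_multiset, unlinkable, witness_ok

if __name__ == "__main__":
    print(demo())
```

Without the secret key $x$ a verifier cannot run the `same_multiset` check itself, which is exactly why the mix server must supply a zero-knowledge argument instead: it has to convince the verifier of that property using only $pk$, the inputs and the outputs, while keeping $\pi$ and the $R_i$ hidden.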
Zero-knowledge shuffle argument
Statement: $(pk, e_1, \ldots, e_N, E_1, \ldots, E_N)$
Prover (knows the witness $\pi, R_1, \ldots, R_N$) ⟷ Verifier
Sound: shuffle is correct
Zero-knowledge: nothing but truth revealed; permutation is secret
Public coin honest verifier zero-knowledge
Setup: $(G, q, g)$ and common random string
Statement: $(pk, e_1, \ldots, e_N, E_1, \ldots, E_N)$
Prover ⟷ Verifier
Public coin: random challenges from $\mathbb{Z}_q$
Honest verifier zero-knowledge: nothing but truth revealed; permutation secret
Can convert to standard zero-knowledge argument
Non-interactive zero-knowledge argument
Setup: $(G, q, g)$ and common reference string
Statement: $(pk, e_1, \ldots, e_N, E_1, \ldots, E_N)$
Prover → Verifier (anybody can verify)
Fiat-Shamir 86: compute challenges using cryptographic hash-function
History
• Cut-and-choose: $O(Nks)$ bits
• Abe 99 (Abe-Hoshino 01): $O(N \log(N) k)$ bits
• Furukawa-Sako 01 (Furukawa 05, Groth-Lu 07): $O(Nk)$ bits
• Neff 01 (Groth 03): $O(Nk)$ bits
• Others: $O(Nk)$ bits
• This work: $O(N^{2/3} k)$ bits
Our contribution
• 7-move public coin honest verifier zero-knowledge argument for correctness of shuffle in common random string model
• Cost (this work vs. previous), for $N = mn$ ciphertexts:
  Communication: $O(m^2 + N/m) k$ bits vs. $O(N) k$ bits (choosing $m = N^{1/3}$ gives $O(N^{2/3} k)$ bits)
  Prover computation: $O(mN)$ expos vs. $O(N)$ expos
  Verifier computation: $O(N)$ expos vs. $O(N)$ expos
• Fiat-Shamir heuristic: prover only computes once
Concrete example
• Back-of-envelope estimates
• ElGamal over elliptic curve (256 bit)
• Shuffle N = 100,000 ciphertexts (88 Mbits)
• m = 10
• Optimized with multi-exponentiation, batch verification, etc.
• Estimated cost:
  This work: communication 8 Mbits, prover comp. 143 sec., verifier comp. 5 sec.
  Groth 03: communication 77 Mbits, prover comp. 18 sec., verifier comp. 14 sec.
Tools
• Inspired by [IKO07] we will not use full-blown PCPs
• Pedersen commitment to multiple messages:
  $ck = (g, h_1, \ldots, h_n)$
  $\mathrm{commit}_{ck}(m_1, \ldots, m_n; r) = g^r \prod_{i=1}^{n} h_i^{m_i}$
• Batch verification using Schwartz-Zippel lemma: if $\mathrm{poly}_1 \neq \mathrm{poly}_2$ are polynomials of degree $d$, then $\mathrm{poly}_1(x, y, \ldots, z) = \mathrm{poly}_2(x, y, \ldots, z)$ for random $x, y, \ldots, z \leftarrow \mathbb{Z}_q$ with probability at most $d/q$
HVZK shuffle argument
Setup: $(G, q, g, ck)$
Statement: $\bigl(pk, \{e_{ij}\}_{i,j=1}^{m,n}, \{E_{ij}\}_{i,j=1}^{m,n}\bigr)$ where $N = mn$
Prover → Verifier: $\mathrm{commit}_{ck}(\pi)$
Verifier → Prover: $s_1, \ldots, s_m, t_1, \ldots, t_n \leftarrow \mathbb{Z}_q$
Both set $a_{ij} := s_i t_j$
Prover ⟷ Verifier: $\mathrm{HVZK}\Bigl(\prod_{i,j=1}^{m,n} e_{ij}^{a_{ij}} = E_{pk}(1; R) \prod_{i,j=1}^{m,n} E_{\pi(ij)}^{a_{ij}}\Bigr)$
HVZK shuffle argument
Prover → Verifier: $\mathrm{commit}_{ck}(\pi)$
Verifier → Prover: $s_1, \ldots, s_m, t_1, \ldots, t_n \leftarrow \mathbb{Z}_q$; $a_{ij} := s_i t_j$
Prover ⟷ Verifier: $\mathrm{HVZK}\Bigl(\prod_{i,j=1}^{m,n} e_{ij}^{a_{ij}} = E_{pk}(1; R) \prod_{i,j=1}^{m,n} E_{\pi(ij)}^{a_{ij}}\Bigr)$
Writing $m_{ij}$ for the plaintext of $e_{ij}$ and $M_{ij}$ for the plaintext of $E_{ij}$, the equation says
$\prod_{i,j=1}^{m,n} m_{ij}^{a_{ij}} = 1 \cdot \prod_{i,j=1}^{m,n} M_{\pi(ij)}^{a_{ij}} = \prod_{i,j=1}^{m,n} M_{\pi^{-1}(ij)}^{a_{ij}}$
$\sum_{i,j=1}^{m,n} \log(m_{ij})\, s_i t_j = \sum_{i,j} \log(M_{\pi^{-1}(ij)})\, s_i t_j$
Schwartz-Zippel lemma implies $\forall i, j: m_{ij} = M_{\pi^{-1}(ij)}$, or else only probability $2/q$ of polynomial equality
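The reduction on this slide, as an added example that is not part of the slides or the authors' code. It uses the same toy group (p = 2039, q = 1019, g = 4) assumed in the ElGamal example and flattens the $m \times n$ matrix to index $k = i n + j$, with the convention that output $k$ is a re-randomization of input $\pi(k)$ (so $\sigma = \pi^{-1}$ sends an input to its output). The verifier draws $s_1..s_m, t_1..t_n$, the honest prover computes the $R$ for which $\prod_k e_k^{a_k} = E_{pk}(1;R)\prod_k E_{\sigma(k)}^{a_k}$, and a tampered output is caught because that equation then fails for all but a $2/q$ fraction of challenges. In the real argument $R$ and $\sigma$ stay hidden behind commitments and a further HVZK sub-argument; here they are revealed so the reduced equation can be checked directly.

```python
import random

# Toy group as in the ElGamal example (assumed parameters, not from the slides).
P, Q, G = 2039, 1019, 4

def enc(y, m, r):
    """E_pk(m; r) = (g^r, y^r m)."""
    return (pow(G, r, P), pow(y, r, P) * m % P)

def ct_mul(a, b):
    return (a[0] * b[0] % P, a[1] * b[1] % P)

def ct_pow(c, e):
    return (pow(c[0], e, P), pow(c[1], e, P))

def ct_prod(cts):
    acc = (1, 1)
    for c in cts:
        acc = ct_mul(acc, c)
    return acc

def make_instance(rng, m, n):
    """Constructed instance: N = m*n inputs e_k, a correct shuffle E_k = e_{pi(k)} x E(1; R_k), and the witness."""
    x = rng.randrange(1, Q)
    y = pow(G, x, P)
    N = m * n
    ins = [enc(y, pow(G, rng.randrange(1, Q), P), rng.randrange(Q)) for _ in range(N)]
    pi = list(range(N))
    rng.shuffle(pi)
    Rs = [rng.randrange(Q) for _ in range(N)]
    outs = [ct_mul(ins[pi[k]], enc(y, 1, Rs[k])) for k in range(N)]
    return y, ins, outs, (pi, Rs)

def challenge(rng, m, n):
    """Verifier's public coins s_1..s_m, t_1..t_n; exponent a_ij = s_i t_j, flattened to k = i*n + j."""
    s = [rng.randrange(Q) for _ in range(m)]
    t = [rng.randrange(Q) for _ in range(n)]
    return [s[i] * t[j] % Q for i in range(m) for j in range(n)]

def prover_response(a, witness):
    """With sigma = pi^{-1} (input k went to output sigma(k)) the honest prover has
       prod_k e_k^{a_k} = E(1; R) * prod_k E_{sigma(k)}^{a_k}  with  R = -sum_k a_k R_{sigma(k)}.
    The real argument keeps sigma and R secret; here both are output in the clear."""
    pi, Rs = witness
    sigma = [0] * len(pi)
    for k, src in enumerate(pi):
        sigma[src] = k
    R = -sum(a[k] * Rs[sigma[k]] for k in range(len(a))) % Q
    return sigma, R

def verify(y, ins, outs, a, sigma, R):
    lhs = ct_prod(ct_pow(ins[k], a[k]) for k in range(len(a)))
    rhs = ct_mul(enc(y, 1, R), ct_prod(ct_pow(outs[sigma[k]], a[k]) for k in range(len(a))))
    return lhs == rhs

def honest_run(seed=7, m=3, n=4):
    rng = random.Random(seed)
    y, ins, outs, w = make_instance(rng, m, n)
    a = challenge(rng, m, n)
    sigma, R = prover_response(a, w)
    return verify(y, ins, outs, a, sigma, R)

def tampered_run(seed=7, m=3, n=4, trials=8):
    """A cheating mixer multiplies one output plaintext by g^5 and keeps the witness.
    A challenge accepts only if the exponent a_k on the affected input is 0, i.e. the
    corresponding s_i t_j = 0 (probability about 2/q), so a few challenges catch it."""
    rng = random.Random(seed)
    y, ins, outs, w = make_instance(rng, m, n)
    outs[0] = ct_mul(outs[0], enc(y, pow(G, 5, P), 0))
    for _ in range(trials):
        a = challenge(rng, m, n)
        sigma, R = prover_response(a, w)
        if not verify(y, ins, outs, a, sigma, R):
            return True  # substitution detected
    return False
```

The verifier's work here is one multi-exponentiation over all $N$ ciphertexts, which is where the $O(N)$ verifier cost on the contribution slide comes from; the $m + n$ challenge values are what make the exponents $a_{ij} = s_i t_j$ a product of two independent random vectors, so the Schwartz-Zippel bound is $2/q$ rather than something that grows with $N$.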
HVZK shuffle argument
Setup: $(G, q, g, ck)$
Statement: $\bigl(pk, \{e_{ij}\}_{i,j=1}^{m,n}, \{E_{ij}\}_{i,j=1}^{m,n}\bigr)$ where $N = mn$
Prover → Verifier: $\mathrm{commit}_{ck}(\pi)$
Verifier → Prover: $s_1, \ldots, s_m, t_1, \ldots, t_n \leftarrow \mathbb{Z}_q$; $a_{ij} := s_i t_j$
Prover → Verifier: $c \leftarrow \mathrm{commit}_{ck}(\ldots, a_{\pi(ij)}, \ldots)$
Prover ⟷ Verifier: $\mathrm{HVZK}\bigl(c \text{ is a commitment to } \alpha_{ij} \text{ so that } \alpha_{ij} = a_{\pi(ij)}\bigr)$
Prover ⟷ Verifier: $\mathrm{HVZK}\Bigl(\prod_{i,j=1}^{m,n} e_{ij}^{a_{ij}} = E_{pk}(1; R) \prod_{i,j=1}^{m,n} E_{ij}^{\alpha_{ij}}\Bigr)$
The sub-arguments have statements $\bigl(pk, c, \{e_{ij}\}_{i,j=1}^{m,n}, \{E_{ij}\}_{i,j=1}^{m,n}\bigr)$ and, after the next reduction, $\bigl(pk, A_1, \ldots, A_m, E, \{E_{ij}\}_{i,j=1}^{m,n}\bigr)$, where $N = mn$
The second HVZK argument
Setup: $(G, q, g, ck)$
Statement: $c = \mathrm{commit}_{ck}(\ldots, \alpha_{ij}, \ldots)$, to be used in $\mathrm{HVZK}\Bigl(\prod_{i,j=1}^{m,n} e_{ij}^{a_{ij}} = E_{pk}(1; R) \prod_{i,j=1}^{m,n} E_{ij}^{\alpha_{ij}}\Bigr)$
Prover → Verifier: row commitments
$A_1 = \mathrm{commit}_{ck}(\alpha_{11}, \ldots, \alpha_{1n}; r_1)$
$\ldots$
$A_m = \mathrm{commit}_{ck}(\alpha_{m1}, \ldots, \alpha_{mn}; r_m)$
Prover ⟷ Verifier: $\mathrm{HVZK}\Bigl(E = E_{pk}(1; R) \prod_{i,j=1}^{m,n} E_{ij}^{\alpha_{ij}}\Bigr)$
Main idea
Statement: $A_1 = \mathrm{commit}_{ck}(\alpha_{11}, \ldots, \alpha_{1n}; r_1), \ldots, A_m = \mathrm{commit}_{ck}(\alpha_{m1}, \ldots, \alpha_{mn}; r_m)$ and $\mathrm{HVZK}\Bigl(E = \prod_{i,j=1}^{m,n} E_{ij}^{\alpha_{ij}}\Bigr)$
Prover → Verifier: the $m \times m$ matrix
$D_{11} := \prod_{j=1}^{n} E_{1j}^{\alpha_{1j}} \quad \cdots \quad D_{1m} := \prod_{j=1}^{n} E_{mj}^{\alpha_{1j}}$
$\vdots \qquad\qquad\qquad\qquad \vdots$
$D_{m1} := \prod_{j=1}^{n} E_{1j}^{\alpha_{mj}} \quad \cdots \quad D_{mm} := \prod_{j=1}^{n} E_{mj}^{\alpha_{mj}}$
so that $E = \prod_{i,j=1}^{m,n} E_{ij}^{\alpha_{ij}} = \prod_{i=1}^{m} D_{ii}$
Verifier → Prover: $c_1, \ldots, c_m \leftarrow \mathbb{Z}_q$
Verifier checks
$\prod_{i=1}^{m} A_i^{c_i} = \mathrm{commit}_{ck}\Bigl(\sum_{i=1}^{m} c_i \alpha_{i1}, \ldots, \sum_{i=1}^{m} c_i \alpha_{in}\Bigr)$
$\forall\, 1 \le \ell \le m: \prod_{j=1}^{n} E_{\ell j}^{\sum_{i=1}^{m} c_i \alpha_{ij}} = \prod_{i=1}^{m} D_{i\ell}^{c_i}$
which an honest prover satisfies because $\prod_{i=1}^{m} \Bigl(\prod_{j=1}^{n} E_{\ell j}^{\alpha_{ij}}\Bigr)^{c_i} = \prod_{i=1}^{m} D_{i\ell}^{c_i}$
Schwartz-Zippel lemma implies $\forall i, \ell: D_{i\ell} = \prod_{j=1}^{n} E_{\ell j}^{\alpha_{ij}}$
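The "Main idea" slide above, run end to end as an added example (not code from the slides or the authors); it also exercises the two tools from the Tools slide, the multi-message Pedersen commitment and Schwartz-Zippel batch verification. It assumes the same toy group (p = 2039, q = 1019, g = 4) and a constructed commitment key of squares $h_1, \ldots, h_8$. The prover sends the row commitments $A_i$ and the $m \times m$ matrix $D_{i\ell}$; after the challenge $c_1, \ldots, c_m$ it opens $\sum_i c_i \alpha_{ij}$ (and, an added detail following from the Pedersen homomorphism, the combined randomness $\sum_i c_i r_i$), and the verifier runs the three checks from the slide. A prover that shifts a factor between two diagonal entries keeps $E = \prod_i D_{ii}$ true but is caught by the per-column check.

```python
import random

# Toy group (assumed parameters, not from the slides). The Pedersen bases are squares
# mod p, hence lie in the order-q subgroup; in practice ck comes from the common random string.
P, Q, G = 2039, 1019, 4
H = [9, 16, 25, 36, 49, 64, 81, 100]   # h_1..h_8 (constructed), enough for n <= 8

def commit(ms, r):
    """Pedersen commitment to a vector: commit_ck(m_1..m_n; r) = g^r * prod_i h_i^{m_i}."""
    acc = pow(G, r, P)
    for h, mm in zip(H, ms):
        acc = acc * pow(h, mm, P) % P
    return acc

def enc(y, m, r):
    return (pow(G, r, P), pow(y, r, P) * m % P)

def ct_const(m):
    """E(m; 0) = (1, m): an unrandomized ciphertext, used only to tamper with D below."""
    return (1, m % P)

def ct_mul(a, b):
    return (a[0] * b[0] % P, a[1] * b[1] % P)

def ct_pow(c, e):
    return (pow(c[0], e, P), pow(c[1], e, P))

def ct_prod(cts):
    acc = (1, 1)
    for c in cts:
        acc = ct_mul(acc, c)
    return acc

def make_instance(rng, m, n):
    """Constructed statement: an m x n matrix of ciphertexts E_ij, secret exponents alpha_ij,
    and E = prod_ij E_ij^{alpha_ij}."""
    y = pow(G, rng.randrange(1, Q), P)
    E_mat = [[enc(y, pow(G, rng.randrange(1, Q), P), rng.randrange(Q)) for _ in range(n)] for _ in range(m)]
    alpha = [[rng.randrange(Q) for _ in range(n)] for _ in range(m)]
    E = ct_prod(ct_pow(E_mat[i][j], alpha[i][j]) for i in range(m) for j in range(n))
    return E_mat, alpha, E

def prover_first(E_mat, alpha, rng):
    """Row commitments A_i = commit(alpha_i1..alpha_in; r_i) and D_il = prod_j E_lj^{alpha_ij}."""
    m, n = len(alpha), len(alpha[0])
    rs = [rng.randrange(Q) for _ in range(m)]
    A = [commit(alpha[i], rs[i]) for i in range(m)]
    D = [[ct_prod(ct_pow(E_mat[l][j], alpha[i][j]) for j in range(n)) for l in range(m)] for i in range(m)]
    return A, rs, D

def prover_answer(alpha, rs, c):
    """Answer to challenge c_1..c_m: z_j = sum_i c_i alpha_ij and rho = sum_i c_i r_i."""
    m, n = len(alpha), len(alpha[0])
    z = [sum(c[i] * alpha[i][j] for i in range(m)) % Q for j in range(n)]
    rho = sum(c[i] * rs[i] for i in range(m)) % Q
    return z, rho

def verify(E_mat, E, A, D, c, z, rho):
    m, n = len(A), len(z)
    # (1) prod_i A_i^{c_i} = commit(z_1..z_n; rho): Pedersen commitments are homomorphic.
    lhs = 1
    for i in range(m):
        lhs = lhs * pow(A[i], c[i], P) % P
    if lhs != commit(z, rho):
        return False
    # (2) for every column l: prod_j E_lj^{z_j} = prod_i D_il^{c_i}  (Schwartz-Zippel batch check).
    for l in range(m):
        left = ct_prod(ct_pow(E_mat[l][j], z[j]) for j in range(n))
        right = ct_prod(ct_pow(D[i][l], c[i]) for i in range(m))
        if left != right:
            return False
    # (3) E is the product of the diagonal D_ii.
    return E == ct_prod(D[i][i] for i in range(m))

def honest_run(seed=3, m=3, n=4):
    rng = random.Random(seed)
    E_mat, alpha, E = make_instance(rng, m, n)
    A, rs, D = prover_first(E_mat, alpha, rng)
    c = [rng.randrange(Q) for _ in range(m)]
    z, rho = prover_answer(alpha, rs, c)
    return verify(E_mat, E, A, D, c, z, rho)

def tampered_run(seed=3, m=3, n=4, trials=8):
    """Cheating prover moves a factor g^5 from D_11 into D_22: check (3) still passes,
    but check (2) for columns 1 and 2 fails unless c_1 = 0 resp. c_2 = 0 (probability 1/q each)."""
    rng = random.Random(seed)
    E_mat, alpha, E = make_instance(rng, m, n)
    A, rs, D = prover_first(E_mat, alpha, rng)
    D[0][0] = ct_mul(D[0][0], ct_const(pow(G, 5, P)))
    D[1][1] = ct_mul(D[1][1], ct_const(pow(G, Q - 5, P)))  # g^5 * g^(q-5) = 1, diagonal product unchanged
    for _ in range(trials):
        c = [rng.randrange(Q) for _ in range(m)]
        z, rho = prover_answer(alpha, rs, c)
        if not verify(E_mat, E, A, D, c, z, rho):
            return True  # inconsistency detected
    return False
```

Counting what crosses the wire makes the communication bound visible: the prover sends $m$ commitments, $m^2$ ciphertexts $D_{i\ell}$ and $n = N/m$ field elements $z_j$, i.e. $O(m^2 + N/m)$ group and field elements, which is the $O(m^2 + N/m)k$ bits on the contribution slide.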
Argument for correct shuffle of ElGamal ciphertexts
• Honest verifier zero-knowledge
• Argument of knowledge
• Random string model
• 7-moves
• Public coin
• Cost: communication $O(m^2 + N/m) k$ bits, prover computation $O(mN)$ expos, verifier computation $O(N)$ expos
• Generalizations:
  - Homomorphic cryptosystems (e.g. Paillier)
  - 8-move zero-knowledge argument of knowledge for correctness of a shuffle in plain model
Future work: Beyond shuffling
• Can generalize techniques to arithmetic circuits: public coin honest verifier zero-knowledge argument for an arithmetic circuit $C$ over $\mathbb{Z}_q$ of size $O(|C|^{2/3} k)$