Sub-linear Zero-Knowledge Argument for Correctness of a Shuffle

Jens Groth

University College London

Yuval Ishai

Technion and University of California Los Angeles

Initial question

• Kilian 92 gave sub-linear size zero-knowledge argument for SAT

• Not practical though (SAT statement, PCP theorem, ... )

• Is there a practical sub-linear zero-knowledge argument?

• Yes! We will give sub-linear shuffle argument

Mix-net: Anonymous message broadcast

mπ(1) mπ(2) mπ(N)

…

π1

π2

π = π1π2

m1 m2 mN

Threshold decryption

Problem: Corrupt mix-server

mπ(1) mπ(2) m´π(N)

…

π1

π2

π = π1π2

m1 m2 mN

Threshold decryption

Solution: Zero-knowledge argument

mπ(1) mπ(2) mπ(N)

…

π1

π2

π = π1π2

m1 m2 mN

Threshold decryption

Server 1 ZK argumentNo message changed

(soundness)

Server 2 ZK argumentPermutation still secret

(zero-knowledge)

ElGamal encryption

Setup: Group G of prime order q with generator g

Public key: pk = y = gx

Encryption: Epk(m; r) = (gr, yrm)

Decryption: Dx(u,v) = vu-x

Homomorphic:

Epk(m; r) × Epk(M; R) = Epk(mM; r+R)

Re-randomization:

Epk(m; r) × Epk(1; R) = Epk(m; r+R)

e1 e2 e3 e4 e5

Shuffle

e¼(1) e¼(2) e¼(3) e¼(4) e¼(5)E1 E2 E3 E4 E5

• Input ciphertexts e1,…,eN

• Permute to get eπ(1),…,eπ(N)

• Re-randomize them Ei = eπ(i) × Epk(1;Ri)

• Output ciphertexts E1,...,EN

Zero-knowledge shuffle argument

Statement: (pk,e1,...,eN,E1,...,EN)

Prover Verifier

, R1,...,RN

Sound:Shuffle is correct

Zero-knowledge:Nothing but truth revealed; permutation is secret

Public coin honest verifier zero-knowledge

Statement: (pk,e1,...,eN,E1,...,EN)

Prover Verifier

Setup: (G,q,g) and common random string

Public coin:

Random challenges from Zq

Honest verifier zero-knowledgeNothing but truth revealed; permutation secret

Can convert to standard zero-knowledge argument

Non-interactive zero-knowledge argument

Setup: (G,q,g) and common reference string

Statement: (pk,e1,...,eN,E1,...,EN)

Prover Verifier

Fiat-Shamir 86:

Compute challenges using cryptographic hash-function

Anybody

Non-interactive zero-knowledge argument

Setup: (G,q,g) and common reference string

Statement: (pk,e1,...,eN,E1,...,EN)

Prover

History

• Cut-and-choose O(Nks) bits• Abe 99 (Abe-Hoshino 01) O(N log(N)k) bits• Furukawa-Sako 01 O(Nk) bits

(Furukawa 05, Groth-Lu 07)• Neff 01 (Groth 03) O(Nk) bits• Others O(Nk) bits

• This work O(N2/3k) bits

Our contribution

• 7-move public coin honest verifier zero-knowledge argument for correctness of shuffle in common random string model

• Communication: O(m2+N/m)k bitsProver computation: O(mN) exposVerifier computation: O(N) expos

PreviousO(N)kO(N)O(N)

Fiat-Shamir heuristic: Prover only computes once

Concrete example

• Back-of-envelope estimates• ElGamal over elliptic curve (256 bit)• Shuffle N = 100,000 ciphertexts (88Mbits)• m = 10• Optimized with multi-exponentiation, batch-

verification, etc.• Estimated cost

Communication 8 MbitsProver comp. 143 sec.Verifier comp. 5 sec.

Groth 0377 Mbits18 sec.14 sec.

Tools

• Inspired by [IKO07] we will not use full-blown PCPs• Pedersen commitment to multiple messages

• Batch verification using Schwartz-Zippel lemma

with probability at most d/q

ck = (g;h1; : : : ;hn)

commitck(m1; : : :;mn;r) = grnY

i=1

hmii

poly1(x;y;: : : ;z) = poly2(x;y;: : :;z)

HVZK shuffle argument

Setup:

Statement:

Prover Verifier

commitck(¼)

s1; : : : ;sm;t1; : : :; tn à Zq

ai j := si tj

(G;q;g;ck)³pk;

nei jom;n

i ;j =1;nE i j

om;n

i ;j =1

´whereN =mn

HVZK³ m;nY

i ;j =1

eai ji j =Epk(1;R)m;nY

i ;j =1

Ea¼( i j )i j

´

HVZK shuffle argument

Prover Verifier

HVZK³ m;nY

i ;j =1

eai ji j =Epk(1;R)m;nY

i ;j =1

Ea¼( i j )i j

´

commitck(¼)

s1; : : : ;sm;t1; : : :; tn à Zq

ai j := si tj

m;nY

i ;j =1

mai ji j =1¢

m;nY

i ;j =1

Ma¼( i j )i j =

m;nY

i ;j =1

M ai j¼¡ 1(i j )

m;nX

i ;j =1

log(mi j )si tj =m;nX

i ;j

log(M¼¡ 1(i j ))si tj

Schwartz-Zippel lemma implies

or else only probability 2/q of polynomial equality

8i; j : mi j =M¼¡ 1(i j )

HVZK shuffle argument

Setup:

Statement:

Prover Verifier

HVZK³ m;nY

i ;j =1

eai ji j =Epk(1;R)m;nY

i ;j =1

Ea¼( i j )i j

´

commitck(¼)

s1; : : : ;sm;t1; : : :; tn à Zq

ai j := si tj

(G;q;g;ck)³pk;

nei jom;n

i ;j =1;nE i j

om;n

i ;j =1

´whereN =mn

cà commitck(: : :;a¼(i j ); : : :)

HVZK³commitment to®i j so®i j = a¼(i j )

´

HVZK³ m;nY

i ;j =1

eai ji j = Epk(1;R)m;nY

i ;j =1

E®i ji j

´

³pk;c;

nei jom;n

i ;j =1;nE i j

om;n

i ;j =1

´whereN =mn

³pk;A1; : : : ;Am;E ;

nE i j

om;n

i ;j =1

´whereN =mn

The second HVZK argument

c= commitck(: : :;®i j ; : : :)

HVZK³ m;nY

i ;j =1

eai ji j =Epk(1;R)m;nY

i ;j =1

E®i ji j

´

A1 = commitck(®11; : : :;®1n ;r1)...

Am = commitck(®m1; : : : ;®mn ;rm)

HVZK³E = Epk(1;R)

m;nY

i ;j =1

E®i ji j

´

Setup:

Statement:

(G;q;g;ck)

c= commitck(: : : ;®i j ; : : :)

HVZK³E = Epk(1;R)

m;nY

i ;j =1

E®i ji j

´

Main idea

D11 :=Qnj =1 E

®1j1j ¢¢¢ D1m :=

Qnj =1 E

®1jmj

... ...Dm1 :=

Qnj =1 E

®mj1j ¢¢¢ Dmm :=

Qnj =1 E

®mjmj

E =m;nY

i ;j =1

E®i ji j =

mY

i=1

D i i

c1; : : : ;cm à ZqmY

i=1

Acii = commitck(mX

i=1

ci®i1; : : : ;mX

i=1

ci®in)

81 · ` · m :nY

j =1

EP m

i =1ci®i j

`j =mY

i=1

Dcii `

mY

i=1

³ nY

j =1

E®i j`j

´ci=

mY

i=1

Dcii `

A1 = commitck(®11; : : : ;®1n ;r1)...

Am = commitck(®m1; : : : ;®mn ; rm)

HVZK³E =

m;nY

i ;j =1

E®i ji j

´

Schwartz-Zippel lemma implies

8i;` : Di ` =nY

j =1

E®i j`j

Argument for correct shuffle of ElGamal ciphertexts

• Honest verifier zero-knowledge• Argument of knowledge • Random string model• 7-moves• Public coin• Cost

Communication O(m2+N/m)k bitsProver computation O(mN) exposVerifier computation O(N) expos

• Generalizations - Homomorphic cryptosystems (e.g. Paillier) - 8-move zero-knowledge argument of knowledge for

correctness of a shuffle in plain model

Future work: Beyond shuffling

• Can generalize techniques to arithmetic circuits.

Public coin honest verifier zero-knowledge argument for arithmetic circuit over Zq of size O(|C|2/3k)

Thanks

Questions?