Shorter Lattice-based Zero-Knowledge Proofs for the Correctness of a Shuffle

In an electronic voting procedure, mixing networks (mix nets) are used to ensure the anonymity of the cast votes. Each node of the network re-encrypts the input list of ciphertexts and randomly permutes it, in a process named a shuffle, and must prove (in zero-knowledge) that the process was applied honestly. To maintain the security of such a process in a post-quantum scenario, new proofs are based on different mathematical assumptions, such as lattice-based problems. Nonetheless, the best lattice-based protocols to ensure verifiable shuffling have communication complexity linear in N, the number of shuffled ciphertexts. In this paper we propose the first sub-linear (in N) post-quantum zero-knowledge argument for the correctness of a shuffle, for which we have mainly used two ideas: arithmetic circuit satisfiability results from [5] and Beneš networks to model a permutation of N elements. The achieved communication complexity of our protocol with respect to N is O(√N log₂(N)), but we will also highlight its dependency on other important parameters of the underlying lattice ingredients.
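The Beneš-network idea above, as an added example that is not the paper's own code: a permutation of N = 2^k elements is routed through a Beneš network, so the prover's witness becomes (N/2)(2·log₂N − 1) binary switch bits, each of which is a single binary constraint in an arithmetic circuit, instead of the permutation itself. The dict layout and the function names `route`, `apply_network`, `switch_count` and `realizes` are this example's own choices.

```python
# Added example, not the paper's code: route a permutation of N = 2^k items through
# a Benes network; the (N/2)*(2*log2(N)-1) switch bits are the committed witness.

def route(perm):
    """Set switches so input i exits at perm[i]; nested dict, bit 1 = crossed."""
    n = len(perm)
    if n == 2:
        return {"n": 2, "bit": perm[0]}            # crossed iff input 0 -> output 1
    inv = [0] * n
    for i, o in enumerate(perm):
        inv[o] = i
    sub = [None] * n                               # 0 = upper, 1 = lower subnetwork
    for start in range(n):                         # classic looping algorithm
        i, s = start, 0
        while sub[i] is None:
            sub[i] = s                             # i travels through subnetwork s
            sub[i ^ 1] = 1 - s                     # its input-switch mate takes the other
            i = inv[perm[i ^ 1] ^ 1]               # mate's output partner must use s again
    half = n // 2
    first = [sub[2 * j] for j in range(half)]      # input-stage switch bits
    last = [sub[inv[2 * j]] for j in range(half)]  # output-stage switch bits
    up, low = [0] * half, [0] * half               # sub-permutations for the two halves
    for i in range(n):
        (up if sub[i] == 0 else low)[i // 2] = perm[i] // 2
    return {"n": n, "first": first, "up": route(up), "low": route(low), "last": last}

def apply_network(net, xs):
    """Push a list through the switched network (what the verifier's circuit checks)."""
    n = len(xs)
    if n == 2:
        return [xs[1], xs[0]] if net["bit"] else list(xs)
    sw = [(xs[2 * j + 1], xs[2 * j]) if net["first"][j] else (xs[2 * j], xs[2 * j + 1]) for j in range(n // 2)]
    ups = apply_network(net["up"], [a for a, _ in sw])
    lows = apply_network(net["low"], [b for _, b in sw])
    out = []
    for j in range(n // 2):
        out += [lows[j], ups[j]] if net["last"][j] else [ups[j], lows[j]]
    return out

def switch_count(net):
    """Committed switch bits: (N/2)*(2*log2(N)-1), e.g. 20 for N = 8."""
    if net["n"] == 2:
        return 1
    return len(net["first"]) + len(net["last"]) + switch_count(net["up"]) + switch_count(net["low"])

def realizes(perm):
    """True iff the routed network sends element i to output perm[i]."""
    ys = apply_network(route(perm), list(range(len(perm))))
    return all(ys[perm[i]] == i for i in range(len(perm)))
```

Routing and then re-applying the network with `realizes` is the check a prover can run locally before committing to the bits; the verifier's circuit only needs to enforce that each bit is 0 or 1 and that every switch outputs its two inputs, possibly swapped.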

[1] Jens Groth et al. A Verifiable Secret Shuffle of Homomorphic Encryptions, 2003, Journal of Cryptology.

[2] Xavier Boyen et al. A Verifiable and Practical Lattice-Based Decryption Mix Net with External Auditing, 2020, IACR Cryptol. ePrint Arch.

[3] Chris Peikert et al. On Ideal Lattices and Learning with Errors over Rings, 2010, JACM.

[4] Masayuki Abe et al. Mix-Networks on Permutation Networks, 1999, ASIACRYPT.

[5] Sourav Mukhopadhyay et al. Matrix-Based Nonblocking Routing Algorithm for Beneš Networks, 2009, 2009 Computation World: Future Computing, Service Computation, Cognitive, Adaptive, Content, Patterns.

[6] Douglas Wikström et al. A Commitment-Consistent Proof of a Shuffle, 2009, ACISP.

[7] Douglas Wikström et al. Proofs of Restricted Shuffles, 2010, AFRICACRYPT.

[8] Peter W. Shor et al. Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer, 1995, SIAM Rev.

[9] Vadim Lyubashevsky et al. A non-PCP Approach to Succinct Quantum-Safe Zero-Knowledge, 2020, IACR Cryptol. ePrint Arch.

[10] Kazue Sako et al. Receipt-Free Mix-Type Voting Scheme - A Practical Solution to the Implementation of a Voting Booth, 1995, EUROCRYPT.

[11] Xavier Boyen et al. Epoque: Practical End-to-End Verifiable Post-Quantum-Secure E-Voting, 2021, 2021 IEEE European Symposium on Security and Privacy (EuroS&P).

[12] Johannes Müller et al. SoK: Techniques for Verifiable Mix Nets, 2020, 2020 IEEE 33rd Computer Security Foundations Symposium (CSF).

[13] Jens Groth et al. Sub-Linear Lattice-Based Zero-Knowledge Arguments for Arithmetic Circuits, 2018, IACR Cryptol. ePrint Arch.

[14] David Cash et al. Fast Cryptographic Primitives and Circular-Secure Encryption Based on Hard Learning Problems, 2009, CRYPTO.

[15] Jens Groth et al. Efficient Zero-Knowledge Arguments for Arithmetic Circuits in the Discrete Log Setting, 2016, EUROCRYPT.

[16] Dan Boneh et al. Bulletproofs: Short Proofs for Confidential Transactions and More, 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[17] C. Andrew Neff et al. A verifiable secret shuffle and its application to e-voting, 2001, CCS '01.

[18] Masayuki Abe et al. Universally Verifiable Mix-net with Verification Work Independent of the Number of Mix-servers, 1998, EUROCRYPT.

[19] Masayuki Abe et al. Remarks on Mix-Network Based on Permutation Networks, 2001, Public Key Cryptography.

[20] Rami G. Melhem et al. Arbitrary Size Benes Networks, 1997, Parallel Process. Lett.

[21] Vadim Lyubashevsky et al. Lattice Signatures Without Trapdoors, 2012, IACR Cryptol. ePrint Arch.

[22] 今井 浩. Famous Works and Papers of the 20th Century: Peter Shor: Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer, 2004.

[23] Paz Morillo et al. Lattice-based proof of a shuffle, 2019, IACR Cryptol. ePrint Arch.

[24] Jens Groth et al. Verifiable Shuffle of Large Size Ciphertexts, 2007, Public Key Cryptography.

[25] J. Markus et al. Millimix: Mixing in Small Batches, 1999.

[26] Gregory Neven et al. Practical Quantum-Safe Voting from Lattices, 2017, IACR Cryptol. ePrint Arch.

[27] Paz Morillo et al. Proof of a Shuffle for Lattice-Based Cryptography, 2017, NordSec.

[28] Kazue Sako et al. An Efficient Scheme for Proving a Shuffle, 2001, CRYPTO.

[29] David Chaum et al. Untraceable electronic mail, return addresses, and digital pseudonyms, 1981, CACM.

[30] Serge Fehr et al. The Measure-and-Reprogram Technique 2.0: Multi-Round Fiat-Shamir and More, 2020, IACR Cryptol. ePrint Arch.

[31] Gil Segev et al. Securing Abe's Mix-net Against Malicious Verifiers via Witness Indistinguishability, 2018, IACR Cryptol. ePrint Arch.

[32] Kristian Gjøsteen et al. A Roadmap to Fully Homomorphic Elections: Stronger Security, Better Verifiability, 2017, Financial Cryptography Workshops.

[33] Abraham Waksman et al. A Permutation Network, 1968, JACM.

[34] Jens Groth. A Verifiable Secret Shuffle of Homomorphic Encryptions, 2003, Public Key Cryptography.

[35] Yuval Ishai et al. Sub-linear Zero-Knowledge Argument for Correctness of a Shuffle, 2008, EUROCRYPT.

[36] Diego F. Aranha et al. Lattice-Based Proof of Shuffle and Applications to Electronic Voting, 2021, IACR Cryptol. ePrint Arch.

[37] Jens Groth et al. Efficient Zero-Knowledge Argument for Correctness of a Shuffle, 2012, EUROCRYPT.

[38] Martin Strand et al. A verifiable shuffle for the GSW cryptosystem, 2018, IACR Cryptol. ePrint Arch.

[39] Jun Furukawa. Efficient and Verifiable Shuffling and Shuffle-Decryption, 2005, IEICE Trans. Fundam. Electron. Commun. Comput. Sci.