On Publicly-Accountable Zero-Knowledge and Small Shuffle Arguments

Constructing interactive zero-knowledge arguments from simple assumptions with small communication complexity and good computational efficiency is an important but difficult problem. In this work, we study interactive arguments with noticeable soundness error in their full generality and for the specific purpose of constructing concretely efficient shuffle arguments. To counterbalance the effects of a larger soundness error, we show how to transform such three-move arguments into publicly-accountable ones which allow the verifier to convince third parties of detected misbehavior by a cheating prover. This may be particularly interesting for applications where a malicious prover has to balance the profits it can make from cheating successfully and the losses it suffers from being caught. We construct interactive, public-coin, zero-knowledge arguments with noticeable soundness error for proving that a target vector of commitments is a pseudorandom permutation of a source vector. Our arguments do not rely on any trusted setup and only require the existence of collision-resistant hash functions. The communication complexity of our arguments is independent of the length of the shuffled vector. For a soundness error of 2^-5 = 1/32, the communication cost is 153 bytes without and 992 bytes with public accountability, meaning that our arguments are shorter than shuffle arguments realized using Bulletproofs (IEEE S&P 2018) and even competitive in size with SNARKs, despite only relying on simple assumptions.
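To make the statement being proved concrete, the following is an added Python example (not code from the paper or its authors): it defines hash-based commitments, derives a permutation pseudorandomly from a short seed, and checks the relation "the target commitment vector opens to a pseudorandom permutation of the source commitment vector" given the full witness. It models only the relation, not the paper's argument system; the SHA-256 commitment format, the HMAC-based permutation derivation and all sample values are assumptions made here for illustration.

```python
"""Constructed illustration of the shuffle relation described in the abstract.

Source vector:  c_i  = H(m_i || r_i)
Target vector:  c'_j = H(m_{pi(j)} || s_j), pi derived pseudorandomly from a seed

This only defines and checks the relation such an argument proves; the actual
zero-knowledge argument (which must NOT reveal the witness) is the paper's
contribution and is not reproduced here.
"""
import hashlib
import hmac
import secrets
from typing import List, Tuple

Opening = Tuple[bytes, bytes]  # (message, randomizer)


def commit(msg: bytes, rand: bytes) -> bytes:
    # Hash-based commitment (assumed format): binding from collision resistance,
    # hiding from the 32-byte randomizer. The length prefix keeps the
    # message/randomizer boundary unambiguous.
    return hashlib.sha256(b"commit|" + len(msg).to_bytes(2, "big") + msg + rand).digest()


def prf(key: bytes, counter: int) -> int:
    # HMAC-SHA256 used as a PRF; the 256-bit output is read as an integer.
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac, "big")


def pseudorandom_permutation(seed: bytes, n: int) -> List[int]:
    # Fisher-Yates shuffle driven by PRF outputs, so the permutation is a
    # deterministic function of the seed. Modulo bias is negligible for a
    # 256-bit output and small n.
    pi = list(range(n))
    for i in range(n - 1, 0, -1):
        j = prf(seed, i) % (i + 1)
        pi[i], pi[j] = pi[j], pi[i]
    return pi


def shuffle_commitments(source_openings: List[Opening], seed: bytes) -> Tuple[List[bytes], List[bytes]]:
    # Honest shuffler: re-commit each message under fresh randomness in the
    # order given by the seed-derived permutation. Returns (target, target_rands).
    pi = pseudorandom_permutation(seed, len(source_openings))
    target, rands = [], []
    for j in range(len(source_openings)):
        m, _ = source_openings[pi[j]]
        s = secrets.token_bytes(32)
        target.append(commit(m, s))
        rands.append(s)
    return target, rands


def check_shuffle_relation(source: List[bytes], target: List[bytes], seed: bytes,
                           source_openings: List[Opening], target_rands: List[bytes]) -> bool:
    # The NP relation: every source commitment opens as claimed, and target[j]
    # commits to the message of source[pi(j)] under the supplied randomizer.
    n = len(source)
    if not (len(target) == len(source_openings) == len(target_rands) == n):
        return False
    if any(commit(m, r) != c for (m, r), c in zip(source_openings, source)):
        return False
    pi = pseudorandom_permutation(seed, n)
    return all(commit(source_openings[pi[j]][0], target_rands[j]) == target[j] for j in range(n))


def build_instance(n: int = 8):
    # Constructed sample instance with distinct messages and a fixed seed.
    seed = b"constructed-example-seed"
    source_openings = [(f"ballot-{i}".encode(), secrets.token_bytes(32)) for i in range(n)]
    source = [commit(m, r) for m, r in source_openings]
    target, target_rands = shuffle_commitments(source_openings, seed)
    return source, target, seed, source_openings, target_rands


if __name__ == "__main__":
    inst = build_instance()
    print("relation holds:", check_shuffle_relation(*inst))
```

Everything the checker consumes (seed, openings, randomizers) is the witness; a shuffle argument convinces a verifier that such a witness exists without revealing it, and the abstract's figures of 153 and 992 bytes refer to the size of that argument, not of the vectors above.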
