Sub-linear Zero-Knowledge Argument for Correctness of a Shuffle

A shuffle of a set of ciphertexts is a new set of ciphertexts with the same plaintexts in permuted order. Shuffles of homomorphic encryptions are a key component in mix-nets, which in turn are used in protocols for anonymization and voting. Since the plaintexts are encrypted it is not directly verifiable whether a shuffle is correct, and it is often necessary to prove the correctness of a shuffle using a zero-knowledge proof or argument. In previous zero-knowledge shuffle arguments from the literature the communication complexity grows linearly with the number of ciphertexts in the shuffle. We suggest the first practical shuffle argument with sub-linear communication complexity. Our result stems from combining previous work on shuffle arguments with ideas taken from probabilistically checkable proofs.

[1]  Tatsuaki Okamoto,et al.  Public Key Cryptography - PKC 2007, 10th International Conference on Practice and Theory in Public-Key Cryptography, Beijing, China, April 16-20, 2007, Proceedings , 2007, Public Key Cryptography.

[2]  Yehuda Lindell,et al.  Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation , 2001, Journal of Cryptology.

[3]  Jun Furukawa Efficient and Verifiable Shuffling and Shuffle-Decryption , 2005, IEICE Trans. Fundam. Electron. Commun. Comput. Sci..

[4]  Douglas Wikström,et al.  A Sender Verifiable Mix-Net and a New Proof of a Shuffle , 2005, ASIACRYPT.

[5]  Jacques Stern,et al.  Advances in Cryptology — EUROCRYPT ’99 , 1999, Lecture Notes in Computer Science.

[6]  David Chaum,et al.  Minimum Disclosure Proofs of Knowledge , 1988, J. Comput. Syst. Sci..

[7]  Jens Groth,et al.  Verifiable Shuffle of Large Size Ciphertexts , 2007, Public Key Cryptography.

[8]  Jens Groth,et al.  A Verifiable Secret Shuffle of Homomorphic Encryptions , 2003, Journal of Cryptology.

[9]  Mihir Bellare,et al.  Fast Batch Verification for Modular Exponentiation and Digital Signatures , 1998, IACR Cryptol. ePrint Arch..

[10]  Mihir Bellare,et al.  Random oracles are practical: a paradigm for designing efficient protocols , 1993, CCS '93.

[11]  Juan A. Garay,et al.  Strengthening Zero-Knowledge Protocols Using Signatures , 2003, EUROCRYPT.

[12]  Kaisa Nyberg,et al.  Advances in Cryptology — EUROCRYPT'98 , 1998 .

[13]  Andrew Odlyzko,et al.  Advances in Cryptology — CRYPTO’ 86 , 2000, Lecture Notes in Computer Science.

[14]  C. A. Neff Verifiable Mixing (Shuffling) of ElGamal Pairs , 2004 .

[15]  Ivan Damgård,et al.  A Statistically-Hiding Integer Commitment Scheme Based on Groups with Hidden Order , 2002, ASIACRYPT.

[16]  Rafail Ostrovsky,et al.  Efficient Arguments without Short PCPs , 2007, Twenty-Second Annual IEEE Conference on Computational Complexity (CCC'07).

[17]  R. Cramer,et al.  Linear Zero-Knowledgde. A Note on Efficient Zero-Knowledge Proofs and Arguments , 1996 .

[18]  Silvio Micali,et al.  The Knowledge Complexity of Interactive Proof Systems , 1989, SIAM J. Comput..

[19]  Silvio Micali,et al.  Computationally Sound Proofs , 2000, SIAM J. Comput..

[20]  Arto Salomaa,et al.  Public-Key Cryptography , 1991, EATCS Monographs on Theoretical Computer Science.

[21]  Aggelos Kiayias,et al.  Self Protecting Pirates and Black-Box Traitor Tracing , 2001, CRYPTO.

[22]  Keisuke Tanaka,et al.  Shufle for Paillier's Encryption Scheme , 2005, IEICE Trans. Fundam. Electron. Commun. Comput. Sci..

[23]  Masayuki Abe,et al.  Remarks on Mix-Network Based on Permutation Networks , 2001, Public Key Cryptography.

[24]  Amos Fiat,et al.  How to Prove Yourself: Practical Solutions to Identification and Signature Problems , 1986, CRYPTO.

[25]  Yael Tauman Kalai,et al.  On the (In)security of the Fiat-Shamir paradigm , 2003, 44th Annual IEEE Symposium on Foundations of Computer Science, 2003. Proceedings..

[26]  C. Andrew Neff,et al.  A verifiable secret shuffle and its application to e-voting , 2001, CCS '01.

[27]  Mihir Bellare,et al.  On Defining Proofs of Knowledge , 1992, CRYPTO.

[28]  Taher ElGamal,et al.  A public key cyryptosystem and signature scheme based on discrete logarithms , 1985 .

[29]  Yvo Desmedt Public Key Cryptography — PKC 2003 , 2002, Lecture Notes in Computer Science.

[30]  Reihaneh Safavi-Naini,et al.  A Provably Secure and Efficient Verifiable Shuffle based on a Variant of the Paillier Cryptosystem , 2005, J. Univers. Comput. Sci..

[31]  Sanjeev Arora,et al.  Probabilistic checking of proofs; a new characterization of NP , 1992, Proceedings., 33rd Annual Symposium on Foundations of Computer Science.

[32]  Jean-Jacques Quisquater,et al.  Advances in Cryptology — EUROCRYPT ’95 , 2001, Lecture Notes in Computer Science.

[33]  Yuliang Zheng,et al.  Advances in Cryptology — ASIACRYPT 2002 , 2002, Lecture Notes in Computer Science.

[34]  Pascal Paillier,et al.  Public-Key Cryptosystems Based on Composite Degree Residuosity Classes , 1999, EUROCRYPT.

[35]  Carsten Lund,et al.  Proof verification and the hardness of approximation problems , 1998, JACM.

[36]  Satoshi Obana,et al.  An Implementation of a Universally Verifiable Electronic Voting Scheme based on Shuffling , 2002, Financial Cryptography.

[37]  Ivan Damgård,et al.  Efficient Concurrent Zero-Knowledge in the Auxiliary String Model , 2000, EUROCRYPT.

[38]  Joan Feigenbaum,et al.  Advances in Cryptology-Crypto 91 , 1992 .

[39]  Ernest F. Brickell,et al.  Advances in Cryptology — CRYPTO’ 92 , 2001, Lecture Notes in Computer Science.

[40]  Kazue Sako,et al.  An Efficient Scheme for Proving a Shuffle , 2001, CRYPTO.

[41]  S. Goldwasser The Knowledge Complexity of Interactive Proof System , 1989 .

[42]  Bart Preneel,et al.  Advances in cryptology - EUROCRYPT 2000 : International Conference on the Theory and Application of Cryptographic Techniques, Bruges, Belgium, May 14-18, 2000 : proceedings , 2000 .

[43]  Yvo Desmedt,et al.  Advances in Cryptology — CRYPTO ’94 , 2001, Lecture Notes in Computer Science.

[44]  Torben P. Pedersen Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing , 1991, CRYPTO.

[45]  Ivan Damgård,et al.  Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols , 1994, CRYPTO.

[46]  Masayuki Abe,et al.  Universally Verifiable Mix-net with Verification Work Indendent of the Number of Mix-servers , 1998, EUROCRYPT.

[47]  A. Maximov,et al.  Fast computation of large distributions and its cryptographic applications , 2005 .

[48]  Reihaneh Safavi-Naini,et al.  Verifiable shuffles: a formal model and a Paillier-based three-round construction with provable security , 2006, International Journal of Information Security.

[49]  Eli Ben-Sasson,et al.  Short PCPs verifiable in polylogarithmic time , 2005, 20th Annual IEEE Conference on Computational Complexity (CCC'05).

[50]  Kazue Sako,et al.  Receipt-Free Mix-Type Voting Scheme - A Practical Solution to the Implementation of a Voting Booth , 1995, EUROCRYPT.