A Verifiable Secret Shuffle of Homomorphic Encryptions

A shuffle consists of a permutation and re-encryption of a set of input ciphertexts. One application of shuffles is to build mix-nets. We suggest an honest verifier zero-knowledge argument for the correctness of a shuffle of homomorphic encryptions. Our scheme is more efficient than previous schemes both in terms of communication and computation. The honest verifier zero-knowledge argument has a size that is independent of the actual cryptosystem being used and will typically be smaller than the size of the shuffle itself. Moreover, our scheme is well suited for the use of multi-exponentiation and batch-verification techniques. Additionally, we suggest a more efficient honest verifier zero-knowledge argument for a commitment containing a permutation of a set of publicly known messages. We also suggest an honest verifier zero-knowledge argument for the correctness of a combined shuffle-and-decrypt operation that can be used in connection with decrypting mix-nets based on ElGamal encryption. All our honest verifier zero-knowledge arguments can be turned into honest verifier zero-knowledge proofs. We use homomorphic commitments as an essential part of our schemes. When the commitment scheme is statistically hiding we obtain statistical honest verifier zero-knowledge arguments; when the commitment scheme is statistically binding, we obtain computational honest verifier zero-knowledge proofs.
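As an added illustration (not the paper's construction), the following toy ElGamal shuffle shows the permute-and-re-encrypt step the abstract describes and the "same multiset of plaintexts" statement that a shuffle argument certifies. The prime P, generator G, the g^m message encoding and all function names are constructed choices for this example.

```python
"""Toy shuffle of ElGamal ciphertexts: secret permutation plus re-encryption,
then a check that the outputs decrypt to the same multiset. Constructed params."""
import secrets

P = 1019  # safe prime, constructed for this example (real use: 2048-bit or EC)
Q = 509   # (P-1)/2, prime order of the quadratic-residue subgroup
G = 4     # 2^2, a generator of the order-Q subgroup

def keygen():
    x = secrets.randbelow(Q - 1) + 1      # secret key in [1, Q-1]
    return x, pow(G, x, P)                # (sk, pk = g^x)

def encrypt(pk, m, r=None):
    """ElGamal ciphertext (g^r, m*pk^r); m must be a subgroup element."""
    r = secrets.randbelow(Q) if r is None else r
    return pow(G, r, P), (m * pow(pk, r, P)) % P

def reencrypt(pk, ct, s=None):
    """Homomorphic re-randomisation: multiply by an encryption of 1, so the
    plaintext is unchanged but the output is unlinkable to the input."""
    s = secrets.randbelow(Q) if s is None else s
    c1, c2 = ct
    return (c1 * pow(G, s, P)) % P, (c2 * pow(pk, s, P)) % P

def decrypt(sk, ct):
    c1, c2 = ct
    return (c2 * pow(c1, Q - sk, P)) % P  # c1^(Q-x) == c1^(-x) in the order-Q group

def shuffle(pk, cts):
    """One mix-server step: CSPRNG Fisher-Yates permutation, then re-encryption.
    perm is returned only for testing; a real mixer never reveals it."""
    perm = list(range(len(cts)))
    for i in range(len(perm) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        perm[i], perm[j] = perm[j], perm[i]
    return [reencrypt(pk, cts[i]) for i in perm], perm

def same_plaintexts(sk, inputs, outputs):
    """The statement the paper's ZK argument proves without revealing sk or the
    permutation; here checked directly with sk, for illustration only."""
    return sorted(decrypt(sk, c) for c in inputs) == sorted(decrypt(sk, c) for c in outputs)

def mix_and_check(messages):
    sk, pk = keygen()
    cts = [encrypt(pk, pow(G, m, P)) for m in messages]  # encode m as g^m
    outs, perm = shuffle(pk, cts)
    return same_plaintexts(sk, cts, outs), sorted(perm)
```

In a real mix-net no verifier holds sk, which is exactly why the zero-knowledge argument of the paper replaces the `same_plaintexts` check.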
