arxiv: v1 [cs.cr] 24 Jan 2019

Transcription

1 A Descrpton and Proof of a Generalsed and Optmsed Varant of Wkström s Mxnet Thomas Hanes arxv: v [cs.cr] 24 Jan 209 Introducton Polyas GmbH In ths paper, we descrbe an optmsed varant of Wkström s mxnet whch shuffles vectors of ElGamal cphertexts n parallel. We then show n detal that ths constructon s secure. A verfable shuffle takes a packet of cphertexts, whch t re-encrypts and shuffles to produce an output packet. More specfcally, a cryptographc shuffle of ElGamal encryptons e=e,...,e ) s another lst of ElGamal encryptons e =e,...,e ), whch contans the same plantexts m n permuted order. Gven e and e we may wsh to prove that they have ths relatonshp, ths called a proof of shuffle. Wkström s verfable mxnet as we refer to t here was frst presented n Proofs of Restrcted Shuffles by Terelus and Wkström[2], buldng on Wkström s prevous work n [3]. Specfcally we take the optmsed varant for ElGamal whch appears to be n common use; for nstance, t s presented n Haenn et al s pseudo-code algorthms for mplementng Wkström s verfable mxnet []. We extend the mxnet to support parallel shuffles, where each e and e are themselves vectors of related cphertexts. The possblty of dong ths s proven by the Wkström s result but we wsh to show that ths partcular nstance wth ts optmsatons s secure.) 2 otaton G q s a cyclc group of prme order q n whch both the decsonal and computatonal Dffe-Hellman problems are hard. We wll use the multplcatve notaton for the group operaton. As usually, byz q we denote the feld of ntegers modulo q. A s the set of vectors of length contanng elements of A. We wll denote vectors n bold, for nstance a. We wll denote the th element usng subscrpt; for nstance as a. Smlarly, A s the set of square matrces of order contanng elements of A. We wll denote matrces usng upper case letters, for nstance M. We wll denote the th column of M as M and the element th row and th column as M,. A matrx M, contanng only 0 and values, s a permutaton matrx, f every column and every row contans exactly one.

2 PC h,h m,r), for m,r Z q and h,h G q, s defned as h r h m note that h and h are group elements and hence the multplcaton here denotes the group multplcaton). PC h,h m,r) s known as a Pedersen commtment. EPC h,h,...,h m,r), for m Z q and r Z q, s defned as h r = hm otherwse known as an extended Pedersen commtment). C h,h,...,h M,r), for M Z q and r Z q, s c,...,c n ) where c = h r = hm,, whch means that c s the extended Pedersen commtment to the th column of M. Enc g,pk m,r) for m G q and r Z q sg r, pk r m) the ElGamal encrypton of the group element m) ReEnc g,pk e,r), for e G 2 q and r Z q se g r,e 2 pk r ). Enc g,pk m,r), for m G w q and r Z w q, s Enc g,pk m,r ),...,Enc g,pk m w,r w ) ReEnc g,pk e,r), for e G 2 q) w and r Z w q, s ReEnc g,pk e,r ),...,ReEnc g,pk e w,r w ) a,b, for a Z q and b Z q s = a b mod q. AB, for A Z n m q and B Z m w q th column s equal m k= A,kB k,, s a matrx nz n w where the value n the th row and Mx, for M Zq M and x Z q, s a vector of length M where th poston s equal to = M, x. ote that both ths and the next defnton are consstent wth treatng x as a column, and row vector respectvely, and applyng the defnton of matrx multplcaton defnton from above. xm, for M Z M q and x Z q, s a vector of length M where the th poston s equal to = x M,. ax, for a Z q and x Z q, s a vector of length where th poston s equal to ax. x a, for a Z q and x Z q, s a vector of length where th poston s equal to x a. For two vectors x,y Z q we some sometmes abuse notaton by wrtng x+y, x y, and x y to denote the parwse addton, multplcaton, and exponentaton of the vectors respectvely. For a matrx M, by π M we denote the permutaton of the set {,...,} defned by M, that s such a permutaton that for each vector x we have x=y π),...,y π) ), where y=mx. A bnary relaton R for a set statements of S and wtnesses W s a subset of the cartesan product of S and W. For two bnary relatons R and R, we denote by R R a relaton betweens S ) and W W ) the cartesan product of the statements and wtness of R and R. The relaton s sad to hold when both the subrelatons hold. For two bnary relatons R and R, we denote by R R a relaton betweens S ) and W W ). The relaton s sad to hold when ether subrelatons holds. For two bnary relatons R and R where W = W, we denote by R R a relaton between S S ) and W). The relaton s sad to hold when both the subrelatons hold. We wll abuse notaton by wrtng R R when W W but are both cartesan products wth subgroups n common. 2 q

3 3 Shuffle Proof - Descrpton and Proof Algorthm : Interactve ZK-Proof of Extended Shuffle Common Input :A group generator g G q, publc key pk G q, matrx commtment c G q, commtment parameters h,h,...,h G q, cphertext vectors e,...,e G 2 q) w and e,...,e G2 q) w. Prvate Input :Permutaton matrx M Zq, randomness r Z q and randomness R Zw q, such that c= C h,h,...,h M,r) and e = ReEnc g,pke πm ),R πm )). V chooses u Z q randomly and hands u to P. 2 P computes u = Mu. Then P chooses ˆr Z q at random and computes r = r + + r, r= r,u, ) r = ˆr + ˆr u, r = Ru = =+ P randomly chooses ˆω, ω Z q, ω,ω 2,ω 3 Z q, and ω 4 Z w q, and hands the followng values to V: ĉ 0 = h, ĉ = hˆr ĉ u {,...,}) t = h ω t 2 = h ω 2 t 3 = h ω 3 = hω t 4 = ReEnc g,pk = e ω, ω 4 ) ˆt = h ˆω ĉ ω {,...,}) 3 V chooses a challenge c Z q at random and sends t to P. 4 P then responds, s = ω + c r s 2 = ω 2 + c r s 3 = ω 3 + c r s 4 = ω 4 + c r ŝ= ˆω+ c ˆr s = ω + c u 5 V accepts f and only f t = = c / = h ) c h s t 2 =ĉ /h = u ) c h s 2 t 3 = = cu ) c h s 3 = hs t 4 = ReEnc g,pk = eu ) c = e s, s 4 ) ˆt = ĉ c hŝĉ s 3

4 Formal Securty Statement In the securty statement for the presented shuffle algorthm, we wll use the followng notaton. R com h,h,...,h )m,r,m,r ) s a relatonshp between the commtment parameters h,h,...,h ) andm,m Z q r,r Z q ) whch holds f and only f EPCm,r) = EPCm,r ) and m m. R π h,h,...,h,c)m,r) s the relatonshp between the commtment parametersh,h,...,h ), a commtment c G q, a permutaton matrx M Z q, and r Z q whch holds f C h,h,...,h M,r)=c. R shu f ReEnc g,pk g, pk,e,...,e ),e,...,e ))π M,r,...,r )), where π M s a permutaton of the set {,... }, s the relaton whch holds f an only f e = ReEnc g,pke πm ),r π M ) ). Proposton. Algorthm 2 s a perfectly complete, sound, and statstcal honest verfer zero-knowledge 4-message proof of the relatonshp R com R π R shu f ReEnc g,pk ). Snce t s nfeasble under the dscrete logarthm assumpton to fnd a par satsfyng R com. Thus, the proposton computatonally mples a proof of knowledge of R π R shu f ReEnc g,pk. That s for a statementh,h,...,h,c,g, pk,e,...,e ),e,...,e )) we can extract a wtness M,r,r,...,r )) such that R πh,h,...,h,c)m,r) and R shu f ReEnc g,pk g, pk,e,...,e ),e,...,e )) π M,r,...,r )), unless we fnd a dscrete log. To prove the proposton, one needs to show the correctness, the zero-knowledge, and the soundness propertes. For completeness of the presentaton, we demonstrate those propertes n the followng subsectons. Zero-knowledge The honest-verfer zero-knowledge smulator chooses ĉ,...,ĉ G q, ŝ,s,u Z q, s 4 Z w q, and s,s 2,s 3,c Z q randomly and defnes t,t 2,t 3,t 4,,ˆt by the equatons n step fve. We can observer that the statstcal dstance between a real and a smulated transcrpt s neglgble n q: u are dstrbuted unformly n Z q n both. ĉ,...,ĉ are dstrbuted unformly n both transcrpts. In the smulated one, t s easly seen by constructon. In the real transcrpt ĉ = gˆrĉ u, where ˆr R Z q, whch randomly dstrbutes them n G q as well. The challenge c s unformly dstrbuted n both In both transcrpts, S = s,s 2,s 3,s 4,ŝ,s are dstrbuted unformly n ther domans by ther defntons n the smulated transcrpt t s readly vsble; n the real transcrpt, t s because ω s are dstrbuted unformly). In both transcrpts, the above values determne the values of t,t 2,t 3,t 4,ˆt by the equatons of Step 5. 4

5 Correctness We wll now show the above protocol s correct, whch means that n an honest run, the verfer accepts the proof. We frst show the shape of honest ĉ. ĉ = hˆr h u by defnton of ĉ and ĉ 0 ĉ 2 = hˆr 2 c u 2 by defnton of ĉ 2 ĉ 2 = hˆr 2 hˆr h u )u 2 by defnton of ĉ ĉ 2 = hˆr 2+ˆr u 2 h u u 2 by algebrac manpulaton ĉ 2 = hˆr 2+ 2 = ˆr 2 =+ u h 2 = u by algebrac manpulaton ow we wll contnue by nducton: ĉ α = hˆrα ĉ u α α ĉ α = hˆr α hˆr α + α 2 = ˆr α =+ u h α = u by defnton of ĉ α ) u α by defnton of ĉ α nd. hypothess) ĉ α = hˆr α h α = ˆr α =+ u h α = u by algebrac manpulaton ĉ α = hˆr α+ α = ˆr α =+ u h α = u by algebrac manpulaton ow on to the man thng. ote that n the followng, we use the fact that c s a commtment to a permutaton matrx M and we wll use the defnton of a permutaton matrx). h = r = = c / h / = = t? = = c / h ω? = h ω? = = = h ) c? = h c r c / c / h ) c? = h c = r h c = r = h c = r = = = h ) c h s verfcaton defnton Step 5) h ) c h s by defnton of t h ) c h ω +c r by defnton of s by algebrac manpulaton by defnton of c and r by algebrac manpulaton 5

6 t 2? =ĉ /h = u ) c h s 2 verfcaton defnton h ω 2 h ω 2? =ĉ /h = u ) c h s 2 by defnton of t 2? =ĉ /h = u ) c h ω 2+c r by defnton of s 2 ĉ /h = u ) c? = h c r by algebrac manpulaton hˆr + = ˆr =+ u h = u /h = u ) c? = h c r by the propertes of ĉ h c ˆr + = ˆr =+ u )? = h c r by algebrac manpulaton and defnton of u h c ˆr + = ˆr =+ u ) = h c ˆr + = ˆr =+ u ) by defnton r = = = h ω 3 = h ω 3? t 3 = c u ) c h s 3 = h ω h ω = c u =? =? = c u = c u = ) c? = h c r = ) c h s 3 = = h s ) c h ω 3+c r h c u EPCM,r ) u ) c? = EPCc u,c r) Verfcaton defnton h s By defnton of t 3 = EPCM,r ) u ) c? = EPCc u,c r,u ) EPCu M,r,u )) c? = EPCc u,c r,u ) EPCMu, r,u )) c? = EPCc u,c r,u ) EPCc Mu,c r,u )? = EPCc u,c r,u ) h ω +c u By defnton of s 3 and s By algebrac manpulaton By defnton of c By defnton of r By algebrac manpulaton By algebrac manpulaton By algebrac manpulaton EPCc Mu,c r,u )=EPCc Mu,c r,u ) By defnton u 6

7 ReEnc = = =? t 4 = ReEnc e u ) c = e ω, ω 4 )? = ReEnc e ω Enc, ω 4 )? = e ω Enc, ω 4 )? = = = = = e u = e u = e ω? = e u = e ω? = e u = e u = ) c ) c ) c e s = e s = ) c = ) c = e s e s = e s = ), s 4 ) )Enc, s 4 ) Verfcaton defnton ), s 4 ) By defnton of t 4 By defnton of ReEnc )Enc, ω 4 c r ) By defnton of s 4 )Enc, c r ) e ω +c u By algebrac manpulaton, )Enc, c r ) By defnton of s e u ) c? = = e u ) c Enc, c r ) By algebrac manpulaton e u ) c? = e Enc,R )) u ) c Enc, c r ) By defnton of e and u = Enc,c r )? = = Enc pk,r ) u ) c Enc,c r )? = Enc,c Ru) Enc,c r )=Enc,c r ) By algebrac manpulaton By algebrac manpulaton By defnton of r h ˆωĉ ω h ˆωĉ ω ˆt? = ĉ c ĉ c? = ĉ c? = ĉ c hŝĉ s hŝĉ s? = h c ˆrĉ c u hˆrĉ u )c? = h c ˆrĉ c u h c ˆrĉ c u = hc ˆrĉ c u h ˆω +c ˆrĉ ω +c u Verfcaton defnton By defnton of ˆt By defnton of ŝ and s By algebrac manpulaton By defnton of ĉ By algebrac manpulaton Soundness We follow the structure of the orgnal proof, as presented n [2], and present the extractor n two parts. Frst, we show that, for two dfferent transcrpts wth the same u but dfferent c, we can extract wtness for certan sub-statements. In the extended extractor 7

8 we show that, gven wtnesses for these sub-statements whch hold for n dfferent u, we can extract wtness to the man statements. Basc extractor. Gven two acceptng transcrpts wth c c, the basc extractor computes u,ĉ,t,t 2,t 3,t 4,ˆt,c,s,s 2,s 3,s 4,ŝ,s ) u,ĉ,t,t 2,t 3,t 4,ˆt,c,s,s 2,s 3,s 4,ŝ,s ) r=s s )/c c ), r =s 2 s 2 )/c c ), r=s 3 s 3 )/c c ), r =s 4 s 4 )/c c ), ˆr=ŝ ŝ )/c c ), u =s s )/c c ). ote that we reuse symbols from the Algorthm. Whle they denote analogous enttes, they are not necessarly dentcal f the transcrpts have not been obtaned n the honest way). We wll prove that = c = EPC, r) c u = = EPCu, r) = e u = Enc pk,r ) = e u ĉ = PC h,ĉ u, ˆr ) ĉ = PC h,h The proof conssts of smple algebrac transformatons: = u,r ) = c ) c t = c ) c t h s / = h ) c h s / = h ) c ) c c = ) c c = h s s c c = h = = = = c c c EPC, s s c c )= c = EPC, r)= c = Tautology By the verfcaton defnton By algebrac manpulaton By defnton of EPC By defnton of r 8

9 = c u ) c t 3 = cu ) c t 3 h s 3 = hs h s 3 = h s h s 3 s 3 c c = h ) c c = ) c c = s s c c = = = = c u c u c u EPC s s c c, s 3 s 3 c c )= c u = EPCu, r)= c u = Tautology By verfcaton defnton By algebrac manpulaton By defnton of EPC By defnton of u and r = e ) u ) c t 4 = e ) u ) c t 4 = e )s Enc, s4 ) = e )s Enc, s 4 ) e s s c c = ) c c = = ) c c = = Enc, s 4 s 4 c c )= = e s s c c = = e u e u e u = Enc, s 4 s 4 c c ) = e u = Enc pk,r ) u e = e u Tautology By verfcaton defnton By algebrac manpulaton By algebrac manpulaton By defnton of r and u 9

10 ow, for each {,...,} ) ĉc c c ˆt = ĉ ˆt ĉ c h ŝĉ s hŝ ĉ s ) c c = ĉ h ŝ ŝ s s c c c c ĉ PC h,ĉ s s c c, ŝ ŝ c c )=ĉ PC h,ĉ u, ˆr )=ĉ Tautology By verfcaton defnton = ĉ By algebrac manpulatons By algebrac manpulatons By defnton of u and ˆr = u ĉc t 2 ĉ c t 2 h ) c h s 2 h = u ) c h s 2 ) c c = ĉ c c =ĉ Tautology By verfcaton defnton PC h s 2 s 2 c c h = u = ĉ By algebrac manpulaton = PC h,h u, s 2 s 2 c c )=ĉ = u,r )=ĉ By algebrac manpulaton By defnton of r Extended Extractor We now sketch the extended extractor whch, for a gven statement see the common nput n Algorthm ), for n dfferent wtnesses extracted by the basc extractor, produces the wtnesses to the man statement. Let the collectve output of the basc extractors be denoted as r,r, r Z n q, R Z W q the prmary challenges U Z q, and ˆR,U Z q extracted from. We denote by U the th column of U whch s the challenge vector from the th run of the basc extractor, and by U, the element of the challenge vector from the th run of the basc extractor. Frst note wth overwhelmng probablty the set of U s s lnearly ndependent, concretely the probablty s bounded by q 2 q. From lnear ndependence, t follows that ther exsts A Z q such that UA l s the lth standard unt vector nz q whch we wll denote by I l. A s the nverse of U. Clearly, 0

11 c l = c l = c l = c l = c l = c l = = c = U, A,l = c UA l ) snce UA l s I l = = = = = c l = EPC = c U, A,l ) c U, ) A,l EPCU, r ) A,l by defnton of UA l by algebrac manpulaton by algebrac manpulaton by some algebrac manpulaton and EPCU A,l, r A,l ) by algebrac manpulaton = c l = EPCU A l, r,a l ) U A,l, r,a l ) by algebrac manpulaton by algebrac manpulaton = c U, = EPCU, r ) Therefore, we can open c to the matrx M, where the lth column of M s U A l, wth randomness r,a l. In other words we open c= U A usng randomness ra. We expect M to be a permutaton matrx, but f t s not, then one can fnd a wtness to R com whch, as has been mentoned, can only happen wth neglgble probablty, under our securty assumptons). We extract n two dfferent ways dependng on whether M. Opton one If M, then let u = M and note that u and EPC, r )= = c = c = = EPCu, ra) n whch case we found a wtness breakng the commtment scheme. Opton two If M =, then recall Theorem from Proofs of Restrcted Shuffles, whch states that M s a permutaton matrx f and only f M= and = m,x = x = 0. Snce M = and M s not a permutaton matrx, then = m,x = x 0. The Schwartz Zppel says that f you sample, a non-zero polynomal, at a random pont the chance that t equals zero s neglgble n the order of the underlyng feld; hence, wth overwhelmng probablty there exsts {,...,} such = m,u = U, 0. Snce ths s true wth overwhelmng probablty, we requre t to be true and rewnd f ths s not

12 the case. Strctly speakng we should take + extractons from the basc extractor, f we recover a dfferent M we wn, f we get the same M then U l+ s actually ndependent of M and the lemma can be appled.) Let u = MU and note that u U Whch must be true snce U =, = =U, u = = U = = U follows from the base statements and = U = u by defnton of u and = m,u = U, 0. EPCU, r )= c U, = = EPCu, ra,u ) Ths completes the proof that M s a permutaton matrx or we have found a wtness to R com. The correctness of U We now show that U l = MU l for all l [,] or we can fnd a wtnesses to R com. Let u = MU l and by assumpton u U l. EPCU l, r l)= = c U,l = EPCu, ra,u l ) Extractng the randomness We havng shown that f M s not a permutaton matrx we can extract a wtness to R com. We now show that we can extract R Z w q such that e = 2

13 ReEnc pk e π),r π) ). = = e UA l ) snce UA l si l ) e = U, A,l by defnton of UA l 2) ) e U, A,l by algebrac manpulaton 3) = = A,l e = U, ) by algebrac manpulaton 4) = A,l e = U, Enc pk, R )) snce = e = U, A,l Enc pk, R A,l ) = = = = = = ) = e U, = = e U, Enc pk, R ) 5) by algebrac manpulaton 6) e = U, A,lEnc pk, R,A l ) by algebrac manpulaton 7) e U A l ) Enc pk, R,A l ) by algebrac manpulaton 8) e MUA l ) Enc pk, R,A l ) snce U = MU 9) e MI l ) Enc pk, R,A l ) snce UA l =I l 0) e M l ) Enc pk, R,A l ) snce MI l = M l ) e π M l)enc pk, R,A l ) by defnton of π M 2) We have now shown that ReEnc pk e l, R l,a l ) = e π l) ; hence, R l = R l,a l whch concludes the proof. 3) References. Rolf Haenn, Phlpp Locher, Reto Koeng, and Erc Dubus. Pseudo-code algorthms for verfable reencrypton mx-nets. In Internatonal Conference on Fnancal Cryptography and Data Securty, pages Sprnger,

14 2. Börn Terelus and Douglas Wkström. Proofs of Restrcted Shuffles. In Danel J. Bernsten and Tana Lange, edtors, Progress n Cryptology - AFRICACRYPT 200, Thrd Internatonal Conference on Cryptology n Afrca, volume 6055 of Lecture otes n Computer Scence, pages Sprnger, Douglas Wkström. A commtment-consstent proof of a shuffle. In Australasan Conference on Informaton Securty and Prvacy, pages Sprnger,