How to Shuffle in Public

Size: px

Start display at page:

Download "How to Shuffle in Public"

Samuel Hunt
6 years ago
Views:

1 How to Shuffle in Public Ben Adida Harvard (work done at MIT) Douglas Wikström ETH Zürich TCC 27 February 24th, 27

2 How to Shuffle in Public Ben Adida Harvard (work done at MIT) Douglas Wikström ETH Zürich TCC 27 February 24th, 27

4 Rogers precinct, with more than 1 percent voter turnout, alarmed both of them.

5 Rogers precinct, with more than 1 percent voter turnout, alarmed both of them.

6 Rogers precinct, with more than 1 percent voter turnout, alarmed both of them.

7 Rogers precinct, with more than 1 percent voter turnout, alarmed both of them.

8 Voting with Cryptographic Verification (1) Alice verifies her vote. (2) Everyone verifies tallying. (3) Alice cannot be coerced by Eve. [Chaum81], [Benaloh85], [PIK93], [BenalohTuinstra92], [SK94], [Abe98], [CFSY96], [CGS97], [BFPSP21], [Neff21], [FS21],[Chaum24], [Neff24], [Ryan24], [Chaum25], [W24], [W25], [WG25], [MN26]

9 Verification Ballot Data Flow

10 Alice Bridget encryption Encrypted Votes Verification Ballot Data Flow

11 Alice Bridget encryption Encrypted Votes Verification Ballot Data Flow

12 Alice Bridget encryption Encrypted Votes anonymization Verification Ballot Data Flow

13 decryption Alice Bridget encryption Encrypted Votes anonymization Verification Ballot Data Flow

14 decryption Alice Bridget encryption Encrypted Votes anonymization Tally Results Verification Ballot Data Flow

15 decryption Alice Bridget encryption Encrypted Votes anonymization Tally Registration Database Results Verification Ballot Data Flow

16 decryption Alice Bridget encryption Encrypted Votes anonymization Tally Registration Database Results Verification Ballot Data Flow

17 Mixnet [Chaum81, PP9, PIK93, SK94,..]

18 Mixnet [Chaum81, PP9, PIK93, SK94,..] George

19 Mixnet [Chaum81, PP9, PIK93, SK94,..] George Jacques

20 Mixnet [Chaum81, PP9, PIK93, SK94,..] George Jacques Mahmoud

21 Mixnet [Chaum81, PP9, PIK93, SK94,..] George Jacques Mahmoud Each mix server shuffles and reencrypts (or partially decrypts) inputs.

22 Proving the Mix [Neff21, FS21, ] c 1 c 2 c 1 c 2 c i = Reenc(c π(i), r i ) c N George c N

23 Proving the Mix [Neff21, FS21, ] c 1 c 2 c 1 c 2 c i = Reenc(c π(i), r i ) c N George c N ZKPoK [π, {r i }]

24 Proving the Mix [Neff21, FS21, ] c 1 c 2 c 1 c 2 c i = Reenc(c π(i), r i ) c N George c N ZKPoK [π, {r i }] George can t cheat.

25 Proving the Mix [Neff21, FS21, ] c 1 c 2 c 1 c 2 c i = Reenc(c π(i), r i ) c N George c N ZKPoK [π, {r i }] George can t cheat. π and{r i } stay private.

26 Private vs. Public Private Public c 1 c 2 c 1 c 2 c N c N

27 Private vs. Public Private π, {r i} Public c 1 c 2 c 1 c 2 c N c N

28 Private vs. Public Private π, {r i} Public c 1 c 2 c 1 c 2 c N c N what if we could replace the private mixnet with a public program?

29 Private vs. Public Private π, {r i} Public c 1 c 2 c 1 c 2 c N c N what if we could replace the private mixnet with a public program?

30 Private vs. Public Private π, {r i} Public c 1 c 2 P c 1 c 2 c N c N what if we could replace the private mixnet with a public program?

31 Private vs. Public Private π, {r i} Public c 1 c 2 P c 1 c 2 c N c N what if we could replace the private mixnet with a public program?

32 So What? π, {r i} public program anyone can run it c 1 c 2 c N P c 1 c 2 c N pre-proven all proofs before mixing interesting! to obfuscate such a functionality

33 So What? π, {r i} public program anyone can run it c 1 c 2 c N P c 1 c 2 c N pre-proven all proofs before mixing interesting! to obfuscate such a functionality Can it really be done? [BGIRSVY21, GT-K25]

34 Our Results horribly inefficient generic construction (somewhat) efficient public-shuffle constructions using either BGN or Paillier cryptosystem (somewhat) efficient distributed generation of a public shuffle program a new class of obfuscatable programs under [OS25] or [BGIRSVY21]

35 A Generic Construction Two homomorphic cryptosystems Message Space of first contains Ciphertext Space of second Inefficient and less interesting than specific constructions (esp. decryption)

36 [BGN25] BGN Cryptosystem G 1, G 2, order n = p 1 p 2 e : G 1 G 1 G 2 e(g a, h b ) = e(g, h) ab g a h b e Z ab G 1 G 2

37 [BGN25] BGN Cryptosystem G 1, G 2, order n = p 1 p 2 e : G 1 G 1 G 2 e(g a, h b ) = e(g, h) ab g a h b e Z ab G 1 G 2 pk = (n, g, h = u p 1 ) sk = p 2

38 [BGN25] BGN Cryptosystem G 1, G 2, order n = p 1 p 2 e : G 1 G 1 G 2 e(g a, h b ) = e(g, h) ab g a h b e Z ab G 1 G 2 pk = (n, g, h = u p 1 ) sk = p 2 Enc pk (m) = g m h r Dec sk (c) = log g p 2 (c p 2 )

39 [BGN25] BGN Cryptosystem G 1, G 2, order n = p 1 p 2 e : G 1 G 1 G 2 e(g a, h b ) = e(g, h) ab g a h b e Z ab G 1 G 2 pk = (n, g, h = u p 1 ) sk = p 2 Enc pk (m) = g m h r Dec sk (c) = log g (c p 2 ) p 2 Enc pk (m 1 ) Enc pk (m 2 ) = Enc pk (m 1 + m 2 )

40 [BGN25] BGN Cryptosystem G 1, G 2, order n = p 1 p 2 e : G 1 G 1 G 2 e(g a, h b ) = e(g, h) ab g a h b e Z ab G 1 G 2 pk = (n, g, h = u p 1 ) sk = p 2 Enc Dec sk (c) = log g (c p 2 pk (m) = g m h r ) p 2 Enc pk (m 1 ) Enc pk (m 2 ) = Enc pk (m 1 + m 2 ) e(enc pk (m 1 ), Enc pk (m 2 )) = Enc pk (m 1 m 2 )

41 Oblivious Cancellation / Selection Enc pk (m) Enc pk () = Enc pk () Enc pk (m) Enc pk (1) = Enc pk (m) Enc pk () and Enc pk (1) are indistinguishable

42 Oblivious Cancellation / Selection Enc pk (m) Enc pk () = Enc pk () Enc pk (m) Enc pk (1) = Enc pk (m) Enc pk () and Enc pk (1) are indistinguishable Clearly Useful for PIR and OT [BGN25]. In fact, it s more powerful still.

43 Matrix Multiplication a a 1l a a 2l..... b b 1n b b 2n..... = c c 1n c c 2n..... a n1... a nl b l1... b ln c m1... c mn c ij = l a ik b kj k=1 Degree is exactly 2: only one multiplication!

44 Homomorphic MM m 1 m 2 m 3 m 4 m 5 = m 3 m 1 m 5 m 2 m 4

45 Homomorphic MM m 1 m 2 m 3 m 4 m 5 = m 3 m 1 m 5 m 2 m 4 Homomorphic matrix multiplication by an encrypted permutation matrix = Shuffling in Public!

46 Shuffling in Public Private π Public

47 Shuffling in Public Private π Public

48 Shuffling in Public Private π {r i } 1... Public

49 Shuffling in Public Private π Public c 1 c {r i } c N 1...

50 Shuffling in Public Private π {r i } 1... Public c 1 c = c 1 c 2 c N 1... c N

51 Shuffling in Public Private π {r i } 1... Public c 1 c P = c 1 c 2 c N 1... c N

52 Why Did We Succeed? [BGIRSVY21, GT-K25] tell us generic obfuscation is hard. Functionality defined on the plaintexts; we re only dealing with ciphertexts under the covers of encryption

53 Why Did We Succeed? [BGIRSVY21, GT-K25] tell us generic obfuscation is hard. Functionality defined on the plaintexts; we re only dealing with ciphertexts under the covers of encryption We don t know that this is really a permutation matrix! We must prove correct functionality.

54 Proving the Matrix is an encrypted permutation matrix? Use Proof of Partial Knowledge [CDS94] to show that each element is either or 1. Homomorphically compute the row and column sums and prove that they re all equal to 1. N 2 proofs. Not so great.

55 Proving the Matrix (better)

56 Proving the Matrix (better) t 1... t N

57 Proving the Matrix (better) t 1 = c 1... t N c N

58 Proving the Matrix (better) t 1 = c 1... t N c N Proof by Random Vector Challenge

59 Proving the Matrix (better) t 1 = c 1... t N c N Proof by Random Vector Challenge Neff: O(N) proof.

60 Proving the Matrix (better) t 1 = c 1... t N c N Proof by Random Vector Challenge Neff: O(N) proof. N 2 computation, N proofs.

61 Mixing more than once? George Jacques

62 Mixing more than once? George Jacques Not with BGN bilinear map Only one multiplication.

63 Distributed Generation

64 Distributed Generation George

65 Distributed Generation George Jacques

66 Distributed Generation George Jacques Use a Mixnet to shuffle the matrix rows

67 Distributed Generation George Jacques Use a Mixnet to shuffle the matrix rows Prove each one using Random Vector Test

68 Encapsulated Mixing Capture the shuffle actions of the mix servers. Prove that everything went well. Replay them on the encrypted inputs when they re available.

69 [DJ21] Generalized Paillier Enc pk (m) = g m h r 2 mod n 2

70 [DJ21] Generalized Paillier Enc pk (m) = g m h r 2 mod n 2 Enc pk,2 (m) = g m h r 3 mod n 3

71 [DJ21] Generalized Paillier Enc pk (m) = g m h r 2 mod n 2 Enc pk,2 (m) = g m h r 3 mod n 3 generator of n 2 residues

72 [DJ21] Generalized Paillier Enc pk (m) = g m h r 2 mod n 2 Enc pk,2 (m) = g m h r 3 mod n 3 generator of n 2 residues Enc pk,2 (Enc pk (m)) = g gm h r 2 h s 3 mod n 3

73 GP Homomorphisms

74 GP Homomorphisms m = m =

75 GP Homomorphisms m = m = m = m = + m = m

76 GP Homomorphisms m = m = m = m = + m = m m = + m = m

77 GP Public Shuffle m 1 m 2 m 3 = m 4 m 5 m 31 m 12 m 53 m 2 m 4 m 4 m 5

78 GP Public Shuffle m 1 m 2 m 3 = m 4 m 5 m 31 m 12 m 53 m 2 m 4 m 4 m 5 Full-length plaintexts

79 GP Public Shuffle m 1 m 2 m 3 = m 4 m 5 m 31 m 12 m 53 m 2 m 4 m 4 m 5 Full-length plaintexts Faster computation (modexp vs. BM)

80 GP Public Shuffle m 1 m 2 m 3 = m 4 m 5 m 31 m 12 m 53 m 2 m 4 m 4 m 5 Full-length plaintexts Faster computation (modexp vs. BM) More complicated distributed generation

81 GP Proof of Double Reenc

82 GP Proof of Double Reenc

83 GP Proof of Double Reenc

84 GP Proof of Double Reenc = + =

85 GP Proof of Double Reenc = + = DREEnc(c, r, s) = c hr 2 h s 3 mod n 3

86 GP Proof of Double Reenc = + = DREEnc(c, r, s) = c hr 2 h s 3 mod n 3 (r, s)

87 GP Proof of Double Reenc = + = DREEnc(c, r, s) = c hr 2 h s 3 mod n 3 (r, s) (r, s )

88 GP Proof of Double Reenc = + = DREEnc(c, r, s) = c hr 2 h s 3 mod n 3 (r, s) (r, s ) (r r, s s h r r 2 )

89 GP Proof of Double Reenc = + = DREEnc(c, r, s) = c hr 2 h s 3 mod n 3 (r, s) (r, s ) (r r, s s h r r 2 )

90 Dist. Gen. of Diagonal

91 Dist. Gen. of Diagonal

92 Dist. Gen. of Diagonal

93 Dist. Gen. of Matrix...

94 Dist. Gen. of Matrix

95 Dist. Gen. of Matrix

96 Dist. Gen. of Matrix

97 Dist. Gen. of Matrix Proof with Random Vector Test.

98 Obfuscation Model c 1 c 1 c 1 c 1 c 2 S P c 2 c 2 O(P) c 2 c N c N c N c N

99 Obfuscation Model c 1 c 1 c 1 c 1 c 2 S P c 2 c 2 O(P) c 2 c N c N c N c N [BGIRSVY21] and [GT-K25] Models

100 Obfuscation Model c 1 c 1 c 1 c 1 c 2 S P c 2 c 2 O(P) c 2 c N c N c N c N [BGIRSVY21] and [GT-K25] Models simulation by generation of a new, random encrypted permutation matrix, based on semantic security (IND-CPA)

101 Obfuscation Model c 1 c 1 c 1 c 1 c 2 S P c 2 c 2 O(P) c 2 c N c N c N c N [BGIRSVY21] and [GT-K25] Models simulation by generation of a new, random encrypted permutation matrix, based on semantic security (IND-CPA) still need to capture indistinguishability of two obfuscated shuffles.

102 Obfuscation Model (II): BGN c 1 c 2 O(P) c 1 c 2 Dec Dec m 1 m 2... c N c N Dec m N Indistinguishability

103 Obfuscation Model (II): BGN c 1 c 2 O(P) P c 1 c 2 Dec Dec m 1 m 2... c N c N Dec m N Indistinguishability

104 Obfuscation Model (II): BGN c 1 c 2 O(P) P c 1 c 2 Dec Dec m 1 m 2... c N c N Dec m N Indistinguishability [OS25]: public-key obfuscation

105 Obfuscation Model (II): BGN c 1 c 2 O(P) P c 1 c 2 Dec Dec m 1 m 2... c N c N Dec m N Indistinguishability [OS25]: public-key obfuscation with a twist: the program can depend on the cryptosystem: in this case the program decrypts

106 The Paillier Case c 1 c 2 O(P) c 1 c 2 Dec Dec c 1 c 2 Dec Dec m 1 m 2... c N c N Dec c n Dec m N Indistinguishability Reencryption Shuffle

107 The Paillier Case c 1 c 2 O(P) P c 1 c 2 Dec Dec c 1 c 2 Dec Dec m 1 m 2... c N c N Dec c n Dec m N Indistinguishability Reencryption Shuffle

108 Proof Ideas IND-CPA IND of encrypted matrices easy reduction using homomorphic properties UC Proof of Ideal Mixnet realization fill in corrupted inputs by extraction from simulation of F ZK fake decryption by using plaintexts returned by F MN indistinguishability of fake encrypted honest inputs given IND-CPA of cryptosystem (hybrid argument). indistinguishability of fake decryption by extraction of shuffle permutation (without SK) and correction of permutation by one honest mix server, given IND-CPA of cryptosystem (simulation of F CF ).

109 Shuffling in Public All proofs done prior to shuffling Shuffling becomes entirely deterministic Efficient enough for precinct-based elections

110 Shuffling in Public All proofs done prior to shuffling Shuffling becomes entirely deterministic Efficient enough for precinct-based elections Future Directions Better than O(N 2 )? Other obfuscations using unexpected homomorphic properties? Plugging in latest NIZK techniques

Evaluating 2-DNF Formulas on Ciphertexts

Evaluating 2-DNF Formulas on Ciphertexts Dan Boneh, Eu-Jin Goh, and Kobbi Nissim Theory of Cryptography Conference 2005 Homomorphic Encryption Enc. scheme is homomorphic to function f if from E[A], E[B],