A SHUFFLE ARGUMENT SECURE IN THE GENERIC MODEL

Size: px

Start display at page:

Download "A SHUFFLE ARGUMENT SECURE IN THE GENERIC MODEL"

Myron Booth
6 years ago
Views:

1 A SHUFFLE ARGUMENT SECURE IN THE GENERIC MODEL Prastudy Fauzi, Helger Lipmaa, Michal Zajac University of Tartu, Estonia ASIACRYPT 2016

2 OUR RESULTS A new efficient CRS-based NIZK shuffle argument

3 OUR RESULTS A new efficient CRS-based NIZK shuffle argument Four+ times more efficient verification than in prior work

4 OUR RESULTS A new efficient CRS-based NIZK shuffle argument Four+ times more efficient verification than in prior work Verification time more critical

5 OUR RESULTS A new efficient CRS-based NIZK shuffle argument Four+ times more efficient verification than in prior work Verification time more critical Soundness proof in the Generic Bilinear Group Model

6 OUR RESULTS A new efficient CRS-based NIZK shuffle argument Four+ times more efficient verification than in prior work Verification time more critical Soundness proof in the Generic Bilinear Group Model Very complicated machine-assisted proof

7 OUR RESULTS A new efficient CRS-based NIZK shuffle argument Four+ times more efficient verification than in prior work Verification time more critical Soundness proof in the Generic Bilinear Group Model Very complicated machine-assisted proof Use computer algebra to solve systems of polyn. eq.

8 OUR RESULTS A new efficient CRS-based NIZK shuffle argument Four+ times more efficient verification than in prior work Verification time more critical Soundness proof in the Generic Bilinear Group Model Very complicated machine-assisted proof Use computer algebra to solve systems of polyn. eq. Esp. to find Gröbner bases

9 A BIT OF MOTIVATION: E-VOTING

10 A BIT OF MOTIVATION: E-VOTING

11 A BIT OF MOTIVATION: E-VOTING

12 A BIT OF MOTIVATION: E-VOTING Lesson from the past: It is not voters who counts, but who counts the votes - Can we get away with that? - I m 140% sure!

13 A BIT OF MOTIVATION: E-VOTING Lesson from the past: It is not voters who counts, but who counts the votes Anonymity Correctness - Can we get away with that? - I m 140% sure!

14 A BIT OF MOTIVATION: E-VOTING Lesson from the past: It is not voters who counts, but who counts the votes Anonymity Correctness Data is public (Data, source) is private - Can we get away with that? - I m 140% sure!

15 SIMPLE MIX-NETS

16 SIMPLE MIX-NETS c 1 =Enc pk (m 1 ) c 2 =Enc pk (m 2 ) c 3 =Enc pk (m 3 )

17 SIMPLE MIX-NETS c 1 =Enc pk (m 1 ) π, r d 1 =c π(1) c 2 =Enc pk (m 2 ) d 2 =c π(2) c 3 =Enc pk (m 3 ) d 3 =c π(3) Encryption protects against eavesdropping on the Internet

18 SIMPLE MIX-NETS c 1 =Enc pk (m 1 ) π, r ψ,s d 1 =c π(1) e 1 =d ψ(1) c 2 =Enc pk (m 2 ) d 2 =c π(2) e 2 =d ψ(2) c 3 =Enc pk (m 3 ) d 3 =c π(3) e 3 =d ψ(3) Encryption protects against eavesdropping on the Internet

19 SIMPLE MIX-NETS π, r ψ,s sk c 1 =Enc pk (m 1 ) d 1 =c π(1) e 1 =d ψ(1) c 2 =Enc pk (m 2 ) d 2 =c π(2) e 2 =d ψ(2) m ψ(π(1)) m ψ(π(2)) c 3 =Enc pk (m 3 ) d 3 =c π(3) e 3 =d ψ(3) m ψ(π(3)) Encryption protects against eavesdropping on the Internet

20 SIMPLE MIX-NETS Anonymity π, r ψ,s sk c 1 =Enc pk (m 1 ) d 1 =c π(1) e 1 =d ψ(1) c 2 =Enc pk (m 2 ) d 2 =c π(2) e 2 =d ψ(2) m ψ(π(1)) m ψ(π(2)) c 3 =Enc pk (m 3 ) d 3 =c π(3) e 3 =d ψ(3) m ψ(π(3)) Encryption protects against eavesdropping on the Internet Private against each individual server

21 SIMPLE MIX-NETS Anonymity Correctness π, r ψ,s sk c 1 =Enc pk (m 1 ) d 1 =c π(1) e 1 =d ψ(1) c 2 =Enc pk (m 2 ) d 2 =c π(2) e 2 =d ψ(2) m ψ(π(1)) m ψ(π(2)) c 3 =Enc pk (m 3 ) d 3 =c π(3) e 3 =d ψ(3) m ψ(π(3)) Encryption protects against eavesdropping on the Internet Private against each individual server Not enough: what if a server cheats?

22 ACCOUNTABLE MIX-NETS pk, π, r pk, ψ,s sk c 1 =Enc pk (m 1 ) d 1 =c π(1) e 1 =d ψ(1) c 2 =Enc pk (m 2 ) d 2 =c π(2) e 2 =d ψ(2) m ψ(π(1)) m ψ(π(2)) c 3 =Enc pk (m 3 ) d 3 =c π(3) e 3 =d ψ(3) m ψ(π(3))

23 ACCOUNTABLE MIX-NETS proof pk, π, r pk, ψ,s sk c 1 =Enc pk (m 1 ) d 1 =c π(1) e 1 =d ψ(1) c 2 =Enc pk (m 2 ) d 2 =c π(2) e 2 =d ψ(2) m ψ(π(1)) m ψ(π(2)) c 3 =Enc pk (m 3 ) Prove that shuffling was correct, send proof to the next server d 3 =c π(3) e 3 =d ψ(3) m ψ(π(3))

24 ACCOUNTABLE MIX-NETS proof proof c 1 =Enc pk (m 1 ) pk, π, r pk, ψ,s sk d 1 =c π(1) e 1 =d ψ(1) c 2 =Enc pk (m 2 ) c 3 =Enc pk (m 3 ) Prove that shuffling was correct, send proof to the next server d 2 =c π(2) d 3 =c π(3) Verify all previous proofs, shuffle, create your own proof e 2 =d ψ(2) e 3 =d ψ(3) m ψ(π(1)) m ψ(π(2)) m ψ(π(3))

25 ACCOUNTABLE MIX-NETS proof proof c 1 =Enc pk (m 1 ) pk, π, r pk, ψ,s sk d 1 =c π(1) e 1 =d ψ(1) c 2 =Enc pk (m 2 ) c 3 =Enc pk (m 3 ) Prove that shuffling was correct, send proof to the next server d 2 =c π(2) d 3 =c π(3) Verify all previous proofs, shuffle, create your own proof e 2 =d ψ(2) e 3 =d ψ(3) Verify all proofs m ψ(π(1)) m ψ(π(2)) m ψ(π(3))

=Enc pk (m 3 ) Prove that shuffling was correct, send proof to the next server d 3 =c π(3)

26 ACCOUNTABLE MIX-NETS Anonymity Correctness proof proof c 1 =Enc pk (m 1 ) pk, π, r pk, ψ,s sk d 1 =c π(1) e 1 =d ψ(1) c 2 =Enc pk (m 2 ) d 2 =c π(2) e 2 =d ψ(2) m ψ(π(1)) m ψ(π(2)) c 3 =Enc pk (m 3 ) Prove that shuffling was correct, send proof to the next server d 3 =c π(3) Verify all previous proofs, shuffle, create your own proof e 3 =d ψ(3) Verify all proofs m ψ(π(3))

27 SHUFFLE ARGUMENT Shuffle argument: efficient zero knowledge argument of correctness of shuffling Mix-server permutes ciphertexts, re-encrypt them and provides a proof that he has done it correctly.

28 SHUFFLE ARGUMENT Shuffle argument: efficient zero knowledge argument of correctness of shuffling Mix-server permutes ciphertexts, re-encrypt them and provides a proof that he has done it correctly. Existing CRS model arguments not very efficient

29 CRS-BASED SHUFFLE ARGUMENTS Assumption proposed in that paper, proof in GBGM Assmpt. proposed 2010+, but not in that paper, proof in GBGM Lipmaa-Zhang (2012) Fauzi-Lipmaa (2016) This paper CRS length 7n + 6 8n n + 14 Communic. 12n n + 2 7n + 3 P comp. (units) V comp. (units) GBGM? PSDL, DLIN (comp.) TSDH, PCDH, PSP (comp.) Pure GBGM Soundness KE, PKE (knowledge) Full 2x PKE (knowledge) Culpable Full n: number of ciphertexts (say 100,000) 1 unit = n million machine cycles According to speed records on BN curves

30 ZERO KNOWLEDGE: CRS MODEL crs

31 ZERO KNOWLEDGE: CRS MODEL x, w crs

32 ZERO KNOWLEDGE: CRS MODEL crs x, w x

33 ZERO KNOWLEDGE: CRS MODEL crs x, w x P(crs,x,w)=π: Proof of x L

34 ZERO KNOWLEDGE: CRS MODEL crs x, w x P(crs,x,w)=π: Proof of x L V(crs,x,π): Accepts or rejects

35 ZERO KNOWLEDGE: CRS MODEL td crs x, w x P(crs,x,w)=π: Proof of x L V(crs,x,π): Accepts or rejects

36 ZERO KNOWLEDGE: CRS MODEL td crs Sim(crs,td,x)=π: Proof of x L x, w x P(crs,x,w)=π: Proof of x L V(crs,x,π): Accepts or rejects

37 ZERO KNOWLEDGE: CRS MODEL Correctness Soundness Zero knowledge crs td Sim(crs,td,x)=π: Proof of x L x, w x P(crs,x,w)=π: Proof of x L V(crs,x,π): Accepts or rejects

38 BILINEAR PAIRINGS

39 BILINEAR PAIRINGS Three cyclic groups of the same order q: G 1, G 2, G T

40 BILINEAR PAIRINGS Three cyclic groups of the same order q: G 1, G 2, G T Generators g 1 of G 1, g 2 of G 2, g T of G T

41 BILINEAR PAIRINGS Three cyclic groups of the same order q: G 1, G 2, G T Generators g 1 of G 1, g 2 of G 2, g T of G T Bilinear map: e: G 1 x G 2 G T

42 BILINEAR PAIRINGS Three cyclic groups of the same order q: G 1, G 2, G T Generators g 1 of G 1, g 2 of G 2, g T of G T Bilinear map: e: G 1 x G 2 G T Requirements: Efficiently computable Non-degeneracy: e (g 1, g 2 ) 1 Bilinearity: e (g 1a, g 2b ) = e (g 1, g 2 ) ab

43 ASSUMPTIONS & PAIRINGS Inverting pairings should be hard

44 ASSUMPTIONS & PAIRINGS Inverting pairings should be hard Given e (A, B), compute either A or B

45 ASSUMPTIONS & PAIRINGS Inverting pairings should be hard Given e (A, B), compute either A or B Analogous to DL: given g a, compute a

46 ASSUMPTIONS & PAIRINGS Inverting pairings should be hard Given e (A, B), compute either A or B Analogous to DL: given g a, compute a What else should be hard?

47 NON-GENERIC APPROACH Protocol

48 NON-GENERIC APPROACH Assumption 1 (known) Protocol Assumption m (known)

49 NON-GENERIC APPROACH Assumption 1 (known) Protocol Assumption m (known) Assumption m+1 (new) Assumption m+m (new)

50 NON-GENERIC APPROACH Assumption 1 (known) Protocol Assumption m (known) Assumption m+1 (new) Assumption m+m (new) Generic Model

51 NON-GENERIC APPROACH Assumption 1 (known) Protocol Assumption m (known) Assumption m+1 (new) Assumption m+m (new) Generic Model Pro: nice if m is not big, or most assumptions are well-known, or

52 NON-GENERIC APPROACH Assumption 1 (known) Protocol Assumption m (known) Assumption m+1 (new) Assumption m+m (new) Generic Model Pro: nice if m is not big, or most assumptions are well-known, or Con: each arrow might mean a loss in efficiency

53 GENERIC MODEL APPROACH Protocol Generic Model Con: proof in GGM is only for restricted adversaries Pro: only one arrow, thus smaller loss in efficiency

54 GENERIC BILINEAR GROUP MODEL Meta-Assumption: adversary only has access to

55 GENERIC BILINEAR GROUP MODEL Meta-Assumption: adversary only has access to group operations, bilinear map, equality tests

56 GENERIC BILINEAR GROUP MODEL Meta-Assumption: adversary only has access to group operations, bilinear map, equality tests Each computed element in G i (i=1, 2) is given by group operation of two already known elements

57 GENERIC BILINEAR GROUP MODEL Meta-Assumption: adversary only has access to group operations, bilinear map, equality tests Each computed element in G i (i=1, 2) is given by group operation of two already known elements Recursively, DL of each computed element is a known polynomial of some indeterminates

58 GENERIC BILINEAR GROUP MODEL Meta-Assumption: adversary only has access to group operations, bilinear map, equality tests Each computed element in G i (i=1, 2) is given by group operation of two already known elements Recursively, DL of each computed element is a known polynomial of some indeterminates Note: we do not handle G T as a generic group

59 SOUNDNESS IN GBGM

60 SOUNDNESS IN GBGM X 1 X s Random variables (TTP)

61 SOUNDNESS IN GBGM Polynomials (TTP knows X) X 1 [X] = g X {[f 1i (X)] 1 } {[f 2i (X)] 2 } X s Random variables (TTP) CRS (TTP)

62 SOUNDNESS IN GBGM Polynomials (TTP knows X) Linear combinations (only group operation) X 1 [X] = g X {[f 1i (X)] 1 } {[g 1i (X) =Σ i a 1i f 1i (X)] 1 } {[f 2i (X)] 2 } {[g 2i (X) =Σ i a 2i f 2i (X)] 1 } X s Random variables (TTP) CRS (TTP) Outputs in argument (adversary)

63 SOUNDNESS IN GBGM Polynomials (TTP knows X) Linear combinations (only group operation) Quadratic tests (can use bilinear map) X 1 [X] = g X V 1 (X)=Σ ij b 1ij h 1i (X) h 2i (X)=0 {[f 1i (X)] 1 } {[g 1i (X) =Σ i a 1i f 1i (X)] 1 } {[f 2i (X)] 2 } {[g 2i (X) =Σ i a 2i f 2i (X)] 1 } V u (X)=Σ ij b uij h 1i (X) h 2i (X)=0 X s Random variables (TTP) CRS (TTP) Outputs in argument (adversary) Verifications (verifier) {h ji } = {f ji, h ji }

64 SOUNDNESS IN GBGM jth verification equation ascertains V j (X) = 0

65 SOUNDNESS IN GBGM jth verification equation ascertains V j (X) = 0 Solve system of polynomial equations {V j (X) = 0} in coefficients a ji chosen by the adversary

66 SOUNDNESS IN GBGM jth verification equation ascertains V j (X) = 0 Solve system of polynomial equations {V j (X) = 0} in coefficients a ji chosen by the adversary Show that solution s coefficients are nice

67 SOUNDNESS IN GBGM jth verification equation ascertains V j (X) = 0 Solve system of polynomial equations {V j (X) = 0} in coefficients a ji chosen by the adversary Show that solution s coefficients are nice = restricted to be as in the honest case

68 INTUITION: CONSTRUCTING ARGUMENT Decomposing:

69 INTUITION: CONSTRUCTING ARGUMENT Decomposing: Write down main building blocks you need to prove in argument

70 INTUITION: CONSTRUCTING ARGUMENT Decomposing: Write down main building blocks you need to prove in argument Each subargument should be efficiently verifiable (by a single pairing)

71 INTUITION: CONSTRUCTING ARGUMENT Decomposing: Write down main building blocks you need to prove in argument Each subargument should be efficiently verifiable (by a single pairing) Ascertain each subargument is sound independently

72 INTUITION: CONSTRUCTING ARGUMENT Decomposing: Write down main building blocks you need to prove in argument Each subargument should be efficiently verifiable (by a single pairing) Ascertain each subargument is sound independently CRS composition:

73 INTUITION: CONSTRUCTING ARGUMENT Decomposing: Write down main building blocks you need to prove in argument Each subargument should be efficiently verifiable (by a single pairing) Ascertain each subargument is sound independently CRS composition: Compose CRS-s of individual subarguments together, getting one big CRS

74 INTUITION: CONSTRUCTING ARGUMENT

75 INTUITION: CONSTRUCTING ARGUMENT

76 INTUITION: CONSTRUCTING ARGUMENT Soundness check: Is the composed protocol sound? Subarguments get extra inputs in CRS If not: introduce new random variables that guarantee CRS elements are used in only correct subarguments, reiterate

77 SUBARGUMENTS Permutation matrix argument :

78 SUBARGUMENTS Permutation matrix argument : Prover commits to permutation; proves this is done correctly

79 SUBARGUMENTS Permutation matrix argument : Prover commits to permutation; proves this is done correctly Consistency argument :

80 SUBARGUMENTS Permutation matrix argument : Prover commits to permutation; proves this is done correctly Consistency argument : Prover proves she used the committed permutation to shuffle ciphertexts

81 SUBARGUMENTS Permutation matrix argument : Prover commits to permutation; proves this is done correctly Consistency argument : Prover proves she used the committed permutation to shuffle ciphertexts Validity argument :

82 SUBARGUMENTS Permutation matrix argument : Prover commits to permutation; proves this is done correctly Consistency argument : Prover proves she used the committed permutation to shuffle ciphertexts Validity argument : Prover proves each ciphertext has been formed correctly

83 SUBARGUMENTS Permutation matrix argument : Prover commits to permutation; proves this is done correctly Consistency argument : Prover proves she used the committed permutation to shuffle ciphertexts Validity argument : Prover proves each ciphertext has been formed correctly Correctly: so that the soundness proof goes through

84 SUBARGUMENTS Permutation matrix argument : Prover commits to permutation; proves this is done correctly Consistency argument : Prover proves she used the committed permutation to shuffle ciphertexts Validity argument : Prover proves each ciphertext has been formed correctly Correctly: so that the soundness proof goes through

85 PERMUTATION MATRIX ARGUMENT Lemma. A matrix is permutation matrix iff 1. It is stochastic // rows sum to (1,, 1) 2. Each row is 1-sparse At most one coefficient is non-zero

86 PERMUTATION MATRIX ARGUMENT Lemma. A matrix is permutation matrix iff 1. It is stochastic // rows sum to (1,, 1) 2. Each row is 1-sparse At most one coefficient is non-zero

87 1-SPARSITY ARGUMENT Commitment:

88 1-SPARSITY ARGUMENT Commitment: Pi (X) are linearly independent, well-chosen polynomials [A i (X)] i = [a I P I (X) + rx ρ ] i // i = 1, 2

89 1-SPARSITY ARGUMENT Commitment: Pi (X) are linearly independent, well-chosen polynomials [A i (X)] i = [a I P I (X) + rx ρ ] i // i = 1, 2 Argument: // square span programs

90 1-SPARSITY ARGUMENT Commitment: Pi (X) are linearly independent, well-chosen polynomials [A i (X)] i = [a I P I (X) + rx ρ ] i // i = 1, 2 Argument: // square span programs [π(x)] 1 = [((a I P I (X) + P 0 (X) + rx ρ ) 2-1) / X ρ ] 1

91 1-SPARSITY ARGUMENT Commitment: [A i (X)] i = [a I P I (X) + rx ρ ] i // i = 1, 2 Argument: // square span programs [π(x)] 1 = [((a I P I (X) + P 0 (X) + rx ρ ) 2-1) / X ρ ] 1 Verification equation: Pi (X) are linearly independent, well-chosen polynomials

92 1-SPARSITY ARGUMENT Commitment: [A i (X)] i = [a I P I (X) + rx ρ ] i // i = 1, 2 Argument: // square span programs [π(x)] 1 = [((a I P I (X) + P 0 (X) + rx ρ ) 2-1) / X ρ ] 1 Verification equation: Pi (X) are linearly independent, well-chosen polynomials V (X) := (A 1 (X) + X α + P 0 (X)) (A 2 (X) - X α + P 0 (X)) - π(x) X ρ (1 - X α ) 2

93 1-SPARSITY ARGUMENT Commitment: [A i (X)] i = [a I P I (X) + rx ρ ] i // i = 1, 2 Argument: // square span programs [π(x)] 1 = [((a I P I (X) + P 0 (X) + rx ρ ) 2-1) / X ρ ] 1 Verification equation: Pi (X) are linearly independent, well-chosen polynomials V (X) := (A 1 (X) + X α + P 0 (X)) (A 2 (X) - X α + P 0 (X)) - π(x) X ρ (1 - X α ) 2 = 0

94 honest prover: [A i (X)] i = [a I P I (X) + rx ρ ] i SOUNDNESS PROOF: IDEA

95 honest prover: [A i (X)] i = [a I P I (X) + rx ρ ] i SOUNDNESS PROOF: IDEA In GBGM we know constants a 1i, A 1ρ,, s.t. for X = (X, X ρ, X α, X β, X γ, X sk )

96 honest prover: [A i (X)] i = [a I P I (X) + rx ρ ] i SOUNDNESS PROOF: IDEA In GBGM we know constants a 1i, A 1ρ,, s.t. for X = (X, X ρ, X α, X β, X γ, X sk ) A 1 (X) = Σ a 1i P i (X) + A 1ρ X ρ + A 1α (X α + P 0 (X)) + A 11 P 0 (X) + CRS: ({[P i (X)] 1 } i, [X ρ ] 1, [X α +P 0 (X)] 1, [P 0 (X)] 1,, ({[P i (X)] 2 } i, [X ρ ] 2, [-X α +P 0 (X)] 2, [1] 2, )

97 honest prover: [A i (X)] i = [a I P I (X) + rx ρ ] i SOUNDNESS PROOF: IDEA In GBGM we know constants a 1i, A 1ρ,, s.t. for X = (X, X ρ, X α, X β, X γ, X sk ) A 1 (X) = Σ a 1i P i (X) + A 1ρ X ρ + A 1α (X α + P 0 (X)) + A 11 P 0 (X) + A 2 (X) = Σ a 2i P i (X) + A 2ρ X ρ + A 2α (-X α + P 0 (X)) + A 21 + CRS: ({[P i (X)] 1 } i, [X ρ ] 1, [X α +P 0 (X)] 1, [P 0 (X)] 1,, ({[P i (X)] 2 } i, [X ρ ] 2, [-X α +P 0 (X)] 2, [1] 2, )

98 honest prover: [A i (X)] i = [a I P I (X) + rx ρ ] i SOUNDNESS PROOF: IDEA In GBGM we know constants a 1i, A 1ρ,, s.t. for X = (X, X ρ, X α, X β, X γ, X sk ) A 1 (X) = Σ a 1i P i (X) + A 1ρ X ρ + A 1α (X α + P 0 (X)) + A 11 P 0 (X) + A 2 (X) = Σ a 2i P i (X) + A 2ρ X ρ + A 2α (-X α + P 0 (X)) + A 21 + π (X) = Σ π i P i (X) + π ρ X ρ + π α (X α + P 0 (X)) + π 1 P 0 (X) + CRS: ({[P i (X)] 1 } i, [X ρ ] 1, [X α +P 0 (X)] 1, [P 0 (X)] 1,, ({[P i (X)] 2 } i, [X ρ ] 2, [-X α +P 0 (X)] 2, [1] 2, )

99 honest prover: [A i (X)] i = [a I P I (X) + rx ρ ] i SOUNDNESS PROOF: IDEA In GBGM we know constants a 1i, A 1ρ,, s.t. for X = (X, X ρ, X α, X β, X γ, X sk ) A 1 (X) = Σ a 1i P i (X) + A 1ρ X ρ + A 1α (X α + P 0 (X)) + A 11 P 0 (X) + A 2 (X) = Σ a 2i P i (X) + A 2ρ X ρ + A 2α (-X α + P 0 (X)) + A 21 + π (X) = Σ π i P i (X) + π ρ X ρ + π α (X α + P 0 (X)) + π 1 P 0 (X) + Verification equation states CRS: ({[P i (X)] 1 } i, [X ρ ] 1, [X α +P 0 (X)] 1, [P 0 (X)] 1,, ({[P i (X)] 2 } i, [X ρ ] 2, [-X α +P 0 (X)] 2, [1] 2, )

100 honest prover: [A i (X)] i = [a I P I (X) + rx ρ ] i SOUNDNESS PROOF: IDEA In GBGM we know constants a 1i, A 1ρ,, s.t. for X = (X, X ρ, X α, X β, X γ, X sk ) A 1 (X) = Σ a 1i P i (X) + A 1ρ X ρ + A 1α (X α + P 0 (X)) + A 11 P 0 (X) + A 2 (X) = Σ a 2i P i (X) + A 2ρ X ρ + A 2α (-X α + P 0 (X)) + A 21 + π (X) = Σ π i P i (X) + π ρ X ρ + π α (X α + P 0 (X)) + π 1 P 0 (X) + Verification equation states V(X) = (A 1 (X) + X α + P 0 (X)) (A 2 (X) - X α + P 0 (X)) - π(x) X ρ (1 - X α ) 2 = 0 CRS: ({[P i (X)] 1 } i, [X ρ ] 1, [X α +P 0 (X)] 1, [P 0 (X)] 1,, ({[P i (X)] 2 } i, [X ρ ] 2, [-X α +P 0 (X)] 2, [1] 2, )

101 honest prover: [A i (X)] i = [a I P I (X) + rx ρ ] i SOUNDNESS PROOF: IDEA In GBGM we know constants a 1i, A 1ρ,, s.t. for X = (X, X ρ, X α, X β, X γ, X sk ) A 1 (X) = Σ a 1i P i (X) + A 1ρ X ρ + A 1α (X α + P 0 (X)) + A 11 P 0 (X) + A 2 (X) = Σ a 2i P i (X) + A 2ρ X ρ + A 2α (-X α + P 0 (X)) + A 21 + π (X) = Σ π i P i (X) + π ρ X ρ + π α (X α + P 0 (X)) + π 1 P 0 (X) + Verification equation states V(X) = (A 1 (X) + X α + P 0 (X)) (A 2 (X) - X α + P 0 (X)) - π(x) X ρ (1 - X α ) 2 = 0 Goal: find coefficients s.t. verification equation is satisfied CRS: ({[P i (X)] 1 } i, [X ρ ] 1, [X α +P 0 (X)] 1, [P 0 (X)] 1,, ({[P i (X)] 2 } i, [X ρ ] 2, [-X α +P 0 (X)] 2, [1] 2, )

102 SOLVING SYSTEM OF POL. EQUATIONS

103 SOLVING SYSTEM OF POL. EQUATIONS Goal: find coefficients s.t. V (X) = 0

104 SOLVING SYSTEM OF POL. EQUATIONS Goal: find coefficients s.t. V (X) = 0 Step 1: V (X) = 0 iff each coefficient [X α j X ρ k ] V (X) = 0

105 SOLVING SYSTEM OF POL. EQUATIONS Goal: find coefficients s.t. V (X) = 0 Step 1: V (X) = 0 iff each coefficient [X α j X ρ k ] V (X) = 0 This is a system of polynomial equations and a nasty one of more than 20 polynomial equations

106

107 SOLVING

108 SOLVING Used a mixture of computer algebra system and manual labor

109 SOLVING Used a mixture of computer algebra system and manual labor 1. Use linear independence of P i (X) to split some coefficients

110 SOLVING Used a mixture of computer algebra system and manual labor 1. Use linear independence of P i (X) to split some coefficients 2. Construct Gröbner basis of system of polynomial equations Needs(?) a CAS

111 SOLVING Used a mixture of computer algebra system and manual labor 1. Use linear independence of P i (X) to split some coefficients 2. Construct Gröbner basis of system of polynomial equations Needs(?) a CAS 3. Solve the Gröbner basis Can be done manually or by using CAS

112 SOLVING Used a mixture of computer algebra system and manual labor 1. Use linear independence of P i (X) to split some coefficients 2. Construct Gröbner basis of system of polynomial equations Needs(?) a CAS 3. Solve the Gröbner basis Can be done manually or by using CAS Obtain that A i (X) = a I P I (X) => Sound

113 THANK YOU!

Prastudy Fauzi, HelgerLipmaa, Michal Zajac University of Tartu, Estonia ASIACRYPT 2016

Prastudy Fauzi, HelgerLipmaa, Michal Zajac University of Tartu, Estonia ASIACRYPT 2016 A new efficient CRS-based NIZK shuffle argument Four+ times more efficient verification than in prior work Verification