A Commitment-Consistent Proof of a Shuffle


Douglas Wikström
CSC KTH, Stockholm, Sweden
dog@csc.kth.se
April 2, 2011

Abstract

We introduce a pre-computation technique that drastically reduces the online computational complexity of mix-nets based on homomorphic cryptosystems. More precisely, we show that there is a permutation commitment scheme that allows a mix-server to: (1) commit to a permutation and efficiently prove knowledge of doing so correctly in the offline phase, and (2) shuffle its input and give an extremely efficient commitment-consistent proof of a shuffle in the online phase. We prove our result for a general class of shuffle maps that generalize all known types of shuffles, and even allow shuffling ciphertexts of different cryptosystems in parallel.

1 Introduction

Consider a situation where $N$ senders $S_1, \ldots, S_N$ each have some input and wish to compute the sorted list of their inputs without revealing who submitted which message. A trusted party can do this by waiting until all senders have submitted some input, and then sort and output the list of all inputs. A protocol that emulates the trusted party is called a mix-net and the parties $M_1, \ldots, M_k$ that execute the protocol are referred to as mix-servers. As long as a certain fraction of the mix-servers are honest, the result should be correct and nobody should learn the correspondence between input ciphertexts and output messages. The obvious application for mix-nets is to conduct electronic elections, and this is also one of the applications Chaum [6] had in mind when he introduced mix-nets.

Many constructions of mix-nets are proposed in the literature, but few have provable security properties and many are actually flawed. The basic approach of all mix-nets with provable properties is based on ideas of Sako and Kilian [27]. The first rigorous definition of security was given by Abe and Imai [1], but they did not construct a scheme satisfying their definition.
Wikström [29] gives the first definition of a universally composable (UC) mix-net, the first UC-secure construction, and also a more efficient UC-secure scheme [30]. An important building block in the construction of a mix-net is a so called proof of a shuffle that allows the mix-servers to prove that they follow the protocol. The first efficient proofs of shuffles were given by Neff [21] and Furukawa and Sako [14]. (A conference version of this paper was presented at ACISP.)

1.1 Mix-Nets Based On Homomorphic Cryptosystems

Recall the mix-net of Sako and Kilian [27]. They present their scheme in terms of the El Gamal cryptosystem [15], but the idea works for any homomorphic cryptosystem. A homomorphic cryptosystem $CS = (\mathrm{Kg}, E, D)$ that allows threshold decryption is employed. A cryptosystem is said to be homomorphic if for every public key $pk \in PK$, the plaintext space $M_{pk}$, the randomness space $R_{pk}$, and the ciphertext space $C_{pk}$ are groups, and for every $m_0, m_1 \in M_{pk}$ and $r_0, r_1 \in R_{pk}$:
$$E_{pk}(m_0, r_0)\, E_{pk}(m_1, r_1) = E_{pk}(m_0 m_1, r_0 r_1).$$
A joint public key $pk$ is generated somehow such that each mix-server holds a secret share of the corresponding secret key $sk$. Each sender $S_i$, holding a message $m_i$, computes a ciphertext $c_{0,i} = E_{pk}(m_i)$, and then somehow submits it to the mix-servers. The mix-servers then take turns at re-encrypting and permuting these ciphertexts. Let $L_0 = (c_{0,1}, \ldots, c_{0,N})$ be the list of submitted ciphertexts. For $j = 1, \ldots, k$, $M_j$ chooses a permutation $\pi$ and $r_{j,i} \in R_{pk}$ randomly, computes $c_{j,i} = c_{j-1,\pi(i)}\, E_{pk}(1, r_{j,\pi(i)})$ for $i = 1, \ldots, N$, and then publishes $L_j = (c_{j,1}, \ldots, c_{j,N})$. In other words, each mix-server randomly re-encrypts each ciphertext and then outputs the resulting ciphertexts in random order. Then it proves, using a proof of a shuffle, that it formed $L_j$ from $L_{j-1}$ in this way. Finally, the mix-servers jointly threshold-decrypt $L_k$ and output the resulting list of plaintexts. The idea is that since all mix-servers have randomly permuted the ciphertexts and the cryptosystem is assumed secure, it is infeasible to tell which plaintext corresponds to which original ciphertext in $L_0$. The above description is simplified in that the senders submit homomorphic ciphertexts directly, which is not secure [25].
In a provably secure construction, the plaintexts of corrupted senders must be extractable by the simulator without the secret key of the cryptosystem. Until recently, all known submission schemes were either only heuristically secure, or involved costly interaction, but there is now a provably secure solution to this problem for several well known homomorphic cryptosystems [31].

Alternative Constructions. In the scheme of Furukawa et al. [13], each mix-server not only re-encrypts and permutes its input, but also partially decrypts it. As a result, the final list $L_k$ essentially contains the plaintexts and no joint decryption step is needed. In the scheme of Wikström [30], re-encryption is also eliminated entirely, i.e., each mix-server only partially decrypts and permutes its input. In a preliminary unpublished version of Neff [21] a proof of a shuffle for the first type of mix-net is described as well [22]. These schemes have special advantages over the above, but do not lend themselves well to pre-computation, since partial decryption must be done sequentially. Very few other approaches to constructing mix-nets have any provable security properties [19] and several are actually flawed [1, 10, 28].

1.2 Previous Work On Improving Efficiency

There are more or less obvious techniques that can be used to reduce the computational complexity of a mix-net. If a threshold below $k$ is used for the decryption key, then not all mix-servers need to take part in the mixing process. In the execution of a public-coin honest verifier proof of knowledge the random challenge of the honest verifier must be generated jointly by the mix-servers, which is costly. But if unpredictability suffices, then longer challenges can be extracted from a random seed using a PRG. Precomputation can also be used in the coin-flipping protocols. The re-encryption factors can also be pre-computed and batch proof techniques [4] can be used to reduce the complexity of the proofs of correctness needed during joint decryption.

If such optimizations and pre-computations are used, the main computational cost lies in the proofs of shuffles. Thus, most previous work on reducing the complexity, e.g. [21, 14, 18, 13, 30], focuses on reducing the complexity of a particular proof of a shuffle. Some parts of these proofs can easily be pre-computed as well. An alternative approach is used by Adida and Wikström [3], who show that when the number of senders is relatively small, ideas from homomorphic election schemes [5] can be used to construct a mix-net where the online phase only requires decryption of a single ciphertext. The public-key obfuscated shuffle of Adida and Wikström [2] may also be viewed as a form of pre-computation, but their goal is not improved efficiency. In fact, their scheme is quite inefficient.

1.3 Our Contribution

We show how to split a proof of a shuffle into two protocols. The first protocol is used by a mix-server in the offline phase to prove knowledge of how to open a commitment to a permutation. The second protocol is used by a mix-server in the online phase to prove that it uses the permutation it committed to also during shuffling. The first protocol is almost as efficient as the known proofs of shuffles; in fact it can be constructed from these, e.g., [21, 14, 18, 30].
Even without any standard optimization techniques such as simultaneous exponentiations, the computational complexity of the second protocol is half an exponentiation per sender in the El Gamal case and has similar properties for other cryptosystems. Thus, our pre-computation technique reduces the online computational complexity of virtually all mix-nets.

We also show that all known types of shuffles are instances of a generalized shuffle, where some homomorphic map $\phi_{pk} : C_{pk} \times R_{pk} \to C_{pk}$ is applied to each ciphertext and randomizer pair, and the resulting ciphertexts are permuted. In fact, we prove our results for this generalized shuffle. The generality of our result immediately gives that ciphertexts can be shuffled in parallel. Even ciphertexts of different cryptosystems can be shuffled in parallel, and distinct homomorphic maps can be used for ciphertexts of different cryptosystems.

The inspiration of this work comes from both Neff [21] and Furukawa and Sako [14]. Neff writes as follows about his simple shuffle: "A single instance of this proof can be constructed to essentially commit a particular permutation", but we are unable to derive our results starting from his commitment. On the other hand, the Pedersen permutation commitment scheme used implicitly in the proof of a shuffle of Furukawa and Sako is perfectly suitable for constructing a fast commitment-consistent proof of a shuffle.

1.4 Notation

Natural numbers and integers are denoted by $\mathbb{N}$ and $\mathbb{Z}$ respectively. The ring of integers modulo $n$ is denoted by $\mathbb{Z}_n$, $\mathbb{Z}_n^*$ denotes its multiplicative group, and $SQ_n$ denotes the subgroup of squares in $\mathbb{Z}_n^*$. We use $\kappa$ as the main security parameter, but also introduce several related parameters, e.g., the bit-size of challenges $\kappa_c$. We identify the set of $\kappa$-bit strings and the set of positive integers in $[0, 2^\kappa - 1]$ when convenient. A function $\epsilon(\kappa)$ is negligible if for every constant $c$ and sufficiently large $\kappa$ it holds that $\epsilon(\kappa) < \kappa^{-c}$. A function $f(\kappa)$ is overwhelming if $1 - f(\kappa)$ is negligible. We denote the set of $N$-permutations by $S_N$. We denote the set $\{1, \ldots, l\}$ by $[l]$ and sometimes denote a list of elements $(a_1, \ldots, a_l)$ by $a_{[l]}$.

The Discrete Logarithm (DL) assumption for a group $G_q$ with generator $g$ states that given a random element $y \in G_q$, it is infeasible to compute $x$ such that $y = g^x$. The Decision Diffie-Hellman (DDH) assumption states that when $x, y, r \in \mathbb{Z}_q$ are randomly chosen, then it is infeasible to distinguish the distributions of $(g^x, g^y, g^{xy})$ and $(g^x, g^y, g^r)$. See Appendix F for formal definitions.

We view a commitment scheme as consisting of a parameter generation algorithm $\mathrm{Gen}$ and a deterministic commitment algorithm $\mathrm{Com}$. On input $1^\kappa$, $\mathrm{Gen}$ outputs a parameter $ck$ which defines a message set $M_{ck}$, a polynomially sampleable randomness space $R_{ck}$, and a commitment space $K_{ck}$. We write $CK$ for the set of commitment parameters. On input $ck \in CK$, $m \in M_{ck}$, and $r \in R_{ck}$, $\mathrm{Com}$ outputs a commitment. To open a commitment the message and randomness are revealed.

We write $CS = (\mathrm{Kg}, E, D)$ for a homomorphic cryptosystem and $M_{pk}$, $R_{pk}$, and $C_{pk}$ for the abelian groups of messages, randomness, and ciphertexts defined by a public key $pk$. We let $PK$ denote the set of all public keys.
A homomorphic cryptosystem satisfies $E_{pk}(m_1, r_1)\, E_{pk}(m_2, r_2) = E_{pk}(m_1 m_2, r_1 r_2)$ for every $pk \in PK$, $m_1, m_2 \in M_{pk}$, and $r_1, r_2 \in R_{pk}$. Throughout we assume that the order of the largest cyclic subgroup of $C_{pk}$, and the order of any groups on which we base our commitment schemes, are bounded by $2^\kappa$.

2 Background and Informal Description

Before we give details, it is worthwhile to recall some properties of batch proofs of discrete logarithms and proofs of shuffles. We also give a brief informal description of our commitment-consistent proof of a shuffle.

Batch Proofs. Consider a setting where many group elements $y_1, \ldots, y_N$ in some prime order group $G_p$ with generator $g$ are given, and the prover knows $x_i \in \mathbb{Z}_p$ such that $y_i = g^{x_i}$. It is expensive to prove knowledge of each logarithm $x_i$ independently, but the use of batching [4] decreases this cost substantially as the following example shows, where $P$ and $V$ denote the prover and verifier.

1. $V$ picks $e_1, \ldots, e_N \in \mathbb{Z}_p$ randomly and hands them to the prover.
2. Both parties compute $y = \prod_{i=1}^N y_i^{e_i}$.
3. $P$ shows that it knows the logarithm $w$ such that $y = g^w$ using a standard honest verifier zero-knowledge proof of knowledge.

The reason that this is a proof of knowledge is that the extractor may rewind the prover to the first step several times until it has found $N$ linearly independent vectors $e_j = (e_{j,1}, \ldots, e_{j,N})$ in $\mathbb{Z}_p^N$ for $j = 1, \ldots, N$ and extracted logarithms $w_1, \ldots, w_N$ such that $\prod_{i=1}^N y_i^{e_{j,i}} = g^{w_j}$. Note that linear independence implies that for every $l = 1, \ldots, N$ there are $d_{l,j}$ such that $\sum_{j=1}^N d_{l,j} e_j$ is the $l$th standard unit vector in $\mathbb{Z}_p^N$. This gives
$$y_l = \prod_{j=1}^N \Big(\prod_{i=1}^N y_i^{e_{j,i}}\Big)^{d_{l,j}} = \prod_{j=1}^N (g^{w_j})^{d_{l,j}} = g^{\sum_{j=1}^N d_{l,j} w_j},$$
which means that the logarithm of every individual element $y_l$ can be computed as $x_l = \sum_{j=1}^N d_{l,j} w_j$. We remark that the components of the vectors can be chosen randomly in $\{0,1\}^{\kappa_e}$ for a $\kappa_e$ much smaller than $\kappa$. From now on we use $\kappa_e$ to denote the bit-size of components of random vectors as the above. Another important observation, used to reduce the need for jointly generated randomness when the honest verifier is implemented jointly by several parties, is that it suffices that the vectors are unpredictable, e.g., the verifier may instead choose a random seed $z$ for a PRG, hand it to the prover, and define $(e_1, \ldots, e_N) = \mathrm{PRG}(z)$.

Proofs of Shuffles. We do not go into the details of any particular proof of a shuffle, but we explain one of the ideas that appear in different forms in all known efficient schemes. Consider a homomorphic cryptosystem such that the order of every non-trivial element in $C_{pk}$ equals a prime $p$. Given are a public key $pk$ and ciphertexts $(c_1, \ldots, c_N)$ and $(c_1', \ldots, c_N')$ that are related by $c_i' = c_{\pi(i)}\, E_{pk}(1, r_{\pi(i)})$ for some permutation $\pi$ and randomness $r_1, \ldots, r_N$.
A key observation, first made by Neff [21] and Furukawa and Sako [14], is that batch proofs are in some sense invariant under permutation and that this means that we can use batch techniques to construct an efficient proof of a shuffle. The idea can be described as follows, where we use a PRG to expand a seed into an unpredictable vector.

1. $V$ picks a seed $z \in \{0,1\}^\kappa$ randomly and hands it to $P$.
2. Both compute $c = \prod_{i=1}^N c_i^{e_i}$, where $(e_1, \ldots, e_N) = \mathrm{PRG}(z)$ and $e_i \in [0, 2^{\kappa_e} - 1]$.
3. $P$ computes $c' = \prod_{i=1}^N (c_i')^{e_{\pi(i)}}$, hands it to $V$, and convinces $V$ that it is formed correctly.
4. $P$ proves knowledge of $r \in R_{pk}$ such that $c' = c\, E_{pk}(1, r)$.

Note that the linear independence argument used in the basic batch proof above carries over to the shuffle setting, despite that some of the exponents are permuted (see Proposition 17 in Section A for details). The above description is simplified in that the prover must blind $c'$ to avoid leaking knowledge. The problem of convincing the verifier that the original exponents, re-ordered using a fixed permutation $\pi$, are used to form $c'$ is non-trivial, and solved differently in the various proofs of shuffles. If we ignore the cost of Step 3, then the above protocol is very efficient.

2.1 Commitment-Consistent Proofs of Shuffles

We observe that we can design Step 3 in such a way that almost all of it can be moved to the offline phase. Generators $g_1, \ldots, g_N$ of a group $G_p$ of prime order $p$ are given as part of the setup of the proof of a shuffle, and it is assumed to be infeasible to compute any non-trivial relations among these (this follows from the DL assumption). Suppose that each mix-server commits to a permutation $\pi$ using Pedersen commitments [24]
$$(a_1, \ldots, a_N) = \big(g^{r_1} g_{\pi^{-1}(1)}, \ldots, g^{r_N} g_{\pi^{-1}(N)}\big)$$
for random $r_1, \ldots, r_N \in \mathbb{Z}_p$, and also proves knowledge of the $r_i$ and $\pi$ such that $(a_1, \ldots, a_N)$ was formed in this way. Then in the online phase the verifier can choose, and hand to the prover, a random seed $z \in \{0,1\}^\kappa$, set $(e_1, \ldots, e_N) = \mathrm{PRG}(z)$, and compute
$$a = \prod_{i=1}^N a_i^{e_i} = \prod_{i=1}^N g^{r_i e_i} g_{\pi^{-1}(i)}^{e_i} = g^{r} \prod_{i=1}^N g_i^{e_{\pi(i)}}, \quad \text{where } r = \sum_{i=1}^N r_i e_i.$$
Note that $a$ is of a perfect form for executing a standard proof of knowledge of equal exponents. More precisely, we may now replace Step 3 above in the online phase by:

- Prover computes $c' = \prod_{i=1}^N (c_i')^{e_{\pi(i)}}$ and hands it to the verifier.
- Prover proves knowledge of $r \in \mathbb{Z}_p$ and $e_1', \ldots, e_N' \in \{0,1\}^{\kappa_e}$ with $a = g^r \prod_{i=1}^N g_i^{e_i'}$ and $c' = \prod_{i=1}^N (c_i')^{e_i'}$.

The above is simplified in that some blinding factors are missing.
The proof of knowledge of the exponents $r, e_1', \ldots, e_N'$, combined with the computational binding property of multi-base Pedersen commitments, implies that $e_i' = e_{\pi(i)}$ for some permutation $\pi$. The computational complexity of the above protocol is very low, since almost all exponents have very few bits also in the proof of knowledge of equal exponents.
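The batch proof of discrete logarithms from the start of this section, together with the rewinding argument that makes it a proof of knowledge, as an added Python example that is not part of the paper: a hash-based stand-in for the PRG, a Schnorr proof for the batched element $y = \prod_i y_i^{e_i}$, and an extractor that rewinds the Schnorr proof to obtain $w_j$ and then solves the linear system $w_j = \sum_i e_{j,i} x_i$ over $\mathbb{Z}_q$. The tiny safe-prime group ($p = 1019$, $q = 509$, $g = 4$), the 8-bit $\kappa_e$ and all function names are my own constructed choices.

```python
import hashlib
import secrets

# Constructed toy group (not the paper's parameters): p = 2q + 1 is a safe
# prime, G_q is the subgroup of squares in Z_p^*, and g = 4 generates it.
P, Q, G = 1019, 509, 4
KAPPA_E = 8                                  # bit-size of the batching exponents

def prg(seed, n, bits=KAPPA_E):
    """Hash-based stand-in for the PRG: expand a seed into n exponents e_i."""
    out = []
    for ctr in range(n):
        h = hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        out.append(int.from_bytes(h, "big") % (1 << bits))
    return out

def batched(ys, es):
    """y = prod_i y_i^{e_i}, computed by both parties (Step 2)."""
    y = 1
    for yi, e in zip(ys, es):
        y = y * pow(yi, e, P) % P
    return y

class BatchProver:
    """Holds x_1..x_N with y_i = g^{x_i}; proves knowledge of the logarithm
    w = sum_i e_i x_i of the batched element with a Schnorr proof (Step 3)."""
    def __init__(self, xs):
        self.xs = xs
    def set_exponents(self, es):             # after the seed is received
        self.w = sum(e * x for e, x in zip(es, self.xs)) % Q
    def first_move(self):
        self.k = secrets.randbelow(Q)
        return pow(G, self.k, P)
    def respond(self, c):
        return (self.k + c * self.w) % Q

def verify(ys, es, t, c, z):
    """Verifier's check g^z == t * y^c with y = prod_i y_i^{e_i}."""
    return pow(G, z, P) == t * pow(batched(ys, es), c, P) % P

def run_protocol(ys, prover):
    """One honest-verifier execution; returns (accepted, transcript)."""
    seed = secrets.token_bytes(16)           # Step 1: V picks a seed z
    es = prg(seed, len(ys))                  # both expand it
    prover.set_exponents(es)
    t = prover.first_move()                  # Schnorr commitment
    c = secrets.randbelow(Q)                 # honest verifier's challenge
    z = prover.respond(c)
    return verify(ys, es, t, c, z), (es, t, c, z)

def extract_w(prover, es):
    """Inner extractor: rewind the Schnorr proof to two challenges on the
    same first move and solve z1 - z2 = (c1 - c2) * w for w."""
    prover.set_exponents(es)
    prover.first_move()
    c1, c2 = 1, 2
    z1, z2 = prover.respond(c1), prover.respond(c2)
    return (z1 - z2) * pow(c1 - c2, -1, Q) % Q

def solve_mod_q(rows, rhs):
    """Gaussian elimination over Z_q; None if the rows are linearly dependent."""
    n = len(rows)
    m = [row[:] + [b] for row, b in zip(rows, rhs)]
    for col in range(n):
        piv = next((r for r in range(col, n) if m[r][col] % Q), None)
        if piv is None:
            return None
        m[col], m[piv] = m[piv], m[col]
        inv = pow(m[col][col], -1, Q)
        m[col] = [v * inv % Q for v in m[col]]
        for r in range(n):
            if r != col and m[r][col]:
                f = m[r][col]
                m[r] = [(a - f * b) % Q for a, b in zip(m[r], m[col])]
    return [m[r][n] for r in range(n)]

def extract_all(prover, n):
    """Outer extractor: rewind to Step 1 with fresh seeds until n linearly
    independent exponent vectors e_j are found, then solve for x_1..x_N
    from w_j = sum_i e_{j,i} x_i (the d_{l,j} of the text are the inverse)."""
    while True:
        rows = [prg(secrets.token_bytes(16), n) for _ in range(n)]
        xs = solve_mod_q(rows, [extract_w(prover, es) for es in rows])
        if xs is not None:
            return xs

if __name__ == "__main__":
    xs = [secrets.randbelow(Q) for _ in range(4)]
    ys = [pow(G, x, P) for x in xs]
    print("accepted:", run_protocol(ys, BatchProver(xs))[0])
    print("extracted == x:", extract_all(BatchProver(xs), 4) == xs)
```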

3 A Commitment-Consistent Proof of a Shuffle

In this section we first give more details of the commitment scheme and explain how any of the known proofs of shuffles can be used to prove knowledge of an opening of the commitment to a permutation. Then we present the commitment-consistent proof of a shuffle.

3.1 Permutation Commitments

We formalize the property we need from the Pedersen commitments above. A permutation commitment should allow the committer to compute a commitment $\mathrm{Com}^\pi(\pi)$ of a permutation $\pi$, but obviously any string commitment can be used to commit to a permutation. The special property of a permutation commitment is that if the receiver holds a list $(e_1, \ldots, e_N)$, it can transform the permutation commitment into a commitment $\mathrm{Com}^e(e_{\pi(1)}, \ldots, e_{\pi(N)})$, of another type, of the list elements, but in the order defined by $\pi$. Here $\kappa_{com}$ denotes the maximal bit size of each component of a list commitment.

Definition 1. Let $(\mathrm{Gen}^\pi, \mathrm{Com}^\pi)$ be a commitment scheme for $S_N$ and let $(\mathrm{Gen}^e, \mathrm{Com}^e)$ be a commitment scheme for $[0, 2^{\kappa_{com}} - 1]^N$. The former is a $\kappa_{com}$-permutation commitment scheme of the latter if $\mathrm{Gen}^\pi = \mathrm{Gen}^e$ and there exist deterministic polynomial time algorithms $\mathrm{Map}$ and $\mathrm{Rand}$ s.t. for every $ck \in CK$, $r \in R_{ck}$, $\pi \in S_N$ and $e = (e_1, \ldots, e_N) \in [0, 2^{\kappa_{com}} - 1]^N$
$$\mathrm{Map}_{ck}\big(\mathrm{Com}^\pi_{ck}(\pi, r), e\big) = \mathrm{Com}^e_{ck}\big((e_{\pi(1)}, \ldots, e_{\pi(N)}), \mathrm{Rand}(r, e)\big).$$

Construction 2 (Pedersen Commitment). The generation algorithm $\mathrm{Gen}^\pi$ outputs random generators $g, g_1, \ldots, g_N \in G_q$, where $G_q$ is a cyclic group of known order $q = \prod_{i=1}^t p_i$ with $p_i > 2^{\kappa_{com}}$. On input $\pi \in S_N$ and $r_1, \ldots, r_N \in \mathbb{Z}_q$, the commitment algorithm $\mathrm{Com}^\pi$ computes $a_i = g^{r_i} g_{\pi^{-1}(i)}$, and outputs $(a_1, \ldots, a_N)$. The parameter algorithm $\mathrm{Gen}^e$ is identical to $\mathrm{Gen}^\pi$. On input $(e_1, \ldots, e_N) \in [0, 2^{\kappa_{com}} - 1]^N$ and $r \in \mathbb{Z}_q$, the algorithm $\mathrm{Com}^e$ computes $a = g^r \prod_{i=1}^N g_i^{e_i}$, and outputs $a$.

The idea of using (generalized) Pedersen commitments [24] to commit to permutations is not novel, e.g., it is used implicitly in [14], but the observation that a commitment of the first kind can be transformed into a commitment of the second kind seems new.
Proposition 3. Both $(\mathrm{Gen}^\pi, \mathrm{Com}^\pi)$ and $(\mathrm{Gen}^e, \mathrm{Com}^e)$ of Construction 2 are perfectly hiding and computationally binding under the DL assumption. The former is a permutation commitment of the latter.

The proof of the binding property is well known for prime order groups. A proof is given in Appendix A. We will later make use of the following relation that corresponds to breaking a commitment scheme, i.e., finding two different ways to open a commitment.

Definition 4. The relation $R^{twin}_{ck}$ consists of all pairs $\big(ck, (s_{[l]}, s_0, s_{[l]}', s_0')\big)$ such that $s_{[l]} \neq s_{[l]}'$ and $\mathrm{Com}^e_{ck}(s_{[l]}, s_0) = \mathrm{Com}^e_{ck}(s_{[l]}', s_0')$.

Suppose a committer produces a permutation commitment $a$ and the verifier computes $a' = \mathrm{Map}_{ck}(a, (e_1, \ldots, e_N))$. Then we expect that the committer can only open $a'$ as $(e_{\pi(1)}, \ldots, e_{\pi(N)})$ for a fixed permutation $\pi$, i.e., if we repeat this procedure with different lists $(e_1, \ldots, e_N)$ the same permutation must be used by the committer every time. We can not prove this, but it is easy to see that if it also can open $a$ to a permutation $\pi$, then it must use this permutation every time. Recall that in our application, each mix-server proves knowledge of how to open $a$ during the offline phase. Thus, if a witness for the following relation can be extracted in the online phase we reach a contradiction. This suffices to prove the overall security of a mix-net.

Definition 5. The relation $R^{perm}_{ck}$ consists of all pairs $\big(ck, (a, s_{[N]}, s_0, s_{[N]}', s_0')\big)$ such that
$$\mathrm{Map}_{ck}(a, s_{[N]}) = \mathrm{Com}^e_{ck}\big((s_{\pi(1)}, \ldots, s_{\pi(N)}), s_0\big), \quad \mathrm{Map}_{ck}(a, s_{[N]}') = \mathrm{Com}^e_{ck}\big((s_{\pi'(1)}', \ldots, s_{\pi'(N)}'), s_0'\big),$$
$\pi \neq \pi'$, and $s_i \neq s_j$ and $s_i' \neq s_j'$ for all $i \neq j$.

3.2 Proof of Knowledge of Opening

We now explain how we can construct, from any proof of a shuffle of El Gamal ciphertexts over a prime order group $G_p$, a proof of knowledge that a Pedersen permutation commitment indeed is a commitment to a permutation.

Definition 6. The relation $R^{open}_{ck}$ consists of all pairs $\big((ck, a), (\pi, r)\big)$ such that $a = \mathrm{Com}^\pi_{ck}(\pi, r)$.

Protocol 7 (Proof of Knowledge of Correct Opening).
Common Input: Pedersen commitment parameters $g, g_1, \ldots, g_N \in G_p$ and a commitment $(a_1, \ldots, a_N) \in G_p^N$.
Private Input: Permutation $\pi \in S_N$ and exponents $r_1, \ldots, r_N \in \mathbb{Z}_p$ such that $a_i = g^{r_i} g_{\pi^{-1}(i)}$.

1. $P$ chooses $r_i' \in \mathbb{Z}_p$ and $h \in G_p$ randomly, computes $a_i' = g^{r_i'} a_i$ and $b_i = h^{r_i + r_i'}$, and hands $(a_1', \ldots, a_N')$ and $(h, b_1, \ldots, b_N)$ to $V$.
2. $P$ proves to $V$ that it knows $r_i'$ such that $a_i' = g^{r_i'} a_i$.
3. $P$ and $V$ view $(h, g)$ as an El Gamal public key, and $P$ uses its random commitment exponents $r_1 + r_1', \ldots, r_N + r_N'$ to give a proof of a shuffle that the list $(b_1, a_1'), \ldots, (b_N, a_N')$ is a re-encryption and permutation of the list of trivial ciphertexts $(1, g_1), \ldots, (1, g_N)$ using the public key $(h, g)$, i.e., it proves that it knows some $r_i''$ such that $(b_i, a_i') = (h^{r_i''}, g^{r_i''} g_{\pi^{-1}(i)})$.

Proposition 8. The protocol inherits properties of the proof of a shuffle.

1. If the proof of a shuffle is public-coin, overwhelmingly (computationally) sound, and a proof of knowledge, then so is the protocol above.

2. If the proof of a shuffle is honest verifier (computationally under assumption A) zero-knowledge, then the above protocol is computationally zero-knowledge under the DDH assumption (and assumption A).

A proof is given in Appendix A. Without the blinding exponent $r_i'$ the protocol is not even computationally zero-knowledge, since the adversary could in principle know $r_i$. Some proofs of shuffles do not satisfy the standard computational versions of soundness, proof of knowledge, and zero-knowledge. In those cases the correspondingly more complicated security properties are also inherited, but we use the above proposition for simplicity. Readers with deeper understanding of proofs of shuffles should note that the basic principles of any proof of a shuffle can be used directly to construct a more efficient protocol, but this is not our focus here. We stress that the above simple solution is presented for completeness and ease of presentation. It is non-trivial to extend the above result to groups of composite order such as those considered in Construction 2.

3.3 Proof of Knowledge of Equal Exponents

Recall from our sketch in Section 2.1 that in our commitment-consistent proof of a shuffle, the prover essentially hands the product $\prod_{i=1}^N (c_i')^{e_{\pi(i)}}$ to the verifier and shows that the exponents used are those committed to in a commitment $\mathrm{Com}^e(e_{\pi(1)}, \ldots, e_{\pi(N)})$. More precisely, we assume that: $\{h_1, \ldots, h_k\}$ is a generator set of the group $C_{pk}$ of ciphertexts, $ck$ is a commitment parameter, and that the prover hands $\prod_{i=1}^N (c_i')^{e_{\pi(i)}}$ to the verifier in blinded form, i.e., it hands
$$\Big(\mathrm{Com}^e_{ck}(s_{[k]}, s_0),\ \prod_{i=1}^k h_i^{s_i} \prod_{i=1}^N (c_i')^{e_{\pi(i)}}\Big)$$
to the verifier for random exponents $s_{[k]}$ (and $s_0 \in R_{ck}$), and then proves that it knows all of these exponents and that they are consistent with the exponents committed to in $\mathrm{Com}^e_{ck}((e_{\pi(1)}, \ldots, e_{\pi(N)}), e_0)$ for some $e_0 \in R_{ck}$. Thus, we construct a protocol for the following relation.

Definition 9. From a scheme $(\mathrm{Gen}^e, \mathrm{Com}^e)$ for $[0, 2^{\kappa_{com}} - 1]^N$, a commitment parameter $ck$ output by $\mathrm{Gen}^e$, and a public key $pk \in PK$ we define $R^{eq}_{ck,pk}$ to consist of all $\big((pk, ck, h_{[k]}, c_{[N]}, a, b_1, b_2), (e_0, e_{[N]}, s_0, s_{[k]})\big)$ satisfying
$$a = \mathrm{Com}^e_{ck}(e_{[N]}, e_0), \quad b_1 = \mathrm{Com}^e_{ck}(s_{[k]}, s_0), \quad \text{and} \quad b_2 = \prod_{i=1}^k h_i^{s_i} \prod_{i=1}^N c_i^{e_i}.$$

If the largest cyclic subgroup of $C_{pk}$ has order $q = \prod_{i=1}^t p_i$ with $p_i > 2^{\kappa_c}$, and a group $G_q$ of order $q$ is available for which the DL problem is hard, then a sigma protocol with the challenge chosen from $[0, 2^{\kappa_c} - 1]$ can be constructed using fairly standard methods. For completeness we give such a protocol in Appendix B. Otherwise, we can either use Pedersen commitments over some prime order group $G_p$ and use a proof of equal exponents over groups of different orders using a Fujisaki-Okamoto commitment [12] as a bridge, or we can replace the permutation commitment by a corresponding Fujisaki-Okamoto commitment directly. It is not hard to derive a shuffle of such commitments from Wikström's shuffle [30]. The drawback of using Fujisaki-Okamoto commitments is that they are based on the use of an RSA modulus, and such moduli are costly to generate in a distributed setting. We detail both solutions in the appendix.

3.4 Shuffle-Friendly Maps

To randomly shuffle a list of homomorphic ciphertexts $(c_1, \ldots, c_N)$ usually means that each ciphertext is randomly re-encrypted and the resulting ciphertexts randomly permuted, but there are other possible shuffles. For the El Gamal cryptosystem, one can also partially decrypt during shuffling [13], or if a special key set-up is used one can avoid random re-encryption entirely [30]. There are also at least two types of shuffles of (variants of) Paillier [23] ciphertexts. A careful look at these shuffles reveals that they are all defined by evaluating a homomorphic map and permuting the result.

Definition 10. A map $\phi_{pk}$ is shuffle-friendly for a public key $pk \in PK$ of a homomorphic cryptosystem if it defines a homomorphic map $\phi_{pk} : C_{pk} \times R_{pk} \to C_{pk}$.

Example 11. Using the El Gamal cryptosystem over a group $G_p$ with public key $pk = (g, y)$, where $y = g^x$ and $x$ is the secret key, we have $M_{pk} = G_p$, $R_{pk} = \mathbb{Z}_p$, and $C_{pk} = G_p \times G_p$. Then $\phi_{(g,y)}((u, v), r) = (g^r u, y^r v)$ describes re-encryption when $r \in \mathbb{Z}_p$ is randomly chosen. If $y = g^x$, $y = y_1 y_2 y_3$, and $x = x_1 + x_2 + x_3$, then $\phi^{x_1}_{(g,y)}((u, v), r) = (g^r u, (y/y_1)^r u^{-x_1} v)$ denotes partial decryption and re-encryption using the secret share $x_1$ and randomness $r$. The decryption shuffle in [30] can be described similarly.

Example 12. Using the Paillier cryptosystem with a public key $pk = n$ consisting of a random RSA modulus, we have $M_{pk} = \mathbb{Z}_n$, $R_{pk} = \mathbb{Z}_n^*$, and $C_{pk} = \mathbb{Z}_{n^2}^*$ with encryption defined by $E_{pk}(m, r) = (1+n)^m r^n \bmod n^2$. Re-encryption is then defined by $\phi_n(c, r) = c\, r^n \bmod n^2$.

Suppose we wish to prove that a ciphertext $c'$ is the result of invoking a particular shuffle-friendly map $\phi_{pk}$ on another ciphertext $c$. If the shuffle-friendly map $\phi_{pk}$ is public, e.g., it represents re-encryption, then what is needed is a proof that there exists some randomness $r$ such that $\phi_{pk}(c, r) = c'$. If the shuffle-friendly map itself is not public, e.g., re-encryption and partial decryption, then the map $\phi_{pk}$ must be defined by some hidden parameters.
Without loss we assume that the map is defined by some relation to the public key. In the typical cases, the public key defines a secret key and the shuffle-friendly map is defined by the secret key. We consider a situation where the output ciphertext $c'$ is committed to as $\big(\mathrm{Com}^e_{ck}((s_1, \ldots, s_k), s_0),\ c' \prod_{i=1}^k h_i^{s_i}\big)$, and define a relation for a shuffle-friendly map as follows.

Definition 13 (Shuffle-Friendly Relation). Let $pk \in PK$, let $\phi_{pk}$ be a shuffle-friendly map for $pk$ and let $ck$ be a commitment parameter. We define $R^{map}_{\phi_{pk}}$ to consist of all pairs $\big((pk, ck, h_{[k]}, c, b_1, b_2), (r, s_0, s_{[k]})\big)$ such that $b_1 = \mathrm{Com}^e_{ck}(s_{[k]}, s_0)$ and $b_2 = \phi_{pk}(c, r) \prod_{i=1}^k h_i^{s_i}$.

Example 14 (Example 11 continued). Note that $C_{pk} = G_p \times G_p$ is generated by $h_1 = (g, 1)$ and $h_2 = (1, g)$ with component-wise multiplication. If we consider a re-encryption and permutation shuffle and use Pedersen commitments over the group $G_p$ with commitment parameter $ck = (g_1, g_2)$, then the relation consists of all pairs of the form $\big(((g, y), (g_1, g_2), (u, v), b_1, b_2), (r, s_0, s_1, s_2)\big)$ such that $b_1 = g^{s_0} g_1^{s_1} g_2^{s_2}$ and $b_2 = h_1^{s_1} h_2^{s_2} (g^r u, y^r v)$.

For the typical shuffle-friendly maps of the El Gamal and Paillier cryptosystems, it is well known how to construct sigma protocols [7] for the corresponding shuffle-friendly relation using standard methods. We give some examples in Appendix E.

3.5 Details of the Commitment-Consistent Proof of a Shuffle

Next we give a detailed description of the protocol that allows a mix-server to prove in the online phase that it re-encrypted and permuted its input and that the permutation used is the same permutation it committed to in the offline phase. We denote by $\kappa_r$ a parameter that decides how well the commitments hide the committed values. The two subprotocols can be executed in parallel and the second step of the protocol can be combined with the first move of the combined subprotocols.

Protocol 15 (Commitment-Consistent Proof of a Shuffle).
Common Input: A public key $pk$ of a cryptosystem $CS$, a generating set $\{h_1, \ldots, h_k\}$ of $C_{pk}$, a commitment parameter $ck$, a permutation commitment $a \in K^\pi_{ck}$, ciphertexts $(c_1, \ldots, c_N) \in C_{pk}^N$, and $(c_1', \ldots, c_N') \in C_{pk}^N$.
Private Input: Permutation $\pi \in S_N$, $s \in R_{ck}$ and $r_1, \ldots, r_N \in R_{pk}$ such that $a = \mathrm{Com}^\pi_{ck}(\pi, s)$, and $c_i' = \phi_{pk}(c_{\pi(i)}, r_{\pi(i)})$.

1. $V$ chooses a seed $z \in \{0,1\}^\kappa$ randomly and hands it to $P$. Then both parties set $(e_1, \ldots, e_N) = \mathrm{PRG}(z)$, where $e_i \in \{0,1\}^{\kappa_e}$, and compute $a' = \mathrm{Map}_{ck}(a, (e_1, \ldots, e_N))$.
2. $P$ chooses $t_0 \in R_{ck}$ and $t_1, \ldots, t_k \in [0, 2^{\kappa + \kappa_r} - 1]$ randomly, and computes and hands to $V$
$$b_1 = \mathrm{Com}^e_{ck}((t_1, \ldots, t_k), t_0) \quad \text{and} \quad b_2 = \prod_{i=1}^k h_i^{t_i} \prod_{i=1}^N (c_i')^{e_{\pi(i)}}.$$
3. $P$ proves, using a proof of equal exponents, that it knows exponents $t_0, \ldots, t_k$, $(e_1', \ldots, e_N')$ (computed as $(e_{\pi(1)}, \ldots, e_{\pi(N)})$), and $e_0$ (computed as $\mathrm{Rand}(s, (e_1, \ldots, e_N))$) such that
$$b_1 = \mathrm{Com}^e_{ck}((t_1, \ldots, t_k), t_0), \quad b_2 = \prod_{i=1}^k h_i^{t_i} \prod_{i=1}^N (c_i')^{e_i'}, \quad \text{and} \quad a' = \mathrm{Com}^e_{ck}((e_1', \ldots, e_N'), e_0).$$
4. $P$ proves, using a proof of a shuffle map, that it knows exponents $t_0, \ldots, t_k$ and $r$ (computed as $\sum_{i=1}^N r_i e_i$) such that
$$b_1 = \mathrm{Com}^e_{ck}((t_1, \ldots, t_k), t_0) \quad \text{and} \quad b_2 = \prod_{i=1}^k h_i^{t_i}\, \phi_{pk}\Big(\prod_{i=1}^N c_i^{e_i}, r\Big).$$

Note that the protocol and the proposition below are quite general; they apply for all the usual homomorphic cryptosystems, any shuffle-friendly map, and any number of ciphertexts shuffled in parallel (this is considered as a separate case in [21]). It even applies to mixed settings where ciphertexts from different cryptosystems are shuffled in parallel. To state the security properties of the protocol we need to define a relation that captures a shuffle.

Definition 16. Let $pk \in PK$, let $\phi_{pk}$ be a shuffle-friendly map for $pk$. Then we define the shuffle relation $R^{shuf}_{\phi_{pk}}$ to consist of all pairs of the form $\big((pk, c_{[N]}, c_{[N]}'), (\pi, r_{[N]})\big)$ with $c_i' = \phi_{pk}(c_{\pi(i)}, r_{\pi(i)})$.

In the proposition we consider the relation $R^{shuf}_{\phi_{pk}} \vee R^{twin}_{ck} \vee R^{perm}_{ck}$. In general, for two relations $R_1$ and $R_2$, the relation $R_1 \vee R_2$ denotes the relation consisting of all pairs $((x_1, x_2), w)$ such that $(x_1, w) \in R_1$ or $(x_2, w) \in R_2$.

Proposition 17. Let the subprotocols be overwhelmingly complete sigma protocols for the relations $R^{eq}_{ck,pk} \vee R^{twin}_{ck}$ and $R^{map}_{\phi_{pk}}$ respectively, and let the commitment scheme be statistically hiding. Then for every $pk \in PK$ and $ck \in CK$, the protocol is a public-coin honest verifier statistical zero-knowledge proof of the relation $R^{shuf}_{\phi_{pk}} \vee R^{twin}_{ck} \vee R^{perm}_{ck}$ with negligible soundness error, and it is overwhelmingly complete for witnesses of $R^{shuf}_{\phi_{pk}}$. It is a proof of knowledge with negligible knowledge error of a string $w$ such that $R^{shuf}_{\phi_{pk}}\big((pk, c_{[N]}, c_{[N]}'), (w, r_{[N]})\big) = 1$ for some randomness $r_{[N]} \in R_{pk}$, $R^{twin}_{ck}(ck, w) = 1$, or $R^{perm}_{ck}(ck, w) = 1$, where we use the notation for inputs to the protocol as defined above.

Remark 18. It is observed in [30] that it does not suffice that a proof of a re-encryption and permutation shuffle is sound to be used in a provably secure mix-net. The permutation used by the mix-server to shuffle must also be extractable. However, extracting the permutation suffices.

A proof of the proposition is given in Appendix A. The basic idea is explained already in Section 2.1, except that in the general case the order $q$ of the maximal cyclic subgroup of $C_{pk}$ may not be prime or may even be unknown. Note that if $q$ is not prime, then the random vectors are in fact defined over a ring and not over a field, and consequently they are not vectors at all.
Thus, not all elements are invertible, which potentially is a problem when trying to find a linear combination of the random vectors equal to any standard unit vector, which is needed to extract a witness. Since we assume that all factors of the order of $C_{pk}$ are large and all elements that must be inverted are random, this is not a problem and a witness can be extracted. However, if it is infeasible to compute the factorization of the order of $C_{pk}$, or if the order itself is unknown, then this seems difficult. Fortunately, it suffices for the overall security of the mix-net that only the permutation can be extracted.

4 Application To Mix-Nets

At this point the reader should be comfortable with the idea that a proof of a shuffle can be split into a relatively costly offline part (Protocol 7) and a very efficient online part (Protocol 15), but how exactly do they fit into a mix-net?

Below we give a brief informal description of a mix-net based on the El Gamal cryptosystem over a group $G_p$ of prime order $p$. This illustrates how our protocols are used and gives an idea of the complexity of a complete mix-net using our approach.

Offline Phase.

1. The mix-servers, $M_1, \ldots, M_k$, run a distributed key generation protocol to generate a joint public key $(g, y)$ such that the corresponding secret key $x$, with $y = g^x$, is secret shared among the mix-servers.
2. $M_j$ chooses $r_{j,i} \in \mathbb{Z}_p$ randomly and computes $(g^{r_{j,i}}, y^{r_{j,i}})$ for $i = 1, \ldots, N$.
3. $M_j$ chooses a random permutation $\pi_j \in S_N$, publishes a permutation commitment $a_j = \mathrm{Com}^\pi(\pi_j)$, and proves knowledge of the committed permutation using Protocol 7 (and verifies the proofs of knowledge of all other mix-servers).

Online Phase.

4. $S_i$ chooses $r_i \in \mathbb{Z}_p$ randomly, computes $(u_{0,i}, v_{0,i}) = E_{(g,y)}(m_i, r_i)$, where $m_i \in \mathbb{Z}_p$ is its message, and publishes this ciphertext.
5. Let $L_0 = (u_{0,i}, v_{0,i})_{i=1}^N$ be the input ciphertexts. For $l = 1, \ldots, k$:
   (a) If $l = j$, then $M_j$ computes $(u_{j,i}, v_{j,i}) = (g^{r_{j,i}} u_{j-1,\pi_j(i)},\ y^{r_{j,i}} v_{j-1,\pi_j(i)})$, publishes $L_j = (u_{j,i}, v_{j,i})_{i=1}^N$, and proves using Protocol 15 that $L_{j-1}$ and $L_j$ are consistent with $a_j$.
   (b) If $l \neq j$, then $M_j$ verifies the proof of $M_l$, i.e., that $L_{l-1}$ and $L_l$ are consistent with $a_l$.
6. The mix-servers perform a threshold decryption of $L_k$ using their shares of $x$ and output the list of plaintexts $(m_{\pi(1)}, \ldots, m_{\pi(N)})$, where $\pi = \pi_k \circ \cdots \circ \pi_1$.

The random challenges needed in the subprotocols are generated jointly using a coin-flipping protocol over a broadcast channel or bulletin board. Thus, all verifiers jointly either accept or reject proofs.

It is natural to ask why the security property of our commitment-consistent proof suffices, since it is sound for $R^{shuf}_{\phi_{pk}} \vee R^{twin}_{ck} \vee R^{perm}_{ck}$ and not for $R^{shuf}_{\phi_{pk}}$. This follows from the proof of knowledge property. For any successful prover there exists an extractor that outputs: a valid permutation $\pi$ used to shuffle, a witness for $R^{twin}_{ck}$, or a witness for $R^{perm}_{ck}$.
The second type of output directly contradicts the security of the commitment scheme. The third type of output, combined with knowledge of how to open $a_j$ (such an opening can be extracted during the offline phase), also contradicts the security of the commitment scheme. Thus, in a simulation the extractor outputs the permutation with overwhelming probability, which suffices to prove the overall security of the mix-net.

Depending on the secret sharing threshold, all mix-servers may not need to shuffle the ciphertexts, and there are obvious ways to avoid the assumption that all senders submit an input.

Many details are of course missing from the above description, but in the El Gamal case all subprotocols missing from the description are available. Distributed key generation can be done using Feldman and Pedersen secret sharing [11, 24]. The submission of inputs must allow extraction of the plaintexts of corrupt senders without using the secret key of the cryptosystem. This can be done [31] based on the Cramer-Shoup cryptosystem [8] in such a way that each mix-server essentially pays the cost of checking the validity of $N$ Cramer-Shoup ciphertexts. Batch techniques [4] can be used to reduce this further if most ciphertexts are expected to be valid, and validity checks can be done concurrently with receiving new ciphertexts. Random challenges can be generated using Pedersen verifiable secret sharing [24]. The sharing phase of many coins can be pre-computed, but since we only need a small number of bits in each challenge this type of optimization does not give much. Finally, during threshold decryption each mix-server must exponentiate $N$ group elements to decrypt, but proving that this was done correctly can be done using batch proofs [4].

To summarize, the online running time of the mix-net is roughly the time to: validate $N$ Cramer-Shoup ciphertexts, run the prover or verifier of $k$ commitment-consistent proofs of shuffles of lists of ciphertexts of length $N$, decrypt $N$ El Gamal ciphertexts, and prove or verify correctness of joint decryption, which is done using a batch proof.

Recall that $\kappa_e$ denotes the bit-size of elements in random vectors, $\kappa_c$ denotes the bit-size of challenges, and $\kappa_r$ decides the statistical error in simulations and also the completeness of our subprotocols. For practical security parameters, e.g., $\kappa = 1024$, $\kappa_e = \kappa_c = 80$ and $\kappa_r = 20$, we estimate the complexity of our protocol to $N/2$ square-and-multiply exponentiations. This can be reduced by a factor of $1/5$ if simultaneous exponentiation [20] is used, giving a complexity corresponding to $N/10$ square-and-multiply exponentiations (see Appendix C for details). Thus, our commitment-consistent proof of a shuffle is several times faster in the online phase than any of the known proofs of shuffles.
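Steps 1 to 6 of the mix-net description above, as an added Python example (my code, not the paper's or any implementation of it): each mix-server precomputes its re-encryption factors $(g^{r_{j,i}}, y^{r_{j,i}})$ and its permutation offline, so that the online shuffle of step 5(a) costs only $2N$ multiplications per server. Assumptions: a constructed toy Schnorr group with $P = 2039$, $Q = 1019$ and generator $4$ (far too small for real use); a single secret key standing in for the distributed key generation of step 1 and the threshold decryption of step 6; and the permutation commitments and proofs of steps 3 and 5 are left out. The function and class names are mine.

```python
import random

# Constructed toy parameters (NOT secure): P = 2Q + 1 with Q prime, G_Q = <4> of order Q in Z_P^*.
P, Q, G = 2039, 1019, 4

def keygen(rng):
    """Stand-in for the distributed key generation of step 1: one party holds x, y = g^x."""
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)

def encrypt(y, m, r):
    """El Gamal encryption E_(g,y)(m, r) = (g^r, y^r m); the message m must lie in G_Q."""
    return (pow(G, r, P), pow(y, r, P) * m % P)

def decrypt(x, ct):
    u, v = ct
    return v * pow(u, Q - x, P) % P   # u^{-x} = u^{Q-x} because u has order dividing Q

class MixServer:
    def __init__(self, y, n, rng):
        # Offline phase, step 2: the factors (g^r, y^r) cost 2N exponentiations but depend
        # only on the public key, so they are computed before any ciphertext arrives.
        rs = [rng.randrange(1, Q) for _ in range(n)]
        self.factors = [(pow(G, r, P), pow(y, r, P)) for r in rs]
        # Offline phase, step 3: the secret permutation (its commitment and proof are omitted).
        self.perm = list(range(n))
        rng.shuffle(self.perm)

    def shuffle(self, ciphertexts):
        """Online phase, step 5(a): output i is a re-encryption of input perm[i].
        Only 2N multiplications remain online; no exponentiation is needed."""
        out = []
        for i, (gr, yr) in enumerate(self.factors):
            u, v = ciphertexts[self.perm[i]]
            out.append((gr * u % P, yr * v % P))
        return out

def run_mixnet(messages, k, seed=1):
    """Run k mix-servers over the given plaintexts (elements of G_Q). Returns the output
    plaintext list and the overall permutation pi, where output i carries messages[pi[i]]."""
    rng = random.Random(seed)
    x, y = keygen(rng)
    n = len(messages)
    servers = [MixServer(y, n, rng) for _ in range(k)]             # offline phase
    L = [encrypt(y, m, rng.randrange(1, Q)) for m in messages]     # step 4: senders publish L_0
    for srv in servers:                                            # step 5: L_1, ..., L_k
        L = srv.shuffle(L)
    plaintexts = [decrypt(x, ct) for ct in L]                      # step 6 (single key, see lead-in)
    # Output position i of server j holds input position perm_j[i] of L_{j-1}, so the
    # overall permutation maps i to perm_1[perm_2[...perm_k[i]]].
    pi = list(range(n))
    for srv in reversed(servers):
        pi = [srv.perm[pi[i]] for i in range(n)]
    return plaintexts, pi

MESSAGES = [pow(m, 2, P) for m in (2, 3, 5, 7, 11)]   # constructed sample: squares mod P lie in G_Q

if __name__ == "__main__":
    out, pi = run_mixnet(MESSAGES, 3)
    print(out, pi)
```

The check a practitioner wants is that the output list is exactly the input plaintexts reordered by the composed permutation, which is what the commitment-consistent proof of step 5(a) lets a verifier confirm for each server without learning that server's permutation. In this toy run the online work per server is $2N$ multiplications; the proof adds the roughly $N/10$ exponentiations estimated above.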
As far as we know this makes our mix-net faster in the online phase than any previous mix-net.

5 Acknowledgments

We thank Jun Furukawa and Andy Neff for helpful comments.

References

[1] M. Abe and H. Imai. Flaws in some robust optimistic mix-nets. In Australasian Conference on Information Security and Privacy (ACISP 2003), volume 2727 of Lecture Notes in Computer Science. Springer Verlag.

[2] B. Adida and D. Wikström. How to shuffle in public. In 4th Theory of Cryptography Conference (TCC), volume 4392 of Lecture Notes in Computer Science. Springer Verlag.

[3] B. Adida and D. Wikström. Offline/online mixing. In 34th International Colloquium on Automata, Languages and Programming (ICALP), volume 4596 of Lecture Notes in Computer Science. Springer Verlag.

[4] M. Bellare, J.A. Garay, and T. Rabin. Batch verification with applications to cryptography and checking. In LATIN, volume 1380 of Lecture Notes in Computer Science. Springer Verlag.

[5] J. Benaloh and D. Tuinstra. Receipt-free secret-ballot elections. In 26th ACM Symposium on the Theory of Computing (STOC). ACM Press.

[6] D. Chaum. Untraceable electronic mail, return addresses and digital pseudonyms. Communications of the ACM, 24(2):84-88.

[7] R. Cramer, I. Damgård, and B. Schoenmakers. Proofs of partial knowledge and simplified design of witness hiding protocols. In Advances in Cryptology (Crypto 94), volume 839 of Lecture Notes in Computer Science. Springer Verlag.

[8] R. Cramer and V. Shoup. A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In Advances in Cryptology (Crypto 98), volume 1462 of Lecture Notes in Computer Science. Springer Verlag.

[9] I. Damgård and E. Fujisaki. A statistically-hiding integer commitment scheme based on groups with hidden order. In Advances in Cryptology (Asiacrypt 2002), volume 2501 of Lecture Notes in Computer Science. Springer Verlag.

[10] Y. Desmedt and K. Kurosawa. How to break a practical MIX and design a new one. In Advances in Cryptology (Eurocrypt 2000), volume 1807 of Lecture Notes in Computer Science. Springer Verlag.

[11] P. Feldman. A practical scheme for non-interactive verifiable secret sharing. In 28th IEEE Symposium on Foundations of Computer Science (FOCS). IEEE Computer Society Press.

[12] E. Fujisaki and T. Okamoto. Statistical zero knowledge protocols to prove modular polynomial relations. In Advances in Cryptology (Crypto 97), volume 1294 of Lecture Notes in Computer Science. Springer Verlag.

[13] J. Furukawa, H. Miyauchi, K. Mori, S. Obana, and K. Sako. An implementation of a universally verifiable electronic voting scheme based on shuffling. In Financial Cryptography 2002, volume 2357 of Lecture Notes in Computer Science. Springer Verlag.

[14] J. Furukawa and K. Sako. An efficient scheme for proving a shuffle. In Advances in Cryptology (Crypto 2001), volume 2139 of Lecture Notes in Computer Science. Springer Verlag.

[15] T. El Gamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31(4).

[16] T. Granlund. GNU multiple precision arithmetic library (GMP). Software, March.

[17] T. Granlund. Private communication, March.

[18] J. Groth. A verifiable secret shuffle of homomorphic encryptions. In Public Key Cryptography (PKC 2003), volume 2567 of Lecture Notes in Computer Science. Springer Verlag.

[19] M. Jakobsson, A. Juels, and R. Rivest. Making mix nets robust for electronic voting by randomized partial checking. In 11th USENIX Security Symposium. USENIX.

[20] A. Menezes, P. Oorschot, and S. Vanstone. Handbook of Applied Cryptography. CRC Press.

[21] A. Neff. A verifiable secret shuffle and its application to e-voting. In 8th ACM Conference on Computer and Communications Security (CCS). ACM Press.

[22] A. Neff. Private communication, May.

[23] P. Paillier. Public-key cryptosystems based on composite degree residuosity classes. In Advances in Cryptology (Eurocrypt 99), volume 1592 of Lecture Notes in Computer Science. Springer Verlag.

[24] T. P. Pedersen. Non-interactive and information-theoretic secure verifiable secret sharing. In Advances in Cryptology (Crypto 91), volume 576 of Lecture Notes in Computer Science. Springer Verlag.

[25] B. Pfitzmann. Breaking an efficient anonymous channel. In Advances in Cryptology (Eurocrypt 94), volume 950 of Lecture Notes in Computer Science. Springer Verlag.

[26] D. Pointcheval and J. Stern. Security arguments for digital signatures and blind signatures. Journal of Cryptology, 13(3).

[27] K. Sako and J. Kilian. Receipt-free mix-type voting scheme. In Advances in Cryptology (Eurocrypt 95), volume 921 of Lecture Notes in Computer Science. Springer Verlag.

[28] D. Wikström. Five practical attacks for optimistic mixing for exit-polls. In Selected Areas in Cryptography (SAC 2003), volume 3006 of Lecture Notes in Computer Science. Springer Verlag.

[29] D. Wikström. A universally composable mix-net. In 1st Theory of Cryptography Conference (TCC), volume 2951 of Lecture Notes in Computer Science. Springer Verlag.

[30] D. Wikström. A sender verifiable mix-net and a new proof of a shuffle. In Advances in Cryptology (Asiacrypt 2005), volume 3788 of Lecture Notes in Computer Science. Springer Verlag.

[31] Douglas Wikström. Simplified submission of inputs to protocols. Cryptology ePrint Archive, Report 2006/259.

A Omitted Proofs

Proof of Proposition 3. In both schemes, if two distinct valid openings can be computed, then we can write $g^{b} \prod_{i=1}^N g_i^{b_i} = 1$ for some $b, b_1, \ldots, b_N \in \mathbb{Z}_p$, where not all are zero. It is well known and easy to see that this contradicts the DL assumption. For a commitment $(a_1, \ldots, a_N) = \mathrm{Com}_{ck}(\pi, (r_1, \ldots, r_N))$, where $ck = (g_1, \ldots, g_N)$, we have $\prod_{i=1}^N a_i^{e_i} = g^{\sum_{i=1}^N r_i e_i} \prod_{i=1}^N g_i^{e_{\pi(i)}}$, which equals a commitment computed as $\mathrm{Com}^e_{ck}((e_{\pi(1)}, \ldots, e_{\pi(N)}), \sum_{i=1}^N r_i e_i)$. This proves the second claim.

Proof of Proposition 8. The first claim is obvious. The zero-knowledge simulator picks $b_1, \ldots, b_N \in G_p$ randomly and then invokes the simulators of the batch proof and the proof of a shuffle. A standard hybrid argument shows that the resulting distribution is polynomially indistinguishable from the distribution of a real interaction, under the DDH assumption.

Proof of Proposition 17. The zero-knowledge simulator chooses $z$ randomly as in the protocol, chooses $t_0 \in R^e_{ck}$ and $b_2 \in C_{pk}$ randomly, computes $b_1 = \mathrm{Com}^e_{ck}((0, \ldots, 0), t_0)$, and then invokes the statistical zero-knowledge simulators of the subprotocols. Due to the statistical zero-knowledge of the commitment scheme the resulting distribution is statistically close to the distribution of a real interaction.

Suppose that we, by repeatedly invoking the extractors of the subprotocols, manage to extract $N$ different $e_j = (e_{j,1}, \ldots, e_{j,N})$ with distinct components and exponents $t_{j,0}, \ldots, t_{j,k}$ and $e'_{j,0}, \ldots, e'_{j,N}$ satisfying

$b_{j,1} = \mathrm{Com}^e_{ck}((t_{j,1}, \ldots, t_{j,k}), t_{j,0})$, $\quad b_{j,2} = \prod_{i=1}^k h_i^{t_{j,i}} \prod_{i=1}^N (c'_i)^{e_{j,i}}$, $\quad$ and $\quad a'_j = \mathrm{Com}^e_{ck}((e'_{j,1}, \ldots, e'_{j,N}), e'_{j,0})$,

where $a'_j = \mathrm{Map}_{ck}(a, (e_{j,1}, \ldots, e_{j,N}))$, and exponents $t'_{j,0}, \ldots, t'_{j,k}$ and $r_j$ satisfying

$b_{j,1} = \mathrm{Com}^e_{ck}((t'_{j,1}, \ldots, t'_{j,k}), t'_{j,0})$ $\quad$ and $\quad b_{j,2} = \prod_{i=1}^k h_i^{t'_{j,i}} \, \phi_{pk}\Big(\prod_{i=1}^N c_i^{e_{j,i}}, r_j\Big)$,

for $j = 1, \ldots, N$. The witness extracted from a subprotocol may be a witness of $R^{\mathrm{twin}}_{ck}$, in which case we are done. From now on we assume that this is not the case.
If it is not the case that $(t_{j,1}, \ldots, t_{j,k}) = (t'_{j,1}, \ldots, t'_{j,k})$ for all $j = 1, \ldots, N$, then we have found two distinct openings of a commitment $b_{j,1}$, i.e., a witness for $ck$ with respect to the relation $R^{\mathrm{twin}}_{ck}$. Thus, we may drop the prime symbol and simply write $(t_{j,1}, \ldots, t_{j,k})$. If it is not the case that $e'_{j,i} = e_{j,\pi(i)}$ for some fixed permutation $\pi$ and all $j = 1, \ldots, N$ and $i = 1, \ldots, N$, then we have found a witness for $ck$ with respect to the relation $R^{\mathrm{perm}}_{ck}$. Thus, we assume that the same permutation $\pi$ appears for every list and simply write $(e_{j,\pi(1)}, \ldots, e_{j,\pi(N)})$ instead of $(e'_{j,1}, \ldots, e'_{j,N})$.

We conclude that $\prod_{i=1}^N (c'_i)^{e_{j,\pi(i)}} = \phi_{pk}\big(\prod_{i=1}^N c_i^{e_{j,i}}, r_j\big)$ for $j = 1, \ldots, N$. We have now extracted a permutation $\pi$ (the extractor only needs to extract a single list $(e_{j,\pi(1)}, \ldots, e_{j,\pi(N)})$ to find $\pi$). It remains to prove that with overwhelming probability there exists $(r_1, \ldots, r_N)$ such that $(\pi, r_1, \ldots, r_N)$ is a witness for $R^{\mathrm{shuf}}_{\phi_{pk}}$. Suppose that for every $l = 1, \ldots, N$, there exist $x_{l,1}, \ldots, x_{l,N} \in \mathbb{Z}_q$, where $q$ is the order of the maximal cyclic subgroup of $C_{pk}$, such that $\sum_{j=1}^N x_{l,j} e_j$ is the $l$th standard unit vector in $\mathbb{Z}_q^N$ (since $\mathbb{Z}_q$ is not a field, this is not a vector space). We conclude that

$c'_{\pi^{-1}(l)} = \prod_{j=1}^N \Big(\prod_{i=1}^N (c'_i)^{e_{j,\pi(i)}}\Big)^{x_{l,j}} = \prod_{j=1}^N \Big(\phi_{pk}\big(\prod_{i=1}^N c_i^{e_{j,i}}, r_j\big)\Big)^{x_{l,j}} = \phi_{pk}\Big(\prod_{j=1}^N \big(\prod_{i=1}^N c_i^{e_{j,i}}\big)^{x_{l,j}}, \; \prod_{j=1}^N r_j^{x_{l,j}}\Big) = \phi_{pk}\Big(c_l, \; \prod_{j=1}^N r_j^{x_{l,j}}\Big)$,

where the third equality follows from the linearity of the shuffle map $\phi_{pk}$. Thus, we have $c'_l = \phi_{pk}(c_{\pi(l)}, r_{\pi(l)})$ for some $r_{\pi(l)}$, $l = 1, \ldots, N$, as expected. We stress that we do not claim that the $x_{l,i}$ values can be computed. In fact, when the order $q$ of the largest cyclic subgroup of $C_{pk}$ is not known, then it seems very hard to compute such values.

To prove soundness and that the knowledge error is negligible, it remains to show that we can extract the values described at the beginning of the proof with high probability. First we note that without loss we can combine the two subprotocols into a single protocol by exploiting their special soundness and zero-knowledge properties, i.e., we may use the same challenge for both protocols.

Consider the following thought experiment. For any prover $P$, we construct a new prover $P^+$ that honestly chooses $(e_1, \ldots, e_N)$ instead of the verifier, and then invokes $P$. The new prover obviously takes part in a different protocol, but we can still consider the problem of extracting two accepting interactions with distinct challenges from $P^+$.
A standard rewinding argument (see for example Lemma 8 in [26]) shows that there exists a polynomial $T(\kappa)$ and an extractor $X_0$ such that if the success probability of $P$ is at least $\delta(\kappa)$, then $X_0$ outputs, in expected time $O(T(\kappa)/(\delta(\kappa) - 2^{-\kappa_c}))$, a list $(e_{j,1}, \ldots, e_{j,N})$, $t_{j,0}, \ldots, t_{j,k}$, and $r_j$ satisfying our requirements for $j = 1, \ldots, N$. We let the extractor $X_1$ invoke the extractor $X_0$ exactly $N$ times and output the extracted set of values. It is clear that $X_1$ runs in expected time $O(N T(\kappa)/(\delta(\kappa) - 2^{-\kappa_c}))$. We claim that if $\delta(\kappa)$ is not too small, then with positive probability the lists $(e_{j,1}, \ldots, e_{j,N})$ output by $X_0$ determine a witness of $R^{\mathrm{map}}_{\phi_{pk}}$. We remind the reader that we do not claim that such a witness can be extracted efficiently, only that it exists, and we prove that it exists by showing that there exists a non-efficient extraction procedure that outputs it with high probability.

In the protocol, the list $(e_1, \ldots, e_N)$ is derived from a small random seed $z$ using a PRG. We first analyze an idealized setting where the output from the PRG is perfectly random and then show that using a PRG is almost as good. If a list $(e_1, \ldots, e_N)$ satisfies $e_i \neq e_{i'}$ for all $i \neq i'$, then we say that it is internally unique. It is easy to see that a randomly chosen list $(e_1, \ldots, e_N) \in [0, 2^{\kappa_e} - 1]^N$ is not internally unique with probability at most $N^2 2^{-\kappa_e}$. We say that some lists $e_1, \ldots, e_j$ are in general position, if the set of linear combinations of these lists with coefficients in $\mathbb{Z}_q$ contains lists of the following form:

$e'_1 = (1, 0, 0, \ldots, 0, e'_{1,j+1}, \ldots, e'_{1,N})$
$e'_2 = (0, 1, 0, \ldots, 0, e'_{2,j+1}, \ldots, e'_{2,N})$
$\vdots$
$e'_j = (0, 0, 0, \ldots, 1, e'_{j,j+1}, \ldots, e'_{j,N})$.

Suppose that some lists $e_1, \ldots, e_j$ in general position are given and consider the probability that a randomly chosen list $e_{j+1}$ can be used to extend the set of lists in general position. By construction, $e_{j+1,j+1}$ is randomly chosen in $[0, 2^{\kappa_e} - 1]$, where $2^{\kappa_e}$ is smaller than any factor of $q$ (the maximal order of any cyclic subgroup of $C_{pk}$), and there are obviously at most $\kappa/\kappa_e$ factors in $q$. Thus, from independence we conclude that the probability that $e_{j+1,j+1} - \sum_{l=1}^{j} e'_{l,j+1} e_{j+1,l}$ is not invertible modulo $q$ is bounded by $(\kappa/\kappa_e) 2^{-\kappa_e}$. Thus, the probability that a randomly chosen list can not be used to extend the sequence of lists in general position is bounded by $(\kappa/\kappa_e) 2^{-\kappa_e}$.

In the protocol, the list $(e_1, \ldots, e_N)$ is derived from a random seed. If this would change the probabilities derived above by more than a negligible amount, then we could obviously break the PRG. Thus, using a PRG, the probability that the list $e_{j+1}$ is not internally unique or does not extend the set of lists in general position is bounded by $N(N + \kappa/\kappa_e) 2^{-\kappa_e} + \epsilon_0(\kappa)$ for some negligible function $\epsilon_0(\cdot)$. Suppose now that the first $j$ calls to $X_0$ resulted in internally unique lists in general position.
Then during the next call to the extractor $X_0$, the expected number of sampled lists is bounded by $X_0$'s expected running time $O(T(\kappa)/(\delta(\kappa) - 2^{-\kappa_c}))$, which means that the expected number of generated lists that are either not internally unique or do not extend the already existing set of lists in general position is bounded by $O((N(N + \kappa/\kappa_e) 2^{-\kappa_e} + \epsilon_0(\kappa)) T(\kappa)/(\delta(\kappa) - 2^{-\kappa_c}))$. Thus, the probability that some list output by $X_1$ is not internally unique, or that the lists are not in general position, is upper bounded by $O((N(N + \kappa/\kappa_e) 2^{-\kappa_e} + \epsilon_0(\kappa)) 2^{\kappa_e} T(\kappa)/(\delta(\kappa) - 2^{-\kappa_c}))$. This is negligible for a non-negligible $\delta(\kappa)$, which concludes the proof of soundness.

B Proof of Equal Exponents For Pedersen Commitments

We provide a detailed description and analysis of the proof of equal exponents for the solution based on Pedersen commitments.

Protocol 19 (Proof of Equal Exponents).

Common Input: A public key $pk$ of a cryptosystem $CS$, a generating set $\{h_1, \ldots, h_k\}$ of $C_{pk}$, a cyclic group $G_q$ that has the same order $q$ as the largest cyclic subgroup of $C_{pk}$, generators $g, g_1, \ldots, g_N$ of $G_q$, a commitment of exponents $a \in G_q$, ciphertexts $(c_1, \ldots, c_N) \in C_{pk}^N$, and a commitment $(b_1, b_2)$, where $b_1 \in G_q$ and $b_2 \in C_{pk}$.

Private Input: Exponents $e_1, \ldots, e_N \in [0, 2^{\kappa_e} - 1]$ and $s_0, \ldots, s_k, e_0 \in \mathbb{Z}_q$ such that $a = g^{e_0} \prod_{i=1}^N g_i^{e_i}$, $b_1 = g^{s_0} \prod_{i=1}^k g_i^{s_i}$, and $b_2 = \prod_{i=1}^k h_i^{s_i} \prod_{i=1}^N c_i^{e_i}$.

1. $P$ chooses $t_1, \ldots, t_N \in [0, 2^{\kappa_e + \kappa_c + \kappa_r} - 1]$ and $t_0, l_0, \ldots, l_k \in \mathbb{Z}_q$ randomly, and computes and hands to $V$ the following elements:
$\alpha = g^{t_0} \prod_{i=1}^N g_i^{t_i}$, $\quad \beta_1 = g^{l_0} \prod_{i=1}^k g_i^{l_i}$, $\quad$ and $\quad \beta_2 = \prod_{i=1}^k h_i^{l_i} \prod_{i=1}^N c_i^{t_i}$.

2. $V$ chooses a challenge $c \in [0, 2^{\kappa_c} - 1]$ randomly and hands it to $P$.

3. $P$ computes and hands to $V$ the following replies:
$d_0 = c e_0 + t_0 \bmod q$, $\quad d_i = c e_i + t_i \bmod 2^{\kappa_e + \kappa_c + \kappa_r}$ for $i = 1, \ldots, N$, $\quad$ and $\quad f_i = c s_i + l_i \bmod q$ for $i = 0, \ldots, k$.

4. $V$ checks that
$g^{d_0} \prod_{i=1}^N g_i^{d_i} = a^c \alpha$, $\quad g^{f_0} \prod_{i=1}^k g_i^{f_i} = b_1^c \beta_1$, $\quad$ and $\quad \prod_{i=1}^k h_i^{f_i} \prod_{i=1}^N c_i^{d_i} = b_2^c \beta_2$. $\quad$ (1)

Note that the prover can pre-compute $\alpha$, and the cost of computing $\beta_1$ may be ignored when $N$ is much larger than $k$. Thus, the prover must essentially compute $\beta_2$ in the online phase. The verifier on the other hand must perform its verifications for both $\alpha$ and $\beta_2$ in the online phase.

Proposition 20. Suppose that $q = \prod_{i=1}^t p_i$ with $p_i > 2^{\kappa_c}$. Then the protocol is an overwhelmingly complete sigma protocol for $R^{\mathrm{eq}}_{ck,pk}$.

Proof. The zero-knowledge simulator chooses $c \in [0, 2^{\kappa_c} - 1]$, $d_0$ and $f_i \in \mathbb{Z}_q$ for $i = 0, \ldots, k$, and $d_i \in [0, 2^{\kappa_e + \kappa_c + \kappa_r} - 1]$ for $i = 1, \ldots, N$ randomly, and defines $\alpha$, $\beta_1$ and $\beta_2$ by Equation (1). The resulting simulation is perfectly distributed, but due to the reduction modulo $2^{\kappa_e + \kappa_c + \kappa_r}$ the protocol only has overwhelming completeness.

Suppose that accepting interactions $(\alpha, \beta_1, \beta_2, c, d_0, \ldots, d_N, f_0, \ldots, f_k)$ and $(\alpha, \beta_1, \beta_2, c', d'_0, \ldots, d'_N, f'_0, \ldots, f'_k)$ with $c \neq c'$ are given. By construction $|c - c'| < 2^{\kappa_c} < p_i$ for each factor $p_i$ of $q$. Thus, $c - c'$ is invertible modulo $q$.
Furthermore, since $q$ is the order of the largest cyclic subgroup of $C_{pk}$, the orders $q_a$, $q_{b_1}$, and $q_{b_2}$ of $a$, $b_1$, and $b_2$ respectively divide $q$. Thus, $((c - c')^{-1} \bmod q) \equiv (c - c')^{-1} \pmod{q_a}$, and correspondingly for $q_{b_1}$ and $q_{b_2}$. This implies that we may set $e_i = (c - c')^{-1}(d_i - d'_i) \bmod q$ and $s_i = (c - c')^{-1}(f_i - f'_i) \bmod q$, and conclude that $a = g^{e_0} \prod_{i=1}^N g_i^{e_i}$, $b_1 = g^{s_0} \prod_{i=1}^k g_i^{s_i}$, and $b_2 = \prod_{i=1}^k h_i^{s_i} \prod_{i=1}^N c_i^{e_i}$.


RSA /2002/13(08) , ); , ) RSA RSA : RSA RSA [2] , [1,4]

RSA /2002/13(08) , ); , )     RSA RSA : RSA RSA [2] , [1,4] 1000-9825/2002/13(081729-06 2002 Journal of Software Vol13, No8 RSA 1,2 1, 1 (, 200433; 2 (, 200070 E-mal: yfhu@fudaneducn http://wwwfudaneducn : RSA RSA :, ; RSA,,, RSA,, : ; RSA ; ;RSA; : TP309 : A RSA

More information

HMMT February 2016 February 20, 2016

HMMT February 2016 February 20, 2016 HMMT February 016 February 0, 016 Combnatorcs 1. For postve ntegers n, let S n be the set of ntegers x such that n dstnct lnes, no three concurrent, can dvde a plane nto x regons (for example, S = {3,

More information

Notes on Frequency Estimation in Data Streams

Notes on Frequency Estimation in Data Streams Notes on Frequency Estmaton n Data Streams In (one of) the data streamng model(s), the data s a sequence of arrvals a 1, a 2,..., a m of the form a j = (, v) where s the dentty of the tem and belongs to

More information

Grover s Algorithm + Quantum Zeno Effect + Vaidman

Grover s Algorithm + Quantum Zeno Effect + Vaidman Grover s Algorthm + Quantum Zeno Effect + Vadman CS 294-2 Bomb 10/12/04 Fall 2004 Lecture 11 Grover s algorthm Recall that Grover s algorthm for searchng over a space of sze wors as follows: consder the

More information

A new construction of 3-separable matrices via an improved decoding of Macula s construction

A new construction of 3-separable matrices via an improved decoding of Macula s construction Dscrete Optmzaton 5 008 700 704 Contents lsts avalable at ScenceDrect Dscrete Optmzaton journal homepage: wwwelsevercom/locate/dsopt A new constructon of 3-separable matrces va an mproved decodng of Macula

More information

Edge Isoperimetric Inequalities

Edge Isoperimetric Inequalities November 7, 2005 Ross M. Rchardson Edge Isopermetrc Inequaltes 1 Four Questons Recall that n the last lecture we looked at the problem of sopermetrc nequaltes n the hypercube, Q n. Our noton of boundary

More information

Numerical Heat and Mass Transfer

Numerical Heat and Mass Transfer Master degree n Mechancal Engneerng Numercal Heat and Mass Transfer 06-Fnte-Dfference Method (One-dmensonal, steady state heat conducton) Fausto Arpno f.arpno@uncas.t Introducton Why we use models and

More information

Cryptographic Protocols

Cryptographic Protocols Cryptographc Protocols Entty Authentcaton Key Agreement Fat-Shamr Identfcaton Schemes Zero-Knowledge Proof Systems Shnorr s Identfcaton/Sgnature Scheme Commtment Schemes Secret Sharng Electronc Electon

More information

Cryptanalysis of Threshold Proxy Signature Schemes 1)

Cryptanalysis of Threshold Proxy Signature Schemes 1) MM Research Preprnts, 226 233 MMRC, AMSS, Academa Snca No. 23, December 24 Cryptanalyss of Threshold Proxy Sgnature Schemes 1) Zuo-Wen Tan and Zhuo-Jun Lu Key Laboratory of Mathematcs Mechanzaton Insttute

More information

Introduction to Algorithms

Introduction to Algorithms Introducton to Algorthms 6.046J/18.401J Lecture 7 Prof. Potr Indyk Data Structures Role of data structures: Encapsulate data Support certan operatons (e.g., INSERT, DELETE, SEARCH) What data structures

More information

Stanford University CS254: Computational Complexity Notes 7 Luca Trevisan January 29, Notes for Lecture 7

Stanford University CS254: Computational Complexity Notes 7 Luca Trevisan January 29, Notes for Lecture 7 Stanford Unversty CS54: Computatonal Complexty Notes 7 Luca Trevsan January 9, 014 Notes for Lecture 7 1 Approxmate Countng wt an N oracle We complete te proof of te followng result: Teorem 1 For every

More information

arxiv: v1 [cs.cr] 22 Oct 2018

arxiv: v1 [cs.cr] 22 Oct 2018 CRYPTOGRAPHIC ANALYSIS OF THE MODIFIED MATRIX MODULAR CRYPTOSYSTEM arxv:181109876v1 [cscr] 22 Oct 2018 VITALIĬ ROMAN KOV Abstract We show that the Modfed Matrx Modular Cryptosystem proposed by SK Rososhek

More information

Speeding up Computation of Scalar Multiplication in Elliptic Curve Cryptosystem

Speeding up Computation of Scalar Multiplication in Elliptic Curve Cryptosystem H.K. Pathak et. al. / (IJCSE) Internatonal Journal on Computer Scence and Engneerng Speedng up Computaton of Scalar Multplcaton n Ellptc Curve Cryptosystem H. K. Pathak Manju Sangh S.o.S n Computer scence

More information

Lecture 5 Decoding Binary BCH Codes

Lecture 5 Decoding Binary BCH Codes Lecture 5 Decodng Bnary BCH Codes In ths class, we wll ntroduce dfferent methods for decodng BCH codes 51 Decodng the [15, 7, 5] 2 -BCH Code Consder the [15, 7, 5] 2 -code C we ntroduced n the last lecture

More information

Anti-van der Waerden numbers of 3-term arithmetic progressions.

Anti-van der Waerden numbers of 3-term arithmetic progressions. Ant-van der Waerden numbers of 3-term arthmetc progressons. Zhanar Berkkyzy, Alex Schulte, and Mchael Young Aprl 24, 2016 Abstract The ant-van der Waerden number, denoted by aw([n], k), s the smallest

More information

Calculation of time complexity (3%)

Calculation of time complexity (3%) Problem 1. (30%) Calculaton of tme complexty (3%) Gven n ctes, usng exhaust search to see every result takes O(n!). Calculaton of tme needed to solve the problem (2%) 40 ctes:40! dfferent tours 40 add

More information

Beyond Zudilin s Conjectured q-analog of Schmidt s problem

Beyond Zudilin s Conjectured q-analog of Schmidt s problem Beyond Zudln s Conectured q-analog of Schmdt s problem Thotsaporn Ae Thanatpanonda thotsaporn@gmalcom Mathematcs Subect Classfcaton: 11B65 33B99 Abstract Usng the methodology of (rgorous expermental mathematcs

More information

Fast Variants of RSA

Fast Variants of RSA Fast Varants of RSA Dan Boneh dabo@cs.stanford.edu Hovav Shacham hovav@cs.stanford.edu Abstract We survey four varants of RSA desgned to speed up RSA decrypton and sgnng. We only consder varants that are

More information

More metrics on cartesian products

More metrics on cartesian products More metrcs on cartesan products If (X, d ) are metrc spaces for 1 n, then n Secton II4 of the lecture notes we defned three metrcs on X whose underlyng topologes are the product topology The purpose of

More information

Round Efficient Unconditionally Secure Multiparty Computation Protocol

Round Efficient Unconditionally Secure Multiparty Computation Protocol Round Effcent Uncondtonally Secure Multparty Computaton Protocol Arpta Patra Ashsh Choudhary C. Pandu Rangan Department of Computer Scence and Engneerng Indan Insttute of Technology Madras Chenna Inda

More information

Perfect Competition and the Nash Bargaining Solution

Perfect Competition and the Nash Bargaining Solution Perfect Competton and the Nash Barganng Soluton Renhard John Department of Economcs Unversty of Bonn Adenauerallee 24-42 53113 Bonn, Germany emal: rohn@un-bonn.de May 2005 Abstract For a lnear exchange

More information

COS 521: Advanced Algorithms Game Theory and Linear Programming

COS 521: Advanced Algorithms Game Theory and Linear Programming COS 521: Advanced Algorthms Game Theory and Lnear Programmng Moses Charkar February 27, 2013 In these notes, we ntroduce some basc concepts n game theory and lnear programmng (LP). We show a connecton

More information

Recover plaintext attack to block ciphers

Recover plaintext attack to block ciphers Recover plantext attac to bloc cphers L An-Png Bejng 100085, P.R.Chna apl0001@sna.com Abstract In ths paper, we wll present an estmaton for the upper-bound of the amount of 16-bytes plantexts for Englsh

More information

Graph Reconstruction by Permutations

Graph Reconstruction by Permutations Graph Reconstructon by Permutatons Perre Ille and Wllam Kocay* Insttut de Mathémathques de Lumny CNRS UMR 6206 163 avenue de Lumny, Case 907 13288 Marselle Cedex 9, France e-mal: lle@ml.unv-mrs.fr Computer

More information

APPENDIX A Some Linear Algebra

APPENDIX A Some Linear Algebra APPENDIX A Some Lnear Algebra The collecton of m, n matrces A.1 Matrces a 1,1,..., a 1,n A = a m,1,..., a m,n wth real elements a,j s denoted by R m,n. If n = 1 then A s called a column vector. Smlarly,

More information

The Multiple Classical Linear Regression Model (CLRM): Specification and Assumptions. 1. Introduction

The Multiple Classical Linear Regression Model (CLRM): Specification and Assumptions. 1. Introduction ECONOMICS 5* -- NOTE (Summary) ECON 5* -- NOTE The Multple Classcal Lnear Regresson Model (CLRM): Specfcaton and Assumptons. Introducton CLRM stands for the Classcal Lnear Regresson Model. The CLRM s also

More information

PRIME NUMBER GENERATION BASED ON POCKLINGTON S THEOREM

PRIME NUMBER GENERATION BASED ON POCKLINGTON S THEOREM PRIME NUMBER GENERATION BASED ON POCKLINGTON S THEOREM Alexandros Papankolaou and Song Y. Yan Department of Computer Scence, Aston Unversty, Brmngham B4 7ET, UK 24 October 2000, Receved 26 June 2001 Abstract

More information

Comments on a secure dynamic ID-based remote user authentication scheme for multiserver environment using smart cards

Comments on a secure dynamic ID-based remote user authentication scheme for multiserver environment using smart cards Comments on a secure dynamc ID-based remote user authentcaton scheme for multserver envronment usng smart cards Debao He chool of Mathematcs tatstcs Wuhan nversty Wuhan People s Republc of Chna Emal: hedebao@63com

More information

The Order Relation and Trace Inequalities for. Hermitian Operators

The Order Relation and Trace Inequalities for. Hermitian Operators Internatonal Mathematcal Forum, Vol 3, 08, no, 507-57 HIKARI Ltd, wwwm-hkarcom https://doorg/0988/mf088055 The Order Relaton and Trace Inequaltes for Hermtan Operators Y Huang School of Informaton Scence

More information

Feature Selection: Part 1

Feature Selection: Part 1 CSE 546: Machne Learnng Lecture 5 Feature Selecton: Part 1 Instructor: Sham Kakade 1 Regresson n the hgh dmensonal settng How do we learn when the number of features d s greater than the sample sze n?

More information

Improving the Round Complexity of VSS in Point-to-Point Networks

Improving the Round Complexity of VSS in Point-to-Point Networks Improvng the Round Complexty of VSS n Pont-to-Pont Networks Jonathan Katz Chu-Yuen Koo Rant Kumaresan Abstract We revst the followng queston: what s the optmal round complexty of verfable secret sharng

More information

U.C. Berkeley CS294: Spectral Methods and Expanders Handout 8 Luca Trevisan February 17, 2016

U.C. Berkeley CS294: Spectral Methods and Expanders Handout 8 Luca Trevisan February 17, 2016 U.C. Berkeley CS94: Spectral Methods and Expanders Handout 8 Luca Trevsan February 7, 06 Lecture 8: Spectral Algorthms Wrap-up In whch we talk about even more generalzatons of Cheeger s nequaltes, and

More information

Polynomials. 1 More properties of polynomials

Polynomials. 1 More properties of polynomials Polynomals 1 More propertes of polynomals Recall that, for R a commutatve rng wth unty (as wth all rngs n ths course unless otherwse noted), we defne R[x] to be the set of expressons n =0 a x, where a

More information

NP-Completeness : Proofs

NP-Completeness : Proofs NP-Completeness : Proofs Proof Methods A method to show a decson problem Π NP-complete s as follows. (1) Show Π NP. (2) Choose an NP-complete problem Π. (3) Show Π Π. A method to show an optmzaton problem

More information

2 More examples with details

2 More examples with details Physcs 129b Lecture 3 Caltech, 01/15/19 2 More examples wth detals 2.3 The permutaton group n = 4 S 4 contans 4! = 24 elements. One s the dentty e. Sx of them are exchange of two objects (, j) ( to j and

More information

A Novel Feistel Cipher Involving a Bunch of Keys supplemented with Modular Arithmetic Addition

A Novel Feistel Cipher Involving a Bunch of Keys supplemented with Modular Arithmetic Addition (IJACSA) Internatonal Journal of Advanced Computer Scence Applcatons, A Novel Festel Cpher Involvng a Bunch of Keys supplemented wth Modular Arthmetc Addton Dr. V.U.K Sastry Dean R&D, Department of Computer

More information

CSci 6974 and ECSE 6966 Math. Tech. for Vision, Graphics and Robotics Lecture 21, April 17, 2006 Estimating A Plane Homography

CSci 6974 and ECSE 6966 Math. Tech. for Vision, Graphics and Robotics Lecture 21, April 17, 2006 Estimating A Plane Homography CSc 6974 and ECSE 6966 Math. Tech. for Vson, Graphcs and Robotcs Lecture 21, Aprl 17, 2006 Estmatng A Plane Homography Overvew We contnue wth a dscusson of the major ssues, usng estmaton of plane projectve

More information

The Minimum Universal Cost Flow in an Infeasible Flow Network

The Minimum Universal Cost Flow in an Infeasible Flow Network Journal of Scences, Islamc Republc of Iran 17(2): 175-180 (2006) Unversty of Tehran, ISSN 1016-1104 http://jscencesutacr The Mnmum Unversal Cost Flow n an Infeasble Flow Network H Saleh Fathabad * M Bagheran

More information

Linear Approximation with Regularization and Moving Least Squares

Linear Approximation with Regularization and Moving Least Squares Lnear Approxmaton wth Regularzaton and Movng Least Squares Igor Grešovn May 007 Revson 4.6 (Revson : March 004). 5 4 3 0.5 3 3.5 4 Contents: Lnear Fttng...4. Weghted Least Squares n Functon Approxmaton...

More information

Use of Sparse and/or Complex Exponents in Batch Verification of Exponentiations

Use of Sparse and/or Complex Exponents in Batch Verification of Exponentiations Use of Sparse and/or Complex Exponents n Batch Verfcaton of Exponentatons Jung Hee Cheon 1 and Dong Hoon Lee 2 1 Department of Mathematcs, Seoul Natonal Unversty jhcheon@math.snu.ac.kr, 2 Natonal Securty

More information

2E Pattern Recognition Solutions to Introduction to Pattern Recognition, Chapter 2: Bayesian pattern classification

2E Pattern Recognition Solutions to Introduction to Pattern Recognition, Chapter 2: Bayesian pattern classification E395 - Pattern Recognton Solutons to Introducton to Pattern Recognton, Chapter : Bayesan pattern classfcaton Preface Ths document s a soluton manual for selected exercses from Introducton to Pattern Recognton

More information

SL n (F ) Equals its Own Derived Group

SL n (F ) Equals its Own Derived Group Internatonal Journal of Algebra, Vol. 2, 2008, no. 12, 585-594 SL n (F ) Equals ts Own Derved Group Jorge Macel BMCC-The Cty Unversty of New York, CUNY 199 Chambers street, New York, NY 10007, USA macel@cms.nyu.edu

More information

LOW BIAS INTEGRATED PATH ESTIMATORS. James M. Calvin

LOW BIAS INTEGRATED PATH ESTIMATORS. James M. Calvin Proceedngs of the 007 Wnter Smulaton Conference S G Henderson, B Bller, M-H Hseh, J Shortle, J D Tew, and R R Barton, eds LOW BIAS INTEGRATED PATH ESTIMATORS James M Calvn Department of Computer Scence

More information

k(k 1)(k 2)(p 2) 6(p d.

k(k 1)(k 2)(p 2) 6(p d. BLOCK-TRANSITIVE 3-DESIGNS WITH AFFINE AUTOMORPHISM GROUP Greg Gamble Let X = (Z p d where p s an odd prme and d N, and let B X, B = k. Then t was shown by Praeger that the set B = {B g g AGL d (p} s the

More information

Decentralized Multi-Client Functional Encryption for Inner Product

Decentralized Multi-Client Functional Encryption for Inner Product Ths paper s a slght varant of the Extended Abstract that appears n Advances n Cryptology ASIACRYPT 2018 (December 2 6, Brsbane, Australa) Sprnger-Verlag, LNCS?????, pages??????. Decentralzed Mult-Clent

More information

Errors for Linear Systems

Errors for Linear Systems Errors for Lnear Systems When we solve a lnear system Ax b we often do not know A and b exactly, but have only approxmatons  and ˆb avalable. Then the best thng we can do s to solve ˆx ˆb exactly whch

More information

Born and raised distributively: Fully distributed non-interactive adaptively-secure threshold signatures with short shares

Born and raised distributively: Fully distributed non-interactive adaptively-secure threshold signatures with short shares Publshed n Theoretcal Computer Scence, 645: 24, 206 Born and rased dstrbutvely: Fully dstrbuted non-nteractve adaptvely-secure threshold sgnatures wth short shares Benoît Lbert Ecole Normale Supéreure

More information

Lecture 17 : Stochastic Processes II

Lecture 17 : Stochastic Processes II : Stochastc Processes II 1 Contnuous-tme stochastc process So far we have studed dscrete-tme stochastc processes. We studed the concept of Makov chans and martngales, tme seres analyss, and regresson analyss

More information

The Geometry of Logit and Probit

The Geometry of Logit and Probit The Geometry of Logt and Probt Ths short note s meant as a supplement to Chapters and 3 of Spatal Models of Parlamentary Votng and the notaton and reference to fgures n the text below s to those two chapters.

More information

Module 9. Lecture 6. Duality in Assignment Problems

Module 9. Lecture 6. Duality in Assignment Problems Module 9 1 Lecture 6 Dualty n Assgnment Problems In ths lecture we attempt to answer few other mportant questons posed n earler lecture for (AP) and see how some of them can be explaned through the concept

More information

Math 261 Exercise sheet 2

Math 261 Exercise sheet 2 Math 261 Exercse sheet 2 http://staff.aub.edu.lb/~nm116/teachng/2017/math261/ndex.html Verson: September 25, 2017 Answers are due for Monday 25 September, 11AM. The use of calculators s allowed. Exercse

More information

7. Products and matrix elements

7. Products and matrix elements 7. Products and matrx elements 1 7. Products and matrx elements Based on the propertes of group representatons, a number of useful results can be derved. Consder a vector space V wth an nner product ψ

More information

Self-complementing permutations of k-uniform hypergraphs

Self-complementing permutations of k-uniform hypergraphs Dscrete Mathematcs Theoretcal Computer Scence DMTCS vol. 11:1, 2009, 117 124 Self-complementng permutatons of k-unform hypergraphs Artur Szymańsk A. Paweł Wojda Faculty of Appled Mathematcs, AGH Unversty

More information

Complete subgraphs in multipartite graphs

Complete subgraphs in multipartite graphs Complete subgraphs n multpartte graphs FLORIAN PFENDER Unverstät Rostock, Insttut für Mathematk D-18057 Rostock, Germany Floran.Pfender@un-rostock.de Abstract Turán s Theorem states that every graph G

More information

2.3 Nilpotent endomorphisms

2.3 Nilpotent endomorphisms s a block dagonal matrx, wth A Mat dm U (C) In fact, we can assume that B = B 1 B k, wth B an ordered bass of U, and that A = [f U ] B, where f U : U U s the restrcton of f to U 40 23 Nlpotent endomorphsms

More information