A SHUFFLE ARGUMENT SECURE IN THE GENERIC MODEL

A SHUFFLE ARGUMENT SECURE IN THE GENERIC MODEL Prastudy Fauzi, Helger Lipmaa, Michal Zajac University of Tartu, Estonia ASIACRYPT 2016

OUR RESULTS A new efficient CRS-based NIZK shuffle argument

OUR RESULTS A new efficient CRS-based NIZK shuffle argument Four+ times more efficient verification than in prior work

OUR RESULTS A new efficient CRS-based NIZK shuffle argument Four+ times more efficient verification than in prior work Verification time more critical

OUR RESULTS A new efficient CRS-based NIZK shuffle argument Four+ times more efficient verification than in prior work Verification time more critical Soundness proof in the Generic Bilinear Group Model Very complicated machine-assisted proof

A BIT OF MOTIVATION: E-VOTING

A BIT OF MOTIVATION: E-VOTING Lesson from the past: It is not voters who counts, but who counts the votes - Can we get away with that? - I m 140% sure!

A BIT OF MOTIVATION: E-VOTING Lesson from the past: It is not voters who counts, but who counts the votes Anonymity Correctness - Can we get away with that? - I m 140% sure!

A BIT OF MOTIVATION: E-VOTING Lesson from the past: It is not voters who counts, but who counts the votes Anonymity Correctness Data is public (Data, source) is private - Can we get away with that? - I m 140% sure!

SIMPLE MIX-NETS

SIMPLE MIX-NETS c 1 =Enc pk (m 1 ) c 2 =Enc pk (m 2 ) c 3 =Enc pk (m 3 )

SIMPLE MIX-NETS c 1 =Enc pk (m 1 ) π, r d 1 =c π(1) c 2 =Enc pk (m 2 ) d 2 =c π(2) c 3 =Enc pk (m 3 ) d 3 =c π(3) Encryption protects against eavesdropping on the Internet

SIMPLE MIX-NETS c 1 =Enc pk (m 1 ) π, r ψ,s d 1 =c π(1) e 1 =d ψ(1) c 2 =Enc pk (m 2 ) d 2 =c π(2) e 2 =d ψ(2) c 3 =Enc pk (m 3 ) d 3 =c π(3) e 3 =d ψ(3) Encryption protects against eavesdropping on the Internet

SIMPLE MIX-NETS π, r ψ,s sk c 1 =Enc pk (m 1 ) d 1 =c π(1) e 1 =d ψ(1) c 2 =Enc pk (m 2 ) d 2 =c π(2) e 2 =d ψ(2) m ψ(π(1)) m ψ(π(2)) c 3 =Enc pk (m 3 ) d 3 =c π(3) e 3 =d ψ(3) m ψ(π(3)) Encryption protects against eavesdropping on the Internet

SIMPLE MIX-NETS Anonymity π, r ψ,s sk c 1 =Enc pk (m 1 ) d 1 =c π(1) e 1 =d ψ(1) c 2 =Enc pk (m 2 ) d 2 =c π(2) e 2 =d ψ(2) m ψ(π(1)) m ψ(π(2)) c 3 =Enc pk (m 3 ) d 3 =c π(3) e 3 =d ψ(3) m ψ(π(3)) Encryption protects against eavesdropping on the Internet Private against each individual server

SIMPLE MIX-NETS Anonymity Correctness π, r ψ,s sk c 1 =Enc pk (m 1 ) d 1 =c π(1) e 1 =d ψ(1) c 2 =Enc pk (m 2 ) d 2 =c π(2) e 2 =d ψ(2) m ψ(π(1)) m ψ(π(2)) c 3 =Enc pk (m 3 ) d 3 =c π(3) e 3 =d ψ(3) m ψ(π(3)) Encryption protects against eavesdropping on the Internet Private against each individual server Not enough: what if a server cheats?

ACCOUNTABLE MIX-NETS pk, π, r pk, ψ,s sk c 1 =Enc pk (m 1 ) d 1 =c π(1) e 1 =d ψ(1) c 2 =Enc pk (m 2 ) d 2 =c π(2) e 2 =d ψ(2) m ψ(π(1)) m ψ(π(2)) c 3 =Enc pk (m 3 ) d 3 =c π(3) e 3 =d ψ(3) m ψ(π(3))

ACCOUNTABLE MIX-NETS proof pk, π, r pk, ψ,s sk c 1 =Enc pk (m 1 ) d 1 =c π(1) e 1 =d ψ(1) c 2 =Enc pk (m 2 ) d 2 =c π(2) e 2 =d ψ(2) m ψ(π(1)) m ψ(π(2)) c 3 =Enc pk (m 3 ) Prove that shuffling was correct, send proof to the next server d 3 =c π(3) e 3 =d ψ(3) m ψ(π(3))

ACCOUNTABLE MIX-NETS proof proof c 1 =Enc pk (m 1 ) pk, π, r pk, ψ,s sk d 1 =c π(1) e 1 =d ψ(1) c 2 =Enc pk (m 2 ) c 3 =Enc pk (m 3 ) Prove that shuffling was correct, send proof to the next server d 2 =c π(2) d 3 =c π(3) Verify all previous proofs, shuffle, create your own proof e 2 =d ψ(2) e 3 =d ψ(3) m ψ(π(1)) m ψ(π(2)) m ψ(π(3))

ACCOUNTABLE MIX-NETS Anonymity Correctness proof proof c 1 =Enc pk (m 1 ) pk, π, r pk, ψ,s sk d 1 =c π(1) e 1 =d ψ(1) c 2 =Enc pk (m 2 ) d 2 =c π(2) e 2 =d ψ(2) m ψ(π(1)) m ψ(π(2)) c 3 =Enc pk (m 3 ) Prove that shuffling was correct, send proof to the next server d 3 =c π(3) Verify all previous proofs, shuffle, create your own proof e 3 =d ψ(3) Verify all proofs m ψ(π(3))

SHUFFLE ARGUMENT Shuffle argument: efficient zero knowledge argument of correctness of shuffling Mix-server permutes ciphertexts, re-encrypt them and provides a proof that he has done it correctly.

SHUFFLE ARGUMENT Shuffle argument: efficient zero knowledge argument of correctness of shuffling Mix-server permutes ciphertexts, re-encrypt them and provides a proof that he has done it correctly. Existing CRS model arguments not very efficient

CRS-BASED SHUFFLE ARGUMENTS Assumption proposed in that paper, proof in GBGM Assmpt. proposed 2010+, but not in that paper, proof in GBGM Lipmaa-Zhang (2012) Fauzi-Lipmaa (2016) This paper CRS length 7n + 6 8n + 17 3n + 14 Communic. 12n + 11 9n + 2 7n + 3 P comp. (units) 36 19.8 24.3 V comp. (units) 196 126 36.3 GBGM? PSDL, DLIN (comp.) TSDH, PCDH, PSP (comp.) Pure GBGM Soundness KE, PKE (knowledge) Full 2x PKE (knowledge) Culpable Full n: number of ciphertexts (say 100,000) 1 unit = n million machine cycles According to speed records on BN curves

ZERO KNOWLEDGE: CRS MODEL crs

ZERO KNOWLEDGE: CRS MODEL x, w crs

ZERO KNOWLEDGE: CRS MODEL crs x, w x

ZERO KNOWLEDGE: CRS MODEL crs x, w x P(crs,x,w)=π: Proof of x L

ZERO KNOWLEDGE: CRS MODEL crs x, w x P(crs,x,w)=π: Proof of x L V(crs,x,π): Accepts or rejects

ZERO KNOWLEDGE: CRS MODEL td crs x, w x P(crs,x,w)=π: Proof of x L V(crs,x,π): Accepts or rejects

ZERO KNOWLEDGE: CRS MODEL td crs Sim(crs,td,x)=π: Proof of x L x, w x P(crs,x,w)=π: Proof of x L V(crs,x,π): Accepts or rejects

ZERO KNOWLEDGE: CRS MODEL Correctness Soundness Zero knowledge crs td Sim(crs,td,x)=π: Proof of x L x, w x P(crs,x,w)=π: Proof of x L V(crs,x,π): Accepts or rejects

BILINEAR PAIRINGS

BILINEAR PAIRINGS Three cyclic groups of the same order q: G 1, G 2, G T

BILINEAR PAIRINGS Three cyclic groups of the same order q: G 1, G 2, G T Generators g 1 of G 1, g 2 of G 2, g T of G T

BILINEAR PAIRINGS Three cyclic groups of the same order q: G 1, G 2, G T Generators g 1 of G 1, g 2 of G 2, g T of G T Bilinear map: e: G 1 x G 2 G T

BILINEAR PAIRINGS Three cyclic groups of the same order q: G 1, G 2, G T Generators g 1 of G 1, g 2 of G 2, g T of G T Bilinear map: e: G 1 x G 2 G T Requirements: Efficiently computable Non-degeneracy: e (g 1, g 2 ) 1 Bilinearity: e (g 1a, g 2b ) = e (g 1, g 2 ) ab

ASSUMPTIONS & PAIRINGS Inverting pairings should be hard

ASSUMPTIONS & PAIRINGS Inverting pairings should be hard Given e (A, B), compute either A or B

ASSUMPTIONS & PAIRINGS Inverting pairings should be hard Given e (A, B), compute either A or B Analogous to DL: given g a, compute a

ASSUMPTIONS & PAIRINGS Inverting pairings should be hard Given e (A, B), compute either A or B Analogous to DL: given g a, compute a What else should be hard?

NON-GENERIC APPROACH Protocol

NON-GENERIC APPROACH Assumption 1 (known) Protocol Assumption m (known)

NON-GENERIC APPROACH Assumption 1 (known) Protocol Assumption m (known) Assumption m+1 (new) Assumption m+m (new)

NON-GENERIC APPROACH Assumption 1 (known) Protocol Assumption m (known) Assumption m+1 (new) Assumption m+m (new) Generic Model

NON-GENERIC APPROACH Assumption 1 (known) Protocol Assumption m (known) Assumption m+1 (new) Assumption m+m (new) Generic Model Pro: nice if m is not big, or most assumptions are well-known, or

NON-GENERIC APPROACH Assumption 1 (known) Protocol Assumption m (known) Assumption m+1 (new) Assumption m+m (new) Generic Model Pro: nice if m is not big, or most assumptions are well-known, or Con: each arrow might mean a loss in efficiency

GENERIC MODEL APPROACH Protocol Generic Model Con: proof in GGM is only for restricted adversaries Pro: only one arrow, thus smaller loss in efficiency

GENERIC BILINEAR GROUP MODEL Meta-Assumption: adversary only has access to

GENERIC BILINEAR GROUP MODEL Meta-Assumption: adversary only has access to group operations, bilinear map, equality tests

GENERIC BILINEAR GROUP MODEL Meta-Assumption: adversary only has access to group operations, bilinear map, equality tests Each computed element in G i (i=1, 2) is given by group operation of two already known elements Recursively, DL of each computed element is a known polynomial of some indeterminates

SOUNDNESS IN GBGM

SOUNDNESS IN GBGM X 1 X s Random variables (TTP)

SOUNDNESS IN GBGM Polynomials (TTP knows X) X 1 [X] = g X {[f 1i (X)] 1 } {[f 2i (X)] 2 } X s Random variables (TTP) CRS (TTP)

SOUNDNESS IN GBGM Polynomials (TTP knows X) Linear combinations (only group operation) X 1 [X] = g X {[f 1i (X)] 1 } {[g 1i (X) =Σ i a 1i f 1i (X)] 1 } {[f 2i (X)] 2 } {[g 2i (X) =Σ i a 2i f 2i (X)] 1 } X s Random variables (TTP) CRS (TTP) Outputs in argument (adversary)

SOUNDNESS IN GBGM Polynomials (TTP knows X) Linear combinations (only group operation) Quadratic tests (can use bilinear map) X 1 [X] = g X V 1 (X)=Σ ij b 1ij h 1i (X) h 2i (X)=0 {[f 1i (X)] 1 } {[g 1i (X) =Σ i a 1i f 1i (X)] 1 } {[f 2i (X)] 2 } {[g 2i (X) =Σ i a 2i f 2i (X)] 1 } V u (X)=Σ ij b uij h 1i (X) h 2i (X)=0 X s Random variables (TTP) CRS (TTP) Outputs in argument (adversary) Verifications (verifier) {h ji } = {f ji, h ji }

SOUNDNESS IN GBGM jth verification equation ascertains V j (X) = 0

SOUNDNESS IN GBGM jth verification equation ascertains V j (X) = 0 Solve system of polynomial equations {V j (X) = 0} in coefficients a ji chosen by the adversary

SOUNDNESS IN GBGM jth verification equation ascertains V j (X) = 0 Solve system of polynomial equations {V j (X) = 0} in coefficients a ji chosen by the adversary Show that solution s coefficients are nice

INTUITION: CONSTRUCTING ARGUMENT Decomposing:

INTUITION: CONSTRUCTING ARGUMENT Decomposing: Write down main building blocks you need to prove in argument

INTUITION: CONSTRUCTING ARGUMENT Decomposing: Write down main building blocks you need to prove in argument Each subargument should be efficiently verifiable (by a single pairing)

INTUITION: CONSTRUCTING ARGUMENT Decomposing: Write down main building blocks you need to prove in argument Each subargument should be efficiently verifiable (by a single pairing) Ascertain each subargument is sound independently

INTUITION: CONSTRUCTING ARGUMENT

INTUITION: CONSTRUCTING ARGUMENT Soundness check: Is the composed protocol sound? Subarguments get extra inputs in CRS If not: introduce new random variables that guarantee CRS elements are used in only correct subarguments, reiterate

SUBARGUMENTS Permutation matrix argument :

SUBARGUMENTS Permutation matrix argument : Prover commits to permutation; proves this is done correctly

SUBARGUMENTS Permutation matrix argument : Prover commits to permutation; proves this is done correctly Consistency argument :

SUBARGUMENTS Permutation matrix argument : Prover commits to permutation; proves this is done correctly Consistency argument : Prover proves she used the committed permutation to shuffle ciphertexts

SUBARGUMENTS Permutation matrix argument : Prover commits to permutation; proves this is done correctly Consistency argument : Prover proves she used the committed permutation to shuffle ciphertexts Validity argument : Prover proves each ciphertext has been formed correctly

PERMUTATION MATRIX ARGUMENT Lemma. A matrix is permutation matrix iff 1. It is stochastic // rows sum to (1,, 1) 2. Each row is 1-sparse At most one coefficient is non-zero

1-SPARSITY ARGUMENT Commitment:

1-SPARSITY ARGUMENT Commitment: Pi (X) are linearly independent, well-chosen polynomials [A i (X)] i = [a I P I (X) + rx ρ ] i // i = 1, 2

1-SPARSITY ARGUMENT Commitment: Pi (X) are linearly independent, well-chosen polynomials [A i (X)] i = [a I P I (X) + rx ρ ] i // i = 1, 2 Argument: // square span programs

1-SPARSITY ARGUMENT Commitment: Pi (X) are linearly independent, well-chosen polynomials [A i (X)] i = [a I P I (X) + rx ρ ] i // i = 1, 2 Argument: // square span programs [π(x)] 1 = [((a I P I (X) + P 0 (X) + rx ρ ) 2-1) / X ρ ] 1

1-SPARSITY ARGUMENT Commitment: [A i (X)] i = [a I P I (X) + rx ρ ] i // i = 1, 2 Argument: // square span programs [π(x)] 1 = [((a I P I (X) + P 0 (X) + rx ρ ) 2-1) / X ρ ] 1 Verification equation: Pi (X) are linearly independent, well-chosen polynomials

honest prover: [A i (X)] i = [a I P I (X) + rx ρ ] i SOUNDNESS PROOF: IDEA

honest prover: [A i (X)] i = [a I P I (X) + rx ρ ] i SOUNDNESS PROOF: IDEA In GBGM we know constants a 1i, A 1ρ,, s.t. for X = (X, X ρ, X α, X β, X γ, X sk )

honest prover: [A i (X)] i = [a I P I (X) + rx ρ ] i SOUNDNESS PROOF: IDEA In GBGM we know constants a 1i, A 1ρ,, s.t. for X = (X, X ρ, X α, X β, X γ, X sk ) A 1 (X) = Σ a 1i P i (X) + A 1ρ X ρ + A 1α (X α + P 0 (X)) + A 11 P 0 (X) + A 2 (X) = Σ a 2i P i (X) + A 2ρ X ρ + A 2α (-X α + P 0 (X)) + A 21 + π (X) = Σ π i P i (X) + π ρ X ρ + π α (X α + P 0 (X)) + π 1 P 0 (X) + CRS: ({[P i (X)] 1 } i, [X ρ ] 1, [X α +P 0 (X)] 1, [P 0 (X)] 1,, ({[P i (X)] 2 } i, [X ρ ] 2, [-X α +P 0 (X)] 2, [1] 2, )

honest prover: [A i (X)] i = [a I P I (X) + rx ρ ] i SOUNDNESS PROOF: IDEA In GBGM we know constants a 1i, A 1ρ,, s.t. for X = (X, X ρ, X α, X β, X γ, X sk ) A 1 (X) = Σ a 1i P i (X) + A 1ρ X ρ + A 1α (X α + P 0 (X)) + A 11 P 0 (X) + A 2 (X) = Σ a 2i P i (X) + A 2ρ X ρ + A 2α (-X α + P 0 (X)) + A 21 + π (X) = Σ π i P i (X) + π ρ X ρ + π α (X α + P 0 (X)) + π 1 P 0 (X) + Verification equation states CRS: ({[P i (X)] 1 } i, [X ρ ] 1, [X α +P 0 (X)] 1, [P 0 (X)] 1,, ({[P i (X)] 2 } i, [X ρ ] 2, [-X α +P 0 (X)] 2, [1] 2, )

honest prover: [A i (X)] i = [a I P I (X) + rx ρ ] i SOUNDNESS PROOF: IDEA In GBGM we know constants a 1i, A 1ρ,, s.t. for X = (X, X ρ, X α, X β, X γ, X sk ) A 1 (X) = Σ a 1i P i (X) + A 1ρ X ρ + A 1α (X α + P 0 (X)) + A 11 P 0 (X) + A 2 (X) = Σ a 2i P i (X) + A 2ρ X ρ + A 2α (-X α + P 0 (X)) + A 21 + π (X) = Σ π i P i (X) + π ρ X ρ + π α (X α + P 0 (X)) + π 1 P 0 (X) + Verification equation states V(X) = (A 1 (X) + X α + P 0 (X)) (A 2 (X) - X α + P 0 (X)) - π(x) X ρ (1 - X α ) 2 = 0 CRS: ({[P i (X)] 1 } i, [X ρ ] 1, [X α +P 0 (X)] 1, [P 0 (X)] 1,, ({[P i (X)] 2 } i, [X ρ ] 2, [-X α +P 0 (X)] 2, [1] 2, )

honest prover: [A i (X)] i = [a I P I (X) + rx ρ ] i SOUNDNESS PROOF: IDEA In GBGM we know constants a 1i, A 1ρ,, s.t. for X = (X, X ρ, X α, X β, X γ, X sk ) A 1 (X) = Σ a 1i P i (X) + A 1ρ X ρ + A 1α (X α + P 0 (X)) + A 11 P 0 (X) + A 2 (X) = Σ a 2i P i (X) + A 2ρ X ρ + A 2α (-X α + P 0 (X)) + A 21 + π (X) = Σ π i P i (X) + π ρ X ρ + π α (X α + P 0 (X)) + π 1 P 0 (X) + Verification equation states V(X) = (A 1 (X) + X α + P 0 (X)) (A 2 (X) - X α + P 0 (X)) - π(x) X ρ (1 - X α ) 2 = 0 Goal: find coefficients s.t. verification equation is satisfied CRS: ({[P i (X)] 1 } i, [X ρ ] 1, [X α +P 0 (X)] 1, [P 0 (X)] 1,, ({[P i (X)] 2 } i, [X ρ ] 2, [-X α +P 0 (X)] 2, [1] 2, )

SOLVING SYSTEM OF POL. EQUATIONS

SOLVING SYSTEM OF POL. EQUATIONS Goal: find coefficients s.t. V (X) = 0

SOLVING SYSTEM OF POL. EQUATIONS Goal: find coefficients s.t. V (X) = 0 Step 1: V (X) = 0 iff each coefficient [X α j X ρ k ] V (X) = 0

SOLVING SYSTEM OF POL. EQUATIONS Goal: find coefficients s.t. V (X) = 0 Step 1: V (X) = 0 iff each coefficient [X α j X ρ k ] V (X) = 0 This is a system of polynomial equations and a nasty one of more than 20 polynomial equations

SOLVING

SOLVING Used a mixture of computer algebra system and manual labor

SOLVING Used a mixture of computer algebra system and manual labor 1. Use linear independence of P i (X) to split some coefficients

SOLVING Used a mixture of computer algebra system and manual labor 1. Use linear independence of P i (X) to split some coefficients 2. Construct Gröbner basis of system of polynomial equations Needs(?) a CAS 3. Solve the Gröbner basis Can be done manually or by using CAS

THANK YOU!