Chapter

Advances in Cryptology – EUROCRYPT 2012

Volume 7237 of the series Lecture Notes in Computer Science pp 263-280

Efficient Zero-Knowledge Argument for Correctness of a Shuffle

  • Stephanie BayerAffiliated withLancaster UniversityUniversity College London
  • , Jens GrothAffiliated withLancaster UniversityUniversity College London

* Final gross prices may vary according to local VAT.

Get Access

Abstract

Mix-nets are used in e-voting schemes and other applications that require anonymity. Shuffles of homomorphic encryptions are often used in the construction of mix-nets. A shuffle permutes and re-encrypts a set of ciphertexts, but as the plaintexts are encrypted it is not possible to verify directly whether the shuffle operation was done correctly or not. Therefore, to prove the correctness of a shuffle it is often necessary to use zero-knowledge arguments.

We propose an honest verifier zero-knowledge argument for the correctness of a shuffle of homomorphic encryptions. The suggested argument has sublinear communication complexity that is much smaller than the size of the shuffle itself. In addition the suggested argument matches the lowest computation cost for the verifier compared to previous work and also has an efficient prover. As a result our scheme is significantly more efficient than previous zero-knowledge schemes in literature.

We give performance measures from an implementation where the correctness of a shuffle of 100,000 ElGamal ciphertexts is proved and verified in around 2 minutes.

Keywords

Shuffle zero-knowledge ElGamal encryption mix-net voting anonymous broadcast