# A Verifiable Secret Shuffle of Homomorphic Encryptions


## Abstract

A shuffle consists of a permutation and re-encryption of a set of input ciphertexts. One application of shuffles is to build mix-nets. We suggest an honest verifier zero-knowledge argument for the correctness of a shuffle of homomorphic encryptions.
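As an added illustration (not code from the paper), the following Python sketches the shuffle operation the abstract describes, a secret permutation followed by re-encryption, on toy ElGamal ciphertexts. The group parameters and sample plaintexts are constructed and far too small for real use, and the zero-knowledge argument that certifies the shuffle is not shown; the example only checks the two properties such an argument must cover: the decrypted multiset is preserved, and every output is re-randomised.

```python
import random

# Toy ElGamal group, constructed for illustration only (far too small for real use).
# P = 2*Q + 1 with P, Q prime; G = 4 is a quadratic residue, so it generates the
# order-Q subgroup in which all messages and ciphertext components live.
P = 1019
Q = 509
G = 4

def keygen(rng):
    sk = rng.randrange(1, Q)
    return sk, pow(G, sk, P)

def encode(i):
    # Map a small integer to a subgroup element so it is a valid ElGamal plaintext.
    return pow(G, i, P)

def encrypt(pk, m, r):
    # ElGamal: (g^r, m * pk^r)
    return (pow(G, r, P), m * pow(pk, r, P) % P)

def decrypt(sk, c):
    a, b = c
    return b * pow(a, Q - sk, P) % P      # a^(Q - sk) = a^(-sk) because a has order Q

def reencrypt(pk, c, s):
    # Homomorphic re-randomisation: multiply componentwise by an encryption of 1.
    a, b = c
    a1, b1 = encrypt(pk, 1, s)
    return (a * a1 % P, b * b1 % P)

def shuffle(pk, cts, rng):
    # Pick a secret permutation, then re-encrypt each moved ciphertext with fresh randomness.
    perm = list(range(len(cts)))
    rng.shuffle(perm)
    out = [reencrypt(pk, cts[j], rng.randrange(1, Q)) for j in perm]
    return out, perm

def demo(seed=1):
    rng = random.Random(seed)              # seeded so the run is reproducible
    sk, pk = keygen(rng)
    msgs = [encode(i) for i in (3, 1, 4, 1, 5)]   # constructed plaintexts, one repeated
    cts = [encrypt(pk, m, rng.randrange(1, Q)) for m in msgs]
    out, perm = shuffle(pk, cts, rng)
    # Correctness: the decrypted multiset is preserved (what the ZK argument must certify).
    same_multiset = sorted(decrypt(sk, c) for c in cts) == sorted(decrypt(sk, c) for c in out)
    # Privacy: no output ciphertext equals the input it came from.
    all_rerandomised = all(out[i] != cts[perm[i]] for i in range(len(cts)))
    return same_multiset, all_rerandomised, perm
```

Without the paper's argument, a verifier holding only `cts` and `out` cannot tell that `demo()` performed an honest shuffle; the argument is what lets it check `same_multiset` without the secret key or the permutation.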

Our scheme is more efficient than previous schemes both in terms of communication and computation. The honest verifier zero-knowledge argument has a size that is independent of the actual cryptosystem being used and will typically be smaller than the size of the shuffle itself. Moreover, our scheme is well suited for the use of multi-exponentiation and batch-verification techniques.

Additionally, we suggest a more efficient honest verifier zero-knowledge argument for a commitment containing a permutation of a set of publicly known messages. We also suggest an honest verifier zero-knowledge argument for the correctness of a combined shuffle-and-decrypt operation that can be used in connection with decrypting mix-nets based on ElGamal encryption.

All our honest verifier zero-knowledge arguments can be turned into honest verifier zero-knowledge proofs. We use homomorphic commitments as an essential part of our schemes. When the commitment scheme is statistically hiding we obtain statistical honest verifier zero-knowledge arguments; when the commitment scheme is statistically binding, we obtain computational honest verifier zero-knowledge proofs.

## Key words

Shuffle, Honest verifier zero-knowledge argument, Homomorphic encryption, Mix-net
