An Efficient Pairing-Based Shuffle Argument

  • Prastudy Fauzi
  • Helger Lipmaa
  • Janno Siim
  • Michał Zając
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10625)

Abstract

We construct the most efficient known pairing-based NIZK shuffle argument. It consists of three subarguments that were carefully chosen to obtain optimal efficiency of the shuffle argument:
  1. A same-message argument based on the linear subspace QANIZK argument of Kiltz and Wee,
  2. A (simplified) permutation matrix argument of Fauzi, Lipmaa, and Zając,
  3. A (simplified) consistency argument of Groth and Lu.

We prove the knowledge-soundness of the first two subarguments in the generic bilinear group model, and the culpable soundness of the third subargument under a KerMDH assumption. This proves the soundness of the shuffle argument. We also discuss our partially optimized implementation that allows one to prove a shuffle of 100,000 ciphertexts in less than a minute and verify it in less than 1.5 minutes.

Keywords

Common Reference String, Generic group model, Mix-net, Shuffle argument, Zero knowledge

Acknowledgment

The majority of this work was done while the first author was working at the University of Tartu, Estonia. This work was supported by the European Union’s Horizon 2020 research and innovation programme under grant agreement No 653497 (project PANORAMIX) and grant agreement No 731583 (project SODA), by institutional research funding IUT2-1 of the Estonian Ministry of Education and Research, and by the Danish Independent Research Council, Grant-ID DFF-6108-00169.

References

  1. Barbulescu, R., Duquesne, S.: Updating Key Size Estimations for Pairings. Technical Report 2017/334, IACR (2017). http://eprint.iacr.org/2017/334. Revision from 26 April 2017
  2. Barreto, P.S.L.M., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 319–331. Springer, Heidelberg (2006). https://doi.org/10.1007/11693383_22
  3. Bayer, S., Groth, J.: Efficient zero-knowledge argument for correctness of a shuffle. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 263–280. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_17
  4. Bellare, M., Garay, J.A., Rabin, T.: Batch verification with applications to cryptography and checking. In: Lucchesi, C.L., Moura, A.V. (eds.) LATIN 1998. LNCS, vol. 1380, pp. 170–191. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054320
  5. Ben-Sasson, E., Chiesa, A., Green, M., Tromer, E., Virza, M.: Secure sampling of public parameters for succinct zero knowledge proofs. In: IEEE SP 2015, pp. 287–304 (2015)
  6. Ben-Sasson, E., Chiesa, A., Tromer, E., Virza, M.: Succinct non-interactive zero knowledge for a von Neumann architecture. In: USENIX 2014, pp. 781–796 (2014)
  7. Bitansky, N., Canetti, R., Paneth, O., Rosen, A.: On the existence of extractable one-way functions. In: STOC 2014, pp. 505–514 (2014)
  8. Blum, M., Feldman, P., Micali, S.: Non-interactive zero-knowledge and its applications. In: STOC 1988, pp. 103–112 (1988)
  9. Chaum, D.: Untraceable electronic mail, return addresses, and digital pseudonyms. Commun. ACM 24(2), 84–88 (1981)
  10. Damgård, I.: Towards practical public key systems secure against chosen ciphertext attacks. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 445–456. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_36
  11. Danezis, G., Fournet, C., Groth, J., Kohlweiss, M.: Square span programs with applications to succinct NIZK arguments. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 532–550. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_28
  12. Elgamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inf. Theor. 31(4), 469–472 (1985)
  13. Escala, A., Herold, G., Kiltz, E., Ràfols, C., Villar, J.L.: An algebraic framework for Diffie-Hellman assumptions. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 129–147. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_8
  14. Fauzi, P., Lipmaa, H.: Efficient culpably sound NIZK shuffle argument without random oracles. In: Sako, K. (ed.) CT-RSA 2016. LNCS, vol. 9610, pp. 200–216. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-29485-8_12
  15. Fauzi, P., Lipmaa, H., Zając, M.: A shuffle argument secure in the generic model. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 841–872. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_28
  16. Furukawa, J., Sako, K.: An efficient scheme for proving a shuffle. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 368–387. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_22
  17. Galbraith, S.D., Paterson, K.G., Smart, N.P.: Pairings for cryptographers. Discrete Appl. Math. 156(16), 3113–3121 (2008)
  18. Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof-systems. In: STOC 1985, pp. 291–304 (1985)
  19. Golle, P., Jarecki, S., Mironov, I.: Cryptographic primitives enforcing communication and storage complexity. In: Blaze, M. (ed.) FC 2002. LNCS, vol. 2357, pp. 120–135. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36504-4_9
  20. González, A., Ràfols, C.: New techniques for non-interactive shuffle and range arguments. In: Manulis, M., Sadeghi, A.-R., Schneider, S. (eds.) ACNS 2016. LNCS, vol. 9696, pp. 427–444. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-39555-5_23
  21. Groth, J.: Simulation-sound NIZK proofs for a practical language and constant size group signatures. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 444–459. Springer, Heidelberg (2006). https://doi.org/10.1007/11935230_29
  22. Groth, J.: A verifiable secret shuffle of homomorphic encryptions. J. Cryptol. 23(4), 546–579 (2010)
  23. Groth, J.: Short pairing-based non-interactive zero-knowledge arguments. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 321–340. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_19
  24. Groth, J.: On the size of pairing-based non-interactive arguments. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 305–326. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_11
  25. Groth, J., Lu, S.: A non-interactive shuffle with pairing based verifiability. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 51–67. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-76900-2_4
  26. Groth, J., Ostrovsky, R., Sahai, A.: New techniques for noninteractive zero-knowledge. J. ACM 59(3), 11 (2012)
  27. Hess, F., Smart, N.P., Vercauteren, F.: The Eta pairing revisited. IEEE Trans. Inf. Theor. 52(10), 4595–4602 (2006)
  28. Jutla, C.S., Roy, A.: Shorter quasi-adaptive NIZK proofs for linear subspaces. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8269, pp. 1–20. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-42033-7_1
  29. Jutla, C.S., Roy, A.: Switching lemma for bilinear tests and constant-size NIZK proofs for linear subspaces. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8617, pp. 295–312. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44381-1_17
  30. Kiltz, E., Wee, H.: Quasi-adaptive NIZK for linear subspaces revisited. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 101–128. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_4
  31. Kim, T., Barbulescu, R.: Extended tower number field sieve: a new complexity for the medium prime case. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 543–571. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_20
  32. Lipmaa, H.: Progression-free sets and sublinear pairing-based non-interactive zero-knowledge arguments. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 169–189. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28914-9_10
  33. Lipmaa, H.: Prover-efficient commit-and-prove zero-knowledge SNARKs. In: Pointcheval, D., Nitaj, A., Rachidi, T. (eds.) AFRICACRYPT 2016. LNCS, vol. 9646, pp. 185–206. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-31517-1_10
  34. Lipmaa, H., Zhang, B.: A more efficient computationally sound non-interactive zero-knowledge shuffle argument. In: Visconti, I., De Prisco, R. (eds.) SCN 2012. LNCS, vol. 7485, pp. 477–502. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32928-9_27
  35. Maurer, U.M.: Abstract models of computation in cryptography. In: Smart, N.P. (ed.) Cryptography and Coding 2005. LNCS, vol. 3796, pp. 1–12. Springer, Heidelberg (2005). https://doi.org/10.1007/11586821_1
  36. Morillo, P., Ràfols, C., Villar, J.L.: The kernel matrix Diffie-Hellman assumption. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 729–758. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_27
  37. Pereira, G.C.C.F., Simplício Jr., M.A., Naehrig, M., Barreto, P.S.L.M.: A family of implementation-friendly BN elliptic curves. J. Syst. Softw. 84(8), 1319–1326 (2011)
  38. Schwartz, J.T.: Fast probabilistic algorithms for verification of polynomial identities. J. ACM 27(4), 701–717 (1980)
  39. Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256–266. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_18
  40. Zippel, R.: Probabilistic algorithms for sparse polynomials. In: Ng, E.W. (ed.) Symbolic and Algebraic Computation. LNCS, vol. 72, pp. 216–226. Springer, Heidelberg (1979). https://doi.org/10.1007/3-540-09519-5_73

Copyright information

© International Association for Cryptologic Research 2017

Authors and Affiliations

  • Prastudy Fauzi (1)
  • Helger Lipmaa (2)
  • Janno Siim (2, 3)
  • Michał Zając (2)

  1. Aarhus University, Aarhus, Denmark
  2. Institute of Computer Science, University of Tartu, Tartu, Estonia
  3. STACC, Tartu, Estonia