Efficient Zero-Knowledge Argument for Correctness of a Shuffle

  • Stephanie Bayer
  • Jens Groth
Conference paper

DOI: 10.1007/978-3-642-29011-4_17

Part of the Lecture Notes in Computer Science book series (LNCS, volume 7237)
Cite this paper as:
Bayer S., Groth J. (2012) Efficient Zero-Knowledge Argument for Correctness of a Shuffle. In: Pointcheval D., Johansson T. (eds) Advances in Cryptology – EUROCRYPT 2012. EUROCRYPT 2012. Lecture Notes in Computer Science, vol 7237. Springer, Berlin, Heidelberg


Mix-nets are used in e-voting schemes and other applications that require anonymity. Shuffles of homomorphic encryptions are often used in the construction of mix-nets. A shuffle permutes and re-encrypts a set of ciphertexts, but as the plaintexts are encrypted it is not possible to verify directly whether the shuffle operation was done correctly or not. Therefore, to prove the correctness of a shuffle it is often necessary to use zero-knowledge arguments.

We propose an honest verifier zero-knowledge argument for the correctness of a shuffle of homomorphic encryptions. The suggested argument has sublinear communication complexity that is much smaller than the size of the shuffle itself. In addition, the suggested argument matches the lowest computation cost for the verifier compared to previous work and also has an efficient prover. As a result, our scheme is significantly more efficient than previous zero-knowledge schemes in the literature.

We give performance measures from an implementation where the correctness of a shuffle of 100,000 ElGamal ciphertexts is proved and verified in around 2 minutes.
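
The shuffle operation the abstract describes, as an added toy example (not code from the paper or the authors' implementation): ElGamal ciphertexts are permuted and re-encrypted, and only decryption shows whether the plaintext multiset survived, which is the gap the zero-knowledge argument closes. The group parameters, function names and messages are constructed for illustration and are far too small for real use.

```python
import secrets

# Toy parameters (constructed for illustration, far too small for real use):
# safe prime P = 2Q + 1; G generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1           # secret key in [1, Q-1]
    return x, pow(G, x, P)                     # (sk, pk = G^x)

def encrypt(pk, m, r=None):
    r = secrets.randbelow(Q) if r is None else r
    return (pow(G, r, P), m * pow(pk, r, P) % P)

def decrypt(sk, c):
    u, v = c
    return v * pow(u, Q - sk, P) % P           # u^(Q-sk) = u^(-sk): u has order Q

def reencrypt(pk, c, rho):
    # Multiply by an encryption of 1 with randomness rho: same plaintext, new ciphertext.
    u, v = c
    return (u * pow(G, rho, P) % P, v * pow(pk, rho, P) % P)

def shuffle(pk, cts):
    # Output slot i holds a re-encryption of input perm[i]; (perm, rhos) is the witness.
    perm = list(range(len(cts)))
    secrets.SystemRandom().shuffle(perm)
    rhos = [secrets.randbelow(Q - 1) + 1 for _ in cts]   # non-zero, so every pair changes
    out = [reencrypt(pk, cts[perm[i]], rhos[i]) for i in range(len(cts))]
    return out, (perm, rhos)

def demo():
    sk, pk = keygen()
    msgs = [pow(G, k, P) for k in (1, 2, 3, 4, 5)]       # plaintexts in the subgroup
    cts = [encrypt(pk, m) for m in msgs]
    out, _ = shuffle(pk, cts)
    honest_ok = sorted(decrypt(sk, c) for c in out) == sorted(msgs)
    # A dishonest mixer replaces one output with an encryption of its own plaintext.
    bad = list(out)
    bad[0] = encrypt(pk, pow(G, 9, P))
    cheat_alters = sorted(decrypt(sk, c) for c in bad) != sorted(msgs)
    # Without sk, the tampered list still passes the only public check available:
    # every component is a valid subgroup element, like an honest output.
    looks_valid = all(pow(u, Q, P) == 1 and pow(v, Q, P) == 1 for u, v in bad)
    return honest_ok, cheat_alters, looks_valid

if __name__ == "__main__":
    print(demo())
```

The `(perm, rhos)` pair returned by `shuffle` is exactly what a mixer would have to reveal to be checked directly, which would destroy the anonymity the shuffle provides.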


Keywords: Shuffle, zero-knowledge, ElGamal encryption, mix-net, voting, anonymous broadcast

Copyright information

© International Association for Cryptologic Research 2012

Authors and Affiliations

  • Stephanie Bayer (1)
  • Jens Groth (1)
  1. University College London, UK
