A Verifiable Secret Shuffle of Homomorphic Encryptions


Jens Groth*
Department of Computer Science, UCLA, 3531A Boelter Hall, Los Angeles, CA, USA
jg@cs.ucla.edu

Abstract. A shuffle consists of a permutation and re-encryption of a set of input ciphertexts. One application of shuffles is to build mix-nets. We suggest an honest verifier zero-knowledge argument for the correctness of a shuffle of homomorphic encryptions. Our scheme is more efficient than previous schemes both in terms of communication and computation. The honest verifier zero-knowledge argument has a size that is independent of the actual cryptosystem being used and will typically be smaller than the size of the shuffle itself. Moreover, our scheme is well suited for the use of multi-exponentiation and batch-verification techniques. Additionally, we suggest a more efficient honest verifier zero-knowledge argument for a commitment containing a permutation of a set of publicly known messages. We also suggest an honest verifier zero-knowledge argument for the correctness of a combined shuffle-and-decrypt operation that can be used in connection with decrypting mix-nets based on ElGamal encryption. All our honest verifier zero-knowledge arguments can be turned into honest verifier zero-knowledge proofs. We use homomorphic commitments as an essential part of our schemes. When the commitment scheme is statistically hiding we obtain statistical honest verifier zero-knowledge arguments; when the commitment scheme is statistically binding we obtain computational honest verifier zero-knowledge proofs.

Keywords: Shuffle, honest verifier zero-knowledge argument, homomorphic encryption, mix-net.

1 Introduction

SHUFFLE. A shuffle of ciphertexts $e_1, \ldots, e_n$ is a new set of ciphertexts $E_1, \ldots, E_n$ with the same plaintexts in permuted order. We will consider homomorphic public-key cryptosystems in this paper. Informally¹, we have for public key $pk$, messages $m_1, m_2$ and randomizers $r_1, r_2$ that the encryption function satisfies $E_{pk}(m_1 m_2; r_1 + r_2) = E_{pk}(m_1; r_1)\, E_{pk}(m_2; r_2)$.

* Part of the work done while at BRICS, University of Aarhus and Cryptomathic.
¹ See Section 2.2 for a formal definition of homomorphic encryption as well as a description of a few more required properties.

If the cryptosystem is homomorphic we may shuffle $e_1, \ldots, e_n$ by selecting a permutation $\pi \in \Sigma_n$ and randomizers $R_1, \ldots, R_n$ and setting $E_1 = e_{\pi(1)} E_{pk}(1; R_1), \ldots, E_n = e_{\pi(n)} E_{pk}(1; R_n)$. If the cryptosystem is semantically secure, publishing $E_1, \ldots, E_n$ reveals nothing about the permutation. On the other hand, this also means that nobody else can verify directly whether the shuffle is correct or incorrect. It could for instance be the case that some ciphertexts had been substituted for other ciphertexts. Our goal is to construct efficient honest verifier zero-knowledge (HVZK) arguments for the correctness of a shuffle. These arguments will make it possible to verify that a shuffle is correct (soundness) but will not reveal the permutation or the randomizers used in the re-encryption step (honest verifier zero-knowledge).

APPLICATIONS. Shuffling is the key building block in most mix-nets. A mix-net [8] is a multi-party protocol run by a group of mix-servers to shuffle elements so that nobody knows the permutation linking the input and output. To mix ciphertexts we may let the mix-servers one after another make a shuffle with a randomly chosen permutation. If at least one mix-server is honest and chooses a random permutation, it is impossible to link the input and output. In this role, shuffling constitutes an important building block in anonymization protocols and voting schemes. In a mix-net it is problematic if a mix-server does not shuffle correctly. In a voting scheme it would for instance be disastrous if a mix-server could substitute some input votes for other votes of its own choosing. HVZK arguments for correctness of a shuffle are therefore useful to ensure that mix-servers follow the protocol. Each mix-server can after making a shuffle prove to the other mix-servers or any independent verifiers that the shuffle is correct. The soundness of the HVZK argument guarantees that the shuffle is correct.
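The re-encryption shuffle $E_i = e_{\pi(i)} E_{pk}(1; R_i)$ described above, instantiated with ElGamal, as an added example that is not part of the paper. The group parameters ($p = 2039$, $q = 1019$, generator 4), the sample plaintexts and the tampering step are constructed for illustration and are toy-sized; a real deployment uses a group of cryptographic size. The example shows the homomorphic identity of the introduction, that the shuffled outputs decrypt to the same multiset as the inputs, that checking a shuffle directly requires the witness $(\pi, R_1, \ldots, R_n)$, and that a mix-server which substitutes one ciphertext changes the plaintexts without anything in the ciphertexts revealing it, which is exactly the failure the HVZK argument is meant to catch.

```python
# Added example (not from the paper): the homomorphic re-encryption shuffle
# E_i = e_{pi(i)} * E_pk(1; R_i) instantiated with ElGamal over a toy group.
# p = 2q + 1 = 2039 with q = 1019 is far too small for real use; the sizes are
# chosen so the arithmetic stays readable.
import secrets

P, Q = 2039, 1019
G = 4                   # 4 = 2^2 is a square mod p, so it generates the order-q subgroup

def _is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

assert _is_prime(P) and _is_prime(Q) and P == 2 * Q + 1 and pow(G, Q, P) == 1

def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return pow(G, sk, P), sk          # (pk, sk)

def enc(pk, m, r):
    # E_pk(m; r) = (g^r, m * pk^r); messages live in the order-q subgroup
    return (pow(G, r, P), m * pow(pk, r, P) % P)

def dec(sk, ct):
    u, v = ct
    return v * pow(u, Q - sk, P) % P  # u^(q - sk) = u^(-sk) because u has order q

def mul(c1, c2):
    # group operation on C_pk; E(m0; r0) * E(m1; r1) = E(m0 m1; r0 + r1)
    return (c1[0] * c2[0] % P, c1[1] * c2[1] % P)

def homomorphic_ok():
    pk, _ = keygen()
    m0, m1 = pow(G, 3, P), pow(G, 11, P)
    r0, r1 = 123, 456
    return mul(enc(pk, m0, r0), enc(pk, m1, r1)) == enc(pk, m0 * m1 % P, (r0 + r1) % Q)

def shuffle(pk, cts):
    # Output E_i = e_{pi(i)} * E_pk(1; R_i); (pi, R_1..R_n) is the prover's witness.
    n = len(cts)
    perm = list(range(n))
    for i in range(n - 1, 0, -1):     # Fisher-Yates with a CSPRNG
        j = secrets.randbelow(i + 1)
        perm[i], perm[j] = perm[j], perm[i]
    rands = [secrets.randbelow(Q) for _ in range(n)]
    out = [mul(cts[perm[i]], enc(pk, 1, rands[i])) for i in range(n)]
    return out, (perm, rands)

def check_with_witness(pk, cts, out, witness):
    # Only someone holding pi and the R_i can check the shuffle this way, and
    # doing so reveals them. The HVZK argument is what replaces this check.
    perm, rands = witness
    return all(out[i] == mul(cts[perm[i]], enc(pk, 1, rands[i])) for i in range(len(cts)))

def substitute(pk, out):
    # A dishonest mix-server swaps one output for an encryption of its own choice.
    # Under semantic security nothing in the ciphertexts reveals the substitution.
    bad = list(out)
    bad[0] = enc(pk, pow(G, 7, P), secrets.randbelow(Q))
    return bad

def run_demo():
    pk, sk = keygen()
    msgs = [pow(G, k, P) for k in (5, 17, 42, 99)]       # constructed sample plaintexts
    cts = [enc(pk, m, secrets.randbelow(Q)) for m in msgs]
    out, wit = shuffle(pk, cts)
    honest_ok = (sorted(dec(sk, c) for c in out) == sorted(msgs)
                 and check_with_witness(pk, cts, out, wit))
    tampered = substitute(pk, out)
    # the tampered list still decrypts without error, just to a different multiset
    tamper_changes_plaintexts = sorted(dec(sk, c) for c in tampered) != sorted(msgs)
    return {"honest_ok": honest_ok, "tamper_changes_plaintexts": tamper_changes_plaintexts}
```

`run_demo()` returns both flags as `True`: the honest shuffle preserves the plaintext multiset and the substituted one does not, yet only the holder of the secret key or of the witness can tell the two apart, which is why a mix-server must supply a zero-knowledge argument rather than the witness.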
The honest verifier zero-knowledge property ensures that the HVZK argument does not leak the permutation, the randomizers or any other information pertaining to the shuffle. Shuffle arguments have also found use as sub-protocols in more complex protocols or zero-knowledge arguments [32, 26, 7].

RELATED WORK. Chaum invented mix-nets in [8]. While his mix-net was based on shuffling, he did not suggest any method to guarantee correctness of the shuffles. Subsequent papers on mix-nets [6, 49, 28, 22, 31, 15, 29, 43, 30, 47] have tried in many ways to guarantee correctness of a shuffle, most of which have been partially or fully broken [3, 39, 54, 50]. Remaining are suggestions [15, 49, 28, 53], which have various drawbacks. Desmedt and Kurosawa [15] require that at most a small fraction of the mix-servers is corrupt. Peng et al. [49] require that a fraction of the senders producing the input to the mix-net is honest and restrict the class of possible permutations. Jakobsson, Juels and Rivest [28] allow mix-servers to compromise the privacy of a few senders and/or modify a few messages although they risk being caught. The mix-net by Wikström [53] is less efficient than what one can build using the shuffle arguments in the present paper. Mix-nets based on shuffling and zero-knowledge arguments of correctness of a shuffle do not have these drawbacks.

Several papers have suggested zero-knowledge arguments for correctness of a shuffle, usually shuffling ElGamal ciphertexts [16]. Sako and Kilian [51] use cut-and-choose

methods and is thus not very efficient. Abe [1] (corrected by Abe and Hoshino [2]) uses permutation networks and obtains reasonable efficiency. Currently there are two main paradigms that yield practical HVZK arguments for correctness of a shuffle. Furukawa and Sako [20] suggest a paradigm based on permutation matrices in the common reference string model. In this type of construction, we make a commitment to a permutation matrix, argue that we have committed to a permutation matrix and argue that the ciphertexts have been shuffled according to this permutation. It turns out that their protocol is not honest verifier zero-knowledge [19], but it does hide the permutation [41]. Furukawa [18] develops the permutation matrix idea further and obtains a practical HVZK argument for correctness of a shuffle. A couple of other works [41, 45] also use the permutation matrix idea to obtain HVZK arguments for correctness of a shuffle of Paillier ciphertexts [46]. Following this paradigm we also have Furukawa et al. [19, 18] suggesting arguments for correctness of a combined shuffle-and-decrypt operation, an operation that is used in some decrypting mix-nets.

The other paradigm for verifying correctness of shuffles is due to Neff [36] and is based on polynomials being identical under permutation of their roots. Subsequent versions of that work [37, 38] correct some flaws and at the same time obtain higher efficiency. Unlike the arguments based on the Furukawa-Sako paradigm, Neff obtains an HVZK proof, i.e., soundness is unconditional but the zero-knowledge property is computational. Further, Neff's proof does not require a common reference string, although it does rely on the cryptosystem being generated such that the decision Diffie-Hellman (DDH) assumption holds.

OUR CONTRIBUTION. We suggest a 7-move public coin HVZK argument for the correctness of a shuffle of homomorphic encryptions. We follow the Neff paradigm, basing the shuffle on invariance of polynomials under permutation of their roots.

Our HVZK argument has a common reference string, which contains a public key for a homomorphic commitment scheme. If instantiated with a statistically hiding commitment we obtain a statistical HVZK argument for correctness of a shuffle, where soundness holds computationally. On the other hand, if instantiated with a statistically binding commitment scheme we obtain an HVZK proof of correctness of a shuffle with unconditional soundness but computational honest verifier zero-knowledge.

The resulting HVZK argument is the most efficient HVZK argument for correctness of a shuffle that we know of, both in terms of computation and communication. The scheme is well suited for multi-exponentiation techniques as well as randomized batch-verification, giving us even higher efficiency. Unlike the permutation-matrix based approach, it is possible to work with a short public key for the commitment scheme, whereas key generation can be a significant cost in the permutation matrix paradigm. The only disadvantage of our scheme is the round-complexity. We use 7 rounds, whereas the Furukawa-Sako paradigm can be used to obtain 3-round HVZK arguments for correctness of a shuffle.

Improving on the early version of the paper [23], we enable shuffling of most known homomorphic cryptosystems. The size of the argument is almost independent of the cryptosystem that is being shuffled. Furthermore, the commitment scheme we use does not have to be based on a group of the same order as the cryptosystem.

In Section 7, we give a more detailed comparison of our scheme and the other efficient HVZK arguments for correctness of a shuffle suggested in the literature.

As a building block, we use a shuffle of known contents and a corresponding argument of correctness of a shuffle of known contents. That is, given public messages $m_1, \ldots, m_n$, we can form a commitment to a permutation of these messages, $c \leftarrow \mathrm{com}_{ck}(m_{\pi(1)}, \ldots, m_{\pi(n)})$. We present an argument of knowledge for $c$ containing a permutation of these messages. This has independent interest; for instance [26] uses an argument of correctness of a shuffle of known contents, where it is not necessary to use a full-blown argument of correctness of a shuffle.

We also show how to modify our scheme into an HVZK argument of correctness of a shuffle-and-decrypt operation. This operation can be useful in decrypting mix-nets, since it can save computational effort to combine the shuffle and decryption operations instead of performing each one of them by itself. Furukawa et al. [19, 18] already suggest arguments for the correctness of a shuffle-and-decrypt operation; however, while their arguments hide the permutation they are not HVZK. We obtain a more efficient argument that at the same time is HVZK.

2 Preliminaries

In this section, we define the three key concepts of this paper. We define homomorphic cryptosystems, since we will be shuffling homomorphic ciphertexts. We define homomorphic commitments, since they constitute an important building block in our schemes. Finally, we define honest verifier zero-knowledge (HVZK) arguments, since this paper is about HVZK arguments for the correctness of a shuffle.

2.1 Notation

All algorithms in protocols in this paper are envisioned as interactive probabilistic polynomial time uniform Turing machines. Adversaries are modeled as interactive non-uniform polynomial time or unbounded Turing machines. The different parties and algorithms get a security parameter $\kappa$ as input; sometimes we omit writing this security parameter explicitly.

For an algorithm $A$, we write $y \leftarrow A(x)$ for the process of selecting randomness $r$ and making the assignment $y = A(x; r)$. A function $\nu : \mathbb{N} \to [0; 1]$ is negligible if for all constants $\delta > 0$ we have for all sufficiently large $\kappa$ that $\nu(\kappa) < \kappa^{-\delta}$. For two functions $f_1, f_2$ we write $f_1 \approx f_2$ if $|f_1 - f_2|$ is negligible. We define security in terms of probabilities that become negligible as functions of a security parameter $\kappa$.

2.2 Homomorphic Encryption

We use a probabilistic polynomial time key generation algorithm to generate a public key and a secret key. The public key belongs to a key space $K_{enc}$ and specifies a message space $M_{pk}$, a randomizer space $R_{pk}$ and a ciphertext space $C_{pk}$. It also specifies an efficiently computable encryption algorithm $E : M_{pk} \times R_{pk} \to C_{pk}$. The secret key specifies an efficiently computable decryption algorithm $D : C_{pk} \to M_{pk} \cup \{\mathrm{invalid}\}$.

We require that the cryptosystem has perfect decryption: $\forall (pk, m, r) \in K_{enc} \times M_{pk} \times R_{pk} : D_{sk}(E_{pk}(m; r)) = m$. We require the message, randomizer and ciphertext spaces to be finite abelian groups $(M_{pk}, \cdot, 1)$, $(R_{pk}, +, 0)$ and $(C_{pk}, \cdot, 1)$, where it is easy to compute group operations and decide membership. The encryption function must be homomorphic: $\forall pk \in K_{enc}\ \forall (m_0, r_0), (m_1, r_1) \in M_{pk} \times R_{pk} : E_{pk}(m_0 m_1; r_0 + r_1) = E_{pk}(m_0; r_0)\, E_{pk}(m_1; r_1)$.

In this paper, we also demand that the order of the message space is divisible only by large prime factors. More precisely, it must be the case that $|M_{pk}|$ has no prime factors smaller than $2^{\ell_e}$, where $\ell_e$ is a security parameter specified in Section 2.6.

We need a root extraction property, which says that if a ciphertext raised to a non-trivial exponent encrypts 1, then the ciphertext itself encrypts 1. More precisely, we assume there is a root extraction algorithm RootExt that given $pk \in K_{enc}$, $R \in R_{pk}$, $E \in C_{pk}$ and $e \in \mathbb{Z}$ with $\gcd(e, |M_{pk}|) = 1$ and $E^e = E_{pk}(1; R)$ outputs $r \in R_{pk}$ so $E = E_{pk}(1; r)$. This property suffices for proving soundness; however, for proving witness-extended emulation, we further require that the root extraction algorithm runs in polynomial time.

Various cryptosystems [46, 13, 14, 44, 16, 10, 42] have the properties mentioned in this section or can be tweaked into cryptosystems with these properties. In particular, Paillier encryption [46] and ElGamal encryption [16] have the properties mentioned above and have polynomial time root extraction.

2.3 Homomorphic Commitment

We use a probabilistic polynomial time key generation algorithm to generate a public commitment key $ck$ belonging to a key space $K_{com}$. The commitment key specifies a message space $M_{ck}$, a randomizer space $R_{ck}$ and a commitment space $C_{ck}$ as well as an efficiently computable commitment function $\mathrm{com}_{ck} : M_{ck} \times R_{ck} \to C_{ck}$. There is also a probability distribution on $R_{ck}$ and we write $c \leftarrow \mathrm{com}_{ck}(m)$ for the operation $r \leftarrow R_{ck};\ c = \mathrm{com}_{ck}(m; r)$.

We say the commitment scheme is hiding if a commitment does not reveal which message is inside. We define this by demanding that for all non-uniform polynomial time adversaries $A$ we have
$$\Pr\big[ck \leftarrow K_{com}(1^\kappa);\ (m_0, m_1) \leftarrow A(ck);\ c \leftarrow \mathrm{com}_{ck}(m_0) : m_0, m_1 \in M_{ck} \text{ and } A(c) = 1\big] \approx \Pr\big[ck \leftarrow K_{com}(1^\kappa);\ (m_0, m_1) \leftarrow A(ck);\ c \leftarrow \mathrm{com}_{ck}(m_1) : m_0, m_1 \in M_{ck} \text{ and } A(c) = 1\big].$$
If this also holds for unbounded $A$, we call the commitment statistically hiding.

We say the commitment scheme is binding if a commitment can be opened in one way only. For all non-uniform polynomial time adversaries $A$ we have
$$\Pr\big[ck \leftarrow K_{com}(1^\kappa);\ (m_0, r_0, m_1, r_1) \leftarrow A(ck) : (m_0, r_0), (m_1, r_1) \in M_{ck} \times R_{ck},\ m_0 \neq m_1 \text{ and } \mathrm{com}_{ck}(m_0; r_0) = \mathrm{com}_{ck}(m_1; r_1)\big] \approx 0.$$

If this also holds for unbounded $A$, we call the commitment statistically binding.

We will use commitment schemes where the message, randomizer and commitment spaces are abelian groups $(M_{ck}, +, 0)$, $(R_{ck}, +, 0)$, $(C_{ck}, \cdot, 1)$. We require that we can efficiently compute group operations and decide membership. The choice of additive or multiplicative notation is not important; what matters is just that they are abelian groups. The commitment function must be homomorphic, i.e., $\forall ck \in K_{com}\ \forall (m_0, r_0), (m_1, r_1) \in M_{ck} \times R_{ck}$ we have $\mathrm{com}_{ck}(m_0 + m_1; r_0 + r_1) = \mathrm{com}_{ck}(m_0; r_0)\, \mathrm{com}_{ck}(m_1; r_1)$.

For our purposes, we use a homomorphic commitment scheme with message space $\mathbb{Z}_q^n$, where $q$ is a prime. Other choices are possible, for instance letting $q$ be a composite or using homomorphic integer commitments [17, 12, 25] with message space $\mathbb{Z}^n$. The reason we choose $q$ to be prime is that it simplifies the presentation slightly and is the most realistic choice in practice. In particular, with $q$ being prime we know that any non-trivial degree-$n$ polynomial $P(X) \in \mathbb{Z}_q[X]$ has at most $n$ roots, which will be useful later on.

We need a root extraction property, which says it is infeasible to create an opening of a commitment raised to a non-trivial exponent without being able to open the commitment itself. More precisely, we assume there is a polynomial time root extraction algorithm RootExt that given $ck \in K_{com}$, $M \in M_{ck}$, $R \in R_{ck}$, $c \in C_{ck}$ and a nonzero $e \in \mathbb{Z}_q$ so $c^e = \mathrm{com}_{ck}(M; R)$ outputs a valid opening $(m, r)$ of $c$.

Examples. As an example of a statistically hiding commitment scheme with these properties, we offer the following variation of Pedersen's commitment scheme [48]. We select primes $q, p$ so $p = kq + 1$ and $k, q$ are coprime. The commitment key is $(q, p, g_1, \ldots, g_n, h)$, where $g_1, \ldots, g_n, h$ are randomly chosen elements of order $q$. Let $G_k$ be the multiplicative group of elements $u$ such that $u^k = 1 \bmod p$. We have $M_{ck} = \mathbb{Z}_q^n$, $R_{ck} = G_k \times \mathbb{Z}_q$, $C_{ck} = \mathbb{Z}_p^*$. To commit to $(m_1, \ldots, m_n) \in \mathbb{Z}_q^n$ using randomness $(u, r) \in G_k \times \mathbb{Z}_q$ we compute
$$c = u\, g_1^{m_1} \cdots g_n^{m_n} h^r \bmod p.$$

For the statistical hiding property to hold we can always choose $u = 1$ and simply pick $r \in \mathbb{Z}_q$ at random. The binding property holds computationally assuming the discrete logarithm problem is hard in the order-$q$ subgroup of $\mathbb{Z}_p^*$. The commitment scheme is homomorphic and has the root extraction property. Our little twist of the Pedersen commitment scheme, adding the $u$-factor from $G_k$, ensures we do not have to worry about what happens in the order-$k$ subgroup of $\mathbb{Z}_p^*$ and makes it extremely efficient to test membership of $C_{ck}$; we just have to verify $0 < c < p$.

As an example of a statistically binding commitment scheme, consider selecting the commitment key $(q, p, g_1, \ldots, g_n, h)$ as described above. The message space is $M_{ck} = \mathbb{Z}_q^n$, the randomizer space is $G_k^{n+1} \times \mathbb{Z}_q$, and the commitment space is $C_{ck} = (\mathbb{Z}_p^*)^{n+1}$. We commit to $(m_1, \ldots, m_n) \in \mathbb{Z}_q^n$ using randomizer $(u_1, \ldots, u_n, u, r) \in G_k^{n+1} \times \mathbb{Z}_q$ as
$$c = (u_1 g_1^{r + m_1}, \ldots, u_n g_n^{r + m_n}, u h^r).$$
We can simply use $u_1 = \cdots = u_n = u = 1$ when making the commitments; the hiding property holds computationally if the DDH problem is hard in the order-$q$ subgroup of $\mathbb{Z}_p^*$.

2.4 Special Honest Verifier Zero-Knowledge Arguments of Knowledge

Consider a pair of probabilistic polynomial time interactive algorithms $(P, V)$ called the prover and the verifier. They may have access to a common reference string $\sigma$ generated by a probabilistic polynomial time key generation algorithm $K$. We consider a polynomial time decidable relation $R$, which may depend on the common reference string $\sigma$. For an element $x$ we call $w$ a witness if $(\sigma, x, w) \in R$. We define a corresponding language $L_\sigma$ consisting of elements that have a witness. We write $tr \leftarrow \langle P(x), V(y) \rangle$ for the public transcript produced by $P$ and $V$ when interacting on inputs $x$ and $y$. This transcript ends with $V$ either accepting or rejecting. We sometimes shorten the notation by saying $\langle P(x), V(y) \rangle = b$ if $V$ ends by accepting, $b = 1$, or rejecting, $b = 0$.

Definition 1 (Argument). The triple $(K, P, V)$ is called an argument for relation $R$ if for all non-uniform polynomial time interactive adversaries $A$ we have

Completeness: $\Pr\big[\sigma \leftarrow K(1^\kappa);\ (x, w) \leftarrow A(\sigma) : (\sigma, x, w) \notin R \text{ or } \langle P(\sigma, x, w), V(\sigma, x) \rangle = 1\big] \approx 1$.

Soundness: $\Pr\big[\sigma \leftarrow K(1^\kappa);\ x \leftarrow A(\sigma) : x \notin L_\sigma \text{ and } \langle A, V(\sigma, x) \rangle = 1\big] \approx 0$.

We call $(K, P, V)$ a proof if soundness holds for unbounded adversaries. In this paper it will sometimes be convenient to restrict the class of adversaries for which we have soundness. In that case, we will say we have soundness for a class of adversaries ADV if the definition above holds for all $A \in \mathrm{ADV}$.

Definition 2 (Public coin). An argument $(K, P, V)$ is said to be public coin if the verifier's messages are chosen uniformly at random independently of the messages sent by the prover.

We define special honest verifier zero-knowledge (SHVZK) [9] for a public coin argument as the ability to simulate the transcript for any set of challenges without access to the witness.

Definition 3 (Special honest verifier zero-knowledge). The public coin argument $(K, P, V)$ is called a special honest verifier zero-knowledge argument for $R$ if there exists a simulator $S$ such that for all non-uniform polynomial time adversaries $A$ we have
$$\Pr\big[\sigma \leftarrow K(1^\kappa);\ (x, w, \rho) \leftarrow A(\sigma);\ tr \leftarrow \langle P(\sigma, x, w), V(\sigma, x; \rho) \rangle : (\sigma, x, w) \in R \text{ and } A(tr) = 1\big] \approx \Pr\big[\sigma \leftarrow K(1^\kappa);\ (x, w, \rho) \leftarrow A(\sigma);\ tr \leftarrow S(\sigma, x, \rho) : (\sigma, x, w) \in R \text{ and } A(tr) = 1\big].$$
We say $(K, P, V)$ has statistical SHVZK if the SHVZK property holds for unbounded adversaries.

We remark that a weaker definition of SHVZK arguments, where $\rho$ is chosen uniformly at random instead of being chosen by the adversary, is common in the literature. We also remark that there are efficient techniques to convert SHVZK arguments into zero-knowledge arguments for arbitrary verifiers in the common reference string model [11, 21, 24].

WITNESS-EXTENDED EMULATION. The standard definition of a system for proof of knowledge by Bellare and Goldreich [4] does not work in our setting, since the adversary may have non-zero probability of computing some trapdoor pertaining to the common reference string and use that information in the argument [12]. In this case, it is possible that there exists a prover with 100% probability of making a convincing argument, where we nonetheless cannot extract a witness. We shall define an argument of knowledge through witness-extended emulation, the name taken from Lindell [35]. Lindell's definition pertains to proofs of knowledge in the plain model; we will adapt his definition to the setting of public coin arguments in the common reference string model. Informally, our definition says: given an adversary that produces an acceptable argument with probability $\epsilon$, there exists an emulator that produces a similar argument with probability $\epsilon$, but at the same time provides a witness.

Definition 4 (Witness-extended emulation). We say the public coin argument $(K, P, V)$ has witness-extended emulation if for all deterministic polynomial time $P^*$ there exists an expected polynomial time emulator $E$ such that for all non-uniform polynomial time adversaries $A$ we have
$$\Pr\big[\sigma \leftarrow K(1^\kappa);\ (x, s) \leftarrow A(\sigma);\ tr \leftarrow \langle P^*(\sigma, x, s), V(\sigma, x) \rangle : A(tr) = 1\big] \approx \Pr\big[\sigma \leftarrow K(1^\kappa);\ (x, s) \leftarrow A(\sigma);\ (tr, w) \leftarrow E^{\langle P^*(\sigma, x, s), V(\sigma, x) \rangle}(\sigma, x) : A(tr) = 1 \text{ and if } tr \text{ is accepting then } (\sigma, x, w) \in R\big],$$
where $E$ has access to a transcript oracle $\langle P^*(\sigma, x, s), V(\sigma, x) \rangle$ that can be rewound to a particular round and run again with the verifier choosing fresh random coins. We think of $s$ as being the state of $P^*$, including the randomness.

Then we have an argument of knowledge in the sense that the emulator can extract a witness whenever $P^*$ is able to make a convincing argument. This shows that the definition implies soundness. We remark that the verifier's coins are part of the transcript and the prover is deterministic. So combining the emulated transcript with $\sigma, x, s$ gives us the view of both prover and verifier and at the same time gives us the witness.

Our definition of witness-extended emulation treats both prover and verifier in a black-box manner. The emulator therefore only has access to an oracle that gives it transcripts with a deterministic prover and an honest probabilistic verifier. Treating not only the prover but also the verifier in a black-box manner makes the Fiat-Shamir heuristic described at the end of the section more convincing; we avoid the emulator querying the prover on eschewed challenges or challenges with implanted trapdoors.

In the paper it will sometimes be necessary to restrict the class of adversaries for which we have witness-extended emulation. In that case, we will say we have witness-extended emulation for a class of adversaries ADV if the definition above holds for all $A \in \mathrm{ADV}$.

Damgård and Fujisaki [12] have suggested an alternative definition of an argument of knowledge in the presence of a common reference string. Witness-extended emulation as defined above implies knowledge soundness as defined by them [24].

THE FIAT-SHAMIR HEURISTIC. The Fiat-Shamir heuristic can be used to make public coin SHVZK arguments non-interactive. In the Fiat-Shamir heuristic the verifier's challenges are computed by applying a cryptographic hash function to the transcript of the protocol. Security can be argued heuristically in the random oracle model of Bellare and Rogaway [5]. In the random oracle model, the hash function is modeled as a random oracle that returns a random string on each input it has not been queried before.

2.5 Setup

We will construct a 7-round public coin SHVZK argument for the relation
$$R = \big\{ (\sigma, (pk, e_1, \ldots, e_n, E_1, \ldots, E_n), (\pi, R_1, \ldots, R_n)) \;\big|\; \pi \in \Sigma_n,\ R_1, \ldots, R_n \in R_{pk} : E_i = e_{\pi(i)} E_{pk}(1; R_i) \big\}.$$
The relation ignores $\sigma$, so this is a standard NP-relation. For soundness and witness-extended emulation, we restrict ourselves to the class of adversaries that produce valid $pk \in K_{enc}$. For some cryptosystems, it is straightforward to check whether $pk \in K_{enc}$. For ElGamal encryption, validity of a key can be decided in polynomial time. For Paillier encryption, all we need to verify is that there are no small prime factors in the modulus, which can be checked in heuristic polynomial time using Lenstra's [33] elliptic curve factorization method. For other homomorphic cryptosystems, it may not be easy to decide whether the key is correct; however, we may be working in a scenario where it is correctly set up. For instance, in a mix-net it may be the case that the mix-servers use a multi-party computation protocol to generate the encryption key, and if a majority is honest then we are guaranteed that the key is correct.

In the SHVZK argument we will suggest, the common reference string will be generated as a public key for a homomorphic commitment scheme for $n$ elements as described in Section 2.3. Depending on the application, there are many possible choices for who generates the commitment key and how they do it. For use in a mix-net, we could for instance imagine that there is a setup phase, where the mix-servers run a multi-party computation protocol to generate the commitment key.

It is possible to let the generation of the common reference string happen in the protocol itself. An unconditionally binding commitment scheme will give us statistical soundness. If we use a commitment scheme where it is possible to verify that it is unconditionally binding, we can let the prover generate the commitment key and obtain an SHVZK proof. A statistically hiding commitment scheme will give us statistical SHVZK. If it is possible to verify whether a commitment key is statistically hiding, we can let the verifier pick the common reference string. This will give us a statistical SHVZK argument. The statistical SHVZK argument will be public coin if a random string can be used to specify a statistically hiding commitment key.

2.6 Parameters

The verifier will select public coin challenges from $\{0,1\}^{\ell_e}$. $\ell_e$ will be a sufficiently large security parameter so that the risk of breaking soundness is negligible. In practice a choice of $\ell_e = 80$ suffices for interactive protocols. If we make the SHVZK argument non-interactive using the Fiat-Shamir heuristic, $\ell_e = 160$ may be sufficient.

Another security parameter is $\ell_s$. Here we require that for any $a$ of length $\ell_a$, we have that $d$ and $a + d$ are statistically indistinguishable when $d$ is chosen at random from $\{0,1\}^{\ell_a + \ell_s}$. This only leaks information about $a$ in the unlikely situation that $a + d < 2^{\ell_a}$ or $2^{\ell_a + \ell_s} \le a + d$. In practice $\ell_s = 80$ will be sufficient.

We set up the commitment scheme with message space $\mathbb{Z}_q^n$. We demand that $2^{\ell_e + \ell_s} < q$. The reason for this choice is to make $q$ large enough to avoid overflows that require a modular reduction in Sections 4 and 5. When the cryptosystem has a message space where $m^q = 1$ for all messages, this requirement can be waived; see Section 6 for details. For notational convenience, we assume that the randomizer space of the commitment scheme is $\mathbb{Z}_q$, but other choices are possible.

3 SHVZK Argument for Shuffle of Known Contents

Before looking into the question of shuffling ciphertexts, we investigate a simpler problem that will be used as a building block. We have messages $m_1, \ldots, m_n$ and a commitment $c$. The problem is to prove knowledge of a permutation $\pi$ and a randomizer $r$ such that $c = \mathrm{com}_{ck}(m_{\pi(1)}, \ldots, m_{\pi(n)}; r)$. In this section, we present an SHVZK argument for a commitment containing a permutation of a set of known messages.

The main idea is from Neff [36], namely that the polynomial $p(X) = \prod_{i=1}^n (m_i - X)$ is stable under permutation of the roots, i.e., for any permutation $\pi$ we have $p(X) = \prod_{i=1}^n (m_{\pi(i)} - X)$. We will prove knowledge of $\mu_1, \ldots, \mu_n, r$ so $c = \mathrm{com}_{ck}(\mu_1, \ldots, \mu_n; r)$ and prove that $\prod_{i=1}^n (m_i - X) = \prod_{i=1}^n (\mu_i - X)$. Since we are working over a field $\mathbb{Z}_q$, this equality implies the existence of a permutation $\pi$ so $\mu_i = m_{\pi(i)}$.

To prove that the two polynomials are identical, we will let the verifier choose $x \in \mathbb{Z}_q$ at random and demonstrate that $\prod_{i=1}^n (m_i - x) = \prod_{i=1}^n (\mu_i - x)$. A degree-$n$ polynomial in $\mathbb{Z}_q[X]$ can have at most $n$ roots, so the test fails with overwhelming probability unless indeed $\prod_{i=1}^n (m_i - X) = \prod_{i=1}^n (\mu_i - X)$.

Using this idea, we formulate the following plan for arguing knowledge of $c$ containing a permutation of the messages $m_1, \ldots, m_n$.

1. Use a standard SHVZK argument with randomly chosen challenge $e$ to argue knowledge of an opening $\mu_1, \ldots, \mu_n, r$ of $c$. In this SHVZK argument of knowledge we get values $f_i = e\mu_i + d_i$, where $d_i$ is committed to by the prover before receiving the random $e$ from the verifier.

2. In the first round of the argument, the verifier will choose an evaluation point $x \in \mathbb{Z}_q$ at random. Once the prover sends out the values $f_1, \ldots, f_n$, it is straightforward to compute $f_i - ex = e(\mu_i - x) + d_i$.

3. We have $\prod_{i=1}^n (f_i - ex) = e^n \prod_{i=1}^n (\mu_i - x) + p_{n-1}(e)$, where $p_{n-1}(\cdot)$ is a polynomial of degree $n - 1$. We will argue that $\prod_{i=1}^n (f_i - ex) = e^n \prod_{i=1}^n (m_i - x) + p_{n-1}(e)$. Since $e$ is chosen at random, this means $\prod_{i=1}^n (\mu_i - x) = \prod_{i=1}^n (m_i - x)$, as we wanted.

4. To argue that $\prod_{i=1}^n (f_i - ex) = e^n \prod_{i=1}^n (m_i - x) + p_{n-1}(e)$ the prover will send $F_1, \ldots, F_n$ of the form $F_j = e \prod_{i=1}^j (\mu_i - x) + \Delta_j$ to the verifier, where $\Delta_2, \ldots, \Delta_{n-1}$ are chosen by the prover before receiving the random challenge $e$. We use $\Delta_1 = d_1$ so $F_1 = f_1 - ex$. We also use $\Delta_n = 0$ so $F_n = e \prod_{i=1}^n (m_i - x)$, which can be tested directly by the verifier. We will have equalities $eF_{i+1} = F_i (f_{i+1} - ex) + f_{\Delta i}$, where the $f_{\Delta i}$'s are linear in $e$. To see why such $f_{\Delta i}$ exist, write $a_i = \prod_{j=1}^i (\mu_j - x)$ so that $F_i = e a_i + \Delta_i$; then $F_i (f_{i+1} - ex) = (e a_i + \Delta_i)(e(\mu_{i+1} - x) + d_{i+1}) = e^2 a_{i+1} + e\big(a_i d_{i+1} + (\mu_{i+1} - x)\Delta_i\big) + \Delta_i d_{i+1}$, and $eF_{i+1} = e^2 a_{i+1} + e\Delta_{i+1}$, so the equality holds exactly for $f_{\Delta i} = e\big(\Delta_{i+1} - (\mu_{i+1} - x)\Delta_i - a_i d_{i+1}\big) - \Delta_i d_{i+1}$, whose two coefficients the prover can commit to before seeing $e$. From the verifier's point of view these equalities imply that $e^n \prod_{i=1}^n (m_i - x) = e^{n-1} F_n = \prod_{i=1}^n (f_i - ex) - p_{n-1}(e)$, where $p_{n-1}$ is a degree-$(n-1)$ polynomial in $e$. With overwhelming probability over $e$ this implies $\prod_{i=1}^n (m_i - x) = \prod_{i=1}^n (\mu_i - x)$.

Theorem 1. The protocol in Figure 1 is a 4-move public coin special honest verifier zero-knowledge argument with witness-extended emulation for $c$ being a commitment to a permutation of the messages $m_1, \ldots, m_n$. If the commitment scheme is statistically hiding then the argument is statistical honest verifier zero-knowledge. If the commitment scheme is statistically binding, then we have unconditional soundness, i.e., the protocol is an SHVZK proof.

Proof. It is obvious that we are dealing with a 4-move public coin protocol. Perfect completeness is straightforward to verify. Remaining is to prove special honest verifier zero-knowledge and witness-extended emulation.

SPECIAL HONEST VERIFIER ZERO-KNOWLEDGE. Figure 2 describes how the simulator acts given challenges $x, e$. The simulator does not use any knowledge of $\pi, r$. It first selects $f_1, \ldots, f_n, z, F_2, \ldots, F_{n-1}, z_\Delta$ and $c_a \leftarrow \mathrm{com}_{ck}(0, \ldots, 0)$ at random and then adjusts all other parts of the argument to fit these values.

In the same figure, we describe a hybrid simulator that acts just as the simulator except when generating $c_a$. In the generation of $c_a$, the hybrid simulator does use knowledge of $\pi$ to compute the $d_i, a_i, \Delta_i$ values. It then produces $c_a$ in the same manner as a real prover would do it using those values. Finally, for comparison we have the real prover's protocol in an unordered fashion.

The simulated argument and the hybrid argument differ only in the content of $c_a$. The hiding property of the commitment scheme therefore gives us indistinguishability between hybrid arguments and simulated arguments. If the commitment scheme is statistically hiding then the arguments are statistically indistinguishable.

A hybrid argument is statistically indistinguishable from a real argument. The only difference is that a real prover starts out by picking $d_i, \Delta_i, r_d, r_\Delta$ at random,

Shuffle of Known Content Argument

Common input: $ck$, $c$, $m_1, \ldots, m_n$.
Prover's input: $\pi, r$ so $c = \mathrm{com}_{ck}(m_{\pi(1)}, \ldots, m_{\pi(n)}; r)$.

Verifier → Prover: $x \leftarrow \{0,1\}^{\ell_e}$.

Prover: $d_1, \ldots, d_n \leftarrow \mathbb{Z}_q$, $r_d, r_\Delta \leftarrow \mathbb{Z}_q$; $\Delta_1 = d_1$, $\Delta_2, \ldots, \Delta_{n-1} \leftarrow \mathbb{Z}_q$, $\Delta_n = 0$; $a_i = \prod_{j=1}^i (m_{\pi(j)} - x)$, $r_a \leftarrow \mathbb{Z}_q$;
  $c_d = \mathrm{com}_{ck}(d_1, \ldots, d_n; r_d)$,
  $c_\Delta = \mathrm{com}_{ck}(-\Delta_1 d_2, \ldots, -\Delta_{n-1} d_n; r_\Delta)$,
  $c_a = \mathrm{com}_{ck}\big(\Delta_2 - (m_{\pi(2)} - x)\Delta_1 - a_1 d_2, \ldots, \Delta_n - (m_{\pi(n)} - x)\Delta_{n-1} - a_{n-1} d_n; r_a\big)$.
Prover → Verifier: $c_d, c_\Delta, c_a$.

Verifier → Prover: $e \leftarrow \{0,1\}^{\ell_e}$.

Prover: $f_i = e m_{\pi(i)} + d_i$, $z = er + r_d$; $f_{\Delta i} = e\big(\Delta_{i+1} - (m_{\pi(i+1)} - x)\Delta_i - a_i d_{i+1}\big) - \Delta_i d_{i+1}$, $z_\Delta = e r_a + r_\Delta$.
Prover → Verifier: $f_1, \ldots, f_n, z, f_{\Delta 1}, \ldots, f_{\Delta(n-1)}, z_\Delta$.

Verifier: Check $c_d, c_a, c_\Delta \in C_{ck}$. Check $f_1, \ldots, f_n, z, f_{\Delta 1}, \ldots, f_{\Delta(n-1)}, z_\Delta \in \mathbb{Z}_q$. Check $c^e c_d = \mathrm{com}_{ck}(f_1, \ldots, f_n; z)$. Check $c_a^e c_\Delta = \mathrm{com}_{ck}(f_{\Delta 1}, \ldots, f_{\Delta(n-1)}; z_\Delta)$. Define $F_1, \ldots, F_n$ by $F_1 = f_1 - ex$, $eF_2 = F_1(f_2 - ex) + f_{\Delta 1}$, ..., $eF_n = F_{n-1}(f_n - ex) + f_{\Delta(n-1)}$. Check $F_n = e \prod_{i=1}^n (m_i - x)$.

Fig. 1. Argument of Knowledge of Shuffle of Known Content.

however, in both protocols this gives us $f_i, f_{\Delta i}, z, z_\Delta$ randomly distributed over $\mathbb{Z}_q$. Given these values, the commitment $c_a$ is computed in the same way by both protocols. Moreover, in both protocols we get $c_d = \mathrm{com}_{ck}(d_1, \ldots, d_n; r_d)$ and $c_\Delta = \mathrm{com}_{ck}(-\Delta_1 d_2, \ldots, -\Delta_{n-1} d_n; r_\Delta)$.

WITNESS-EXTENDED EMULATION. The emulator $E$ first runs $\langle P^*, V \rangle$ to get a transcript $tr$. This is the transcript $E$ will output, and by construction it is perfectly indistinguishable from a real SHVZK argument. If the transcript is rejecting, then $E$ halts with $(tr, \bot)$. However, if the transcript is accepting then $E$ must try to find a witness $w = (\pi, r)$. To extract a witness, $E$ rewinds and runs $\langle P^*, V \rangle$ again on the same challenge $x$ until it gets another acceptable argument. Call the two arguments $(x, c_d, c_\Delta, c_a, e, f_1, \ldots, f_n, z, f_{\Delta 1}, \ldots, f_{\Delta(n-1)}, z_\Delta)$ and

$(x, c_d, c_\Delta, c_a, e', f'_1, \ldots, f'_n, z', f'_{\Delta 1}, \ldots, f'_{\Delta(n-1)}, z'_\Delta)$. We have $c^e c_d = \mathrm{com}_{ck}(f_1, \ldots, f_n; z)$ and $c^{e'} c_d = \mathrm{com}_{ck}(f'_1, \ldots, f'_n; z')$. This gives us $c^{e - e'} = \mathrm{com}_{ck}(f_1 - f'_1, \ldots, f_n - f'_n; z - z')$. If $e \neq e'$, $E$ can run the root extraction algorithm to get an opening $\mu_1, \ldots, \mu_n, r$ of $c$.

Let us at this point argue that $E$ runs in expected polynomial time. If $P^*$ is in a situation where it has probability $\epsilon > 0$ of making the verifier accept on challenge $x$, then the expected number of runs to get an acceptable transcript is $1/\epsilon$. Of course if $P^*$ fails, then we do not need to sample a second run. We therefore get a total expectation of 2 queries to $\langle P^*, V\rangle$. A consequence of $E$ using an expected polynomial number of queries to $P^*$ is that there is only negligible probability of ending in a run where $e = e'$ or any other event with negligible probability occurs, e.g., breaking the binding property of the commitment scheme. Therefore, with overwhelming probability, either we do not need a witness or we have found an opening $\mu_1, \ldots, \mu_n, r$ of $c$.

We need to argue that the probability of extracting an opening of $c$ such that $\mu_1, \ldots, \mu_n$ is not a permutation of $m_1, \ldots, m_n$ is negligible. Assume there is a constant $\delta > 0$ such that $P^*$ has more than $\kappa^{-\delta}$ chance of producing a convincing argument. In that case we can run it with a random challenge $x$ and rewind to get three random challenges $e, e', e''$. With probability at least $\kappa^{-3\delta}$, $P^*$ manages to create accepting arguments on all three of these challenges.

Fig. 2. Simulation of Known Shuffle Argument. The three columns of the figure (simulator, hybrid, prover) are written out as three lists.

Simulator: picks $f_i \leftarrow \mathbb{Z}_q$, $z \leftarrow \mathbb{Z}_q$, $F_i \leftarrow \mathbb{Z}_q$, $z_\Delta \leftarrow \mathbb{Z}_q$; sets $F_1 = f_1 - ex$, $F_n = e\prod_{i=1}^n (m_i - x)$ and $f_{\Delta i} = eF_{i+1} - F_i(f_{i+1} - ex)$; sets $c_a \leftarrow \mathrm{com}_{ck}(0, \ldots, 0)$, $c_d = \mathrm{com}_{ck}(f_1, \ldots, f_n; z)\, c^{-e}$ and $c_\Delta = \mathrm{com}_{ck}(f_{\Delta 1}, \ldots, f_{\Delta(n-1)}; z_\Delta)\, c_a^{-e}$.

Hybrid: picks $f_i, z, F_i, z_\Delta$ as the simulator; sets $d_i = f_i - e m_{\pi(i)}$, $a_i = \prod_{j=1}^{i}(m_{\pi(j)} - x)$, $r_a \leftarrow \mathbb{Z}_q$ and $\Delta_i = F_i - e a_i$; computes $c_a \leftarrow \mathrm{com}_{ck}(\Delta_2 - (m_{\pi(2)} - x)\Delta_1 - a_1 d_2, \ldots, \Delta_n - (m_{\pi(n)} - x)\Delta_{n-1} - a_{n-1} d_n; r_a)$ and $c_d, c_\Delta$ as the simulator.

Prover: picks $d_i \leftarrow \mathbb{Z}_q$, $r_d \leftarrow \mathbb{Z}_q$, $\Delta_i \leftarrow \mathbb{Z}_q$, $r_\Delta \leftarrow \mathbb{Z}_q$ and $a_i, r_a$ as above; computes $c_a$ as the hybrid, $c_d = \mathrm{com}_{ck}(d_1, \ldots, d_n; r_d)$ and $c_\Delta = \mathrm{com}_{ck}(-\Delta_1 d_2, \ldots, -\Delta_{n-1} d_n; r_\Delta)$; answers $f_i = e m_{\pi(i)} + d_i$, $z = er + r_d$, $F_i = e a_i + \Delta_i$, $z_\Delta = e r_a + r_\Delta$.
Call the first two arguments $(x, c_d, c_\Delta, c_a, e, f_1, \ldots, f_n, z, f_{\Delta 1}, \ldots, f_{\Delta(n-1)}, z_\Delta)$ and $(x, c_d, c_\Delta, c_a, e', f'_1, \ldots, f'_n, z', f'_{\Delta 1}, \ldots, f'_{\Delta(n-1)}, z'_\Delta)$. We have $c_a^e c_\Delta = \mathrm{com}_{ck}(f_{\Delta 1}, \ldots, f_{\Delta(n-1)}; z_\Delta)$ and $c_a^{e'} c_\Delta = \mathrm{com}_{ck}(f'_{\Delta 1}, \ldots, f'_{\Delta(n-1)}; z'_\Delta)$, so $c_a^{e - e'} = \mathrm{com}_{ck}(f_{\Delta 1} - f'_{\Delta 1}, \ldots, f_{\Delta(n-1)} - f'_{\Delta(n-1)}; z_\Delta - z'_\Delta)$. From this, we can extract an opening $\alpha_1, \ldots, \alpha_{n-1}, r_a$ of $c_a$. This also gives us an opening $\delta_1, \ldots, \delta_{n-1}, r_\Delta$ of $c_\Delta$, where $\delta_i = f_{\Delta i} - e\alpha_i$ and $r_\Delta = z_\Delta - e r_a$. Since we know an opening of $c$, we also have an opening $d_1, \ldots, d_n, r_d$ of $c_d$ with $d_i = f_i - e\mu_i$ and $r_d = z - er$. Consider now the third challenge $e''$. Since we know openings of $c, c_d$ we have $f''_i = e''\mu_i + d_i$, and since we know openings of $c_a, c_\Delta$ we have $f''_{\Delta i} = e''\alpha_i + \delta_i$.

From the way we build up $F_n$ and from $F_n = e''\prod_{i=1}^n (m_i - x)$ we deduce
$$(e'')^n \prod_{i=1}^n (m_i - x) = (e'')^{n-1} F_n = (e'')^n \prod_{i=1}^n (\mu_i - x) + p_{n-1}(e''),$$
where $p_{n-1}(\cdot)$ is a polynomial of degree $n-1$. Since $e''$ is chosen at random this implies with overwhelming probability that $\prod_{i=1}^n (\mu_i - x) = \prod_{i=1}^n (m_i - x)$. We now have two polynomials evaluating to the same value in a random point $x$. With overwhelming probability, they must be identical. This in turn implies that $\mu_1, \ldots, \mu_n$ is a permutation of $m_1, \ldots, m_n$, as we wanted to show.

If the commitment scheme is statistically binding, then even an unbounded adversary is stuck with the values that have been committed to, without any ability to change them. With $x, e$ chosen at random by the verifier, even an unbounded adversary has negligible chance of cheating.

4 SHVZK Argument for Shuffle of Homomorphic Encryptions

A set of ciphertexts $e_1, \ldots, e_n$ can be shuffled by selecting a permutation $\pi$, selecting randomizers $R_1, \ldots, R_n$, and setting $E_1 = e_{\pi(1)} E_{pk}(1; R_1), \ldots, E_n = e_{\pi(n)} E_{pk}(1; R_n)$. The task for the prover is to argue that some permutation $\pi$ exists so that the plaintexts of $E_1, \ldots, E_n$ and $e_{\pi(1)}, \ldots, e_{\pi(n)}$ are identical.

As a first step, we think of the following naïve proof system. The prover informs the verifier of the permutation $\pi$. The verifier picks at random $t_1, \ldots, t_n$ and computes $\prod_{i=1}^n e_i^{t_i}$ and $\prod_{i=1}^n E_i^{t_{\pi(i)}}$. Finally, the prover proves that the two resulting ciphertexts have the same plaintext. Unless $\pi$ really corresponds to a pairing of ciphertexts with identical plaintexts the prover will be caught with overwhelming probability. An obvious problem with this idea is the lack of zero-knowledge. We remedy it in the following way [20, 36]:

1. The prover commits to the permutation $\pi$ as $c \leftarrow \mathrm{com}_{ck}(\pi(1), \ldots, \pi(n))$. He makes an SHVZK argument of knowledge of $c$ containing a permutation of the numbers $1, \ldots, n$. At this step, the prover is bound to some permutation he knows, but the permutation remains hidden.

2. The prover creates a commitment $c_d \leftarrow \mathrm{com}_{ck}(-d_1, \ldots, -d_n)$ to random $d_i$'s. The verifier selects at random $t_1, \ldots, t_n$ and the prover permutes them according to $\pi$. The prover will at some point reveal values $f_i = t_{\pi(i)} + d_i$, but since the $d_i$'s are random this does not reveal the permutation $\pi$. As part of the argument, we will argue that the $f_i$'s have been formed correctly, using the same permutation $\pi$ that we used to form $c$.

3. Finally, the prover uses standard SHVZK arguments of knowledge of multiplicative relationship and equivalence to show that the products $\prod_{i=1}^n e_i^{t_i}$ and $\prod_{i=1}^n E_i^{f_i}$ differ only by a factor $E_d = \prod_{i=1}^n E_i^{-d_i} E_{pk}(1; R)$ for some randomizer $R$, without revealing anything else. This last step corresponds to carrying out the naïve proof system in zero-knowledge using a secret permutation $\pi$ that was fixed before receiving the $t_i$'s.
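As an added illustration of the re-encryption shuffle $E_i = e_{\pi(i)} E_{pk}(1; R_i)$ and of the naïve random-exponent check above (this is example code written for this page, not code from the paper), the following Python script implements both for ElGamal over a constructed toy group and shows that a substituted ciphertext is caught. The group parameters, key, messages and the `cheating_shuffle` routine are all constructed here; decrypting with the secret key stands in for the plaintext-equality proof of the last step, since the point is the algebra and not the zero-knowledge part.

```python
"""Re-encryption shuffle of ElGamal ciphertexts and the naive random-exponent
plaintext check from Section 4. Added example for this page, not the paper's
code. Constructed, deliberately tiny group: p = 2q + 1 = 2039 is a safe prime
and G = 4 generates the subgroup of prime order q = 1019 (insecure by design)."""
import random

P, Q, G = 2039, 1019, 4


def keygen(rng):
    """ElGamal key pair (x, y = g^x) in the toy group."""
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)


def encrypt(y, m, r):
    """E_pk(m; r) = (g^r, y^r m); m must lie in the order-q subgroup."""
    return (pow(G, r, P), pow(y, r, P) * m % P)


def decrypt(x, ct):
    """Recover m = v / u^x; u^(q - x) equals u^(-x) because u has order q."""
    u, v = ct
    return v * pow(u, (Q - x) % Q, P) % P


def ct_mul(a, b):
    """Homomorphic property: E(m1; r1) E(m2; r2) = E(m1 m2; r1 + r2)."""
    return (a[0] * b[0] % P, a[1] * b[1] % P)


def ct_pow(ct, t):
    """E(m; r)^t = E(m^t; t r)."""
    return (pow(ct[0], t, P), pow(ct[1], t, P))


def shuffle(y, cts, rng):
    """Honest shuffle: E_i = e_{pi(i)} * E_pk(1; R_i). Returns (E, pi, R)."""
    n = len(cts)
    pi = list(range(n))
    rng.shuffle(pi)                          # pi[i] plays the paper's pi(i)
    R = [rng.randrange(Q) for _ in range(n)]
    out = [ct_mul(cts[pi[i]], encrypt(y, 1, R[i])) for i in range(n)]
    return out, pi, R


def cheating_shuffle(y, cts, rng, bad_msg):
    """Constructed misbehaviour: a correct shuffle except that output 0 is
    replaced by an encryption of an unrelated message."""
    out, pi, R = shuffle(y, cts, rng)
    out[0] = encrypt(y, bad_msg, rng.randrange(Q))
    return out, pi, R


def naive_check(x, cts, shuffled, pi, rng):
    """Verifier side of the naive proof system: with pi revealed, pick random
    t_i in [1, q-1], form prod_i e_i^{t_i} and prod_i E_i^{t_{pi(i)}}, and
    compare plaintexts (here by decrypting with x; the paper uses a ZK
    equality proof instead). A single substituted output changes the second
    plaintext by a factor of order q raised to a nonzero exponent, so it is
    always detected; more elaborate cheats are caught with probability 1 - 1/q."""
    n = len(cts)
    t = [rng.randrange(1, Q) for _ in range(n)]
    lhs, rhs = (1, 1), (1, 1)
    for i in range(n):
        lhs = ct_mul(lhs, ct_pow(cts[i], t[i]))
        rhs = ct_mul(rhs, ct_pow(shuffled[i], t[pi[i]]))
    return decrypt(x, lhs) == decrypt(x, rhs)


def run_demo(seed=7):
    """Returns (honest_accepted, cheater_accepted) for one constructed run."""
    rng = random.Random(seed)
    x, y = keygen(rng)
    msgs = [pow(G, k, P) for k in (3, 17, 42, 99, 256)]   # constructed plaintexts
    cts = [encrypt(y, m, rng.randrange(Q)) for m in msgs]
    honest, pi, _ = shuffle(y, cts, rng)
    honest_ok = naive_check(x, cts, honest, pi, rng)
    bad_msg = pow(G, 500, P)                                # not among msgs
    cheat, pi2, _ = cheating_shuffle(y, cts, rng, bad_msg)
    cheat_ok = naive_check(x, cts, cheat, pi2, rng)
    return honest_ok, cheat_ok


if __name__ == "__main__":
    print(run_demo())   # (True, False)
```

The check passes for every honest shuffle because $\prod_i E_i^{t_{\pi(i)}}$ has plaintext $\prod_i m_{\pi(i)}^{t_{\pi(i)}} = \prod_j m_j^{t_j}$; the randomizers only accumulate in the second component, which is exactly why the real protocol needs a plaintext-equality sub-argument rather than a comparison of the ciphertexts themselves.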

To carry out this process we need to convince the verifier that $c$ and $f_1, \ldots, f_n$ contain respectively $1, \ldots, n$ and $t_1, \ldots, t_n$ permuted in the same order. It seems like we have just traded one shuffle problem for another. The difference is that the supposed contents of the commitments are known to both the prover and the verifier, whereas we cannot expect either to know the contents of the ciphertexts being shuffled. The SHVZK argument of knowledge for a shuffle of known content can therefore be used. To see that the pairs $(i, t_i)$ match we let the verifier pick $\lambda$ at random, and let the prover demonstrate that $c^\lambda c_d\, \mathrm{com}_{ck}(f_1, \ldots, f_n; 0)$ contains a shuffle of $\lambda + t_1, \ldots, \lambda n + t_n$. If a pair $(i, t_i)$ does not appear in the same spot in respectively $c$ and $f_1, \ldots, f_n$, then with high likelihood over the choice of $\lambda$ the shuffle argument will fail.

Fig. 3. Argument of Shuffle of Homomorphic Ciphertexts.

Common input: $ck$, $pk$, $e_1, \ldots, e_n$, $E_1, \ldots, E_n$. Prover's input: $\pi, R_1, \ldots, R_n$ so $E_i = e_{\pi(i)} E_{pk}(1; R_i)$.

Prover picks $r \leftarrow \mathbb{Z}_q$, $R_d \leftarrow \mathcal{R}_{pk}$, $d_1, \ldots, d_n \leftarrow \{0,1\}^{\ell_e + \ell_s}$, $r_d \leftarrow \mathbb{Z}_q$ and sends $c = \mathrm{com}_{ck}(\pi(1), \ldots, \pi(n); r)$, $c_d = \mathrm{com}_{ck}(-d_1, \ldots, -d_n; r_d)$ and $E_d = \prod_{i=1}^n E_i^{-d_i} E_{pk}(1; R_d)$.

Verifier sends $t_1, \ldots, t_n \leftarrow \{0,1\}^{\ell_e}$.

Prover sends $f_1, \ldots, f_n, Z$, where $f_i = t_{\pi(i)} + d_i$ and $Z = \sum_{i=1}^n t_{\pi(i)} R_i + R_d$.

Verifier sends $\lambda \leftarrow \{0,1\}^{\ell_e}$.

Prover and verifier run $\mathrm{Arg}(\pi, \rho \mid c^\lambda c_d\, \mathrm{com}_{ck}(f_1, \ldots, f_n; 0) = \mathrm{com}_{ck}(\lambda\pi(1) + t_{\pi(1)}, \ldots, \lambda\pi(n) + t_{\pi(n)}; \rho))$ (footnote a).

Verifier checks $c, c_d \in C_{ck}$, $E_d \in C_{pk}$, $2^{\ell_e} \le f_1, \ldots, f_n < 2^{\ell_e + \ell_s}$ and $Z \in \mathcal{R}_{pk}$; verifies $\mathrm{Arg}(\pi, \rho)$; and checks $\prod_{i=1}^n e_i^{-t_i} \prod_{i=1}^n E_i^{f_i} E_d = E_{pk}(1; Z)$.

a. Given $m_1, \ldots, m_n, c$ we write $\mathrm{Arg}(\pi, \rho \mid c = \mathrm{com}_{ck}(m_{\pi(1)}, \ldots, m_{\pi(n)}; \rho))$ as a shorthand for carrying out the SHVZK argument in Figure 1 of knowledge of $\pi, \rho$ such that $c = \mathrm{com}_{ck}(m_{\pi(1)}, \ldots, m_{\pi(n)}; \rho)$.

Theorem 2. The protocol in Figure 3 is a 7-move public coin special honest verifier zero-knowledge argument for correctness of a shuffle of homomorphic ciphertexts. If the cryptosystem has polynomial time root extraction, then the argument has witness-extended emulation. If the commitment scheme is statistically hiding, then the argument is statistical SHVZK. If the commitment scheme is statistically binding, then the scheme is an SHVZK proof of a shuffle.

Proof. Using the 4-move argument of knowledge for shuffle of known contents from this paper, the protocol is a 7-move public coin protocol. With sufficiently large $\ell_s$ we have with overwhelming probability that $2^{\ell_e} \le t_{\pi(i)} + d_i < 2^{\ell_e + \ell_s} < q$ when added as integers. With this in mind, it is straightforward to verify completeness. It remains to prove that we have special honest verifier zero-knowledge and witness-extended emulation.

SPECIAL HONEST VERIFIER ZERO-KNOWLEDGE. Given challenges $t_1, \ldots, t_n, \lambda$ as well as challenges for the known shuffle, we wish to simulate a transcript that is indistinguishable from a real argument. We describe in Figure 4 a simulator that simulates the argument without access to the permutation $\pi$ or the randomizers $R_1, \ldots, R_n$. It picks $c, c_d, f_1, \ldots, f_n, Z$ at random and fits the other parts of the protocol to these values. In the same figure, we also include a hybrid argument that works like the simulator except for generating $c, c_d$ correctly using knowledge of $\pi$. Finally, we include for comparison the real prover in a somewhat unordered description.

Fig. 4. Simulation of Shuffle Argument. The three columns of the figure (simulator, hybrid, prover) are written out as three lists.

Simulator: $c \leftarrow \mathrm{com}_{ck}(0, \ldots, 0)$; $c_d \leftarrow \mathrm{com}_{ck}(0, \ldots, 0)$; $f_i \leftarrow \{0,1\}^{\ell_e + \ell_s}$; $Z \leftarrow \mathcal{R}_{pk}$; $E_d = E_{pk}(1; Z) \prod_{i=1}^n e_i^{t_i} \prod_{i=1}^n E_i^{-f_i}$; simulates $\mathrm{Arg}(\pi, \rho \mid c^\lambda c_d\, \mathrm{com}_{ck}(f_1, \ldots, f_n; 0) = \mathrm{com}_{ck}(\lambda\pi(1) + t_{\pi(1)}, \ldots, \lambda\pi(n) + t_{\pi(n)}; \rho))$.

Hybrid: $c \leftarrow \mathrm{com}_{ck}(\pi(1), \ldots, \pi(n))$; $f_i \leftarrow \{0,1\}^{\ell_e + \ell_s}$; $d_i = f_i - t_{\pi(i)}$; $c_d \leftarrow \mathrm{com}_{ck}(-d_1, \ldots, -d_n)$; $Z \leftarrow \mathcal{R}_{pk}$; $E_d = E_{pk}(1; Z) \prod_{i=1}^n e_i^{t_i} \prod_{i=1}^n E_i^{-f_i}$; simulates $\mathrm{Arg}(\pi, \rho \mid \ldots)$ as the simulator does.

Prover: $c \leftarrow \mathrm{com}_{ck}(\pi(1), \ldots, \pi(n))$; $d_i \leftarrow \mathbb{Z}_q$; $c_d \leftarrow \mathrm{com}_{ck}(-d_1, \ldots, -d_n)$; $f_i = t_{\pi(i)} + d_i$; $R_d \leftarrow \mathcal{R}_{pk}$, $Z = \sum_{i=1}^n t_{\pi(i)} R_i + R_d$; $E_d = \prod_{i=1}^n E_i^{-d_i} E_{pk}(1; R_d)$; runs the real $\mathrm{Arg}(\pi, \rho \mid c^\lambda c_d\, \mathrm{com}_{ck}(f_1, \ldots, f_n; 0) = \mathrm{com}_{ck}(\lambda\pi(1) + t_{\pi(1)}, \ldots, \lambda\pi(n) + t_{\pi(n)}; \rho))$.

Simulated arguments and hybrid arguments only differ in the content of $c$ and $c_d$. The hiding property of the commitment scheme therefore implies indistinguishability between simulated arguments and hybrid arguments. If the commitment scheme is statistically hiding, then the two types of arguments are statistically indistinguishable. Since $q > 2^{\ell_e + \ell_s}$ there is overwhelming probability that we do not need to make any modular reductions when computing the $d_i$'s and $f_i$'s and that the $f_i$'s are at least $2^{\ell_e}$. Under this condition, we have for the prover that $E_d = \prod_{i=1}^n E_i^{-d_i} E_{pk}(1; R_d) = E_{pk}(1; Z) \prod_{i=1}^n e_i^{t_i} \prod_{i=1}^n E_i^{-f_i}$, so there is no difference in the way $E_d$ is computed by

respectively the hybrid simulator and the prover. The only remaining difference is that the hybrid argument contains a simulated argument of knowledge of shuffle of known content, whereas the prover makes a real proof. The SHVZK property of this argument gives us indistinguishability between hybrid arguments and real arguments, and statistical SHVZK gives us statistical indistinguishability.

SOUNDNESS AND WITNESS-EXTENDED EMULATION. The proof of soundness will follow from the proof of witness-extended emulation, so let us start by describing the emulator. We first run $\langle P^*, V\rangle$ to give us a transcript $tr = (c, c_d, E_d, t_1, \ldots, t_n, f_1, \ldots, f_n, Z, \lambda, tr_{known})$, where $tr_{known}$ is the transcript of the 4-move argument for a shuffle of known contents. If $P^*$ fails to produce an acceptable argument, then we output $(tr, \bot)$. On the other hand, if the argument is acceptable, then we must extract a witness $\pi, R_1, \ldots, R_n$ for $E_1, \ldots, E_n$ being a shuffle of $e_1, \ldots, e_n$. In the following we let $\epsilon$ be the probability of $P^*$ outputting an acceptable argument.

In order to extract a witness, we rewind $\langle P^*, V\rangle$ to get more transcripts with randomly chosen challenges $t_1, \ldots, t_n, \lambda$ and use the witness-extended emulator for the argument of shuffle of known contents to get openings of $c^\lambda c_d\, \mathrm{com}_{ck}(f_1, \ldots, f_n; 0)$. We do this until we have obtained $n+3$ acceptable arguments. If we have probability $\epsilon$ of getting an acceptable transcript on random challenges $t_1, \ldots, t_n, \lambda$, then we expect to use $(n+2)/\epsilon$ attempts to sample $n+2$ extra transcripts. Since we only need to extract a witness when the transcript is accepting, we have an expected number of $n+3$ runs. One has to be careful when combining expected polynomial time algorithms, since the composed algorithm may not be expected polynomial time.

In our case, however, we will run the witness-extended emulator on transcripts that have the same distribution as real arguments; in particular the inputs to the witness-extended emulator will always have a size that is polynomial in the security parameter, so we do really get expected polynomial time for the emulator. Since the witness-extended emulator uses expected polynomial time, there is overwhelming probability that either we do not get an acceptable argument, or alternatively we do get an acceptable argument but no event with negligible probability occurs. In particular, with overwhelming probability we do not break the binding property of the commitment scheme or have collisions among the randomly chosen challenges.

From the sampling process we have two acceptable arguments $c, c_d, E_d, t_1, \ldots, t_n, f_1, \ldots, f_n, Z, \lambda$ and $c, c_d, E_d, t'_1, \ldots, t'_n, f'_1, \ldots, f'_n, Z', \lambda'$ as well as witnesses $\pi, r$ and $\pi', r'$ for $c^\lambda c_d\, \mathrm{com}_{ck}(f_1, \ldots, f_n; 0)$ and $c^{\lambda'} c_d\, \mathrm{com}_{ck}(f'_1, \ldots, f'_n; 0)$ containing shuffles of respectively $\lambda i + t_i$ and $\lambda' i + t'_i$. This gives us
$$c^{\lambda - \lambda'} = \mathrm{com}_{ck}\big(f'_1 - f_1 + \lambda\pi(1) + t_{\pi(1)} - \lambda'\pi'(1) - t'_{\pi'(1)}, \ldots, f'_n - f_n + \lambda\pi(n) + t_{\pi(n)} - \lambda'\pi'(n) - t'_{\pi'(n)}; r - r'\big).$$
We run the root extractor to get an opening $s_1, \ldots, s_n, r$ of $c$. Given this opening we can compute an opening $-d_1, \ldots, -d_n, r_d$ of $c_d$ with $-d_i = \lambda\pi(i) + t_{\pi(i)} - \lambda s_i - f_i$ and $0 \le d_i < q$. We will now argue that $s_1, \ldots, s_n$ is a permutation of $1, \ldots, n$. Suppose for some constant $\delta > 0$ that $P^*$ has more than $\kappa^{-\delta}$ chance of producing a valid argument for an infinite number of $\kappa \in \mathbb{N}$ and that we are looking at such a security parameter $\kappa$.

In the third transcript, we have run $P^*$ with randomly chosen challenges $t''_1, \ldots, t''_n, \lambda''$ and from the witness-extended emulator we get a permutation $\pi''$ so that $\lambda'' s_i - d_i + f''_i = \lambda''\pi''(i) + t''_{\pi''(i)}$. Since $f''_i$ is sent by the prover before receiving $\lambda''$, this has negligible chance of happening unless $s_i = \pi''(i)$. We conclude that indeed $s_1, \ldots, s_n$ is a permutation of $1, \ldots, n$. This in turn tells us that $f_i = t_{\pi(i)} + d_i \bmod q$ for the argument to go through with more than negligible probability. Since $2^{\ell_e} \le f_i < 2^{\ell_e + \ell_s} < q$, the equality $f_i = t_{\pi(i)} + d_i$ holds over the integers as well.

The last $n+1$ acceptable transcripts we enumerate $j = 1, \ldots, n+1$. Call the $t_1, \ldots, t_n$ used in the $j$'th argument $t^{(j)}_1, \ldots, t^{(j)}_n$. We have corresponding answers $f^{(j)}_i = t^{(j)}_{\pi(i)} + d_i$ and $Z^{(j)}$. Consider the integer vectors $(t^{(j)}_1, \ldots, t^{(j)}_n, 1)$ and the corresponding matrix $T$ containing these as row vectors. For any prime $p$ dividing $M_{pk}$, there is overwhelming probability that the vectors are linearly independent modulo $p$, since $M_{pk}$ only has large prime divisors. This means $\gcd(\det(T), p) = 1$ for all $p$ dividing the order of $M_{pk}$ and thus $\gcd(\det(T), M_{pk}) = 1$. Let $A$ be the transposed cofactor matrix of $T$; then we have $AT = \det(T) I$. Calling the entries of $A$ $a_{kj}$, we have $\sum_{j=1}^{n+1} a_{kj}\, (t^{(j)}_1, \ldots, t^{(j)}_n, 1) = (0, \ldots, 0, \det(T), 0, \ldots, 0)$, where $\det(T)$ is placed in position $k$. For all $j$ the verification gives us
$$\prod_{i=1}^n e_i^{-t^{(j)}_i} \prod_{i=1}^n E_i^{f^{(j)}_i} E_d = E_{pk}(1; Z^{(j)}).$$
For all $k = 1, \ldots, n$ we have
$$\begin{aligned}
(e_k^{-1} E_{\pi^{-1}(k)})^{\det(T)} &= \prod_{i=1}^n (e_i^{-1} E_{\pi^{-1}(i)})^{\sum_{j=1}^{n+1} a_{kj} t^{(j)}_i} \Big(\prod_{i=1}^n E_i^{d_i} E_d\Big)^{\sum_{j=1}^{n+1} a_{kj} \cdot 1} \\
&= \prod_{j=1}^{n+1} \Big(\prod_{i=1}^n e_i^{-t^{(j)}_i} \prod_{i=1}^n E_{\pi^{-1}(i)}^{t^{(j)}_i} \prod_{i=1}^n E_i^{d_i} E_d\Big)^{a_{kj}} \\
&= \prod_{j=1}^{n+1} \Big(\prod_{i=1}^n e_i^{-t^{(j)}_i} \prod_{i=1}^n E_i^{t^{(j)}_{\pi(i)}} \prod_{i=1}^n E_i^{d_i} E_d\Big)^{a_{kj}} \\
&= \prod_{j=1}^{n+1} \Big(\prod_{i=1}^n e_i^{-t^{(j)}_i} \prod_{i=1}^n E_i^{f^{(j)}_i} E_d\Big)^{a_{kj}} \\
&= \prod_{j=1}^{n+1} E_{pk}(1; Z^{(j)})^{a_{kj}} = E_{pk}\Big(1; \sum_{j=1}^{n+1} a_{kj} Z^{(j)}\Big).
\end{aligned}$$
We now know from the root extraction property that there exists an $R_{\pi^{-1}(k)}$ so that $e_k^{-1} E_{\pi^{-1}(k)} = E_{pk}(1; R_{\pi^{-1}(k)})$, which shows that the argument is sound. If the commitment scheme is statistically binding we get statistical soundness, where we recall that the SHVZK argument for shuffle of known content has statistical soundness when

the commitment is statistically binding. If the cryptosystem has polynomial time root extraction, we can run the root extractor to find the randomizers $R_1, \ldots, R_n$, so we have witness-extended emulation.

We remark that the proof of soundness shows that the SHVZK argument for correctness of a shuffle is an argument of knowledge of $\pi$. However, we may not have full witness-extended emulation, where we also learn the rerandomization factors $R_1, \ldots, R_n$, unless the cryptosystem has polynomial time root extraction.

5 Combining Shuffling and Decryption

For efficiency reasons it may be desirable to combine shuffling and decryption into one operation. Consider for instance the case where we are using ElGamal encryption and share the secret key additively between the mix-servers. Instead of first mixing and then threshold decrypting, it makes sense to combine the shuffle operations and the decryption operations. This saves computation and each mix-server only has to be activated once instead of twice. While restricting the choice of parameters, namely we must use an ElGamal-like cryptosystem and we must share the secret key additively between all the mix-servers, this is a realistic real-life scenario.

The public key is of the form $(g, y_1, \ldots, y_N)$, where $y_j = g^{x_j}$ and $x_j$ is the secret key of server $j$. Inputs to the mix-net are ElGamal encryptions under the key $(g, \prod_{j=1}^N y_j)$ of the form $(g^r, (\prod_{j=1}^N y_j)^r m)$. The first server shuffles and decrypts with respect to its own key. This leaves us with encryptions under the key $(g, \prod_{j=2}^N y_j)$ that the second server can shuffle and decrypt, etc. Once the last server shuffles and decrypts we get the plaintexts out.

Server $s$ gets input ciphertexts of the form $(u_1, v_1), \ldots, (u_n, v_n)$ under the key $(g, \prod_{j=s}^N y_j)$. It selects a permutation $\pi$ at random, as well as randomizers $R_1, \ldots, R_n$. The output is $(U_1, V_1), \ldots, (U_n, V_n)$ under the key $(g, Y = \prod_{j=s+1}^N y_j)$, where $U_i = g^{R_i} u_{\pi(i)}$ and $V_i = Y^{R_i} v_{\pi(i)} u_{\pi(i)}^{-x_s}$. What we need is an SHVZK argument of knowledge for correctness of such a shuffle-and-decrypt operation.
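The chain of shuffle-and-decrypt steps just described, as an added Python illustration (written for this page, not the paper's code): each server holds an additive share $x_s$ of the ElGamal secret key, permutes and re-randomizes its input under the remaining key $Y = \prod_{j > s} y_j$, and strips its own $u_{\pi(i)}^{x_s}$ factor, so that after the last server the $V_i$ are the plaintexts. The group parameters, key shares and messages are constructed toy values, and the reference check `decrypt_with_shares` is an assumed helper used only to confirm each intermediate stage; no argument of correctness is produced, only the mixing operation the argument is about.

```python
"""Combined shuffle-and-decrypt mix-net from Section 5 for ElGamal with an
additively shared secret key. Added example for this page, not the paper's
code. Constructed toy group (insecure by design): p = 2q + 1 = 2039 with
q = 1019 prime, and G = 4 generates the order-q subgroup of Z_p^*."""
import random

P, Q, G = 2039, 1019, 4


def prod(elems):
    """Product of group elements modulo P (empty product is 1)."""
    acc = 1
    for a in elems:
        acc = acc * a % P
    return acc


def shuffle_and_decrypt(cts, x_s, Y, rng):
    """One mix-server's step: input (u_i, v_i) under key prod_{j>=s} y_j,
    output (U_i, V_i) under Y = prod_{j>s} y_j with
        U_i = g^{R_i} u_{pi(i)},   V_i = Y^{R_i} v_{pi(i)} u_{pi(i)}^{-x_s}.
    Returns the outputs and the permutation used (pi[i] is the paper's pi(i))."""
    n = len(cts)
    pi = list(range(n))
    rng.shuffle(pi)
    out = []
    for i in range(n):
        u, v = cts[pi[i]]
        R = rng.randrange(Q)
        U = pow(G, R, P) * u % P
        # u^{-x_s} = u^{q - x_s} because u lies in the order-q subgroup
        V = pow(Y, R, P) * v % P * pow(u, Q - x_s, P) % P
        out.append((U, V))
    return out, pi


def decrypt_with_shares(ct, shares):
    """Assumed reference helper: decrypt under x = sum of the given shares."""
    u, v = ct
    x = sum(shares) % Q
    return v * pow(u, Q - x, P) % P


def run_mixnet(messages, num_servers, rng):
    """Encrypt under the joint key (g, prod y_j), pass the batch through every
    server in turn and return (final plaintexts in output order, composed
    permutation mapping output position to input position)."""
    shares = [rng.randrange(1, Q) for _ in range(num_servers)]
    ys = [pow(G, x, P) for x in shares]
    joint = prod(ys)
    cts = []
    for m in messages:
        r = rng.randrange(Q)
        cts.append((pow(G, r, P), pow(joint, r, P) * m % P))
    order = list(range(len(messages)))       # which input sits at each slot
    for s in range(num_servers):
        Y = prod(ys[s + 1:])                 # key the outputs remain under
        cts, pi = shuffle_and_decrypt(cts, shares[s], Y, rng)
        order = [order[pi[i]] for i in range(len(order))]
        # Stage check: outputs must still decrypt to the inputs' plaintexts
        # under the shares that have not yet been applied.
        remaining = shares[s + 1:]
        for i, ct in enumerate(cts):
            if decrypt_with_shares(ct, remaining) != messages[order[i]]:
                raise ValueError("server %d produced an invalid output" % s)
    # After the last server Y = 1, so every V_i is the bare plaintext.
    return [v for (_, v) in cts], order


def demo(seed=11, num_servers=3):
    """Returns (outputs are a permutation of inputs, outputs match the
    composed permutation) for one constructed run."""
    rng = random.Random(seed)
    msgs = [pow(G, k, P) for k in (5, 21, 77, 300, 601)]   # constructed plaintexts
    plaintexts, order = run_mixnet(msgs, num_servers, rng)
    return (sorted(plaintexts) == sorted(msgs),
            plaintexts == [msgs[i] for i in order])


if __name__ == "__main__":
    print(demo())   # (True, True)
```

The intermediate check is the invariant the per-server argument of Figure 5 is meant to enforce publicly: after server $s$, each $(U_i, V_i)$ is a fresh encryption of some input plaintext under the key of the servers still to come. Note that the final $U_i = g^{R}$ values are discarded; only the $V_i$ carry information once $Y = 1$.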
A couple of papers have already investigated this problem [19, 18], but their arguments are not SHVZK. Instead, they use a weaker security notion saying that an adversary does not learn anything about the permutation. We will suggest an argument that is SHVZK and at the same time is more efficient in terms of computation and communication, but has worse round-complexity. Neff [38] has independently of this work also investigated the combination of shuffle and decryption operations.

The argument is essentially the same as the SHVZK argument for correctness of a shuffle of ciphertexts; we have written out everything using the ElGamal notation in this section. The only difference from the shuffle argument is that we add some extras to also argue correctness of the partial decryption. We prove knowledge of the secret key $x_s$ and argue that it has been used to make the partial decryptions. For this purpose, the prover sends an initial message $D = g^{d_x}$ in the first round. Later, the prover will receive a challenge $e$ and respond with $f = e x_s + d_x$. We use the hidden $x_s$ in $f$

to ensure that $u_i^{x_s}$ is removed as intended from the output ciphertexts. The $e$-factor in $f$ and the $d_x$-part that is used to hide $x_s$ force us to add some extra elements to the protocol. The full argument can be seen in Figure 5.

The cryptosystem is ElGamal encryption over a group of prime order $Q$. We include in the common reference string a public key $CK$ for an additional homomorphic commitment scheme $\mathrm{COM}_{CK}$, which has $\mathbb{Z}_Q$ as message space. For notational convenience, we assume the randomizers for these commitments are chosen at random from $\mathbb{Z}_Q$. The commitment key $CK$ includes a generator $g$ for the group $G_Q$ of order $Q$ over which we do the ElGamal encryption. The ElGamal encryption key contains $y_s$ and $Y$ from $G_Q$.

Theorem 3. The protocol in Figure 5 is a 7-move public coin special honest verifier zero-knowledge argument for correctness of a shuffle and partial decryption of ElGamal ciphertexts with witness-extended emulation. If the commitment schemes are statistically hiding, then the entire argument is statistical SHVZK. If the commitment schemes are statistically binding, then the entire argument is an SHVZK proof.

Sketch of proof. Obviously, we have a 7-move public coin protocol. Completeness is straightforward to verify.

SPECIAL HONEST VERIFIER ZERO-KNOWLEDGE. To argue special honest verifier zero-knowledge we describe a simulator that runs without knowledge of $\pi, R_1, \ldots, R_n, x_s$ and also a hybrid simulator that does use knowledge of these secret values. The simulator gets the challenges $t_1, \ldots, t_n, \lambda, e$ as well as challenges for the argument of knowledge of a shuffle of known contents as input. It selects at random $f_1, \ldots, f_n \leftarrow \{0,1\}^{\ell_e + \ell_s}$, $Z, f, f_V, z_V \leftarrow \mathbb{Z}_Q$, $c, c_d \leftarrow \mathrm{com}_{ck}(0, \ldots, 0)$, $C_1 \leftarrow \mathrm{COM}_{CK}(0)$ and $V_d \leftarrow G_Q$. It computes $U_d = g^Z \prod_{i=1}^n u_i^{t_i} \prod_{i=1}^n U_i^{-f_i}$, $U = Y^{eZ} g^{f_V} \big(\prod_{i=1}^n u_i^{t_i}\big)^{f} \big(\prod_{i=1}^n v_i^{t_i} \prod_{i=1}^n V_i^{-f_i} V_d\big)^{e}$, $D = g^{f} y_s^{-e}$ and $C_2 = \mathrm{COM}_{CK}(f_V; z_V)\, C_1^{-e}$. It also simulates the argument of knowledge of shuffle of known contents.

The hybrid simulator also selects $f_1, \ldots, f_n \leftarrow \{0,1\}^{\ell_e + \ell_s}$ and $Z, f, f_V, z_V \leftarrow \mathbb{Z}_Q$. It computes $c \leftarrow \mathrm{com}_{ck}(\pi(1), \ldots, \pi(n))$, $d_i = f_i - t_{\pi(i)}$ and $c_d \leftarrow \mathrm{com}_{ck}(-d_1, \ldots, -d_n)$. It selects $r_V \leftarrow \mathbb{Z}_Q$ and $C_1 \leftarrow \mathrm{COM}_{CK}(r_V)$. It sets $V_d = Y^Z \big(\prod_{i=1}^n u_i^{t_i}\big)^{-x_s} \prod_{i=1}^n v_i^{t_i} \prod_{i=1}^n V_i^{-f_i} g^{r_V}$. As the simulator, it computes $U_d = g^Z \prod_{i=1}^n u_i^{t_i} \prod_{i=1}^n U_i^{-f_i}$, $U = Y^{eZ} g^{f_V} \big(\prod_{i=1}^n u_i^{t_i}\big)^{f} \big(\prod_{i=1}^n v_i^{t_i} \prod_{i=1}^n V_i^{-f_i} V_d\big)^{e}$, $D = g^{f} y_s^{-e}$ and $C_2 = \mathrm{COM}_{CK}(f_V; z_V)\, C_1^{-e}$, and simulates the argument of knowledge of shuffle of known contents.

Let us argue that simulated arguments and hybrid arguments are indistinguishable. In both distributions, $V_d$ is random. In the simulation it is random because $V_d$ is selected at random; in the hybrid argument it is random because of the $g^{r_V}$ factor. The only difference between the two types of arguments is the way we compute the commitments $c, c_d, C_1$. In the simulated argument we compute $c, c_d, C_1$ as commitments to 0, while in the hybrid argument we compute them as commitments to respectively $\pi(1), \ldots, \pi(n)$, $-d_1, \ldots, -d_n$ and $r_V$. The hiding properties of the two commitment schemes give us


PERRON FROBENIUS THEOREM

PERRON FROBENIUS THEOREM PERRON FROBENIUS THEOREM R. CLARK ROBINSON Defnton. A n n matrx M wth real entres m, s called a stochastc matrx provded () all the entres m satsfy 0 m, () each of the columns sum to one, m = for all, ()

More information

DEFINING %COMPLETE IN MICROSOFT PROJECT

DEFINING %COMPLETE IN MICROSOFT PROJECT CelersSystems DEFINING %COMPLETE IN MICROSOFT PROJECT PREPARED BY James E Aksel, PMP, PMI-SP, MVP For Addtonal Informaton about Earned Value Management Systems and reportng, please contact: CelersSystems,

More information

The Greedy Method. Introduction. 0/1 Knapsack Problem

The Greedy Method. Introduction. 0/1 Knapsack Problem The Greedy Method Introducton We have completed data structures. We now are gong to look at algorthm desgn methods. Often we are lookng at optmzaton problems whose performance s exponental. For an optmzaton

More information

AN EFFICIENT GROUP AUTHENTICATION FOR GROUP COMMUNICATIONS

AN EFFICIENT GROUP AUTHENTICATION FOR GROUP COMMUNICATIONS Internatonal Journal of Network Securty & Its Applcatons (IJNSA), Vol.5, No.3, May 2013 AN EFFICIENT GROUP AUTHENTICATION FOR GROUP COMMUNICATIONS Len Harn 1 and Changlu Ln 2 1 Department of Computer Scence

More information

Minimal Coding Network With Combinatorial Structure For Instantaneous Recovery From Edge Failures

Minimal Coding Network With Combinatorial Structure For Instantaneous Recovery From Edge Failures Mnmal Codng Network Wth Combnatoral Structure For Instantaneous Recovery From Edge Falures Ashly Joseph 1, Mr.M.Sadsh Sendl 2, Dr.S.Karthk 3 1 Fnal Year ME CSE Student Department of Computer Scence Engneerng

More information

1. Fundamentals of probability theory 2. Emergence of communication traffic 3. Stochastic & Markovian Processes (SP & MP)

1. Fundamentals of probability theory 2. Emergence of communication traffic 3. Stochastic & Markovian Processes (SP & MP) 6.3 / -- Communcaton Networks II (Görg) SS20 -- www.comnets.un-bremen.de Communcaton Networks II Contents. Fundamentals of probablty theory 2. Emergence of communcaton traffc 3. Stochastc & Markovan Processes

More information

Fully Homomorphic Encryption Scheme with Symmetric Keys

Fully Homomorphic Encryption Scheme with Symmetric Keys Fully Homomorphc Encrypton Scheme wth Symmetrc Keys A Dssertaton submtted n partal fulfllment for the award of the Degree of Master of Technology n Department of Computer Scence & Engneerng (wth specalzaton

More information

Riposte: An Anonymous Messaging System Handling Millions of Users

Riposte: An Anonymous Messaging System Handling Millions of Users Rposte: An Anonymous Messagng System Handlng Mllons of Users Henry Corrgan-Gbbs, Dan Boneh, and Davd Mazères Stanford Unversty Abstract Ths paper presents Rposte, a new system for anonymous broadcast messagng.

More information

Support Vector Machines

Support Vector Machines Support Vector Machnes Max Wellng Department of Computer Scence Unversty of Toronto 10 Kng s College Road Toronto, M5S 3G5 Canada wellng@cs.toronto.edu Abstract Ths s a note to explan support vector machnes.

More information

A Novel Multi-factor Authenticated Key Exchange Scheme With Privacy Preserving

A Novel Multi-factor Authenticated Key Exchange Scheme With Privacy Preserving A Novel Mult-factor Authentcated Key Exchange Scheme Wth Prvacy Preservng Dexn Yang Guangzhou Cty Polytechnc Guangzhou, Chna, 510405 yangdexn@21cn.com Bo Yang South Chna Agrcultural Unversty Guangzhou,

More information

A hybrid global optimization algorithm based on parallel chaos optimization and outlook algorithm

A hybrid global optimization algorithm based on parallel chaos optimization and outlook algorithm Avalable onlne www.ocpr.com Journal of Chemcal and Pharmaceutcal Research, 2014, 6(7):1884-1889 Research Artcle ISSN : 0975-7384 CODEN(USA) : JCPRC5 A hybrd global optmzaton algorthm based on parallel

More information

Design, Development, and Use of Secure Electronic Voting Systems

Design, Development, and Use of Secure Electronic Voting Systems Desgn, Development, and Use of Secure Electronc Votng Systems Dmtros Zsss Unversty of Aegean, Greece Dmtros Lekkas Unversty of Aegean, Greece A volume n the Advances n Electronc Government, Dgtal Dvde,

More information

Computing Arbitrary Functions of Encrypted Data March 2010 Communications of the ACM

Computing Arbitrary Functions of Encrypted Data March 2010 Communications of the ACM Home» Magazne Archve» 2010» No. 3» Computng Arbtrary Functons of Encrypted Data» Full Text RESEARCH HIGHLIGHTS Computng Arbtrary Functons of Encrypted Data Crag Gentry Communcatons of the ACM Vol. 53 No.

More information

Mean Molecular Weight

Mean Molecular Weight Mean Molecular Weght The thermodynamc relatons between P, ρ, and T, as well as the calculaton of stellar opacty requres knowledge of the system s mean molecular weght defned as the mass per unt mole of

More information

Brigid Mullany, Ph.D University of North Carolina, Charlotte

Brigid Mullany, Ph.D University of North Carolina, Charlotte Evaluaton And Comparson Of The Dfferent Standards Used To Defne The Postonal Accuracy And Repeatablty Of Numercally Controlled Machnng Center Axes Brgd Mullany, Ph.D Unversty of North Carolna, Charlotte

More information

Tools for Privacy Preserving Distributed Data Mining

Tools for Privacy Preserving Distributed Data Mining Tools for Prvacy Preservng Dstrbuted Data Mnng hrs lfton, Murat Kantarcoglu, Jadeep Vadya Purdue Unversty Department of omputer Scences 250 N Unversty St West Lafayette, IN 47907-2066 USA (clfton, kanmurat,

More information

Joint Scheduling of Processing and Shuffle Phases in MapReduce Systems

Joint Scheduling of Processing and Shuffle Phases in MapReduce Systems Jont Schedulng of Processng and Shuffle Phases n MapReduce Systems Fangfe Chen, Mural Kodalam, T. V. Lakshman Department of Computer Scence and Engneerng, The Penn State Unversty Bell Laboratores, Alcatel-Lucent

More information

Feature selection for intrusion detection. Slobodan Petrović NISlab, Gjøvik University College

Feature selection for intrusion detection. Slobodan Petrović NISlab, Gjøvik University College Feature selecton for ntruson detecton Slobodan Petrovć NISlab, Gjøvk Unversty College Contents The feature selecton problem Intruson detecton Traffc features relevant for IDS The CFS measure The mrmr measure

More information

Efficient Project Portfolio as a tool for Enterprise Risk Management

Efficient Project Portfolio as a tool for Enterprise Risk Management Effcent Proect Portfolo as a tool for Enterprse Rsk Management Valentn O. Nkonov Ural State Techncal Unversty Growth Traectory Consultng Company January 5, 27 Effcent Proect Portfolo as a tool for Enterprse

More information

A Cryptographic Key Assignment Scheme for Access Control in Poset Ordered Hierarchies with Enhanced Security

A Cryptographic Key Assignment Scheme for Access Control in Poset Ordered Hierarchies with Enhanced Security Internatonal Journal of Network Securty, Vol.7, No., PP.3 34, Sept. 8 3 A ryptographc Key Assgnment Scheme for Access ontrol n Poset Ordered Herarches wth Enhanced Securty Debass Gr and P. D. Srvastava

More information

CHOLESTEROL REFERENCE METHOD LABORATORY NETWORK. Sample Stability Protocol

CHOLESTEROL REFERENCE METHOD LABORATORY NETWORK. Sample Stability Protocol CHOLESTEROL REFERENCE METHOD LABORATORY NETWORK Sample Stablty Protocol Background The Cholesterol Reference Method Laboratory Network (CRMLN) developed certfcaton protocols for total cholesterol, HDL

More information

where the coordinates are related to those in the old frame as follows.

where the coordinates are related to those in the old frame as follows. Chapter 2 - Cartesan Vectors and Tensors: Ther Algebra Defnton of a vector Examples of vectors Scalar multplcaton Addton of vectors coplanar vectors Unt vectors A bass of non-coplanar vectors Scalar product

More information

The Development of Web Log Mining Based on Improve-K-Means Clustering Analysis

The Development of Web Log Mining Based on Improve-K-Means Clustering Analysis The Development of Web Log Mnng Based on Improve-K-Means Clusterng Analyss TngZhong Wang * College of Informaton Technology, Luoyang Normal Unversty, Luoyang, 471022, Chna wangtngzhong2@sna.cn Abstract.

More information

THE METHOD OF LEAST SQUARES THE METHOD OF LEAST SQUARES

THE METHOD OF LEAST SQUARES THE METHOD OF LEAST SQUARES The goal: to measure (determne) an unknown quantty x (the value of a RV X) Realsaton: n results: y 1, y 2,..., y j,..., y n, (the measured values of Y 1, Y 2,..., Y j,..., Y n ) every result s encumbered

More information

Implementation of Deutsch's Algorithm Using Mathcad

Implementation of Deutsch's Algorithm Using Mathcad Implementaton of Deutsch's Algorthm Usng Mathcad Frank Roux The followng s a Mathcad mplementaton of Davd Deutsch's quantum computer prototype as presented on pages - n "Machnes, Logc and Quantum Physcs"

More information

Multiplication Algorithms for Radix-2 RN-Codings and Two s Complement Numbers

Multiplication Algorithms for Radix-2 RN-Codings and Two s Complement Numbers Multplcaton Algorthms for Radx- RN-Codngs and Two s Complement Numbers Jean-Luc Beuchat Projet Arénare, LIP, ENS Lyon 46, Allée d Itale F 69364 Lyon Cedex 07 jean-luc.beuchat@ens-lyon.fr Jean-Mchel Muller

More information

How Sets of Coherent Probabilities May Serve as Models for Degrees of Incoherence

How Sets of Coherent Probabilities May Serve as Models for Degrees of Incoherence 1 st Internatonal Symposum on Imprecse Probabltes and Ther Applcatons, Ghent, Belgum, 29 June 2 July 1999 How Sets of Coherent Probabltes May Serve as Models for Degrees of Incoherence Mar J. Schervsh

More information

Provably Secure Single Sign-on Scheme in Distributed Systems and Networks

Provably Secure Single Sign-on Scheme in Distributed Systems and Networks 0 IEEE th Internatonal Conference on Trust, Securty and Prvacy n Computng and Communcatons Provably Secure Sngle Sgn-on Scheme n Dstrbuted Systems and Networks Jangshan Yu, Guln Wang, and Y Mu Center for

More information

How To Calculate The Accountng Perod Of Nequalty

How To Calculate The Accountng Perod Of Nequalty Inequalty and The Accountng Perod Quentn Wodon and Shlomo Ytzha World Ban and Hebrew Unversty September Abstract Income nequalty typcally declnes wth the length of tme taen nto account for measurement.

More information

HÜCKEL MOLECULAR ORBITAL THEORY

HÜCKEL MOLECULAR ORBITAL THEORY 1 HÜCKEL MOLECULAR ORBITAL THEORY In general, the vast maorty polyatomc molecules can be thought of as consstng of a collecton of two electron bonds between pars of atoms. So the qualtatve pcture of σ

More information

NON-CONSTANT SUM RED-AND-BLACK GAMES WITH BET-DEPENDENT WIN PROBABILITY FUNCTION LAURA PONTIGGIA, University of the Sciences in Philadelphia

NON-CONSTANT SUM RED-AND-BLACK GAMES WITH BET-DEPENDENT WIN PROBABILITY FUNCTION LAURA PONTIGGIA, University of the Sciences in Philadelphia To appear n Journal o Appled Probablty June 2007 O-COSTAT SUM RED-AD-BLACK GAMES WITH BET-DEPEDET WI PROBABILITY FUCTIO LAURA POTIGGIA, Unversty o the Scences n Phladelpha Abstract In ths paper we nvestgate

More information

An RFID Distance Bounding Protocol

An RFID Distance Bounding Protocol An RFID Dstance Boundng Protocol Gerhard P. Hancke and Markus G. Kuhn May 22, 2006 An RFID Dstance Boundng Protocol p. 1 Dstance boundng Verfer d Prover Places an upper bound on physcal dstance Does not

More information

Secure Cloud Storage Service with An Efficient DOKS Protocol

Secure Cloud Storage Service with An Efficient DOKS Protocol Secure Cloud Storage Servce wth An Effcent DOKS Protocol ZhengTao Jang Councaton Unversty of Chna z.t.ang@163.co Abstract Storage servces based on publc clouds provde custoers wth elastc storage and on-deand

More information

Optimal Distributed Password Verification

Optimal Distributed Password Verification Optmal Dstrbuted Password Verfcaton Jan Camensch IBM Research Zurch jca@zurch.bm.com Anja Lehmann IBM Research Zurch anj@zurch.bm.com Gregory Neven IBM Research Zurch nev@zurch.bm.com ABSTRACT We present

More information

Study on Model of Risks Assessment of Standard Operation in Rural Power Network

Study on Model of Risks Assessment of Standard Operation in Rural Power Network Study on Model of Rsks Assessment of Standard Operaton n Rural Power Network Qngj L 1, Tao Yang 2 1 Qngj L, College of Informaton and Electrcal Engneerng, Shenyang Agrculture Unversty, Shenyang 110866,

More information

BERNSTEIN POLYNOMIALS

BERNSTEIN POLYNOMIALS On-Lne Geometrc Modelng Notes BERNSTEIN POLYNOMIALS Kenneth I. Joy Vsualzaton and Graphcs Research Group Department of Computer Scence Unversty of Calforna, Davs Overvew Polynomals are ncredbly useful

More information

Efficient Dynamic Integrity Verification for Big Data Supporting Users Revocability

Efficient Dynamic Integrity Verification for Big Data Supporting Users Revocability nformaton Artcle Effcent Dynamc Integrty Verfcaton for Bg Data Supportng Users Revocablty Xnpeng Zhang 1,2, *, Chunxang Xu 1, Xaojun Zhang 1, Tazong Gu 2, Zh Geng 2 and Guopng Lu 2 1 School of Computer

More information

VRT012 User s guide V0.1. Address: Žirmūnų g. 27, Vilnius LT-09105, Phone: (370-5) 2127472, Fax: (370-5) 276 1380, Email: info@teltonika.

VRT012 User s guide V0.1. Address: Žirmūnų g. 27, Vilnius LT-09105, Phone: (370-5) 2127472, Fax: (370-5) 276 1380, Email: info@teltonika. VRT012 User s gude V0.1 Thank you for purchasng our product. We hope ths user-frendly devce wll be helpful n realsng your deas and brngng comfort to your lfe. Please take few mnutes to read ths manual

More information

) of the Cell class is created containing information about events associated with the cell. Events are added to the Cell instance

) of the Cell class is created containing information about events associated with the cell. Events are added to the Cell instance Calbraton Method Instances of the Cell class (one nstance for each FMS cell) contan ADC raw data and methods assocated wth each partcular FMS cell. The calbraton method ncludes event selecton (Class Cell

More information

Section 5.4 Annuities, Present Value, and Amortization

Section 5.4 Annuities, Present Value, and Amortization Secton 5.4 Annutes, Present Value, and Amortzaton Present Value In Secton 5.2, we saw that the present value of A dollars at nterest rate per perod for n perods s the amount that must be deposted today

More information

Vasicek s Model of Distribution of Losses in a Large, Homogeneous Portfolio

Vasicek s Model of Distribution of Losses in a Large, Homogeneous Portfolio Vascek s Model of Dstrbuton of Losses n a Large, Homogeneous Portfolo Stephen M Schaefer London Busness School Credt Rsk Electve Summer 2012 Vascek s Model Important method for calculatng dstrbuton of

More information

Project Networks With Mixed-Time Constraints

Project Networks With Mixed-Time Constraints Project Networs Wth Mxed-Tme Constrants L Caccetta and B Wattananon Western Australan Centre of Excellence n Industral Optmsaton (WACEIO) Curtn Unversty of Technology GPO Box U1987 Perth Western Australa

More information

Evaluating credit risk models: A critique and a new proposal

Evaluating credit risk models: A critique and a new proposal Evaluatng credt rsk models: A crtque and a new proposal Hergen Frerchs* Gunter Löffler Unversty of Frankfurt (Man) February 14, 2001 Abstract Evaluatng the qualty of credt portfolo rsk models s an mportant

More information

Nordea G10 Alpha Carry Index

Nordea G10 Alpha Carry Index Nordea G10 Alpha Carry Index Index Rules v1.1 Verson as of 10/10/2013 1 (6) Page 1 Index Descrpton The G10 Alpha Carry Index, the Index, follows the development of a rule based strategy whch nvests and

More information

Product-Form Stationary Distributions for Deficiency Zero Chemical Reaction Networks

Product-Form Stationary Distributions for Deficiency Zero Chemical Reaction Networks Bulletn of Mathematcal Bology (21 DOI 1.17/s11538-1-9517-4 ORIGINAL ARTICLE Product-Form Statonary Dstrbutons for Defcency Zero Chemcal Reacton Networks Davd F. Anderson, Gheorghe Cracun, Thomas G. Kurtz

More information

Social Nfluence and Its Models

Social Nfluence and Its Models Influence and Correlaton n Socal Networks Ars Anagnostopoulos Rav Kumar Mohammad Mahdan Yahoo! Research 701 Frst Ave. Sunnyvale, CA 94089. {ars,ravkumar,mahdan}@yahoo-nc.com ABSTRACT In many onlne socal

More information

Calculation of Sampling Weights

Calculation of Sampling Weights Perre Foy Statstcs Canada 4 Calculaton of Samplng Weghts 4.1 OVERVIEW The basc sample desgn used n TIMSS Populatons 1 and 2 was a two-stage stratfed cluster desgn. 1 The frst stage conssted of a sample

More information

A Performance Analysis of View Maintenance Techniques for Data Warehouses

A Performance Analysis of View Maintenance Techniques for Data Warehouses A Performance Analyss of Vew Mantenance Technques for Data Warehouses Xng Wang Dell Computer Corporaton Round Roc, Texas Le Gruenwald The nversty of Olahoma School of Computer Scence orman, OK 739 Guangtao

More information

Fast Variants of RSA

Fast Variants of RSA Fast Varants of RSA Dan Boneh dabo@cs.stanford.edu Hovav Shacham hovav@cs.stanford.edu Abstract We survey three varants of RSA desgned to speed up RSA decrypton. These varants are backwards compatble n

More information

NPAR TESTS. One-Sample Chi-Square Test. Cell Specification. Observed Frequencies 1O i 6. Expected Frequencies 1EXP i 6

NPAR TESTS. One-Sample Chi-Square Test. Cell Specification. Observed Frequencies 1O i 6. Expected Frequencies 1EXP i 6 PAR TESTS If a WEIGHT varable s specfed, t s used to replcate a case as many tmes as ndcated by the weght value rounded to the nearest nteger. If the workspace requrements are exceeded and samplng has

More information

Answer: A). There is a flatter IS curve in the high MPC economy. Original LM LM after increase in M. IS curve for low MPC economy

Answer: A). There is a flatter IS curve in the high MPC economy. Original LM LM after increase in M. IS curve for low MPC economy 4.02 Quz Solutons Fall 2004 Multple-Choce Questons (30/00 ponts) Please, crcle the correct answer for each of the followng 0 multple-choce questons. For each queston, only one of the answers s correct.

More information

1. Measuring association using correlation and regression

1. Measuring association using correlation and regression How to measure assocaton I: Correlaton. 1. Measurng assocaton usng correlaton and regresson We often would lke to know how one varable, such as a mother's weght, s related to another varable, such as a

More information

Usage of LCG/CLCG numbers for electronic gambling applications

Usage of LCG/CLCG numbers for electronic gambling applications Usage of LCG/CLCG numbers for electronc gamblng applcatons Anders Knutsson Smovts Consultng, Wenner-Gren Center, Sveavägen 166, 113 46 Stockholm, Sweden anders.knutsson@smovts.com Abstract. Several attacks

More information

Addendum to: Importing Skill-Biased Technology

Addendum to: Importing Skill-Biased Technology Addendum to: Importng Skll-Based Technology Arel Bursten UCLA and NBER Javer Cravno UCLA August 202 Jonathan Vogel Columba and NBER Abstract Ths Addendum derves the results dscussed n secton 3.3 of our

More information

Quantization Effects in Digital Filters

Quantization Effects in Digital Filters Quantzaton Effects n Dgtal Flters Dstrbuton of Truncaton Errors In two's complement representaton an exact number would have nfntely many bts (n general). When we lmt the number of bts to some fnte value

More information

Fuzzy Keyword Search over Encrypted Data in Cloud Computing

Fuzzy Keyword Search over Encrypted Data in Cloud Computing Fuzzy Keyword Search over Encrypted Data n Cloud Computng Jn L,QanWang, Cong Wang,NngCao,KuRen, and Wenjng Lou Department of ECE, Illnos Insttute of Technology Department of ECE, Worcester Polytechnc Insttute

More information

The University of Texas at Austin. Austin, Texas 78712. December 1987. Abstract. programs in which operations of dierent processes mayoverlap.

The University of Texas at Austin. Austin, Texas 78712. December 1987. Abstract. programs in which operations of dierent processes mayoverlap. Atomc Semantcs of Nonatomc Programs James H. Anderson Mohamed G. Gouda Department of Computer Scences The Unversty of Texas at Austn Austn, Texas 78712 December 1987 Abstract We argue that t s possble,

More information

Relay Secrecy in Wireless Networks with Eavesdropper

Relay Secrecy in Wireless Networks with Eavesdropper Relay Secrecy n Wreless Networks wth Eavesdropper Parvathnathan Venktasubramanam, Tng He and Lang Tong School of Electrcal and Computer Engneerng Cornell Unversty, Ithaca, NY 14853 Emal : {pv45, th255,

More information

An Analysis of Central Processor Scheduling in Multiprogrammed Computer Systems

An Analysis of Central Processor Scheduling in Multiprogrammed Computer Systems STAN-CS-73-355 I SU-SE-73-013 An Analyss of Central Processor Schedulng n Multprogrammed Computer Systems (Dgest Edton) by Thomas G. Prce October 1972 Techncal Report No. 57 Reproducton n whole or n part

More information

Statistical Methods to Develop Rating Models

Statistical Methods to Develop Rating Models Statstcal Methods to Develop Ratng Models [Evelyn Hayden and Danel Porath, Österrechsche Natonalbank and Unversty of Appled Scences at Manz] Source: The Basel II Rsk Parameters Estmaton, Valdaton, and

More information

Ad-Hoc Games and Packet Forwardng Networks

Ad-Hoc Games and Packet Forwardng Networks On Desgnng Incentve-Compatble Routng and Forwardng Protocols n Wreless Ad-Hoc Networks An Integrated Approach Usng Game Theoretcal and Cryptographc Technques Sheng Zhong L (Erran) L Yanbn Grace Lu Yang

More information

J. Parallel Distrib. Comput.

J. Parallel Distrib. Comput. J. Parallel Dstrb. Comput. 71 (2011) 62 76 Contents lsts avalable at ScenceDrect J. Parallel Dstrb. Comput. journal homepage: www.elsever.com/locate/jpdc Optmzng server placement n dstrbuted systems n

More information