A Verifiable Secret Shuffle of Homomorphic Encryptions
Jens Groth*
Department of Computer Science, UCLA
3531A Boelter Hall
Los Angeles, CA, USA
[email protected]

Abstract. A shuffle consists of a permutation and re-encryption of a set of input ciphertexts. One application of shuffles is to build mix-nets. We suggest an honest verifier zero-knowledge argument for the correctness of a shuffle of homomorphic encryptions. Our scheme is more efficient than previous schemes both in terms of communication and computation. The honest verifier zero-knowledge argument has a size that is independent of the actual cryptosystem being used and will typically be smaller than the size of the shuffle itself. Moreover, our scheme is well suited for the use of multi-exponentiation and batch-verification techniques. Additionally, we suggest a more efficient honest verifier zero-knowledge argument for a commitment containing a permutation of a set of publicly known messages. We also suggest an honest verifier zero-knowledge argument for the correctness of a combined shuffle-and-decrypt operation that can be used in connection with decrypting mix-nets based on ElGamal encryption. All our honest verifier zero-knowledge arguments can be turned into honest verifier zero-knowledge proofs. We use homomorphic commitments as an essential part of our schemes. When the commitment scheme is statistically hiding we obtain statistical honest verifier zero-knowledge arguments; when the commitment scheme is statistically binding we obtain computational honest verifier zero-knowledge proofs.

Keywords: Shuffle, honest verifier zero-knowledge argument, homomorphic encryption, mix-net.

1 Introduction

SHUFFLE. A shuffle of ciphertexts $e_1, \ldots, e_n$ is a new set of ciphertexts $E_1, \ldots, E_n$ with the same plaintexts in permuted order. We will consider homomorphic public-key cryptosystems in this paper. Informally¹, we have for public key $pk$, messages $m_1, m_2$ and randomizers $r_1, r_2$ that the encryption function satisfies $E_{pk}(m_1 m_2; r_1 + r_2) = E_{pk}(m_1; r_1) E_{pk}(m_2; r_2)$.
* Part of the work done while at BRICS, University of Aarhus and Cryptomathic.
¹ See Section 2.2 for a formal definition of homomorphic encryption as well as a description of a few more required properties.
If the cryptosystem is homomorphic we may shuffle $e_1, \ldots, e_n$ by selecting a permutation $\pi \in \Sigma_n$ and randomizers $R_1, \ldots, R_n$ and setting $E_1 = e_{\pi(1)} E_{pk}(1; R_1), \ldots, E_n = e_{\pi(n)} E_{pk}(1; R_n)$. If the cryptosystem is semantically secure, publishing $E_1, \ldots, E_n$ reveals nothing about the permutation. On the other hand, this also means that nobody else can verify directly whether the shuffle is correct or incorrect. It could for instance be the case that some ciphertexts had been substituted for other ciphertexts. Our goal is to construct efficient honest verifier zero-knowledge (HVZK) arguments for the correctness of a shuffle. These arguments will make it possible to verify that a shuffle is correct (soundness) but will not reveal the permutation or the randomizers used in the re-encryption step (honest verifier zero-knowledge).

APPLICATIONS. Shuffling is the key building block in most mix-nets. A mix-net [8] is a multi-party protocol run by a group of mix-servers to shuffle elements so that nobody knows the permutation linking the input and output. To mix ciphertexts we may let the mix-servers one after another make a shuffle with a randomly chosen permutation. If at least one mix-server is honest and chooses a random permutation, it is impossible to link the input and output. In this role, shuffling constitutes an important building block in anonymization protocols and voting schemes. In a mix-net it is problematic if a mix-server does not shuffle correctly. In a voting scheme it would for instance be disastrous if a mix-server could substitute some input votes for other votes of its own choosing. HVZK arguments for correctness of a shuffle are therefore useful to ensure that mix-servers follow the protocol. Each mix-server can after making a shuffle prove to the other mix-servers or any independent verifiers that the shuffle is correct. The soundness of the HVZK argument guarantees that the shuffle is correct.
The honest verifier zero-knowledge property ensures that the HVZK argument does not leak the permutation, the randomizers or any other information pertaining to the shuffle. Shuffle arguments have also found use as sub-protocols in more complex protocols or zero-knowledge arguments [32, 26, 7].

RELATED WORK. Chaum invented mix-nets in [8]. While his mix-net was based on shuffling, he did not suggest any method to guarantee correctness of the shuffles. Subsequent papers on mix-nets [6, 49, 28, 22, 31, 15, 29, 43, 30, 47] have tried in many ways to guarantee correctness of a shuffle, most of which have been partially or fully broken [3, 39, 54, 50]. Remaining are suggestions [15, 49, 28, 53], which have various drawbacks. Desmedt and Kurosawa [15] require that at most a small fraction of the mix-servers is corrupt. Peng et al. [49] require that a fraction of the senders producing the input to the mix-net is honest and restrict the class of possible permutations. Jakobsson, Juels and Rivest [28] allow mix-servers to compromise the privacy of a few senders and/or modify a few messages although they risk being caught. The mix-net by Wikström [53] is less efficient than what one can build using the shuffle arguments in the present paper. Mix-nets based on shuffling and zero-knowledge arguments of correctness of a shuffle do not have these drawbacks. Several papers have suggested zero-knowledge arguments for correctness of a shuffle, usually shuffling ElGamal ciphertexts [16]. Sako and Kilian [51] use cut-and-choose
methods and is thus not very efficient. Abe [1] (corrected by Abe and Hoshino [2]) uses permutation networks and obtains reasonable efficiency. Currently there are two main paradigms that yield practical HVZK arguments for correctness of a shuffle. Furukawa and Sako [20] suggest a paradigm based on permutation matrices in the common reference string model. In this type of construction, we make a commitment to a permutation matrix, argue that we have committed to a permutation matrix and argue that the ciphertexts have been shuffled according to this permutation. It turns out that their protocol is not honest verifier zero-knowledge [19], but it does hide the permutation [41]. Furukawa [18] develops the permutation matrix idea further and obtains a practical HVZK argument for correctness of a shuffle. A couple of other works [41, 45] also use the permutation matrix idea to obtain HVZK arguments for correctness of a shuffle of Paillier ciphertexts [46]. Following this paradigm we also have Furukawa et al. [19, 18] suggesting arguments for correctness of a combined shuffle-and-decrypt operation, an operation that is used in some decrypting mix-nets. The other paradigm for verifying correctness of shuffles is due to Neff [36] and is based on polynomials being identical under permutation of their roots. Subsequent versions of that work [37, 38] correct some flaws and at the same time obtain higher efficiency. Unlike the Furukawa-Sako paradigm based arguments, Neff obtains an HVZK proof, i.e., soundness is unconditional but the zero-knowledge property is computational. Further, Neff's proof does not require a common reference string; although it does rely on the cryptosystem being generated such that the decision Diffie-Hellman (DDH) assumption holds.

OUR CONTRIBUTION. We suggest a 7-move public coin HVZK argument for the correctness of a shuffle of homomorphic encryptions. We follow the Neff paradigm, basing the shuffle on invariance of polynomials under permutation of their roots.
Our HVZK argument has a common reference string, which contains a public key for a homomorphic commitment scheme. If instantiated with a statistically hiding commitment we obtain a statistical HVZK argument for correctness of a shuffle, where soundness holds computationally. On the other hand, if instantiated with a statistically binding commitment scheme we obtain an HVZK proof of correctness of a shuffle with unconditional soundness but computational honest verifier zero-knowledge. The resulting HVZK argument is the most efficient HVZK argument for correctness of a shuffle that we know of both in terms of computation and communication. The scheme is well suited for multi-exponentiation techniques as well as randomized batch-verification giving us even higher efficiency. Unlike the permutation-matrix based approach, it is possible to work with a short public key for the commitment scheme, whereas key generation can be a significant cost in the permutation matrix paradigm. The only disadvantage of our scheme is the round-complexity. We use 7 rounds and the Furukawa-Sako paradigm can be used to obtain 3 round HVZK arguments for correctness of a shuffle. Improving on the early version of the paper [23] we enable shuffling of most known homomorphic cryptosystems. The size of the argument is almost independent of the cryptosystem that is being shuffled. Furthermore, the commitment scheme we use does not have to be based on a group of the same order as the cryptosystem.
In Section 7, we give a more detailed comparison of our scheme and the other efficient HVZK arguments for correctness of a shuffle suggested in the literature.

As a building block, we use a shuffle of known contents and a corresponding argument of correctness of a shuffle of known contents. That is, given public messages $m_1, \ldots, m_n$, we can form a commitment to a permutation of these messages $c \leftarrow com_{ck}(m_{\pi(1)}, \ldots, m_{\pi(n)})$. We present an argument of knowledge for $c$ containing a permutation of these messages. This has independent interest; for instance [26] uses an argument of correctness of a shuffle of known contents, where it is not necessary to use a full-blown argument of correctness of a shuffle.

We also show how to modify our scheme into an HVZK argument of correctness of a shuffle-and-decrypt operation. This operation can be useful in decrypting mix-nets, where it can save computational effort to combine the shuffle and decryption operations instead of performing each one of them by itself. Furukawa et al. [19, 18] already suggest arguments for the correctness of a shuffle-and-decrypt operation; however, while their arguments hide the permutation they are not HVZK. We obtain a more efficient argument that at the same time is HVZK.

2 Preliminaries

In this section, we define the three key concepts of this paper. We define homomorphic cryptosystems, since we will be shuffling homomorphic ciphertexts. We define homomorphic commitments, since they constitute an important building block in our schemes. Finally, we define honest verifier zero-knowledge (HVZK) arguments, since this paper is about HVZK arguments for the correctness of a shuffle.

2.1 Notation

All algorithms in protocols in this paper are envisioned as interactive probabilistic polynomial time uniform Turing machines. Adversaries are modeled as interactive non-uniform polynomial time or unbounded Turing machines. The different parties and algorithms get a security parameter $\kappa$ as input; sometimes we omit writing this security parameter explicitly.
For an algorithm $A$, we write $y \leftarrow A(x)$ for the process of selecting randomness $r$ and making the assignment $y = A(x; r)$. A function $\nu : \mathbb{N} \to [0; 1]$ is negligible if for all constants $\delta > 0$ we have for all sufficiently large $\kappa$ that $\nu(\kappa) < \kappa^{-\delta}$. For two functions $f_1, f_2$ we write $f_1 \approx f_2$ if $|f_1 - f_2|$ is negligible. We define security in terms of probabilities that become negligible as functions of a security parameter $\kappa$.

2.2 Homomorphic Encryption

We use a probabilistic polynomial time key generation algorithm to generate a public key and a secret key. The public key belongs to a key space $K_{enc}$ and specifies a message space $M_{pk}$, a randomizer space $R_{pk}$ and a ciphertext space $C_{pk}$. It also specifies an efficiently computable encryption algorithm $E : M_{pk} \times R_{pk} \to C_{pk}$. The secret key specifies an efficiently computable decryption algorithm $D : C_{pk} \to M_{pk} \cup \{\mathrm{invalid}\}$.
We require that the cryptosystem has perfect decryption: $\forall (pk, m, r) \in K_{enc} \times M_{pk} \times R_{pk} : D_{sk}(E_{pk}(m; r)) = m$.

We require the message, randomizer and ciphertext spaces to be finite abelian groups $(M_{pk}, \cdot, 1)$, $(R_{pk}, +, 0)$ and $(C_{pk}, \cdot, 1)$, where it is easy to compute group operations and decide membership. The encryption function must be homomorphic: $\forall pk \in K_{enc}\ \forall (m_0, r_0), (m_1, r_1) \in M_{pk} \times R_{pk} : E_{pk}(m_0 m_1; r_0 + r_1) = E_{pk}(m_0; r_0) E_{pk}(m_1; r_1)$.

In this paper, we also demand that the order of the message space is divisible only by large prime factors. More precisely, it must be the case that $|M_{pk}|$ has no prime factors smaller than $2^{l_e}$, where $l_e$ is a security parameter specified in Section 2.6.

We need a root extraction property, which says that if a ciphertext raised to a non-trivial exponent encrypts 1, then the ciphertext itself encrypts 1. More precisely, we assume there is a root extraction algorithm RootExt that given $pk \in K_{enc}$, $R \in R_{pk}$, $E \in C_{pk}$, $e \in \mathbb{Z}$ so $\gcd(e, |M_{pk}|) = 1$ and $E^e = E_{pk}(1; R)$ outputs $r \in R_{pk}$ so $E = E_{pk}(1; r)$. This property suffices for proving soundness; however, for proving witness-extended emulation, we further require that the root extraction algorithm runs in polynomial time.

Various cryptosystems [46, 13, 14, 44, 16, 10, 42] have the properties mentioned in this section or can be tweaked into cryptosystems with these properties. In particular, Paillier encryption [46] and ElGamal encryption [16] have the properties mentioned above and have polynomial time root extraction.

2.3 Homomorphic Commitment

We use a probabilistic polynomial time key generation algorithm to generate a public commitment key $ck$ belonging to a key space $K_{com}$. The commitment key specifies a message space $M_{ck}$, a randomizer space $R_{ck}$ and a commitment space $C_{ck}$ as well as an efficiently computable commitment function $com_{ck} : M_{ck} \times R_{ck} \to C_{ck}$. There is also a probability distribution on $R_{ck}$ and we write $c \leftarrow com_{ck}(m)$ for the operation $r \leftarrow R_{ck}; c = com_{ck}(m; r)$. We say the commitment scheme is hiding if a commitment does not reveal which message is inside.
We define this by demanding that for all non-uniform polynomial time adversaries $A$ we have
$$\Pr\big[ck \leftarrow K_{com}(1^\kappa); (m_0, m_1) \leftarrow A(ck); c \leftarrow com_{ck}(m_0) : m_0, m_1 \in M_{ck} \text{ and } A(c) = 1\big]$$
$$\approx \Pr\big[ck \leftarrow K_{com}(1^\kappa); (m_0, m_1) \leftarrow A(ck); c \leftarrow com_{ck}(m_1) : m_0, m_1 \in M_{ck} \text{ and } A(c) = 1\big].$$
If this also holds for unbounded $A$, we call the commitment statistically hiding.

We say the commitment scheme is binding if a commitment can be opened in one way only. For all non-uniform polynomial time adversaries $A$ we have
$$\Pr\big[ck \leftarrow K_{com}(1^\kappa); (m_0, r_0, m_1, r_1) \leftarrow A(ck) : (m_0, r_0), (m_1, r_1) \in M_{ck} \times R_{ck},\ m_0 \neq m_1 \text{ and } com_{ck}(m_0; r_0) = com_{ck}(m_1; r_1)\big] \approx 0.$$
If this also holds for unbounded $A$, we call the commitment statistically binding.

We will use commitment schemes where the message, randomizer and commitment spaces are abelian groups $(M_{ck}, +, 0)$, $(R_{ck}, +, 0)$, $(C_{ck}, \cdot, 1)$. We require that we can efficiently compute group operations and decide membership. The choice of additive or multiplicative notation is not important; what matters is just that they are abelian groups. The commitment function must be homomorphic, i.e., $\forall ck \in K_{com}\ \forall (m_0, r_0), (m_1, r_1) \in M_{ck} \times R_{ck}$ we have $com_{ck}(m_0 + m_1; r_0 + r_1) = com_{ck}(m_0; r_0)\, com_{ck}(m_1; r_1)$.

For our purposes, we use a homomorphic commitment scheme with message space $\mathbb{Z}_q^n$, where $q$ is a prime. Other choices are possible, for instance letting $q$ be a composite or using homomorphic integer commitments [17, 12, 25] with message space $\mathbb{Z}^n$. The reason we choose $q$ to be prime is that it simplifies the presentation slightly and is the most realistic choice in practice. In particular, with $q$ being prime we know that any non-trivial $n$-degree polynomial $P(X) \in \mathbb{Z}_q[X]$ has at most $n$ roots, which will be useful later on.

We need a root extraction property, which says it is infeasible to create an opening of a commitment raised to a non-trivial exponent without being able to open the commitment itself. More precisely, we assume there is a polynomial time root extraction algorithm RootExt that given $ck \in K_{com}$, $M \in M_{ck}$, $R \in R_{ck}$, $c \in C_{ck}$, $e \in \mathbb{Z}_q^*$ so $c^e = com_{ck}(M; R)$ outputs a valid opening $(m, r)$ of $c$.

Examples. As an example of a statistically hiding commitment scheme with these properties, we offer the following variation of Pedersen's commitment scheme [48]. We select primes $q, p$ so $p = kq + 1$ and $k, q$ are coprime. The commitment key is $(q, p, g_1, \ldots, g_n, h)$, where $g_1, \ldots, g_n, h$ are randomly chosen elements of order $q$. Let $G_k$ be the multiplicative group of elements $u$ such that $1 = u^k \bmod p$. We have $M_{ck} = \mathbb{Z}_q^n$, $R_{ck} = G_k \times \mathbb{Z}_q$, $C_{ck} = \mathbb{Z}_p^*$. To commit to $(m_1, \ldots, m_n) \in \mathbb{Z}_q^n$ using randomness $(u, r) \in G_k \times \mathbb{Z}_q$ we compute $c = u\, g_1^{m_1} \cdots g_n^{m_n} h^r \bmod p$.
For the statistical hiding property to hold we can always choose $u = 1$ and simply pick $r \in \mathbb{Z}_q$ at random. The binding property holds computationally assuming the discrete logarithm problem is hard in the order $q$ subgroup of $\mathbb{Z}_p^*$. The commitment scheme is homomorphic and has the root extraction property. Our little twist of the Pedersen commitment scheme, adding the $u$-factor from $G_k$, ensures we do not have to worry about what happens in the order $k$ subgroup of $\mathbb{Z}_p^*$ and makes it extremely efficient to test membership of $C_{ck}$; we just have to verify $0 < c < p$.

As an example of a statistically binding commitment scheme, consider selecting the commitment key $(q, p, g_1, \ldots, g_n, h)$ as described above. The message space is $M_{ck} = \mathbb{Z}_q^n$, the randomizer space is $G_k^{n+1} \times \mathbb{Z}_q$, and the commitment space is $C_{ck} = (\mathbb{Z}_p^*)^{n+1}$. We commit to $(m_1, \ldots, m_n) \in \mathbb{Z}_q^n$ using randomizer $(u_1, \ldots, u_n, u, r) \in G_k^{n+1} \times \mathbb{Z}_q$ as $c = (u_1 g_1^{r + m_1}, \ldots, u_n g_n^{r + m_n}, u h^r)$. We can simply use $u_1 = \cdots = u_n = u = 1$ when making the commitments; the hiding property holds computationally if the DDH problem is hard in the order $q$ subgroup of $\mathbb{Z}_p^*$.
2.4 Special Honest Verifier Zero-Knowledge Arguments of Knowledge

Consider a pair of probabilistic polynomial time interactive algorithms $(P, V)$ called the prover and the verifier. They may have access to a common reference string $\sigma$ generated by a probabilistic polynomial time key generation algorithm $K$. We consider a polynomial time decidable relation $R$, which may depend on the common reference string $\sigma$. For an element $x$ we call $w$ a witness if $(\sigma, x, w) \in R$. We define a corresponding language $L_\sigma$ consisting of elements that have a witness. We write $tr \leftarrow \langle P(x), V(y) \rangle$ for the public transcript produced by $P$ and $V$ when interacting on inputs $x$ and $y$. This transcript ends with $V$ either accepting or rejecting. We sometimes shorten the notation by saying $\langle P(x), V(y) \rangle = b$ if $V$ ends by accepting, $b = 1$, or rejecting, $b = 0$.

Definition 1 (Argument). The triple $(K, P, V)$ is called an argument for relation $R$ if for all non-uniform polynomial time interactive adversaries $A$ we have

Completeness:
$$\Pr\big[\sigma \leftarrow K(1^\kappa); (x, w) \leftarrow A(\sigma) : (\sigma, x, w) \notin R \text{ or } \langle P(\sigma, x, w), V(\sigma, x) \rangle = 1\big] \approx 1.$$

Soundness:
$$\Pr\big[\sigma \leftarrow K(1^\kappa); x \leftarrow A(\sigma) : x \notin L_\sigma \text{ and } \langle A, V(\sigma, x) \rangle = 1\big] \approx 0.$$

We call $(K, P, V)$ a proof if soundness holds for unbounded adversaries.

In this paper it will sometimes be convenient to restrict the class of adversaries for which we have soundness. In that case, we will say we have soundness for a class of adversaries ADV, if the definition above holds for all $A \in$ ADV.

Definition 2 (Public coin). An argument $(K, P, V)$ is said to be public coin, if the verifier's messages are chosen uniformly at random independently of the messages sent by the prover.

We define special honest verifier zero-knowledge (SHVZK) [9] for a public coin argument as the ability to simulate the transcript for any set of challenges without access to the witness.

Definition 3 (Special honest verifier zero-knowledge).
The public coin argument $(K, P, V)$ is called a special honest verifier zero-knowledge argument for $R$ if there exists a simulator $S$ such that for all non-uniform polynomial time adversaries $A$ we have
$$\Pr\big[\sigma \leftarrow K(1^\kappa); (x, w, \rho) \leftarrow A(\sigma); tr \leftarrow \langle P(\sigma, x, w), V(\sigma, x; \rho) \rangle : (\sigma, x, w) \in R \text{ and } A(tr) = 1\big]$$
$$\approx \Pr\big[\sigma \leftarrow K(1^\kappa); (x, w, \rho) \leftarrow A(\sigma); tr \leftarrow S(\sigma, x, \rho) : (\sigma, x, w) \in R \text{ and } A(tr) = 1\big].$$
We say $(K, P, V)$ has statistical SHVZK if the SHVZK property holds for unbounded adversaries.
We remark that a weaker definition of SHVZK arguments, where $\rho$ is chosen uniformly at random instead of chosen by the adversary, is common in the literature. We also remark that there are efficient techniques to convert SHVZK arguments into zero-knowledge arguments for arbitrary verifiers in the common reference string model [11, 21, 24].

WITNESS-EXTENDED EMULATION. The standard definition of a system for proof of knowledge by Bellare and Goldreich [4] does not work in our setting since the adversary may have non-zero probability of computing some trapdoor pertaining to the common reference string and use that information in the argument [12]. In this case, it is possible that there exists a prover with 100% probability of making a convincing argument, where we nonetheless cannot extract a witness. We shall define an argument of knowledge through witness-extended emulation, the name taken from Lindell [35]. Lindell's definition pertains to proofs of knowledge in the plain model; we will adapt his definition to the setting of public coin arguments in the common reference string model. Informally, our definition says: given an adversary that produces an acceptable argument with probability $\epsilon$, there exists an emulator that produces a similar argument with probability $\epsilon$, but at the same time provides a witness.

Definition 4 (Witness-extended emulation). We say the public coin argument $(K, P, V)$ has witness-extended emulation if for all deterministic polynomial time $P^*$ there exists an expected polynomial time emulator $E$ such that for all non-uniform polynomial time adversaries $A$ we have
$$\Pr\big[\sigma \leftarrow K(1^\kappa); (x, s) \leftarrow A(\sigma); tr \leftarrow \langle P^*(\sigma, x, s), V(\sigma, x) \rangle : A(tr) = 1\big]$$
$$\approx \Pr\big[\sigma \leftarrow K(1^\kappa); (x, s) \leftarrow A(\sigma); (tr, w) \leftarrow E^{\langle P^*(\sigma, x, s), V(\sigma, x) \rangle}(\sigma, x) : A(tr) = 1 \text{ and if } tr \text{ is accepting then } (\sigma, x, w) \in R\big],$$
where $E$ has access to a transcript oracle $\langle P^*(\sigma, x, s), V(\sigma, x) \rangle$ that can be rewound to a particular round and run again with the verifier choosing fresh random coins. We think of $s$ as being the state of $P^*$, including the randomness.
Then we have an argument of knowledge in the sense that the emulator can extract a witness whenever $P^*$ is able to make a convincing argument. This shows that the definition implies soundness.

We remark that the verifier's coins are part of the transcript and the prover is deterministic. So combining the emulated transcript with $\sigma, x, s$ gives us the view of both prover and verifier and at the same time gives us the witness.

Our definition of witness-extended emulation treats both prover and verifier in a black-box manner. The emulator therefore only has access to an oracle that gives it transcripts with a deterministic prover and an honest probabilistic verifier. Treating not only the prover but also the verifier in a black-box manner makes the Fiat-Shamir heuristic described in the end of the section more convincing; we avoid the emulator querying the prover on eschewed challenges or challenges with implanted trapdoors.

In the paper it will sometimes be necessary to restrict the class of adversaries for which we have witness-extended emulation. In that case, we will say we have witness-extended emulation for a class of adversaries ADV, if the definition above holds for all $A \in$ ADV.
Damgård and Fujisaki [12] have suggested an alternative definition of an argument of knowledge in the presence of a common reference string. Witness-extended emulation as defined above implies knowledge soundness as defined by them [24].

THE FIAT-SHAMIR HEURISTIC. The Fiat-Shamir heuristic can be used to make public coin SHVZK arguments non-interactive. In the Fiat-Shamir heuristic the verifier's challenges are computed by applying a cryptographic hash-function to the transcript of the protocol. Security can be argued heuristically in the random oracle model by Bellare and Rogaway [5]. In the random oracle model, the hash-function is modeled as a random oracle that returns a random string on each input it has not been queried before.

2.5 Setup

We will construct a 7-round public coin SHVZK argument for the relation
$$R = \big\{ (\sigma, (pk, e_1, \ldots, e_n, E_1, \ldots, E_n), (\pi, R_1, \ldots, R_n)) \;\big|\; \pi \in \Sigma_n,\ R_1, \ldots, R_n \in R_{pk} : E_i = e_{\pi(i)} E_{pk}(1; R_i) \big\}.$$
The relation ignores $\sigma$, so this is a standard NP-relation. For soundness and witness-extended emulation, we restrict ourselves to the class of adversaries that produce valid $pk \in K_{enc}$. For some cryptosystems, it is straightforward to check whether $pk \in K_{enc}$. For ElGamal encryption, validity of a key can be decided in polynomial time. For Paillier encryption, all we need to verify is that there are no small prime factors in the modulus, which can be checked in heuristic polynomial time using Lenstra's [33] elliptic curve factorization method. For other homomorphic cryptosystems, it may not be easy to decide whether the key is correct; however, we may be working in a scenario where it is correctly set up. For instance, in a mix-net it may be the case that the mix-servers use a multi-party computation protocol to generate the encryption key, and if a majority is honest then we are guaranteed that the key is correct.

In the SHVZK argument we will suggest, the common reference string will be generated as a public key for a homomorphic commitment scheme for $n$ elements as described in Section 2.3.
Depending on the applications, there are many possible choices for who generates the commitment key and how they do it. For use in a mix-net, we could for instance imagine that there is a setup phase, where the mix-servers run a multi-party computation protocol to generate the commitment key.

It is possible to let the generation of the common reference string happen in the protocol itself. An unconditionally binding commitment scheme will give us statistical soundness. If we use a commitment scheme where it is possible to verify that it is unconditionally binding, we can let the prover generate the commitment key and obtain a SHVZK proof. A statistically hiding commitment scheme will give us statistical SHVZK. If it is possible to verify whether a commitment key is statistically hiding, we can let the verifier pick the common reference string. This will give us a statistical SHVZK argument. The statistical SHVZK argument will be public coin, if a random string can be used to specify a statistically hiding commitment key.
2.6 Parameters

The verifier will select public coin challenges from $\{0, 1\}^{l_e}$. $l_e$ will be a sufficiently large security parameter so the risk of breaking soundness is negligible. In practice a choice of $l_e = 80$ suffices for interactive protocols. If we make the SHVZK argument non-interactive using the Fiat-Shamir heuristic, $l_e = 160$ may be sufficient.

Another security parameter is $l_s$. Here we require that for any $a$ of length $l_a$, we have that $d$ and $a + d$ are statistically indistinguishable, when $d$ is chosen at random from $\{0, 1\}^{l_a + l_s}$. This only leaks information about $a$ in the unlikely situation that $a + d < 2^{l_a}$ or $2^{l_a + l_s} \le a + d$. In practice $l_s = 80$ will be sufficient.

We set up the commitment scheme with message space $\mathbb{Z}_q^n$. We demand that $2^{l_e + l_s} < q$. The reason for this choice is to make $q$ large enough to avoid overflows that require a modular reduction in Sections 4 and 5. When the cryptosystem has a message space where $m^q = 1$ for all messages, this requirement can be waived; see Section 6 for details. For notational convenience, we assume that the randomizer space of the commitment scheme is $\mathbb{Z}_q$, but other choices are possible.

3 SHVZK Argument for Shuffle of Known Contents

Before looking into the question of shuffling ciphertexts, we investigate a simpler problem that will be used as a building block. We have messages $m_1, \ldots, m_n$ and a commitment $c$. The problem is to prove knowledge of a permutation $\pi$ and a randomizer $r$ such that $c = com_{ck}(m_{\pi(1)}, \ldots, m_{\pi(n)}; r)$. In this section, we present an SHVZK argument for a commitment containing a permutation of a set of known messages.

The main idea is from Neff [36], namely that a polynomial $p(X) = \prod_{i=1}^n (m_i - X)$ is stable under permutation of the roots, i.e., for any permutation $\pi$ we have $p(X) = \prod_{i=1}^n (m_{\pi(i)} - X)$. We will prove knowledge of $\mu_1, \ldots, \mu_n, r$ so $c = com_{ck}(\mu_1, \ldots, \mu_n; r)$ and prove that $\prod_{i=1}^n (m_i - X) = \prod_{i=1}^n (\mu_i - X)$. Since we are working over a field $\mathbb{Z}_q$, this equality implies the existence of a permutation $\pi$ so $\mu_i = m_{\pi(i)}$.
To prove that the two polynomials are identical, we will let the verifier choose $x \in \mathbb{Z}_q$ at random and demonstrate that $\prod_{i=1}^n (m_i - x) = \prod_{i=1}^n (\mu_i - x)$. A degree $n$ polynomial in $\mathbb{Z}_q[X]$ can have at most $n$ roots, so there is overwhelming probability of failing the test unless indeed $\prod_{i=1}^n (m_i - X) = \prod_{i=1}^n (\mu_i - X)$.

Using this idea, we formulate the following plan for arguing knowledge of $c$ containing a permutation of the messages $m_1, \ldots, m_n$.

1. Use a standard SHVZK argument with randomly chosen challenge $e$ to argue knowledge of an opening $\mu_1, \ldots, \mu_n, r$ of $c$. In this SHVZK argument of knowledge we get values $f_i = e\mu_i + d_i$, where $d_i$ is committed to by the prover before receiving the random $e$ from the verifier.
2. In the first round of the argument, the verifier will choose an evaluation point $x \in \mathb{Z}_q$ at random. Once the prover sends out the values $f_1, \ldots, f_n$, it is straightforward to compute $f_i - ex = e(\mu_i - x) + d_i$.

3. We have $\prod_{i=1}^n (f_i - ex) = e^n \prod_{i=1}^n (\mu_i - x) + p_{n-1}(e)$, where $p_{n-1}(\cdot)$ is a polynomial of degree $n - 1$. We will argue that $\prod_{i=1}^n (f_i - ex) = e^n \prod_{i=1}^n (m_i - x) + p_{n-1}(e)$. Since $e$ is chosen at random, this means $\prod_{i=1}^n (\mu_i - x) = \prod_{i=1}^n (m_i - x)$ as we wanted.

4. To argue that $\prod_{i=1}^n (f_i - ex) = e^n \prod_{i=1}^n (m_i - x) + p_{n-1}(e)$ the prover will send $F_1, \ldots, F_n$ of the form $F_j = e \prod_{i=1}^j (\mu_i - x) + \Delta_j$ to the verifier, where $\Delta_2, \ldots, \Delta_{n-1}$ are chosen by the prover before receiving the random challenge $e$. We use $\Delta_1 = d_1$ so $F_1 = f_1 - ex$. We also use $\Delta_n = 0$ so $F_n = e \prod_{i=1}^n (m_i - x)$, which can be tested directly by the verifier. We will have equalities $eF_{i+1} = F_i(f_{i+1} - ex) + f_{\Delta i}$, where the $f_{\Delta i}$'s are linear in $e$. From the verifier's point of view these equalities imply that $e^n \prod_{i=1}^n (m_i - x) = e^{n-1} F_n = \prod_{i=1}^n (f_i - ex) - p_{n-1}(e)$, where $p_{n-1}$ is a degree $n - 1$ polynomial in $e$. With overwhelming probability over $e$ this implies $\prod_{i=1}^n (m_i - x) = \prod_{i=1}^n (\mu_i - x)$.

Theorem 1. The protocol in Figure 1 is a 4-move public coin special honest verifier zero-knowledge argument with witness-extended emulation for $c$ being a commitment to a permutation of the messages $m_1, \ldots, m_n$. If the commitment scheme is statistically hiding then the argument is statistical honest verifier zero-knowledge. If the commitment scheme is statistically binding, then we have unconditional soundness, i.e., the protocol is an SHVZK proof.

Proof. It is obvious that we are dealing with a 4-move public coin protocol. Perfect completeness is straightforward to verify. Remaining is to prove special honest verifier zero-knowledge and witness-extended emulation.

SPECIAL HONEST VERIFIER ZERO-KNOWLEDGE. Figure 2 describes how the simulator acts given challenges $x, e$. The simulator does not use any knowledge of $\pi, r$. It first selects $f_1, \ldots, f_n, z, F_2, \ldots, F_{n-1}, z_\Delta$ and $c_a \leftarrow com_{ck}(0, \ldots, 0)$ at random and then adjusts all other parts of the argument to fit these values.
In the same figure, we describe a hybrid simulator that acts just as the simulator except when generating $c_a$. In the generation of $c_a$, the hybrid simulator does use knowledge of $\pi$ to compute $d_i, a_i, \Delta_i$ values. It then produces $c_a$ in the same manner as a real prover would do it using those values. Finally, for comparison we have the real prover's protocol in an unordered fashion.

The simulated argument and the hybrid argument differ only in the content of $c_a$. The hiding property of the commitment scheme therefore gives us indistinguishability between hybrid arguments and simulated arguments. If the commitment scheme is statistically hiding then the arguments are statistically indistinguishable.

A hybrid argument is statistically indistinguishable from a real argument. The only difference is that a real prover starts out by picking $d_i, \Delta_i, r_d, r_\Delta$ at random,
Fig. 1. Argument of Knowledge of Shuffle of Known Content.

Common input: $ck$, $c$, $m_1, \ldots, m_n$.
Prover's input: $\pi, r$ so $c = com_{ck}(m_{\pi(1)}, \ldots, m_{\pi(n)}; r)$.

Verifier → Prover: $x \leftarrow \{0, 1\}^{l_e}$.
Prover: $d_1, \ldots, d_n \leftarrow \mathbb{Z}_q$, $r_d, r_\Delta \leftarrow \mathbb{Z}_q$; $\Delta_1 = d_1$, $\Delta_2, \ldots, \Delta_{n-1} \leftarrow \mathbb{Z}_q$, $\Delta_n = 0$; $a_i = \prod_{j=1}^i (m_{\pi(j)} - x)$, $r_a \leftarrow \mathbb{Z}_q$;
  $c_d = com_{ck}(d_1, \ldots, d_n; r_d)$,
  $c_\Delta = com_{ck}(-\Delta_1 d_2, \ldots, -\Delta_{n-1} d_n; r_\Delta)$,
  $c_a = com_{ck}(\Delta_2 - (m_{\pi(2)} - x)\Delta_1 - a_1 d_2, \ldots, \Delta_n - (m_{\pi(n)} - x)\Delta_{n-1} - a_{n-1} d_n; r_a)$.
Prover → Verifier: $c_d, c_\Delta, c_a$.
Verifier → Prover: $e \leftarrow \{0, 1\}^{l_e}$.
Prover: $f_i = e m_{\pi(i)} + d_i$, $z = er + r_d$; $f_{\Delta i} = e(\Delta_{i+1} - (m_{\pi(i+1)} - x)\Delta_i - a_i d_{i+1}) - \Delta_i d_{i+1}$, $z_\Delta = e r_a + r_\Delta$.
Prover → Verifier: $f_1, \ldots, f_n, z, f_{\Delta 1}, \ldots, f_{\Delta(n-1)}, z_\Delta$.
Verifier: Check $c_d, c_a, c_\Delta \in C_{ck}$. Check $f_1, \ldots, f_n, z, f_{\Delta 1}, \ldots, f_{\Delta(n-1)}, z_\Delta \in \mathbb{Z}_q$. Check $c^e c_d = com_{ck}(f_1, \ldots, f_n; z)$. Check $c_a^e c_\Delta = com_{ck}(f_{\Delta 1}, \ldots, f_{\Delta(n-1)}; z_\Delta)$. Define $F_1, \ldots, F_n$ so $F_1 = f_1 - ex$, $eF_2 = F_1(f_2 - ex) + f_{\Delta 1}, \ldots, eF_n = F_{n-1}(f_n - ex) + f_{\Delta(n-1)}$. Check $F_n = e \prod_{i=1}^n (m_i - x)$.

however, in both protocols this gives us $f_i, f_{\Delta i}, z, z_\Delta$ randomly distributed over $\mathbb{Z}_q$. Given these values, the commitment $c_a$ is computed in the same way by both protocols. Moreover, in both protocols we get $c_d = com_{ck}(d_1, \ldots, d_n; r_d)$ and $c_\Delta = com_{ck}(-\Delta_1 d_2, \ldots, -\Delta_{n-1} d_n; r_\Delta)$.

WITNESS-EXTENDED EMULATION. The emulator $E$ first runs $\langle P^*, V \rangle$ to get a transcript $tr$. This is the transcript $E$ will output and by construction it is perfectly indistinguishable from a real SHVZK argument. If the transcript is rejecting, then $E$ halts with $(tr, \bot)$. However, if the transcript is accepting then $E$ must try to find a witness $w = (\pi, r)$.

To extract a witness $E$ rewinds and runs $\langle P^*, V \rangle$ again on the same challenge $x$ until it gets another acceptable argument. Call the two arguments $(x, c_d, c_\Delta, c_a, e, f_1, \ldots, f_n, z, f_{\Delta 1}, \ldots, f_{\Delta(n-1)}, z_\Delta)$ and
Simulator:
$f_i \leftarrow \mathbb{Z}_q$, $z \leftarrow \mathbb{Z}_q$; $F_i \leftarrow \mathbb{Z}_q$, $z_\Delta \leftarrow \mathbb{Z}_q$; $F_1 = f_1 - ex$, $F_n = e\prod_{i=1}^n (m_i - x)$; $f_{\Delta i} = eF_{i+1} - F_i(f_{i+1} - ex)$; $c_a \leftarrow com_{ck}(0, \ldots, 0)$; $c_d = com_{ck}(f_1, \ldots, f_n; z)\, c^{-e}$; $c_\Delta = com_{ck}(f_{\Delta 1}, \ldots, f_{\Delta(n-1)}; z_\Delta)\, c_a^{-e}$.

Hybrid:
$f_i, z, F_i, z_\Delta, F_1, F_n, f_{\Delta i}$ as in the simulator; $d_i = f_i - e m_{\pi(i)}$; $a_i = \prod_{j=1}^{i}(m_{\pi(j)} - x)$, $r_a \leftarrow \mathbb{Z}_q$; $\Delta_i = F_i - e a_i$; $c_a \leftarrow com_{ck}(\Delta_2 - (m_{\pi(2)} - x)\Delta_1 - a_1 d_2, \ldots, \Delta_n - (m_{\pi(n)} - x)\Delta_{n-1} - a_{n-1} d_n; r_a)$; $c_d$, $c_\Delta$ as in the simulator.

Prover:
$f_i = e m_{\pi(i)} + d_i$, $z = er + r_d$; $F_i = e a_i + \Delta_i$, $z_\Delta = e r_a + r_\Delta$; $d_i \leftarrow \mathbb{Z}_q$, $r_d \leftarrow \mathbb{Z}_q$; $\Delta_i \leftarrow \mathbb{Z}_q$, $r_\Delta \leftarrow \mathbb{Z}_q$; $c_a$ as in the hybrid; $c_d = com_{ck}(d_1, \ldots, d_n; r_d)$; $c_\Delta = com_{ck}(-\Delta_1 d_2, \ldots; r_\Delta)$.

Fig. 2. Simulation of Known Shuffle Argument.

$(x, c_d, c_\Delta, c_a, e', f'_1, \ldots, f'_n, z', f'_{\Delta 1}, \ldots, f'_{\Delta(n-1)}, z'_\Delta)$. We have $c^e c_d = com_{ck}(f_1, \ldots, f_n; z)$ and $c^{e'} c_d = com_{ck}(f'_1, \ldots, f'_n; z')$. This gives us $c^{e - e'} = com_{ck}(f_1 - f'_1, \ldots, f_n - f'_n; z - z')$. If $e \neq e'$, $E$ can run the root extraction algorithm to get an opening $\mu_1, \ldots, \mu_n, r$ of $c$. Let us at this point argue that $E$ runs in expected polynomial time. If $P$ is in a situation where it has probability $\epsilon > 0$ of making the verifier accept on challenge $x$, then the expected number of runs to get an acceptable transcript is $1/\epsilon$. Of course if $P$ fails, then we do not need to sample a second run. We therefore get a total expectation of 2 queries to $\langle P, V\rangle$. A consequence of $E$ using an expected polynomial number of queries to $P$ is that there is only negligible probability of ending in a run where $e = e'$ or any other event with negligible probability occurs, e.g., breaking the binding property of the commitment scheme. Therefore, with overwhelming probability, either we do not need a witness or we have found an opening $\mu_1, \ldots, \mu_n, r$ of $c$. We need to argue that the probability for extracting an opening of $c$, such that $\mu_1, \ldots, \mu_n$ is not a permutation of $m_1, \ldots, m_n$, is negligible. Assume there is a constant $\delta > 0$ such that $P$ has more than $\kappa^{-\delta}$ chance of producing a convincing argument. In that case we can run it with a random challenge $x$ and rewind to get three random challenges $e, e', e''$. With probability at least $\kappa^{-3\delta}$, $P$ manages to create accepting arguments on all three of these challenges.
Call the first two arguments $(x, c_d, c_\Delta, c_a, e, f_1, \ldots, f_n, z, f_{\Delta 1}, \ldots, f_{\Delta(n-1)}, z_\Delta)$ and $(x, c_d, c_\Delta, c_a, e', f'_1, \ldots, f'_n, z', f'_{\Delta 1}, \ldots, f'_{\Delta(n-1)}, z'_\Delta)$. We have $c_a^e c_\Delta = com_{ck}(f_{\Delta 1}, \ldots, f_{\Delta(n-1)}; z_\Delta)$ and $c_a^{e'} c_\Delta = com_{ck}(f'_{\Delta 1}, \ldots, f'_{\Delta(n-1)}; z'_\Delta)$, so $c_a^{e - e'} = com_{ck}(f_{\Delta 1} - f'_{\Delta 1}, \ldots, f_{\Delta(n-1)} - f'_{\Delta(n-1)}; z_\Delta - z'_\Delta)$. From this, we can extract an opening $\alpha_1, \ldots, \alpha_{n-1}, r_a$ of $c_a$. This also gives us an opening $\delta_1, \ldots, \delta_{n-1}, r_\Delta$ of $c_\Delta$, where $\delta_i = f_{\Delta i} - e\alpha_i$, $r_\Delta = z_\Delta - e r_a$. Since we know an opening of $c$, we also have an opening $d_1, \ldots, d_n, r_d$ of $c_d$ with $d_i = f_i - e\mu_i$, $r_d = z - er$. Consider now the third challenge $e''$. Since we know openings of $c, c_d$ we have $f''_i = e''\mu_i + d_i$, and since we know openings of $c_a, c_\Delta$ we have $f''_{\Delta i} = e''\alpha_i + \delta_i$.
From the way we build up $F''_n$ and from $F''_n = e''\prod_{i=1}^n (m_i - x)$ we deduce
\[
(e'')^n \prod_{i=1}^n (m_i - x) = (e'')^{n-1} F''_n = (e'')^n \prod_{i=1}^n (\mu_i - x) + p_{n-1}(e''),
\]
where $p_{n-1}(\cdot)$ is a polynomial of degree $n-1$. Since $e''$ is chosen at random this implies with overwhelming probability that $\prod_{i=1}^n (\mu_i - x) = \prod_{i=1}^n (m_i - x)$. We now have two polynomials evaluating to the same value in a random point $x$. With overwhelming probability, they must be identical. This in turn implies that $\mu_1, \ldots, \mu_n$ is a permutation of $m_1, \ldots, m_n$, as we wanted to show. If the commitment scheme is statistically binding, then even an unbounded adversary is stuck with the values that have been committed to, without any ability to change them. With $x, e$ chosen at random by the verifier, even an unbounded adversary has negligible chance of cheating.

4 SHVZK Argument for Shuffle of Homomorphic Encryptions

A set of ciphertexts $e_1, \ldots, e_n$ can be shuffled by selecting a permutation $\pi$, selecting randomizers $R_1, \ldots, R_n$, and setting $E_1 = e_{\pi(1)} E_{pk}(1; R_1), \ldots, E_n = e_{\pi(n)} E_{pk}(1; R_n)$. The task for the prover is to argue that some permutation $\pi$ exists so that the plaintexts of $E_1, \ldots, E_n$ and $e_{\pi(1)}, \ldots, e_{\pi(n)}$ are identical. As a first step, we think of the following naïve proof system. The prover informs the verifier of the permutation $\pi$. The verifier picks at random $t_1, \ldots, t_n$, computes $\prod_{i=1}^n e_i^{t_i}$ and $\prod_{i=1}^n E_i^{t_{\pi(i)}}$. Finally, the prover proves that the two resulting ciphertexts have the same plaintext. Unless $\pi$ really corresponds to a pairing of ciphertexts with identical plaintexts the prover will be caught with overwhelming probability. An obvious problem with this idea is the lack of zero-knowledge. We remedy it in the following way [20, 36]:
1. The prover commits to the permutation $\pi$ as $c \leftarrow com_{ck}(\pi(1), \ldots, \pi(n))$. He makes an SHVZK argument of knowledge of $c$ containing a permutation of the numbers $1, \ldots, n$. At this step, the prover is bound to some permutation he knows, but the permutation remains hidden.
2. The prover creates a commitment $c_d \leftarrow com_{ck}(-d_1, \ldots, -d_n)$ to random $d_i$'s.
The verifier selects at random $t_1, \ldots, t_n$ and the prover permutes them according to $\pi$. The prover will at some point reveal values $f_i = t_{\pi(i)} + d_i$, but since the $d_i$'s are random this does not reveal the permutation $\pi$. As part of the argument, we will argue that the $f_i$'s have been formed correctly, using the same permutation $\pi$ that we used to form $c$.
3. Finally, the prover uses standard SHVZK arguments of knowledge of multiplicative relationship and equivalence to show that the products $\prod_{i=1}^n e_i^{t_i}$ and $\prod_{i=1}^n E_i^{f_i}$ differ only by a factor $E_d = \prod_{i=1}^n E_i^{d_i}$ and $E_{pk}(1; R)$ for some randomizer $R$, without revealing anything else. This last step corresponds to carrying out the naïve proof system in zero-knowledge using a secret permutation $\pi$ that was fixed before receiving the $t_i$'s.
To carry out this process we need to convince the verifier that $c$ and $f_1, \ldots, f_n$ contain respectively $1, \ldots, n$ and $t_1, \ldots, t_n$ permuted in the same order. It seems like we have just traded one shuffle problem with another. The difference is that the supposed contents of the commitments are known to both the prover and the verifier, whereas we cannot expect either to know the contents of the ciphertexts being shuffled. The SHVZK argument of knowledge for a shuffle of known content can therefore be used. To see that the pairs $(i, t_i)$ match we let the verifier pick $\lambda$ at random, and let the prover demonstrate that $c^\lambda c_d\, com_{ck}(f_1, \ldots, f_n; 0)$ contains a shuffle of $\lambda + t_1, \ldots, \lambda n + t_n$. If a pair $(i, t_i)$ does not appear in the same spot in respectively $c$ and $f_1, \ldots, f_n$, then with high likelihood over the choice of $\lambda$ the shuffle argument will fail.

Shuffle of Homomorphic Ciphertexts

Common input: $ck$, $pk$, $e_1, \ldots, e_n$, $E_1, \ldots, E_n$.
Prover's input: $\pi, R_1, \ldots, R_n$ so $E_i = e_{\pi(i)} E_{pk}(1; R_i)$.
Prover: $r \leftarrow \mathbb{Z}_q$, $R_d \leftarrow \mathcal{R}_{pk}$; $d_1, \ldots, d_n \leftarrow \{0,1\}^{l_e + l_s}$, $r_d \leftarrow \mathbb{Z}_q$; $c = com_{ck}(\pi(1), \ldots, \pi(n); r)$; $c_d = com_{ck}(-d_1, \ldots, -d_n; r_d)$; $E_d = \prod_{i=1}^n E_i^{-d_i} E_{pk}(1; R_d)$.
Prover $\to$ Verifier: $c, c_d, E_d$.
Verifier $\to$ Prover: $t_1, \ldots, t_n$, $t_i \leftarrow \{0,1\}^{l_e}$.
Prover: $f_i = t_{\pi(i)} + d_i$, $Z = \sum_{i=1}^n t_{\pi(i)} R_i + R_d$.
Prover $\to$ Verifier: $f_1, \ldots, f_n, Z$.
Verifier $\to$ Prover: $\lambda \leftarrow \{0,1\}^{l_e}$.
Both: $Arg(\pi, \rho \mid c^\lambda c_d\, com_{ck}(f_1, \ldots, f_n; 0) = com_{ck}(\lambda\pi(1) + t_{\pi(1)}, \ldots, \lambda\pi(n) + t_{\pi(n)}; \rho))$.$^a$
Verifier: Check $c, c_d \in \mathcal{C}_{ck}$, $E_d \in \mathcal{C}_{pk}$ and $2^{l_e} \le f_1, \ldots, f_n < 2^{l_e + l_s}$, $Z \in \mathcal{R}_{pk}$. Verify $Arg(\pi, \rho)$. Check $\prod_{i=1}^n e_i^{-t_i} \prod_{i=1}^n E_i^{f_i} E_d = E_{pk}(1; Z)$.

$^a$ Given $m_1, \ldots, m_n, c$ we write $Arg(\pi, \rho \mid c = com_{ck}(m_{\pi(1)}, \ldots, m_{\pi(n)}; \rho))$ as a shorthand for carrying out the SHVZK argument in Figure 1 of knowledge of $\pi, \rho$ such that $c = com_{ck}(m_{\pi(1)}, \ldots, m_{\pi(n)}; \rho)$.

Fig. 3. Argument of Shuffle of Homomorphic Ciphertexts.
Theorem 2. The protocol in Figure 3 is a 7-move public coin special honest verifier zero-knowledge argument for correctness of a shuffle of homomorphic ciphertexts. If the cryptosystem has polynomial time root extraction, then the argument has witness-extended emulation. If the commitment scheme is statistically hiding, then the argument is statistical SHVZK. If the commitment scheme is statistically binding, then the scheme is an SHVZK proof of a shuffle.

Proof. Using the 4-move argument of knowledge for shuffle of known contents from this paper the protocol is a 7-move public coin protocol. With sufficiently large $l_s$ we have with overwhelming probability that $2^{l_e} \le t_{\pi(i)} + d_i < 2^{l_e + l_s} < q$ when added as integers. With this in mind, it is straightforward to verify completeness. It remains to prove that we have special honest verifier zero-knowledge and witness-extended emulation.

SPECIAL HONEST VERIFIER ZERO-KNOWLEDGE. Given challenges $t_1, \ldots, t_n, \lambda$ as well as challenges for the known shuffle we wish to simulate a transcript that is indistinguishable from a real argument. We describe in Figure 4 a simulator that simulates the argument without access to the permutation $\pi$ or the randomizers $R_1, \ldots, R_n$. It picks $c, c_d, f_1, \ldots, f_n, Z$ at random and fits the other parts of the protocol to these values. In the same figure, we also include a hybrid argument that works like the simulator except for generating $c, c_d$ correctly using knowledge of $\pi$. Finally, we include for comparison the real prover in a somewhat unordered description.

Simulator:
$c \leftarrow com_{ck}(0, \ldots, 0)$; $c_d \leftarrow com_{ck}(0, \ldots, 0)$; $f_i \leftarrow \{0,1\}^{l_e + l_s}$; $Z \leftarrow \mathcal{R}_{pk}$; $E_d = E_{pk}(1; Z)\prod_{i=1}^n e_i^{t_i} \prod_{i=1}^n E_i^{-f_i}$; simulate $Arg(\pi, \rho \mid c^\lambda c_d\, com_{ck}(f_1, \ldots, f_n; 0) = com_{ck}(\lambda\pi(1) + t_{\pi(1)}, \ldots, \lambda\pi(n) + t_{\pi(n)}; \rho))$.

Hybrid:
$c \leftarrow com_{ck}(\pi(1), \ldots, \pi(n))$; $d_i = f_i - t_{\pi(i)}$; $c_d \leftarrow com_{ck}(-d_1, \ldots, -d_n)$; $f_i \leftarrow \{0,1\}^{l_e + l_s}$; $Z \leftarrow \mathcal{R}_{pk}$; $E_d$ as in the simulator; simulate $Arg(\pi, \rho \mid \ldots)$ as in the simulator.

Prover:
$c \leftarrow com_{ck}(\pi(1), \ldots, \pi(n))$; $d_i \leftarrow \mathbb{Z}_q$; $c_d \leftarrow com_{ck}(-d_1, \ldots, -d_n)$; $f_i = t_{\pi(i)} + d_i$; $R_d \leftarrow \mathcal{R}_{pk}$, $Z = \sum_{i=1}^n t_{\pi(i)} R_i + R_d$; $E_d = \prod_{i=1}^n E_i^{-d_i} E_{pk}(1; R_d)$; real $Arg(\pi, \rho \mid c^\lambda c_d\, com_{ck}(f_1, \ldots, f_n; 0) = com_{ck}(\lambda\pi(1) + t_{\pi(1)}, \ldots, \lambda\pi(n) + t_{\pi(n)}; \rho))$.

Fig. 4. Simulation of Shuffle Argument.
Simulated arguments and hybrid arguments only differ in the content of $c$ and $c_d$. The hiding property of the commitment scheme therefore implies indistinguishability between simulated arguments and hybrid arguments. If the commitment scheme is statistically hiding, then the two types of arguments are statistically indistinguishable. Since $q > 2^{l_e + l_s}$ there is overwhelming probability that we do not need to make any modular reductions when computing the $d_i$'s and $f_i$'s and that the $f_i$'s are at least $2^{l_e}$. Under this condition, we have for the prover that $\prod_{i=1}^n E_i^{-d_i} E_{pk}(1; R_d) = E_{pk}(1; Z)\prod_{i=1}^n e_i^{t_i} \prod_{i=1}^n E_i^{-f_i}$, so there is no difference in the way $E_d$ is computed by
respectively the hybrid simulator and the prover. The only remaining difference is that the hybrid argument contains a simulated argument of knowledge of shuffle of known content, whereas the prover makes a real proof. The SHVZK property of this argument gives us indistinguishability between hybrid arguments and real arguments, and statistical SHVZK gives us statistical indistinguishability.

SOUNDNESS AND WITNESS-EXTENDED EMULATION. The proof of soundness will follow from the proof of witness-extended emulation, so let us start with describing the emulator. We first run $\langle P, V\rangle$ to give us a transcript $tr = (c, c_d, E_d, t_1, \ldots, t_n, f_1, \ldots, f_n, Z, \lambda, tr_{known})$, where $tr_{known}$ is the transcript of the 4-move argument for a shuffle of known contents. If $P$ fails to produce an acceptable argument, then we output $(tr, \bot)$. On the other hand, if the argument is acceptable, then we must extract a witness $\pi, R_1, \ldots, R_n$ for $E_1, \ldots, E_n$ being a shuffle of $e_1, \ldots, e_n$. In the following we let $\epsilon$ be the probability of $P$ outputting an acceptable argument. In order to extract a witness, we rewind $\langle P, V\rangle$ to get more transcripts with randomly chosen challenges $t_1, \ldots, t_n, \lambda$ and use the witness-extended emulator for the argument of shuffle of known contents to get openings of $c^\lambda c_d\, com_{ck}(f_1, \ldots, f_n; 0)$. We do this until we have obtained $n + 3$ acceptable arguments. If we have probability $\epsilon$ for getting an acceptable transcript on random challenges $t_1, \ldots, t_n, \lambda$ then we expect to use $(n+2)/\epsilon$ attempts to sample $n + 2$ extra transcripts. Since we only need to extract a witness when the transcript is accepting, we have an expected number of $n + 3$ runs. One has to be careful when combining expected polynomial time algorithms, since the composed algorithm may not be expected polynomial time.
In our case, however, we will run the witness-extended emulator on transcripts that have the same distribution as real arguments; in particular the inputs to the witness-extended emulator will always have a size that is polynomial in the security parameter, so we do really get expected polynomial time for the emulator. Since the witness-extended emulator uses expected polynomial time there is overwhelming probability that either we do not get an acceptable argument, or alternatively we do get an acceptable argument but no event with negligible probability occurs. In particular, with overwhelming probability we do not break the binding property of the commitment scheme or have collisions among the randomly chosen challenges. From the sampling process we have two acceptable arguments $c, c_d, E_d, t_1, \ldots, t_n, f_1, \ldots, f_n, Z, \lambda$ and $c, c_d, E_d, t'_1, \ldots, t'_n, f'_1, \ldots, f'_n, Z', \lambda'$ as well as witnesses $\pi, r$ and $\pi', r'$ for $c^\lambda c_d\, com_{ck}(f_1, \ldots, f_n; 0)$ and $c^{\lambda'} c_d\, com_{ck}(f'_1, \ldots, f'_n; 0)$ containing shuffles of respectively $\lambda i + t_i$ and $\lambda' i + t'_i$. This gives us
\[
c^{\lambda - \lambda'} = com_{ck}\bigl(f'_1 - f_1 + \lambda\pi(1) + t_{\pi(1)} - \lambda'\pi'(1) - t'_{\pi'(1)}, \ldots, f'_n - f_n + \lambda\pi(n) + t_{\pi(n)} - \lambda'\pi'(n) - t'_{\pi'(n)};\ r - r'\bigr).
\]
We run the root extractor to get an opening $s_1, \ldots, s_n, r$ of $c$. Given this opening we can compute an opening $-d_1, \ldots, -d_n, r_d$ of $c_d$ with $-d_i = \lambda\pi(i) + t_{\pi(i)} - \lambda s_i - f_i$ and $0 \le d_i < q$. We will now argue that $s_1, \ldots, s_n$ is a permutation of $1, \ldots, n$. Suppose for some constant $\delta > 0$ that $P$ has more than $\kappa^{-\delta}$ chance of producing a valid argument for an infinite number of $\kappa \in \mathbb{N}$ and that we are looking at such a security parameter $\kappa$.
In the third transcript, we have run $P$ with randomly chosen challenges $t_1, \ldots, t_n, \lambda$ and from the witness-extended emulator we get a permutation $\pi$ so $\lambda s_i - d_i + f_i = \lambda\pi(i) + t_{\pi(i)}$. Since $f_i$ is sent by the prover before receiving $\lambda$ this has negligible chance of happening unless $s_i = \pi(i)$. We conclude that indeed $s_1, \ldots, s_n$ is a permutation of $1, \ldots, n$. This in turn tells us that $f_i = t_{\pi(i)} + d_i \bmod q$ for the argument to go through with more than negligible probability. Since $2^{l_e} \le f_i < 2^{l_e + l_s} < q$ the equality $f_i = t_{\pi(i)} + d_i$ holds over the integers as well.

The last $n + 1$ acceptable transcripts we enumerate $j = 1, \ldots, n + 1$. Call the $t_1, \ldots, t_n$ used in the $j$-th argument $t^{(j)}_1, \ldots, t^{(j)}_n$. We have corresponding answers $f^{(j)}_i = t^{(j)}_{\pi(i)} + d_i$, $Z^{(j)}$. Consider the integer vectors $(t^{(j)}_1, \ldots, t^{(j)}_n, 1)$ and the corresponding matrix $T$ containing these as row vectors. For any prime $p$ dividing $M_{pk}$, there is overwhelming probability that the vectors are linearly independent modulo $p$ since $M_{pk}$ only has large prime divisors. This means $\gcd(\det(T), p) = 1$ for all $p$ dividing the order of $M_{pk}$ and thus $\gcd(\det(T), M_{pk}) = 1$. Let $A$ be the transposed cofactor matrix of $T$; then we have $AT = \det(T) I$. Calling the entries of $A$ $a_{kj}$, we have
\[
\sum_{j=1}^{n+1} a_{kj}\,(t^{(j)}_1, \ldots, t^{(j)}_n, 1) = (0, \ldots, 0, \det(T), 0, \ldots, 0),
\]
where $\det(T)$ is placed in position $k$. For all $j$ the verification gives us
\[
\prod_{i=1}^n e_i^{-t^{(j)}_i} \prod_{i=1}^n E_i^{t^{(j)}_{\pi(i)}} \Bigl(\prod_{i=1}^n E_i^{d_i} E_d\Bigr) = \prod_{i=1}^n e_i^{-t^{(j)}_i} \prod_{i=1}^n E_i^{f^{(j)}_i} E_d = E_{pk}(1; Z^{(j)}).
\]
For all $k = 1, \ldots, n$ we have
\[
\begin{aligned}
\bigl(e_k^{-1} E_{\pi^{-1}(k)}\bigr)^{\det(T)}
&= \prod_{i=1}^n \bigl(e_i^{-1} E_{\pi^{-1}(i)}\bigr)^{\sum_{j=1}^{n+1} a_{kj} t^{(j)}_i} \Bigl(\prod_{i=1}^n E_i^{d_i} E_d\Bigr)^{\sum_{j=1}^{n+1} a_{kj}\cdot 1} \\
&= \prod_{j=1}^{n+1} \Bigl(\prod_{i=1}^n e_i^{-t^{(j)}_i} \prod_{i=1}^n E_{\pi^{-1}(i)}^{t^{(j)}_i} \prod_{i=1}^n E_i^{d_i} E_d\Bigr)^{a_{kj}} \\
&= \prod_{j=1}^{n+1} \Bigl(\prod_{i=1}^n e_i^{-t^{(j)}_i} \prod_{i=1}^n E_i^{f^{(j)}_i} E_d\Bigr)^{a_{kj}} \\
&= \prod_{j=1}^{n+1} E_{pk}(1; Z^{(j)})^{a_{kj}} = E_{pk}\Bigl(1; \sum_{j=1}^{n+1} a_{kj} Z^{(j)}\Bigr).
\end{aligned}
\]
We now know from the root extraction property that there exists an $R_{\pi^{-1}(k)}$ so $e_k^{-1} E_{\pi^{-1}(k)} = E_{pk}(1; R_{\pi^{-1}(k)})$, which shows that the argument is sound. If the commitment scheme is statistically binding we get statistical soundness; here we recall that the SHVZK argument for shuffle of known content has statistical soundness when
the commitment is statistically binding. If the cryptosystem has polynomial time root extraction, we can run the root extractor to find the randomizers $R_1, \ldots, R_n$, so we have witness-extended emulation.

We remark that the proof of soundness shows that the SHVZK argument for correctness of a shuffle is an argument of knowledge of $\pi$. However, we may not have full witness-extended emulation where we also learn the rerandomization factors $R_1, \ldots, R_n$, unless the cryptosystem has polynomial time root extraction.

5 Combining Shuffling and Decryption

For efficiency reasons it may be desirable to combine shuffling and decryption into one operation. Consider for instance the case where we are using ElGamal encryption and share the secret key additively between the mix-servers. Instead of first mixing and then threshold decrypting, it makes sense to combine the shuffle operations and the decryption operations. This saves computation and each mix-server only has to be activated once instead of twice. While restricting the choice of parameters, namely we must use an ElGamal-like cryptosystem and we must share the secret key additively between all the mix-servers, this is a realistic real-life scenario.

The public key is of the form $(g, y_1, \ldots, y_N)$, where $y_j = g^{x_j}$ and $x_j$ is the secret key of server $j$. Inputs to the mix-net are ElGamal encryptions under the key $(g, \prod_{j=1}^N y_j)$ of the form $(g^r, (\prod_{j=1}^N y_j)^r m)$. The first server shuffles and decrypts with respect to its own key. This leaves us with encryptions under the key $(g, \prod_{j=2}^N y_j)$ that the second server can shuffle and decrypt, etc. Once the last server shuffles and decrypts we get the plaintexts out.

Server $s$ gets input ciphertexts of the form $(u_1, v_1), \ldots, (u_n, v_n)$ under the key $(g, \prod_{j=s}^N y_j)$. It selects a permutation $\pi$ at random, as well as randomizers $R_1, \ldots, R_n$. The output is $(U_1, V_1), \ldots, (U_n, V_n)$ under the key $(g, Y = \prod_{j=s+1}^N y_j)$, where $U_i = g^{R_i} u_{\pi(i)}$ and $V_i = Y^{R_i} v_{\pi(i)} u_{\pi(i)}^{-x_s}$. What we need is an SHVZK argument of knowledge for correctness of such a shuffle-and-decrypt operation.
A couple of papers have already investigated this problem [19, 18], but their arguments are not SHVZK. Instead, they use a weaker security notion saying that an adversary does not learn anything about the permutation. We will suggest an argument that is SHVZK and at the same time is more efficient in terms of computation and communication but has worse round-complexity. Neff [38] has independently of this work also investigated the combination of shuffle and decryption operations.

The argument is essentially the same as the SHVZK argument for correctness of a shuffle of ciphertexts; we have written out everything using the ElGamal notation in this section. The only difference from the shuffle argument is that we add some extras to also argue correctness of the partial decryption. We prove knowledge of the secret key $x_s$ and argue that it has been used to make partial decryptions. For this purpose, the prover sends an initial message $D = g^{d_x}$ in the first round. Later, the prover will receive a challenge $e$ and respond with $f = e x_s + d_x$. We use the hidden $x_s$ in $f$
to ensure that $u_i^{x_s}$ is removed as intended from the output ciphertexts. The $e$-factor in $f$ and the $d_x$-part that is used to hide $x_s$ force us to add some extra elements to the protocol. The full argument can be seen in Figure 5.

The cryptosystem is ElGamal encryption over a group of prime order $Q$. We include in the common reference string a public key $CK$ for an additional homomorphic commitment scheme $COM_{CK}$, which has $\mathbb{Z}_Q$ as message space. For notational convenience, we assume the randomizers for these commitments are chosen at random from $\mathbb{Z}_Q$. The commitment key $CK$ includes a generator $g$ for the group $G_Q$ of order $Q$ over which we do the ElGamal encryption. The ElGamal encryption key contains $y_s$ and $Y$ from $G_Q$.

Theorem 3. The protocol in Figure 5 is a 7-move public coin special honest verifier zero-knowledge argument for correctness of a shuffle and partial decryption of ElGamal ciphertexts with witness-extended emulation. If the commitment schemes are statistically hiding, then the entire argument is statistical SHVZK. If the commitment schemes are statistically binding, then the entire argument is an SHVZK proof.

Sketch of proof. Obviously, we have a 7-move public coin protocol. Completeness is straightforward to verify.

SPECIAL HONEST VERIFIER ZERO-KNOWLEDGE. To argue special honest verifier zero-knowledge we describe a simulator that runs without knowledge of $\pi, R_1, \ldots, R_n, x_s$ and also a hybrid simulator that does use knowledge of these secret values. The simulator gets the challenges $t_1, \ldots, t_n, \lambda, e$ as well as challenges for the argument of knowledge of a shuffle of known contents as input. It selects at random $f_1, \ldots, f_n \leftarrow \{0,1\}^{l_e + l_s}$, $Z, f, f_V, z_V \leftarrow \mathbb{Z}_Q$, $c, c_d \leftarrow com_{ck}(0, \ldots, 0)$, $C_1 \leftarrow COM_{CK}(0)$ and $V_d \leftarrow G_Q$. It computes $U_d = g^Z \prod_{i=1}^n u_i^{t_i} \prod_{i=1}^n U_i^{-f_i}$, $U = Y^{eZ} g^{f_V} (\prod_{i=1}^n u_i^{t_i})^{-f} (\prod_{i=1}^n v_i^{-t_i} \prod_{i=1}^n V_i^{f_i} V_d)^{-e}$, $D = g^f y_s^{-e}$ and $C_2 = COM_{CK}(f_V; z_V)\, C_1^{-e}$. It also simulates the argument of knowledge of shuffle of known contents. The hybrid simulator also selects $f_1, \ldots, f_n \leftarrow \{0,1\}^{l_e + l_s}$, $Z, f, f_V, z_V \leftarrow \mathbb{Z}_Q$.
It computes $c \leftarrow com_{ck}(\pi(1), \ldots, \pi(n))$, $d_i = f_i - t_{\pi(i)}$, $c_d \leftarrow com_{ck}(-d_1, \ldots, -d_n)$. It selects $r_V \leftarrow \mathbb{Z}_Q$ and $C_1 \leftarrow COM_{CK}(r_V)$. It sets $V_d = Y^Z (\prod_{i=1}^n u_i^{-t_i})^{x_s} \prod_{i=1}^n v_i^{t_i} \prod_{i=1}^n V_i^{-f_i} g^{r_V}$. As the simulator it computes $U_d = g^Z \prod_{i=1}^n u_i^{t_i} \prod_{i=1}^n U_i^{-f_i}$, $U = Y^{eZ} g^{f_V} (\prod_{i=1}^n u_i^{t_i})^{-f} (\prod_{i=1}^n v_i^{-t_i} \prod_{i=1}^n V_i^{f_i} V_d)^{-e}$, $D = g^f y_s^{-e}$ and $C_2 = COM_{CK}(f_V; z_V)\, C_1^{-e}$ and simulates the argument of knowledge of shuffle of known contents.

Let us argue that simulated arguments and hybrid arguments are indistinguishable. In both distributions, $V_d$ is random. In the simulation it is random because $V_d$ is selected at random; in the hybrid argument it is random because of the $g^{r_V}$ factor. The only difference between the two types of arguments is the way we compute the commitments $c, c_d, C_1$. In the simulated argument we compute $c, c_d, C_1$ as commitments to 0, while in the hybrid argument we compute them as commitments to respectively $\pi(1), \ldots, \pi(n)$, $-d_1, \ldots, -d_n$ and $r_V$. The hiding properties of the two commitment schemes give us
Shuffle and Decryption of ElGamal Ciphertexts

Common input: $ck$, $CK$, $pk = (Q, G_Q, g, y_s, Y)$, $(u_1, v_1), \ldots, (u_n, v_n)$, $(U_1, V_1), \ldots, (U_n, V_n)$.
Prover's input: $\pi, x_s, R_1, \ldots, R_n$ so $y_s = g^{x_s}$ and $(U_i, V_i) = (g^{R_i} u_{\pi(i)}, Y^{R_i} v_{\pi(i)} u_{\pi(i)}^{-x_s})$.
Prover: $r \leftarrow \mathbb{Z}_q$, $R_d \leftarrow \mathcal{R}_{pk}$; $d_1, \ldots, d_n \leftarrow \mathbb{Z}_q$, $r_d \leftarrow \mathbb{Z}_q$; $c = com_{ck}(\pi(1), \ldots, \pi(n); r)$; $c_d = com_{ck}(-d_1, \ldots, -d_n; r_d)$; $U_d = \prod_{i=1}^n U_i^{-d_i} g^{R_d}$; $V_d = \prod_{i=1}^n V_i^{-d_i} Y^{R_d} g^{r_V}$; $d_x, r_V, d_V, r_1, r_2 \leftarrow \mathbb{Z}_Q$; $D = g^{d_x}$; $C_1 = COM_{CK}(r_V; r_1)$, $C_2 = COM_{CK}(d_V; r_2)$.
Prover $\to$ Verifier: $c, c_d, U_d, V_d, D, C_1, C_2$.
Verifier $\to$ Prover: $t_1, \ldots, t_n$, $t_i \leftarrow \{0,1\}^{l_e}$.
Prover: $f_i = t_{\pi(i)} + d_i$, $Z = \sum_{i=1}^n t_{\pi(i)} R_i + R_d$, $U = g^{d_V} (\prod_{i=1}^n u_i^{-t_i})^{d_x}$.
Prover $\to$ Verifier: $f_1, \ldots, f_n, Z, U$.
Verifier $\to$ Prover: $\lambda, e \leftarrow \{0,1\}^{l_e}$.
Both: $Arg(\pi, \rho \mid c^\lambda c_d\, com_{ck}(f_1, \ldots, f_n; 0) = com_{ck}(\lambda\pi(1) + t_{\pi(1)}, \ldots, \lambda\pi(n) + t_{\pi(n)}; \rho))$.$^a$
Prover: $f = e x_s + d_x$, $f_V = e r_V + d_V$, $z_V = e r_1 + r_2$.
Prover $\to$ Verifier: $f, f_V, z_V$.
Verifier: Check $c, c_d \in \mathcal{C}_{ck}$, $U_d, V_d, D, U \in G_Q$ and $C_1, C_2 \in \mathcal{C}_{CK}$ and $2^{l_e} \le f_1, \ldots, f_n < 2^{l_e + l_s}$, $Z, f, f_V, z_V \in \mathbb{Z}_Q$. Verify $Arg(\pi, \rho)$. Check $\prod_{i=1}^n u_i^{-t_i} \prod_{i=1}^n U_i^{f_i} U_d = g^Z$. Check $(\prod_{i=1}^n u_i^{t_i})^{f} (\prod_{i=1}^n v_i^{-t_i} \prod_{i=1}^n V_i^{f_i} V_d)^{e} U = Y^{eZ} g^{f_V}$. Check $y_s^e D = g^f$ and $C_1^e C_2 = COM_{CK}(f_V; z_V)$.

$^a$ Given $m_1, \ldots, m_n, c$ we write $Arg(\pi, \rho \mid c = com_{ck}(m_{\pi(1)}, \ldots, m_{\pi(n)}; \rho))$ as a shorthand for carrying out the SHVZK argument in Figure 1 of knowledge of $\pi, \rho$ such that $c = com_{ck}(m_{\pi(1)}, \ldots, m_{\pi(n)}; \rho)$.

Fig. 5. Argument of Shuffle and Decryption of ElGamal Ciphertexts.
indistinguishability between simulated arguments and hybrid arguments. Furthermore, if both commitment schemes are statistically hiding, then we have statistical indistinguishability between simulated arguments and hybrid arguments.

Next, we argue that hybrid arguments and real arguments are indistinguishable. First, we note that $f_1, \ldots, f_n, Z, f, f_V, z_V$ have the same distribution in the two arguments. Let $r_1$ be the randomness used in forming $C_1$. In the hybrid argument we can compute $d_i = f_i - t_{\pi(i)}$, $d_V = f_V - e r_V$, $r_2 = z_V - e r_1$, $R_d = Z - \sum_{i=1}^n t_{\pi(i)} R_i$, $d_x = f - e x_s$. These values have the same distribution as they would have if chosen by a real prover. Furthermore, it is straightforward to verify that $c, c_d, U_d, V_d, D, U, C_1, C_2$ attain the same values as computed by a real prover. The only difference between hybrid arguments and real arguments is therefore in the simulation of the argument of knowledge of a shuffle of known contents. The SHVZK property of this argument of shuffle of known contents implies indistinguishability between hybrid arguments and real arguments. Moreover, if the argument of shuffle of known contents is statistical SHVZK then hybrid arguments and real arguments are statistically indistinguishable.

WITNESS-EXTENDED EMULATION. As in the proof of Theorem 2 we use an emulator that runs $\langle P, V\rangle$ and outputs the transcript. In case the argument is acceptable the emulator rewinds and runs $\langle P, V\rangle$ until it has $n + 3$ acceptable arguments. As in the proof of Theorem 2 we can prove that this emulator runs in expected polynomial time. As in the proof of Theorem 2, we can extract openings of $c$ and $c_d$. As argued there we can find a permutation $\pi$ so $c$ contains $\pi(1), \ldots, \pi(n)$. We call the opening of $c_d$ $-d_1, \ldots, -d_n$. This gives us $f_1, \ldots, f_n$ of the form $f_i = t_{\pi(i)} + d_i$. From the equations $y_s^e D = g^f$ and $y_s^{e'} D = g^{f'}$ we get $y_s^{e - e'} = g^{f - f'}$. If $e \neq e'$ we then have $y_s = g^{x_s}$, where $x_s = (f - f')(e - e')^{-1}$. This also means $D = g^f y_s^{-e} = g^{f - e x_s}$, so $D = g^{d_x}$, where $d_x = f - e x_s$. We now have $\pi$ and $x_s$, but still need to extract the randomizers $R_1, \ldots, R_n$.
We also have $C_1^e C_2 = COM_{CK}(f_V; z_V)$ and $C_1^{e'} C_2 = COM_{CK}(f'_V; z'_V)$, so $C_1^{e - e'} = COM_{CK}(f_V - f'_V; z_V - z'_V)$. By raising both sides to $(e - e')^{-1} \bmod Q$ we perform a root extraction and get an opening $r_V, r_1$ of $C_1$. From the opening of $C_1$, we can compute an opening $d_V, r_2$ of $C_2$. With overwhelming probability the prover must use $f_V = e r_V + d_V$ when forming acceptable arguments.

As in the proof of Theorem 2 we form the matrix $T$ containing challenge rows of the form $(t^{(j)}_1, \ldots, t^{(j)}_n, 1)$ for $j = 1, \ldots, n + 1$. Calling the entries of the transposed cofactor matrix $a_{kj}$, we have
\[
\sum_{j=1}^{n+1} a_{kj}\,(t^{(j)}_1, \ldots, t^{(j)}_n, 1) = (0, \ldots, 0, \det(T), 0, \ldots, 0),
\]
where $\det(T)$ is placed in position $k$. For all $j$, the verification gives us
\[
\prod_{i=1}^n u_i^{-t^{(j)}_i} \prod_{i=1}^n U_i^{t^{(j)}_{\pi(i)}} \Bigl(\prod_{i=1}^n U_i^{d_i} U_d\Bigr) = \prod_{i=1}^n u_i^{-t^{(j)}_i} \prod_{i=1}^n U_i^{f^{(j)}_i} U_d = g^{Z^{(j)}}.
\]
For all $k = 1, \ldots, n$ we have
\[
\begin{aligned}
\bigl(u_k^{-1} U_{\pi^{-1}(k)}\bigr)^{\det(T)}
&= \prod_{i=1}^n \bigl(u_i^{-1} U_{\pi^{-1}(i)}\bigr)^{\sum_{j=1}^{n+1} a_{kj} t^{(j)}_i} \Bigl(\prod_{i=1}^n U_i^{d_i} U_d\Bigr)^{\sum_{j=1}^{n+1} a_{kj}\cdot 1} \\
&= \prod_{j=1}^{n+1} \Bigl(\prod_{i=1}^n u_i^{-t^{(j)}_i} \prod_{i=1}^n U_{\pi^{-1}(i)}^{t^{(j)}_i} \prod_{i=1}^n U_i^{d_i} U_d\Bigr)^{a_{kj}} \\
&= \prod_{j=1}^{n+1} \Bigl(\prod_{i=1}^n u_i^{-t^{(j)}_i} \prod_{i=1}^n U_i^{f^{(j)}_i} U_d\Bigr)^{a_{kj}} \\
&= \prod_{j=1}^{n+1} \bigl(g^{Z^{(j)}}\bigr)^{a_{kj}} = g^{\sum_{j=1}^{n+1} a_{kj} Z^{(j)}}.
\end{aligned}
\]
Define $R_k = (\sum_{j=1}^{n+1} a_{kj} Z^{(j)}) \det(T)^{-1}$. Then we have $U_{\pi^{-1}(k)} = g^{R_{\pi^{-1}(k)}} u_k$.

The final part of the proof is to show that for all $i$ we have $V_i = Y^{R_i} v_{\pi(i)} u_{\pi(i)}^{-x_s}$. From the equations
\[
\Bigl(\prod_{i=1}^n u_i^{t^{(j)}_i}\Bigr)^{f^{(j)}} \Bigl(\prod_{i=1}^n v_i^{-t^{(j)}_i} \prod_{i=1}^n V_i^{f^{(j)}_i} V_d\Bigr)^{e^{(j)}} U^{(j)} = Y^{e^{(j)} Z^{(j)}} g^{f^{(j)}_V}
\]
we get
\[
\Bigl(\prod_{i=1}^n (v_i u_i^{-x_s})^{-t^{(j)}_i} \prod_{i=1}^n V_i^{f^{(j)}_i} V_d\, g^{-r_V}\Bigr)^{e^{(j)}} \prod_{i=1}^n u_i^{d_x t^{(j)}_i}\, U^{(j)} g^{-d_V} = Y^{e^{(j)} Z^{(j)}}.
\]
Given any challenge $t^{(j)}_1, \ldots, t^{(j)}_n$ there is negligible probability over $e^{(j)}$ of producing an acceptable argument unless $\prod_{i=1}^n (v_i u_i^{-x_s})^{-t^{(j)}_i} \prod_{i=1}^n V_i^{f^{(j)}_i} V_d\, g^{-r_V} = Y^{Z^{(j)}}$. Using the same matrix $T$ as before we get for $k = 1, \ldots, n$
\[
\begin{aligned}
\bigl(v_k^{-1} u_k^{x_s} V_{\pi^{-1}(k)}\bigr)^{\det(T)}
&= \prod_{i=1}^n \bigl(v_i^{-1} u_i^{x_s} V_{\pi^{-1}(i)}\bigr)^{\sum_{j=1}^{n+1} a_{kj} t^{(j)}_i} \Bigl(\prod_{i=1}^n V_i^{d_i} V_d\, g^{-r_V}\Bigr)^{\sum_{j=1}^{n+1} a_{kj}\cdot 1} \\
&= \prod_{j=1}^{n+1} \Bigl(\prod_{i=1}^n (v_i u_i^{-x_s})^{-t^{(j)}_i} \prod_{i=1}^n V_{\pi^{-1}(i)}^{t^{(j)}_i} \prod_{i=1}^n V_i^{d_i} V_d\, g^{-r_V}\Bigr)^{a_{kj}} \\
&= \prod_{j=1}^{n+1} \Bigl(\prod_{i=1}^n (v_i u_i^{-x_s})^{-t^{(j)}_i} \prod_{i=1}^n V_i^{f^{(j)}_i} V_d\, g^{-r_V}\Bigr)^{a_{kj}} \\
&= \prod_{j=1}^{n+1} \bigl(Y^{Z^{(j)}}\bigr)^{a_{kj}} = Y^{\sum_{j=1}^{n+1} a_{kj} Z^{(j)}}.
\end{aligned}
\]
We then have $V_{\pi^{-1}(k)} = Y^{R_{\pi^{-1}(k)}} v_k u_k^{-x_s}$.

Finally, if the commitment schemes are statistically binding, then the shuffle of known content is statistically sound with statistical witness-extended emulation and we have an SHVZK proof of a shuffle with statistical witness-extended emulation.

6 Speed, Space and Tricks

ADJUSTING THE KEY LENGTH OF THE COMMITMENT SCHEME. When carrying out the shuffle argument we use a homomorphic commitment scheme. If for instance we use the Pedersen commitment scheme, then the public key for the commitment scheme contains $n + 1$ elements and the cost of making a commitment is a multi-exponentiation of those $n + 1$ elements. Depending on the group sizes, it may be costly to compute and distribute such a long key. It is possible to trade off key length and computational cost when making a commitment. Assume for simplicity in the following that $n = kl$. Assume furthermore that we have a homomorphic commitment scheme that allows us to commit to $k$ elements at once. We can now commit to $n$ elements $m_1, \ldots, m_n$ by setting
\[
c = (c_1, \ldots, c_l) \leftarrow \bigl(com_{ck}(m_1, \ldots, m_k), \ldots, com_{ck}(m_{k(l-1)+1}, \ldots, m_{kl})\bigr).
\]
Using the Pedersen commitment scheme, this forces us to make $l$ multi-exponentiations of $k + 1$ elements when making a commitment, but permits a shorter public key.

BATCH VERIFICATION. In the verification phase, the argument of shuffle of known contents has us checking $c^e c_d = com_{ck}(f_1, \ldots, f_n; z)$ and $c_a^e c_\Delta = com_{ck}(f_{\Delta 1}, \ldots, f_{\Delta(n-1)}, 0; z_\Delta)$. Here we have implemented the latter commitment, which is a commitment to $n - 1$ elements, by using the $n$-element commitment and adding a dummy zero. We note that the important thing here is not the fact that $z$ is the randomizer, but rather that we know some randomizer such that the above equations hold. If we use one of the commitment schemes suggested in Section 2.3 we can verify both commitments at once using randomization techniques. Namely, pick $\alpha \leftarrow \{0,1\}^{l_e}$ at random and verify
\[
(c^e c_d)^\alpha\, c_a^e c_\Delta = com_{ck}(\alpha f_1 + f_{\Delta 1}, \ldots, \alpha f_n + 0;\ \alpha z + z_\Delta).
\]
Suppose this equality holds for two different $\alpha, \alpha'$; then $\bigl((c^e c_d)^{-1} com_{ck}(f_1, \ldots, f_n; z)\bigr)^{\alpha - \alpha'} = com_{ck}(0, \ldots, 0; 0)$. We can now run the root extractor to find $u$ so $(c^e c_d)^{-1} com_{ck}(f_1, \ldots, f_n; z) = com_{ck}(0, \ldots, 0; u)$. In other words, we have an opening $f_1, \ldots, f_n, z - u$ of $c^e c_d$. We also have an opening $f_{\Delta 1}, \ldots, f_{\Delta(n-1)}, 0, \alpha u + z_\Delta$ of $c_a^e c_\Delta$. This means that with overwhelming probability we can find openings of $c^e c_d$ and $c_a^e c_\Delta$ to respectively $f_1, \ldots, f_n$ and $f_{\Delta 1}, \ldots, f_{\Delta(n-1)}$.
The randomization method generalizes to the case where we have multiple commitment equations to verify. As the number of commitment equations to be verified increases, the cost for each verification goes down. Moreover, if we use a key with $k + 1$ elements for the commitments, then we have $l$ commitments that we can verify with these techniques. We have $c = (c_1, \ldots, c_l)$, $c_d = (c_{d,1}, \ldots, c_{d,l})$, $c_a = (c_{a,1}, \ldots, c_{a,l})$, $c_\Delta = (c_{\Delta,1}, \ldots, c_{\Delta,l})$. We pick $\alpha_1, \ldots, \alpha_l, \beta_1, \ldots, \beta_l \leftarrow \{0,1\}^{l}$ and verify
\[
\Bigl(\prod_{j=1}^{l} c_j^{\alpha_j} c_{a,j}^{\beta_j}\Bigr)^{e} \prod_{j=1}^{l} c_{d,j}^{\alpha_j} c_{\Delta,j}^{\beta_j}
= com_{ck}\Bigl(\sum_{j=1}^{l} (\alpha_j f_{k(j-1)+1} + \beta_j f_{\Delta, k(j-1)+1}), \ldots, \sum_{j=1}^{l} (\alpha_j f_{kj} + \beta_j f_{\Delta, kj});\ \sum_{j=1}^{l} (\alpha_j z_j + \beta_j z_{\Delta,j})\Bigr).
\]
This costs $4l + k + 2$ exponentiations, mostly to $l_e$-bit exponents. If for instance $k \approx \sqrt{n}$, then the price is approximately $5\sqrt{n}$ exponentiations. Using the straightforward non-randomized approach, we would end up making $2n + 4l$ exponentiations.

Randomization can also bring down the cost of ciphertext exponentiation in the verification process. Suppose for instance we are using the shuffle in a mix-net; then the output ciphertexts from one shuffle will be the input ciphertexts of another shuffle. Calling the output ciphertexts of shuffle $j$ $E_{1,j}, \ldots, E_{n,j}$, we have to check for all $j$ that $\prod_{i=1}^n E_{i,j-1}^{-t_{i,j}} \prod_{i=1}^n E_{i,j}^{f_{i,j}} E_{d,j} = E_{pk}(1; Z_j)$. Assume the order of the ciphertext space has no prime divisors smaller than $2^l$. Suppose we perform a total of $N$ shuffles. Picking $\alpha_0 = 0$, $\alpha_{N+1} = 0$ and $\alpha_1, \ldots, \alpha_N \leftarrow \{0,1\}^l$ at random we can check
\[
\prod_{j=1}^{N} \Bigl(\prod_{i=1}^n E_{i,j-1}^{-\alpha_j t_{i,j}} \prod_{i=1}^n E_{i,j}^{\alpha_j f_{i,j}} E_{d,j}^{\alpha_j}\Bigr)
= \prod_{j=0}^{N} \Bigl(\prod_{i=1}^n E_{i,j}^{-\alpha_{j+1} t_{i,j+1} + \alpha_j f_{i,j}} E_{d,j}^{\alpha_j}\Bigr)
= E_{pk}\Bigl(1; \sum_{j=1}^{N} \alpha_j Z_j\Bigr).
\]
This test has at most probability $2^{-l}$ of passing if any of the $N$ equations is false. The straightforward approach calls for $N$ multi-exponentiations of $2n$ ciphertexts. With the randomized method, we only make one multi-exponentiation of $N(n + 1)$ ciphertexts. Even though the exponents are $l$ bits longer, this is a significant gain.

ONLINE/OFFLINE. Many of the prover's computations can be pre-computed.
We can select $R_1, \ldots, R_n$ in advance and compute the rerandomization factors $E_{pk}(1; R_1), \ldots, E_{pk}(1; R_n)$. This way the shuffle itself can be done very quickly. In the argument of shuffle of known contents we can compute $c_d, c_\Delta$ in advance, and in the argument of shuffle of homomorphic ciphertexts we can compute $c$ and $c_d$ in advance. This leaves us with the task of computing $c_a$ in the argument of correctness of known contents, and in the shuffle of homomorphic ciphertexts we need to compute $E_d$.

MULTI-EXPONENTIATION TECHNIQUES. While pre-computation and randomization lessen the burden for respectively the prover and the verifier, there is still something
that remains. The prover has to compute $E_d = \prod_{i=1}^n E_i^{-d_i} E_{pk}(1; R_d)$, containing a multi-exponentiation of $n$ ciphertexts. Likewise, the verifier will also have to compute a multi-exponentiation of many ciphertexts. These are typically the most expensive operations the prover, respectively the verifier, will run into. While most multi-exponentiation techniques focus on relatively few elements, our situation is different. First, all the ciphertexts are different and cannot be guessed beforehand, so pre-computation is not that useful. Second, we have a huge number of ciphertexts. Lim [34] has suggested a method for precisely this situation that uses relatively few multiplications. Using his methods, the cost of the multi-exponentiation corresponds to $O(n / \log n)$ single exponentiations of ciphertexts. Multi-exponentiation techniques can of course also be applied when computing the commitments and in any pre-computation phase.

REDUCING THE LENGTH OF THE EXPONENTS. The easiest case is when both the commitment scheme and the cryptosystem have a message space of the same order. Suppose for instance that we are shuffling ElGamal ciphertexts where the message space has prime order $q$. As a commitment scheme, we can then pick the Pedersen commitment scheme with message space $\mathbb{Z}_q$. This allows us to reduce all exponents modulo $q$.

In some cases, voting for instance, it may be important that the messages be protected for a long time into the future. For this reason, we may for instance select ElGamal encryption with a large modulus as the cryptosystem. However, the verification of the argument may be something that takes place right away, so soundness only has to hold a short time into the future. Since the Pedersen commitment scheme is statistically hiding, we get a statistically hiding argument for the correctness of a shuffle and do not need to worry about the argument itself revealing the messages or the permutation. We can therefore use a Pedersen commitment scheme with a relatively short modulus. The only important thing here is that the orders of the message spaces match.
Of course, there may be situations where we have a huge message space for the cryptosystem. In this case, the cost of a correspondingly large message space for the commitment scheme may be prohibitive. If we are using the Fiat-Shamir heuristic to compute the challenges, another trick may bring down the length of the exponents. Recall that we choose l_s to be large enough so that d and a + d are statistically indistinguishable when d is chosen as a random (|a| + l_s)-bit number. A reasonable choice would be l_s = 80. However, in the Fiat-Shamir heuristic we may get by with a much smaller l_s, for instance l_s = 20. The idea is to check that we do not create an underflow or overflow that reveals the number we are trying to hide. Therefore, if we are trying to hide a message a ∈ {0, 1}^{l_a}, then we choose d as a random (l_a + l_s)-bit number and compute a + d. However, if a + d ∉ [2^{l_a}; 2^{l_a + l_s}) we start over again. This distribution hides a perfectly, but does of course increase the risk of having to start over again if at some point we do not end up within the interval. However, with a suitable choice of l_s the gain we get from having shorter exponents outweighs the small risk of having to start over again.

PICKING THE CHALLENGES. The important part when we pick t_1, ..., t_n is that n + 1 random vectors of the form (t_1^{(j)}, ..., t_n^{(j)}, 1) should have overwhelming chance of being linearly independent. This is the property that makes the proof of witness-extended emulation go through.
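The rejection-sampled masking just described, as an added worked example (Python; this is not code from the paper). It puts the plain response a + d, whose leakage is only bounded statistically, next to the rejection-sampled one, and enumerates the accepted responses for toy parameters l_a = 3, l_s = 2 to show that the distribution is the same for every a. The parameters and the function names are this example's own.

```python
"""Masking a secret exponent a with a random d (Fiat-Shamir setting).

Added illustration, not the paper's code. plain_mask is the usual response
with a large l_s; rejection_mask restarts unless a + d lands in
[2^la, 2^(la+ls)) and therefore hides a perfectly with a much smaller l_s.
Toy parameters only."""

import secrets
from collections import Counter


def plain_mask(a, la, ls, rng=None):
    """d <- [0, 2^(la+ls)); response a + d, no rejection."""
    rng = rng or secrets.SystemRandom()
    d = rng.randrange(1 << (la + ls))
    return a + d, d


def plain_statistical_distance(a, la, ls):
    """Exact statistical distance between a + d and d for plain_mask:
    the two uniform distributions overlap on all but a points, so it is
    a / 2^(la+ls) < 2^-ls. This is why ls = 80 is needed without rejection."""
    return a / (1 << (la + ls))


def rejection_mask(a, la, ls, rng=None):
    """Resample d until a + d in [2^la, 2^(la+ls)). Returns (a + d, d, tries).
    Whatever a is, an accepted response is uniform on that interval."""
    rng = rng or secrets.SystemRandom()
    assert 0 <= a < (1 << la), "a must be an la-bit value"
    lo, hi = 1 << la, 1 << (la + ls)
    tries = 0
    while True:
        tries += 1
        d = rng.randrange(hi)
        if lo <= a + d < hi:
            return a + d, d, tries


def response_distribution(a, la, ls):
    """Exact distribution of the accepted response, found by enumerating every
    d (feasible only for toy la, ls). Returns {response: count}."""
    lo, hi = 1 << la, 1 << (la + ls)
    return Counter(a + d for d in range(hi) if lo <= a + d < hi)


def acceptance_probability(la, ls):
    """Fraction of d accepted: (2^(la+ls) - 2^la) / 2^(la+ls) = 1 - 2^-ls,
    independent of a; the expected number of restarts is 2^-ls / (1 - 2^-ls)."""
    hi = 1 << (la + ls)
    return (hi - (1 << la)) / hi


if __name__ == "__main__":
    la, ls = 3, 2
    for a in (0, 5, 7):
        dist = response_distribution(a, la, ls)
        print(a, sorted(dist), "uniform:", set(dist.values()) == {1})
    print("accept with probability", acceptance_probability(la, ls))
    print("160-bit a, ls = 20:", rejection_mask(secrets.randbits(160), 160, 20)[2], "tries")
```

Note that the restart is invisible to the verifier only because the challenge is derived by hashing in the Fiat-Shamir setting; in the interactive protocol a restart would leak that a + d fell outside the interval, which is exactly why the text restricts the trick to the non-interactive case.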
Instead of the verifier picking all of t_1, ..., t_n at random, he may instead pick a seed t for a pseudorandom number generator at random. Then t_1, ..., t_n are generated from this number generator. There is overwhelming probability that n + 1 vectors (t_1^{(j)}, ..., t_n^{(j)}, 1) generated from seeds t^{(j)} are linearly independent. Furthermore, now we only have to pick a random seed and transmit this instead of picking n elements t_1, ..., t_n as the challenge. In cases where the verifier is implemented as a multi-party computation, this may be a significant simplification of the protocol. In case the cryptosystem has a message space of order q and the commitment scheme uses message space Z_q, we just need linear independence over Z_q. One way to obtain this is by picking t at random and setting t_1 = t^1, ..., t_n = t^n. Vectors of the form (1, (t^{(j)})^1, ..., (t^{(j)})^n) correspond to rows in a Vandermonde matrix. The vectors are independent, since the determinant is non-zero, as long as the seeds t^{(0)}, ..., t^{(n)} are distinct. If we are using multi-party computation, then we can let each server pick a random input to a collision-free hash function. As long as one of them is honest, the collision-freeness of the hash function ensures that many such runs would give different seeds t^{(0)}, ..., t^{(n)}, and thus we would obtain the needed linear independence. We can also use a hash function to pick x, λ and e; all we need is collision-freeness. This way we get witness-extended emulation as long as at least one of the verifiers is honest. However, we may not have a uniform distribution on the outputs of the hash function, so we may need to apply standard techniques [24] to retain the zero-knowledge property.

PARALLEL SHUFFLING. As observed by Neff [36], if we have many sets of ciphertexts that we want to shuffle using the same permutation, we can recycle many parts of the protocol. We only need one set of challenges t_1, ..., t_n, λ, x, e; the argument for shuffle of known contents can be reused and so can c, c_d, f_1, ..., f_n.
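The seeded Vandermonde challenges above, as an added worked example (Python; this is not code from the paper). SHA-256 with a fixed domain tag stands in for the collision-free hash, the prime q = 2^255 − 19 and the seed strings are constructed for the example, and the determinant is computed over Z_q by Gaussian elimination, so distinct seeds give a non-zero determinant and a repeated seed gives zero. The multi-party variant hashes the length-prefixed concatenation of every verifier's contribution.

```python
"""Deriving t_1..t_n from a seed and checking the Vandermonde independence.

Added illustration, not the paper's code. t = H(seed) mod q, t_i = t^i, and
the n+1 rows (1, t^(j), ..., (t^(j))^n) form a Vandermonde matrix whose
determinant mod q is non-zero exactly when the t^(j) are distinct. SHA-256
with a domain tag is this example's stand-in for the hash function."""

import hashlib


def seed_to_t(seed: bytes, q: int) -> int:
    """Hash the seed and reduce into Z_q (assumed instantiation of H)."""
    digest = hashlib.sha256(b"shuffle-challenge|" + seed).digest()
    return int.from_bytes(digest, "big") % q


def challenges(seed: bytes, n: int, q: int):
    """t_1 = t^1, ..., t_n = t^n for t derived from the seed."""
    t = seed_to_t(seed, q)
    return [pow(t, i, q) for i in range(1, n + 1)]


def combined_seed(contributions):
    """Multi-party variant: each verifier contributes one random string and the
    seed is the hash of all of them. Length prefixes keep the encoding
    unambiguous, so one honest contribution already makes the seed fresh."""
    h = hashlib.sha256()
    for c in contributions:
        h.update(len(c).to_bytes(4, "big") + c)
    return h.digest()


def det_mod_q(matrix, q):
    """Determinant over the field Z_q (q prime) by Gaussian elimination."""
    m = [row[:] for row in matrix]
    n = len(m)
    det = 1
    for col in range(n):
        pivot = next((r for r in range(col, n) if m[r][col] % q), None)
        if pivot is None:
            return 0
        if pivot != col:
            m[col], m[pivot] = m[pivot], m[col]
            det = -det
        det = det * m[col][col] % q
        inv = pow(m[col][col], -1, q)
        for r in range(col + 1, n):
            f = m[r][col] * inv % q
            if f:
                m[r] = [(x - f * y) % q for x, y in zip(m[r], m[col])]
    return det % q


def challenge_matrix(seeds, n, q):
    """One row (1, t_1^(j), ..., t_n^(j)) per seed t^(j); needs n + 1 seeds."""
    assert len(seeds) == n + 1, "need n + 1 transcripts for n challenges"
    return [[1] + challenges(s, n, q) for s in seeds]


def independent(seeds, n, q):
    """True iff the n + 1 challenge vectors are linearly independent over Z_q."""
    return det_mod_q(challenge_matrix(seeds, n, q), q) != 0


if __name__ == "__main__":
    q = 2**255 - 19
    seeds = [combined_seed([b"server-A-%d" % j, b"server-B"]) for j in range(6)]
    print("distinct seeds independent:", independent(seeds, 5, q))
    print("repeated seed independent:", independent(seeds[:5] + [seeds[0]], 5, q))
```

With a 160-bit or larger q the chance that two hash-derived seeds collide in Z_q is negligible, which is the only event that makes the determinant vanish; the determinant check is what the extractor relies on in the witness-extended emulation argument.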
The only extra work the prover needs to do is to compute a separate E_d for each of the sets and correspondingly send a Z to the verifier for each of the sets. The verifier will then for each of the sets verify ∏_{i=1}^n e_i^{-t_i} ∏_{i=1}^n E_i^{f_i} E_d = E_pk(1; Z). The extra cost for the prover, for each additional set, is a multi-exponentiation of n ciphertexts when computing E_d. For the verifier, each additional set costs a multi-exponentiation of 2n ciphertexts.

SELECTING THE CRYPTOSYSTEM FOR A MIX-NET. Throughout the paper we have assumed that the input and output ciphertexts were valid ciphertexts. When designing a mix-net, for instance using the shuffle arguments presented here, it is of course relevant to verify that the input and output ciphertexts are indeed valid. Attacks exist [54] that will compromise the privacy of the mix-net if this check is not performed. We will comment on how an ElGamal cryptosystem can be set up such that this check of the ciphertexts can be done efficiently and be integrated with the argument of correctness of a shuffle. Let p = 2q p_1 ··· p_k + 1, where q, p_1, ..., p_k are distinct primes larger than some bound 2^l. We let g be a randomly chosen generator of the unique subgroup G_q of order q. We choose the secret key x ∈ Z_q and set y = g^x. To encrypt a message m ∈ G_q we choose (b_1, b_2, r) ∈ {−1, 1} × {−1, 1} × Z_q and return the ciphertext (b_1 g^r, b_2 y^r m). This cryptosystem allows for an efficient batch-verification of membership in C_pk = ±G_q × ±G_q. Assume we have ElGamal ciphertexts (u_1, v_1), ..., (u_n, v_n). We choose α_1, ..., α_n ∈ [0; 2^l) and check whether (∏_{i=1}^n u_i^{α_i})^q = ±1 and (∏_{i=1}^n v_i^{α_i})^q = ±1. The tests have probability at most 2^{-l} of passing if any of the ciphertexts does not belong to C_pk. If we use l = l_e we may use t_1, ..., t_n as our α_1, ..., α_n. We check in the shuffle argument that ∏_{i=1}^n u_i^{-t_i} ∏_{i=1}^n U_i^{f_i} U_d = ±g^Z and ∏_{i=1}^n v_i^{-t_i} ∏_{i=1}^n V_i^{f_i} V_d = ±y^Z. As a side effect of these computations we get ∏_{i=1}^n u_i^{t_i} and ∏_{i=1}^n v_i^{t_i}. It only costs a couple of exponentiations more to test (∏_{i=1}^n u_i^{t_i})^q = ±1 and (∏_{i=1}^n v_i^{t_i})^q = ±1. The test of validity of the ciphertexts therefore comes at a very low cost. Of course the output ciphertexts can be incorporated into the verification in a similar manner.

7 Comparison of Shuffle Arguments

The literature contains several arguments and proofs for correctness of a shuffle. The most efficient arguments and proofs generally follow one of two paradigms. In the paradigm of Furukawa and Sako [20] we commit to a permutation matrix and subsequently argue that we indeed committed to a permutation matrix and furthermore that we have shuffled the ciphertexts using the same permutation. This idea was improved by Furukawa [18]. The second paradigm, used in this paper, was suggested by Neff [36]. In this paradigm one uses the fact that polynomials are stable under permutation of the roots. Both paradigms have their merits; here we will compare them and give a rough guide to which one to use.

7.1 SHVZK Proof

The schemes based on permutation matrices are arguments, and we see no way to turn them into SHVZK proofs. If the situation calls for an SHVZK proof we therefore recommend following the Neff paradigm. An unfortunate consequence is that this paradigm leads to 7-move SHVZK proofs, so if both unconditional soundness and low round complexity are desirable then we are in trouble. It is an interesting open problem to come up with a highly efficient 3-move SHVZK proof for correctness of a shuffle. Our shuffle argument can be used for many different cryptosystems. Neff [36, 37] investigated the case of ElGamal encryption, which we will look a little closer at now.
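The ±G_q ElGamal setup and the batched membership test described under SELECTING THE CRYPTOSYSTEM FOR A MIX-NET, as an added worked example (Python; this is not the paper's code). It searches for toy parameters p = 2 q p_1 p_2 + 1 with q, p_1, p_2 > 2^8, encrypts with random signs, shuffles with precomputed rerandomization factors as in the pre-computation paragraph above, decrypts with the sign stripped, and runs the batch test on the valid inputs, on the shuffled outputs, and on an input whose first component has been multiplied by an element of order p_1. The parameter search, the toy bit length l = 8 and the function names are this example's own.

```python
"""ElGamal over ±G_q with batched ciphertext validity checking.

Added example, not code from the paper. p = 2 q p_1 ... p_k + 1 with every
prime factor above 2^l, ciphertexts (b_1 g^r, b_2 y^r m) with b_i = ±1, and
the verifier's batch test (prod u_i^a_i)^q = ±1, (prod v_i^a_i)^q = ±1.
The parameter search and the toy size l are constructed here."""

import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
SYSRAND = secrets.SystemRandom()


def is_prime(n):
    """Trial division plus Miller-Rabin; these bases are deterministic below 3e23."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(n):
    n += 1
    while not is_prime(n):
        n += 1
    return n


def element_of_order(p, order):
    """h^((p-1)/order) for the first h that does not collapse to 1."""
    cofactor = (p - 1) // order
    h = 2
    while pow(h, cofactor, p) == 1:
        h += 1
    return pow(h, cofactor, p)


def setup(l=8, k=2):
    """Distinct primes q < p_1 < ... < p_k, all > 2^l, with p = 2 q p_1...p_k + 1
    prime. Returns (p, q, [p_i], g) where g generates the order-q subgroup G_q."""
    q = next_prime(1 << l)
    ps = [q]
    for _ in range(k):
        ps.append(next_prime(ps[-1]))
    ps = ps[1:]
    while True:
        p = 2 * q
        for pi in ps:
            p *= pi
        p += 1
        if is_prime(p):
            return p, q, ps, element_of_order(p, q)
        ps[-1] = next_prime(ps[-1])  # try the next cofactor prime


def keygen(p, q, g):
    x = SYSRAND.randrange(1, q)
    return x, pow(g, x, p)


def encrypt(p, q, g, y, m):
    """m must lie in G_q. Random signs put the ciphertext in ±G_q x ±G_q."""
    r = SYSRAND.randrange(q)
    b1, b2 = SYSRAND.choice((1, p - 1)), SYSRAND.choice((1, p - 1))
    return b1 * pow(g, r, p) % p, b2 * pow(y, r, p) * m % p


def decrypt(p, q, x, ct):
    """v / u^x is ±m; the sign is stripped by testing membership in G_q."""
    u, v = ct
    m = v * pow(u, -x, p) % p
    return m if pow(m, q, p) == 1 else p - m


def shuffle(p, cts, perm, factors):
    """E_i = e_{perm(i)} * E_pk(1; R_i), with the factors computed beforehand."""
    return [(cts[j][0] * f[0] % p, cts[j][1] * f[1] % p) for j, f in zip(perm, factors)]


def batch_check(p, q, cts, alphas):
    """Verifier's membership test for all ciphertexts at once. A ciphertext
    outside ±G_q x ±G_q passes with probability at most 2^-l for alphas drawn
    from [0, 2^l). Returns (ok, prod u_i^a_i, prod v_i^a_i); the two products
    are what the shuffle verification with alpha_i = t_i computes anyway, so
    the test adds only the two q-th powers."""
    U = V = 1
    for (u, v), a in zip(cts, alphas):
        U = U * pow(u, a, p) % p
        V = V * pow(v, a, p) % p
    ok = pow(U, q, p) in (1, p - 1) and pow(V, q, p) in (1, p - 1)
    return ok, U, V


def demo(n=8, l=8):
    """Returns (inputs valid, shuffled outputs valid, plaintexts preserved,
    tampered input rejected) for a constructed instance."""
    p, q, ps, g = setup(l)
    x, y = keygen(p, q, g)
    msgs = [pow(g, SYSRAND.randrange(q), p) for _ in range(n)]
    cts = [encrypt(p, q, g, y, m) for m in msgs]
    alphas = [SYSRAND.randrange(1, 1 << l) for _ in range(n)]  # non-zero challenges
    perm = list(range(n))
    SYSRAND.shuffle(perm)
    out = shuffle(p, cts, perm, [encrypt(p, q, g, y, 1) for _ in range(n)])
    preserved = sorted(decrypt(p, q, x, c) for c in out) == sorted(msgs)
    bad = list(cts)
    bad[0] = (bad[0][0] * element_of_order(p, ps[0]) % p, bad[0][1])  # order-p_1 part
    return (batch_check(p, q, cts, alphas)[0], batch_check(p, q, out, alphas)[0],
            preserved, batch_check(p, q, bad, alphas)[0])


if __name__ == "__main__":
    print(demo())
```

The tampered input is rejected deterministically here because its challenge α_1 is non-zero and smaller than p_1, so the order-p_1 component survives the product; with a zero challenge it would slip through, which is the 2^{-l} term in the text and the reason the bound 2^l must stay below every p_i.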
For SHVZK proofs it is reasonable to use groups of the same size both for the cryptosystem and for the commitment scheme, since typically they will both be governed by the same security parameter, chosen so that both the cryptosystem and the SHVZK proof keep the permutation secret. Therefore, we do not need to distinguish between exponentiations for the cryptosystem and exponentiations for the commitments; their cost is comparable. Neff [37] suggests an SHVZK proof where the prover uses 8n exponentiations and the verifier uses 12n exponentiations, where n is the number of ciphertexts in the shuffle. This has been improved to 8n exponentiations for the prover and 10n exponentiations for the verifier [38]. In comparison, in our scheme using the statistically binding commitment scheme from Section 2.3 the prover uses 7n exponentiations and the verifier 9n exponentiations. However, whereas Neff's scheme only relies on a DDH group wherein his cryptosystem is set, our scheme needs a common reference string with a commitment key to get this kind of efficiency. To make the setting completely comparable, we could let the prover select the unconditionally binding commitment key and send it to the verifier in the first round. By adjusting the commitment key length to a key for committing to √n elements at a time, we still get slightly better performance.

7.2 SHVZK Argument

ELGAMAL ENCRYPTION. For ease of comparison with other arguments for correctness of a shuffle in the literature, we will evaluate our scheme using ElGamal encryption and Pedersen commitments with primes q, p where q | p − 1, |q| = 160 and |p| = [missing]. Whether this choice is reasonable depends on the application of the shuffle. As argued earlier, when we use statistically hiding commitments and the verification takes place shortly after the shuffle, we only need from the argument that the soundness holds a short time into the future. In this case the binding property of the commitment scheme only needs to be temporary, so it is reasonable to choose a small security parameter. For the commitment scheme |p| = 1024 may therefore be reasonable enough. For higher efficiency we might also decide to use elliptic curve groups for the commitment scheme. On the other hand, in some cases we need strong guarantees that the cryptosystem does not reveal anything about the messages many years into the future. In such a case it would be reasonable to choose a larger security parameter for the cryptosystem.

The permutation matrix based approach was suggested by Furukawa and Sako [20]. Their scheme is not SHVZK [19], but it does satisfy a weaker security notion called indistinguishability under chosen permutation attack, IND-CPA, as defined by Nguyen, Safavi-Naini and Kurosawa [41].² In Furukawa and Sako's argument the prover uses 8n exponentiations and the verifier 10n exponentiations.

² IND-CPA security considers an adversary that does not know the secret key for the cryptosystem. The adversary chooses two permutations and sees a shuffle under one of the permutations and an argument for correctness of the shuffle. The argument is IND-CPA secure if the adversary cannot distinguish which permutation was used.

Furukawa [18] suggests a 3-move SHVZK argument where both the prover and the verifier use 9n exponentiations. He observes that letting q ≡ 2 mod 3 allows a simplification of the protocol. Groth and Lu [27] use this simplification to get an SHVZK argument that for ElGamal encryption is very similar to Furukawa's scheme. In that scheme the prover uses 7n exponentiations and the verifier 8n exponentiations. In comparison, our scheme uses 6n exponentiations for both the prover and the verifier. In the earlier version [23] the communication complexity was higher and the scheme was less fit for multi-exponentiation, so we list both results separately. Table 1 summarizes the complexities of the various arguments for correctness of shuffling ElGamal ciphertexts without using randomization or batching in the verification.

Table 1.³ Comparison of shuffle arguments for ElGamal encryption.

                                  Furukawa-Sako [20]   Groth [23]   Furukawa [18, 27]   proposed
  Prover (single expo.)           8n                   6n           7n                  6n
  Verifier (single expo.)         10n                  6n           8n                  6n⁴
  Prover's communication (bits)   5120n                1184n        1344n               480n⁵
  Rounds
  Common reference string (bits)  1024n                adjustable   1024n               adjustable
  Privacy                         IND-CPA              SHVZK        SHVZK               SHVZK

³ Table 1 does not include the cost of shuffling itself; it only tabulates the cost of the SHVZK argument.
⁴ At first glance it might look like the verifier should use 7n exponentiations to verify the shuffle. However, the commitment to f_1, ..., f_n in the full SHVZK argument for a shuffle and the commitment to f_1, ..., f_n in the SHVZK shuffle of known contents can be combined such that only one commitment needs to be computed by the verifier. This saves n exponentiations and makes the verifier's computational complexity 6n exponentiations.
⁵ It is possible to reduce the communication complexity of our scheme further to 320n bits [24] by combining parts of the argument of shuffle of known contents and the full shuffle argument.

Table 1 should of course be read with care. More important than the number of single exponentiations is what happens when we use randomization, batching and multi-exponentiation techniques. As described in Section 6 our scheme is well suited to take advantage of such techniques. We therefore obtain better efficiency than the other schemes and more flexibility in terms of trading off key length and computational efficiency.

PAILLIER ENCRYPTION. Several arguments for correctness of a shuffle of Paillier ciphertexts have also been suggested. Most of these arguments follow the Furukawa-Sako paradigm and yield 3-round arguments. Nguyen, Safavi-Naini and Kurosawa [41] were the first to suggest a 3-round argument for correctness of a shuffle for Paillier encryption. They were followed by Onodera and Tanaka [45], who achieved much better efficiency. Recently Groth and Lu [27] have suggested a shuffle argument based on homomorphic integer commitments as well as one that uses ideas from Furukawa [18]; we include the latter scheme in the table. In Table 2 we compare the arguments for correctness of a shuffle of Paillier ciphertexts. The parameters we have chosen are a 1024-bit Paillier modulus, which gives 2048-bit ciphertexts, 160-bit challenges and, for statistical hiding, l_s = 80. We base our scheme on Pedersen commitments with primes |p| = 1024, |q| = 240. To measure the prover's and the verifier's computational loads we count the number of exponentiations with 1024-bit exponents using a 2048-bit modulus. We assume that the computational load grows linearly in the length of the exponent and quadratically in the length of the modulus. As for ElGamal encryption, the table should be read with care since multi-exponentiation and batch-verification techniques can improve the performance of the schemes.

Table 2. Comparison of shuffle arguments for Paillier encryption.

                                  Nguyen et al. [41]   Onodera-Tanaka [45]   Groth-Lu [27]   proposed
  Prover (single expo.)           9n                   1.3n                  0.7n            0.4n
  Verifier (single expo.)         8n                   0.7n                  0.7n            0.5n
  Prover's communication (bits)   9216n                2413n                 1664n           720n
  Rounds
  Common reference string (bits)  2048n                1024n                 1024n           adjustable
  Privacy                         IND-CPA              SHVZK                 SHVZK           SHVZK

CONCLUSION. For situations where round complexity matters, the permutation matrix based approach gives us 3-move schemes and seems like the best choice. In cases where round complexity is of less importance, the scheme we have suggested here is the best choice. As described in Section 6 we can adjust the length of the common reference string, so the cost of commitment key generation is not too large. Moreover, our scheme offers the best computational and communication complexities. In particular, if we are using the Fiat-Shamir heuristic to make the shuffle argument non-interactive, then round complexity does not matter much and the present scheme is the superior choice.

7.3 SHVZK Argument for Shuffle of Known Contents

We have suggested a 4-move SHVZK argument for shuffle of known contents. When implemented with Pedersen commitments this argument requires the prover to make 3n exponentiations and the verifier to make 2n exponentiations. The communication complexity is 320n bits sent from the prover. If we implement the argument with the statistically binding commitment from Section 2.3, the prover makes 3n exponentiations and the verifier makes 4n exponentiations. We do not know of other SHVZK arguments for shuffle of known contents in the literature. In cases where we only need an SHVZK argument for shuffle of known contents [26], our scheme offers a significant saving in comparison with a full shuffle argument.
7.4 Combined SHVZK Argument for Shuffle and Decryption

The 7-move SHVZK argument for a shuffle-and-decrypt operation for ElGamal encryption costs 6n exponentiations for the prover and 7n exponentiations for the verifier. The prover sends 480n bits to the verifier when making the argument, if we use the parameters suggested earlier. In comparison, Furukawa [18] suggests a 5-move argument, which is not SHVZK but instead has a witness hiding property. In his argument the prover uses 6n exponentiations and 1344n bits of communication and the verifier uses 8n exponentiations. If we implement our scheme as an SHVZK proof, then the prover uses 8n exponentiations and the verifier uses 10n exponentiations.

8 Acknowledgments

We greatly appreciate discussions we have had with Heiko Stamer and would like to thank him for sharing the insights gained from his implementation of the protocols in the paper [52]. We would also like to thank C. Andrew Neff for sharing drafts of related work [38] with us.

References

1. Masayuki Abe. Universally verifiable mix-net with verification work independent of the number of mix-servers. In proceedings of EUROCRYPT '98, LNCS series, volume 1403.
2. Masayuki Abe and Fumitaka Hoshino. Remarks on mix-network based on permutation networks. In proceedings of PKC '01, LNCS series, volume 1992.
3. Masayuki Abe and Hideki Imai. Flaws in some robust optimistic mix-nets. In proceedings of ACISP '03, LNCS series, volume 2727, pages 39–50.
4. Mihir Bellare and Oded Goldreich. On defining proofs of knowledge. In proceedings of CRYPTO '92, LNCS series, volume 740.
5. Mihir Bellare and Phillip Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM CCS '93, pages 62–73.
6. Dan Boneh and Philippe Golle. Almost entirely correct mixing with applications to voting. In ACM CCS '02, pages 68–77.
7. Felix Brandt. Efficient cryptographic protocol design based on distributed El Gamal encryption. In proceedings of ICISC '05, LNCS series, volume 3935, pages 32–47.
8. David Chaum. Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM, 24(2):84–88.
9. Ronald Cramer, Ivan Damgård, and Berry Schoenmakers. Proofs of partial knowledge and simplified design of witness hiding protocols. In proceedings of CRYPTO '94, LNCS series, volume 893.
10. Ronald Cramer and Victor Shoup. Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. In proceedings of CRYPTO '98, LNCS series, volume 1462, pages 13–25. Full paper available online.
11. Ivan Damgård. Efficient concurrent zero-knowledge in the auxiliary string model. In proceedings of EUROCRYPT 2000, LNCS series, volume 1807.
12. Ivan Damgård and Eiichiro Fujisaki. A statistically-hiding integer commitment scheme based on groups with hidden order. In proceedings of ASIACRYPT '02, LNCS series, volume 2501.
13. Ivan Damgård and Mads J. Jurik. A generalisation, a simplification and some applications of Paillier's probabilistic public-key system. In proceedings of PKC '01, LNCS series, volume 1992, 2001.
14. Ivan Damgård and Mads J. Jurik. A length-flexible threshold cryptosystem with applications. In proceedings of ACISP '03, LNCS series, volume 2727.
15. Yvo Desmedt and Kaoru Kurosawa. How to break a practical MIX and design a new one. In proceedings of EUROCRYPT 2000, LNCS series, volume 1807.
16. Taher ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Transactions on Information Theory, 31(4).
17. Eiichiro Fujisaki and Tatsuaki Okamoto. Statistical zero knowledge protocols to prove modular polynomial relations. In proceedings of CRYPTO '97, LNCS series, volume 1294, pages 16–30.
18. Jun Furukawa. Efficient and verifiable shuffling and shuffle-decryption. IEICE Trans. Fundam. Electron. Commun. Comput. Sci., 88-A(1).
19. Jun Furukawa, Hiroshi Miyauchi, Kengo Mori, Satoshi Obana, and Kazue Sako. An implementation of a universally verifiable electronic voting scheme based on shuffling. In proceedings of Financial Cryptography '02, LNCS series, volume 2357, pages 16–30.
20. Jun Furukawa and Kazue Sako. An efficient scheme for proving a shuffle. In proceedings of CRYPTO '01, LNCS series, volume 2139.
21. Juan A. Garay, Philip D. MacKenzie, and Ke Yang. Strengthening zero-knowledge protocols using signatures. Journal of Cryptology, 19(2).
22. Philippe Golle and Ari Juels. Parallel mixing. In proceedings of ACM CCS '04.
23. Jens Groth. A verifiable secret shuffle of homomorphic encryptions. In proceedings of PKC '03, LNCS series, volume 2567.
24. Jens Groth. Honest verifier zero-knowledge arguments applied. Dissertation Series DS-04-3, BRICS. PhD thesis, x+119 pp.
25. Jens Groth. Cryptography in subgroups of Z_n. In proceedings of TCC '05, LNCS series, volume 3378, pages 50–65.
26. Jens Groth. Non-interactive zero-knowledge arguments for voting. In proceedings of ACNS '05, LNCS series, volume 3531.
27. Jens Groth and Steve Lu. Verifiable shuffle of large size ciphertexts. In proceedings of Practice and Theory in Public Key Cryptography - PKC '07, LNCS 4450.
28. Markus Jakobsson, Ari Juels, and Ronald L. Rivest. Making mix nets robust for electronic voting by randomized partial checking. In USENIX Security '02.
29. Markus Jakobsson. A practical mix. In proceedings of EUROCRYPT '98, LNCS series, volume 1403.
30. Markus Jakobsson. Flash mixing. In proceedings of PODC '99, pages 83–89.
31. Markus Jakobsson and Ari Juels. Millimix: Mixing in small batches. DIMACS technical report 99-33.
32. Aggelos Kiayias and Moti Yung. The vector-ballot e-voting approach. In proceedings of Financial Cryptography '04, LNCS series, volume 3110, pages 74–89.
33. Hendrik W. Lenstra. Factoring integers with elliptic curves. Ann. of Math., 126.
34. Chae Hoon Lim. Efficient multi-exponentiation and application to batch verification of digital signatures. chlim/pub/multi_exp.ps.
35. Yehuda Lindell. Parallel coin-tossing and constant-round secure two-party computation. Journal of Cryptology, 16(3).
36. C. Andrew Neff. A verifiable secret shuffle and its application to e-voting. In proceedings of ACM CCS '01, 2001.
37. C. Andrew Neff. Verifiable mixing (shuffling) of ElGamal pairs.
38. C. Andrew Neff. Personal communication.
39. Lan Nguyen and Reihaneh Safavi-Naini. Breaking and mending resilient mix-nets. In proceedings of PET '03, LNCS series, volume 2760, pages 66–80.
40. Lan Nguyen, Reihaneh Safavi-Naini, and Kaoru Kurosawa. A provably secure and efficient verifiable shuffle based on a variant of the Paillier cryptosystem. Journal of Universal Computer Science, 11(6).
41. Lan Nguyen, Reihaneh Safavi-Naini, and Kaoru Kurosawa. Verifiable shuffles: a formal model and a Paillier-based three-round construction with provable security. International Journal of Information Security, 5(4).
42. Juan Manuel González Nieto, Colin Boyd, and Ed Dawson. A public key cryptosystem based on a subgroup membership problem. Designs, Codes and Cryptography, 36(3).
43. Miyako Ohkubo and Masayuki Abe. A length-invariant hybrid mix. In proceedings of ASIACRYPT '00, LNCS series, volume 1976.
44. Tatsuaki Okamoto and Shigenori Uchiyama. A new public-key cryptosystem as secure as factoring. In proceedings of EUROCRYPT '98, LNCS series, volume 1403.
45. Takao Onodera and Keisuke Tanaka. Shuffle for Paillier's encryption scheme. IEICE Trans. Fundam. Electron. Commun. Comput. Sci., E88-A(5).
46. Pascal Paillier. Public-key cryptosystems based on composite residuosity classes. In proceedings of EUROCRYPT '99, LNCS series, volume 1592.
47. Choonsik Park, Kazutom Itoh, and Kaoru Kurosawa. Efficient anonymous channel and all/nothing election scheme. In proceedings of EUROCRYPT '93, LNCS series, volume 765.
48. Torben P. Pedersen. Non-interactive and information-theoretic secure verifiable secret sharing. In proceedings of CRYPTO '91, LNCS series, volume 576.
49. Kun Peng, Colin Boyd, Ed Dawson, and Kapalee Viswanathan. A correct, private, and efficient mix network. In proceedings of PKC '04, LNCS series, volume 2947.
50. Birgit Pfitzmann and Andreas Pfitzmann. How to break the direct RSA-implementation of mixes. In proceedings of EUROCRYPT '89, LNCS series, volume 434.
51. Kazue Sako and Joe Kilian. Receipt-free mix-type voting scheme - a practical solution to the implementation of a voting booth. In proceedings of EUROCRYPT '95, LNCS series, volume 921.
52. Heiko Stamer. Efficient electronic gambling: An extended implementation of the toolbox for mental card games. In Christopher Wolf, Stefan Lucks, and Po-Wah Yau, editors, WEWoRC 2005, volume P-74 of Lecture Notes in Informatics. Gesellschaft für Informatik e.V.
53. Douglas Wikström. The security of a mix-center based on a semantically secure cryptosystem. In proceedings of INDOCRYPT '02, LNCS series, volume 2551.
54. Douglas Wikström. Five practical attacks for optimistic mixing for exit-polls. In proceedings of SAC '03, LNCS series, volume 3006, 2003.
1. Fundamentals of probability theory 2. Emergence of communication traffic 3. Stochastic & Markovian Processes (SP & MP)
6.3 / -- Communcaton Networks II (Görg) SS20 -- www.comnets.un-bremen.de Communcaton Networks II Contents. Fundamentals of probablty theory 2. Emergence of communcaton traffc 3. Stochastc & Markovan Processes
Fully Homomorphic Encryption Scheme with Symmetric Keys
Fully Homomorphc Encrypton Scheme wth Symmetrc Keys A Dssertaton submtted n partal fulfllment for the award of the Degree of Master of Technology n Department of Computer Scence & Engneerng (wth specalzaton
Riposte: An Anonymous Messaging System Handling Millions of Users
Rposte: An Anonymous Messagng System Handlng Mllons of Users Henry Corrgan-Gbbs, Dan Boneh, and Davd Mazères Stanford Unversty Abstract Ths paper presents Rposte, a new system for anonymous broadcast messagng.
Support Vector Machines
Support Vector Machnes Max Wellng Department of Computer Scence Unversty of Toronto 10 Kng s College Road Toronto, M5S 3G5 Canada [email protected] Abstract Ths s a note to explan support vector machnes.
A hybrid global optimization algorithm based on parallel chaos optimization and outlook algorithm
Avalable onlne www.ocpr.com Journal of Chemcal and Pharmaceutcal Research, 2014, 6(7):1884-1889 Research Artcle ISSN : 0975-7384 CODEN(USA) : JCPRC5 A hybrd global optmzaton algorthm based on parallel
Mean Molecular Weight
Mean Molecular Weght The thermodynamc relatons between P, ρ, and T, as well as the calculaton of stellar opacty requres knowledge of the system s mean molecular weght defned as the mass per unt mole of
Brigid Mullany, Ph.D University of North Carolina, Charlotte
Evaluaton And Comparson Of The Dfferent Standards Used To Defne The Postonal Accuracy And Repeatablty Of Numercally Controlled Machnng Center Axes Brgd Mullany, Ph.D Unversty of North Carolna, Charlotte
Joint Scheduling of Processing and Shuffle Phases in MapReduce Systems
Jont Schedulng of Processng and Shuffle Phases n MapReduce Systems Fangfe Chen, Mural Kodalam, T. V. Lakshman Department of Computer Scence and Engneerng, The Penn State Unversty Bell Laboratores, Alcatel-Lucent
Feature selection for intrusion detection. Slobodan Petrović NISlab, Gjøvik University College
Feature selecton for ntruson detecton Slobodan Petrovć NISlab, Gjøvk Unversty College Contents The feature selecton problem Intruson detecton Traffc features relevant for IDS The CFS measure The mrmr measure
Efficient Project Portfolio as a tool for Enterprise Risk Management
Effcent Proect Portfolo as a tool for Enterprse Rsk Management Valentn O. Nkonov Ural State Techncal Unversty Growth Traectory Consultng Company January 5, 27 Effcent Proect Portfolo as a tool for Enterprse
A Cryptographic Key Assignment Scheme for Access Control in Poset Ordered Hierarchies with Enhanced Security
Internatonal Journal of Network Securty, Vol.7, No., PP.3 34, Sept. 8 3 A ryptographc Key Assgnment Scheme for Access ontrol n Poset Ordered Herarches wth Enhanced Securty Debass Gr and P. D. Srvastava
CHOLESTEROL REFERENCE METHOD LABORATORY NETWORK. Sample Stability Protocol
CHOLESTEROL REFERENCE METHOD LABORATORY NETWORK Sample Stablty Protocol Background The Cholesterol Reference Method Laboratory Network (CRMLN) developed certfcaton protocols for total cholesterol, HDL
where the coordinates are related to those in the old frame as follows.
Chapter 2 - Cartesan Vectors and Tensors: Ther Algebra Defnton of a vector Examples of vectors Scalar multplcaton Addton of vectors coplanar vectors Unt vectors A bass of non-coplanar vectors Scalar product
The Development of Web Log Mining Based on Improve-K-Means Clustering Analysis
The Development of Web Log Mnng Based on Improve-K-Means Clusterng Analyss TngZhong Wang * College of Informaton Technology, Luoyang Normal Unversty, Luoyang, 471022, Chna [email protected] Abstract.
THE METHOD OF LEAST SQUARES THE METHOD OF LEAST SQUARES
The goal: to measure (determne) an unknown quantty x (the value of a RV X) Realsaton: n results: y 1, y 2,..., y j,..., y n, (the measured values of Y 1, Y 2,..., Y j,..., Y n ) every result s encumbered
Implementation of Deutsch's Algorithm Using Mathcad
Implementaton of Deutsch's Algorthm Usng Mathcad Frank Roux The followng s a Mathcad mplementaton of Davd Deutsch's quantum computer prototype as presented on pages - n "Machnes, Logc and Quantum Physcs"
Multiplication Algorithms for Radix-2 RN-Codings and Two s Complement Numbers
Multplcaton Algorthms for Radx- RN-Codngs and Two s Complement Numbers Jean-Luc Beuchat Projet Arénare, LIP, ENS Lyon 46, Allée d Itale F 69364 Lyon Cedex 07 [email protected] Jean-Mchel Muller
How Sets of Coherent Probabilities May Serve as Models for Degrees of Incoherence
1 st Internatonal Symposum on Imprecse Probabltes and Ther Applcatons, Ghent, Belgum, 29 June 2 July 1999 How Sets of Coherent Probabltes May Serve as Models for Degrees of Incoherence Mar J. Schervsh
Provably Secure Single Sign-on Scheme in Distributed Systems and Networks
0 IEEE th Internatonal Conference on Trust, Securty and Prvacy n Computng and Communcatons Provably Secure Sngle Sgn-on Scheme n Dstrbuted Systems and Networks Jangshan Yu, Guln Wang, and Y Mu Center for
How To Calculate The Accountng Perod Of Nequalty
Inequalty and The Accountng Perod Quentn Wodon and Shlomo Ytzha World Ban and Hebrew Unversty September Abstract Income nequalty typcally declnes wth the length of tme taen nto account for measurement.
HÜCKEL MOLECULAR ORBITAL THEORY
1 HÜCKEL MOLECULAR ORBITAL THEORY In general, the vast maorty polyatomc molecules can be thought of as consstng of a collecton of two electron bonds between pars of atoms. So the qualtatve pcture of σ
NON-CONSTANT SUM RED-AND-BLACK GAMES WITH BET-DEPENDENT WIN PROBABILITY FUNCTION LAURA PONTIGGIA, University of the Sciences in Philadelphia
To appear n Journal o Appled Probablty June 2007 O-COSTAT SUM RED-AD-BLACK GAMES WITH BET-DEPEDET WI PROBABILITY FUCTIO LAURA POTIGGIA, Unversty o the Scences n Phladelpha Abstract In ths paper we nvestgate
An RFID Distance Bounding Protocol
An RFID Dstance Boundng Protocol Gerhard P. Hancke and Markus G. Kuhn May 22, 2006 An RFID Dstance Boundng Protocol p. 1 Dstance boundng Verfer d Prover Places an upper bound on physcal dstance Does not
Secure Cloud Storage Service with An Efficient DOKS Protocol
Secure Cloud Storage Servce wth An Effcent DOKS Protocol ZhengTao Jang Councaton Unversty of Chna [email protected] Abstract Storage servces based on publc clouds provde custoers wth elastc storage and on-deand
Optimal Distributed Password Verification
Optmal Dstrbuted Password Verfcaton Jan Camensch IBM Research Zurch [email protected] Anja Lehmann IBM Research Zurch [email protected] Gregory Neven IBM Research Zurch [email protected] ABSTRACT We present
Study on Model of Risks Assessment of Standard Operation in Rural Power Network
Study on Model of Rsks Assessment of Standard Operaton n Rural Power Network Qngj L 1, Tao Yang 2 1 Qngj L, College of Informaton and Electrcal Engneerng, Shenyang Agrculture Unversty, Shenyang 110866,
BERNSTEIN POLYNOMIALS
On-Lne Geometrc Modelng Notes BERNSTEIN POLYNOMIALS Kenneth I. Joy Vsualzaton and Graphcs Research Group Department of Computer Scence Unversty of Calforna, Davs Overvew Polynomals are ncredbly useful
VRT012 User s guide V0.1. Address: Žirmūnų g. 27, Vilnius LT-09105, Phone: (370-5) 2127472, Fax: (370-5) 276 1380, Email: info@teltonika.
VRT012 User s gude V0.1 Thank you for purchasng our product. We hope ths user-frendly devce wll be helpful n realsng your deas and brngng comfort to your lfe. Please take few mnutes to read ths manual
) of the Cell class is created containing information about events associated with the cell. Events are added to the Cell instance
Calbraton Method Instances of the Cell class (one nstance for each FMS cell) contan ADC raw data and methods assocated wth each partcular FMS cell. The calbraton method ncludes event selecton (Class Cell
Section 5.4 Annuities, Present Value, and Amortization
Secton 5.4 Annutes, Present Value, and Amortzaton Present Value In Secton 5.2, we saw that the present value of A dollars at nterest rate per perod for n perods s the amount that must be deposted today
Vasicek s Model of Distribution of Losses in a Large, Homogeneous Portfolio
Vascek s Model of Dstrbuton of Losses n a Large, Homogeneous Portfolo Stephen M Schaefer London Busness School Credt Rsk Electve Summer 2012 Vascek s Model Important method for calculatng dstrbuton of
Project Networks With Mixed-Time Constraints
Project Networs Wth Mxed-Tme Constrants L Caccetta and B Wattananon Western Australan Centre of Excellence n Industral Optmsaton (WACEIO) Curtn Unversty of Technology GPO Box U1987 Perth Western Australa
Nordea G10 Alpha Carry Index
Nordea G10 Alpha Carry Index Index Rules v1.1 Verson as of 10/10/2013 1 (6) Page 1 Index Descrpton The G10 Alpha Carry Index, the Index, follows the development of a rule based strategy whch nvests and
Product-Form Stationary Distributions for Deficiency Zero Chemical Reaction Networks
Bulletn of Mathematcal Bology (21 DOI 1.17/s11538-1-9517-4 ORIGINAL ARTICLE Product-Form Statonary Dstrbutons for Defcency Zero Chemcal Reacton Networks Davd F. Anderson, Gheorghe Cracun, Thomas G. Kurtz
Calculation of Sampling Weights
Perre Foy Statstcs Canada 4 Calculaton of Samplng Weghts 4.1 OVERVIEW The basc sample desgn used n TIMSS Populatons 1 and 2 was a two-stage stratfed cluster desgn. 1 The frst stage conssted of a sample
A Performance Analysis of View Maintenance Techniques for Data Warehouses
A Performance Analyss of Vew Mantenance Technques for Data Warehouses Xng Wang Dell Computer Corporaton Round Roc, Texas Le Gruenwald The nversty of Olahoma School of Computer Scence orman, OK 739 Guangtao
Fast Variants of RSA
Fast Varants of RSA Dan Boneh [email protected] Hovav Shacham [email protected] Abstract We survey three varants of RSA desgned to speed up RSA decrypton. These varants are backwards compatble n
NPAR TESTS. One-Sample Chi-Square Test. Cell Specification. Observed Frequencies 1O i 6. Expected Frequencies 1EXP i 6
PAR TESTS If a WEIGHT varable s specfed, t s used to replcate a case as many tmes as ndcated by the weght value rounded to the nearest nteger. If the workspace requrements are exceeded and samplng has
Answer: A). There is a flatter IS curve in the high MPC economy. Original LM LM after increase in M. IS curve for low MPC economy
4.02 Quz Solutons Fall 2004 Multple-Choce Questons (30/00 ponts) Please, crcle the correct answer for each of the followng 0 multple-choce questons. For each queston, only one of the answers s correct.
1. Measuring association using correlation and regression
How to measure assocaton I: Correlaton. 1. Measurng assocaton usng correlaton and regresson We often would lke to know how one varable, such as a mother's weght, s related to another varable, such as a
Usage of LCG/CLCG numbers for electronic gambling applications
Usage of LCG/CLCG numbers for electronc gamblng applcatons Anders Knutsson Smovts Consultng, Wenner-Gren Center, Sveavägen 166, 113 46 Stockholm, Sweden [email protected] Abstract. Several attacks
Addendum to: Importing Skill-Biased Technology
Addendum to: Importng Skll-Based Technology Arel Bursten UCLA and NBER Javer Cravno UCLA August 202 Jonathan Vogel Columba and NBER Abstract Ths Addendum derves the results dscussed n secton 3.3 of our
Quantization Effects in Digital Filters
Quantzaton Effects n Dgtal Flters Dstrbuton of Truncaton Errors In two's complement representaton an exact number would have nfntely many bts (n general). When we lmt the number of bts to some fnte value
Fuzzy Keyword Search over Encrypted Data in Cloud Computing
Fuzzy Keyword Search over Encrypted Data n Cloud Computng Jn L,QanWang, Cong Wang,NngCao,KuRen, and Wenjng Lou Department of ECE, Illnos Insttute of Technology Department of ECE, Worcester Polytechnc Insttute
Relay Secrecy in Wireless Networks with Eavesdropper
Relay Secrecy n Wreless Networks wth Eavesdropper Parvathnathan Venktasubramanam, Tng He and Lang Tong School of Electrcal and Computer Engneerng Cornell Unversty, Ithaca, NY 14853 Emal : {pv45, th255,
Statistical Methods to Develop Rating Models
Statstcal Methods to Develop Ratng Models [Evelyn Hayden and Danel Porath, Österrechsche Natonalbank and Unversty of Appled Scences at Manz] Source: The Basel II Rsk Parameters Estmaton, Valdaton, and
Ad-Hoc Games and Packet Forwardng Networks
On Desgnng Incentve-Compatble Routng and Forwardng Protocols n Wreless Ad-Hoc Networks An Integrated Approach Usng Game Theoretcal and Cryptographc Technques Sheng Zhong L (Erran) L Yanbn Grace Lu Yang
J. Parallel Distrib. Comput.
J. Parallel Dstrb. Comput. 71 (2011) 62 76 Contents lsts avalable at ScenceDrect J. Parallel Dstrb. Comput. journal homepage: www.elsever.com/locate/jpdc Optmzng server placement n dstrbuted systems n
