Verifiable Elections That Scale for Free Melissa Chase (MSR Redmond) - PowerPoint PPT Presentation

Outline Definitions Malleable proofs [CKLM12] Definitions Shuffling and decrypting Compact shuffles [CKLM12] Threshold decryption A voting scheme Conclusions 5

Malleability for proofs [CKLM12] 6

Malleability for proofs [CKLM12] Example: take a proof π 1 that b 1 is a bit and a proof π 2 that b 2 is a bit, and “maul” them somehow to get a proof that b 1 ⋅ b 2 is a bit 6

Malleability for proofs [CKLM12] Example: take a proof π 1 that b 1 is a bit and a proof π 2 that b 2 is a bit, and “maul” them somehow to get a proof that b 1 ⋅ b 2 is a bit More generally, a proof is malleable with respect to T if there exists an algorithm Eval that on input (T,{x i , π i }), outputs a proof π for T({x i }) 6

Malleability for proofs [CKLM12] Example: take a proof π 1 that b 1 is a bit and a proof π 2 that b 2 is a bit, and “maul” them somehow to get a proof that b 1 ⋅ b 2 is a bit More generally, a proof is malleable with respect to T if there exists an algorithm Eval that on input (T,{x i , π i }), outputs a proof π for T({x i }) • E.g., T = × , x i = “b i is a bit” 6

Malleability for proofs [CKLM12] Example: take a proof π 1 that b 1 is a bit and a proof π 2 that b 2 is a bit, and “maul” them somehow to get a proof that b 1 ⋅ b 2 is a bit More generally, a proof is malleable with respect to T if there exists an algorithm Eval that on input (T,{x i , π i }), outputs a proof π for T({x i }) • E.g., T = × , x i = “b i is a bit” Can define zero knowledge in the usual way as long as proofs are malleable only with respect to operations under which the language is closed 6

Malleability for proofs [CKLM12] Example: take a proof π 1 that b 1 is a bit and a proof π 2 that b 2 is a bit, and “maul” them somehow to get a proof that b 1 ⋅ b 2 is a bit More generally, a proof is malleable with respect to T if there exists an algorithm Eval that on input (T,{x i , π i }), outputs a proof π for T({x i }) • E.g., T = × , x i = “b i is a bit” Can define zero knowledge in the usual way as long as proofs are malleable only with respect to operations under which the language is closed But how to define a strong notion of soundness like extractability? 6

Controlled-malleable proofs (cm-NIZKs) [CKLM12] 7

Controlled-malleable proofs (cm-NIZKs) [CKLM12] Consider an allowable set of transformations T 7

Controlled-malleable proofs (cm-NIZKs) [CKLM12] Consider an allowable set of transformations T High-level idea: extractor can pull out either a witness (fresh proof), or a previously queried instance and a transformation in T from that instance to the new one (validly transformed proof) 7

Controlled-malleable proofs (cm-NIZKs) [CKLM12] Consider an allowable set of transformations T High-level idea: extractor can pull out either a witness (fresh proof), or a previously queried instance and a transformation in T from that instance to the new one (validly transformed proof) A bit more formally: from (x, π ) the extractor outputs (w,x ′ ,T) such that either (1) (x,w) ∈ R or (2) x ′ was queried (to simulator) and x = T(x ′ ) for T ∈ T 7

Controlled-malleable proofs (cm-NIZKs) [CKLM12] Consider an allowable set of transformations T High-level idea: extractor can pull out either a witness (fresh proof), or a previously queried instance and a transformation in T from that instance to the new one (validly transformed proof) A bit more formally: from (x, π ) the extractor outputs (w,x ′ ,T) such that either (1) (x,w) ∈ R or (2) x ′ was queried (to simulator) and x = T(x ′ ) for T ∈ T We call the proof CM-SSE (controlled malleable simulation sound extractable) if no PPT adversary A can violate these two conditions 7

Controlled-malleable proofs (cm-NIZKs) [CKLM12] Consider an allowable set of transformations T High-level idea: extractor can pull out either a witness (fresh proof), or a previously queried instance and a transformation in T from that instance to the new one (validly transformed proof) A bit more formally: from (x, π ) the extractor outputs (w,x ′ ,T) such that either (1) (x,w) ∈ R or (2) x ′ was queried (to simulator) and x = T(x ′ ) for T ∈ T We call the proof CM-SSE (controlled malleable simulation sound extractable) if no PPT adversary A can violate these two conditions If a proof is zero knowledge, CM-SSE, and strongly derivation private, then we call it a cm-NIZK (like function privacy for homomorphic encryption) 7

Compactly verifiable shuffles [CKLM12] B 1 b 1 b 2 B 2 . . . b 3 B 3 b 4 B 4 b 5 B 5 8

Compactly verifiable shuffles [CKLM12] B 1 b 1 b 2 B 2 . . . b 3 B 3 b 4 B 4 b 5 B 5 π Initial mix server still outputs a fresh proof π , but now subsequent servers “maul” this proof using permutation φ i , re-randomization R i , and secret key sk i 8

Compactly verifiable shuffles [CKLM12] B 1 b 1 b 2 B 2 . . . b 3 B 3 b 4 B 4 b 5 B 5 π Initial mix server still outputs a fresh proof π , but now subsequent servers “maul” this proof using permutation φ i , re-randomization R i , and secret key sk i 8

Compactly verifiable shuffles [CKLM12] B 1 b 1 b 2 B 2 . . . b 3 B 3 b 4 B 4 b 5 B 5 T 2 =( φ 2 ,R 2 ,sk 2 ) π π (2) =Eval(T 2 , π ) Initial mix server still outputs a fresh proof π , but now subsequent servers “maul” this proof using permutation φ i , re-randomization R i , and secret key sk i 8

Compactly verifiable shuffles [CKLM12] B 1 b 1 b 2 B 2 . . . b 3 B 3 b 4 B 4 b 5 B 5 T 2 =( φ 2 ,R 2 ,sk 2 ) π π (2) =Eval(T 2 , π ) Initial mix server still outputs a fresh proof π , but now subsequent servers “maul” this proof using permutation φ i , re-randomization R i , and secret key sk i 8

Compactly verifiable shuffles [CKLM12] B 1 b 1 b 2 B 2 . . . b 3 B 3 b 4 B 4 b 5 B 5 T M =( φ M ,R M ,sk M ) T 2 =( φ 2 ,R 2 ,sk 2 ) π π (2) =Eval(T 2 , π ) Initial mix server still outputs a fresh proof π , but now subsequent servers “maul” this proof using permutation φ i , re-randomization R i , and secret key sk i 8

Compactly verifiable shuffles [CKLM12] B 1 b 1 b 2 B 2 . . . b 3 B 3 b 4 B 4 b 5 B 5 T M =( φ M ,R M ,sk M ) T 2 =( φ 2 ,R 2 ,sk 2 ) π π (2) =Eval(T 2 , π ) π (M) =Eval(T k, π (M-1) ) Initial mix server still outputs a fresh proof π , but now subsequent servers “maul” this proof using permutation φ i , re-randomization R i , and secret key sk i We call this shuffle compactly verifiable, as the last proof π (M) can now be used to verify the correctness of the whole shuffle (under an appropriate definition) 8

Compactly verifiable shuffles [CKLM12] B 1 b 1 b 2 B 2 . . . b 3 B 3 b 4 B 4 b 5 B 5 T M =( φ M ,R M ,sk M ) T 2 =( φ 2 ,R 2 ,sk 2 ) π π (2) =Eval(T 2 , π ) π (M) =Eval(T k, π (M-1) ) Initial mix server still outputs a fresh proof π , but now subsequent servers “maul” this proof using permutation φ i , re-randomization R i , and secret key sk i We call this shuffle compactly verifiable, as the last proof π (M) can now be used to verify the correctness of the whole shuffle (under an appropriate definition) So if there are L ciphertexts and M servers, proof size can be O(L+M) 8

Compact threshold decryption 9

Compact threshold decryption C=Enc(pk,m) 9

Compact threshold decryption C=Enc(pk,m) KeyGen Enc 9

Compact threshold decryption C=Enc(pk,m) sec KeyGen Enc 9

Compact threshold decryption C=Enc(pk,m) sec s 1 KeyGen Enc 9

Compact threshold decryption ret C=Enc(pk,m) sec s 1 KeyGen Enc 9

Compact threshold decryption ret C=Enc(pk,m) sec s 1 s 2 KeyGen Enc 9

Compact threshold decryption ret C=Enc(pk,m) sec s 1 s 2 Formed with ShareDec(C,s 1 ) Shares contain proof of correctness KeyGen Enc ShareDec (ShareProve) 9

Compact threshold decryption ret C=Enc(pk,m) k sec s 1 s 2 Formed with ShareDec(C,s 1 ) Shares contain proof of correctness KeyGen Enc ShareDec (ShareProve) ShareVerify 9

Compact threshold decryption ret C=Enc(pk,m) k sec s 1 s 2 s 3 Formed with ShareDec(C,s 1 ) Shares contain proof of correctness KeyGen Enc ShareDec (ShareProve) ShareVerify 9

Compact threshold decryption ey ret C=Enc(pk,m) k sec s 1 s 2 s 3 Formed with ShareDec(C,s 1 ) Shares contain proof of correctness KeyGen Enc ShareDec (ShareProve) ShareVerify 9

Compact threshold decryption m ey ret C=Enc(pk,m) k sec s 1 s 2 s 3 π (N) Formed with ShareDec(C,s 1 ) Shares contain proof of correctness KeyGen Enc ShareDec (ShareProve) ShareVerify 9

Compact threshold decryption m ey ret C=Enc(pk,m) k sec s 1 s 2 s 3 π (N) Formed with ShareDec(C,s 1 ) Shares contain proof of correctness Servers can decrypt in any order; not fixed KeyGen Enc ShareDec (ShareProve) ShareVerify 9

Compact threshold decryption m ey ret C=Enc(pk,m) k sec s 1 s 2 s 3 π (N) Formed with ShareDec(C,s 1 ) Shares contain proof of correctness Servers can decrypt in any order; not fixed KeyGen Enc Once again, final proof π (N) suffices for whole decryption, meaning total proof size can again be O(L+N) instead of O(LN) ShareDec (again, under an appropriate definition) (ShareProve) ShareVerify 9

Outline Shuffling and decrypting Cryptographic background Definitions Shuffling and decrypting A compact verifiable shuffle Threshold decryption A voting scheme Conclusions 10

Preliminary: BBS encryption [BBS04] 11

Preliminary: BBS encryption [BBS04] Setup: generate a symmetric prime-order bilinear group (p,G,G T ,e,g) 11

Preliminary: BBS encryption [BBS04] Setup: generate a symmetric prime-order bilinear group (p,G,G T ,e,g) KeyGen(crs): α , β ← F p ; f = g α , h = g β ; output sk = ( α , β ) and pk = (f,h) 11

Preliminary: BBS encryption [BBS04] Setup: generate a symmetric prime-order bilinear group (p,G,G T ,e,g) KeyGen(crs): α , β ← F p ; f = g α , h = g β ; output sk = ( α , β ) and pk = (f,h) Enc(crs,pk,M): r,s ← F p ; u = f r , v = h s , w = g r+s M; return (u,v,w) 11

Preliminary: BBS encryption [BBS04] Setup: generate a symmetric prime-order bilinear group (p,G,G T ,e,g) KeyGen(crs): α , β ← F p ; f = g α , h = g β ; output sk = ( α , β ) and pk = (f,h) Enc(crs,pk,M): r,s ← F p ; u = f r , v = h s , w = g r+s M; return (u,v,w) Dec(crs,sk,(u,v,w)): return u -1/ α v -1/ β w 11

Part 1: Compact verifiable shuffle 12

Part 1: Compact verifiable shuffle Our concrete shuffle is based on the Groth-Lu shuffle [GL07] 12

Part 1: Compact verifiable shuffle Our concrete shuffle is based on the Groth-Lu shuffle [GL07] • CRS of size O(M), proofs of size O(L) (but M of them) • Based on static pairing-based assumptions 12

Part 1: Compact verifiable shuffle Our concrete shuffle is based on the Groth-Lu shuffle [GL07] • CRS of size O(M), proofs of size O(L) (but M of them) • Based on static pairing-based assumptions Basically, alter their proofs and make them malleable (i.e., show they satisfy CM-friendliness) 12

Part 1: Compact verifiable shuffle Our concrete shuffle is based on the Groth-Lu shuffle [GL07] • CRS of size O(M), proofs of size O(L) (but M of them) • Based on static pairing-based assumptions Basically, alter their proofs and make them malleable (i.e., show they satisfy CM-friendliness) End up with CRS of size O(M), proofs of size O(L+M) (improvement over [CKLM12], which had constant-sized CRS but proofs of size O(L 2 +M)) 12

Part 2: Compact threshold decryption (KeyGen) 13

Part 2: Compact threshold decryption (KeyGen) To split BBS decryption key sk = ( α , β ), just pick α 1 , β 1 ,..., α N-1 , β N-1 ← F p and set α N = -1/ α - ∑ α i and β N = -1/ β - ∑ β i ; then α 1 + ... + α N = -1/ α and β 1 + ... + β N = -1/ β 13

Part 2: Compact threshold decryption (KeyGen) To split BBS decryption key sk = ( α , β ), just pick α 1 , β 1 ,..., α N-1 , β N-1 ← F p and set α N = -1/ α - ∑ α i and β N = -1/ β - ∑ β i ; then α 1 + ... + α N = -1/ α and β 1 + ... + β N = -1/ β sec ret k ey 13

Part 2: Compact threshold decryption (KeyGen) To split BBS decryption key sk = ( α , β ), just pick α 1 , β 1 ,..., α N-1 , β N-1 ← F p and set α N = -1/ α - ∑ α i and β N = -1/ β - ∑ β i ; then α 1 + ... + α N = -1/ α and β 1 + ... + β N = -1/ β sec ret k ey 13

Part 2: Compact threshold decryption (KeyGen) To split BBS decryption key sk = ( α , β ), just pick α 1 , β 1 ,..., α N-1 , β N-1 ← F p and set α N = -1/ α - ∑ α i and β N = -1/ β - ∑ β i ; then α 1 + ... + α N = -1/ α and β 1 + ... + β N = -1/ β sec ret k ey sk i = ( α i , β i ) 13

Part 2: Compact threshold decryption (KeyGen) To split BBS decryption key sk = ( α , β ), just pick α 1 , β 1 ,..., α N-1 , β N-1 ← F p and set α N = -1/ α - ∑ α i and β N = -1/ β - ∑ β i ; then α 1 + ... + α N = -1/ α and β 1 + ... + β N = -1/ β sec ret Observe that for c = (u,v,w) = Enc(pk,m): k ey sk i = ( α i , β i ) 13

Part 2: Compact threshold decryption (KeyGen) To split BBS decryption key sk = ( α , β ), just pick α 1 , β 1 ,..., α N-1 , β N-1 ← F p and set α N = -1/ α - ∑ α i and β N = -1/ β - ∑ β i ; then α 1 + ... + α N = -1/ α and β 1 + ... + β N = -1/ β sec ret Observe that for c = (u,v,w) = Enc(pk,m): k ey w ∏ u α j ⋅ v β j = u α 1+...+ α k ⋅ v β 1+...+ β k ⋅ w = u -1/ α ⋅ v -1/ β w sk i = ( α i , β i ) 13

Part 2: Compact threshold decryption (KeyGen) To split BBS decryption key sk = ( α , β ), just pick α 1 , β 1 ,..., α N-1 , β N-1 ← F p and set α N = -1/ α - ∑ α i and β N = -1/ β - ∑ β i ; then α 1 + ... + α N = -1/ α and β 1 + ... + β N = -1/ β sec ret Observe that for c = (u,v,w) = Enc(pk,m): k ey w ∏ u α j ⋅ v β j = u α 1+...+ α k ⋅ v β 1+...+ β k ⋅ w = u -1/ α ⋅ v -1/ β w sk i = ( α i , β i ) = m 13

Part 2: Compact threshold decryption (KeyGen) To split BBS decryption key sk = ( α , β ), just pick α 1 , β 1 ,..., α N-1 , β N-1 ← F p and set α N = -1/ α - ∑ α i and β N = -1/ β - ∑ β i ; then α 1 + ... + α N = -1/ α and β 1 + ... + β N = -1/ β sec ret Observe that for c = (u,v,w) = Enc(pk,m): k ey w ∏ u α j ⋅ v β j = u α 1+...+ α k ⋅ v β 1+...+ β k ⋅ w = u -1/ α ⋅ v -1/ β w sk i = ( α i , β i ) = m Also want verification key vk = (Com(sk 1 )=(Com( α 1 ),Com( β 1 )),...,Com(sk N )) 13

Part 2: Compact threshold decryption (ShareDec) 14