# Internet Voting Based on Homomorphic Threshold Encryption

```
Non-interactive Zaps and New Techniques for NIZK
Jens Groth
Rafail Ostrovsky
Amit Sahai

University of California Los Angeles
Witness-indistinguishability

Potential witnesses

Burglar
Witness-indistinguishability

Witness
Witness-indistinguishability

One of the witnesses,
but which one?
Non-interactive zaps for Circuit SAT
   Poly-time algorithms P (prover) and V (verifier)
   No common reference string
   Perfect completeness:
(C, w) so C(w)=1
π ← P(1^k, C, w) : V(1^k, C, π)=1
   Perfect soundness:
(C, π) with C unsatisfiable V(1^k, C, π)=0
   Computational witness-indistinguishability:
(C, w0, w1) so C(w0)=1 and C(w1)=1
P(1^k, C, w0) ≈ P(1^k, C, w1)
Comparison
   Dwork and Naor, FOCS 2000:
2-round zaps from trapdoor permutations
   Barak, Ong and Vadhan, Crypto 2003:
Non-interactive zaps by derandomizing Dwork-Naor zaps
(non-polynomial assumption)
   This talk:
Non-interactive zaps based on decisional linear
assumption
Proof size O(|C|k) bits
Bilinear groups
G, G_T cyclic groups of prime order p
g generator for G
bilinear map e: G × G → G_T
e(g^a, g^b) = e(g, g)^(ab)
e(g, g) generator for G_T
Decisional linear problem [Boneh et al. 04]
f, h, g, u = f^R, v = h^S, w = g^T
T = R+S or T random ?
Commitment scheme
Public key
f = g^x, h = g^y, u = f^R, v = h^S, w = g^T
pk = (p, G, G_T, e, g, f, h, u, v, w)
Commitment to m ∈ Z_p
c = (u^m f^r, v^m h^s, w^m g^(r+s))
Perfect hiding trapdoor if T = R+S
c = (f^(mR+r), h^(mS+s), g^(m(R+S)+r+s))
Commitment scheme
Commitment to m ∈ Z_p
c = (u^m f^r, v^m h^s, w^m g^(r+s)) = (c1, c2, c3)
Perfect binding if T ≠ R+S
because c3 c1^(-1/x) c2^(-1/y) = (w u^(-1/x) v^(-1/y))^m
= g^((T-(R+S))m)
uniquely defines m
Commitment scheme
Commitment to m ∈ Z_p
c = (u^m f^r, v^m h^s, w^m g^(r+s))
Homomorphic
(u^m f^r, v^m h^s, w^m g^(r+s)) (u^M f^R, v^M h^S, w^M g^(R+S))
= (u^(m+M) f^(r+R), v^(m+M) h^(s+S), w^(m+M) g^(r+R+s+S))
Witness indistinguishable proof of commitment to
message 0 or 1
- Perfect sound on perfect binding key
- Perfect WI on perfect trapdoor key
Commitment scheme
   Homomorphic
   Two types of indistinguishable public keys:
- Perfect trapdoor
- Perfect binding
   Witness indistinguishable proof that
commitment contains 0 or 1
- Perfect soundness on perfect binding key
- Perfect WI on perfect trapdoor key
NIZK proof for Circuit SAT
Circuit SAT is NP complete
[Figure: circuit with inputs w1, w2, w3; a NAND gate on w1, w2 gives w4; a NAND gate on w4, w3 gives output 1]
NIZK proof for Circuit SAT
[Figure: the same circuit annotated with commitments and WI proofs]
c1 = com(w1), c2 = com(w2), c3 = com(w3), c4 = com(w4), output com(1)
WI proof c1 commit to 0 or 1
WI proof c2 commit to 0 or 1
WI proof c3 commit to 0 or 1
WI proof c4 commit to 0 or 1
WI proof w4 = ¬(w1∧w2)
WI proof 1 = ¬(w4∧w3)
WI proof for NAND-gate
Given c0, c1, c2 commitments containing bits b0,
b1, b2 wish to prove b2 = ¬(b0∧b1)

b2 = ¬(b0∧b1)
if and only if
b0 + b1 + 2b2 - 2 ∈ {0,1}

WI proof c0 c1 c2^2 com(-2) commitment to 0 or 1
NIZK proof for Circuit SAT
   Commit to all wires w_i as c_i = com(w_i)
   For each i make WI proof that c_i contains 0 or 1
   For each NAND-gate make WI proof that
c0 c1 c2^2 com(-2) contains 0 or 1

Perfect completeness
Perfect binding key - perfect soundness
Perfect trapdoor key - perfect zero-knowledge
Perfect NIZK on perfect trapdoor key
Simulation:
Make trapdoor commitments
Trapdoor-open relevant commitments to 0 and WI prove

Proof that simulation works on C with w so C(w)=1:
Can trapdoor-open commitments to wi’s and WI prove
By perfect witness-indistinguishability of the WI
proofs indistinguishable from simulation
Can from the start make commitments to wi’s
By perfect hiding of the commitments indistinguishable
from previous method
Corresponds to real proof on trapdoor key
Non-interactive zaps
Naïve idea:
Prover chooses public key and makes NIZK proof
Problem: Can choose trapdoor key and prove anything
Better idea:
Prover chooses two public keys and makes an NIZK
proof with each of them
Makes choice so:
One is trapdoor, one is perfect binding
Verifiable that at least one key is perfect binding
Verifier cannot tell which key is trapdoor
Choosing two keys
Generate group (p, G, G_T, e, g)
E.g., elliptic curve E: y^2 = x^3 + 1 mod q, where q smallest suitable
prime so E has order p subgroup. Easy to verify p is prime, p
defines (G, G_T, e), easy to verify that g is order p point on curve.
Choose x, y ← Z_p*, R, S ← Z_p and set
f = g^x, h = g^y, u = f^R, v = h^S, w = g^(R+S)
Output two public keys
(p, G, G_T, e, g, f, h, u, v, w)
(p, G, G_T, e, g, f, h, u, v, w·g)
At least one must be perfectly binding, but by decisional linear
assumption hard to tell which one
Witness-indistinguishability
Circuit C and two witnesses w0, w1
• Generate pk0 perfect trapdoor and pk1 perfect binding
• NIZK proof using w0 on pk0         NIZK proof using w0 on pk1
• Simulate proof on trapdoor pk0     NIZK proof using w0 on pk1
• NIZK proof using w1 on pk0         NIZK proof using w0 on pk1
• Switch to pk0 perfect binding and pk1 perfect trapdoor
• NIZK proof using w1 on pk0         Simulate proof on trapdoor pk1
• NIZK proof using w1 on pk0         NIZK proof using w1 on pk1
• Switch back to pk0 perfect trapdoor and pk1 perfect binding
WI proof for message 0 or 1
(c1, c2, c3) = (u^m f^r, v^m h^s, w^m g^(r+s))
(c1, c2, c3) is commitment to 0 or 1 if and only if
(c1, c2, c3) or (c1/u, c2/v, c3/w) contain 0
(c1, c2, c3) contains 0 if and only if
(c1, c2, c3^(-1)) = (f^r, h^s, g^(-(r+s)))
Similarly for (c1/u, c2/v, c3/w)
We’ll present a general proof that given
(A=f^a, B=h^b, C=g^c) and (X=f^x, Y=h^y, Z=g^z)
then (a+b+c)(x+y+z)=0
WI proof for message 0 or 1

   Examine matrix:
e(A, X)    e(A, Y)      e(A, Z)
e(B, X)     e(B, Y)    e(B, Z)
e(C, X)     e(C, Y)    e(C, Z)

   Note that verifier can generate this matrix
WI proof for message 0 or 1
   Suppose prover knows (a, b, c)
e(f, X^a)    e(f, Y^a)   e(f, Z^a)
e(h, X^b)    e(h, Y^b)   e(h, Z^b)
e(g, X^c)    e(g, Y^c)   e(g, Z^c)
   The right-hand entries convince the verifier
that a+b+c =0 (each column multiplies to 1)
   Similarly, if prover knows (x, y, z) can reveal
left-hand entries and rows multiply to 1
   Bad: Tells verifier which witness used
WI proof for message 0 or 1
   Blind across diagonal
e(f, X^a)         e(f, h^t Y^a)     e(f, g^(-t) Z^a)
e(h, f^(-t) X^b)  e(h, Y^b)         e(h, g^t Z^b)
e(g, f^t X^c)     e(g, h^(-t) Y^c)  e(g, Z^c)
   If both a+b+c = 0 and x+y+z=0 then
matrix is distributed identical to its transpose
   It hides perfectly whether we are looking at
rows or columns
Summary
   Homomorphic commitments with
indistinguishable trapdoor/binding keys and WI
proofs for message 0 or 1
   NIZK proofs from such commitments
   Simple and efficient O(|C|k) bit-size non-interactive zaps
Perfect completeness
Perfect soundness
Computational WI

```
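The commitment slides (trapdoor vs. binding keys, homomorphism, and the NAND-gate combination c0 c1 c2^2 com(-2)) can be checked in a toy model. This is an added example, not code from the talk: it stores each group element as its exponent of g, so the "key" holds the secret exponents and nothing here is secure; `keygen`, `commit`, `extract` and the other names are hypothetical.

```python
import secrets

# Toy model (assumption of this example): the element g^e is stored as the
# exponent e mod P, so multiplying elements adds exponents. No security.
P = 2**61 - 1                                   # constructed prime group order

def keygen(binding):
    # f = g^x, h = g^y, u = f^R, v = h^S, w = g^T. T = R+S is a trapdoor key;
    # T = R+S+1 (the slide's second key, w*g) is perfectly binding.
    x, y = (secrets.randbelow(P - 1) + 1 for _ in range(2))
    R, S = secrets.randbelow(P), secrets.randbelow(P)
    return {"x": x, "y": y, "R": R, "S": S, "T": (R + S + int(binding)) % P}

def commit(key, m, r, s):
    # c = (u^m f^r, v^m h^s, w^m g^(r+s)), written as exponents of g.
    return (key["x"] * (key["R"] * m + r) % P,
            key["y"] * (key["S"] * m + s) % P,
            (key["T"] * m + r + s) % P)

def mul(c, d):                                  # product of two commitments
    return tuple((ci + di) % P for ci, di in zip(c, d))

def power(c, k):                                # commitment raised to k
    return tuple(ci * k % P for ci in c)

def extract(key, c):
    # c3 * c1^(-1/x) * c2^(-1/y) = g^((T-(R+S)) m); the toy model reads m off
    # the exponent. Returns None on a trapdoor key, where m is not defined.
    e = (c[2] - c[0] * pow(key["x"], -1, P) - c[1] * pow(key["y"], -1, P)) % P
    d = (key["T"] - key["R"] - key["S"]) % P
    return e * pow(d, -1, P) % P if d else None

def nand_commitment(key, c0, c1, c2):
    # c0 * c1 * c2^2 * com(-2): commits to b0 + b1 + 2*b2 - 2.
    return mul(mul(c0, c1), mul(power(c2, 2), commit(key, -2, 0, 0)))

def trapdoor_open(key, m, r, s, m_new):
    # On a trapdoor key, randomness that opens com(m; r, s) to m_new instead.
    return ((r + key["R"] * (m - m_new)) % P, (s + key["S"] * (m - m_new)) % P)

if __name__ == "__main__":
    bk = keygen(binding=True)
    for bits in [(1, 1, 0), (1, 1, 1)]:         # valid and invalid NAND wiring
        cs = [commit(bk, b, secrets.randbelow(P), secrets.randbelow(P)) for b in bits]
        print(bits, extract(bk, nand_commitment(bk, *cs)) in (0, 1))
```

On the binding key the combined commitment opens to 0 or 1 exactly for consistent NAND wirings; on the trapdoor key every commitment can be reopened, which is what the simulator uses.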
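The blinded 3×3 matrix from the "WI proof for message 0 or 1" slides, as an added example that is not code from the talk. It uses a toy model in which a group element is stored as its exponent and the pairing is multiplication of exponents; the verification equations in `verify` are this example's reading of the matrix (the slides do not state them), and all function names are hypothetical.

```python
import secrets

# Toy model (assumption of this example): a group element g^u is stored as its
# exponent u mod P, so multiplying elements adds exponents and the pairing
# e(g^u, g^v) = e(g, g)^(u*v) becomes u*v mod P. Discrete logs are visible, so
# this checks the algebra only and offers no security.
P = 2**61 - 1                                   # constructed prime group order
SIGNS = [[0, 1, -1], [-1, 0, 1], [1, -1, 0]]    # sign of t in each entry (slide)

def keygen():
    # Bases (f, h, g) as exponents of g; g itself is exponent 1.
    return [secrets.randbelow(P - 1) + 1, secrets.randbelow(P - 1) + 1, 1]

def statement(bases, a, x):
    # (A, B, C) = (f^a, h^b, g^c) and (X, Y, Z) = (f^x, h^y, g^z).
    return ([bases[i] * a[i] % P for i in range(3)],
            [bases[i] * x[i] % P for i in range(3)])

def prove(bases, A, X, witness, side, t):
    # side "a": entry (i, j) is X_j^(a_i), the right-hand pairing arguments.
    # side "x": entry (i, j) is A_j^(x_i), the transposed left-hand arguments.
    # Off-diagonal entries are multiplied by base_j^(+t) or base_j^(-t).
    src = X if side == "a" else A
    return [[(src[j] * witness[i] + SIGNS[i][j] * t * bases[j]) % P
             for j in range(3)] for i in range(3)]

def verify(bases, A, X, pi):
    # 1) every column multiplies to 1 (exponents sum to 0);
    # 2) e(base_i, pi_ij) * e(base_j, pi_ji) = e(A_i, X_j) * e(A_j, X_i), i <= j.
    cols = all(sum(pi[i][j] for i in range(3)) % P == 0 for j in range(3))
    pairs = all((bases[i] * pi[i][j] + bases[j] * pi[j][i]) % P
                == (A[i] * X[j] + A[j] * X[i]) % P
                for i in range(3) for j in range(i, 3))
    return cols and pairs

def equivalent_blinder(a, x, t):
    # If a+b+c = 0 and x+y+z = 0, the x-side proof with t' = t + a*y - b*x equals
    # the a-side proof with t, so both provers' outputs are identically distributed.
    return (t + a[0] * x[1] - a[1] * x[0]) % P

if __name__ == "__main__":
    bases, a, x = keygen(), [5, 7, P - 12], [3, 9, P - 12]   # both sums are 0
    A, X = statement(bases, a, x)
    t = secrets.randbelow(P)
    pa = prove(bases, A, X, a, "a", t)
    px = prove(bases, A, X, x, "x", equivalent_blinder(a, x, t))
    print(verify(bases, A, X, pa), verify(bases, A, X, px), pa == px)
```

Because t ↦ t' is a bijection, a uniformly random t gives the same proof distribution whichever witness was used, which is the perfect WI claim on the slide.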