Internet Voting Based on Homomorphic Threshold Encryption

Non-interactive Zaps and New Techniques for NIZK
Jens Groth, Rafail Ostrovsky, Amit Sahai
University of California Los Angeles

Witness-indistinguishability
[Figure sequence: "Potential witnesses" and "Burglar"; then "Witness"; then "One of the witnesses, but which one?"]

Non-interactive zaps for Circuit SAT
• Poly-time algorithms P (prover) and V (verifier)
• No common reference string
• Perfect completeness:
    $(C, w)$ so $C(w) = 1$
    $\pi \leftarrow P(1^k, C, w) : V(1^k, C, \pi) = 1$
• Perfect soundness:
    $(C, \pi)$ with $C$ unsatisfiable: $V(1^k, C, \pi) = 0$
• Computational witness-indistinguishability:
    $(C, w_0, w_1)$ so $C(w_0) = 1$ and $C(w_1) = 1$
    $P(1^k, C, w_0) \approx P(1^k, C, w_1)$

Comparison
• Dwork and Naor, FOCS 2000:
    2-round zaps from trapdoor permutations
• Barak, Ong and Vadhan, Crypto 2003:
    Non-interactive zaps by derandomizing Dwork-Naor zaps (non-polynomial assumption)
• This talk:
    Non-interactive zaps based on decisional linear assumption
    Proof size $O(|C|k)$ bits

Bilinear groups
• $G$, $G_T$ cyclic groups of prime order $p$
• $g$ generator for $G$
• Bilinear map $e: G \times G \to G_T$
    $e(g^a, g^b) = e(g, g)^{ab}$
    $e(g, g)$ generator for $G_T$
• Decisional linear problem [Boneh et al. 04]
    $f, h, g, u = f^R, v = h^S, w = g^T$
    $T = R+S$ or $T$ random?

Commitment scheme
• Public key
    $f = g^x$, $h = g^y$, $u = f^R$, $v = h^S$, $w = g^T$
    $pk = (p, G, G_T, e, g, f, h, u, v, w)$
• Commitment to $m \in Z_p$
    $c = (u^m f^r, v^m h^s, w^m g^{r+s})$
• Perfect hiding trapdoor if $T = R+S$
    $c = (f^{mR+r}, h^{mS+s}, g^{m(R+S)+r+s})$

Commitment scheme
• Commitment to $m \in Z_p$
    $c = (u^m f^r, v^m h^s, w^m g^{r+s})$
• Perfect binding if $T \neq R+S$
    $c = (c_1, c_2, c_3)$ uniquely defines $m$ because
    $c_3 c_1^{-1/x} c_2^{-1/y} = (w u^{-1/x} v^{-1/y})^m = g^{(T-(R+S))m}$

Commitment scheme
• Commitment to $m \in Z_p$
    $c = (u^m f^r, v^m h^s, w^m g^{r+s})$
• Homomorphic
    $(u^m f^r, v^m h^s, w^m g^{r+s}) \cdot (u^M f^R, v^M h^S, w^M g^{R+S}) = (u^{m+M} f^{r+R}, v^{m+M} h^{s+S}, w^{m+M} g^{r+R+s+S})$
• Witness indistinguishable proof of commitment to message 0 or 1
    - Perfect sound on perfect binding key
    - Perfect WI on perfect trapdoor key

Commitment scheme
• Homomorphic
• Two types of indistinguishable public keys:
    - Perfect trapdoor
    - Perfect binding
• Witness indistinguishable proof that commitment contains 0 or 1
    - Perfect soundness on perfect binding key
    - Perfect WI on perfect trapdoor key

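NIZK proof for Circuit SAT
[Figure: circuit with input wires $w_1, w_2, w_3$; a NAND gate on $w_1, w_2$ produces $w_4$; a NAND gate on $w_4, w_3$ produces the output 1]
Circuit SAT is NP complete
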
NIZK proof for Circuit SAT
[Figure: the same circuit annotated with commitments and WI proofs]
• Commitments: $c_1 = com(w_1)$, $c_2 = com(w_2)$, $c_3 = com(w_3)$, $c_4 = com(w_4)$, output wire $com(1)$
• WI proof that each of $c_1, c_2, c_3, c_4$ is a commitment to 0 or 1
• WI proof that $w_4 = \neg(w_1 \wedge w_2)$
• WI proof that $1 = \neg(w_4 \wedge w_3)$

WI proof for NAND-gate
Given $c_0, c_1, c_2$ commitments containing bits $b_0, b_1, b_2$, wish to prove $b_2 = \neg(b_0 \wedge b_1)$

    $b_2 = \neg(b_0 \wedge b_1)$
if and only if
    $b_0 + b_1 + 2b_2 - 2 \in \{0, 1\}$

WI proof that $c_0 c_1 c_2^2 \, com(-2)$ is a commitment to 0 or 1

NIZK proof for Circuit SAT
• Commit to all wires $w_i$ as $c_i = com(w_i)$
• For each $i$ make WI proof that $c_i$ contains 0 or 1
• For each NAND-gate make WI proof that $c_0 c_1 c_2^2 \, com(-2)$ contains 0 or 1

Perfect completeness
Perfect binding key - perfect soundness
Perfect trapdoor key - perfect zero-knowledge

Perfect NIZK on perfect trapdoor key
Simulation:
• Make trapdoor commitments
• Trapdoor-open relevant commitments to 0 and WI prove

Proof that simulation works on $C$ with $w$ so $C(w) = 1$:
• Can trapdoor-open commitments to $w_i$'s and WI prove
    By perfect witness-indistinguishability of the WI proofs indistinguishable from simulation
• Can from the start make commitments to $w_i$'s
    By perfect hiding of the commitments indistinguishable from previous method
    Corresponds to real proof on trapdoor key

Non-interactive zaps
Naïve idea:
    Prover chooses public key and makes NIZK proof
Problem: Can choose trapdoor key and prove anything
Better idea:
    Prover chooses two public keys and makes an NIZK proof with each of them
Makes choice so:
    One is trapdoor, one is perfect binding
    Verifiable that at least one key is perfect binding
    Verifier cannot tell which key is trapdoor

Choosing two keys
Generate group $(p, G, G_T, e, g)$
E.g., elliptic curve $E: y^2 = x^3 + 1 \bmod q$, where $q$ is the smallest suitable prime so $E$ has an order $p$ subgroup. Easy to verify $p$ is prime, $p$ defines $(G, G_T, e)$, easy to verify that $g$ is an order $p$ point on the curve.
Choose $x, y \leftarrow Z_p^*$, $R, S \leftarrow Z_p$ and set
    $f = g^x$, $h = g^y$, $u = f^R$, $v = h^S$, $w = g^{R+S}$
Output two public keys
    $(p, G, G_T, e, g, f, h, u, v, w)$
    $(p, G, G_T, e, g, f, h, u, v, wg)$
At least one must be perfectly binding, but by the decisional linear assumption it is hard to tell which one
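
The commitment algebra from the "Commitment scheme", "WI proof for NAND-gate" and "Choosing two keys" slides, as an added Python example that is not from the talk. It assumes a constructed toy subgroup of $Z_q^*$ with no pairing; the function names are hypothetical, and `extract` uses the secret exponents x, y only to check the algebra (in the scheme the WI proof takes that role).

```python
import secrets

# Toy group (constructed): order-p subgroup of Z_q^*, q = 2p + 1. No pairing,
# and far too small to be secure; it only exercises the algebra.
q, p, g = 2039, 1019, 4

def two_keys():
    """Slide recipe: (.., w) with T = R+S is trapdoor, (.., w*g) is binding."""
    x, y = (1 + secrets.randbelow(p - 1) for _ in range(2))
    R, S = (secrets.randbelow(p) for _ in range(2))
    f, h = pow(g, x, q), pow(g, y, q)
    pk0 = (f, h, pow(f, R, q), pow(h, S, q), pow(g, (R + S) % p, q))
    pk1 = pk0[:4] + (pk0[4] * g % q,)
    return pk0, pk1, (x, y, R, S)

def commit(pk, m, r, s):
    """c = (u^m f^r, v^m h^s, w^m g^(r+s))."""
    f, h, u, v, w = pk
    m %= p
    return (pow(u, m, q) * pow(f, r, q) % q,
            pow(v, m, q) * pow(h, s, q) % q,
            pow(w, m, q) * pow(g, (r + s) % p, q) % q)

def mul(c, d):
    """Homomorphic combination: componentwise product adds the messages."""
    return tuple(a * b % q for a, b in zip(c, d))

def extract(sk, c):
    """On pk1 (T - R - S = 1): c3 * c1^(-1/x) * c2^(-1/y) = g^m."""
    x, y, _, _ = sk
    e1, e2 = p - pow(x, -1, p), p - pow(y, -1, p)
    return c[2] * pow(c[0], e1, q) * pow(c[1], e2, q) % q

def equivocate(sk, r, s):
    """On pk0 (trapdoor): reopen com(0; r, s) as com(1; r-R, s-S)."""
    _, _, R, S = sk
    return (r - R) % p, (s - S) % p

def nand_check(pk1, sk, b0, b1, b2):
    """True iff c0*c1*c2^2*com(-2) holds 0 or 1, i.e. b2 = NAND(b0, b1)."""
    rnd = lambda: secrets.randbelow(p)
    c0, c1, c2 = (commit(pk1, b, rnd(), rnd()) for b in (b0, b1, b2))
    combined = mul(mul(c0, c1), mul(mul(c2, c2), commit(pk1, -2, 0, 0)))
    return extract(sk, combined) in (1, g)
```

On the trapdoor key `pk0` the same `extract` returns 1 for every commitment, which is the perfect hiding property; on `pk1` it returns $g^m$.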

Witness-indistinguishability
Circuit $C$ and two witnesses $w_0$, $w_1$. Each proof line lists the proof made on $pk_0$, then the proof made on $pk_1$.
• Generate $pk_0$ perfect trapdoor and $pk_1$ perfect binding
• $pk_0$: NIZK proof using $w_0$; $pk_1$: NIZK proof using $w_0$
• $pk_0$: simulate proof on trapdoor $pk_0$; $pk_1$: NIZK proof using $w_0$
• $pk_0$: NIZK proof using $w_1$; $pk_1$: NIZK proof using $w_0$
• Switch to $pk_0$ perfect binding and $pk_1$ perfect trapdoor
• $pk_0$: NIZK proof using $w_1$; $pk_1$: simulate proof on trapdoor $pk_1$
• $pk_0$: NIZK proof using $w_1$; $pk_1$: NIZK proof using $w_1$
• Switch back to $pk_0$ perfect trapdoor and $pk_1$ perfect binding

WI proof for message 0 or 1
$(c_1, c_2, c_3) = (u^m f^r, v^m h^s, w^m g^{r+s})$
$(c_1, c_2, c_3)$ is a commitment to 0 or 1 if and only if
    $(c_1, c_2, c_3)$ or $(c_1/u, c_2/v, c_3/w)$ contain 0
$(c_1, c_2, c_3)$ contains 0 if and only if
    $(c_1, c_2, c_3^{-1}) = (f^r, h^s, g^{-(r+s)})$
Similarly for $(c_1/u, c_2/v, c_3/w)$
We'll present a general proof that given
$(A = f^a, B = h^b, C = g^c)$ and $(X = f^x, Y = h^y, Z = g^z)$
then $(a+b+c)(x+y+z) = 0$

WI proof for message 0 or 1
Examine matrix:

$$\begin{pmatrix} e(A, X) & e(A, Y) & e(A, Z) \\ e(B, X) & e(B, Y) & e(B, Z) \\ e(C, X) & e(C, Y) & e(C, Z) \end{pmatrix}$$

Note that verifier can generate this matrix

WI proof for message 0 or 1
Suppose prover knows $(a, b, c)$

$$\begin{pmatrix} e(f, X^a) & e(f, Y^a) & e(f, Z^a) \\ e(h, X^b) & e(h, Y^b) & e(h, Z^b) \\ e(g, X^c) & e(g, Y^c) & e(g, Z^c) \end{pmatrix}$$

• The right-hand entries convince the verifier that $a+b+c = 0$ (each column multiplies to 1)
• Similarly, if prover knows $(x, y, z)$ can reveal left-hand entries and rows multiply to 1
• Bad: Tells verifier which witness used

WI proof for message 0 or 1
Blind across diagonal

$$\begin{pmatrix} e(f, X^a) & e(f, h^t Y^a) & e(f, g^{-t} Z^a) \\ e(h, f^{-t} X^b) & e(h, Y^b) & e(h, g^t Z^b) \\ e(g, f^t X^c) & e(g, h^{-t} Y^c) & e(g, Z^c) \end{pmatrix}$$

• If both $a+b+c = 0$ and $x+y+z = 0$ then the matrix is distributed identically to its transpose
• It hides perfectly whether we are looking at rows or columns

Summary
• Homomorphic commitments with indistinguishable trapdoor/binding keys and WI proofs for message 0 or 1
• NIZK proofs from such commitments
• Simple and efficient $O(|C|k)$ bit-size non-interactive zaps
    - Perfect completeness
    - Perfect soundness
    - Computational WI

				