1,557 research outputs found

    An Efficient Pairing-Based Shuffle Argument

    Get PDF
    We construct the most efficient known pairing-based NIZK shuffle argument. It consists of three subarguments that were carefully chosen to obtain optimal efficiency of the shuffle argument: * A same-message argument based on the linear subspace QANIZK argument of Kiltz and Wee, * A (simplified) permutation matrix argument of Fauzi, Lipmaa, and Zając, * A (simplified) consistency argument of Groth and Lu. We prove the knowledge-soundness of the first two subarguments in the generic bilinear group model, and the culpable soundness of the third subargument under a KerMDH assumption. This proves the soundness of the shuffle argument. We also discuss our partially optimized implementation that allows one to prove a shuffle of 100 000100\,000 ciphertexts in less than a minute and verify it in less than 1.51.5 minutes

    On Money as a Means of Coordination between Network Packets

    Full text link
    In this work, we apply a common economic tool, namely money, to coordinate network packets. In particular, we present a network economy, called PacketEconomy, where each flow is modeled as a population of rational network packets, and these packets can self-regulate their access to network resources by mutually trading their positions in router queues. Every packet of the economy has its price, and this price determines if and when the packet will agree to buy or sell a better position. We consider a corresponding Markov model of trade and show that there are Nash equilibria (NE) where queue positions and money are exchanged directly between the network packets. This simple approach, interestingly, delivers improvements even when fiat money is used. We present theoretical arguments and experimental results to support our claims

    Efektiivsed mitteinteraktiivsed nullteadmusprotokollid referentssÔne mudelis

    Get PDF
    VĂ€itekirja elektrooniline versioon ei sisalda publikatsioone.Koos digitaalse ajastu vĂ”idukĂ€iguga on interneti vahendusel vĂ”imalik sooritada ĂŒha ulmelisemana nĂ€ivaid tegevusi. TĂ€ielikule krĂŒpteeringule ehitatud mobiilsed rakendused, nagu nĂ€iteks WhatsApp, suudavad tagada, et kĂ”ne vĂ”i sĂ”num jĂ”uaksid ĂŒksnes Ă”ige adressaadini. Enamik pangasĂŒsteeme garanteerivad TLS protokolli kasutades, et arvete maksmisel ja ĂŒlekannete tegemisel poleks nende andmeid kellelgi vĂ”imalik lugeda ega muuta. MĂ”ned riigid pakuvad vĂ”imalust elektroonilisel teel hÀÀletada (nĂ€iteks Eesti) vĂ”i referendumeid lĂ€bi viia (nĂ€iteks Ć veits), tagades sealjuures traditsioonilise paberhÀÀletuse tasemel turvalisuse kriteeriumid. KĂ”ik eelnevalt kirjeldatud tegevused vajavad kasutajate turvalisuse tagamiseks krĂŒptograafilist protokolli. Tegelikkuses ei saa me kunagi eeldada, et kĂ”ik protokolli osapooled jĂ€rgivad protokolli spetsifikatsiooni. Reaalses elus peab protokolli turvalisuseks iga osapool tĂ”estama, et ta seda jĂ€rgis ilma privaatsuse ohverdamiseta. Üks viis seda teha on nullteadmusprotokolli abil. Nullteadmusprotokoll on tĂ”estus, mis ei lekita mingit informatsiooni peale selle, et vĂ€ide on tĂ”ene. Tihti tahame, et nullteadmusprotokoll oleks mitteinteraktiivne. Sellisel juhul piisab, kui tĂ”estus on arvutatud ainult ĂŒhe korra ning verifitseerijatel on igal ajal vĂ”imalik seda kontrollida. On kaks peamist mudelit, mis vĂ”imaldavad mitteinteraktiivsete nullteadmusprotokollide loomist: juhusliku oraakli (JO) mudel ja referentssĂ”ne mudel. JO mudeli protokollid on vĂ€ga efektiivsed, kuid mĂ”ningate piirangute tĂ”ttu eelistame referentssĂ”ne mudelit. Selles töös esitleme kolme stsenaariumit, milles mitteinteraktiivne nullteadmus on asjakohane: verifitseeritav arvutamine, autoriseerimine ja elektrooniline hÀÀletamine. Igas stsenaariumis pakume vĂ€lja nullteadmusprotokolli referentssĂ”ne mudelis, mis on seni efektiivseim ning vĂ”rreldava efektiivsusega protokollidega JO mudelis.In the current digital era, we can do increasingly astonishing activities remotely using only our electronic devices. Using mobile applications such as WhatsApp, we can contact someone with the guarantee, using an end-to-end encryption protocol, that only the recipient can know the conversation's contents. Most banking systems enable us to pay our bills and perform other financial transactions, and use the TLS protocol to guarantee that no one can read or modify the transaction data. Some countries provide an option to vote electronically in an election (e.g. Estonia) or referendum (e.g. Switzerland) with similar privacy guarantees to traditional paper voting. In all these activities, a cryptographic protocol is required to ensure users' privacy. In reality, some parties participating in a protocol might not act according to what was agreed in the protocol specification. Hence, for a real world protocol to be secure, we also need each party to prove that it behaves honestly, but without sacrificing privacy of its inputs. This can be done using a zero-knowledge argument: a proof by a polynomial-time prover that gives nothing else away besides its correctness. In many cases, we want a zero-knowledge argument to be non-interactive and transferable, so that it is computed only once, but can be verified by many verifiers at any future time. There are two main models that enable transferable non-interactive zero-knowledge (NIZK) arguments: the random oracle (RO) model and the common reference string (CRS) model. Protocols in the RO model are very efficient, but due to some of its limitations, we prefer working in the CRS model. In this work we provide three scenarios where NIZK arguments are relevant: verifiable computation, authorization, and electronic voting. In each scenario, we propose NIZK arguments in the CRS model that are more efficient than existing ones, and are comparable in efficiency to the best known NIZK arguments in the RO model

    Verifiable Elections That Scale for Free

    Get PDF
    In order to guarantee a fair and transparent voting process, electronic voting schemes must be verifiable. Most of the time, however, it is important that elections also be anonymous. The notion of a verifiable shuffle describes how to satisfy both properties at the same time: ballots are submitted to a public bulletin board in encrypted form, verifiably shuffled by several mix servers (thus guaranteeing anonymity), and then verifiably decrypted by an appropriate threshold decryption mechanism. To guarantee transparency, the intermediate shuffles and decryption results, together with proofs of their correctness, are posted on the bulletin board throughout this process. In this paper, we present a verifiable shuffle and threshold decryption scheme in which, for security parameter k, L voters, M mix servers, and N decryption servers, the proof that the end tally corresponds to the original encrypted ballots is only O(k(L + M + N)) bits long. Previous verifiable shuffle constructions had proofs of size O(kLM + kLN), which, for elections with thousands of voters, mix servers, and decryption servers, meant that verifying an election on an ordinary computer in a reasonable amount of time was out of the question. The linchpin of each construction is a controlled-malleable proof (cm-NIZK), which allows each server, in turn, to take a current set of ciphertexts and a proof that the computation done by other servers has proceeded correctly so far. After shuffling or partially decrypting these ciphertexts, the server can also update the proof of correctness, obtaining as a result a cumulative proof that the computation is correct so far. In order to verify the end result, it is therefore sufficient to verify just the proof produced by the last server

    A structure theorem for streamed information

    Get PDF
    We identify the free half shuffle algebra of SchĂŒtzenberger [31] with an algebra of real-valued functionals on paths, where the half shuffle emulates the integration of a functional against another. We then provide two, to our knowledge, new identities in arity 3 involving its commutator (area), and show that these are sufficient to recover the Zinbiel and Tortkara identities introduced by Dzhumadil'daev [11]. We then use these identities to provide a simple proof of the main result of Diehl et al. [8], namely that any element of the free half shuffle algebra can be expressed as a polynomial over iterated areas. Moreover, we consider minimal sets of Hall iterated integrals defined through the recursive application of the half shuffle product to Hall trees. Leveraging the duality between this set of Hall integrals and classical Hall bases of the free Lie algebra, we prove using combinatorial arguments that any element of the free half shuffle algebra can be written uniquely as a polynomial over Hall integrals. We interpret this result as a structure theorem for streamed information, loosely analogous to the unique prime factorisation of integers, allowing to split any real valued function on streamed data into two parts: a first that extracts and packages the streamed information into recursively defined atomic objects (Hall integrals), and a second that evaluates a polynomial function in these objects without further reference to the original stream. The question of whether a similar result holds if Hall integrals are replaced by Hall areas is left as an open conjecture. Finally, we construct a canonical, but to our knowledge, new decomposition of the free half shuffle algebra as shuffle power series in the greatest letter of the original alphabet with coefficients in a sub-algebra freely generated by a new alphabet with an infinite number of letters. We use this construction to provide a second proof of our structure theorem

    A Shuffle Argument Secure in the Generic Model

    Get PDF
    We propose a new random oracle-less NIZK shuffle argument. It has a simple structure, where the first verification equation ascertains that the prover has committed to a permutation matrix, the second verification equation ascertains that the same permutation was used to permute the ciphertexts, and the third verification equation ascertains that input ciphertexts were ``correctly\u27\u27 formed. The new argument has 3.53.5 times more efficient verification than the up-to-now most efficient shuffle argument by Fauzi and Lipmaa (CT-RSA 2016). Compared to the Fauzi-Lipmaa shuffle argument, we (i) remove the use of knowledge assumptions and prove our scheme is sound in the generic bilinear group model, and (ii) prove standard soundness, instead of culpable soundness
    • 

    corecore