Cryptographic Shuffles and Their Applications

학위논문 (박사)-- 서울대학교 대학원 : 수리과학부, 2012. 8. 천정희.For anonymization purposes, one can use a mix-net. A mix-net is a multi-party protocol to shuffle elements so that neither of the parties knows the permutation linking the input and output. One way to construct a mix-net is to let a set of mixers, so called mix-servers, take turns in permuting and re-encrypting or decrypting the inputs. If at least one of the mixers is honest, the input data and the output data can no longer be linked. In this role, shuffling constitutes an important building block in anonymization protocols and voting schemes. The problem is that the standard shuffle requires anyone who shuffles the input messages to keep his random permutation and randomizers secret. The assumption of a party keeping the secret information may be in some ways quite strong. Secondly, for this anonymization guarantee to hold we do need to ensure that all mixers act according to the protocol. In general, zero-knowledge proofs (ZKPs) are used for this purpose. However, ZKPs requires the expensive cost in the light of computation and communication. In TCC 2007, Adida and Wikstr\"{o}m proposed a novel approach to shuffle, called a public shuffle, in which a shuffler can perform shuffle publicly without needing information kept secret. Their scheme uses an encrypted permutation matrix to shuffle ciphertexts publicly. This approach significantly reduces the cost of constructing a mix-net to verifiable joint decryption. Though their method is successful in making shuffle to be a public operation, their scheme still requires that some trusted parties should choose a permutation to be encrypted and construct zero-knowledge proofs on the well-formedness of this permutation. In this dissertation, we study a method to construct a public shuffle without relying on permutations generated privately: Given an $n$-tuple of ciphertext $(c_1,\dots,c_n)$, our shuffle algorithm computes $f_i(c_1,\dots,c_n)$ for $i=1,\dots,\ell$ where each $f_i(x_1,\dots,x_n)$ is a symmetric polynomial in $x_1,\dots,x_n$. Depending on the symmetric polynomials we use, we propose two concrete constructions. One is to use ring homomorphic encryption with a constant ciphertext complexity and the other is to use simple ElGamal encryption with a linear ciphertext complexity in the number of users. Both constructions are free of zero-knowledge proofs and publicly verifiable.Abstract i 1 Introduction 1 1.1 ABriefHistoryofShuffles .................... 1 1.2 WhyShufflinginPublicHard?.................. 2 1.3 CryptographicShuffleSchemes.................. 4 1.4 ContributionsofThisWork ................... 6 1.4.1 OurDefinitionalApproach................ 6 1.4.2 OurConstructions .................... 6 1.5 Organization ........................... 8 2 Preliminaries 9 2.1 Basics ............................... 9 2.2 PublicKeyEncryption...................... 10 2.2.1 IND-CPASecurity .................... 11 2.2.2 IND-CCASecurity .................... 14 2.3 HomomorphicPublic-keyEncryption . . . . . . . . . . . . . . 15 2.4 Zero-KnowledgeProofs...................... 18 2.4.1 Zero-KnowledgeVariants................. 19 2.4.2 ProofofKnowledge.................... 20 2.5 Public-KeyObfuscation ..................... 21 3 Verifiable Secret Shuffles: A Review 24 3.1 Introduction............................ 24 3.2 NotationandDefinitions..................... 25 3.3 Security .............................. 27 3.3.1 VerifiabilityforSecretShuffles.............. 27 3.3.2 UnlinkabilityExperiments ................ 28 3.4 SelectedPriorWork ....................... 29 3.4.1 Furukawa-SakoProtocol ................. 30 3.4.2 GrothProtocol ...................... 31 3.5 PublicShuffleswithPrivatePermutation . . . . . . . . . . . . 33 3.5.1 Introduction........................ 33 3.5.2 AdidaandWikstro ̈mProtocol.............. 33 4 Verifiable Public Shuffles 36 4.1 Introduction............................ 36 4.2 GeneralizedShuffle ........................ 38 4.2.1 SyntaxofGeneralizedShuffle .............. 38 4.2.2 SecurityModel ...................... 39 4.2.3 CryptographicAssumption................ 43 4.3 Constructions from Ring Homomorphic Encryption . . . . . . 44 4.3.1 Construction from (n,n−1)-E . . . . . . . . . . 44 4.3.2 Construction from (1,n)-E ................ 45 4.4 Constructions from Group Homomorphic Encryption . . . . . 47 4.4.1 BuildingBlocks...................... 47 4.4.2 A Generalized Public Shuffle Scheme Based on Poly- nomialFactorization ................... 50 4.4.3 A Generalized Public Shuffle Scheme Based on Integer Factorization ....................... 58 5 Conclusion and Further Work 63 Abstract (in Korean) 72 Acknowledgement (in Korean) 74Docto