3 research outputs found
Cryptographic Shuffles and Their Applications
νμλ
Όλ¬Έ (λ°μ¬)-- μμΈλνκ΅ λνμ : μ리과νλΆ, 2012. 8. μ²μ ν¬.For anonymization purposes, one can use a mix-net.
A mix-net is a multi-party protocol to
shuffle elements so that neither of the parties knows the permutation linking the
input and output.
One way to construct
a mix-net is to let a set of mixers, so called mix-servers, take turns in permuting and re-encrypting or
decrypting the inputs. If at least one of the mixers is honest, the input data and
the output data can no longer be linked.
In this role, shuffling
constitutes an important building block in anonymization protocols and voting
schemes.
The problem is that
the standard shuffle requires anyone who shuffles the input messages
to keep his random permutation and randomizers secret.
The assumption of a party keeping the secret information
may be in some ways quite strong.
Secondly, for this anonymization guarantee to
hold we do need to ensure that all mixers act according to the protocol.
In general, zero-knowledge proofs (ZKPs) are used for this purpose.
However, ZKPs requires the expensive cost in the light of
computation and communication.
In TCC 2007, Adida and Wikstr\"{o}m proposed a novel approach to
shuffle, called a public shuffle,
in which a shuffler can perform shuffle publicly without needing information kept secret.
Their scheme uses an encrypted permutation matrix to shuffle
ciphertexts publicly.
This approach significantly reduces the cost of constructing a mix-net
to verifiable joint decryption. Though their method is successful in making
shuffle to be a public operation, their scheme
still requires that some trusted parties should choose a permutation
to be encrypted and construct zero-knowledge proofs on the
well-formedness of this permutation.
In this dissertation, we study a method to construct a public shuffle
without relying on permutations generated privately: Given an
-tuple of ciphertext , our shuffle algorithm
computes for where each
is a symmetric polynomial in .
Depending on the symmetric polynomials we use, we propose two concrete constructions.
One is to use ring homomorphic encryption with a constant ciphertext
complexity and the other is to use simple ElGamal encryption with a
linear ciphertext complexity in the number of users. Both
constructions are free of zero-knowledge proofs and publicly
verifiable.Abstract i
1 Introduction 1
1.1 ABriefHistoryofShuffles .................... 1
1.2 WhyShufflinginPublicHard?.................. 2
1.3 CryptographicShuffleSchemes.................. 4
1.4 ContributionsofThisWork ................... 6
1.4.1 OurDefinitionalApproach................ 6
1.4.2 OurConstructions .................... 6
1.5 Organization ........................... 8
2 Preliminaries 9
2.1 Basics ............................... 9
2.2 PublicKeyEncryption...................... 10
2.2.1 IND-CPASecurity .................... 11
2.2.2 IND-CCASecurity .................... 14
2.3 HomomorphicPublic-keyEncryption . . . . . . . . . . . . . . 15
2.4 Zero-KnowledgeProofs...................... 18
2.4.1 Zero-KnowledgeVariants................. 19
2.4.2 ProofofKnowledge.................... 20
2.5 Public-KeyObfuscation ..................... 21
3 Verifiable Secret Shuffles: A Review 24
3.1 Introduction............................ 24
3.2 NotationandDefinitions..................... 25
3.3 Security .............................. 27
3.3.1 VerifiabilityforSecretShuffles.............. 27
3.3.2 UnlinkabilityExperiments ................ 28
3.4 SelectedPriorWork ....................... 29
3.4.1 Furukawa-SakoProtocol ................. 30
3.4.2 GrothProtocol ...................... 31
3.5 PublicShuffleswithPrivatePermutation . . . . . . . . . . . . 33
3.5.1 Introduction........................ 33
3.5.2 AdidaandWikstro ΜmProtocol.............. 33
4 Verifiable Public Shuffles 36
4.1 Introduction............................ 36
4.2 GeneralizedShuffle ........................ 38
4.2.1 SyntaxofGeneralizedShuffle .............. 38
4.2.2 SecurityModel ...................... 39
4.2.3 CryptographicAssumption................ 43
4.3 Constructions from Ring Homomorphic Encryption . . . . . . 44
4.3.1 Construction from (n,nβ1)-E . . . . . . . . . . 44
4.3.2 Construction from (1,n)-E ................ 45
4.4 Constructions from Group Homomorphic Encryption . . . . . 47 4.4.1 BuildingBlocks...................... 47
4.4.2 A Generalized Public Shuffle Scheme Based on Poly- nomialFactorization ................... 50
4.4.3 A Generalized Public Shuffle Scheme Based on Integer Factorization ....................... 58
5 Conclusion and Further Work 63
Abstract (in Korean) 72
Acknowledgement (in Korean) 74Docto