
Proofs of Restricted Shuffles. Björn Terelius and Douglas Wikström, KTH


  1. Proofs of Restricted Shuffles
     Björn Terelius and Douglas Wikström, KTH, Stockholm, May 3, 2010
     Sections: Introduction; Proof of Knowledge of Permutation Matrix; Restricted Permutations

  4. A motivating example: Voting
     Consider a voting system where each voter submits an encrypted vote.
     ◮ How can we ensure that the voters remain anonymous when the votes are decrypted?
     ◮ There are two main ways to achieve this: homomorphic tallying [CGS97] and mixnets [Cha81].

  5. Mixnets
     [Figure: senders $S_1, \ldots, S_N$ submit ciphertexts $E(m_1), \ldots, E(m_N)$ to the mixnet MN, which outputs $m_{\pi(1)}, \ldots, m_{\pi(N)}$.]

  7. Mixnets (2)
     ◮ How can we implement a mixnet?
     ◮ Chain of mixservers, each permutes and re-encrypts its list of inputs.
     [Figure: lists $L_0, L_1, L_2, \ldots, L_{k-1}, L_k$ passing through mixservers $T_1, T_2, \ldots, T_k$ in a chain.]

  11. Proof of a shuffle
     ◮ How can we verify that a server really permutes and re-encrypts the votes?
     ◮ Let each server produce an interactive zero-knowledge proof, a proof of a shuffle [SK95, Nef01, FS01].
     ◮ Like [FS01], we will construct a proof that a commitment contains a permutation matrix.
     ◮ One can then prove that the encrypted votes are permuted accordingly.

  14. Test for permutation matrices
     M permutation matrix:
     $$M = \begin{pmatrix} 0 & 1 & 0 \\ 1 & 0 & 0 \\ 0 & 0 & 1 \end{pmatrix}, \qquad Mx = \begin{pmatrix} x_2 \\ x_1 \\ x_3 \end{pmatrix}, \qquad \prod_{i=1}^{N} \langle m_i, x \rangle = x_2 x_1 x_3 = x_1 x_2 x_3$$
     M not permutation matrix:
     $$M = \begin{pmatrix} 0 & 1 & 0 \\ 2 & 0 & -1 \\ 0 & 0 & 1 \end{pmatrix}, \qquad Mx = \begin{pmatrix} x_2 \\ 2x_1 - x_3 \\ x_3 \end{pmatrix}, \qquad \prod_{i=1}^{N} \langle m_i, x \rangle = x_2 (2x_1 - x_3) x_3 \neq x_1 x_2 x_3$$

  16. Test for permutation matrices
     Theorem (Permutation Matrix). Let $M = (m_{i,j})$ be an $N \times N$ matrix over $\mathbb{Z}_q$ and $x = (x_1, \ldots, x_N)$ be a list of variables. Then $M$ is a permutation matrix if and only if
     $$\prod_{i=1}^{N} \langle m_i, x \rangle = \prod_{i=1}^{N} x_i \quad \text{and} \quad M \mathbf{1} = \mathbf{1}.$$
     Lemma (Schwartz-Zippel). Let $f \in \mathbb{Z}_q[x_1, \ldots, x_N]$ be a non-zero polynomial of total degree $d$ and let $e_1, \ldots, e_N$ be chosen randomly from $\mathbb{Z}_q$. Then
     $$\Pr[f(e_1, \ldots, e_N) = 0] \le \frac{d}{q}.$$
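
The theorem and lemma combine into a randomized check on a matrix given in the clear, shown here as an added example that is not part of the original slides. The modulus `Q`, the function names and the `SCALED` matrix are assumptions made for illustration; `PERM` and `NOT_PERM` are the two matrices from the slides.

```python
import secrets

Q = 2**61 - 1  # constructed prime modulus standing in for the group order q

def rows_sum_to_one(M):
    """Second condition of the theorem: M * 1 = 1 over Z_q."""
    return all(sum(row) % Q == 1 for row in M)

def product_test(M, e):
    """First condition evaluated at a point e: prod_i <m_i, e> == prod_i e_i."""
    lhs = rhs = 1
    for row, e_i in zip(M, e):
        lhs = lhs * (sum(a * b for a, b in zip(row, e)) % Q) % Q
        rhs = rhs * e_i % Q
    return lhs == rhs

def is_permutation_matrix(M, rounds=1):
    """Accepts every permutation matrix; by Schwartz-Zippel a non-permutation
    matrix passes one round with probability at most N/q (total degree N)."""
    if not rows_sum_to_one(M):
        return False
    n = len(M)
    return all(product_test(M, [secrets.randbelow(Q) for _ in range(n)])
               for _ in range(rounds))

# The two 3x3 matrices from the slides, plus one constructed matrix showing
# why the row-sum condition is needed: its product also equals x1*x2*x3.
PERM = [[0, 1, 0], [1, 0, 0], [0, 0, 1]]
NOT_PERM = [[0, 1, 0], [2, 0, -1], [0, 0, 1]]
SCALED = [[2, 0, 0], [0, (Q + 1) // 2, 0], [0, 0, 1]]  # (Q+1)//2 is 1/2 mod Q

if __name__ == "__main__":
    for name, M in [("PERM", PERM), ("NOT_PERM", NOT_PERM), ("SCALED", SCALED)]:
        print(name, is_permutation_matrix(M))
```

`NOT_PERM` satisfies the row-sum condition and is caught only by the product test, while `SCALED` passes the product test and is caught only by the row sums.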

  18. Recall Pedersen commitments
     Let $g, g_1$ be randomly chosen generators in a group of prime order $q$. The Pedersen commitment of $m \in \mathbb{Z}_q$ is
     $$C(m, s) = g^s g_1^m$$
     where $s$ is chosen randomly from $\mathbb{Z}_q$.
     ◮ perfectly hiding
     ◮ computationally binding
     ◮ homomorphic: $C(m, s)\, C(m', s') = C(m + m', s + s')$ and $C(m, s)^e = C(em, es)$

  20. Generalized Pedersen commitments [FS01]
     Let $g, g_1, \ldots, g_N$ be randomly chosen generators in a group of prime order $q$. We commit to a vector $m = (m_1, \ldots, m_N)^T$ by
     $$C(m, s) = g^s \prod_{i=1}^{N} g_i^{m_i}$$
     where $s$ is chosen randomly from $\mathbb{Z}_q$.
     ◮ perfectly hiding
     ◮ computationally binding
     ◮ homomorphic: $C(m, s)\, C(m', s') = C(m + m', s + s')$ and $C(m, s)^e = C(em, es)$

  21. Generalized Pedersen commitments
     We commit column-wise to an $N \times N$ matrix $M = (m_{i,j})$, so $a = C(M, s)$ is a list of $N$ commitments satisfying
     $$C(M, s)^e = C(Me, \langle s, e \rangle)$$
     where we use the convention $a^e = \prod_{i=1}^{N} a_i^{e_i}$.
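
The column-wise matrix commitment and the identity $C(M, s)^e = C(Me, \langle s, e \rangle)$ can be checked numerically, as in this added example, which is not part of the original slides. The toy group (`P`, `Q`), the generators `G` and `GS`, and all function names are assumptions; the parameters are far too small for real use and the generators are not chosen with unknown relative logarithms.

```python
P, Q = 2039, 1019   # constructed toy safe prime P = 2Q + 1; squares mod P have order Q
G = 4               # g
GS = [9, 25, 49]    # g_1..g_N for N = 3 (toy choice, see lead-in)

def commit(m, s):
    """Generalized Pedersen commitment C(m, s) = g^s * prod_i g_i^{m_i} mod P."""
    c = pow(G, s % Q, P)
    for g_i, m_i in zip(GS, m):
        c = c * pow(g_i, m_i % Q, P) % P
    return c

def commit_matrix(M, s):
    """Column-wise commitment: a_j = C(column j of M, s_j)."""
    return [commit(col, s_j) for col, s_j in zip(zip(*M), s)]

def vec_pow(a, e):
    """The slides' convention a^e = prod_i a_i^{e_i}."""
    out = 1
    for a_i, e_i in zip(a, e):
        out = out * pow(a_i, e_i % Q, P) % P
    return out

def mat_vec(M, e):
    """Matrix-vector product Me over Z_q."""
    return [sum(m * x for m, x in zip(row, e)) % Q for row in M]

def identity_holds(M, s, e):
    """Check C(M, s)^e == C(Me, <s, e>) for concrete M, s, e."""
    a = commit_matrix(M, s)
    s_dot_e = sum(x * y for x, y in zip(s, e)) % Q
    return vec_pow(a, e) == commit(mat_vec(M, e), s_dot_e)

if __name__ == "__main__":
    M = [[0, 1, 0], [1, 0, 0], [0, 0, 1]]   # permutation matrix from the slides
    s, e = [5, 17, 101], [7, 11, 13]        # constructed randomness and exponents
    print(identity_holds(M, s, e))
```

Only the public list `a` and the vector `e` are needed to compute the left-hand side, so anyone can derive a commitment to `Me` without learning `M`.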

  23. A review of sigma proofs
     A sigma proof is a three-message protocol such that
     1. the view of the verifier can be simulated for any given challenge
     2. a witness can be computed from any pair of accepting transcripts with the same random tape and distinct challenges

  24. Example: Proof of knowledge of discrete logarithm
     P wants to prove knowledge of $x$ such that $y = g^x$.
     1. P chooses $r$ at random and sends $\alpha = g^r$
     2. V sends a random challenge $c$
     3. P responds with $d = cx + r$
     V accepts the proof iff $y^c \alpha = g^d$
