## A Verifiable Secret Shuffle of Homomorphic Encryptions (2003)


Citations: 66 (7 self)

### BibTeX

```bibtex
@MISC{Groth03averifiable,
  author = {Jens Groth},
  title = {A Verifiable Secret Shuffle of Homomorphic Encryptions},
  year = {2003}
}
```


### Abstract

We show how to prove in honest verifier zero-knowledge the correctness of a shuffle of homomorphic encryptions (or homomorphic commitments). A shuffle consists in a rearrangement of the input ciphertexts and a reencryption of them so that the permutation is not revealed. Our scheme

### Citations

1380 | Random oracles are practical: A paradigm for designing efficient protocols
- Bellare, Rogaway
- 1993
Citation context: ...verifier’s challenges are computed by applying a cryptographic hash-function to the transcript of the protocol. Security can be argued heuristically in the random oracle model by Bellare and Rogaway [5]. In the random oracle model, the hash-function is modeled as a random oracle that returns a random string on each input it has not been queried before. 2.5 Setup We will construct a 7-round public co...

1246 | Untraceable electronic mail, return addresses, and digital pseudonyms
- Chaum
- 1981
Citation context: ...) but will not reveal the permutation or the randomizers used in the re-encryption step (honest verifier zero-knowledge). APPLICATIONS. Shuffling is the key building block in most mix-nets. A mix-net [8] is a multi-party protocol run by a group of mix-servers to shuffle elements so that nobody knows the permutation linking the input and output. To mix ciphertexts we may let the mix-servers one after...

1156 | A public key cryptosystem and a signature scheme based on discrete logarithms
- Elgamal
- 1985
Citation context: ...shuffle do not have these drawbacks and achieve better efficiency than [52]. Several papers have suggested zero-knowledge arguments for correctness of a shuffle, usually shuffling ElGamal ciphertexts [16]. Sako and Kilian [50] use cut-and-choose methods and is thus not very efficient. Abe [1] (corrected by Abe and Hoshino [2]) uses permutation networks and obtains reasonable efficiency. Currently there...

666 | Public-key cryptosystems based on composite degree residue classes
- Paillier
- 1999
Citation context: ...actical HVZK argument for correctness of a shuffle. A couple of other works [40, 44] also use the permutation matrix idea to obtain HVZK arguments for correctness of a shuffle of Paillier ciphertexts [45]. Following this paradigm we also have Furukawa et al. [19, 18] suggesting arguments for correctness of a combined shuffle-and-decrypt operation, an operation that is used in some decrypting mix-nets....

393 | Non-interactive and information-theoretic secure verifiable secret sharing
- Pedersen
- 1992

275 | Proofs of partial knowledge and simplified design of witness hiding protocols
- Cramer, Damgård, et al.
- 1994

239 | Factoring Integers with Elliptic Curves
- Lenstra
Citation context: ...e decided in polynomial time. For Paillier encryption, all we need to verify is that there are no small prime factors in the modulus, which can be checked in heuristic polynomial time using Lenstra’s [33] elliptic curve factorization method. For other homomorphic cryptosystems, it may not be easy to decide whether the key is correct, however, we may be working in a scenario, where it is correctly setu...

168 | A verifiable secret shuffle and its application to e-voting
- Neff
Citation context: ...g arguments for correctness of a combined shuffle-and-decrypt operation, an operation that is used in some decrypting mix-nets. The other paradigm for verifying correctness of shuffles is due to Neff [36] and is based on polynomials being identical under permutation of their roots. Subsequent versions of that work [37, 38] correct some flaws and at the same time obtain higher efficiency. Unlike the Fu...

163 | A new public-key cryptosystem as secure as factoring
- Okamoto, Uchiyama

162 | A generalisation, a simplification and some applications of Paillier’s probabilistic public-key system
- Damgård, Jurik
- 2001

122 | Making mix nets robust for electronic voting by randomized partial checking
- Jakobsson, Juels, et al.
- 2002
Citation context: ..., 26, 7]. RELATED WORK. Chaum invented mix-nets in [8]. While his mix-net was based on shuffling, he did not suggest any method to guarantee correctness of the shuffles. Subsequent papers on mix-nets [6, 48, 28, 22, 31, 15, 29, 42, 30, 46, 48, 52] have tried in many ways to guarantee correctness of a shuffle, most of which have been partially or fully broken [3, 39, 53, 49]. Remaining are suggestions [15, 48, 28, 52], of which the first three...

108 | Efficient Concurrent Zero-Knowledge in the Auxiliary String Model. Eurocrypt 00
- Damgård
- 2000
Citation context: ...ry is common in the literature. We also remark that there are efficient techniques to convert SHVZK arguments into zero-knowledge arguments for arbitrary verifiers in the common reference string model [11, 21, 24]. WITNESS-EXTENDED EMULATION. The standard definition of a system for proof of knowledge by Bellare and Goldreich [4] does not work in our setting since the adversary may have non-zero probability of...

98 | An efficient scheme for proving a shuffle
- Furukawa, Sako
Citation context: ...nd Hoshino [2]) uses permutation networks and obtains reasonable efficiency. Currently there are two main paradigms that yield practical HVZK arguments for correctness of a shuffle. Furukawa and Sako [20] suggest a paradigm based on permutation matrices in the common reference string model. In this type of construction, we make a commitment to a permutation matrix, argue that we have committed to a pe...

91 | Receipt-free mix-type voting schemes - a practical solution to the implementation of voting booth
- Sako, Kilian
- 1995
Citation context: ...ese drawbacks and achieve better efficiency than [52]. Several papers have suggested zero-knowledge arguments for correctness of a shuffle, usually shuffling ElGamal ciphertexts [16]. Sako and Kilian [50] use cut-and-choose methods and is thus not very efficient. Abe [1] (corrected by Abe and Hoshino [2]) uses permutation networks and obtains reasonable efficiency. Currently there are two main paradigm...

87 | Efficient anonymous channel and all/nothing election scheme
- Park, Itoh, et al.
- 1993
Citation context: ..., 26, 7]. RELATED WORK. Chaum invented mix-nets in [8]. While his mix-net was based on shuffling, he did not suggest any method to guarantee correctness of the shuffles. Subsequent papers on mix-nets [6, 48, 28, 22, 31, 15, 29, 42, 30, 46, 48, 52] have tried in many ways to guarantee correctness of a shuffle, most of which have been partially or fully broken [3, 39, 53, 49]. Remaining are suggestions [15, 48, 28, 52], of which the first three...

81 | Universally verifiable mix-net with verification work independent of the number of mix-servers
- Abe
- 1998
Citation context: ...s have suggested zero-knowledge arguments for correctness of a shuffle, usually shuffling ElGamal ciphertexts [16]. Sako and Kilian [50] use cut-and-choose methods and is thus not very efficient. Abe [1] (corrected by Abe and Hoshino [2]) uses permutation networks and obtains reasonable efficiency. Currently there are two main paradigms that yield practical HVZK arguments for correctness of a shuffle....

78 | Parallel coin-tossing and constant-round secure two-party computation
- Lindell
Citation context: ...0% probability of making a convincing argument, where we nonetheless cannot extract a witness. We shall define an argument of knowledge through witness-extended emulation, the name taken from Lindell [35]. Lindell’s definition pertains to proofs of knowledge in the plain model, we will adapt his definition to the setting of public coin arguments in the common reference string model. Informally, our de...

72 | An integer commitment scheme based on groups with hidden order. Cryptology ePrint Archive, Report 2001/064
- Damgård, Fujisaki
- 2001

71 | A practical Mix
- Jakobsson
- 1998
Citation context: ..., 26, 7]. RELATED WORK. Chaum invented mix-nets in [8]. While his mix-net was based on shuffling, he did not suggest any method to guarantee correctness of the shuffles. Subsequent papers on mix-nets [6, 48, 28, 22, 31, 15, 29, 42, 30, 46, 48, 52] have tried in many ways to guarantee correctness of a shuffle, most of which have been partially or fully broken [3, 39, 53, 49]. Remaining are suggestions [15, 48, 28, 52], of which the first three...

66 | Flash Mixing
- Jakobsson
- 1999

44 | How to break the direct RSA-implementation of mixes
- Pfitzmann, Pfitzmann
- 1990
Citation context: ...huffles. Subsequent papers on mix-nets [6, 48, 28, 22, 31, 15, 29, 42, 30, 46, 48, 52] have tried in many ways to guarantee correctness of a shuffle, most of which have been partially or fully broken [3, 39, 53, 49]. Remaining are suggestions [15, 48, 28, 52], of which the first three have various drawbacks. Desmedt and Kurosawa [15] require that at most a small fraction of the mix-servers is corrupt. Peng et al...

42 | A Generalisation, a Simplification and some
- Damgård, Jurik
- 1992

38 | Almost Entirely Correct Mixing With Applications to Voting
- Boneh, Golle

35 | Remarks on mix-network based on permutation networks
- Abe, Hoshino
Citation context: ...rguments for correctness of a shuffle, usually shuffling ElGamal ciphertexts [16]. Sako and Kilian [50] use cut-and-choose methods and is thus not very efficient. Abe [1] (corrected by Abe and Hoshino [2]) uses permutation networks and obtains reasonable efficiency. Currently there are two main paradigms that yield practical HVZK arguments for correctness of a shuffle. Furukawa and Sako [20] suggest a...

34 | A length-invariant hybrid mix
- Ohkubo, Abe
- 2000

28 | A Length-Flexible Threshold Cryptosystem with Applications
- Damgård, Jurik

27 | Strengthening zero-knowledge protocols using signatures
- Garay, MacKenzie, et al.

21 | Four practical attacks for “optimistic mixing for exit-polls”
- Wikström
- 2003
Citation context: ...huffles. Subsequent papers on mix-nets [6, 48, 28, 22, 31, 15, 29, 42, 30, 46, 48, 52] have tried in many ways to guarantee correctness of a shuffle, most of which have been partially or fully broken [3, 39, 53, 49]. Remaining are suggestions [15, 48, 28, 52], of which the first three have various drawbacks. Desmedt and Kurosawa [15] require that at most a small fraction of the mix-servers is corrupt. Peng et al...

19 | A statistically-hiding integer commitment scheme based on groups with hidden order
- Damgård, Fujisaki
- 2002
Citation context: ...poses, we use a homomorphic commitment scheme with message space ℤ ...

19 | Verifiable shuffles: A formal model and a Paillier-based efficient construction with provable security
- Nguyen, Safavi-Naini, et al.
Citation context: ...n matrix and argue that the ciphertexts have been shuffled according to this permutation. It turns out that their protocol is not honest verifier zero-knowledge [19], but it does hide the permutation [40]. Furukawa [18] develops the permutation matrix idea further and obtains a practical HVZK argument for correctness of a shuffle. A couple of other works [40, 44] also use the permutation matrix idea t...

18 | Flaws in some robust optimistic mix-nets
- Abe, Imai
- 2003
Citation context: ...huffles. Subsequent papers on mix-nets [6, 48, 28, 22, 31, 15, 29, 42, 30, 46, 48, 52] have tried in many ways to guarantee correctness of a shuffle, most of which have been partially or fully broken [3, 39, 53, 49]. Remaining are suggestions [15, 48, 28, 52], of which the first three have various drawbacks. Desmedt and Kurosawa [15] require that at most a small fraction of the mix-servers is corrupt. Peng et al...

18 | Efficient cryptographic protocol design based on distributed El Gamal encryption
- Brandt
- 2005
Citation context: ...leak the permutation, the randomizers or any other information pertaining to the shuffle. Shuffle arguments have also found use as sub-protocols in more complex protocols or zero-knowledge arguments [32, 26, 7]. RELATED WORK. Chaum invented mix-nets in [8]. While his mix-net was based on shuffling, he did not suggest any method to guarantee correctness of the shuffles. Subsequent papers on mix-nets [6, 48, ...

17 | Non-interactive zero-knowledge arguments for voting
- Groth
- 2005
Citation context: ...leak the permutation, the randomizers or any other information pertaining to the shuffle. Shuffle arguments have also found use as sub-protocols in more complex protocols or zero-knowledge arguments [32, 26, 7]. RELATED WORK. Chaum invented mix-nets in [8]. While his mix-net was based on shuffling, he did not suggest any method to guarantee correctness of the shuffles. Subsequent papers on mix-nets [6, 48, ...

16 | The Vector-Ballot E-Voting Approach
- Kiayias, Yung
- 2004
Citation context: ...leak the permutation, the randomizers or any other information pertaining to the shuffle. Shuffle arguments have also found use as sub-protocols in more complex protocols or zero-knowledge arguments [32, 26, 7]. RELATED WORK. Chaum invented mix-nets in [8]. While his mix-net was based on shuffling, he did not suggest any method to guarantee correctness of the shuffles. Subsequent papers on mix-nets [6, 48, ...

14 | Verifiable mixing (shuffling) of ElGamal pairs
- Neff
- 2003
Citation context: ...trouble. It is an interesting open problem to come up with a highly efficient 3-move SHVZK proof for correctness of a shuffle. Our shuffle argument can be used for many different cryptosystems. Neff [36, 37] investigated the case of ElGamal encryption, which we will look a little closer at now. For SHVZK proofs it is reasonable to use groups of the same size both for the cryptosystem and for the commitme...

12 | Efficient and verifiable shuffling and shuffle-decryption
- Furukawa
- 2005
Citation context: ...gue that the ciphertexts have been shuffled according to this permutation. It turns out that their protocol is not honest verifier zero-knowledge [19], but it does hide the permutation [40]. Furukawa [18] develops the permutation matrix idea further and obtains a practical HVZK argument for correctness of a shuffle. A couple of other works [40, 44] also use the permutation matrix idea to obtain HVZK a...

11 | Verifiable shuffle of large size ciphertexts
- Groth, Lu
Citation context: ...rukawa [18] suggests a 3-move SHVZK argument where both the prover and the verifier uses 9...

10 | A public key cryptosystem based on the subgroup membership problem
- Nieto, Boyd, et al.
- 2001

7 | Honest verifier zero-knowledge arguments applied
- Groth
Citation context: ...ry is common in the literature. We also remark that there are efficient techniques to convert SHVZK arguments into zero-knowledge arguments for arbitrary verifiers in the common reference string model [11, 21, 24]. WITNESS-EXTENDED EMULATION. The standard definition of a system for proof of knowledge by Bellare and Goldreich [4] does not work in our setting since the adversary may have non-zero probability of...

5 | Efficient multi-exponentiation and application to batch verification of digital signatures. http://dasan.sejong.ac.kr/∼chlim/pub/multi exp.ps
- Lim
- 2000

5 | The Security of a Mix-Center Based on a Semantically Secure Cryptosystem
- Wikström
- 2002

4 | Parallel mixing
- Golle, Juels
- 2004

4 | A correct, private and efficient mix network
- Peng, Boyd, et al.

2 | An implementation of a universally verifiable electronic voting scheme based on shuffling
- Furukawa, Miyauchi, Obana, Sako
- 2002

1 | Cryptography in subgroups of ℤ∗
- Groth
- 2005
Citation context: ...poses, we use a homomorphic commitment scheme with message space ℤ ...

1 | Millimix: Mixing in small batches
- Jakobsson, Juels
- 1999

1 | Breaking and mending resilient mix-nets
- Nguyen, Safavi-Naini
- 2003

1 | Efficient electronic gambling: An extended implementation of the toolbox for mental card games
- Stamer
- 2005