Notes on the 2012 paper "Efficient Zero-Knowledge Argument for Correctness of a Shuffle" by Stephanie Bayer and Jens Groth.
The paper targets the shuffling of homomorphic encryptions used to build e-voting mix-nets and gives an honest-verifier zero-knowledge argument for the correctness of a shuffle of homomorphic encryptions. Proving and verifying the correctness of a shuffle of 100,000 ElGamal ciphertexts each take about 2 minutes.
1. Background
The argument has sublinear communication complexity: when shuffling $N = m \times n$ ciphertexts, $O(m+n)$ group elements are sent, and with $m = n$ the communication complexity reaches its minimum of $O(\sqrt{N})$.
The prover's computational complexity is $O(N \log m)$ exponentiations for a constant-round argument, or $O(N)$ exponentiations if a logarithmic number of rounds is allowed.
The verifier's computation is comparatively light.
The building block of the full shuffle argument: Neff's approach [Nef01] is based on the invariance of polynomials under permutation of the roots, i.e. permuting the roots $r_1, \dots, r_n$ leaves the polynomial $f(x) = (x - r_1)(x - r_2)\cdots(x - r_n)$ unchanged.
The paper introduces a multi-exponentiation argument that lets the prover use committed values as exponents without revealing them.
The shuffle argument built on these hidden committed values is similar to [Gro09], with some minor improvements.
It mainly exploits the multiplicative homomorphism of ElGamal encryption and the additive homomorphism of Pedersen commitments. Accordingly a common reference string $\sigma = (pk, ck)$ is needed, where $pk$ is the ElGamal public key and $ck$ the Pedersen commitment key. The two may be implemented over different groups, but both groups must have the same prime order $q$.
For ElGamal background see the blog post "ElGamal encryption VS Pairing encryption".
ElGamal encryption is multiplicatively homomorphic: $\varepsilon_{pk}(M;\rho)\cdot\varepsilon_{pk}(M';\rho') = \varepsilon_{pk}(MM';\rho+\rho')$.
Pedersen commitments are additively homomorphic: $com_{ck}(\vec a;r)\cdot com_{ck}(\vec b;s) = com_{ck}(\vec a+\vec b;r+s)$.
2. Shuffle argument
We need an argument of knowledge of a permutation $\pi \in \Sigma_N$ and randomness $\{\rho_i\}_{i=1}^N$ such that, for given ciphertexts $\{C_i\}_{i=1}^N$ and $\{C'_i\}_{i=1}^N$, we have $C'_i = C_{\pi(i)}\,\varepsilon_{pk}(1;\rho_i)$.
The shuffle argument is composed of a multi-exponentiation argument and a product argument:
multi-exponentiation argument: shows that the product of a set of ciphertexts raised to a set of committed exponents yields a particular ciphertext.
product argument: shows that a set of committed values has a particular product.
The main steps are:
1. The prover commits to the permutation, i.e. to $\pi(1), \dots, \pi(N)$. [first set of commitments]
2. The verifier sends the prover a challenge $x$.
3. The prover commits to $x^{\pi(1)}, \dots, x^{\pi(N)}$. [second set of commitments]
4. The prover gives an argument that it knows openings of the commitments to permutations of $1, \dots, N$ and of $x^1, \dots, x^N$ respectively, and that both sets of commitments use the same permutation [i.e. the second set commits to $x^1, \dots, x^N$ permuted in an order that was fixed before the prover saw $x$].
4.1 To show that both sets use the same permutation, the verifier sends the prover random challenges $y$ and $z$.
4.2 The prover commits to the values $d_1 - z = y\pi(1) + x^{\pi(1)} - z,\ \dots,\ d_N - z = y\pi(N) + x^{\pi(N)} - z$ and uses the product argument to show that $\prod_{i=1}^{N}(d_i - z) = \prod_{i=1}^{N}(yi + x^i - z)$. [View both sides as degree-$N$ polynomials in $z$: the $d_i$ are a permutation of the roots $yi + x^i$. By the Schwartz-Zippel lemma, for a given $z$ a cheating prover can find $d_i$ values that make the equation hold with probability at most $\frac{N}{q-1}$, which is negligible. Likewise, the probability that a prover forges two sets of commitments using different permutations that still satisfy the equation for the random $y$ is negligible.]
5. The prover uses the multi-exponentiation argument to show that there exists a $\rho$ such that $\prod_{i=1}^{N} C_i^{x^i} = \varepsilon_{pk}(1;\rho)\prod_{i=1}^{N}(C'_i)^{x^{\pi(i)}}$. This proves the shuffle relation between the ciphertexts $C_i$ and $C'_i$ without the verifier learning the permutation.
The full shuffle argument protocol is given in the paper's protocol figure.
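The three facts the argument above relies on, checked with the witness in the clear, as an added example (not code from the paper): the ElGamal and Pedersen homomorphisms of Section 1, the permutation-polynomial identity of step 4.2, and the multi-exponentiation identity of step 5, with $\rho = -\sum_i \rho_i x^{\pi(i)}$. The parameters ($p = 2039$, $q = 1019$, generators 4 and 9, Pedersen bases $(l+5)^2$) and the function names are this example's own toy choices and are not secure.

```python
import random

P, Q = 2039, 1019           # toy parameters p = 2q + 1, both prime (not secure)
G, H = 4, 9                 # 2^2 and 3^2: generators of the order-q subgroup of squares mod p
SK = 77                     # ElGamal secret key; the shuffle itself only needs PK
PK = pow(G, SK, P)
rng = random.Random(7)      # seeded so a run is reproducible


def enc(msg, rho):
    """ElGamal E_pk(msg; rho) = (g^rho, pk^rho * msg); msg must lie in the subgroup."""
    return (pow(G, rho % Q, P), pow(PK, rho % Q, P) * msg % P)


def dec(ct):
    return ct[1] * pow(ct[0], Q - SK, P) % P     # ct0^{-sk}, valid since ct0 has order q


def cmul(c1, c2):
    return (c1[0] * c2[0] % P, c1[1] * c2[1] % P)


def cpow(ct, e):
    return (pow(ct[0], e % Q, P), pow(ct[1], e % Q, P))


def com(vec, r):
    """Pedersen com_ck(vec; r) = h^r * prod_l g_l^{v_l}; toy bases g_l = (l+5)^2 mod p."""
    out = pow(H, r % Q, P)
    for l, v in enumerate(vec):
        out = out * pow((l + 5) ** 2 % P, v % Q, P) % P
    return out


def homomorphisms_hold():
    """E(M;rho)E(M';rho') = E(MM';rho+rho') and com(a;r)com(b;s) = com(a+b;r+s)."""
    M1, M2 = pow(G, 3, P), pow(G, 5, P)
    elgamal_ok = cmul(enc(M1, 11), enc(M2, 22)) == enc(M1 * M2 % P, 33)
    pedersen_ok = com([1, 2], 3) * com([4, 5], 6) % P == com([5, 7], 9)
    return elgamal_ok and pedersen_ok


def shuffle(cts, perm, rhos):
    """C'_i = C_{pi(i)} * E_pk(1; rho_i): permute and re-randomise (perm is 0-based)."""
    return [cmul(cts[perm[i]], enc(1, rhos[i])) for i in range(len(cts))]


def permutation_identity(perm, x, y, z):
    """prod_i (d_i - z) == prod_i (y*i + x^i - z) with d_i = y*pi(i) + x^{pi(i)}, pi 1-based."""
    lhs = rhs = 1
    for i in range(1, len(perm) + 1):
        pi_i = perm[i - 1] + 1
        lhs = lhs * (y * pi_i + pow(x, pi_i, Q) - z) % Q
        rhs = rhs * (y * i + pow(x, i, Q) - z) % Q
    return lhs == rhs


def multiexp_identity(cts, shuffled, perm, rhos, x):
    """prod_i C_i^{x^i} == E_pk(1; rho) prod_i (C'_i)^{x^{pi(i)}} with rho = -sum_i rho_i x^{pi(i)}."""
    lhs = rhs = (1, 1)
    rho = 0
    for i in range(1, len(cts) + 1):
        lhs = cmul(lhs, cpow(cts[i - 1], pow(x, i, Q)))
        e = pow(x, perm[i - 1] + 1, Q)
        rhs = cmul(rhs, cpow(shuffled[i - 1], e))
        rho = (rho - rhos[i - 1] * e) % Q
    return lhs == cmul(enc(1, rho), rhs)


def demo(N=5):
    """Shuffle N constructed encryptions of G^1..G^N and check both identities."""
    cts = [enc(pow(G, v, P), rng.randrange(Q)) for v in range(1, N + 1)]
    perm = list(range(N))
    rng.shuffle(perm)
    rhos = [rng.randrange(Q) for _ in range(N)]
    shuffled = shuffle(cts, perm, rhos)
    x, y, z = (rng.randrange(1, Q) for _ in range(3))
    same_plaintexts = sorted(map(dec, cts)) == sorted(map(dec, shuffled))
    return (same_plaintexts,
            permutation_identity(perm, x, y, z),
            multiexp_identity(cts, shuffled, perm, rhos, x))


if __name__ == "__main__":
    print(homomorphisms_hold(), demo())
```

Nothing here is zero-knowledge: the verifier-side equations are evaluated with $\pi$ and the $\rho_i$ known, which is exactly what the product argument and the multi-exponentiation argument let the prover establish without revealing them. A non-permutation (for instance `perm = [0, 0]`) makes `permutation_identity` fail for almost every $y, z$, which is the Schwartz-Zippel point of step 4.2.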
3. Multi-exponentiation Argument
The vectors $\vec a, \vec b$ in the shuffle argument of Section 2 are arranged as an $n \times m$ matrix, $N = nm$.
The multi-exponentiation argument used there is shown as a protocol figure in the paper; a simplified form is as follows.
Simplified description: assume $\rho = 0$. Public information: $\vec C_1, \dots, \vec C_m, C$; witness: $\vec a_1, \dots, \vec a_m$. The prover must show $C = \prod_{i=1}^{m}\vec C_i^{\vec a_i}$, where $\vec C_i^{\vec a_i} = \prod_{l=1}^{n} C_{il}^{a_{il}}$.
The basic flow:
1. The prover commits to $\vec a_1, \dots, \vec a_m$ in turn and sends $\vec c_A = (com_{ck}(\vec a_1; r_1), \dots, com_{ck}(\vec a_m; r_m))$ to the verifier.
2. The prover computes $E_k = \prod_{1 \le i,j \le m;\ j = (k-m)+i}\vec C_i^{\vec a_j}$ for $k = 1, \dots, 2m-1$ and sends $E_1, E_2, \dots, E_{2m-1}$ to the verifier [note that $E_m = C$].
3. The verifier sends the prover a challenge $x$.
4. The prover computes $\vec a = \sum_{j=1}^{m} x^j \vec a_j$ and sends the vector $\vec a$ to the verifier.
5. The verifier checks that $C^{x^m}\prod_{k=1;\,k \ne m}^{2m-1} E_k^{x^k} = \prod_{i=1}^{m}\vec C_i^{x^{m-i}\vec a}$; if it holds, $C = \prod_{i=1}^{m}\vec C_i^{\vec a_i}$ is established. The reasoning: $\prod_{i=1}^{m}\vec C_i^{x^{m-i}\vec a} = \prod_{i=1}^{m}\vec C_i^{x^{m-i}\sum_{j=1}^{m}x^j\vec a_j} = \prod_{i=1}^{m}\prod_{j=1}^{m}\vec C_i^{x^{m-i+j}\vec a_j} = \prod_{k=1}^{2m-1}\Big(\prod_{1 \le i,j \le m;\ j=(k-m)+i}\vec C_i^{\vec a_j}\Big)^{x^k} = \prod_{k=1}^{2m-1}E_k^{x^k}$, where the cells $(i,j)$ have been grouped by anti-diagonal $k = m - i + j$. Since $E_m = \prod_{i=1}^{m}\vec C_i^{\vec a_i}$, comparing with the verification equation gives $C^{x^m} = E_m^{x^m} = \big(\prod_{i=1}^{m}\vec C_i^{\vec a_i}\big)^{x^m}$, hence $C = \prod_{i=1}^{m}\vec C_i^{\vec a_i}$. (Both sides of the verification equation are degree-$(2m-1)$ polynomials in $x$ in the exponent, so for a random challenge $x$ they can agree only with negligible probability unless they agree as polynomials.) [Note: some formulas in the original paper contain typos.]
Points in the above flow where the witness may leak:
1) If steps 3 and 4 are rewound, a verifier that issues different challenges $x$ obtains different values $\vec a = \sum_{j=1}^{m} x^j \vec a_j$ from the prover and can solve for the witness $\vec a_1, \dots, \vec a_m$. To prevent this, a random vector $\vec a_0 \leftarrow \mathbb{Z}_q^n$ is introduced: the prover commits to $\vec a_0$ first and, after receiving the challenge $x$, reveals $\vec a = \vec a_0 + \sum_{j=1}^{m} x^j \vec a_j$, which is uniformly distributed and therefore hides the witness.
2) The values $E_k = \prod_{1 \le i,j \le m;\ j=(k-m)+i}\vec C_i^{\vec a_j}$ sent to the verifier in step 2 may also leak the witness $\vec a_1, \dots, \vec a_m$. Each is therefore multiplied by a random ciphertext $\varepsilon_{pk}(G^{b_k}; \tau_k)$ [and the prover commits to $b_k$ before receiving the challenge $x$: $c_{B_k} = com_{ck}(b_k; s_k)$]. To keep $E_m = C$ one requires $b_m = 0$, $s_m = 0$.
In the normal case $\rho \ne 0$, keeping $E_m = C$ additionally requires $\tau_m = \rho$.
$$
\begin{array}{c|ccccc}
 & \vec a_0 & \vec a_1 & \cdots & \vec a_{m-1} & \vec a_m \\ \hline
\vec C_1 & \vec C_1^{\vec a_0} & \vec C_1^{\vec a_1} & \cdots & \vec C_1^{\vec a_{m-1}} & \vec C_1^{\vec a_m} \\
\vec C_2 & \vec C_2^{\vec a_0} & \vec C_2^{\vec a_1} & \cdots & \vec C_2^{\vec a_{m-1}} & \vec C_2^{\vec a_m} \\
\vdots & \vdots & \vdots & \ddots & \vdots & \vdots \\
\vec C_m & \vec C_m^{\vec a_0} & \vec C_m^{\vec a_1} & \cdots & \vec C_m^{\vec a_{m-1}} & \vec C_m^{\vec a_m}
\end{array}
$$
Each anti-diagonal $j - i = k - m$ of this table is multiplied together and blinded to give one $E_k$:
$$
E_k = \varepsilon_{pk}(G^{b_k}; \tau_k)\prod_{1 \le i \le m,\ 0 \le j \le m;\ j = (k-m)+i}\vec C_i^{\vec a_j}, \qquad k = 0, \dots, 2m-1,
$$
so $E_0 = \varepsilon_{pk}(G^{b_0};\tau_0)\,\vec C_m^{\vec a_0}$ (bottom-left corner), $E_{2m-1} = \varepsilon_{pk}(G^{b_{2m-1}};\tau_{2m-1})\,\vec C_1^{\vec a_m}$ (top-right corner), and the main diagonal gives $E_m = \varepsilon_{pk}(1;\rho)\prod_{i=1}^{m}\vec C_i^{\vec a_i} = C$.
The full multi-exponentiation argument is given in the paper's protocol figure.
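An interactive toy run of the multi-exponentiation argument as described above (steps 1 to 5 plus the $\vec a_0$, $b_k$, $\tau_k$ blinding of points 1) and 2)), added here as an example; it is not the paper's code nor the verifiable-shuffle repository's. Besides the main equation $\prod_{k=0}^{2m-1}E_k^{x^k} = \varepsilon_{pk}(G^b;\tau)\prod_{i=1}^{m}\vec C_i^{x^{m-i}\vec a}$, the verifier here also checks the revealed $\vec a$, $b$ against the commitments and that $E_m = C$, $c_{B_m} = com_{ck}(0;0)$; the simplified flow on this page leaves those checks implicit. Parameters ($p = 2039$, $q = 1019$), generators, Pedersen bases and all function names are this example's own assumptions, chosen for readability and not secure; ElGamal and Pedersen share one order-$q$ subgroup, which the paper permits but does not require.

```python
import random

P, Q = 2039, 1019           # toy parameters p = 2q + 1, both prime (not secure)
G, H = 4, 9                 # 2^2 and 3^2: generators of the order-q subgroup of squares mod p
PK = pow(G, 77, P)          # ElGamal public key for secret key 77 (the key is never needed)
rng = random.Random(2012)   # seeded so a run is reproducible


def enc(msg, rho):
    """ElGamal E_pk(msg; rho) = (g^rho, pk^rho * msg); msg must lie in the subgroup."""
    return (pow(G, rho % Q, P), pow(PK, rho % Q, P) * msg % P)


def cmul(c1, c2):
    return (c1[0] * c2[0] % P, c1[1] * c2[1] % P)


def cpow(ct, e):
    return (pow(ct[0], e % Q, P), pow(ct[1], e % Q, P))


def vec_exp(cvec, avec):
    """C_vec^{a_vec} = prod_l C_l^{a_l}: n exponentiations in the ciphertext group."""
    out = (1, 1)
    for c, a in zip(cvec, avec):
        out = cmul(out, cpow(c, a))
    return out


def com(vec, r):
    """Pedersen com_ck(vec; r) = h^r * prod_l g_l^{v_l}; toy bases g_l = (l+5)^2 mod p."""
    out = pow(H, r % Q, P)
    for l, v in enumerate(vec):
        out = out * pow((l + 5) ** 2 % P, v % Q, P) % P
    return out


def statement(Cmat, A, rho):
    """The public claim C = E_pk(1; rho) * prod_i C_i_vec^{a_i_vec}."""
    C = enc(1, rho)
    for Ci, ai in zip(Cmat, A):
        C = cmul(C, vec_exp(Ci, ai))
    return C


def prover_commit(Cmat, A, rho):
    """Round 1: commit to a_0..a_m and to the b_k; send the blinded anti-diagonal products E_k."""
    m, n = len(Cmat), len(Cmat[0])
    Afull = [[rng.randrange(Q) for _ in range(n)]] + list(A)   # Afull[0] is the mask a_0
    r = [rng.randrange(Q) for _ in range(m + 1)]
    b = [rng.randrange(Q) for _ in range(2 * m)]
    s = [rng.randrange(Q) for _ in range(2 * m)]
    tau = [rng.randrange(Q) for _ in range(2 * m)]
    b[m], s[m], tau[m] = 0, 0, rho          # keeps E_m = C and c_{B_m} = com(0; 0)
    E = []
    for k in range(2 * m):
        Ek = enc(pow(G, b[k], P), tau[k])   # blinding ciphertext E_pk(G^{b_k}; tau_k)
        for i in range(1, m + 1):
            j = k - m + i                   # cell (i, j) lies on anti-diagonal k
            if 0 <= j <= m:
                Ek = cmul(Ek, vec_exp(Cmat[i - 1], Afull[j]))
        E.append(Ek)
    msg1 = {"cA": [com(Afull[j], r[j]) for j in range(m + 1)],
            "cB": [com([b[k]], s[k]) for k in range(2 * m)],
            "E": E}
    return msg1, {"A": Afull, "r": r, "b": b, "s": s, "tau": tau}


def verifier_challenge():
    return rng.randrange(1, Q)


def prover_respond(st, x):
    """Round 3: reveal the x-weighted combinations; a_0 masks the a_j, the b_k mask the E_k."""
    m, n = len(st["b"]) // 2, len(st["A"][0])
    xp = [pow(x, k, Q) for k in range(2 * m)]

    def comb(vals):                          # sum_k x^k * vals[k] in Z_q
        return sum(xp[k] * v for k, v in enumerate(vals)) % Q

    return {"a": [comb([st["A"][j][l] for j in range(m + 1)]) for l in range(n)],
            "r": comb(st["r"]), "b": comb(st["b"]), "s": comb(st["s"]), "tau": comb(st["tau"])}


def verify(Cmat, C, msg1, x, msg2):
    m = len(Cmat)
    cA, cB, E = msg1["cA"], msg1["cB"], msg1["E"]
    a, r, b, s, tau = (msg2[k] for k in ("a", "r", "b", "s", "tau"))
    xp = [pow(x, k, Q) for k in range(2 * m)]
    if E[m] != C or cB[m] != com([0], 0):
        return False
    lhs_a = lhs_b = 1
    for j in range(m + 1):
        lhs_a = lhs_a * pow(cA[j], xp[j], P) % P
    lhs_e = (1, 1)
    for k in range(2 * m):
        lhs_b = lhs_b * pow(cB[k], xp[k], P) % P
        lhs_e = cmul(lhs_e, cpow(E[k], xp[k]))
    rhs_e = enc(pow(G, b, P), tau)
    for i in range(1, m + 1):
        rhs_e = cmul(rhs_e, vec_exp(Cmat[i - 1], [xp[m - i] * al % Q for al in a]))
    return lhs_a == com(a, r) and lhs_b == com([b], s) and lhs_e == rhs_e


def run_protocol(Cmat, A, rho):
    """One honest-verifier run; returns the verifier's verdict."""
    C = statement(Cmat, A, rho)
    msg1, st = prover_commit(Cmat, A, rho)
    x = verifier_challenge()
    return verify(Cmat, C, msg1, x, prover_respond(st, x))


if __name__ == "__main__":
    # constructed toy input: m = 2 rows of n = 3 ciphertexts, witness A, randomness rho = 13
    Cmat = [[enc(pow(G, v, P), 100 + v) for v in row] for row in ([1, 2, 3], [4, 5, 6])]
    print("accepted:", run_protocol(Cmat, [[7, 8, 9], [10, 11, 12]], 13))
```

Two rejections are deterministic rather than probabilistic: altering the revealed $\vec a$ breaks the Pedersen check because the bases have order $q$, and claiming a different $C$ fails the $E_m = C$ check outright. A wrong witness that is consistent with its own commitments is caught only by the main equation, i.e. with probability about $1 - (2m-1)/q$, which is why $q$ must be large in practice.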
3.1 The prover's computational load
In the multi-exponentiation argument above the prover must compute $E_0, \dots, E_{2m-1}$; ignoring $\vec a_0$ and the blinding factors, for $k = 1, \dots, 2m-1$ this is
$$E_k = \prod_{1 \le i,j \le m;\ j=(k-m)+i}\vec C_i^{\vec a_j} = \prod_{i=1,\,j=1;\ j=(k-m)+i}^{m,\,m}\vec C_i^{\vec a_j}.$$
The corresponding cost:
1) $m^2$ vector exponentiations $\vec C_i^{\vec a_j}$ (one per cell of the $m \times m$ table, since every cell lies on exactly one anti-diagonal);
2) each $\vec C_i^{\vec a_j} = \prod_{l=1}^{n} C_{il}^{a_{jl}}$ costs $n$ exponentiations in $\mathbb{H}$.
So computing all the $E_k$ costs $m^2 n = mN$ exponentiations in $\mathbb{H}$.
When $m$ is large this is a heavy load for the prover; it can be reduced by polynomial interpolation (FFT), by Toom-Cook, or by adding more interaction between verifier and prover:
FFT:
Toom-Cook:
More interaction: the only cells of the $m \times m$ table that are really needed are those on the main diagonal, so not all $m^2$ cells have to be computed. Split the $m \times m$ table into $\mu \times \mu$ blocks (with $m = \mu m'$), attend only to the blocks on the diagonal, and apply the argument recursively to the contents of those diagonal blocks.
$$
\begin{pmatrix}
\vec C_1^{\vec a_1} & \cdots & \vec C_1^{\vec a_{m-1}} & \vec C_1^{\vec a_m}\\
\vec C_2^{\vec a_1} & \cdots & \vec C_2^{\vec a_{m-1}} & \vec C_2^{\vec a_m}\\
\vdots & \ddots & \vdots & \vdots\\
\vec C_m^{\vec a_1} & \cdots & \vec C_m^{\vec a_{m-1}} & \vec C_m^{\vec a_m}
\end{pmatrix}
$$
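The interpolation route of Section 3.1, as an added example (not the paper's or the repository's code): the $E_k$ are the coefficients of the group-valued polynomial $E(X) = \prod_{i=1}^{m}\vec C_i^{X^{m-i}\vec a(X)}$ with $\vec a(X) = \sum_{j=0}^{m} X^j \vec a_j$, so instead of multiplying out $m^2$ anti-diagonal cells one can evaluate $E(X)$ at $2m$ points (each evaluation is a single multi-exponentiation of size $mn$, which multi-exponentiation algorithms handle far more cheaply than $mn$ separate exponentiations) and interpolate in the exponent. This example uses plain Lagrange interpolation at the points $1, \dots, 2m$; the paper's FFT and Toom-Cook variants perform the same interpolation at structured points. Simplifications that are this example's own: each "ciphertext" is a single element of the order-$q$ subgroup rather than an ElGamal pair (every step is componentwise), and the blinding factors $\varepsilon_{pk}(G^{b_k};\tau_k)$, which are multiplied in afterwards, are omitted. Parameters are toy-sized and not secure.

```python
P, Q = 2039, 1019            # toy parameters: p = 2q + 1, both prime (not secure)
G = 4                        # generator of the order-q subgroup of squares mod p


def vec_exp(cvec, avec):
    """C_vec^{a_vec} = prod_l C_l^{a_l} for group elements C_l of order q."""
    out = 1
    for c, a in zip(cvec, avec):
        out = out * pow(c, a % Q, P) % P
    return out


def direct_E(Cmat, A):
    """E_k = product over the anti-diagonal j - i = k - m of C_i^{a_j}, k = 0..2m-1.
    A[0] is the mask a_0, A[1..m] the witness vectors; this is the m^2 n route."""
    m = len(Cmat)
    E = []
    for k in range(2 * m):
        Ek = 1
        for i in range(1, m + 1):
            j = k - m + i
            if 0 <= j <= m:
                Ek = Ek * vec_exp(Cmat[i - 1], A[j]) % P
        E.append(Ek)
    return E


def evaluate_E(Cmat, A, t):
    """E(t) = prod_i C_i^{t^{m-i} a(t)} with a(t) = sum_j t^j a_j, which equals prod_k E_k^{t^k}.
    The exponents are combined in Z_q first, so this is one multi-exponentiation of size mn."""
    m, n = len(Cmat), len(Cmat[0])
    a_t = [sum(pow(t, j, Q) * A[j][l] for j in range(m + 1)) % Q for l in range(n)]
    out = 1
    for i in range(1, m + 1):
        out = out * vec_exp(Cmat[i - 1], [pow(t, m - i, Q) * al % Q for al in a_t]) % P
    return out


def lagrange_coeffs(points):
    """lam[t][k] = coefficient of X^k in L_t(X) = prod_{s != t} (X - s)/(t - s) over Z_q."""
    lam = []
    for t in points:
        poly, denom = [1], 1
        for s in points:
            if s == t:
                continue
            new = [0] * (len(poly) + 1)            # poly <- poly * (X - s)
            for k, c in enumerate(poly):
                new[k + 1] = (new[k + 1] + c) % Q
                new[k] = (new[k] - s * c) % Q
            poly, denom = new, denom * (t - s) % Q
        inv = pow(denom, Q - 2, Q)
        lam.append([c * inv % Q for c in poly])
    return lam


def interpolated_E(Cmat, A):
    """Evaluate E(X) at 2m points, then recover E_k = prod_t E(t)^{lam[t][k]}.
    Interpolation costs (2m)^2 exponentiations of group elements, independent of n."""
    m = len(Cmat)
    points = list(range(1, 2 * m + 1))
    evals = [evaluate_E(Cmat, A, t) for t in points]
    lam = lagrange_coeffs(points)
    E = []
    for k in range(2 * m):
        Ek = 1
        for idx in range(len(points)):
            Ek = Ek * pow(evals[idx], lam[idx][k], P) % P
        E.append(Ek)
    return E


def verifier_identity(Cmat, A, x):
    """The relation the verifier relies on: prod_k E_k^{x^k} == E(x) for the challenge x."""
    lhs = 1
    for k, Ek in enumerate(direct_E(Cmat, A)):
        lhs = lhs * pow(Ek, pow(x, k, Q), P) % P
    return lhs == evaluate_E(Cmat, A, x)


def example():
    """Constructed toy input: m = 2 rows of n = 3 subgroup elements and vectors a_0, a_1, a_2."""
    Cmat = [[pow(G, v, P) for v in row] for row in ([1, 2, 3], [4, 5, 6])]
    A = [[17, 18, 19], [7, 8, 9], [10, 11, 12]]
    return direct_E(Cmat, A) == interpolated_E(Cmat, A) and verifier_identity(Cmat, A, 123)


if __name__ == "__main__":
    print(example())
```

With Lagrange at arbitrary points the interpolation itself is $O(m^2)$ field operations plus $(2m)^2$ group exponentiations, which is why the paper moves to FFT-friendly points (or Toom-Cook for small $m$) to get the $O(N \log m)$ prover cost quoted in Section 1.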
3.2 Optimized implementations for the prover
For the load described in 3.1, https://github.com/3for/verifiable-shuffle implements the corresponding optimizations; which variant runs is selected by a configuration parameter, documented in the repository as follows:
```text
# This parameter determines which version of the program is executed.
# 0 stands for no optimization inside of the code
# 1 uses multi-exponentiation techniques
# 2 uses multi-exponentiation techniques and FFT to find values E_i
# 3 uses multi-exponentiation techniques, extra interaction and Toom-Cook 4 to find values E_i, in this case m = 16 or 64
3
```
References:
[1] Stephanie Bayer and Jens Groth, "Efficient Zero-Knowledge Argument for Correctness of a Shuffle", 2012.
[2] Slides: "Efficient Zero-Knowledge Argument for Correctness of a Shuffle".
[3] Blog post: Hadamard product vs inner product of vectors.
[4] Blog post: ElGamal encryption VS Pairing encryption.