Protocol I - Mixnets and Verifiable Shuffling

R²_n, for anyn≥2, andAan attacker that can solve DDH. Then:

AdvF1≤AdvA

We will not provide the proves of these theorems here, but a sketch can be found in the paper by Furukawa and Sako for the interested reader [13].

5.2 Protocol I

We will in this section first construct Protocol I, and then look at the security of the pro-tocol. Sequences(gi)and(g_i⁰)are made public, and a sequence(ri)andAij is given as private input toP. The protocol proves that both (5.1) and (5.3) hold.

Construction

Apparently, this will leak information aboutAij. To prevent this, randomizersψ,(ψi), andσare added, and (5.5) and (5.6) are modified.

First, we add randomizersψand(ψi).Psendsα= (g⁰,(Fi), H)as commitments in

Further, we add randomizerσand (5.6) is modified to be:

This verification is computed over exponents in order the hide the values of(F_j+σr_j), (H+σψ)andσ. This gives us the two verification equations:

g^s⁰

The protocol is three move, illustrated in Figure 5.1. The output of the protocol is(α, β, γ), whereα = (w, g⁰,( ˆw_i),w),ˆ β = (β_i)andγ = (s₀,(s_i)). The prover computesg⁰. We enumerate the following equation for convenience:

g⁰=g^ψ

Theorem 20. Protocol I is complete.

Completeness of the protocol can be proved with simple calculations.

Theorem 21. IfVaccepts Protocol I with non-negligible probability, thenP^∗either knows both(ri)andAij that satisfy (5.1), or can generate non-trivial integers(ai)and a satis-fyingg^aQn

i=1g_i^aⁱ = 1with overwhelming probability.

Proof. First, we prove that ifVaccepts with non-negligible probability, thenP^∗knows ri, Aij, ψand(ψi)that satisfy (5.3) and (5.9). Recall that (5.3) gives thatg_i⁰=g^rⁱQn

j=1g^A_j^ji. This can be proved with rewinding. The technique is described in detail in proof of Theorem 8. First, we start running the protocol andP^∗outputsα= (w, g⁰,( ˆwi),w).ˆ Pis given challenge(β_i,1), and outputsγ₁= (s_0,1, s_i,1). This gives us one accepted transcript (α, βi,1, γ1).

We perform rewindingntimes. Each time is P^∗ is given challenge(βi,b),(βi,1) 6=

(βi,b), andP^∗outputs the corresponding outputγb= (s0,b,(si,b))(b= 2, ..., n+ 1),

5.2 Protocol I

Public input:p,q,g, n,(g_i),(g⁰_i) (i= 1, ..., n) Private input toP:(r_i),A_ij(i, j= 1, ..., n)

Prover,P Verifier,V

ψ, ψ_i, σ←^r Zq,(i= 1, ..., n) Compute:

w←g^σ g⁰ ←g^ψQn

j=1g_j^ψ^j ˆ

wi ←g^Pⁿ^j=1^2ψ^j^A^ji^+σrⁱ(i= 1, ..., n) ˆ

w←g^Pⁿ^j=1^ψ²^j^+σψ

w,g⁰,( ˆw_i)ⁿ_i=1,wˆ

−−−−−−−−−−−−−→

β_i←^r Zq,(i= 1, ..., n)

(β_i)ⁿ_i=1

←−−−−−−−−

Compute: s0←Pn

j=1rjβj+ψmodq si←Pn

j=1Aijβj+ψimodq,(i= 1, ..., n)

s₀,(s_i)ⁿ_i=1

−−−−−−−−−−→

Verify if

(5.7)and(5.8)hold Figure 5.1:Protocol I.

(i= 1, ..., n). This gives us a total of(n+ 1)accepted transcripts: gives us the following system of equations:



The matrix to the left will be invertible except with negligible probability, when(β_i)is chosen at random fromZq. Hence(r1, r2, ..., rn, ψ)can be extracted.

Further, we extract(Aij)by making use of the fact thatsi,b =Pn

j=1Aijβj,b+ψi. This gives us the following system of equations:



The matrix to the left will be invertible except with negligible probability, hence(A_ij)and (ψi)can be extracted. IfVaccepts, the same(ri),Aij,ψand(ψi)are used to calculate g⁰ and(g_i⁰)by (5.3) and (5.9) respectively. This provesP^∗‘s knowledge of(r_i),A_ij,ψ and(ψi)such that (5.3) and (5.9) are satisfied. Next, we will prove that this knowledge implies that either (5.1) is satisfied, orP^∗is able to find a non-trivial representation of1

5.2 Protocol I with overwhelming probability.

First, we look at (5.7), the first verification equation. Assume thatP^∗knows(ri), Aij, ψ and(ψi)satisfying (5.3) and (5.9), and(ai)andasatisfying (5.7). We note that the fol-lowing gives a non-trivial representation of1:

g^s⁰⁻^Pⁿ^j=1^r^j^β^j^+ψ non-trivial representation of1with overwhelming probability if (5.7) is satisfied.

Next, we look at (5.8) that is the other equation verified byV. Assume thatP^∗knows (ri), Aij, ψ and(ψi)satisfying (5.3) and (5.9). If (5.8) is satisfied, then the following

It is clear that if (5.1) does not hold, the probability that (5.8) holds is negligible. This gives us that ifVaccepts either (5.1) holds, orP^∗is able to find a non-trivial representation of 1. This completes our proof.

Remark that since (g₁, ..., g_n) originally are chosen by those who encrypt the messages, we cannot assure that the prover does not know the relation among(gi). Hence, we can not assure thatP^∗is not able to construct(ai)andaand such thatg^aQn

i=1g^a_iⁱ = 1. We

note that the protocol does not satisfy the ordinary soundness property.

Theorem 22. LetBbe an attacker that can distinguish if an accepted transcript(α, β, γ) was constructed by (P,V) in Protocol I or by a simulatorSfor Protocol I. We then have an attackerAagainst DDH such thatAdvB≤AvdA.

Proof. The proof is constructed as follows:

1. Construct a simulatorSfor Protocol I.

2. Construct an attackerF1that can distinguish between uniform instances fromE_n+1² andR²_n+1.

3. Describe how the attacker can act as a simulatorS⁰.

4. Prove thatS⁰perfectly simulates (P,V) whenI∈E_n+1² and thatS⁰perfectly simu-latesSwhenI∈R²_n+1.

Construction of S: A simulatorSfor Protocol I is constructed in Figure 5.2. The simulator outputs (w,g⁰,( ˆw_i),w,ˆ (β_i),s₀,(s_i)).

Input:p,q,g, n,(gi),(g⁰_i) (i= 1, ..., n) Simulator,S s0, si, βi

←r Zq,(i= 1, ..., n) w,wˆ_i←^r Gq,(i= 1, ..., n) Compute:

g⁰ ←g^s⁰Qn

j=1g_j^s^jg⁰_j^−β^j ˆ

w←w^s⁰g^Pⁿ^j=1^(s²^j^−β^j²⁾Qn j=1wˆ^−β_j ^j Figure 5.2:Construction of a simulator for Protocol I.

Construction of F1: We will construct an attacker F1 that can distinguish uniform in-stances fromE_n+1² andR²_n+1ifScannot simulate Protocol I. AssumeI= (x⁽¹⁾₁ , x⁽²⁾₁ , ..., x⁽¹⁾_n+1, x⁽²⁾_n+1), was chosen uniformly from eitherE_n+1² orR²_n+1.

We letg = x⁽¹⁾₁ . First, F1 generates (g_i)as the constants used in Proof 1, and a permutation matrixAij. He computes(i= 1, ..., n):

g⁰_i=x⁽¹⁾_i+1

j=1

g_j^A^ji

5.2 Protocol I The attacker will now act as a simulatorS⁰, based on the values and the permutation matrix he has obtained.S⁰is constructed in Figure 5.3.

Input:p,q,g, n,(gi),(g⁰_i) (i= 1, ..., n) Simulator,S⁰

s0, si, βi

←r Zq,(i= 1, ..., n) w←x⁽²⁾₁

Compute:

g⁰←g^s⁰Qn

j=1g^s_j^jg_j⁰^−β^j ψj←sj−Pn

k=1Ajkβk modq,(j= 1, ..., n) ˆ

wi←x⁽²⁾_i+1Qn

j=1g^2ψ^j^A^ji,(i= 1, ..., n) ˆ

w←w^s⁰g^Pⁿ^j=1^(s²^j^−β²^j⁾Qn j=1wˆ^−β_j ^j Figure 5.3:Construction of simulatorS⁰.

S⁰ outputs an accepted transcript (w,g⁰,( ˆw_i),w,ˆ (β_i),s₀,(s_i)). We will now prove thatS⁰perfectly simulates (P,V) whenI ∈E_n+1² and thatS⁰ perfectly simulatesSwhen I∈R²_n+1.

S⁰ perfectly simulates(P,V)whenI ∈ E_n+1² : We assumeI ∈ E_n+1² . S⁰ perfectly sim-ulates (P,V) if transcripts constructed byS⁰and (P,V) have the same distribution. The proof is similar to the proof of Theorem 4, but we will outline the main differences.

In protocol IPchoosesσ←^r Zq. We now let:σ=log_x(1) 1

x⁽²⁾₁ . Remark that this will tamper the protocol, becauseσwill still be a random value. Pis given private input(ri) defined as follows:ri=log_x(1)

x⁽¹⁾_i+1.

This gives us that(P,V)choosesψ,(ψ_i)and(β_i)at random fromZq, andS⁰chooses s0,(si)and(βi)at random fromZq. It is clear thatS⁰ perfectly simulates (P,V) when I∈E_n+1² .

S⁰perfectly simulatesSwhenI∈R²_n+1: We assumeI∈R²_n+1. In this case(x⁽²⁾₁ , ..., x⁽²⁾_n+1) is chosen at random fromGq byS⁰. This gives us Table 5.1. It is clear that transcripts constructed bySandS⁰ gives the same distribution, henceS⁰ perfectly simulateSwhen I∈R²_n+1.

Figure 5.4 illustrates what we have proven so far. Transitivity gives us that if we have an attacker Bthat is able to distinguish transcripts from (P,V) andS, then we have an attacker F1 that is able do distinguish uniform instances from E²_n+1 andR²_n+1. From Theorem 19 we know that if it is easy forF1to distinguish these instances, then it is easy

S S⁰ s0, si, βi

←r Zq(i= 1, ..., n) s0, si, βi

←r Zq,(i= 1, ..., n) w,wˆi

←r Gq(i= 1, ..., n) x⁽²⁾_i ←^r Gq(i= 1, ..., n+ 1)

Table 5.1:Outline of the randomness in transcripts constructed bySandS⁰.

forAto solve the DDH problem. Hence, if it is easy forBto distinguish the transcripts, it is easy forAto solve DDH. This completes the proof of the theorem.

(P,V) S⁰

I∈E_n+1²

I∈E_n+1² I∈R²_n+1 I∈R²_n+1

S⁰ S

Transcript ≈ Transcript Transcript Transcript DDH

≈ ≈

Figure 5.4:An illustration of how the proof is constructed.

We note that as long as it is difficult to solve DDH,Bwill not be able to distinguish if an accepted transcript (α, β, γ) was constructed by (P,V) or byS. The protocol is computationally HVZK.

In document Mixnets and Verifiable Shuffling (sider 51-58)