Succinct Malleable NIZKs and an Application to Compact Shuffles

Chase, Melissa; Kohlweiss, Markulf; Lysyanskaya, Anna; Meiklejohn, Sarah

doi:10.1007/978-3-642-36594-2_6

Cited by 18 publications

(12 citation statements)

References 31 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…While the result of Chase et al [24] therefore assures us that we can construct a cm-NIZK supporting T dac . One might also wish to instantiate our cm-NIZK using their first, more efficient, construction.…”

Section: Instantiating Our Constructionmentioning

confidence: 76%

“…We instantiate malleable signatures generically based on malleable zero-knowledge proofs which can be instantiated either very succinctly using SNARGS [24] or using GrothSahai proofs [12]. An interesting open question is the relationship between this new instantiation of the above primitives and existing constructions.…”

Section: Discussionmentioning

confidence: 98%

“…Two constructions of cm-NIZKs exist within the literature, both due to Chase et al: their original construction [12] based on Groth-Sahai proofs [39], and a more recent construction [24] based on succinct non-interactive arguments of knowledge (SNARGs) and homomorphic encryption. While the latter construction is less efficient, showing that it supports the class of transformations T dac is relatively straightforward: all we need to show is that the language and class of transformations are what is called t-tiered, meaning that (1) every instance x in the language can be labeled with an integer i = tier(x), and (2) every transformation T ∈ T dac is such that tier(T (x)) > tier(x) for all x ∈ L such that tier(x) < t, and…”

Section: Instantiating Our Constructionmentioning

confidence: 99%

“…In addition to satisfying this new definition, our construction provides several desirable functional features (non-interactive delegation and the ability to delegate polynomially many times). Our construction is generic and can be instantiated either using succinct non-interactive arguments of knowledge (SNARGs) and homomorphic encryption [24], or using Groth-Sahai proofs [12]. The latter relies only on standard assumption (e.g., Decision Linear [25]).…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Malleable Signatures: New Definitions and Delegatable Anonymous Credentials

Chase

Kohlweiss

Lysyanskaya

et al. 2014

2014 IEEE 27th Computer Security Foundations Symposium

Self Cite

View full text Add to dashboard Cite

A signature scheme is malleable if, on input a message and a signature, it is possible to efficiently compute a signature on a related message, for a transformation that is allowed with respect to this signature scheme. In this paper, we first provide new definitions for malleable signatures that allow us to capture a broader range of transformations than was previously possible. We then give a generic construction based on malleable zero-knowledge proofs that allows us to construct malleable signatures for a wide range of transformation classes, with security properties that are stronger than those that have been achieved previously. Finally, we construct delegatable anonymous credentials from signatures that are malleable with respect to an appropriate class of transformations (that we show our malleable signature supports). The resulting instantiation satisfies a stronger security notion than previous schemes while also scaling linearly with the number of delegations.

show abstract

Section: Instantiating Our Constructionmentioning

confidence: 76%

Section: Discussionmentioning

confidence: 98%

Section: Instantiating Our Constructionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Malleable Signatures: New Definitions and Delegatable Anonymous Credentials

Chase

Kohlweiss

Lysyanskaya

et al. 2014

2014 IEEE 27th Computer Security Foundations Symposium

Self Cite

View full text Add to dashboard Cite

show abstract

“…The CKLM solution is therefore asymptotically superior only in the case where there are more mix servers than voters. In recent follow-up work, CKLM extended their results [10] in a way that would allow permutations to be represented as lists rather than matrices, but the extension does not apply for the scenario at hand because it can only tolerate a constant number of mix servers. A natural question, therefore, is the following: Is it possible to combine the CKLM techniques with the Groth-Lu techniques to get a cm-NIZK for the correctness of a shuffle of size Θ(k(L + M ))?…”

Section: Introductionmentioning

confidence: 99%

Verifiable Elections That Scale for Free

Chase

Kohlweiss

Lysyanskaya

et al. 2013

Public-Key Cryptography – PKC 2013

Self Cite

View full text Add to dashboard Cite

In order to guarantee a fair and transparent voting process, electronic voting schemes must be verifiable. Most of the time, however, it is important that elections also be anonymous. The notion of a verifiable shuffle describes how to satisfy both properties at the same time: ballots are submitted to a public bulletin board in encrypted form, verifiably shuffled by several mix servers (thus guaranteeing anonymity), and then verifiably decrypted by an appropriate threshold decryption mechanism. To guarantee transparency, the intermediate shuffles and decryption results, together with proofs of their correctness, are posted on the bulletin board throughout this process.In this paper, we present a verifiable shuffle and threshold decryption scheme in which, for security parameter k, L voters, M mix servers, and N decryption servers, the proof that the end tally corresponds to the original encrypted ballots is only O(k(L + M + N )) bits long. Previous verifiable shuffle constructions had proofs of size O(kLM + kLN ), which, for elections with thousands of voters, mix servers, and decryption servers, meant that verifying an election on an ordinary computer in a reasonable amount of time was out of the question.The linchpin of each construction is a controlled-malleable proof (cm-NIZK), which allows each server, in turn, to take a current set of ciphertexts and a proof that the computation done by other servers has proceeded correctly so far. After shuffling or partially decrypting these ciphertexts, the server can also update the proof of correctness, obtaining as a result a cumulative proof that the computation is correct so far. In order to verify the end result, it is therefore sufficient to verify just the proof produced by the last server., . . . , c (i−1) L ), result

show abstract