shuffle

Documentation

Overview

Package shuffle implements Andrew Neff's verifiable shuffle proof scheme. Neff's shuffle proof algorithm as implemented here is described in the paper "Verifiable Mixing (Shuffling) of ElGamal Pairs", April 2004.

The PairShuffle type implements the general algorithm to prove the correctness of a shuffle of arbitrary ElGamal pairs. This will be the primary API of interest for most applications. For basic usage, the caller should first instantiate a PairShuffle object, then invoke PairShuffle.Init() to initialize the shuffle parameters, and finally invoke PairShuffle.Shuffle() to shuffle a list of ElGamal pairs, yielding a list of re-randomized pairs and a noninteractive proof of its correctness.

The SimpleShuffle type implements Neff's more restrictive "simple shuffle", which requires the prover to know the discrete logarithms of all the individual ElGamal ciphertexts involved in the shuffle. The general PairShuffle builds on this SimpleShuffle scheme, but SimpleShuffle may also be used by itself in situations that satisfy its assumptions, and is more efficient.

Index

• func Biffle(suite abstract.Suite, G, H abstract.Point, X, Y [2]abstract.Point, ...) (Xbar, Ybar [2]abstract.Point, prover proof.Prover)
• func BiffleTest(suite abstract.Suite, N int)
• func BiffleVerifier(suite abstract.Suite, G, H abstract.Point, X, Y, Xbar, Ybar [2]abstract.Point) (verifier proof.Verifier)
• func Shuffle(group abstract.Group, g, h abstract.Point, X, Y []abstract.Point, ...) (XX, YY []abstract.Point, P proof.Prover)
• func TestShuffle(suite abstract.Suite, k int, N int)
• func Verifier(group abstract.Group, g, h abstract.Point, X, Y, Xbar, Ybar []abstract.Point) proof.Verifier
• type PairShuffle
  • func (ps *PairShuffle) Init(grp abstract.Group, k int) *PairShuffle
  • func (ps *PairShuffle) Prove(pi []int, g, h abstract.Point, beta []abstract.Scalar, X, Y []abstract.Point, ...) error
  • func (ps *PairShuffle) Verify(g, h abstract.Point, X, Y, Xbar, Ybar []abstract.Point, ...) error
• type SimpleShuffle
  • func (ss *SimpleShuffle) Init(grp abstract.Group, k int) *SimpleShuffle
  • func (ss *SimpleShuffle) Prove(G abstract.Point, gamma abstract.Scalar, x, y []abstract.Scalar, ...) error
  • func (ss *SimpleShuffle) Verify(G, Gamma abstract.Point, ctx proof.VerifierContext) error

Functions

func Biffle

func Biffle(suite abstract.Suite, G, H abstract.Point,
	X, Y [2]abstract.Point, rand abstract.Cipher) (
	Xbar, Ybar [2]abstract.Point, prover proof.Prover)

Binary shuffle ("biffle") for 2 ciphertexts based on general ZKPs.

func BiffleTest

func BiffleTest(suite abstract.Suite, N int)

func BiffleVerifier

func BiffleVerifier(suite abstract.Suite, G, H abstract.Point,
	X, Y, Xbar, Ybar [2]abstract.Point) (
	verifier proof.Verifier)

func Shuffle

func Shuffle(group abstract.Group, g, h abstract.Point, X, Y []abstract.Point,
	rand cipher.Stream) (XX, YY []abstract.Point, P proof.Prover)

Randomly shuffle and re-randomize a set of ElGamal pairs, producing a correctness proof in the process. Returns (Xbar,Ybar), the shuffled and randomized pairs. If g or h is nil, the standard base point is used.

func TestShuffle

func TestShuffle(suite abstract.Suite, k int, N int)

func Verifier

func Verifier(group abstract.Group, g, h abstract.Point,
	X, Y, Xbar, Ybar []abstract.Point) proof.Verifier

Produce a Sigma-protocol verifier to check the correctness of a shuffle.

Types

type PairShuffle

type PairShuffle struct {
	// contains filtered or unexported fields
}

PairShuffle creates a proof of the correctness of a shuffle of a series of ElGamal pairs.

The caller must first invoke Init() to establish the cryptographic parameters for the shuffle: in particular, the relevant cryptographic Group, and the number of ElGamal pairs to be shuffled.

The caller then may either perform its own shuffle, according to a permutation of the caller's choosing, and invoke Prove() to create a proof of its correctness; or alternatively the caller may simply invoke Shuffle() to pick a random permutation, compute the shuffle, and compute the correctness proof.

func (*PairShuffle) Init

func (ps *PairShuffle) Init(grp abstract.Group, k int) *PairShuffle

Create a new PairShuffleProof instance for a k-element ElGamal pair shuffle. This protocol follows the ElGamal Pair Shuffle defined in section 4 of Andrew Neff, "Verifiable Mixing (Shuffling) of ElGamal Pairs", 2004.

func (*PairShuffle) Prove

func (ps *PairShuffle) Prove(
	pi []int, g, h abstract.Point, beta []abstract.Scalar,
	X, Y []abstract.Point, rand cipher.Stream,
	ctx proof.ProverContext) error

func (*PairShuffle) Verify

func (ps *PairShuffle) Verify(
	g, h abstract.Point, X, Y, Xbar, Ybar []abstract.Point,
	ctx proof.VerifierContext) error

Verifier for ElGamal Pair Shuffle proofs.

type SimpleShuffle

type SimpleShuffle struct {
	// contains filtered or unexported fields
}

func (*SimpleShuffle) Init

func (ss *SimpleShuffle) Init(grp abstract.Group, k int) *SimpleShuffle

func (*SimpleShuffle) Prove

func (ss *SimpleShuffle) Prove(G abstract.Point, gamma abstract.Scalar,
	x, y []abstract.Scalar, rand cipher.Stream,
	ctx proof.ProverContext) error

The "Simple k-shuffle" defined in section 3 of Neff, "Verifiable Mixing (Shuffling) of ElGamal Pairs", 2004. The Scalar vector y must be a permutation of Scalar vector x but with all elements multiplied by common Scalar gamma.

func (*SimpleShuffle) Verify

func (ss *SimpleShuffle) Verify(G, Gamma abstract.Point,
	ctx proof.VerifierContext) error

Verifier for Neff simple k-shuffle proofs.