How To Shuffle in Public

Ben Adida1? and Douglas Wikström2

1
MIT, Computer Science and Artificial Intelligence Laboratory, [email protected]
2
ETH Zürich, Department of Computer Science, [email protected]

Abstract. We show how to public-key obfuscate two commonly used shuffles: decryption shuffles
which permute and decrypt ciphertexts, and re-encryption shuffles which permute and re-encrypt
ciphertexts. Given a trusted party that samples and obfuscates a shuffle before any ciphertexts are
received, this reduces the problem of constructing a mix-net to verifiable joint decryption.
We construct a decryption shuffle from any additively homomorphic cryptosystem and show how it
can be public-key obfuscated. This construction does not allow efficient distributed verifiable decryp-
tion. Then we show how to public-key obfuscate: a decryption shuffle based on the Boneh-Goh-Nissim
(BGN) cryptosystem, and a re-encryption shuffle based on the Paillier cryptosystem. Both construc-
tions allow efficient distributed verifiable decryption. In the Paillier case we identify and exploit a
previously overlooked “homomorphic” property of the cryptosystem.
Finally, we give a distributed protocol for sampling and obfuscating each of the above shuffles and
show how it can be used in a trivial way to construct a universally composable mix-net. Our con-
structions are practical when the number of senders N is reasonably small, e.g. N = 350 in the BGN
case and N = 2000 in the Paillier case.

1 Introduction

Suppose a set of senders P1 , . . . , PN , each with input mi , want to compute the sorted list
(mπ(1) , . . . , mπ(N ) ) of messages while keeping the permutation π secret. A trusted party can
provide this service. First, it collects all messages. Then, it sorts the inputs and outputs the
result. A protocol, i.e., a list of machines M1 , . . . , Mk , that emulates the service of this trusted
party is called a mix-net, and the parties M1 , . . . , Mk are referred to as mix servers. The notion
of a mix-net was introduced by Chaum [10] and the main application of mix-nets is to perform
electronic elections.
Program obfuscation is the process of “muddling” a program’s instructions to prevent reverse-
engineering while preserving proper function. Barak et al. first formalized obfuscation as simu-
latability from black-box access [2]. Goldwasser and Tauman-Kalai extended this definition to
consider auxiliary inputs [18]. Some simple programs have been successfully obfuscated [8, 28].
However, generalized program obfuscation, though it would be fantastically useful in practice,
has been proven impossible in even the weakest of settings for both models (by their respec-
tive authors). Ostrovsky and Skeith [23] consider a weaker model, public-key obfuscation, where
the obfuscated program’s output is encrypted. In this model, they achieve the more complex
application of private stream searching.

1.1 Our Contributions

We show how to public-key obfuscate the shuffle phase of a mix-net. We show how any homo-
morphic cryptosystem can provide obfuscated mixing, though the resulting mix-net inefficient.
We show how special – and distinct – properties of the Boneh-Goh-Nissim [7] and Paillier [24]
cryptosystems enable obfuscated mixing with sufficient efficiency to be practical in some settings.
?
The author wishes to acknowledge support from the Caltech/MIT Voting Technology Project and the Knight
Foundation.
 We formalize our constructions in the public-key obfuscation model of Ostrovsky and Skeith,
whose indistinguishability property closely matches the security requirements of a mix-net. We
also show how to prove in zero-knowledge the correct obfuscation of a shuffle. Finally, we describe
a protocol that allows a set of parties to jointly and robustly generate an obfuscated randomly
chosen shuffle. Our mix-nets require considerably more exponentiations, O(κN 2 ) instead of O(κN )
where κ is the security parameter, than private mix-net techniques, yet they remain reasonably
practical for precinct-based elections, where voters are anonymized in smaller batches and all
correctness proofs can be carried out in advance.
Our constructions can also be presented in the obfuscation model of Barak et al., but we choose
the public-key obfuscation model as it immediately provides the indistinguishability property
desired from a shuffle functionality.

1.2 Previous Work

Most mix-nets are based on homomorphic cryptosystems and use the re-encryption-permutation
paradigm introduced by Park et al. [25] and made universally verifiable by Sako and Kilian
[26]. Each mix-server in turn re-encrypts and permutes the ciphertexts. The first efficient zero-
knowledge shuffle proofs were given independently by Neff [22] and Furukawa and Sako [17]. Groth
[20] generalized Neff’s approach to any homomorphic cryptosystem and improved its efficiency. A
third, different, approach was given recently by Wikström [30]. The first definition of security of a
mix-net was given by Abe and Imai [1] and the first proof of security of a mix-net as a whole was
given by Wikström [29, 30]. Wikström and Groth [32] give the first adaptively secure mix-net.
Multi-candidate election schemes where the set of candidates is predetermined have been
proposed using homomorphic encryption schemes, initially by Benaloh [6, 5] and subsequently
by others to handle multiple races and multiple candidates per race [13, 27, 14, 16, 3, 20]. Homo-
morphic tallying is similar to obfuscated shuffles in that, on and after election day, only public
computation is required for the anonymization process. However, homomorphic tallying cannot
recover the individual input plaintexts, which is required by the election laws in some countries
and in the case of write-in votes.
Ostrovsky and Skeith define the notion of public-key obfuscation to describe and analyze
their work on streaming-data search using homomorphic encryption [23]. In their definition, an
obfuscated program is run on plaintext inputs and provides the outputs of the original program
in encrypted form. We use a variation of this definition, where the inputs are encrypted and the
unobfuscated program may depend on the public key of the cryptosystem.

1.3 Overview of Techniques

The protocols presented in this work use homomorphic multiplication with a permutation ma-
trix, followed by a provable threshold decryption step typical of mix-nets. Roughly, the semantic
security of the encryption scheme hides the permutation.

Generic Construction. Consider two semantically-secure cryptosystems, CS = (G, E, D) and

CS 0 = (G 0 , E 0 , D0 ), where CS 0 is additively homomorphic and the plaintext space of CS 0 can
accommodate any ciphertext from CS. Note the interesting properties:
0 Epk (m) 0 0 Epk (m) 0
Epk 0 (1) = Epk 0 (Epk (m)) , Epk 0 (0) = Epk 0 (0) , and

0 0 0
Epk 0 (0)Epk 0 (Epk (m)) = Epk 0 (Epk (m)) .

Consider the element-wise encryption of a permutation matrix under E 0 , and consider inputs to
the shuffle as ciphertexts under E. Homomorphic matrix multiplication can be performed using the

2
properties above for multiplication and addition. The result is a list of double-encrypted messages,
0 (E (m )), that must then be provably decrypted. Unfortunately, a proof of double-decryption
Epk 0 pk i
is particularly inefficient because revealing any intermediate ciphertext Epk (mi ) is not an option,
as it would immediately leak the permutation.

BGN Construction. The BGN cryptosystem is additively homomorphic and has two encryption
algorithms and two decryption algorithms that can be used with the same keys and which provides
both additive and multiplicative homomorphisms in the following sense.
0
Epk (m1 ) ⊗ Epk (m1 ) = Epk (m1 m2 ) , Epk (m1 ) ⊕ Epk (m2 ) = Epk (m1 + m2 ) , and
0 0 0
Epk (m1 ) ⊕ Epk (m2 ) = Epk (m1 + m2 ) .

Thus, both the matrix and the inputs can be encrypted using the same encryption algorithm E
and public key, and the matrix multiplication uses both homomorphisms. The result is a list of
singly encrypted ciphertexts under E 0 , which lends itself to efficient, provable decryption.

Paillier Construction. The Paillier cryptosystem is additively homomorphic and supports layered
encryption, where a ciphertext can be encrypted again using the same public key. The homomor-
phic properties are preserved in the inner layer; in addition to the generic layered homomorphic
properties we have the special relation
0
Epk (Epk (0, r))Epk (m,s) = Epk
0 0
(Epk (0, r)Epk (m, s)) = Epk (Epk (m, r + s)) .

Thus, we can use E 0 encryption for the permutation matrix, and E encryption for the inputs.
When representing the permutation matrix under E 0 , instead of Epk 0 (1) to represent a one we
0
use Epk (Epk (0, r)) with a random r. During the matrix multiplication, the “inner” Epk (0, r) per-
forms re-encryption on the inputs, which allows the decryption process to reveal the intermediate
ciphertext without leaking the permutation, making the decryption proof much more efficient.

2 Preliminaries

2.1 Notation

We denote by κ the main security parameter and say that a function (·) is negligible if for every
constant c there exists a constant κ0 such that (κ) < κ−c for κ > κ0 . We denote by κc and κr
additional security parameters such that 2−κc and 2−κr are negligible, which determines the bit-
size of challenges and random paddings in our protocols. We denote by PT, PPT, and PT∗ , the set
of uniform polynomial time, probabilistic uniform polynomial time, and non-uniform polynomial
time Turing machines respectively. In interactive protocols we denote by P the prover and V
the verifier. We understand a proof of knowledge to mean a complete proof of knowledge with
overwhelming soundness and negligible knowledge error. We denote by ΣN the set of permutations
of N elements. And we write Λπ = (λπij ) for the corresponding permutation matrix. We denote by
Mpk , Rpk , and Cpk , the plaintext space, the randomizer space, and the ciphertext space induced
by the public key pk of some cryptosystem.

2.2 Homomorphic Cryptosystems

In the following definition we mean by abelian group a specific representation of an abelian group
for which there exists a polynomial time algorithm for computing the binary operator.

3
Definition 1 (Homomorphic). A cryptosystem CS = (G, E, D) is homomorphic if for every
key pair (pk, sk) ∈ G(1κ )

1. The message space Mpk is a subset of an abelian group G(Mpk ) written additively.
2. The randomizer space Rpk is an abelian group written additively.
3. The ciphertext space Cpk is a abelian group written multiplicatively.
4. For every m, m0 ∈ Mpk and r, r0 ∈ Rpk we have Epk (m, r)Epk (m0 , r0 ) = Epk (m + m0 , r + r0 ).

Furthermore, if Mpk = G(Mpk ) it is called fully homomorphic, and if G(Mpk ) = Zn for some
integer n > 0 it is called additive.

For an additively homomorphic cryptosystem, RE pk (c, r) = cEpk (0, r) is called a re-encryption

algorithm.

2.3 Functionalities

Definition 2 (Functionality). A functionality is a family F = {Fκ }κ∈N of sets of circuits such

that there exists a polynomial s(·) such that |F | ≤ s(κ) for every F ∈ Fκ .

We use a variation of the definition of public-key obfuscation of Ostrovsky and Skeith [23].
Our definition differs in that the functionality takes the public and secret keys as input.

Definition 3 (Public-Key Obfuscator). An algorithm O ∈ PPT is a public-key obfuscator

for a functionality F with respect to a cryptosystem CS = (G, E, D) if there exists a decryption
algorithm D0 ∈ PT and a polynomial s(·) such that for every κ ∈ N, F ∈ Fκ , (pk, sk) ∈ G(1κ ),
and x ∈ {0, 1}∗ ,
0 (O(1κ , pk, sk, F )(x)) = F (pk, sk, x).
1. Correctness. Dsk
2. Polynomial blow-up. |O(1κ , pk, sk, F )| ≤ s(|F |).

Example 1. Suppose CS is additively homomorphic, a ∈ Mpk , (pk, sk) ∈ G(1κ ), and define
Fa (pk, sk, x) = ax, where x ∈ Mpk . An obfuscator for the functionality F of such circuits can be
defined as a circuit with Epk (a) hardcoded which, on input x ∈ Mpk , outputs Epk (a)x = Epk (ax).

We extend the definition of polynomial indistinguishability of a public-key obfuscator.

Experiment 1 (Indistinguishability, Expoind−b

F ,CS,O,A (κ)).

(pk, sk) ← G(1κ )

(F0 , F1 , state) ← A(choose, pk),
d ← A(O(1κ , pk, sk, Fb ), state)

If F0 , F1 ∈ Fκ return d, otherwise 0.

Definition 4 (Indistinguishability). A public-key obfuscator O for a functionality F with

respect to a cryptosystem CS = (G, E, D) is polynomially indistinguishable if | Pr[Expoind−0
F ,CS,O,A (κ) =
oind−1
1] − Pr[ExpF ,CS,O,A (κ) = 1]| is negligible.

Note that the obfuscator in Example 1 is polynomially indistinguishable if CS is polynomially

indistinguishable.

4
2.4 Shuffles
The most basic form of a shuffle is the decryption shuffle. It simply takes a list of ciphertexts,
decrypts them and outputs them in permuted order. In some sense this is equivalent to a mix-net.

Definition 5 (Decryption Shuffle). A CS-decryption shuffle, for a cryptosystem CS = (G, E, D)

is a functionality DS N = {DS N (κ),κ }κ∈N , where N (κ) is a polynomially bounded and polynomi-
ally computable function, such that for every κ ∈ N, DS N (κ),κ = {DSπ }π∈ΣN (κ) , and for every
(pk, sk) ∈ G(1κ ), and c1 , . . . , cN (κ) ∈ Cpk the circuit DSπ is defined by

DSπ (pk, sk, (c1 , . . . , cN (κ) )) = (Dsk (cπ(1) ), . . . , Dsk (cπ(N (κ)) )) .

A common way to implement a mix-net is to use the re-encryption-permutation paradigm of

Park et al. [25]. Using this approach the ciphertexts are first re-encrypted and permuted in a
joint way and then decrypted. The re-encryption shuffle below captures the joint re-encryption
and permutation phase of a mix-net.

Definition 6 (Re-encryption Shuffle). A CS-re-encryption shuffle, for a homomorphic cryp-

tosystem CS = (G, E, D) is a functionality RS N = {RS N (κ),κ }κ∈N , where N (κ) is a polyno-
mially bounded and polynomially computable function, such that for every κ ∈ N, RS N (κ),κ =
{RSπ,r }π∈ΣN (κ) ,r∈({0,1}∗ )N (κ) , and for every (pk, sk) ∈ G(1κ ), and c1 , . . . , cN (κ) ∈ Cpk the circuit
RSπ,r is defined by

RSπ (pk, sk, (c1 , . . . , cN (κ) )) = (RE pk (cπ(1) , r1 ), . . . , RE pk (cπ(N (κ)) , rN (κ) )) .

3 Constructing and Obfuscating a Generic Decryption Shuffle

We show that, in principle, all that is needed is an additively homomorphic cryptosystem. Con-
sider two semantically-secure cryptosystems, CS = (G, E, D) and CS 0 = (G 0 , E 0 , D0 ), with CS 0 being
additively homomorphic with binary operator ⊕ on ciphertexts. Suppose that ciphertexts from
CS can be encrypted under CS 0 for all (pk, sk) ∈ G(1κ ) and (pk 0 , sk 0 ) ∈ G 0 (1κ ), i.e., Cpk ⊆ M0pk0 .
The following operations are then possible and, more interestingly, indistinguishable thanks to
the semantic security of both cryptosystems:

0 Epk (m) 0 0 Epk (m) 0

Epk 0 (1) = Epk 0 (Epk (m)) and Epk 0 (0) = Epk 0 (0) .

3.1 The Obfuscator

Consider a permutation matrix Λπ = (λπij ) corresponding to a permutation π. Consider its
element-wise encryption under CS 0 with public key pk 0 and a corresponding matrix of random
2
factors (rij ) ∈ R0N π 0 π N
pk0 , i.e., C = (Epk0 (λij , rij )). Then given d = (d1 , d2 , . . . , dN ) ∈ Cpk it is possible
to perform homomorphic matrix multiplication as
N
!
M
0
d ? Cπ = (cπij )di such that Dsk (Dsk π
0 (d ? C )) = (mπ(1) , mπ(2) , . . . , mπ(N ) ) .

i=1

Definition 7 (Obfuscator). The obfuscator O for the decryption shuffle DS N takes input
(1κ , (pk, pk 0 ), (sk, sk 0 ), DSπ ), where (pk, sk) ∈ G(1κ ), (pk 0 , sk 0 ) ∈ G 0 (1κ ) and DSπ ∈ DS N (κ),κ ,
computes C π = Epk 0 (Λπ ), and outputs a circuit that hardcodes C π , and on input d = (d , . . . , d
0 1 N (κ) )
0 π
computes d = d ? C as outlined above and outputs d . 0

5
Technically, this is a decryption shuffle of a new cryptosystem CS 00 = (G 00 , E, D), where CS 00
executes the original key generators and outputs ((pk, pk 0 ), (sk, sk 0 )) and the original algorithms
E and D simply ignore (pk 0 , sk 0 ). We give a reduction without any loss in security for the following
straight-forward proposition. We also note that O does not use (sk, sk 0 ): obfuscation only requires
the public key.

Proposition 1. If CS 0 is polynomially indistinguishable then O is polynomially indistinguishable.

The construction can be generalized to the case where the plaintext space of CS 0 does not
contain the ciphertext space of CS. Each inner ciphertext di is split into pieces (di1 , . . . , dit )
each fitting in the plaintext space of CS 0 and then apply each list (d1,l , . . . , dN,l ) to the en-
crypted permutation matrix as before. This gives lists (d01,l , . . . , d0N,l ) from which the output list
((d01,l )l , . . . , (d0N,l )l ) is constructed.

3.2 Limitations of the Generic Construction

The matrix C π requires a proof that it is the encryption of a proper permutation matrix. This
can be accomplished using more or less general techniques depending on the cryptosystem, but
this is prohibitively expensive in general.
0 (E (m ))
Even if we prove that C π is correctly formed, the post-shuffle verifiable decryption of Epk 0 pk i
to mi is prohibitively expensive: revealing the inner ciphertext is out of the question, as it would
leak the shuffle permutation, which again leaves us only with generic proof techniques. Instead,
we turn to more efficient constructions.

4 Obfuscating a Boneh-Goh-Nissim Decryption Shuffle

We show how to obfuscate a decryption shuffle for the Boneh-Goh-Nissim (BGN) cryptosystem
[7] by exploiting both its additive homomorphism and its one-time multiplicative homomorphism.

4.1 The BGN Cryptosystem

We denote the BGN cryptosystem by CS bgn = (G bgn , E bgn , Dbgn ). It operates in two groups G1
and G2 , both of order n = q1 q2 , where q1 and q2 are distinct prime integers. We use multiplicative
notation in both G1 and G2 , and denote by g a generator in G1 . The groups G1 and G2 exhibit a
polynomial-time computable bilinear map e : G1 × G1 → G2 such that G = e(g, g) generates G2 .
Bilinearity implies that ∀u, v ∈ G1 and ∀a, b ∈ Z, e(ua , v b ) = e(u, v)ab . We refer the reader to [7]
for details on how such groups can be generated and on the cryptosystem’s properties, which we
briefly summarize here.

Key generation. On input 1κ , G bgn generates parameters (q1 , q2 , G1 , g, G2 , e(·, ·)) as above such
that n = q1 q2 is a κ-bit integer. It chooses u ∈ G1 randomly, defines h = uq2 , and outputs a
public key pk = (n, G1 , G2 , e(·, ·), g, h) and secret key sk = q1 .
Encryption in G1 . On input pk and m, E bgn selects r ∈ Zn randomly and outputs c = g m hr .
Decryption in G1 . On input sk = q1 and c ∈ G1 , Dbgn outputs m0 = loggq1 (cq1 ).

Because decryption computes a discrete logarithm, the plaintext space must be restricted
0 0
considerably. Corresponding algorithms E bgn and D bgn perform encryption and decryption in G2
using the generators G = e(g, g) and H = e(g, h). The BGN cryptosystem is semantically secure
under the Subgroup Decision Assumption, which states that no A ∈ PT∗ can distinguish between
a uniform distribution on G1 and a uniform distribution on the unique order q1 subgroup in G1 .

6
Homomorphisms. The BGN cryptosystem is additively homomorphic. We need this property,
but we also exploit its one-time multiplicative homomorphism implemented by the bilinear map
(we denote α = logg u in the BGN key generation):
bgn bgn 0
e(Epk (m0 , r0 ), Epk (m1 , r1 )) = Epkbgn (m0 m1 , m0 r1 + m1 r0 + αq2 r0 r1 )
The result is a ciphertext in G2 which cannot be efficiently converted back to an equivalent
ciphertext in G1 . Thus, the multiplicative homomorphism can be evaluated only once, after which
def
only homomorphic additions are possible. For clarity, we write c1 ⊕ c2 = c1 c2 for ciphertexts in
def
G1 or G2 and c1 ⊗ c2 = e(c1 , c2 ) for ciphertexts in G1 .

4.2 The Obfuscator

Our obfuscator is based on the observation that matrix multiplication only requires an arithmetic
circuit with multiplication depth 1. Thus, the BGN cryptosystem can be used for homomorphic
bgn
matrix multiplication. Consider a N1 × N2 -matrix C = (cij ) = (Epk (aij )) and a N2 × N3 -matrix
bgn
C 0 = (djk ) = (Epk (bjk )), and let A = (aij ) and B = (bjk ). We define homomorphic matrix
multiplication by
   
N2 N2
0
cij ⊗ djk  and conclude that Dskbgn (C ? C 0 ) = 
M X
C ? C0 = 
def
aij bjk  = AB .
j=1 j=1

Definition 8 (Obfuscator). The obfuscator Obgn for the decryption shuffle DS bgn N takes input
bgn bgn bgn bgn
(1 , pk, sk, DSπ ), where (pk, sk) ∈ G (1 ) and DSπ ∈ DS N (κ),κ , computes C π = Epk
κ bgn κ (Λπ ),
and outputs a circuit with C π hard-coded such that, on input d = (d1 , . . . , dN (κ) ), it outputs
d0 = d ? C π .
Note that Obgn does not use sk. We have the following corollary from Proposition 3.
Corollary 1. The obfuscator Obgn for DS bgn N is polynomially indistinguishable if the BGN cryp-
tosystem is polynomially indistinguishable.

5 Obfuscating a Paillier Re-encryption Shuffle

We show how to obfuscate a re-encryption shuffle for the Paillier cryptosystem [24] by exploiting
its additive homomorphism and its generalization introduced by Damgård et al. [15]. We expose
a previously unnoticed homomorphic property of this generalized Paillier construction.

5.1 The Paillier Cryptosystem

We denote the Paillier cryptosystem CS pai = (G pai , E pai , Dpai ). It is defined as follows:
Key Generation. On input 1κ , G pai chooses safe primes p = 2p0 + 1 and q = 2q 0 + 1 randomly
such that n = pq is a κ-bit integer, defines global parameter v = n + 1 and outputs a public
key pk = n and a secret key sk = p.
Encryption. On input pk and m ∈ Zn , E pai selects r ∈ Z∗n randomly and outputs v m rn mod n2 .
Decryption. On input sk and c, given e such that e = 1 mod n and e = 0 mod φ(n), Dpai
outputs (ce − 1)/n.
The Paillier cryptosystem is polynomially indistinguishable under the Decision Composite
Residuosity Assumption, which states that no A ∈ PT∗ can distinguish the uniform distribution
on Z∗n2 from the uniform distribution on the subgroup of nth residues in Z∗n2 .

7
Generalized Paillier. Damgård et al. [15] generalize this scheme, replacing computations modulo
n2 with computations modulo ns+1 and plaintext space Zn with Zns . Damgård et al. prove
that the security of the generalized scheme follows from the security of the original scheme for
s > 0 polynomial in the security parameter, though we only exploit the cases s = 1, 2. We write
Enpai m ns mod ns+1 for generalized encryption to make explicit the value of s used in
s+1 (m) = v r
pai
a particular encryption. Similarly we write Dp,s+1 (c) for the decryption algorithm (see [15] for
details) and we use Mns+1 and Cns+1 to denote the corresponding message and ciphertext spaces.

Alternative Encryption. There are natural and well known alternative encryption algorithms.
It is easy to see that one can pick the random element r ∈ Z∗ns instead of in Z∗n . If hs+1 is a
generator of the group of ns th residues, then we may define encryption of a message m ∈ Zns as
v m hrs+1 mod ns where r is chosen randomly in [0, n2κr ].

Homomorphisms. The Paillier cryptosystem is additively homomorphic. Furthermore, the recur-

sive structure of the Paillier cryptosystem allows a ciphertext Enpai ∗
2 (m) ∈ Cn2 = Zn2 to be viewed
as a plaintext in the group Mn3 = Zn2 that can
be encrypted using a generalized version of the
cryptosystem, i.e., we can compute Enpai pai
3 En2 (m) . Interestingly, the nested cryptosystems preserve
the group structures over which they are defined. In other words we have
pai
E 2 (m,s)
Enpai pai
3 (En2 (0, r))
n = Enpai pai pai pai pai
3 (En2 (0, r)En2 (m, s)) = En3 (En2 (m, r + s)) .

Note how this homomorphic operation is similar to the generic additive operation from Section
3, except the inner “1” has been replaced with an encryption of 0. As a result, though the output
is also a double-encrypted mi , a re-encryption has occurred on the inner ciphertext.

5.2 The Obfuscator

We use the additive homomorphism and the special homomorphic property exhibited above to
define a form of homomorphic matrix multiplication of matrices of ciphertexts.
Given an N -permutation matrix Λπ = (λπij ) and randomness r, s ∈ (Z∗n )N ×N , define


C π = (cπij ) = Enpai π pai
3 λij En2 (0, rij ), sij .

We define a kind of matrix multiplication of d = (d1 , . . . , dN ) ∈ Cn2 and C π as above by

N
!
pai pai
Y
d ? Cπ = (cπij )di and conclude that Dp,2 (Dp,3 (d ? C π )) = (mπ(1) , . . . , mπ(N ) ) .
i=1

In other words, we can do homomorphic matrix multiplication with a permutation matrix using
layered Paillier, but we stress that the above matrix multiplication does not work for all matrices.
We are now ready to define the obfuscator for the Paillier-based shuffle.
Definition 9 (Obfuscator). The obfuscator Opai for the re-encryption shuffle RS pai
N takes in-
κ pai pai κ pai pai
put a tuple (1 , n, sk, RS ), where (n, p) ∈ G (1 ) and RS ∈ RS N (κ),κ , computes C π =
(Enpai π pai
3 (λij En2 (0, rij ), sij )), and outputs a circuit with hardcoded C
π that, on input d = (d , . . . , d
1 N (κ) ),
0
outputs d = d ? C . π

Note, again, that Opai does not use sk.

Proposition 2. The obfuscator Opai for RS pai N is polynomially indistinguishable if the Paillier
cryptosystem is polynomially indistinguishable.

8
6 Proving Correctness of Obfuscation
We show how to prove the correctness of a BGN or Paillier obfuscation. We assume, for now, that a
single party generates the encrypted matrix, though the techniques described here are immediately
applicable to the distributed generation and proofs in Section 7. For either cryptosystem, we start
with a trivially encrypted identity matrix, and we let the prover demonstrate that he correctly
shuffled the columns of this matrix.
Definition 10. Denote by Rmrp the relation consisting of pairs ((1κ , pk, C, C 0 ), r) such that C ∈
×N ×N
CN
pk , C 0 = (RE pk (ci,π(j) , rij )), r ∈ RN
pk , and π ∈ ΣN .
In the BGN case, the starting identity matrix can be simply C = Epk (Λid , 0∗ ). Recall that,
where the BGN matrix contains encryptions of 1, the Paillier matrix contains outer encryptions
of different inner encryptions of zero, which need to remain secret.
Thus, in the Paillier case, we begin by generating and proving correct a list of N double-
encryptions of zero. We construct a proof of double-discrete log with 1/2-soundness that must be
repeated a number of times. This repetition remains “efficient enough” because we only need to
perform a linear number of sets of repeated proofs. We then use these N double-encrypted zeros
as the diagonal of our identity matrix, completing it with trivial outer encryptions of zero.
In both cases, we then take this identity matrix, shuffle and re-encrypt its columns, and
provide a zero-knowledge proof of knowledge of the permutation and re-encryption factors. A
verifier is then certain that the resulting matrix is a permutation matrix.

6.1 Proving a Shuffle of the Columns of a Ciphertext Matrix

Consider the simpler and extensively studied problem of proving that a list of ciphertexts have
been correctly re-encrypted and permuted, sometimes called a “proof of shuffle”.
Definition 11. Denote by Rrp the relation consisting of pairs ((1κ , pk, d, d0 ), r) such that d =
(dj ) ∈ CN 0 N
pk and d = RE pk ((dπ(j) ), r) for some r ∈ Rpk and π ∈ ΣN .
There are several known efficient methods [22, 17, 20, 30] for constructing a protocol for this rela-
tion. Although these protocols differ slightly in their properties, they all essentially give “honest
verifier zero-knowledge proofs of knowledge.” As our protocol can be adapted to the concrete de-
tails of these techniques, we assume, for clarity, that there exists an honest verifier zero-knowledge
proof of knowledge πrp for the above relation. These protocols can be extended to prove a shuffle
of lists of ciphertexts (which is what we need), but a detailed proof of this fact have not appeared.
We present a simple batch proof (see [4]) of a shuffle to allow us to argue more concretely about
the complexity of our scheme.
Protocol 1 (Matrix Re-encryption-Permutation).
×N
Common Input. A public key pk and C, C 0 ∈ CN
pk
N ×N
Private Input. π ∈ ΣN and r ∈ Rpk such that C 0 = RE pk ((ci,π(j) ), r).
1. V chooses u ∈ [0, 2κc − 1]NLrandomly and hands it to P.
2. They both compute d = ( N ui 0 =(
LN 0 ui
c
i=1 ij ) and d i=1 (cij ) ).
3. They run πrp on common input (pk, d, d0 ) and private input π, r0 = ( N
P
i=1 rij ui ).
Proposition 3. Protocol 1 is public-coin and honest verifier zero-knowledge. For inputs with
C = Epk (Λπ ) for π ∈ ΣN the error probability is negligible and there exists a knowledge extractor.
Remark 1. When the plaintexts are known, and this is the case when C is an encryption of the
identity matrix, slightly more efficient techniques can be used. This is sometimes called a “shuffle
of known plaintexts” (see [22, 20, 30]).

9
6.2 Proving Double Re-encryption

The following relation captures the problem of proving correctness of a double-re-encryption.

Definition 12. Denote by Rpai κ 0

dr the relation consisting of pairs ((1 , n, c, c ), (r, s)), such that
r 2
c0 = ch1 mod n hs2 mod n3 with r, s ∈ [0, N 2κr ].

Protocol 2 (Double Re-encryption).

Common Input. A modulus n and c, c0 ∈ Cn3
r 2
Private Input. r, s ∈ [0, n2κr ] such that c0 = ch2 mod n hs3 mod n3 .
r0 mod n2 hs0
1. P chooses r0 ∈ [0, n22κr ] and s0 ∈ [0, n3 22κr ] randomly, computes α = ch2 3 mod n3 ,
and hands α to V.
2. V chooses b ∈ {0, 1} randomly and hands b to P.
3. P defines (e, f ) = (r0 − br, s0 − b(he2 mod n2 )s). Then it hands (e, f ) to V.
e 2
4. V checks that α = ((c0 )b c1−b )h2 mod n hf3 mod n3 .

The protocol is iterated in parallel κc times to make the error probability negligible. For
proving a lists of ciphertexts, we use independent copies of the protocol for each element.

Proposition 4. Protocol 2 is a public-coin honest verifier zero-knowledge proof of knowledge for

Rpai
dr .

7 Distributed Generation and Obfuscation of a Shuffle

We now explain how to sample and obfuscate the BGN and Paillier shuffles in a distributed way.
In order to focus the discussion on our contribution, we study the properties of our protocol in a
hybrid model as defined in the universally composable framework of Canetti [9]. The hybrid world
contains an ideal authenticated bulletin board FBB , an ideal coin-flipping functionality FCF , an
R
ideal zero-knowledge proof of knowledge of a plaintext FZKkp , and an ideal key generator FKG
that also allows decryption of a list of ciphertexts if requested by a majority of the mix-servers.
The only natural use of our construction is as a subprotocol, as it does not realize any natural,
universally composable functionality. We could, of course, use game-based definitions instead, but
this would not capture all the relevant security properties when used in a complete mix-net setting.
Instead, we show how our protocol can be used in a trivial way to securely realize an ideal mix-net
functionality FMN . To simplify the exposition, we say that a public-coin protocol is used “in a
distributed way” when the challenge is taken from the ideal coin-flipping functionality.
Our protocol varies slightly depending on the cryptosystem used: the BGN construction is
a decryption shuffle, while the Paillier construction is a re-encryption shuffle. We only indicate
which cryptosystem is used when necessary and keep our notation generic otherwise, e.g. we
write CS instead of CS bgn or CS pai . Recall that, in the Paillier case, the obfuscated shuffle can be
viewed as an outer-layer encrypted permutation matrix where the ones are replaced by inner-layer
ciphertexts of zero. Thus, at the start of the Paillier version, we need an additional subprotocol.

Protocol 3 (Generation of Double-Paillier Encrypted Zeros).

Common Input. A Paillier public key n and integer N .
Mix-server Mj proceeds as follows.

1. Define d0 = (Enpai pai ∗ pai pai ∗

3 (En2 (0, 0 )), . . . , En3 (En2 (0, 0 ))) of length N .
2. For l = 1, . . . , k do:

10
 (a) If l 6= j, then wait until (Ml , List, dl ), dl ∈ Cn3 , appears on FBB . Execute the verifier of
Protocol 2 in a distributed way. If it fails, then set dl = dl−1 .
(b) If l = j, then do:
rj,i
h mod n2 s
i. Choose rj , sj ∈ [0, n2κr ]N randomly, compute dj = (dj−1,i
2
h3j,i mod n3 ), and
publish (List, dj ) on FBB .
ii. Prove using Protocol 2 in a distributed way knowledge of rj , sj ∈ [0, n2κr ]N such that
(n, dj−1 , dj ) ∈ Rpai
dr .
3. Output dk .

Protocol 4 (Generation and Obfuscation of a Shuffle).

Common Input. A public key pk and integer N .
Mix-server Mj proceeds as follows.
1. In BGN Case. Define C0 = Epk (Λid , 0∗ ), with Λid an N × N identity matrix .
In Paillier Case. Execute Protocol 3 and denote its output by (c1,1 , . . . , cN,N ). Then form
a matrix C0 = (cit ) by setting the remaining elements ci,t = Enpai ∗
3 (0, 0 ) for i 6= t.
2. For l = 1, . . . , k do:
×N
(a) If l 6= j, then wait until (Ml , Matrix, Cl ), Cl = (cl,i,t ) ∈ CN
pk , appears on FBB . Execute
the verifier of Protocol 1 in a distributed way. If it fails, then set Cl = Cl−1 .
(b) If l = j, then do:
×N
i. Choose rj ∈ RN pk randomly, choose πj ∈ ΣN randomly,
compute Cj = RE pk ((cj−1,i,πj (t) ), rj ), and publish (Matrix, Cj ) on FBB .
×N
ii. Prove, using Protocol 1 in a distributed way, knowledge of rj ∈ RN pk such that
((pk, Cj−1 , Cj ), rj ) ∈ Rmrp .
3. Output Ck .

8 Trivial Mix-Net From Obfuscated Shuffle

We now give the promised trivial realization of an ideal mix-net. The ideal mix-net functionality
FMN we consider is essentially the same as that used in [29, 30, 32]. It simply accepts inputs and
waits until a majority of the mix-servers requests that the mixing process starts. At this point it
sorts the inputs and outputs the result.

Functionality 1 (Mix-Net). The ideal functionality for a mix-net, FMN , running with mix-
servers M1 , . . . , Mk , senders P1 , . . . , PN , and ideal adversary S proceeds as follows
1. Initialize a list L = ∅, a database D, a counter c = 0, and set JS = ∅ and JM = ∅.
2. Repeatedly wait for inputs
– Upon receipt of (Pi , Send, mi ) with mi ∈ {0, 1}κm and i 6∈ JS from CI , store this tuple in
D under the index c, set c ← c + 1, and hand (S, Pi , Input, c) to CI .
– Upon receipt of (Mj , Run) from CI , store (Mj , Run) in D under the index c, set c ← c + 1,
and hand (S, Mj , Input, c) to CI .
– Upon receipt of (S, AcceptInput, c) such that something is stored under the index c in D
do
(a) If (Pi , Send, mi ) with i 6∈ JS is stored under c, then append mi to L, set JS ← JS ∪ {i},
and hand (S, Pi , Send) to CI .
(b) If (Mj , Run) is stored under c, then set JM ← JM ∪ {j}. If |JM | > k/2, then sort the
list L lexicographically to form a list L0 , hand ((S, Mj , Output, L0 ),
{(Ml , Output, L0 )}kl=1 ) to CI and ignore further messages. Otherwise, hand CI the list
(S, Mj , Run).

11
 The functionalities of the hybrid world are fairly natural. The bulletin board FBB is authen-
ticated; everybody can write to it, and nobody can delete anything. It also stores the order in
which messages appear. The coin-flipping functionality FCF waits for a coin-request and then
simply outputs the requested number of random coins. The zero-knowledge proof of knowledge
R
of a plaintext FZKkp allows a sender to submit a public key pk, a ciphertext c, a message m, and
a random string r ∈ {0, 1}∗ , and simply tells the mix-servers if m ∈ {0, 1}κm and c = Epk (m, r)
or not. The key generation functionality generates a key pair (pk, sk) = G(1κ ) and outputs the
public key pk. Then if it receives more than k/2 requests to decrypt a certain list of ciphertexts,
it decrypts it using sk and outputs the result. The definitions of these functionalities are given in
Appendix B.

Protocol 5 (Trivial Mix-Net).

Sender Pi proceeds as follows.

1. Wait for (PublicKey, pk) from FKG .

2. Wait for an input m ∈ {0, 1}κm , choose r ∈ {0, 1}∗ randomly, and compute c = Epk (m, r).
R
Then publish (Send, c) on FBB and hand (Prover, (pk, c), (m, r)) to FZKkp .

Mix-server Mj proceeds as follows.

Offline Phase

1. Wait for (PublicKey, pk) from FKG .

2. Execute Protocol 4 (with either BGN or Paillier as appropriate) and denote the output ob-
fuscated (decryption/re-encryption) shuffle by C π .

Online Phase
3. Initialize JM = ∅, JP = ∅, and repeatedly wait for new inputs or a new message on FBB .
– On input (Run) hand (Write, Run) to FBB .
– If (Mj , Run) appears on FBB , then set JM ← JM ∪ {j}. If |JM | > k/2, go to Step 4.
– If (Pγ , Send, cγ ) appears on FBB for γ 6∈ JP then do:
(a) Set JP ← JP ∪ {γ}.
R
(b) Hand (Question, Pγ , (pk, cγ )) to FZKkp and wait for a reply
R
(Verifier, Pγ , (pk, cγ ), bγ ) from FZKkp .
4. Let JP0 ⊂ JP be the set of γ such that bγ = 1. Form a list of trivial encryptions dpad =
(Epk (0, 0∗ ), . . . , Epk (0, 0∗ )) of length N −|JP0 |. Then form the concatenated list d = (cγ )γ∈JP kdpad ,
and compute d0 = d ? C π .
5. In BGN Case. Hand (Decrypt, d0 ) to FKG and wait until it returns (Decrypted, m). Form
a new list m0 by sorting m lexicographically and removing N − |JP0 | copies of 0. Then output
(Output, m0 ).
In Paillier Case. Hand (Decrypt, d0 ) to FKG and wait until it returns (Decrypted, d00 ).
Hand (Decrypt, d00 ) to FKG and wait until it returns (Decrypted, m). Form a new list m0 by
sorting m lexicographically and removing N − |JP0 | copies of 0. Then output (Output, m0 ).

Remark 2. The decryption step at the end of the protocol can be implemented efficiently in a
distributed and verifiable way using known methods (e.g. [15, 32]).
R
Proposition 5. Protocol 5 securely realizes FMN in the (FBB , FCF , FZKkp , FKG )-hybrid model
with respect to static adversaries corrupting any minority of the mix-servers and any set of senders
under the polynomial indistinguishability of the BGN or Paillier cryptosystem respectively.

12
9 Complexity Estimates
Our constructions clearly require O(N 2 ) exponentiations, but we give estimates that show that
the constant hidden in the ordo-notation is reasonably small in some practical settings. For
simplicity we assume that the cost of squaring a group element equals the cost of multiplying
two group elements and that computing an exponentiation using a κe -bit integer modulo a κ-bit
integer corresponds to κe /κ full exponentiations modulo a κ-bit integer. We optimize using fixed-
base exponentiation and simultaneous exponentiation (see [21]). We assume that evaluating the
bilinear map corresponds to computing 6 exponentiations in the group G1 and we assume that
such one such exponentiation corresponds to 8 modular exponentiations. This seems reasonable,
although we are not aware of any experimental evidence. In the Paillier case we assume that
multiplication modulo ns is s2 times as costly as multiplication modulo n. We assume that the
proof of a shuffle requires 8N exponentiations (this is conservative).
Most exponentiations when sampling and obfuscating a shuffle are fixed-base exponentiations.
The only exception is a single exponentiation each time an element is double-re-encrypted, but
there are only N such elements. In the proof of correct obfuscation the bit-size κc of the elements
in the random vector u used in Protocol 1 is much smaller than the security parameter, and
simultaneous exponentiation is applicable. In the Paillier case, simultaneous exponentiation is
applicable during evaluation, and precomputation lowers the on-line complexity. Unfortunately,
this does not work in the BGN case due to the bilinear map. For a detailed description of how we
computed our estimates we refer the reader to the Scheme-program in Appendix C. For practical
parameters we get the estimates in Fig. 1.

Construction Sample & Obfuscate Prove Precompute Evaluate

BGN with N = 350 14 (0.5h) 3 (0.1h) NA 588 (19.6h)
Paillier with N = 2000 556 (18.5h) 290 (9.7h) 3800 (127h) 533 (17.8h)

Fig. 1. The table gives the complexity of the operations in terms of 104 modular κ-bit exponentiations and in
parenthesis the estimated running time in hours assuming that κ = 1024, κc = κr = 50, and that one exponentiation
takes 12 msec to compute (a 1024-bit exponentiation using GMP [19] takes 12 msec on our 3 GHz PC).

Given a single computer, the BGN construction is only practical when N ≈ 350 and the
maximal number of bits in any submitted ciphertext is small. On the other hand, the Paillier
construction is practical for normal sized voting precincts in the USA: N ≈ 2000 full length
messages can be accommodated, and, given one week of pre-computing, the obfuscated shuffle
can be evaluated overnight. All constructions are easily parallelized, i.e., larger values of N can
be accommodated, or the running time can be reduced by using more computers.

10 Conclusion
It is surprising that a functionality as powerful as a shuffle can be public-key obfuscated in any
useful way. It is even more surprising that this can be achieved using the Paillier cryptosystem
which, in contrast to the BGN cryptosystem, was not specifically designed to have the kind of
“homomorphic” properties we exploit. One intriguing question is whether other useful “homo-
morphic” properties have been overlooked in existing cryptosystems.
From a practical point of view we stress that, although the performance of our mix-net is much
worse than that of known constructions, it exhibits a property which no previous construction
has: a relatively small group of mix-servers can prepare obfuscated shuffles for voting precincts.
The precincts can compute the shuffling without any private key and produce ciphertexts ready
for decryption.

13
References

1. M. Abe and H. Imai. Flaws in some robust optimistic mix-nets. In Australasian Conference on Information
Security and Privacy – ACISP 2003, volume 2727 of Lecture Notes in Computer Science, pages 39–50. Springer
Verlag, 2003.
2. B. Barak, O. Goldreich, R. Impagliazzo, S. Rudich, A. Sahai, S. P. Vadhan, and K. Yang. On the (im)possibility
of obfuscating programs. In Advances in Cryptology – Crypto 2001, volume 2139 of Lecture Notes in Computer
Science, pages 1–18. Springer Verlag, 2001.
3. O. Baudron, P.-A. Fouque, D. Pointcheval, J. Stern, and G. Poupard. Practical multi-candidate election system.
In 20th ACM Symposium on Principles of Distributed Computing – PODC, pages 274–283. ACM Press, 2001.
4. M. Bellare, J. A. Garay, and T. Rabin. Fast batch verification for modular exponentiation and digital signatures.
In Advances in Cryptology – Eurocrypt ’98, pages 236–250. Springer Verlag, 1998.
5. J. Benaloh and M. Yung. Distributing the power of a government to enhance the privacy of voters. In 5th
ACM Symposium on Principles of Distributed Computing – PODC, pages 52–62. ACM Press, 1986.
6. J. Cohen (Benaloh) and M. Fischer. A robust and verifiable cryptographically secure election scheme. In
28th IEEE Symposium on Foundations of Computer Science (FOCS), pages 372–382. IEEE Computer Society
Press, 1985.
7. D. Boneh, E.-J. Goh, and K. Nissim. Evaluating 2-DNF formulas on ciphertexts. In 2nd Theory of Cryptography
Conference (TCC), volume 3378 of Lecture Notes in Computer Science, pages 325–342. Springer Verlag, 2005.
8. R. Canetti. Towards realizing random oracles: Hash functions that hide all partial information. In Advances in
Cryptology – Crypto 1997, volume 1294 of Lecture Notes in Computer Science, pages 455–469. Springer Verlag,
1997.
9. R. Canetti. Universally composable security: A new paradigm for cryptographic protocols. In 42nd IEEE
Symposium on Foundations of Computer Science (FOCS), pages 136–145. IEEE Computer Society Press, 2001.
(Full version at Cryptology ePrint Archive, Report 2000/067, http://eprint.iacr.org, October, 2001.).
10. D. Chaum. Untraceable electronic mail, return addresses and digital pseudo-nyms. Communications of the
ACM, 24(2):84–88, 1981.
11. D. Chaum and T. Pedersen. Wallet Databases with Observers. In Advances in Cryptology – Crypto 1992,
volume 740 of Lecture Notes in Computer Science, pages 89–105. Springer Verlag, 1992.
12. R. Cramer, I. Damgard, and Berry Schoenmakers. Proofs of Partial Knowledge and Simplified Design of
Witness Hiding Protocols. In Advances in Cryptology – Crypto 1994, volume 839 of Lecture Notes in Computer
Science, pages 174–187. Springer Verlag, 1994.
13. R. Cramer, M. Franklin, L. A.M. Schoenmakers, and M. Yung. Multi-authority secret-ballot elections with
linear work. Technical report, CWI (Centre for Mathematics and Computer Science), Amsterdam, The Nether-
lands, 1995.
14. R. Cramer, R. Gennaro, and B. Schoenmakers. A secure and optimally efficient multi-authority election scheme.
In Advances in Cryptology – Eurocrypt ’97, volume 1233 of Lecture Notes in Computer Science, pages 103–118.
Springer Verlag, 1997.
15. I. Damgård and M. Jurik. A generalisation, a simplification and some applications of paillier’s probabilistic
public-key system. In Public Key Cryptography – PKC 2001, volume 1992 of Lecture Notes in Computer
Science, pages 119–136. Springer Verlag, 2001.
16. P.-A. Fouque, G. Poupard, and J. Stern. Sharing decryption in the context of voting or lotteries. In Financial
Cryptography 2000, volume 2339 of Lecture Notes in Computer Science, pages 90–104, London, UK, 2001.
Springer-Verlag.
17. J. Furukawa and K. Sako. An efficient scheme for proving a shuffle. In Advances in Cryptology – Crypto 2001,
volume 2139 of Lecture Notes in Computer Science, pages 368–387. Springer Verlag, 2001.
18. S. Goldwasser and Y. Tauman Kalai. On the impossibility of obfuscation with auxiliary input. In 46th IEEE
Symposium on Foundations of Computer Science (FOCS), pages 553–562. IEEE Computer Society Press, 2005.
19. T. Granlund. Gnu multiple precision arithmetic library (GMP). Software available at http://swox.com/gmp,
March 2005.
20. J. Groth. A verifiable secret shuffle of homomorphic encryptions. In Public Key Cryptography – PKC 2003,
volume 2567 of Lecture Notes in Computer Science, pages 145–160. Springer Verlag, 2003.
21. A. Menezes, P. Oorschot, and S. Vanstone. Handbook of Applied Cryptography. CRC Press, 1997.
22. A. Neff. A verifiable secret shuffle and its application to e-voting. In 8th ACM Conference on Computer and
Communications Security (CCS), pages 116–125. ACM Press, 2001.
23. R. Ostrovsky and W. E. Skeith III. Private searching on streaming data. Cryptology ePrint Archive, Report
2005/242, 2005. http://eprint.iacr.org/.
24. P. Paillier. Public-key cryptosystems based on composite degree residuosity classes. In Advances in Cryptology
– Eurocrypt ’99, volume 1592 of Lecture Notes in Computer Science, pages 223–238. Springer Verlag, 1999.

14
25. C. Park, K. Itoh, and K. Kurosawa. Efficient anonymous channel and all/nothing election scheme. In Advances
in Cryptology – Eurocrypt ’93, volume 765 of Lecture Notes in Computer Science, pages 248–259. Springer
Verlag, 1994.
26. K. Sako and J. Kilian. Reciept-free mix-type voting scheme. In Advances in Cryptology – Eurocrypt ’95, volume
921 of Lecture Notes in Computer Science, pages 393–403. Springer Verlag, 1995.
27. B. Schoenmakers. A simple publicly verifiable secret sharing scheme and its application to electronic. In
Advances in Cryptology – Crypto ’99, volume 3027 of Lecture Notes in Computer Science, pages 148–164.
Springer Verlag, 1999.
28. H. Wee. On obfuscating point functions. In 37th ACM Symposium on the Theory of Computing (STOC), pages
523–532. ACM Press, 2005.
29. D. Wikström. A universally composable mix-net. In 1st Theory of Cryptography Conference (TCC), volume
2951 of Lecture Notes in Computer Science, pages 315–335. Springer Verlag, 2004.
30. D. Wikström. A sender verifiable mix-net and a new proof of a shuffle. In Advances in Cryptology – Asiacrypt
2005, volume 3788 of Lecture Notes in Computer Science, pages 273–292. Springer Verlag, 2005. (Full version
[31]).
31. D. Wikström. A sender verifiable mix-net and a new proof of a shuffle. Cryptology ePrint Archive, Report
2004/137, 2005. http://eprint.iacr.org/.
32. D. Wikström and J. Groth. An adaptively secure mix-net without erasures. In 33rd International Colloquium
on Automata, Languages and Programming (ICALP), volume 4052 of Lecture Notes in Computer Science,
pages 276–287. Springer Verlag, 2006.

A Proofs

Proof (Proposition 1). Denote by A an arbitrary adversary in the polynomial indistinguishability

experiment run with the obfuscator O. Denote by A0 an adversary to the polynomial indistin-
guishability experiment Expind−bCS 0 ,A0
(κ) with the cryptosystem CS 0 defined as follows. It accepts a
public key pk as input and forwards it to A. When A returns (DSπ0 , DSπ1 ), A0 outputs the
two messages 0 and 1. Then it is given an encryption c(b) = Epk 0 (b). Denote by Λπ0 and Λπ1

the two permutation matrices corresponding to DSπ0 and DSπ1 respectively. The adversary A0
defines a matrix C πb = (cπij ), by setting cπij = Epk 0 (λπ0 ) if λπ0 = λπ1 and cπ to a reencryption
ij ij ij ij
of c(b) if λπij0 = 0, or to a reencryption of c(1−b) if λπij0 = 1. This second ciphertext c(1−b) can be
computed homomorphically from c(b) . Then A0 continues the simulation using C πb to compute
the obfuscated circuit, and when A outputs a bit it gives it as its output. Then by construction
Pr[Expind−b
CS 0 ,A
(κ) = 1] = Pr[Expoind−b
DS ,CS 0 ,O,A
(κ) = 1] and the proposition follows.
N

Proof (Proposition 3). Completeness and the fact that the protocol is public-coin follow by in-
spection. We now concentrate on the more interesting properties.

Zero-Knowledge. The honest verifier zero-knowledge simulator simply picks u randomly as in the
protocol and then invokes the honest verifier zero-knowledge simulator of the subprotocol πrp . It
follows that the simulated view is indistinguishable from the real view of the verifier.

Negligible Error Probability. Consider the following intuitively appealing lemma.

Lemma 1. Let η be a product of κ/2-bit primes and let N be polynomially bounded in κ. Let
Λ = (λij ) be an N × N -matrix over Zη and let u ∈ [0, 2κc − 1]N be randomly chosen. Then if Λ
is not a permutation matrix Pru [∃π ∈ ΣN : uΛπ = uΛ] is negligible.

Proof. Follows by elementary linear algebra (see [31]).

By assumption C = Epk (Λπ ) for some π ∈ ΣN . Write Λ = Dpk (C 0 ). Then the lemma and the
soundness of the proof of a shuffle πrp implies the soundness of the protocol.

15
Knowledge Extraction. For knowledge extraction we may now assume that C 0 can be formed from
C by permuting and re-encrypting its columns. Before we start we state a useful lemma.

Lemma 2. Let η be a product of κ/2-bit primes, let N be polynomially bounded in κ, and let
u1 , . . . , ul−1 ∈ ZN such that ujj = 1 mod η and uji = 0 mod η for 1 ≤ i, j ≤ l − 1 < N and
i 6= j. Let ul ∈ [0, 2κc − 1]N be randomly chosen, where 2P −κc is negligible. Then the probability

that there exists a1 , . . . , al ∈ Z such that if we define ul = lj=1 aj uj mod η, then u0l,l = 1 mod η,
0

and u0l,i = 0 mod η for i < l is overwhelming in κ.

Proof. Note that b = ul,l − l−1

P
j=1 ul,j uj,l is invertible with overwhelming probability, and when
it is we view its inverse b as an integer and define aj = −b−1 ul,j for j < l and al = b−1 .
−1
Pl −1
For i < l this gives ul,i = j=1 aj uj,i = b (1 − ai uii ) = 0 mod η and for i = l this gives
ul,l = j=1 aj uj,l = b−1 (ul,l − l−1
Pl P
j=1 ul,j uj,l ) = 1 mod η.

It remains to exhibit a knowledge extractor. By assumption there exists a polynomial t(κ) and
negligible knowledge error (κ) such that the extractor of the subprotocol πrp executes in time
Tγ 0 (κ) = t(κ)/(γ 0 − (κ)) for every common input (d, d0 ), induced by a random vector u, to the
subprotocol such that the success probability of the subprotocol is γ 0 . We invoke the extractor, but
we must stop it if γ 0 turns out to be too low and find a new random u that induces a common input
to the subprotocol with a larger value of γ 0 . For simplicity we assume that the same negligible
function (κ) bounds the failure probability in Lemma 2. We assume that (κ) < γ/4, i.e., the
knowledge error will increase somewhat compared to the knowledge error of πrp .
Consider a fixed common input (pk, C, C 0 ) and prover P. Denote by γ the probability that P
convinces V. We denote by B the distribution over {0, 1} given by pB (1) = γ/(8t(κ)). Note that
this distribution can be sampled for any common input even without knowledge of γ, since we
can simply perform a simulation of the protocol, pick an element from the space {1, . . . , 8t(κ)}
randomly, and define the sample to be one if the prover succeeds and the picked element equal
one. We are going to use the random variable to implicitly be able to say if an induced common
input to the subprotocol gives a too low success probability γ 0 . We now make this idea precise.
The extractor proceeds as follows, where in the BGN case η denotes the modulus n and in the
Paillier case η denotes the order of the plaintext space of the outer layer Paillier, i.e., n2 where n
is the modulus and encryption is defined modulo n3 .

1. For l = 1, . . . , N do:
(a) Start the simulation of an execution between V and P and denote by ul the random vector
chosen by the simulator. Denote by (pk, dl , d0l ) the common input to the subprotocol πrp
induced by ul .
(b) If ul,j = ul,j 0 for some j 6= j 0 or if there does not exists ak,l ∈ Z such that ll0 =1 ak,l0 ul0 ,j
P
equals one modulo η if j = l and it equals zero modulo η for j < l, then go to Step 1a.
(c) Invoke the knowledge extractor of the protocol πrp on the common input (pk, dl , d0l ). How-
ever, in between each step executed by the extractor, the distribution B is sampled. If a
sample equals one before the extractor halts, then go to Step 1a. Otherwise, denote by πl
and sl the permutation and extracted randomness such that ((pk, dl , d0l ), (πl , sl )) ∈ Rrp .
2. Compute ak,l ∈ Z such that N
P
l=1 ak,l ul,j equals one or zero modulo η depending on if k = j
or not. Define (bkj ) = (akl )(ulj ) − I, where I is the identity N × N -matrix and the matrix
operations are taken over the integers.
In BGN Case. Compute r = (rk,j ) = (ak,l )(sl,j ), and output (π, r).
QN ak,l
In Paillier Case. Compute r = (rk,j ) = ( N 0 bki /η
Q
i=1 (ci,π(j) /cij ) l=1 sl,j ), where the division
bki /η is taken over the integers, and output (π, r).

16
 We do the easy part of the analysis first. Consider the correctness of the output given that
the extractor halts. Since ul,j = ul,j 0 for all j 6= j 0 and both Dpk (C) and Dpk (C 0 ) are permutation
matrices by assumption, we conclude that π1 = . . . = πN = π for some permutation π ∈ ΣN . We
have
YN N
Y
0 uli 0
(cij ) = dlj = dl,π(j) Epk (0, sl,j ) = Epk (0, sl,j ) cui,π(j)
li
. (1)
i=1 i=1

Apply the ak,l as exponents on the left of Equation (1) and take the product over all l. This gives
N N
!ak,l N N
! N
Y Y Y Y Y
(c0ij )uli = (c0ij )ak,l uli = c0kj (c0ij )bki .
l=1 i=1 i=1 l=1 i=1

Then apply the exponents ak,l on the right side of Equation (1) and take the product over all l.
This gives
N N
!ak,l N
! N !
Y Y uli
Y Y b
akl
Epk (0, sl,j ) ci,π(j) = Epk (0, sl,j ) ki
ci,π(j) ck,π(j) .
l=1 i=1 l=1 i=1

To summarize, we have shown that

N N
! !
Y Y
c0kj = (ci,π(j) /c0ij )bki Epk (0, sl,j ) akl
ck,π(j) .
i=1 l=1

We conclude the argument differently depending on the cryptosystem used.

In BGN Case. Note that bki = 0 mod η for all k and i, and the order of any ciphertext divides
η. Thus, the first product equals one in the ciphertext group. Furthermore, the randomizer space
is Zη so we have
N
!
X
0
ckj = Epk 0, akl sl,j ck,π(j) .
l=1

In Paillier Case. Again bki = 0 mod η for all k and i, but the order a ciphertext may be
larger than η. However, we may define b0ki = bki /η, where division is over the integers, define
s0j = N 0 b0ki
Q
i=1 (ci,π(j) /cij ) , and write

N
!
Y
c0kj = Epk 0, s0j sal,jkl ck,π(j) .
l=1

We remark that s0j is an element in Z∗n3 and not in Z∗n as expected. However, it is a witness of
re-encryption using one of the alternative Paillier encryption algorithms.
It remains to prove that the extractor is efficient in terms of the inverse success probability of
the prover. Fix an l. Denote by E the event that the prover succeeds to convince the adversary,
i.e., Pr[E] = γ. Denote by S the set of vectors u such that Pr[E | u ∈ S] ≥ γ/2. An averaging
argument implies that Pr[u ∈ S] ≥ γ/2. Denote by Eul the event that the go to statement in
Step 1b is executed. We show that if u ∈ S, then a witness is extracted efficiently with constant
probability, and if u 6∈ S, then the extraction algorithm will be stopped relatively quickly.
If u 6∈ S, then we focus only on the distribution B. The expected number of samples from B
needed before a sample is equal to one is clearly 1/pB (1) = 8t(κ)/γ. Thus, if we ignore the issue
of finding the witness the simulation in Step 1c is efficient in terms of 1/γ.

17
 If u ∈ S, then the expected number of steps needed by the extractor of the subprotocol πrp is
bounded by Tγ/2 (κ). By Markov’s inequality the probability that more than 2Tγ/2 (κ) steps are
needed is bounded by 1/2. The probability that one of the first ω = 2Tγ/2 (κ) samples of B is one
2
is bounded by 1 − (1 − pB (1))ω ≤ 1 − eω(−pB (1)+pB (1) ) ≤ 1 − e−1/2 , since (κ) < γ/4.
Thus, Step 1c executes in expected time 8t(κ)/γ, and from independence follows that it halts
due to the extractor finding a witness with probability at least 1 − 12 (1 − e−1/2 ). In other words
the expected number of restarts of the lth iteration of Step 1 is constant.
From Lemma 2 and independence of the ul,j follow that the probability that the go to state-
ment of Step 1b is executed is negligible. This means that the extractor runs in expected time
cN t(κ)/(γ − 4(κ)) for some constant c. This concludes the proof, since cN t(κ) is polynomial and
4(κ) is negligible.

Proof (Proposition 2). Let A be any adversary in the polynomial indistinguishability experi-
ment run with the obfuscator Opai . Denote by Aind the polynomial indistinguishability adversary
that takes a public key pk as input and then simulates this protocol to A. When A outputs
two challenge circuits (RS0pai , RS1pai ) with corresponding matrices (M0 , M1 ), i.e., the matrices are
permutation matrices with the ones replaced by re-encryption factors, Aind outputs (M0 , M1 ).
pai
When the polynomial indistinguishability experiment returns Epk (Mb ) it forms the obfuscated
circuit and hands it to A. Then Aind outputs the output of A. It follows that the advantage of
Aind in the polynomial indistinguishability experiment with the Paillier cryptosystem and using
polynomial length list of ciphertexts is identical to the advantage of A in the polynomial indis-
tinguishability experiment with Opai . It now follows from a standard hybrid argument that the
polynomial indistinguishability of the Paillier cryptosystem is broken if Opai is not polynomially
indistinguishable.

Proof (Proposition 4). Completeness and the public-coin property follow by inspection. The hon-
est verifier zero-knowledge simulator simply picks e ∈ [0, n2κr ] and f ∈ [0, n3 2κr ] and b ∈ {0, 1}
e
randomly and defines α = ((c0 )b c1−b )h2 hf3 mod n3 . The resulting view is statistically close to a
real view, since 2−κr is negligible.
e e0 0
For soundness, note that if we have ch2 hf3 = α = (c0 )h2 hf3 mod n3 with e, f, e0 , f 0 ∈ Z, then
we can divide by hf3 and take the he2 th root on both sides. This gives
e0 −e (f 0 −f )/he2
c = (c0 )h2 h3 mod n3 ,

which implies that the basic protocol is special 1/2-sound. The protocol is then iterated in parallel
κc times which gives negligible error probability 2−κc . The proof of knowledge property follows
immediately from special soundness.

A.1 Proof of Proposition 5

The proof proceeds as most proofs of security in the UC-framework. First we define an ideal
adversary S that runs the real adversary A as a black-box. Then we show that if the environment
can distinguish the ideal model run with the ideal adversary from the real model run with the
real adversary with non-negligible probability, then we can reach a contradiction.

The Ideal Adversary. The ideal adversary simulates the view of the real model to the real
adversary. Denote by IM and IP the indices of the corrupted mix-servers and senders correspond-
ingly. The ideal adversary corrupts the corresponding dummy parties. Then it simulates the real
model as follows.

18
Links Between Corrupted Parties and the Environment. The ideal adversary simulates the sim-
ulated environment Z 0 such that it appears as if A is communicating directly with Z. Similarly,
it simulates the corrupted dummy party M̃j (or P̃i ) for j ∈ IM (or i ∈ IP ) such that it appears
as if Mj (or Pi ) is directly communicating with Z. This is done by simply forwarding messages.

Simulation of Honest Senders. The ideal adversary clearly does not know the messages submitted
by honest senders to FMN in the ideal model. Thus, it must use some place holders in its simulation
and then make sure that this is not noticed.
Honest senders Pi with i 6∈ IP are simulated as follows. When S receives (S, Pi , Input, f ) it
simulates Pi honestly on input (Send, 0). It interrupt the simulation of FBB , when it is about to
hand (A, Input, f 0 , Pi , ci ) to CI . Then it stores (f, f 0 ) and continues the simulation.
When FBB receives (A, AcceptInput, f 0 ) from CI it interrupts the simulation of FBB . Then
it hands (AcceptInput, f ) to FMN and waits until it receives a message from FMN before it
continues the simulation of FBB .

Extraction From Corrupt Senders. When a corrupt sender submits a message in the simulated
real model, then the ideal adversary must instruct the corresponding corrupted dummy sender
to submit the same message.
R
When some Mj with j 6∈ IM receives (Mj , Verifier, Pγ , (pk, cγ ), 1) from FZKkp in the simu-
lation of Step 3b, the simulation is interrupted and the message mγ encrypted in cγ is extracted
R
from the simulation of FZKkp . Then P̃γ is instructed to submit mγ to FMN . When S receives
(P̃γ , Input, f ) it hands (AcceptInput, f ) to FMN and waits until it receives (P̃i , Send) from FMN .
Then the simulation of Mj is continued.

Simulation of Honest Mix-Servers. When an honest dummy mix-server signals that it wishes to
start the mixing process, the corresponding simulated mix-server must do the same.
When S receives (M̃j , Input, f ) from FMN , with j 6∈ IM , it gives the simulated mix-server Mj
the input Run. When FBB is about to output (A, Input, f 0 , Mj , Run) the simulation is interrupted
and (f, f 0 ) stored before the simulation is continued. When FBB receives (A, AcceptInput, f 0 )
the simulation of FBB is interrupted and S hands (AcceptInput, f ) to FMN . When it returns the
simulation is continued. Note that it normally returns (M̃j , Run) or (M̃j , Output, L0 ), but the
empty message can be returned if the accept instruction is ignored.

Extraction From Corrupt Mix-Servers. When a corrupted mix-server signals that it wishes to start
the mixing process in the simulated real model, the corresponding corrupted dummy mix-server
must do the same.
When FBB is about to hand (A, AcceptInput, f 0 ) to CI and (Mj , Run) has been stored in the
database D1 of FBB , the simulation is interrupted. Then S instructs M̃j to hand Run to FMN
and waits until it receives (M̃j , Input, f ) from FMN . Then it hands (AcceptInput, f ) to FMN .
When it returns the simulation of FBB is continued.

Simulation of Decryption. Note that when the decryption step is simulated by FKG , S already
knows the output L0 of FMN . Simulation proceeds slightly differently in the BGN and Paillier
cases, but in both cases a list (m01 , . . . , m0N ) is formed by padding L0 with zeros until it has size
N.
BGN Case. Choose πsim ∈ ΣN randomly and use (m0πsim (1) , . . . , m0πsim (N ) ) in the simulation of
FKG .
Paillier Case. In this case the key generator is called twice to decrypt the outer and inner
layer of the ciphertexts respectively. Choose πsim ∈ ΣN and r̄i ∈ Z∗n randomly and compute

19
 pai pai
c00 = (c001 , . . . , c00N ) = (En,2 (m0πsim (1) , r̄1 ), . . . , En,2 (m0πsim (N ) , r̄N )). In the first call use c00 in the
simulation of FKG and in the second call use (m0πsim (1) , . . . , m0πsim (N ) ).

Reaching a Contradiction. Consider any real adversary A and environment Z. We show that
if Z can distinguish the ideal model run with S from the real model run with A, then we can
break the indistinguishability of the underlying cryptosystem.
Denote by Tideal a simulation of the ideal model run with S and Z and denote by Treal a
simulation of the real model run with A and Z. Denote by Tl the simulation of T0 = Tideal except
R
for the following modifications of simulation honest senders Pi for i 6∈ IP and i < l and FZKkp .

R
1. Pi submits (Prover, (pk, c), ⊥) to FZKkp , i.e., it does not submit any witness. Instead, the
R
simulation of FZKkp is modified to behave as if it received a witness from these senders.
R
2. Instead of giving Pi the zero input, S peeks into the ideal functionality FZKkp and uses the
message mi submitted by the corresponding honest dummy sender P̃i .

Claim 1. | Pr[T0 = 1] − Pr[TN = 1]| is negligible.

Proof. This follows by a standard hybrid argument. We need only observe that the secret key
of the cryptosystem is not used by S in its simulation. More precisely, define Al to be the
polynomial indistinguishability adversary for the cryptosystem that takes a public key pk as
input and simulates Tl , except that if l 6∈ IP it interrupts the simulation when Pl is about to
compute it submission ciphertext. Then it hands (M0 , M1 ) = (ml , 0) to the experiment, where
ml is the message that P̃l handed to FMN . It is given a challenge ciphertext cl = Epk (Mb ) for a
randomly chosen b ∈ {0, 1} which it uses in the continued simulation.
By inspection we see that Pr[Expind−b CS,Al (κ) = 1] = Pr[Tl−b = 1]. The polynomial indistin-
guishability of the cryptosystem then implies that | Pr[Tl = 1] − Pr[Tl+1 = 1]| is negligible for
l = 1, . . . , N . The triangle inequality and the fact that N is polynomially bounded then implies
that | Pr[T0 = 1] − Pr[TN = 1]| is negligible as claimed.

Informally speaking we have now plugged back the correct messages in the simulation. The
problem is that decryption is still simulated incorrectly. In other words TN is still not identically
distributed Treal . To prove that the distributions are indistinguishable we need to sample the latter
distribution without using the secret key of the cryptosystem. We do this using the knowledge
extractors of the proofs of knowledge of correct obfuscation. One of the honest mix-servers must
also simulate its proof of correct re-encryption and permutation of a matrix of ciphertexts.
Denote by Bb the simulation of TN or Treal (depending on if b = 0 or not) except that in the
simulation, if a corrupt mix-server Mj with j ∈ IM succeeds in Protocol 1 or Protocol 2 then
the knowledge extractor of the protocol is invoked to extract the witness. In the Paillier case
we assume that in the same way the knowledge extractors of corrupt mix-servers are invoked in
Protocol 3. Denote the maximal knowledge error of Protocol 1 and Protocol 2 by  = (κ), and
recall that the knowledge error of a proof of knowledge does not depend on the adversary, but is
a parameter of the protocol itself. Denote then by t(κ)/(δ − ), where t(κ) is some polynomial,
the expected running time of the extractor in any of these protocols for a prover with success
probability δ, and recall that also t(κ) is a parameter of the protocol. In the simulation carried
out by Bb the running time of any extractor is restricted to t(κ)/ and if extraction fails it outputs
0.

Claim 2. | Pr[B0 = 1] − Pr[TN = 1]| and | Pr[B1 = 1] − Pr[Treal = 1]| is negligible.

20
Proof. Recall that Protocol 1 assumes that the first matrix C is an encryption of a permutation
matrix (or in the Paillier case a permutation matrix where the ones have been replaced by inner
encryptions of zero). Due to the negligible error probability of the protocols, the probability that
a mix-server succeeds to prove a false statement is negligible. Thus, we assume without loss that
all statements for which the extractors are invoked there exists a witness.
Then consider the event El that in the lth proof computed by any mix-server Mj it succeeds
with probability less than 2 conditioned on the simulation up to this point, and still succeeds
in the actual simulation. We clearly have Pr[El ] < 2. The union bound then implies the claim,
since there are at most 2k invocations of the protocols in total.

Claim 3. Bb runs in expected polynomial time.

Proof. This follows, since at any instance where an extractor is invoked for a prover on some
statement, if the prover succeeds with probability δ > 2, then the extractor runs in expected
time at most 2t(κ)/δ (although it may not output a witness at all), and otherwise the running
time is bounded by t(κ)/. Thus, in total this part of the simulation runs in expected time 2t(κ).
As the extractors are only invoked polynomially many times, the complete simulation runs in
expected polynomial time.

Observe that B1 can be sampled even without the secret key, since all the random permutations
and all random exponents are extracted. More precisely, since the list of original inputs and how
they are permuted (and inner-layer re-encrypted in the Paillier case), is known by the simulator
it can simulate decryption perfectly. Assume from now on that this is done.
Denote by Bb0 the simulation of Bb except for the following modification. Denote by Ml some
fixed mix-server with l 6∈ IM . Instead of letting it execute the prover of Protocol 1, or Protocol 2
the honest verifier zero-knowledge simulator guaranteed to exist by Proposition 3 and Proposition
4 respectively is invoked by programming the coin-flipping functionality FCF .

Claim 4. | Pr[Bb = 1] − Pr[Bb0 = 1]| is negligible.

Proof. This follows directly from the honest verifier zero-knowledge property of Protocol 1 and
Protocol 2.

BGN Case. Simply write B000 instead of B00 to allow a single proof for the two cases (we are
taking care about some special features of the Paillier case below).
Paillier Case. In this case we need to take care of the fact that the inner re-encryption factors
used by the simulator to simulate decryption are independently chosen from the true re-encryption
factors generated in Protocol 3.
Denote by B000 the simulation of B00 except that the former uses the re-encryption factors
extracted from the executions of Protocol 2.

Claim 5 (Paillier Case). | Pr[B00 = 1] − Pr[B000 = 1]| is negligible.

Proof. Denote by Aind the polynomial indistinguishability adversary that takes n as input and
simulates B00 except that in Protocol 3 Ml computes its output cj as follows. It generates two
(0) (1)
random lists ri , ri ∈ (Z∗n )N and hands these to the experiment. The experiment returns cj =
(b)
Enpai
3 (ri ) for a random b ∈ {0, 1}, which is used in the continued simulation. Then it defines
(1) Qk
r̄i = ri j=l+1 rj,i , where rj,i are the values extracted by the knowledge extractors or chosen by
simulated honest mix-servers. Note that if b = 0, the the simulation is identically distributed to
B00 and otherwise statistically close distributed to B000 .

21
 The standard extension of polynomial indistinguishability to polynomial length lists of cipher-
texts now implies the claim.
At this point we have reduced the difference between B000 and B100 to how decryption is simu-
lated. In the former decryption is simulated incorrectly by simply outputting the correct messages
in some randomlyt chosen order, whereas in the latter the corresponce between individual cipher-
texts and output messages is preserved.
Claim 6. | Pr[B000 = 1] − Pr[B100 = 1]| is negligible.
Proof. Consider the following polynomial indistinguishability adversary Aind to the obfuscation
of the decryption/re-encryption shuffle. It accepts a public key pk as input. Then it simulates B000
until some fixed simulated honest mix-server Ml with l 6∈ IM is about to produce its output in
the mix-net.
The adversary Aind chooses π (0) , π (1) ∈ ΣN randomly and defines πsim = π (1) πl+1 · · · πk , and
πl = π (0) . Due to the group properties of ΣN , this does not change the distribution of πsim in
either B000 or B100 .
BGN Case. The adversary Aind hands (DSπbgn bgn
(0) , DSπ (1) ) to the experiment and waits until it

returns an obfuscation O(pk, sk, DSπbgn

(b) ) for a random b. It extracts the encrypted permutation
(b)
matrix C π from the obfuscated shuffle and uses it as Ml ’s output.
pai
Paillier Case. Denote by r = (r1 , . . . , rN ) the joint random factors such that Dp,3 (C0 ) is the
n 2
diagonal matrix with diagonal (ri mod n ). These factors can be computed, from the witnesses ex-
tracted from the corrupt mix-servers in Protocol 2. The adversary Aind hands (RSπpai pai
(0) ,r , RSπ (1) ,r )

to the experiment and waits until it returns an obfuscation O(pk, sk, RSπpai
(b) ) for a random b. It
(b)
extracts the encrypted re-encryption and permutation matrix C π from the obfuscated shuffle
and uses it as Ml ’s output.
We conclude that Expoind−b
pai (κ) is identically distributed to Bb00 . Then the claim follows from
RS N ,Aind
the polynomial indistinguishability of the cryptosystem, since an expected polynomial time dis-
tinguisher can be turned into a strict polynomial time distinguisher using Markov’s inequality in
the standard way.

Conclusion of Proof of Proposition. To conclude the proof we simply note that Claim 1-6 implies
that | Pr[Tideal (A) = 1] − Pr[Treal (A) = 1]| is negligible for any real adversary A.

B Ideal Functionalities

Functionality 2 (Bulletin Board). The ideal bulletin board functionality, FBB , running with
parties P1 , . . . , Pn and ideal adversary S proceeds as follows. FBB holds two databases D1 and
D2 indexed on integers. Initialize two counters c1 = 0 and c2 = 0.
– Upon receiving (Pi , Write, mi ), mi ∈ {0, 1}∗ , from CI , store (Pi , mi ) in D2 by the index c2 in
the database, set c2 ← c2 + 1, and hand (S, Input, c2 , Pi , mi ) to CI .
– Upon receiving (S, AcceptInput, c) from CI check if a tuple (Pi , mi ) is stored in the database
D2 under c. If so, then store (Pi , mi ) in D1 under the index c1 , set c1 ← c1 + 1, and hand
(S, AcceptInput, c) to CI .
– Upon receiving (Pj , Read, c) from CI check if a tuple (Pi , mi ) is stored in the database D1
under c. If so hand ((S, Pj , Read, c, Pi , m), (Pj , Read, c, Pi , mi )) to CI . If not, hand
((S, Pj , NoRead, c), (Pj , NoRead, c)) to CI .

22
Functionality 3 (Coin-Flipping). The ideal Coin-Flipping functionality, FCF , with mix-servers
M1 , . . . , Mk , and adversary S proceeds as follows. Set Jκ = ∅ for all κ.
– On receipt of (Mj , GenerateCoins, κ) from CI , set Jκ ← Jκ ∪{j}. If |Jκ | = k, then set Jκ ← ∅
choose c ∈ {0, 1}κ randomly and hand
((S, Coins, c), {(Mj , Coins, c)}kj=1 ) to CI .

Functionality 4 (Key Generator). The ideal key generator FKG , running with mix-servers
M1 , . . . , Mk , senders P1 , . . . , PN , and ideal adversary S proceeds as follows
1. Initialize a database D. Compute (pk, sk) = G(1κ ) and hand ((S, PublicKey, pk),
{(Mj , PublicKey, pk)}kj=1 , {(Pi , PublicKey, pk)}N
i=1 ) to CI .
2. Repeatedly wait for messages. Upon reception of (Mj , Decrypt, c), set D ← D ∪ {(Mj , c)},
and if |{j : (Mj , c) ∈ D}| > k/2, then hand ((S, PublicKey, pk),
{(Mj , PublicKey, pk)}kj=1 ) to CI .

Functionality 5 (Zero-Knowledge Proof of Knowledge). Let L be a language given by a

binary relation R. The ideal zero-knowledge proof of knowledge functionality FZK R of a witness w

to an element x ∈ L, running with provers P1 , . . . , PN , and verifiers M1 , . . . , Mk , proceeds as

follows.
1. Upon receipt of (Pi , Prover, x, w) from CI , store w under the tag (Pi , x), and hand
(S, Pi , Prover, x, R(x, w)) to CI . Ignore further messages from Pi .
2. Upon receipt of (Mj , Question, Pi , x) from CI , if JPi ,x is not initialized set JPi ,x = ∅ and
otherwise JPi ,x ← JPi ,x ∪ {j}. Let w be the string stored under the tag (Pi , x) (the empty
string if nothing is stored). If |JPi ,x | = k, then hand ((S, Mj , Verifier, Pi , x, R(x, w)),
{(Mj , Verifier, Pi , x, R(x, w))}kj=1 ) to CI and otherwise (S, Mj , Question, Pi , x).

Definition 13. Let CS be a cryptosystem. Then denote by Rkp the relation consisting of pairs
((pk, c), (m, r)) such that c = Epk (m, r) and m ∈ {0, 1}κm .

C Program for Estimation of Complexity

;; Program to estimate the complexity of sampling, obfuscating,
;; proving correctness of an obfuscation, and evaluating.

;; isbgn: If equal to 1 we compute BGN complexity and otherwise Paillier

;; secp: Main security parameter, number of bits in Paillier modulus.
;; secpr: Bit-size of random padding in Schnorr proofs without mod-reduction.
;; secpc: Bit-size of challenge elements.
;; logb: Number of bits in each "chunk" in fixed-base exponentiation.
;; wsmall: Width of simultaneous exponentiation when we have small exponents.
;; wbig: Width of simultaneous exponentiation when we have big exponents.
;; oneexp: The time is takes to compute one modular secp-bit exponentiation.
;; N: Number of senders

(define (performance isbgn secp secpr secpc logb wsmall wbig oneexp N)

;; Displays time in minutes and hours to compute one exponentation

;; modulo a secp-bit integer
(define (display-as-time noexp)
(display (/ (truncate (round (/ (* oneexp noexp) 36))) 100)))

;; The cost in terms of multiplications to evaluate the bilinear map.

(define (bmap-cost) (* 6 (* 1.5 secp)))

;; The cost in terms of modular exponentiations to evaluate the bilinear map.

(define (ECC-cost) 8)

;; The cost of performing a fixed-base exponentation given precomputation.

;; The parameter is the number of bits in the exponent.
(define (logb-fixedbase expsize)
(let ((b (expt 2 logb)))
(- (+ (* (/ (- b 1) (* b logb)) expsize) b) 3)))

;; Precomputation needed for wbig

(define (w-simultaneous-wbig-precomp)
(expt 2 wbig))

23
 ;; The cost of wsmall-wise simultaneous exponentiation.
;; The parameter is the number of bits in the exponent.
(define (w-simultaneous-small expsize)
(/ (- (+ (* 2 expsize) (expt 2 wsmall)) 4)
wsmall))

;; The cost of wsmall-wise simultaneous exponentiation.

;; The parameter is the number of bits in the exponent.
(define (w-simultaneous-big-withoutprecomp expsize)
(/ (- (* 2 expsize) 4)
wbig))

;; The cost of a proof of a shuffle of lists.

;; This value is rather arbitrarily chosen.
(define (proof-of-shuffle) (* 8 N secp))

;; The cost of the proof of a shuffle of the rows in a matrix.

(define (matrix-reencryption-proof)
(if (> isbgn 0)
(+ (* N N (w-simultaneous-small secpc))
(proof-of-shuffle))
(+ (* 9 N N (w-simultaneous-small secpc))
(* 9 (proof-of-shuffle)))))

;; The cost of a single proof of double re-encryption.

(define (double-reencryption)
(* secpc (+ (* 9 (logb-fixedbase (+ (* 3 secp) (* 2 secpr))))
(* 4 (logb-fixedbase (+ secp (* 2 secpr))))
(* 2 secp 1.5 9))))

;; Translate the number of input multiplications to the

;; corresponding cost in terms of exponentiations
(define (mults-to-exps mults)
(round (/ mults (* 1.5 secp))))

;; The cost of sampling and obfuscating a shuffle.

;; In other words the cost of computing a random encrypted
;; "permutation matrix".
(define (sample-obfuscate-exps)
(mults-to-exps
(if (> isbgn 0)
(* N N (logb-fixedbase secp) (ECC-cost))
(* (+ (* 9 N N) (* 4 N))
(logb-fixedbase (+ secp secpr))))))

;; The cost of proving the correctness of a matrix.

(define (prove-exps)
(mults-to-exps
(if (> isbgn 0)
(* (matrix-reencryption-proof) (ECC-cost))
(+ (matrix-reencryption-proof)
(* N (double-reencryption))))))

;; Cost of precomputation for wbig-simultaneous exponentiation

(define (precompute-paillier-exps)
(mults-to-exps (/ (* N N (w-simultaneous-wbig-precomp)) wbig)))

;; The cost of performing homomorphic matrix multiplication.

(define (eval-exps)
(mults-to-exps
(if (> isbgn 0)
(* N N (+ (bmap-cost) 1) (ECC-cost))
(* 9 N N (w-simultaneous-big-withoutprecomp (* 2 secp))))))

(define (display-result)
(newline)
(if (> isbgn 0)
(display "BGN: ")
(display "PAI: "))
(display "secp=")
(display secp)
(display ", secpr=")
(display secpr)
(display ", secpc=")
(display secpc)
(display ", logb=")
(display logb)
(display ", wsmall=")
(display wsmall)
(display ", wbig=")
(display wbig)
(display ", bgood=")
(display (round (logb-fixedbase (* 2 secp))))
(display ", N=")
(display N)
(newline)

(display "Sample and Obfuscate ")

(display (sample-obfuscate-exps))
(display " ")
(display-as-time (sample-obfuscate-exps))
(newline)
(display "Prove ")

24
 (display (prove-exps))
(display " ")
(display-as-time (prove-exps))
(newline)
(cond ((= isbgn 0)
(display "Precomp. Eval ")
(display (precompute-paillier-exps))
(display " ")
(display-as-time (precompute-paillier-exps))
(newline)))
(display "Evaluate ")
(display (eval-exps))
(display " ")
(display-as-time (eval-exps)))

(display-result)
’()
)

;; Compute for both BGN and Paillier

(performance 1 1024 50 50 6 5 18 0.012 350)
(performance 0 1024 50 50 6 5 18 0.012 2000)

25