BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Talks.cam//talks.cam.ac.uk//
X-WR-CALNAME:Talks.cam
BEGIN:VEVENT
SUMMARY:Efficient Verification of ElGamal Ciphertext Shuffles - Groth\, J 
 (UCL)
DTSTART:20120131T140000Z
DTEND:20120131T144500Z
UID:TALK36044@talks.cam.ac.uk
CONTACT:Mustapha Amrani
DESCRIPTION:A shuffle is a permutation and rerandomization of a set of cip
 hertexts. This means that the input ciphertexts and the output ciphertexts
  contain the same set of plaintexts but in permuted order. Furthermore\, d
 ue to rerandomization of the ciphertexts the permutation is hidden. Mix-ne
 ts often use a sequence of random shuffles performed by different mix-serv
 ers to hide the link between senders and plaintexts. A common use is found
  in voting schemes\, where a mix-net uses random shuffles to anonymize a s
 et of encrypted votes.\n      To protect against malicious mix-servers it 
 is necessary to verify that the shuffles are correct. Otherwise\, a bad mi
 x-server could for instance substitute encrypted votes cast by honest vote
 rs with encrypted votes for another candidate. Zero-knowledge proofs can b
 e used to guarantee the correctness of a shuffle without revealing the und
 erlying permutation or anything else. By providing such a zero-knowledge p
 roof the mix-server can prove that it has not substituted any ciphertexts 
 or in any other way deviated from the protocol\; but at the same time the 
 link between input ciphertexts and output ciphertexts remains secret.\n   
    Zero-knowledge proofs for correctness of a shuffle are complicated beas
 ts but we will present a construction that is both efficient and where the
  required communication is much smaller than the size of the shuffle itsel
 f. We have implemented the zero-knowledge proof and will provide concrete 
 performance measurements for verifying shuffles of ElGamal ciphertexts.
LOCATION:Seminar Room 1\, Newton Institute
END:VEVENT
END:VCALENDAR