An E cient Pairing-Based Shu e Argument

We construct the most e cient known pairing-based NIZK shu e argument. It consists of three subarguments that were carefully chosen to obtain optimal e ciency of the shu e argument: 1. A same-message argument based on the linear subspace QANIZK argument of Kiltz and Wee, 2. A (simpli ed) permutation matrix argument of Fauzi, Lipmaa, and Zaj¡c, 3. A (simpli ed) consistency argument of Groth and Lu. We prove the knowledge-soundness of the rst two subarguments in the generic bilinear group model, and the culpable soundness of the third subargument under a KerMDH assumption. This proves the soundness of the shu e argument. We also discuss our partially optimized implementation that allows one to prove a shu e of 100 000 ciphertexts in less than a minute and verify it in less than 1.5 minutes.