Shorter Lattice-Based Zero-Knowledge Proofs for the Correctness of a Shuffle

FINANCIAL CRYPTOGRAPHY AND DATA SECURITY, FC 2021 (2021)

Abstract
In an electronic voting procedure, mixing networks are used to ensure anonymity of the cast votes. Each node of the network re-encrypts the input list of ciphertexts and randomly permutes it in a process named shuffle, and must prove (in zero-knowledge) that the process was applied honestly. To maintain security of such a process in a post-quantum scenario, new proofs are based on different mathematical assumptions, such as lattice-based problems. Nonetheless, the best lattice-based protocols to ensure verifiable shuffling have linear communication complexity in N, the number of shuffled ciphertexts. In this paper we propose the first sub-linear (in N) post-quantum zero-knowledge argument for the correctness of a shuffle, for which we have mainly used two ideas: arithmetic circuit satisfiability results from [6] and Benes networks to model a permutation of N elements. The achieved communication complexity of our protocol with respect to N is $O(\sqrt{N}\log^2(N))$, but we will also highlight its dependency on other important parameters of the underlying lattice ingredients.
Keywords
Electronic voting, Verifiable shuffle, Lattice-based cryptography, Zero-knowledge