`import "go.dedis.ch/kyber/shuffle"`

Package shuffle implements Andrew Neff's verifiable shuffle proof scheme. Neff's shuffle proof algorithm as implemented here is described in the paper "Verifiable Mixing (Shuffling) of ElGamal Pairs", April 2004.

The PairShuffle type implements the general algorithm to prove the correctness of a shuffle of arbitrary ElGamal pairs. This will be the primary API of interest for most applications. For basic usage, the caller should first instantiate a PairShuffle object, then invoke PairShuffle.Init() to initialize the shuffle parameters, and finally invoke PairShuffle.Shuffle() to shuffle a list of ElGamal pairs, yielding a list of re-randomized pairs and a noninteractive proof of its correctness.

The SimpleShuffle type implements Neff's more restrictive "simple shuffle", which requires the prover to know the discrete logarithms of all the individual ElGamal ciphertexts involved in the shuffle. The general PairShuffle builds on this SimpleShuffle scheme, but SimpleShuffle may also be used by itself in situations that satisfy its assumptions, and is more efficient.

- func Biffle(suite Suite, G, H kyber.Point, X, Y [2]kyber.Point, rand cipher.Stream) ( Xbar, Ybar [2]kyber.Point, prover proof.Prover)
- func BiffleVerifier(suite Suite, G, H kyber.Point, X, Y, Xbar, Ybar [2]kyber.Point) ( verifier proof.Verifier)
- func Shuffle(group kyber.Group, g, h kyber.Point, X, Y []kyber.Point, rand cipher.Stream) (XX, YY []kyber.Point, P proof.Prover)
- func Verifier(group kyber.Group, g, h kyber.Point, X, Y, Xbar, Ybar []kyber.Point) proof.Verifier
- type PairShuffle
- func (ps *PairShuffle) Init(grp kyber.Group, k int) *PairShuffle
- func (ps *PairShuffle) Prove( pi []int, g, h kyber.Point, beta []kyber.Scalar, X, Y []kyber.Point, rand cipher.Stream, ctx proof.ProverContext) error
- func (ps *PairShuffle) Verify( g, h kyber.Point, X, Y, Xbar, Ybar []kyber.Point, ctx proof.VerifierContext) error
- type SimpleShuffle
- func (ss *SimpleShuffle) Init(grp kyber.Group, k int) *SimpleShuffle
- func (ss *SimpleShuffle) Prove(G kyber.Point, gamma kyber.Scalar, x, y []kyber.Scalar, rand cipher.Stream, ctx proof.ProverContext) error
- func (ss *SimpleShuffle) Verify(G, Gamma kyber.Point, ctx proof.VerifierContext) error
- type Suite

❖

func Biffle(suite Suite, G, H kyber.Point, X, Y [2]kyber.Point, rand cipher.Stream) ( Xbar, Ybar [2]kyber.Point, prover proof.Prover)

Biffle is a binary shuffle ("biffle") for 2 ciphertexts based on general ZKPs.

❖

func BiffleVerifier(suite Suite, G, H kyber.Point, X, Y, Xbar, Ybar [2]kyber.Point) ( verifier proof.Verifier)

BiffleVerifier returns a verifier of the biffle

❖

func Shuffle(group kyber.Group, g, h kyber.Point, X, Y []kyber.Point, rand cipher.Stream) (XX, YY []kyber.Point, P proof.Prover)

Shuffle randomly shuffles and re-randomizes a set of ElGamal pairs, producing a correctness proof in the process. Returns (Xbar,Ybar), the shuffled and randomized pairs. If g or h is nil, the standard base point is used.

Verifier produces a Sigma-protocol verifier to check the correctness of a shuffle.

❖

```
type PairShuffle struct {
// contains filtered or unexported fields
}
```

PairShuffle creates a proof of the correctness of a shuffle of a series of ElGamal pairs.

The caller must first invoke Init() to establish the cryptographic parameters for the shuffle: in particular, the relevant cryptographic Group, and the number of ElGamal pairs to be shuffled.

The caller then may either perform its own shuffle, according to a permutation of the caller's choosing, and invoke Prove() to create a proof of its correctness; or alternatively the caller may simply invoke Shuffle() to pick a random permutation, compute the shuffle, and compute the correctness proof.

❖

func (ps *PairShuffle) Init(grp kyber.Group, k int) *PairShuffle

Init creates a new PairShuffleProof instance for a k-element ElGamal pair shuffle. This protocol follows the ElGamal Pair Shuffle defined in section 4 of Andrew Neff, "Verifiable Mixing (Shuffling) of ElGamal Pairs", 2004.

❖

func (ps *PairShuffle) Prove( pi []int, g, h kyber.Point, beta []kyber.Scalar, X, Y []kyber.Point, rand cipher.Stream, ctx proof.ProverContext) error

Prove returns an error if the shuffle is not correct.

❖

func (ps *PairShuffle) Verify( g, h kyber.Point, X, Y, Xbar, Ybar []kyber.Point, ctx proof.VerifierContext) error

Verify ElGamal Pair Shuffle proofs.

❖

```
type SimpleShuffle struct {
// contains filtered or unexported fields
}
```

SimpleShuffle is the "Simple k-shuffle" defined in section 3 of Neff, "Verifiable Mixing (Shuffling) of ElGamal Pairs", 2004.

❖

func (ss *SimpleShuffle) Init(grp kyber.Group, k int) *SimpleShuffle

Init initializes the simple shuffle with the given group and the k parameter from the paper.

❖

func (ss *SimpleShuffle) Prove(G kyber.Point, gamma kyber.Scalar, x, y []kyber.Scalar, rand cipher.Stream, ctx proof.ProverContext) error

Prove the "Simple k-shuffle" defined in section 3 of Neff, "Verifiable Mixing (Shuffling) of ElGamal Pairs", 2004. The Scalar vector y must be a permutation of Scalar vector x but with all elements multiplied by common Scalar gamma.

❖

func (ss *SimpleShuffle) Verify(G, Gamma kyber.Point, ctx proof.VerifierContext) error

Verify for Neff simple k-shuffle proofs.

Suite wraps the functionalities needed by the shuffle/ package. These are the same functionatlities needed by the proof/ package.

Package shuffle imports 6 packages (graph). Updated 2019-11-20. Refresh now. Tools for package owners.