6

Problem

Alice has an array of random EC points $P_{1},...,P_{n}$ (their logarithms are known neither to Alice nor to Bob). She sends them to Bob. Bob multiplies them all by a secret number $x$, shuffles them and sends the resulting array $Q_{1},...,Q_{n}$ back to Alice. Bob wants to prove that all the points were multiplied by the same number without revealing the number itself and without revealing the mapping $P_{i} \to Q_{j}$.

Let's assume there is a (type 3) EC pairing $e: G_{1} \times G_{2} \to G_{T}$ and the points $P_{i}$ belong to $G_{1}$. Generator points in the groups are $G_{1}$ and $G_{2}$.

First attempt

Bob can send a commitment $[xG_{2}]$ to Alice. But with that Alice could easily determine the shuffling: if $Q_{j}=xP_{i}$ then $e(Q_{j},G_{2})=e(P_{i},[xG_{2}])$.

Second attempt

Instead of sending $[xG_{2}]$, Bob generates a random blinding number $z$ and sends three values to Alice: $[z^{-1}\sum_{}P_{i}]$, $[zxG_{2}]$ and $[z^{-1}G_{2}]$.

Alice checks if $e(\sum_{}P_{i}, [z^{-1}G_{2}]) = e([z^{-1}\sum_{}P_{i}], G_{2})$ and $e([z^{-1}\sum_{}P_{i}], [zxG_{2}]) = e(\sum_{}Q_{i}, G_{2})$ to validate that all points are multiplied by the same number. But I believe she won't know about the ordering of the encrypted points.

Questions

  1. Can Bob somehow deceive by multiplying the points by different numbers?
  2. Can Alice determine the permutation in the $Q_{1},...,Q_{n}$ array?
  3. Is there any different/simpler algorithm for the above problem?

Update:

Bob can modify the input array, e.g. by replacing $P_{1} \to P_{1}+R$ and $P_{2} \to P_{2}-R$ with some $R$, random or dependent on the input point set (like $R=42P_{1}$ or $R=7\sum_{}P_{i}$). The sums $\sum_{}P_{i}$ and $\sum_{}Q_{i}$ would stay the same and Alice won't recognize that the results are incorrect. I wonder if it is possible to make a simple proof that $Q_{1},...,Q_{n}$ is a permutation of $xP_{1},...,xP_{n}$.


Third attempt

Alice can generate a random value $h$, then multiply the points by that number: $[hP_{1},...,hP_{n}]=[H_{1},...,H_{n}]$, shuffle (!) them and send the array along with the points $[P_{1},...,P_{n}]$.

Bob multiplies the points in both arrays by $x$:

$[xP_{1},...,xP_{n}]=[Q_{1},...,Q_{n}]$

$[xH_{1},...,xH_{n}]=[S_{1},...,S_{n}]$

Then he shuffles them and sends them back to Alice.

Alice multiplies the $S$ values by $h^{-1}$: $[h^{-1}S_{1},...,h^{-1}S_{n}]$ and the array should contain the same elements (permuted) as $Q_{1},...,Q_{n}$.

To cheat, Bob needs to guess the mapping $P_{i} \to H_{j}$, and that probability falls with bigger $n$. For example, if Bob wants to corrupt $Q_{3}$ he should know the position of $hP_{3}$ in the shuffled $H$-array. And if we use the commitments from the Second attempt, he is able to modify no fewer than 2 points (because the sums shouldn't be changed) and the probability is $\frac{1}{n(n-1)}$.

Questions for the Third attempt

  • Is it possible to lower that probability without requiring a bigger number of points?
  • Is it possible to avoid the requirement of knowing any secret numbers like $h$ for the verification process, so Bob would be able to send $[P_{1},...,P_{n}]$, $[Q_{1},...,Q_{n}]$ and some commitments to a third party and the third party would be able to verify whether $Q_{1},...,Q_{n}$ is a permutation of $xP_{1},...,xP_{n}$ with some factor $x$ (unknown to anyone except Bob)?
artelk
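The Update's sum-preserving substitution and the Third attempt's check, as an added example that is not part of the original post. It assumes a stand-in group, $\mathbb{Z}_p^*$ with $p = 2^{127}-1$ written multiplicatively (so $P+R$ becomes `P * R` and $xP$ becomes `pow(P, x, p)`), and checks the sum relation $\sum Q_i = x\sum P_i$ directly with $x$ because the stand-in has no pairing; all function names are hypothetical.

```python
# Added illustration. Stand-in group: Z_p^* with p = 2^127 - 1 (assumption, not
# the page's pairing-friendly curve). "Point addition" is modular multiplication.
import secrets
from math import gcd, prod

P_MOD = 2**127 - 1            # Mersenne prime
ORDER = P_MOD - 1             # group order; scalars are taken invertible mod this

def rand_scalar():
    """Random exponent that is invertible modulo the group order."""
    while True:
        k = secrets.randbelow(ORDER - 2) + 2
        if gcd(k, ORDER) == 1:
            return k

def rand_elem():
    return secrets.randbelow(P_MOD - 3) + 2          # element in [2, p-2]

def bob_multiply(points, x, tamper=False):
    """Bob's step: multiply by x and shuffle; tamper applies the Update's trick."""
    pts = list(points)
    if tamper:
        r = rand_elem()
        pts[0] = pts[0] * r % P_MOD                   # P1 -> P1 + R
        pts[1] = pts[1] * pow(r, -1, P_MOD) % P_MOD   # P2 -> P2 - R
    out = [pow(p, x, P_MOD) for p in pts]
    secrets.SystemRandom().shuffle(out)
    return out

def sum_relation_holds(points, q, x):
    """Relation the Second attempt's pairing equations establish: sum Q = x * sum P."""
    return prod(q) % P_MOD == pow(prod(points) % P_MOD, x, P_MOD)

def third_attempt_check(q, s, h):
    """Alice unblinds S with h^-1 and compares it with Q as a multiset."""
    h_inv = pow(h, -1, ORDER)
    return sorted(pow(v, h_inv, P_MOD) for v in s) == sorted(q)

def run(n=6, tamper=False):
    points = [rand_elem() for _ in range(n)]
    h, x = rand_scalar(), rand_scalar()
    blinded = [pow(p, h, P_MOD) for p in points]      # H_i = h * P_i
    secrets.SystemRandom().shuffle(blinded)           # Alice shuffles the H array
    q = bob_multiply(points, x, tamper)               # tampering touches Q only
    s = bob_multiply(blinded, x)                      # S is computed honestly
    return sum_relation_holds(points, q, x), third_attempt_check(q, s, h)
```

`run(tamper=True)` returns `(True, False)`: the sum relation still holds for the modified array, while the unblinded $S$ array no longer matches $Q$.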

1 Answer

4

There is no solution to the problem as originally stated, with

Alice has an array of random EC points $P_1,\ldots,P_n$ (their logarithms are not known to Bob). She sends them to Bob. Bob multiplies them all by a secret number $x$, shuffles them and sends the resulting array $Q_1,\ldots,Q_n$ back to Alice. Bob wants (…) not reveal the mapping $P_{i} \to Q_{j}$.

Argument: Alice can generate the points $P_i$ so that $P_i=[u_i]G$ for some generator $G$ and some random $u_i$ known to Alice. Whatever the $x$ and shuffling used by Bob, if $P_a$ maps to $Q_{a'}$ and $P_b$ maps to $Q_{b'}$, it will hold $[u_b]Q_{a'}=[u_a]Q_{b'}$. This test is highly selective, and will let Alice find the mapping $P_{i} \to Q_{j}$ with $n^2$ point multiplications and a little matching (and a partial mapping with much less work).

That argument falls apart if the points are generated such that Alice does not know their logarithms. E.g. for a standard curve secp384r1, Alice might disclose bitstrings $B_i$ such that $\operatorname{SHA-384}(B_i)$ is the X coordinate of a point $P_i$ of the curve, and the parity of the Y coordinate of $P_i$ matches the first bit of $B_i$. This effectively discloses the $P_i$. On top of that this saves communication as the $B_i$ can be relatively small.

Note: it is not enough that the EC points $P_i$ are random and that their logarithms are not known to the parties. The problem is that the above applies if the point $P_1$ is random (thus of unknown logarithm) and for others $P_i=[u_i]G$ with the $u_i$ random and known to Alice (thus also of unknown logarithm to base $G$). A correct statement is: independent random points $P_1,\ldots,P_n$ are made public.

fgrieu