2

In some contexts (ZKP of the validity of a decryption key without revealing the message in public, section 3.3 of CAO21), one wants to emit a proof that the encryption of a message with a public key cryptosystem $Enc(m)$ satisfies some properties. Examples of such properties are "$m$ is a private key associated with a public key", "$m$ is the discrete logarithm associated with a known predefined value" or "$hash(m)$ is a known predefined value".

However I have trouble finding concrete verifiable encryption schemes.

A classical scheme for discrete logarithms was described in CAM03, but it relies on the strong RSA assumption, so it now requires quite large parameters. Another is Juggling from JUG20 and is implemented there. Juggling is more general as it allows transferring segments of the discrete logarithm but it is quite complicated (eg uses bulletproofs)

  • Are there reference implementations of CAM03?
  • Are there other, modern, possibly simpler methods, relative to discrete logarithms or to hash properties?
  • What is the "reference" algorithm for verifiable encryption in 2022? I suppose that some zero-knowledge proof schemes provide verifiable encryption but I am not sure which.
Labo
  • 131
  • 4

1 Answers1

1

The very simplest scheme I can think of is:

Bob sends a one-time uniformly random blinding factor scalar $b$ to Alice, and publicly announces the value $B=bG$.

Alice encrypts a scalar $m$ as $c=m+b\operatorname{mod}\ell$, where $\ell$ is the group size of the well-known base point $G$.

If $M$ is known, where $M=mG$, anyone can verify that $cG\overset{?}{=} M+B$ and that therefore Bob can decrypt $c$ since he knows the blinding factor $b$.

knaccc
  • 4,732
  • 1
  • 16
  • 30
  • 1
    Very nice. However this requires Bob to be honest about sending the correct values $(b, B)$. I edited the question to specify that $Enc$ should rely on a public key. – Labo Sep 02 '22 at 17:03
  • @Labo just in case it's not obvious: If Bob publicly declares he is expecting to receive the value $m$ from Alice using the blinding factor that generates $B$, Alice can immediately check if she was given the correct value of $b$ and abort the protocol if necessary. This leaves ambiguity as to whether Alice decided not to proceed or whether Alice refused to proceed due to an incorrect $b$ value. It's tough to design schemes like this and think laterally unless there is a specific practical scenario that is being designed for. – knaccc Sep 02 '22 at 17:24
  • I think we are in the standard scenario of verifiable encryption. In your scheme (which is very nice), you solved the need for Alice to be honest by requiring Bob to be honest. Unlike m which has value, b has no value because it is random but this protocol can still deadlock if Bob decides. CAM03 doesn't have this issue. – Labo Sep 02 '22 at 18:02
  • That being said, there is a possibility for Bob to prove a posteriori that he was honest. That is, if Alice refuses his pair $(b, B)$, he can publish $b$ along with the random seed he used to encrypt it. – Labo Sep 02 '22 at 18:07