I need a cryptosystem that is additively homomorphic. Paillier preferably, but not necessarily.
Also, for every ciphertext the private key holder must be able to prove non-interactively that the plaintext was non-negative.
In Paillier it is rather simple to prove that the ciphertext is equal to the plaintext. The encrypting party must simply reveal the random salt. Now I need to prove that the plaintext is non-negative without revealing it.
Let's say the most significant bit of the plaintext denotes the sign.
My first flawed idea: The verifier takes the ciphertext. Let's say the plaintext had at most N bits. The verifier homomorphically adds 1, then floor-divides by 2, then adds 1, then floor-divides by 2, ... and so on. After N cycles positive numbers will yield 1 while negative 0. The prover now has to prove that the resulting number is 0 or 1, which can be done by revealing salt. The whole procedure is deterministic (given the salt for encrypting 1s was deterministic), that means the prover may calculate the encrypted form of 0 or 1 in advance. The resulting salt would only need to be attached to the ciphertext as certificate. The flaw is of course that the verifier cannot floor-divide by 2, as this requires calculating a square root modulo n=pq, where p and q are unknown.
My second flawed idea: It's the prover who does the square root. He can do it, as he has the key. The certificate would consist of the series of N numbers, each equal to the square root of the previous multiplied by encrypted 1. At the end, we get 0 or 1 and we reveal the salt. The flaw is that only even numbers' encryptions can be squared. For odd numbers we would need to publish two numbers whose plaintexts differ by 1. This obviously reveals every bit of the plaintext in every step, so it's bad.
Are there any cryptosystems that can do it?
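The "reveal the salt" step the question relies on, as an added example that is not part of the original post: the key holder recovers the salt of a homomorphically derived ciphertext and a verifier checks the opening by re-encrypting. It assumes textbook Paillier with g = n + 1 and toy primes; all function names are hypothetical, and an opening reveals the plaintext, so this is not a range proof.

```python
import math

# Toy primes, constructed for illustration only (real moduli are >= 2048 bits).
P, Q = 1009, 1013
N = P * Q
N2 = N * N
PHI = (P - 1) * (Q - 1)  # private: known only to the key holder

def encrypt(m, r):
    """Paillier with g = n + 1 (assumed): c = (1 + n)^m * r^n mod n^2."""
    assert math.gcd(r, N) == 1
    return (pow(1 + N, m % N, N2) * pow(r, N, N2)) % N2

def decrypt(c):
    """m = L(c^phi mod n^2) * phi^-1 mod n, with L(x) = (x - 1) // n."""
    return ((pow(c, PHI, N2) - 1) // N) * pow(PHI, -1, N) % N

def add(c1, c2):
    """Homomorphic addition: multiplying ciphertexts adds plaintexts."""
    return (c1 * c2) % N2

def recover_salt(c):
    """Key holder only: c = r^n (mod n), so r = (c mod n)^(n^-1 mod phi) mod n."""
    return pow(c % N, pow(N, -1, PHI), N)

def verify_opening(c, m, r):
    """Anyone: accept (m, r) as an opening of c iff re-encryption reproduces c."""
    return 0 < r < N and math.gcd(r, N) == 1 and encrypt(m, r) == c

if __name__ == "__main__":
    c = encrypt(5, 123457)             # constructed sample plaintext and salt
    one = encrypt(1, 1)                # deterministic salt, as in the question
    derived = add(c, one)              # verifier can compute this unaided
    salt = recover_salt(derived)       # prover derives the certificate
    print(decrypt(derived), salt, verify_opening(derived, 6, salt))
```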