Is there a way to prove/verify that an exponential ElGamal ciphertext of a message representative $\widetilde{m}=mG$ is well-formed, meaning that $r_1 = r_2$ in:
$$C = (R, S) = (r_1G, \widetilde m + r_2Y)$$
with $Y = xG$.
Asked
Active
Viewed 113 times
3
-
What is the worry of this question? Because of the encryptor chooses $r_1\neq r_2$ they're just hurting themselves because they're actually encrypting a different unintended message. So is message modification on an existing ciphertext? – SEJPM Jan 15 '20 at 11:24
-
Basically I need to sum a bunch of ElGamal ciphertexts and decrypt the total. If one part is malicious he can bad form his ciphertext and invalidate the decryption. – Fiono Jan 15 '20 at 11:32
-
In that case he can also just create a sum using the wrong number. I think you need an entire structure for message integrity / authentication rather than a way to simply validate ciphertext. This leans more towards signatures and (Dare I say it? Bugger it, I'll say it!) blockchain technologies, if you ask me. – Maarten Bodewes Jan 17 '20 at 16:00
-
That is not exponential ElGamal. It is the normal ElGamal with additive notation. Which fairly misleading, since that is it actually what people think of as "addition (of integers or similar)". – tylo Jan 17 '20 at 16:11
-
1@tylo: my reading of both the original and current question is that it is expoential ElGamal, only in a group noted additively rather than multiplicatively as there. – fgrieu Jan 17 '20 at 16:16