In some contexts (ZKP of the validity of a decryption key without revealing the message in public, section 3.3 of CAO21), one wants to emit a proof that the encryption of a message with a public key cryptosystem $Enc(m)$ satisfies some properties. Examples of such properties are "$m$ is a private key associated with a public key", "$m$ is the discrete logarithm associated with a known predefined value" or "$hash(m)$ is a known predefined value".

However, I have trouble finding concrete verifiable encryption schemes.

A classical scheme for discrete logarithms was described in CAM03, but it relies on the strong RSA assumption, so it now requires quite large parameters. Another is Juggling from JUG20 and is implemented there. Juggling is more general as it allows transferring segments of the discrete logarithm, but it is quite complicated (e.g. it uses bulletproofs).

  • Are there reference implementations of CAM03?
  • Are there other, modern, possibly simpler methods, relative to discrete logarithms or to hash properties?
  • What is the "reference" algorithm for verifiable encryption in 2022? I suppose that some zero-knowledge proof schemes provide verifiable encryption but I am not sure which.
Labo

1 Answer

The very simplest scheme I can think of is:

Bob sends a one-time uniformly random blinding factor scalar $b$ to Alice, and publicly announces the value $B=bG$.

Alice encrypts a scalar $m$ as $c=m+b\operatorname{mod}\ell$, where $\ell$ is the group size of the well-known base point $G$.

If $M$ is known, where $M=mG$, anyone can verify that $cG\overset{?}{=} M+B$ and that therefore Bob can decrypt $c$ since he knows the blinding factor $b$.

knaccc
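The blinding-factor scheme in the answer above, as an added, runnable example (this is not code from the answer or from any of the cited papers). The answer writes the group additively ($B = bG$, $cG = M + B$); this example instantiates it in the multiplicative subgroup of prime order $q$ inside $\mathbb{Z}_p^*$ with $p = 2q+1$ a safe prime, so "$xG$" becomes `pow(g, x, p)` and "$M + B$" becomes `(M * B) % p`. The group parameters are generated on the fly at a toy size, and the function names (`bob_setup`, `alice_encrypt`, `verify`, `bob_decrypt`) are this example's own.

```python
"""
Toy instance of the one-time-blinding verifiable encryption from the answer.

Group: order-q subgroup of Z_p^*, p = 2q + 1 (safe prime), generator g.
  Bob:      picks one-time random b, sends b to Alice privately, publishes B = g^b
  Alice:    encrypts scalar m as c = m + b (mod q)
  Verifier: given public M = g^m and B, checks g^c == M * B (mod p)
  Bob:      decrypts m = c - b (mod q)
Parameter size is a constructed toy value; not a production setting.
"""
import secrets

TOY_BITS = 64  # assumption: small group so the demo runs instantly


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test (enough for a demo)."""
    if n < 2:
        return False
    for s in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_group(bits=TOY_BITS):
    """Return (p, q, g): safe prime p = 2q + 1 and a generator g of the order-q subgroup."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # odd, full bit length
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            p = 2 * q + 1
            break
    # Every quadratic residue other than 1 has order q in this group.
    while True:
        g = pow(secrets.randbelow(p - 2) + 2, 2, p)
        if g != 1:
            return p, q, g


def bob_setup(p, q, g):
    """Bob's one-time blinding scalar b (secret, sent to Alice) and public B = g^b."""
    b = secrets.randbelow(q - 1) + 1
    return b, pow(g, b, p)


def alice_encrypt(m, b, q):
    """Alice's ciphertext c = m + b mod q; leaks nothing about m for a fresh random b."""
    return (m + b) % q


def verify(c, M, B, p, g):
    """Public check that c encrypts the discrete log of M under Bob's blinding B."""
    return pow(g, c, p) == (M * B) % p


def bob_decrypt(c, b, q):
    """Bob recovers m since he knows b."""
    return (c - b) % q


def run_protocol(m=None, bits=TOY_BITS):
    """Full round trip; returns the values a practitioner would want to inspect."""
    p, q, g = generate_group(bits)
    if m is None:
        m = secrets.randbelow(q - 1) + 1         # Alice's secret scalar
    M = pow(g, m, p)                             # public commitment M = g^m
    b, B = bob_setup(p, q, g)
    c = alice_encrypt(m, b, q)
    return {
        "p": p, "q": q, "g": g, "m": m, "M": M, "b": b, "B": B, "c": c,
        "verified": verify(c, M, B, p, g),
        "decrypted": bob_decrypt(c, b, q),
        # A tampered ciphertext must fail the public check.
        "tampered_verified": verify((c + 1) % q, M, B, p, g),
    }


if __name__ == "__main__":
    out = run_protocol()
    print("verified:", out["verified"], "| decrypted == m:", out["decrypted"] == out["m"],
          "| tampered verified:", out["tampered_verified"])
```

The check `g^c == M * B` is exactly the answer's $cG \overset{?}{=} M + B$ written multiplicatively; it convinces anyone who already holds $M$ that Bob can recover the discrete logarithm of $M$ from $c$, while a single use of $b$ is what keeps $c$ from revealing $m$ (reusing $b$ for two messages leaks their difference).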