My question is about verifiable encryption (Camenisch-Shoup). In the Paillier cryptosystem, a message $m$ is encrypted using a public key (composed of $N$ and $g$) and a random number $r$, resulting in a ciphertext $C = g^m \cdot r^N \pmod{N^2}$.
Alice, after applying Paillier encryption, has three values in her hand: the ciphertext $C$, the message $m$, and the random value $r$ (used during the generation of the ciphertext). Alice needs to prove that she knows the values of $m$ and $r$. She then generates a proof involving these $m$ and $r$. Alice computes the commitment $(c_1, c_2)$ of the message $m$ and random value $r$. Next, Alice generates the Schnorr signatures $s_1$ and $s_2$ for the corresponding commitment $(c_1, c_2)$.
Bob verifies these, but a separate zero-knowledge proof is required that will establish the fact that the selected public key is used for encryption.
Can you explain to me with an appropriate mathematical expression, how to generate this zero-knowledge proof that will establish the fact that the selected public key is used for encryption?
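
The Paillier setup described in the question, as an added example that is not part of the original post: a Schnorr-style sigma protocol (made non-interactive with Fiat-Shamir) proving knowledge of $m$ and $r$ with $C = g^m \cdot r^N \pmod{N^2}$. It is not the Camenisch-Shoup construction itself; the toy key, $g = N + 1$, the 32-bit challenge and all function names are assumptions made here. The verification equation is evaluated under $(N, g)$, and both are hashed into the challenge.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy key (two Mersenne primes); far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q
N2 = N * N
G = N + 1      # assumed choice of g; the protocol below works for any valid g
E_BITS = 32    # challenge must stay below the smallest prime factor of N

def rand_unit():
    """Random element of Z_N^*."""
    while True:
        x = secrets.randbelow(N - 1) + 1
        if gcd(x, N) == 1:
            return x

def encrypt(m, r):
    """C = g^m * r^N mod N^2."""
    return pow(G, m, N2) * pow(r, N, N2) % N2

def challenge(C, A):
    # Fiat-Shamir: hash the public key (N, g), the ciphertext and the commitment.
    data = "|".join(str(v) for v in (N, G, C, A)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - E_BITS)

def prove(m, r, C):
    a, b = secrets.randbelow(N), rand_unit()
    A = pow(G, a, N2) * pow(b, N, N2) % N2        # commitment, same shape as C
    e = challenge(C, A)
    t, z1 = divmod(a + e * m, N)                  # z1 = (a + e*m) mod N, t = carry
    z2 = b * pow(r, e, N2) * pow(G, t, N2) % N2   # carry folded into the N-th-power part
    return A, z1, z2

def verify(C, proof):
    A, z1, z2 = proof
    if not (0 <= z1 < N and 0 < z2 < N2 and gcd(z2, N) == 1 and gcd(C, N) == 1):
        return False
    e = challenge(C, A)
    # Accept iff g^z1 * z2^N == A * C^e (mod N^2).
    return pow(G, z1, N2) * pow(z2, N, N2) % N2 == A * pow(C, e, N2) % N2
```
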