
I need help with building a Sigma protocol (or any other efficient protocol for proving knowledge) of a committed message encrypted with Elgamal (regular Elgamal, not its exponent variation).

I have a public key $pk$ and secret key $sk$ such that $g^{sk} = pk$ and $g$ is a public generator of the group $G$. The committed message to be encrypted is $m_1$ and $g, pk, m_1 \in G$. (The reason $m_1$ is a group element is that it's a public key in my use case.)

So how can I first commit to a message $m_1$, along with some other information, say $a$, and then later encrypt $m_1$ and prove that I have encrypted the same message that I earlier committed to? And can this commitment scheme be multi-message like Pedersen's (so the commitment can be to $m_1, m_2, \dots, m_n, a$)?
The public key $pk$ is not the verifier's but some third party's. The problem thus becomes one of "verifiable encryption", but the verifiable encryption schemes I see in the literature encrypt field elements, not group elements.

I can't use pairings.

What I tried:

Let's say I commit to $m_1$ as $Com(m_1, a) = V = m_1 \cdot h^a$ where $V \in G, a \in Z_p$ and $h \in G$ is a public generator of the group. Elgamal encryption of $m_1$ is $E = (E_0, E_1) = (g^r, pk^r \cdot m_1)$. Now $m_1 = V \cdot h^{-a}$; substituting it in $E_1$ gives $E_1 = pk^r \cdot V \cdot h^{-a}$, which can be proven using the folklore Sigma protocol.
But I don't think it's correct, as $V$ does not seem to be a valid commitment to $m_1$ (the committer can change $a$ to get an alternate $m_1'$).

lovesh

1 Answer

You want to prove, in zero knowledge, that a message m is:

  • Encrypted using ElGamal, and
  • Committed using a commitment scheme (e.g., Pedersen commitment),

and that the same m is used in both the encryption and the commitment, without revealing m or the randomness used.


Setup

Let G be a cyclic group of prime order q with generator g.

  • ElGamal public key: h = g^x, where x is the secret key.
  • Message: m ∈ Z_q

ElGamal Encryption

  • Choose random r ∈ Z_q.
  • Compute:
    • c1 = g^r
    • c2 = h^r * g^m

Pedersen Commitment

  • Choose random s ∈ Z_q.
  • Compute:
    • C = g^m * h^s

Goal

Prove that the same m is used in both the ElGamal ciphertext (c1, c2) and the Pedersen commitment C.

From the ElGamal ciphertext:

  • c2 / h^r = g^m

From the commitment:

  • C / h^s = g^m

So, we need to prove:

  • log_g (c2 / h^r) = log_g (C / h^s)

This reduces to a zero-knowledge proof of equality of discrete logarithms in the same group (without pairings).


Zero-Knowledge Proof of Equal Discrete Logs

Let:

  • A = c2 / h^r
  • B = C / h^s

We need to prove:

  • log_g A = log_g B

Interactive Protocol

  1. Prover chooses a random w ∈ Z_q and computes:

    • a1 = g^w
    • a2 = g^w
  2. Prover → Verifier: Sends (a1, a2) to the verifier.

  3. Verifier → Prover: Sends a random challenge c ∈ Z_q.

  4. Prover computes:

    • z = w + c * m
  5. Prover → Verifier: Sends z to the verifier.

  6. Verifier checks the following conditions:

    • g^z == a1 * A^c
    • g^z == a2 * B^c

If both checks pass, the verifier is convinced that log_g A = log_g B, meaning the same m was used in both the ElGamal encryption and the Pedersen commitment.


Non-Interactive Version (Fiat-Shamir)

To make this non-interactive, we can use the Fiat-Shamir heuristic, which replaces the challenge with a hash:

  • c = Hash(g, A, B, a1, a2)

The proof becomes the tuple (a1, a2, z). The verifier computes the challenge c from the hash and checks:

  • g^z == a1 * A^c
  • g^z == a2 * B^c

Conclusion

To prove that the same message is used in both an ElGamal encryption and a Pedersen commitment, we use a zero-knowledge proof of equality of discrete logarithms. This technique does not require pairings or special curves, and it works in any group where the discrete logarithm problem is hard.

This method is efficient, standard, and widely supported in cryptographic libraries.

Mike Edward Moras
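The equality-of-exponent proof described in this answer, carried out as a complete Fiat-Shamir Sigma protocol in the answer's exponent-ElGamal setting; this is example code added here, not the answerer's. The prover shows knowledge of all three exponents (m, r, s) at once, so the verifier needs only the public values (pk, ciphertext, commitment, proof). Assumed and constructed for illustration: a toy 64-bit Schnorr group built at import time, and a second Pedersen base K whose discrete log to G is taken to be unknown.

```python
import hashlib
import secrets

def is_prime(n):
    """Deterministic Miller-Rabin; this base set is exact for n < 3.3e24."""
    if n < 2:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if a % n == 0 or x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

# Toy Schnorr group constructed at import time (illustration only): the first
# 64-bit safe prime P = 2Q + 1; we work in the order-Q subgroup of squares mod P.
Q = next(q for q in range(2**63 + 1, 2**64, 2) if is_prime(q) and is_prime(2 * q + 1))
P = 2 * Q + 1
G, K = 4, 9  # two squares mod P, hence both of order Q; dlog_G(K) assumed unknown

def challenge(*elems):
    """Fiat-Shamir challenge over every public value and every first-move commitment."""
    return int.from_bytes(hashlib.sha256(str(elems).encode()).digest(), "big") % Q

def prove(h, m, r, s):
    """Encrypt m under pk h (exponent ElGamal), commit to m, and prove c1 = G^r,
    c2 = h^r G^m and com = G^m K^s share one m, revealing none of m, r, s."""
    c1, c2 = pow(G, r, P), pow(h, r, P) * pow(G, m, P) % P
    com = pow(G, m, P) * pow(K, s, P) % P
    wm, wr, ws = (secrets.randbelow(Q) for _ in range(3))    # blinding nonces
    t1, t2 = pow(G, wr, P), pow(h, wr, P) * pow(G, wm, P) % P  # mirror c1, c2 ...
    t3 = pow(G, wm, P) * pow(K, ws, P) % P                     # ... and com
    c = challenge(G, h, K, c1, c2, com, t1, t2, t3)
    z = ((wm + c * m) % Q, (wr + c * r) % Q, (ws + c * s) % Q)
    return (c1, c2), com, (t1, t2, t3, z)

def verify(h, ct, com, proof):
    """Recompute the challenge and check all three relations; needs no secrets."""
    (c1, c2), (t1, t2, t3, (zm, zr, zs)) = ct, proof
    c = challenge(G, h, K, c1, c2, com, t1, t2, t3)
    return (pow(G, zr, P) == t1 * pow(c1, c, P) % P
            and pow(h, zr, P) * pow(G, zm, P) % P == t2 * pow(c2, c, P) % P
            and pow(G, zm, P) * pow(K, zs, P) % P == t3 * pow(com, c, P) % P)
```

Swapping the commitment or the ciphertext for one of a different message makes the corresponding check fail, because the responses z tie both to the same m.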