3

Given $v \in Z$, a prover knows $v$ and the verifier knows an encryption of $v$.

The prover provides the verifier with the encryptions of two values $m$ and $n$.

How can the verifier verify that $m+n=v$?

I cannot find any scheme/algorithm in the literature I have searched, other than range proofs, and I am looking for pointers.

To illustrate, here is a naive (and wrong) approach to the problem.

Assuming a generator $g$ in a group of order $p$, co-primes.

The verifier knows $g^v$, the prover can provide $g^m$ and $g^n$. The verifier then verifies that $g^mg^n=g^{m+n}=g^v \pmod p$.

However, if the prover provides $m'$ and $n'$ such that $m'+n'=m+n+k(p-1), k \in Z^*$, then the equation above verifies although $m'+n'> v$.

(according to Fermat's little theorem, $g^{k(p-1)}=(g^{p-1})^k \equiv 1 \pmod p$)

BGR

1 Answer

5

For this, it suffices to use additively homomorphic encryption. There are two possibilities for this: Paillier and ElGamal in the exponent.

For Paillier, given an encryption of $v$, $m$ and $n$, one can compute an encryption of zero by $v - m - n$. In the Damgard-Jurik paper, there is a very efficient zero-knowledge proof for proving that a ciphertext is an encryption of 0. So, this solves your problem.

For ElGamal, typical encryption is $(g^r,h^r\cdot m)$ where $h$ is the public-key. This is not additively homomorphic. However, you can change this to $(g^r,h^r\cdot g^m)$ and now you can add and subtract ciphertexts. With the same method as above, one can compute $v-m-n$ inside the ciphertext and then get an encryption of 0 which is just $(g^r,h^r)$. This implies that $(g,h,g^r,h^r)$ is a Diffie-Hellman tuple and this can be easily proved using known techniques for Sigma protocols. Note that this scheme is not efficiently decryptable, since decrypting only gives $g^m$ and you need to solve the discrete log problem to find $m$. Thus, if $m$ is from a small range, you can do this. Otherwise you cannot. However, it is an additively homomorphic commitment scheme, which may suffice for your application.

Yehuda Lindell
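The ElGamal-in-the-exponent variant from the answer above, worked through as an added example (not code from the answer or from any library). Assumptions: a toy group constructed for illustration, a prover who knows the randomness of all three ciphertexts, a Chaum-Pedersen Sigma protocol made non-interactive with Fiat-Shamir over SHA-256, and hypothetical function names.

```python
import hashlib
import secrets

# Toy group constructed for illustration (far too small for real use):
# p = 2q + 1 with p and q prime; g = 4 generates the subgroup of order q.
P, Q, G = 2039, 1019, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)                      # (secret key, public key h)

def encrypt(h, m, r):
    """ElGamal in the exponent: (g^r, h^r * g^m)."""
    return pow(G, r, P), pow(h, r, P) * pow(G, m, P) % P

def difference(cv, cm, cn):
    """Componentwise Cv / (Cm * Cn): a ciphertext of v - m - n."""
    return tuple(cv[i] * pow(cm[i] * cn[i], -1, P) % P for i in range(2))

def challenge(h, d, a, b):
    """Fiat-Shamir challenge bound to the statement and the commitments."""
    data = ",".join(map(str, (P, Q, G, h, *d, a, b))).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def prove_zero(h, d, r):
    """Prove d = (g^r, h^r), i.e. (g, h, d[0], d[1]) is a Diffie-Hellman tuple."""
    w = secrets.randbelow(Q)
    a, b = pow(G, w, P), pow(h, w, P)
    return a, b, (w + challenge(h, d, a, b) * r) % Q

def verify_zero(h, d, proof):
    """Accept iff g^z = a * d0^e and h^z = b * d1^e."""
    a, b, z = proof
    e = challenge(h, d, a, b)
    return (pow(G, z, P) == a * pow(d[0], e, P) % P
            and pow(h, z, P) == b * pow(d[1], e, P) % P)

if __name__ == "__main__":
    _, h = keygen()
    rv, rm, rn = (secrets.randbelow(Q) for _ in range(3))
    cv, cm, cn = encrypt(h, 100, rv), encrypt(h, 40, rm), encrypt(h, 60, rn)
    d = difference(cv, cm, cn)                  # the verifier computes this alone
    proof = prove_zero(h, d, (rv - rm - rn) % Q)  # the prover knows the randomness
    print(verify_zero(h, d, proof))
```

The proof establishes $m+n \equiv v$ modulo the group order $q$ (1019 in this toy group), so bounding $m$ and $n$ to rule out wrap-around still needs a range proof.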