Alice creates ordered set of $N$ public messages $(m_1,...,m_N)$ and sequentially sends them to Bob. Bob evaluates $N$ functions $E_i(m_1,...,m_N)$ (possibly using a secret random value $r$ and/or his own private key $d_B$) and makes $N$ resulting values publicly available, but uses a secret permutation $P(i)$ before publishing. In other words, he publishes $E_{P(i)}$. Is it possible to construct such functions $E_i(.)$, so that
- Anyone can verify that Bob's published values $(E_{P(1)},..,Е_{P(N)})$ indeed correspond to the messages $(m_1,...,m_N)$
- It's hard come up with an alternative set of messages $(m^\prime_i)_{i\in[N]}\ne (m_i)_{i\in[N]}$ which would yield the values $(E_{P(i)})_{i\in[N]}$
- The public information ($(m_i)_{i\in[N]}$, $(E_{P(i)})_{i\in[N]}$, $e_B$) leaks no information on the secret premutation $P(i)$
