Abstract
Given two ciphertexts generated with a public-key encryption scheme, the problem of plaintext equality consists in determining whether the ciphertexts hold the same value. Similarly, the problem of plaintext inequality consists in deciding whether they hold a different value. Previous work has focused on building new schemes or extending existing ones to include support for plaintext equality/inequality. We propose generic and simple zero-knowledge proofs for both problems, which can be instantiated with various schemes. First, we consider the context where a prover with access to the secret key wants to convince a verifier, who has access to the ciphertexts, on the equality/inequality without revealing information about the plaintexts. We also consider the case where the prover knows the encryption’s randomness instead of the secret key. For plaintext equality, we also propose sigma protocols that lead to non-interactive zero-knowledge proofs. To prove our protocols’ security, we formalize notions related to malleability in the context of public-key encryption and provide definitions of their own interest.
Acknowledgements
We would like to thank Travis Mayberry for his useful suggestions and comments to improve this work. Olivier Blazy was supported by the French ANR Project IDFIX (ANR-16-CE39-004). The European Commission partially supported Octavio Perez Kempner’s work as part of the CUREX project (H2020-SC1-FA-DTS-2018-1 under grant agreement No 826404).
A Instantiation
Based on the literature review, we found that ElGamal and Paillier were the most used schemes to implement plaintext equality/inequality proofs. For this reason, we present here examples of how to instantiate a subset of our protocols using these schemes.
Let us first note that PKE schemes whose sets of messages and random coins are cyclic groups \((\mathbb {G}_1,*)\) and \((\mathbb {G}_2,*)\) with identity elements \(e_1\) and \(e_2\), and which are homomorphic for \(*\) (i.e. \(\mathsf {Enc}(m,r)*\mathsf {Enc}(m',r')=\mathsf {Enc}(m*m',r*r')\)), are randomizable and message-randomizable. To randomize a ciphertext \(\mathsf {Enc}(m,r)\) with \(r'\) one can compute \(\mathsf {Enc}(m,r)*\mathsf {Enc}(e_1,r')=\mathsf {Enc}(m,r*r')\), and to randomize the plaintext with \(m'\) one can compute \(\mathsf {Enc}(m,r)*\mathsf {Enc}(m',e_2)=\mathsf {Enc}(m*m',r)\). We show that ElGamal and Paillier satisfy this property.

Considering two ElGamal ciphertexts \((g^{r_1},\mathsf {pk}^{r_1}\cdot m_{1})\) and \((g^{r_2},\mathsf {pk}^{r_2} \cdot m_{2})\), we define the operation \(*\) as \((g^{r_1},\mathsf {pk}^{r_1} \cdot m_{1}) * (g^{r_2},\mathsf {pk}^{r_2}\cdot m_{2}) =(g^{r_1}\cdot g^{r_2},\mathsf {pk}^{r_1}\cdot m_{1}\cdot \mathsf {pk}^{r_2}\cdot m_{2}) =(g^{(r_1+r_2)},\mathsf {pk}^{(r_1+r_2)}\cdot ( m_1 \cdot m_{2}))\).

Considering two Paillier ciphertexts \(((1+n)^{m_1}\cdot r_1^n \mod n^2)\) and \(((1+n)^{m_2}\cdot r_2^n \mod n^2)\), we define the operation \(*\) as \(((1+n)^{m_1}\cdot r_1^n \mod n^2)*((1+n)^{m_2}\cdot r_2^n \mod n^2) = ((1+n)^{m_1}\cdot r_1^n \cdot (1+n)^{m_2}\cdot r_2^n \mod n^2) = ((1+n)^{m_1}\cdot (1+n)^{m_2}\cdot r_1^n \cdot r_2^n \mod n^2) = ((1+n)^{(m_1+m_2)} \cdot (r_1 \cdot r_2)^n \mod n^2)\).

It follows that ElGamal and Paillier can instantiate the protocols , and .
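The \(*\) operation above, worked on toy parameters as an added example (not the paper's own code): it checks the homomorphic identity for both schemes and uses it to re-randomize a ciphertext and to randomize its plaintext. The primes, generator and keys are constructed for illustration and are far too small for real use.

```python
# Added example (not from the paper): the "*" operation of Appendix A for
# ElGamal and Paillier on constructed toy parameters, used to re-randomize a
# ciphertext and to randomize its plaintext.
from math import lcm

# ElGamal in the order-Q subgroup of Z_P^*, with P = 2Q+1 and P, Q prime (toy sizes).
P, Q, G = 1019, 509, 4          # 4 = 2^2 is a square, so it generates the order-509 subgroup
SK = 123                        # constructed secret key
PK = pow(G, SK, P)

def eg_enc(m, r):               # Enc(m, r) = (g^r, pk^r * m)
    return (pow(G, r, P), pow(PK, r, P) * m % P)

def eg_dec(c):                  # m = c2 * c1^(-sk)
    return c[1] * pow(c[0], -SK, P) % P

def eg_mul(c, d):               # component-wise product: coins add, messages multiply
    return (c[0] * d[0] % P, c[1] * d[1] % P)

def eg_homomorphic(m1, r1, m2, r2):   # Enc(m1,r1)*Enc(m2,r2) == Enc(m1*m2, r1+r2)
    return eg_mul(eg_enc(m1, r1), eg_enc(m2, r2)) == eg_enc(m1 * m2 % P, (r1 + r2) % Q)

def eg_rerandomize(c, r2):      # Enc(m, r) * Enc(1, r') = Enc(m, r + r'); 1 is the message identity
    return eg_mul(c, eg_enc(1, r2))

def eg_randomize_message(c, m2):  # Enc(m, r) * Enc(m', 0) = Enc(m * m', r); 0 is the coin identity
    return eg_mul(c, eg_enc(m2, 0))

# Paillier with n = p*q (toy primes); messages live in Z_n (additive), coins in Z_n^*.
p_, q_ = 47, 59
N = p_ * q_
N2 = N * N
LAM = lcm(p_ - 1, q_ - 1)
MU = pow(LAM, -1, N)            # decryption constant, valid because the generator is 1+n

def pa_enc(m, r):               # Enc(m, r) = (1+n)^m * r^n mod n^2
    return pow(1 + N, m, N2) * pow(r, N, N2) % N2

def pa_dec(c):                  # L(c^lambda mod n^2) * mu mod n, with L(u) = (u-1)/n
    return (pow(c, LAM, N2) - 1) // N * MU % N

def pa_mul(c, d):               # product mod n^2: messages add, coins multiply
    return c * d % N2

def pa_homomorphic(m1, r1, m2, r2):   # Enc(m1,r1)*Enc(m2,r2) == Enc(m1+m2, r1*r2)
    return pa_mul(pa_enc(m1, r1), pa_enc(m2, r2)) == pa_enc((m1 + m2) % N, r1 * r2 % N)

def pa_rerandomize(c, r2):      # multiply by Enc(0, r'): same plaintext, fresh coins
    return pa_mul(c, pa_enc(0, r2))

def pa_randomize_message(c, m2):  # multiply by Enc(m', 1): plaintext shifts by m', coins unchanged
    return pa_mul(c, pa_enc(m2, 1))
```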
Copyright information
© 2021 International Financial Cryptography Association
About this paper
Cite this paper
Blazy, O., Bultel, X., Lafourcade, P., Kempner, O.P. (2021). Generic Plaintext Equality and Inequality Proofs. In: Borisov, N., Diaz, C. (eds) Financial Cryptography and Data Security. FC 2021. Lecture Notes in Computer Science, vol 12674. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-64322-8_20
DOI: https://doi.org/10.1007/978-3-662-64322-8_20
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-64321-1
Online ISBN: 978-3-662-64322-8