Generic Plaintext Equality and Inequality Proofs

Abstract

Given two ciphertexts generated with a public-key encryption scheme, the problem of plaintext equality consists in determining whether the ciphertexts hold the same value. Similarly, the problem of plaintext inequality consists in deciding whether they hold a different value. Previous work has focused on building new schemes or extending existing ones to include support for plaintext equality/inequality. We propose generic and simple zero-knowledge proofs for both problems, which can be instantiated with various schemes. First, we consider the context where a prover with access to the secret key wants to convince a verifier, who has access to the ciphertexts, on the equality/inequality without revealing information about the plaintexts. We also consider the case where the prover knows the encryption’s randomness instead of the secret key. For plaintext equality, we also propose sigma protocols that lead to non-interactive zero-knowledge proofs. To prove our protocols’ security, we formalize notions related to malleability in the context of public-key encryption and provide definitions of their own interest.

A Instantiation

Based on the literature review, we found that ElGamal and Paillier were the most used schemes to implement plaintext equality/inequality proofs. For this reason, we present here examples of how to instantiate a subset of our protocols using these schemes

Let us first note that PKE schemes whose set of random coins and messages are cyclic groups \((\mathbb {G}_1,*)\) and \((\mathbb {G}_2,*)\) with identity elements \(e_1\) and \(e_2\) and which are homomorphic for \(*\) (i.e. \(\mathsf {Enc}(m,r)*\mathsf {Enc}(m',r')=\mathsf {Enc}(m*m',r*r')\)), are randomizable and message-randomizable. To randomize a ciphertext \(\mathsf {Enc}(m,r)\) with \(r'\) one can compute \(\mathsf {Enc}(m,r)*\mathsf {Enc}(e_1,r')=\mathsf {Enc}(m,r*r')\), and to randomize the plaintext with \(m'\) one can compute \(\mathsf {Enc}(m,r)*\mathsf {Enc}(m',e_2)=\mathsf {Enc}(m*m',r)\). We show that ElGamal and Pailler verify this property. Considering two ElGamal ciphertexts \((g^{r_1},\mathsf {pk}^{r_1}\cdot m_{1})\) and \((g^{r_2},\mathsf {pk}^{r_2} \cdot m_{2})\), we define the operation \(*\) as \((g^{r_1},\mathsf {pk}^r \cdot m_{1}) * (g^{r_2},\mathsf {pk}^r\cdot m_{2}) =(g^{r_1}\cdot g^{r_2},\mathsf {pk}^{r_1}\cdot m_{1}\cdot \mathsf {pk}^{r_2}\cdot m_{2}) =(g^{(r_1+r_2)},\mathsf {pk}^{(r_1+r_2)}\cdot ( m_1 \cdot m_{2}))\). Considering two Pailler ciphertexts \(((1+n)^{m_1}\cdot r_1^n \mod n^2)\) and \(((1+n)^{m_2}\cdot r_2^n \mod n^2)\), we define the operation \(*\) as \(((1+n)^{m_1}\cdot r_1^n \mod n^2)*((1+n)^{m_2}\cdot r_2^n \mod n^2) = ((1+n)^{m_1}\cdot r_1^n \cdot (1+n)^{m_2}\cdot r_2^n \mod n^2) = ((1+n)^{m_1}\cdot (1+n)^{m_2}\cdot r_1^n \cdot r_2^n \mod n^2) = ((1+n)^{(m_1+m_2)} \cdot (r_1 \cdot r_2)^n \mod n^2)\). It follows that ElGamal and Pailler can instantiate the protocols , and .