4.3 Efficient instantiations
4.3.2 The class E of encryption schemes
Definition 4.3. E is the set of encryption schemes Γ, obtained from the KEM/DEM paradigm, that have the following properties:
1. The message space is a group M = (G, ∗) and the ciphertext space C is a set equipped with a binary operation ◦e.
2. Let m ∈ M be a message and c its encryption with respect to a key pk. On the common input m, c, and pk, there exists an efficient zero-knowledge proof of m being the decryption of c with respect to pk. The private input of the prover is either the private key sk corresponding to pk, or the randomness used to encrypt m in c (the randomness which is input to the KEM encapsulation algorithm).
3. ∀m, m′ ∈ M, ∀pk : Γ.encrypt_pk(m ∗ m′) = Γ.encrypt_pk(m) ◦e Γ.encrypt_pk(m′). Moreover, given the randomness used to encrypt m in Γ.encrypt_pk(m) and m′ in Γ.encrypt_pk(m′), one can deduce (using only the public parameters) the randomness used to encrypt m ∗ m′ in Γ.encrypt_pk(m) ◦e Γ.encrypt_pk(m′).
Examples of encryption schemes in the above class are:
ELGAMAL [El Gamal, 1985]: ElGamal's encryption is a KEM/DEM-based encryption scheme. It operates in a group (G, ·) = ⟨g⟩, and is given by the KEM key pair (sk = x, pk = y = g^x). To encrypt a message m ∈ G, one first fixes a key y^r together with its encapsulation g^r, then encrypts m by simply computing the product m · y^r. The ciphertext consists of the pair (g^r, m·y^r). To decrypt a ciphertext (c, e), one first decapsulates c to obtain the key k = c^x, then retrieves m = e·k^{−1}.
Let ◦e, the binary operation defined on G × G, be the term-wise product:
∀a, b, c, d ∈ G : (a, b) ◦e (c, d) = (ac, bd).
ElGamal's encryption is clearly homomorphic since
encrypt(m) ◦e encrypt(m′) = (g^r, m·y^r) ◦e (g^s, m′·y^s) = (g^{r+s}, m·m′·y^{r+s}) = encrypt(m·m′).
Moreover, one can compute the randomness used to encrypt m · m′ in encrypt(m) ◦e encrypt(m′) as the sum of the randomnesses used to generate encrypt(m) and encrypt(m′) respectively.
Finally, given a ciphertext and its corresponding plaintext, one can efficiently prove the correctness of this assertion. The private input of the prover is either the randomness used to produce the ciphertext, or the private key of the scheme. This proof is often called in the literature the proof of equality of two discrete logarithms. It was first provided in [Chaum & Pedersen, 1993]. Figure 4.2 depicts such a proof.
Figure 4.2: Proof system for {(e1, e2) : e1 = g^x ∧ e2 = y^x}. Common input: (e1, e2, y, g); private input: x.
  Prover: choose t ←R Z; compute h1 = g^t and h2 = y^t; send (h1, h2) to the Verifier.
  Verifier: choose b ←R {0, 1}^ℓ (b ∈ N); send b to the Prover.
  Prover: compute s = t + xb; send s to the Verifier.
  Verifier: verify that g^s = h1 · e1^b and y^s = h2 · e2^b.
BBS [Boneh et al., 2004a]: It consists of the following algorithms:
• setup. We consider a bilinear group (G, +), with prime order d, generated by P.
• keygen. Probabilistically generate two secret values x1, x2 ∈ Z_d^× and compute X1 = x1·P and X2 = x2·P. Set the private key to sk = (x1, x2) and the public key to pk = (X1, X2).
• encrypt. Let m ∈ G be a message. Generate a random nonce (a, b) ∈ Z_d^2 and compute the session key k = (a + b)·P and its encapsulation c = (a·X1, b·X2). The ciphertext corresponding to m is (c, k + m).
• decrypt. Given the private key sk and the element (c, k + m), where c = (a·X1, b·X2), compute k as k = x1^{−1}·a·X1 + x2^{−1}·b·X2. Then recover m from k + m.
The BBS scheme is IND-CPA secure under the decision linear assumption (Definition 2.5). Moreover, it is evident that this scheme satisfies the homomorphic properties announced in Definition 4.3. Finally, the proof that a given BBS ciphertext c decrypts to some message m is simply the proof of equality of two discrete logarithms: the discrete logarithm of e(a·X1, b·X2) in base e(k·P, X2), and the discrete logarithm of X1 in base P, where e is the pairing underlying the group G.
Finally, the Paillier [Paillier, 1999] encryption scheme cannot be viewed as an instance of this class as it is not based on the KEM/DEM paradigm.
Theorem 4.11. Let Γ be a OW-CPA secure encryption scheme from the above class E. Let furthermore c be an encryption of some message under some public key pk. The protocol depicted in Figure 4.3 is a zero-knowledge proof of knowledge of the decryption of c. The proof is similar to that of Theorem 4.10.
Figure 4.3: Proof system for membership to the language {(e, sk) : ∃m : m = Γ.decrypt_Γ.sk(e, sk)}. Common input: (e, sk, Γ.pk); private input: Γ.sk or the randomness encrypting m in (e, sk).
  Prover P: choose s′ ←R G; compute t2 = Γ.encrypt(s′); send t2 to the Verifier.
  Verifier V: choose b ←R {0, 1}^ℓ (b ∈ N); send b to the Prover.
  Prover P: compute z = s′ ∗ s^b; send z to the Verifier.
  P and V: run the (interactive) proof PoK{z = Γ.decrypt_Γ.sk(t2 ◦e (e, sk)^b)}.
  Verifier V: accept if the proof PoK is valid.
Proof. To prove this theorem, we first remark that the encryption algorithm, with respect to a given public key pk, induces a group law on the ciphertext space C.
Completeness is straightforward. Soundness is again easy. In fact, we note that for a fixed commitment t2, to each challenge b corresponds a unique response z (we always assume that 2^ℓ is smaller than the order of the ciphertext space), namely the plaintext of the ciphertext t2 ◦e (e, sk)^b. Thus, provided the encryption scheme Γ is one-way, a cheating prover P̃ must guess the challenge b correctly in order to be able to carry out the protocol; i.e. he must choose z ←R G, then compute the commitment t2 = Γ.encrypt_Γ.pk(z) ◦e (e, sk)^{−b} and send it as the first message. Once P̃ receives the correctly guessed challenge, he responds with z. We conclude that, provided PoK is sound, the soundness error probability of the protocol is at most 2^{−ℓ}.
For the zero-knowledgeness, we describe the following simulator:
1. Generate uniformly a random challenge b′ ←R {0, 1}^ℓ. Choose a random z ←R G, compute t2 = Γ.encrypt_Γ.pk(z) ◦e (e, sk)^{−b′} and send it to the verifier.
2. Get b from the verifier.
3. If b = b′, the simulator sends back z and simulates the proof PoK for z being the decryption of t2 ◦e (e, sk)^b (this proof is simulatable since it is zero knowledge by assumption). Otherwise, it goes to Step 2 (rewinds the verifier).
The prover's first message is always an encryption of a random value, and so is the first message of the simulator. Since b′ is chosen uniformly at random from {0, 1}^ℓ, the probability that the simulator does not rewind the verifier is 2^{−ℓ}, and thus the simulator runs in expected polynomial time if ℓ is logarithmic in the security parameter. Finally, the distribution of the answers of the prover and of the simulator is again the same. We conclude that the above proof is perfectly zero knowledge.
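The following is an added worked example, not code from the thesis: it instantiates the class E with ElGamal (the first example above), checks the homomorphic property 3 of Definition 4.3 including the "sum of randomnesses" claim, implements the Chaum-Pedersen proof of Figure 4.2, and then runs the protocol of Figure 4.3 with that proof as the inner PoK, both honestly and as the simulator of the proof of Theorem 4.11 (which is also the cheating prover's strategy). The group parameters P, Q, G and the challenge length ELL are constructed toy values chosen for this example, and all function names are this example's own.

```python
import secrets

# Constructed toy parameters (this example's assumption, not the thesis's): safe prime
# P = 2Q + 1 and G = 4, a generator of the order-Q subgroup of squares mod P.
# Far too small for real use; they only make the arithmetic visible.
P, Q, G = 2039, 1019, 4
ELL = 8  # challenge length ℓ; 2^ELL < Q, as the soundness argument assumes

def rand_exp():
    """Uniform non-zero exponent in Z_Q."""
    return secrets.randbelow(Q - 1) + 1

def rand_msg():
    """Uniform element of the message group (a random square mod P)."""
    return pow(rand_exp(), 2, P)

def keygen():
    x = rand_exp()
    return x, pow(G, x, P)  # sk = x, pk = y = g^x

def encrypt(pk, m, r=None):
    """ElGamal (g^r, m*y^r); the randomness r is returned too, since property 3 needs it."""
    r = rand_exp() if r is None else r
    return (pow(G, r, P), m * pow(pk, r, P) % P), r

def decrypt(sk, ct):
    c, e = ct
    return e * pow(pow(c, sk, P), -1, P) % P  # decapsulate k = c^x, then m = e * k^-1

def combine(ct1, ct2):
    """The operation ◦e of Definition 4.3: term-wise product on G x G."""
    return (ct1[0] * ct2[0] % P, ct1[1] * ct2[1] % P)

def ct_pow(ct, b):
    """ct ◦e ... ◦e ct (b times); a negative b gives the inverse, as the simulator needs."""
    return (pow(ct[0], b, P), pow(ct[1], b, P))

def homomorphism_check(pk, m1, m2):
    """Property 3: encrypt(m1) ◦e encrypt(m2) equals encrypt(m1*m2) under randomness r1 + r2."""
    ct1, r1 = encrypt(pk, m1)
    ct2, r2 = encrypt(pk, m2)
    ct3, _ = encrypt(pk, m1 * m2 % P, (r1 + r2) % Q)
    return combine(ct1, ct2) == ct3

# --- Figure 4.2: Chaum-Pedersen proof that e1 = g1^x and e2 = g2^x, b being the challenge ---
def cp_prove(g1, g2, x, b):
    t = rand_exp()
    h = (pow(g1, t, P), pow(g2, t, P))  # commitment (h1, h2)
    return h, (t + x * b) % Q           # response s = t + x*b

def cp_verify(g1, g2, e1, e2, h, b, s):
    return (pow(g1, s, P) == h[0] * pow(e1, b, P) % P
            and pow(g2, s, P) == h[1] * pow(e2, b, P) % P)

def cp_simulate(g1, g2, e1, e2, b):
    """Zero-knowledge simulator: choose the response s first and solve for the commitment."""
    s = rand_exp()
    return (pow(g1, s, P) * pow(e1, -b, P) % P, pow(g2, s, P) * pow(e2, -b, P) % P), s

def decryption_statement(pk, ct, m):
    """Bases and targets for 'm is the decryption of ct = (c, e)' with witness r:
    c = g^r and e/m = y^r. (With witness sk = x one would use y = g^x, e/m = c^x instead.)"""
    c, e = ct
    return G, pk, c, e * pow(m, -1, P) % P

def prove_decryption(pk, ct, m, r, b):
    """Prover holding the randomness r answers challenge b; returns the verifier's verdict."""
    g1, g2, e1, e2 = decryption_statement(pk, ct, m)
    h, s = cp_prove(g1, g2, r, b)
    return cp_verify(g1, g2, e1, e2, h, b, s)

# --- Figure 4.3 with ElGamal: proof of knowledge of the decryption s of ct (randomness r) ---
def fig43_honest(pk, ct, s, r):
    s_prime = rand_msg()
    t2, r_prime = encrypt(pk, s_prime)   # P -> V: commitment t2 = encrypt(s')
    b = secrets.randbelow(1 << ELL)      # V -> P: challenge b
    z = s_prime * pow(s, b, P) % P       # P -> V: response z = s' * s^b
    # Inner PoK: z is the decryption of t2 ◦e ct^b, whose randomness is r' + b*r (property 3).
    target = combine(t2, ct_pow(ct, b))
    return prove_decryption(pk, target, z, (r_prime + b * r) % Q, secrets.randbelow(1 << ELL))

def fig43_simulate(pk, ct, b_guess, b_actual):
    """Simulator from the proof of Theorem 4.11 (a cheating prover uses the same strategy):
    commit to encrypt(z) ◦e ct^(-b_guess). Returns None when the simulator must rewind."""
    z = rand_msg()
    enc_z, _ = encrypt(pk, z)
    t2 = combine(enc_z, ct_pow(ct, -b_guess))
    if b_actual != b_guess:
        return None
    target = combine(t2, ct_pow(ct, b_actual))  # equals enc_z, so z really is its decryption
    g1, g2, e1, e2 = decryption_statement(pk, target, z)
    b2 = secrets.randbelow(1 << ELL)
    h, s = cp_simulate(g1, g2, e1, e2, b2)      # inner PoK simulated, no witness used
    return cp_verify(g1, g2, e1, e2, h, b2, s)

if __name__ == "__main__":
    sk, pk = keygen()
    m = rand_msg()
    ct, r = encrypt(pk, m)
    print(decrypt(sk, ct) == m, homomorphism_check(pk, m, rand_msg()),
          fig43_honest(pk, ct, m, r), fig43_simulate(pk, ct, 3, 3))
```

Running prove_decryption with a wrong plaintext fails for every non-zero challenge, which is the one-wayness argument of the soundness proof in miniature; fig43_simulate with a wrong guess returns None, matching the 2^{−ℓ} success probability per attempt that the text derives.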
Figure 4.4: Proof system for membership to the language {(e, sk, r) : ∃s : s = Γ.decrypt(e, sk) ∧ Σ.verify(retrieve(s, r), m‖e) = 1 (resp. ≠ 1)}. Common input: (e, sk, r, Σ.pk, Γ.pk); private input: Γ.sk or the randomness encrypting s in (e, sk).
  Prover P and Verifier V: each computes I as defined in Definition 4.2.
  Prover P: choose s′ ←R G; compute t1 = f(s′) and t2 = Γ.encrypt_Γ.pk(s′); send (t1, t2) to the Verifier.
  Verifier V: choose b ←R {0, 1}^ℓ (b ∈ N); send b to the Prover.
  Prover P: compute z = s′ ∗ s^b; send z to the Verifier.
  P and V: run the (interactive) proof PoK{z = Γ.decrypt_Γ.sk(t2 ◦e (e, sk)^b)}.
  Verifier V: accept if the proof PoK is valid and f(z) = t1 ◦s I^c in case of confirmation, f(z) ≠ t1 ◦s I^c in case of denial.