Encrypted verifiable schema with hidden content

Federico Rapetti

10/11/22, 2:58 PM

I'm having a problem with an encryption scheme.

There are two entities, $A$ and $B$. $A$ give a simple message $m \in [0,1]$ to $B$. $B$ should generate an encrypted message of $m$: $e=Enc_{pk}(m)$ such that $A$ can verify if $B$ has correctly encrypted a message generated from $A$ without tampering it. But, at the same time, $e$ should not reveal any information that can be used from $A$ to demonstrate the value of the message $m$ in $e$. (The decryption key $sk$ is not known by either $A$ or $B$)

Basically, the goal is to have an encrypted message on which $A$ can only check if the content is something that $A$ themself generated (eg. with a signature) but without being able to demonstrate to anyone the effective plaintext value.

There are no particolar constraint in the protocol, so additional data like signature or witness can be used.

Do you know any schema that can solve this situation?

1 + 3

encryption

public-key

zero-knowledge-proofs

Ievgeni

10/13/22, 10:37 AM

Why $A$ can't herself encrypt $m$ with $pk$ which is public key?

Federico Rapetti

10/14/22, 4:26 PM

@Ievgeni Because, if $A$ encrypts $m$ herself, she can later prove the content of $e$ by just encrypting $m$ again with the same random values

Ievgeni

10/14/22, 4:57 PM

Thank you for your answer :)

Score:0

Crypto

Ievgeni

10/11/22, 3:25 PM

It think, it can be solved by using structure preserving encryption/signature scheme (I mean schemes which are compatible with the ZK proof system you want to use).

The general idea is that Alice will sign the message and will send the signature $\sigma$ to Bob, then Bob will commit the message $m$, and the signature $\sigma$ and will build ZK proofs that $e$ contains $m$, and $\sigma$ is a valid signature for $m$ according to the public verification key of Alice.

Because Alice only sign one message, she will be convinced that $(com_m, com_\sigma)$ contains $(m, \sigma)$ (and thus that $e = Enc_{pk}(m)$).

But because the proofs are zero-knowledge, $Enc(m)$ is perfectly indistinguishable from another message potentially signed by Alice (even the secret signing key of Alice is revealed). And thus Alice could not convince anyone about the real value in $Enc(m)$.

For concrete instantiation, you can for example use Groth-Sahai proofs-system, with El Gamal as encryption scheme, and these signatures.

0 + 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Encrypted verifiable schema with hidden content

TH: สคีมาที่ตรวจสอบได้เข้ารหัสพร้อมเนื้อหาที่ซ่อนอยู่

RO: Schemă criptată verificabilă cu conținut ascuns

RU: Зашифрованная проверяемая схема со скрытым содержимым

VI: Lược đồ có thể kiểm chứng được mã hóa với nội dung ẩn

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.