Score:0

Prove data encrypted with different keys matches

in flag

Suppose user A encrypts some data using his public key and stores the data publicly. Later user A would like to transfer that same data to user B publicly by encrypting it using user B's public key.

What is the best way to verify that the same data was transferred to user B without knowing the data, user A, and user B's private keys?

Ievgeni avatar
cn flag
Is it homework?
in flag
no, trying to figure out if this is possible at all and what I should read more about. Would like to create something of this sort on Ethereum so secret data can be transferred securely between people publicly.
Ievgeni avatar
cn flag
Question : Is it a deterministic encryption scheme?
in flag
I don't know if this is possible at this point so it's too early to set any boundaries. Would be preferable if it's deterministic though.
Ievgeni avatar
cn flag
Other question : Is $A$ authorized to add new data (like ZK-proofs) to help B to make the verification? If yes what are the security constraints?
in flag
@levgeni Yes, additional data can be added, however verification should happen before the transfer (before User B has the data). I'm looking for something like this: 1. User A -> store data encrypted with User A's public key in a public contract. 2. User A -> attempts to transfer same data this time encrypted using User B's public key through the same public contract. 3. The contract verifies if User A didn't lie (transfer different data). If the verification is successful, data is stored, otherwise the request is rejected. The contract should verify this, not user B.
in flag
^ In the example above the contract does not know the data and does not know the private keys of User A and user B. It is aware of the public keys of A and B, the data encrypted using A's public key and the data encrypted using B's public key. Any additional metadata can be added to help this verification without revealing the data.
ming alex avatar
in flag
There are some examples for solving your question in section 20.2 of the [book](http://toc.cryptobook.us/book.pdf)
Score:1
cn flag

Zero-knowledge proof seems fit with your goal. $A$ has to prove that it exists $M$ such that $C=Enc(M, pk_A)$, and $C^\prime=Enc(M, pk_B)$. This ZKP can be done without revealing any information about the data $M$ (that's why we call it Zero-Knowledge). For concrete instantiation you can use El Gamal encryption, and Groth-Sahai ZK-proof techniques :

https://en.wikipedia.org/wiki/ElGamal_encryption

https://eprint.iacr.org/2007/155

Notice that you do not need to use private key of $B$ to verify the equality but if it is the contact which verifies, it's probably better.

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.