Join Log in
Score:0
Bertug avatar Crypto

How to proof Two CipherTexts holding same value with Zero Knowledge Proof?

at flag
Bertug

I am a beginner in cryptography.

I wonder is it possible to create by Zero Knowledge Proof, to prove Two cipherTexts that are encrypted by same Public Key with Paillier Encryption have the same value inside but without decrypting the texts. I have access to the Public Key at the moment.

I have an array which is like [1,0,0] => Paillier Encryption => [encryption(1),encryption(0),encryption(0)]

According to my business logic, sum of all the columns ( using Paillier.addition() ) in array must be equal to encryption(1)

Paillier ZKP I Tried to implement this(which is based on this PDF) but so far could not get any result.

Note: I am using ExpressJS and paillier-js library.

Edit1: My Implementation receives an encrypted Array via HTTP request from other another ExpressJS Instance. My implementation needs to create proof whether the array is valid or not. My Current Implementation

Edit 2: typo

154
1 + 0
Score:1
poncho avatar Crypto
my flag
poncho

I wonder is it possible create by Zero Knowledge Proof to prove Two cipherTexts which are encrypted by same Public Key with Paillier Encryption has the same value inside but without decrypting the texts. I have access to the Public Key at the moment.

Yes, of course.

The first step is to notice is that if you have two ciphertexts $C_1, C_2$, they correspond to the exact same ciphertext iff $C_1 * C_2^{-1}$ (which is the Pallier subtraction of the two) is an encryption of 0, that is, if $C_1 C_2^{-1} = r^n \pmod{n^2}$ (for some integer $r$)

$C_1C_2^{-1}$ can be computed without knowledge of the private key (and so we'll denote that value as $C$), and so the only thing left is to generate a zero knowledge proof of the value $r$.

Now, the paper you cited handles a more general case (where you have several values $D_1, D_2, ..., D_n$, and want to show that one of them is an encryption of 0, but don't want to leak which one it is). If we discard the logic that handles several values, we are left with this cut-and-choose protocol:

  • Prover selects a random value $s$ [1] and publishes $s^n \bmod n^2$

  • Verifies says either "show me $s$" or "show me $sr$"

  • Prover displays the requested value

  • If the verifier asked for $s$ and gets a value $s'$, he just verifies that $s'^n$ is the $s^n$ value he was given.

  • If the verifier asked for $sr$, and gets a value $s'$, he just verifies that $sr'^n$ is the value $s^n \cdot C = s^nr^n$

It should be clear that neither choice leaks the value $r$, and that the only way that both choices are answerable is if, in fact, that there does in fact exist a value $r$.

The probability of someone cheating without being detected is $2^{-1}$, so to get that probability down to a reasonable level, you need to repeat this procedure a number of times, say, 64 or 128 times.

The obvious question is "how does the prover know $r$?". Well, if he is the one generating $C_1, C_2$, the obvious response is "he remembers the $r_1, r_2$ values he used to encrypt them, and computes it for the corresponding $C$ value. If he is just given a (say) $C_1$ value, well, even though he can himself decrypt it, I don't know of a way for him to recover the corresponding $r$ value - he'd need to use a different ZKP technique.

I glanced through your code - I didn't see where you tried to do this sort of logic; on the other hand, I didn't look that hard...

[1]: The paper uses the symbol $\omega$ to denote this random value.

+ 2
Bertug avatar
at flag
Bertug
Thank you for your answer and your time Dear @poncho, I am currently trying to implement the logic you mentioned. As soon I as I get result, I will provide a feedback. In addition, I am trying to find C1* C2^(-1) which will be equal to C1 / C2 which is also the substraction of two -> C1-C2 = 0 (I assume decryption of both texts equal to 1) . Everytime I perform the operation then I decrypt the result, I should get 0 as an answer right (decrypting is just for testing), all other answers will be wrong, at the moment I am getting another ciphertext?
0
Reply
poncho avatar
my flag
poncho
@Bertug: if you are computing $C_1 - C_2 \bmod n^2$, well, that's wrong - that is certainly not the same as $C_1 \cdot C_2^{-1} \bmod n^2$
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.