## Practical Verifiable Encryption and Decryption of Discrete Logarithms (2003)

### Download Links

- [www.iacr.org]
- [eprint.iacr.org]
- [www.zurich.ibm.com]
- [shoup.net]
- [www.shoup.net]
- DBLP

Citations: 148 (20 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Camenisch03practicalverifiable,
  author    = {Jan Camenisch and Victor Shoup},
  title     = {Practical Verifiable Encryption and Decryption of Discrete Logarithms},
  booktitle = {},
  year      = {2003},
  pages     = {126--144},
  publisher = {Springer-Verlag}
}
```

### Abstract

This paper addresses the problem of designing practical protocols for proving properties about encrypted data. To this end, it presents a variant of the new public key encryption of Cramer and Shoup based on Paillier’s decision composite residuosity assumption, along with efficient protocols for verifiable encryption and decryption of discrete logarithms (and more generally, of representations with respect to multiple bases). This is the first verifiable encryption system that provides chosen ciphertext security and avoids inefficient cut-and-choose proofs. The presented protocols have numerous applications, including key escrow, optimistic fair exchange, publicly verifiable secret and signature sharing, universally composable commitments, group signatures, and confirmer signatures.

### Citations

- 1419 | Random Oracles are Practical: A Paradigm for Designing Efficient - Bellare, Rogaway - 1993
- 1231 | Probabilistic encryption - Goldwasser, Micali - 1984
- 881 | How to prove yourself: Practical solutions to identification and signature problems - Fiat, Shamir - 1987
  - Citation context: ...the user, encrypts the opening of the commitment, and proves that the ciphertext decrypts to an opening of the commitment. To turn this into a signature scheme, one must use the Fiat-Shamir heuristic [FS87] to make it non-interactive (the interactive version is called an identity escrow scheme). Although one can implement group signatures without it, by using verifiable encryption, one can build a more ...
- 691 | Public-key cryptosystems based on composite degree residuosity classes - Paillier - 1999
  - Citation context: ...Let $n = pq$ and $n' = p'q'$. Consider the group $\mathbb{Z}_{n^2}^*$ and the subgroup $P$ of $\mathbb{Z}_{n^2}^*$ consisting of all $n$th powers of elements in $\mathbb{Z}_{n^2}^*$. Paillier’s Decision Composite Residuosity (DCR) assumption [Pai99] is that given only $n$, it is hard to distinguish random elements of $\mathbb{Z}_{n^2}^*$ from random elements of $P$. We can decompose $\mathbb{Z}_{n^2}^*$ as an internal direct product $\mathbb{Z}_{n^2}^* = G_n \cdot$ ...
- 476 | A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack - Cramer, Shoup
  - Citation context: ...ng that the proof is invalid. A difficulty in defining soundness for verifiable decryption is that for many public key encryption schemes (including ours and, e.g., the ElGamal based Cramer-Shoup one [CS98]), it is not well defined whether or not a ciphertext is valid given only the public key. More precisely, there are ciphertexts that can be both valid and invalid, depending on the actual value of the...

- 442 | Security without identification: Transaction systems to make big brother obsolete - Chaum - 1985
- 408 | Non-interactive and information-theoretic secure verifiable secret sharing - Pedersen - 1992
  - Citation context: ...eason why this restriction is not really so excessive is because in the past few years, efficient protocols for proving numerous properties about committed values — using Pedersen’s commitment scheme [Ped92] and generalizations to groups of unknown order — have been developed (c.f., [FO97,DF02,Bou00]); by using our scheme for verifiable encryption of a representation (i.e., an opening of a commitment), w...
- 358 | Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack - Rackoff, Simon - 1991
  - Citation context: ... can be described by just pointing out its aim while hiding all details. 2.3 Secure Public-Key Encryption We need the notion of a public-key encryption scheme secure against chosen ciphertext attacks [RS92] that supports labels [Sho01]. A label is an arbitrary bit string that is input to the encryption and decryption algorithms, specifying the “context” in which the encryption or decryption operation is...
- 315 | Wallet databases with observers - Chaum, Pedersen - 1993
  - Citation context: ...t is, in the case the discrete logarithms are not equal). There are well-known, efficient, special honest-verifier zero-knowledge proof systems for proving that two discrete logarithms are equal (see [CP93]), so we focus on the problem of proving that two discrete logarithms are unequal. We discuss an efficient protocol for this problem separately as it is of independent interest and as the algebraic se...

- 285 | Efficient group signature schemes for large groups - Camenisch, Stadler - 1997
  - Citation context: ...ess the input y satisfies θ. Via standard rewinding arguments, this notion of soundness implies the more general notion of computational soundness. We use notation introduced by Camenisch and Stadler [CS97] for the various proofs of relations among discrete logarithms. For instance, $PK\{(a, b, c) : y = g^a h^b \wedge y = g^a h^c \wedge (u \le a \le v)\}$ denotes a “zero-knowledge Proof of Knowledge of integers a, b, and...
- 282 | Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols - Cramer, Damgård, et al. - 1994
  - Citation context: ...f these equations hold is a fairly straightforward application of known techniques. To prove that at least one of the equations does not hold, we can use the “proof of partial knowledge” technique of [CDS94], combined with the technique developed in §5. However, because in the present setting the group has non-prime order we can not prove the relationship among the secrets in the same way as in §5 and, m...
- 254 | A practical and provably secure coalition-resistant group signature scheme - Ateniese, Camenisch, et al.
- 246 | Optimistic fair exchange of digital signatures - Asokan, Shoup, et al. - 2000
  - Citation context: ...equired data. The general problem of optimistic fair exchange has been extensively studied, c.f., [ASW97,BDM98,BP90,Mic,ASW00], while the solution using verifiable encryption was studied in detail in [ASW00]. Our scheme for verifiable encryption may be used directly to efficiently implement the fair exchange of Schnorr or DSS signatures. As outlined in [ASW00], if the public key of the Schnorr signature ...
- 172 | Collision-free accumulators and fail-stop signature schemes without trees - Barić, Pfitzmann - 1997
  - Citation context: ... have $\zeta = 1$ (as $-1 \notin (\mathbb{Z}_n^*)^2$). If $c/d$ is odd then $g = (\zeta w^\beta g^\alpha)^{c/d}$. In either case, we have computed a $(c/d)$th root of $g$. Discussion. The strong RSA assumption was introduced independently in [BP97] and [FO97]. Since then, it has been found to be useful in the analysis of many cryptographic schemes (e.g., [CM98, GHR99, CS00, ACJT00, CL01]). We do not claim that Theorem 3 is new: it has appear...

- 172 | Concurrent zero knowledge - Dwork, Naor, et al. - 1998
- 168 | Optimistic protocols for fair exchange - Asokan, Schunter, et al. - 1997
- 161 | Signature Schemes Based on the Strong RSA Assumption - Cramer, Shoup
  - Citation context: ...CS00, ACJT00, CL01]). We do not claim that Theorem 3 is new: it has appeared implicitly and in more restricted form in previous papers: the essential idea in the proof of Theorem 3 already appears in [CS00], although that paper deals with a more restricted, and somewhat simpler, setting; also, the paper [DF02] implicitly contains a proof of a statement that is very similar to that of Theorem 3. The pape...
- 160 | Efficient proofs that a committed number lies in an interval - Boudot - 2000
  - Citation context: ... needs to be exact, i.e., if we allowed for the same sloppiness, then the prover could for instance add a multiple of $n$ to $m$ and then show that $(u, e, v)$ does not (or does) decrypt to $\log_\gamma \delta$. Boudot [Bou00] presents several protocols to prove that an integer $m$ lies exactly in an interval $[a, b]$. One protocol uses the fact that $x \in [a, b]$ is equivalent to $b - x \ge 0$ and $x - a \ge 0$ and that one can show tha...
- 151 | Universally composable commitments - Canetti, Fischlin - 2001
  - Citation context: ...These two applications of verifiable encryption were discussed in [CD00]. Universally composable commitments. The notion of universally composable (UC) commitments, introduced by Canetti and Fischlin [CF01], is a very strong notion of security for a commitment scheme. It basically says that commitments in the real world act like commitments in an ideal world in which, when a party A commits to a value ...
- 149 | Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public key encryption. Cryptology ePrint Archive, Report 2001/085 - Cramer, Shoup - 2001
  - Citation context: ...t, let $t = 2^{-1} \bmod n$, and compute $\hat{m} := (e/u^{x_1})^{2t}$. If $\hat{m}$ is of the form $h^m$ for some $m \in [n]$, then output $m$; otherwise, output reject. This scheme differs from the DCR-based schemes presented in [CS01], because in our situation, special attention must be paid to the treatment of elements of order 2 in $\mathbb{Z}_{n^2}^*$, as these can cause some trouble for the proof ...

- 143 | On the security of joint signature and encryption - An, Dodis, et al.
- 135 | Statistical zero knowledge protocols to prove modular polynomial relations - Fujisaki, Okamoto - 1997
- 130 | Proving in zero-knowledge that a number is the product of two safe primes - Camenisch, Michels - 1999
- 130 | Design and Implementation of the Idemix Anonymous Credential System - Camenisch, Herreweghen - 2002
- 130 | Secure hash-and-sign signatures without the random oracle - Gennaro, Halevi, et al. - 1999
- 123 | Publicly Verifiable Secret Sharing - Stadler - 1996
  - Citation context: ...elping to enforce the logic of the exchange protocol, and a verifiable decryption protocol may be used to hold T’s feet to the fire. Publicly verifiable secret sharing and signature sharing. Stadler [Sta96] introduced the notion of publicly verifiable secret sharing. Here, one party, the dealer, shares a secret with several proxies $P_1, \ldots, P_n$, in such a way that a third party (other than the dealer ...
- 118 | A proposal for an ISO standard for public key encryption, Cryptology ePrint Archive - Shoup - 2001
  - Citation context: ...inting out its aim while hiding all details. 2.3 Secure Public-Key Encryption We need the notion of a public-key encryption scheme secure against chosen ciphertext attacks [RS92] that supports labels [Sho01]. A label is an arbitrary bit string that is input to the encryption and decryption algorithms, specifying the “context” in which the encryption or decryption operation is to take place. The definitio...
- 114 | Efficient Concurrent Zero-Knowledge in the Auxiliary String Model - Damgård
  - Citation context: ...l honest verifier zero knowledge and special soundness. We note that any such protocol can be easily and efficiently converted into a “real” zero knowledge protocol using well known techniques, e.g., [Dam00]. Our system for verifiable encryption of discrete logarithms is the first one that provides chosen ciphertext security and avoids inefficient cut-and-choose proofs. It is also the first practical sys...

- 112 | Securing threshold cryptosystems against chosen ciphertext attack - Shoup, Gennaro
  - Citation context: ...e it comes in handy that the knowledge of the factorization of n is not required for decryption. This allows one to reduce the trust assumption for the TTP. This can be done either along the lines in [SG98], which requires a random oracle security argument, or along the lines in [CG99], which does not require that argument, but for which the decryption protocol is less efficient. 4 Verifiable Encryption...
- 103 | Efficient and practical fair exchange protocols with off-line TTP - Bao, Deng, et al. - 1998
- 103 | Probabilistic algorithms - Rabin - 1976
  - Citation context: ... again under the strong RSA assumption using additional parameters $(n, g, h)$. Lagrange proved that an integer can always be represented as four squares and Rabin and Shallit [RS86] provide an efficient algorithm to find these squares. We note that in our case the interval is symmetric and it therefore suffices to prove that $((n-1)/2)^2 - m^2 \ge 0$ holds, which is more efficient...
- 94 | Efficient non-transferable anonymous multi-show credential system with optional anonymity revocation - Camenisch, Lysyanskaya - 2001
- 85 | Designated confirmer signatures - Chaum - 1995
  - Citation context: ...lue revealed at opening time. The details of this construction and security proof are the subject of a forthcoming paper. Confirmer signatures. In a confirmer signature scheme, a notion introduced in [Cha94], a party A creates an “opaque signature” ψ on a message m, which cannot be verified by any other party except a designated trusted third party T, who may either confirm or deny the validity of the s...

- 85 | A group signature scheme with improved efficiency - Camenisch, Stadler - 1998
- 77 | Separability and efficiency for generic group signature schemes - Camenisch, Michels - 1999
- 76 | An integer commitment scheme based on groups with hidden order - Damgård, Fujisaki - 2002
- 76 | Resettable Zero-Knowledge - Canetti, Goldreich, et al. - 2000
- 75 | Identity Escrow - Kilian, Petrank - 1998
- 72 | Easy come - easy go divisible cash - Chan, Frankel, et al.
- 72 | Digital payment systems with passive anonymity-revoking trustees - Camenisch, Maurer, et al. - 1996
- 67 | A Framework for Password-based Authenticated Key Exchange - Gennaro, Lindell - 2003
  - Citation context: ...applications. However, we prefer to achieve non-malleability in the strictest sense, and because this comes at a marginal cost, we do so. We also mention that in independent work, Gennaro and Lindell [GL03] devise a similar (but not quite identical) scheme, but for completely different purposes: their goal is to construct efficient password-based key exchange protocols. Theorem 1. The above scheme is se...
- 65 | An Efficient Threshold Public-Key Cryptosystem Secure Against Adaptive Chosen Ciphertext Attack - Canetti, Goldwasser - 1999
  - Citation context: ... for decryption. This allows one to reduce the trust assumption for the TTP. This can be done either along the lines in [SG98], which requires a random oracle security argument, or along the lines in [CG99], which does not require that argument, but for which the decryption protocol is less efficient. 4 Verifiable Encryption 4.1 Definitions At a high level, a verifiable encryption scheme for a binary re...

- 56 | Receipt-free secret ballot elections (extended abstract) - Benaloh, Tuinstra - 1994
- 53 | Verifiable Encryption, Group Encryption, and Their Applications to - Camenisch, Damgård - 2000
  - Citation context: ...rete logarithm, one can easily implement a (publicly) verifiable signature sharing scheme [FR95,CG98] for Schnorr and DSS signatures. These two applications of verifiable encryption were discussed in [CD00]. Universally composable commitments. The notion of universally composable (UC) commitments, introduced by Canetti and Fischlin [CF01], is a very strong notion of security for a commitment scheme. It ...
- 51 | Modular Design of Secure yet Practical Cryptographic Protocols - Cramer - 1997
  - Citation context: ...⌋}. Let $a$, $b$, and $c$ be integers, with $b > 0$. Then $c = a \bmod b$ denotes $a - \lfloor a/b \rfloor b$ (and we have $0 \le c < b$), and $c = a \mathrel{\mathrm{rem}} b$ denotes $a - \lceil a/b \rfloor b$ (and we have $-b/2 \le c < b/2$). 2.2 Σ-protocols A Σ-protocol [Cra96] is a protocol between a prover and a verifier, where y is their common input and x is the prover’s additional input, which consists of three moves: in the first move the prover sends the verifier a “...
- 48 | Efficient group signature schemes for large groups - Camenisch, Stadler - 1997
- 40 | Confirmer Signature Schemes Secure against Adaptive Adversaries - Camenisch, Michels - 2000
  - Citation context: ... signature, which may then be verified by anybody. Additionally, the party A may prove the validity of an opaque signature ψ to a party B, at the time that A creates and gives ψ to B. As described in [CM00], one may implement confirmer signatures as follows: A creates an ordinary signature σ on m, and encrypts σ under T’s public key. Using verifiable encryption, A may prove to B that the resulting ciph...
- 27 | Two-party generation of DSA signatures - MacKenzie, Reiter - 2001
- 25 | Auto-recoverable autocertifiable cryptosystems - Young, Yung - 1998
- 24 | Generic Constructions for Secure and Efficient Confirmer Signature Schemes - Michels, Stadler - 1998
  - Citation context: ...lar to ours. However, their protocol is about a factor of two less efficient than ours and is only computationally sound. We finally note that the (efficient) protocol proposed by Michels and Stadler [MS98] to prove whether or not two discrete logarithms are equal is not zero-knowledge because it reveals the value $h^x$. 6 Verifiable Decryption In this section we provide a protocol that allows the decryp...