Publicly verifiable multi-user public key encryption

Introduction

Public key encryption (PKE) is a standard tool used in many protocols with two parties – sender and receiver. Sender uses receiver's public key to encrypt a secret message and receiver uses her private key to decrypt it. In modern (decentralized) protocols there's a third party – verifier. Verifier acts as an arbiter, she verifies that both parties (sender and receiver) follow the protocol correctly. When there's a need for privacy a PKE scheme does not offer the verifier to do her job – to get access to the encrypted message privacy property must be sacrificed.

To overcome this issue there's publicly verifiable public key encryption (PVPKE). In such a scheme the sender encrypts a message and proves certain useful properties about it such that the verifier can verify the proof (ie. that the properties do actually hold for the encrypted message without decrypting it) and the receiver can decrypt the message as usual.

Some useful properties about encrypted text might include the following:

proof of decryptability, ie. that the receiver can indeed decrypt the message (and not claim that she can't, without revealing her private decryption key);
proof of correct encryption, ie. that the sender has encrypted a valid message (and not some garbage).

Depending on the underlying platform (message space, key space) and provable properties there can be many approaches. In a general case encryption algorithm is represented as a circuit, then a proof system is used to construct a (non-interactive) proof for that circuit.

In this post we present an extension to multi-receiver ElGamal PKE extended with Bulletproofs-based proof of correct encryption and decryptability that can be used to construct a publicly verifiable secret sharing (PVSS) scheme and non-interactive threshold signature scheme (NITSS).

TSS case study

To better illustrate our goal with PVPKE, lets consider a threshold Schnorr signature scheme (TSS). In TSS any subset of

t

-out-of-

n

signers can produce a valid signature. In the simplest case

t

-out-of-

n

property is achieved with a secret sharing scheme (SSS). In a distributed multi-party protocol it's done with distributed key generation (DKG). In TSS a DKG protocol is used to generate keys and nonce during signing round. A DKG is usually constructed as multiple VSS sessions where each signer gets to act as a secret dealer. The pseudocode for a DKG protocol is presented below.

$C o m m i t m e n t s^{i}, S h a r e s^{i} \leftarrow VSS.ShareRandom ()$
broadcast
$C o m m i t m e n t s^{i}$
$G o o d \leftarrow {}$
for each
$j$ :
4.1. receive
$C o m m i t m e n t s^{j}$ from
$P e e r^{j}$
4.2. send
$E_{j}^{i} = PKE.Encrypt [P K^{j}] (S h a r e^{i} (j))$ to
$P e e r^{j}$
4.3. receive
$E_{i}^{j}$ from
$P e e r^{j}$
4.4.
$S h a r e^{j} (i) \leftarrow PKE.Decrypt [s k^{i}] (E_{i}^{j})$
4.5. if
$VSS.Verify (C o m m i t m e n t^{j}, S h a r e^{j} (i))$ then
$G o o d \leftarrow G o o d \cup {j}$
4.6. else handle bad dealer
$P e e r^{j}$
$F i n a l S h a r e^{i} \leftarrow \sum_{j \in G o o d} S h a r e^{j} (i)$
return
$F i n a l S h a r e^{i}$

In order for the protocol to be correct peers need to know which secret shares exactly (ie. the set

G o o d

) contribute to the final value (signing key, nonce, final signature). It's trivial if we consider that all peers are honest, ie. they won't try to disrupt the execution of the protocol, or forge a signature. This is not the case in real world and we have to account for that.

First, we need to assume asynchronous networking model. In it an adversary can block (but not reorder) some messages. That means that we have to communicate with all peers at once (and not sequentially as presented in the pseudocode). Next, the broadcast primitive must be reliable (ie. all honest nodes must receive the same commitments which is not true with an incorrect trivial "send-to-all" implementation of broadcast). Next, an adversary shall not be able to break a secure channel between peers (implemented with PKE in the pseudocode). Lastly, there should be a proper "handle bad dealer" procedure.

We shall focus on the last issue. Without PVPKE many DKG protocols do special "complaint-and-verify" rounds. In simple terms, the idea is for

P e e r^{k}

to decide which peer to trust in a dispute between

P e e r^{i}

and

P e e r^{j}

where

P e e r^{i}

complains that

P e e r^{j}

is bad and

P e e r^{j}

tries to prove otherwise. With PVPKE we can implement DKG as follows.

$C o m m i t m e n t s^{i}, S h a r e s^{i} \leftarrow PVSS.ShareRandom ()$
$E n c r y p t e d S h a r e s^{i}, P r o o f s^{i} \leftarrow PVPKE.ProveEncrypt [\vec{P K}] (S h a r e s^{i})$
broadcast
$C o m m i t m e n t s^{i}, E n c r y p t e d S h a r e s^{i}, P r o o f s^{i}$
$G o o d \leftarrow {}$
for each
$j$ :
5.1. receive
$C o m m i t m e n t s^{j}, E n c r y p t e d S h a r e s^{j}, P r o o f s^{j}$ from
$P e e r^{j}$
5.2. if
$PVSS.Verify [P K^{j}] (C o m m i t m e n t s^{j}, E n c r y p t e d S h a r e s^{j}, P r o o f s^{j})$ then
$G o o d \leftarrow G o o d \cup {j}$
5.3.
$S h a r e^{j} (i) \leftarrow PVPKE.Decrypt [s k^{i}] (E n c r y p t e d S h a r e s_{i}^{j})$
$F i n a l S h a r e^{i} \leftarrow \sum_{j \in G o o d} S h a r e^{j} (i)$
return
$F i n a l S h a r e^{i}$

An obvious drawback is added complexity to generate and verify proofs and increased size of broadcasted messages.

Overview

There is a number of well-known PKE/KEM systems such as ElGamal encryption, DHIES, Paillier, Kurosawa-Desmedt, Cramer-Shoup, RSA. The usual approach to PVPKE is to extend a PKE system with a non-interactive zero-knowledge proof (NIZKP), for example publicly verifiable ElGamal and RSA encryption, Paillier-based PVSS, Paillier-based IND-CCA secure PVPKE, pairing-based PVPKE, non-interactive DKG. These constructions target different properties such as semantic or IND-CCA2 security, homomorphic property, threshold compatibility, forward secrecy, pairing or RSA friendliness.

Among others we require the following properties:

assumed hardness of DL/DH problems or their variant;
semantic encryption "in scalar";
proofs of decryptability and correct encryption;
multi-user encryption;
aggregation and batch verification of proofs.

The first requirement means compatibility with Ed25519/X25519; no pairings, RSA, composite/unknown order groups are allowed. The second and third requirements enable a simple application in PVSS, DKG, and TSS constructions; we do not need a stronger IND-CCA2 security. The last two requirements make implementations efficient.

The obvious candidate for a suitable PKE is ElGamal encryption. It satisfies requirements 1 and 4. In order to be able to decrypt a scalar we need to be able to compute a discrete logarithm. It's only possible for small scalars, hence we need to split a secret scalar to be encrypted into sufficiently small chunks.

For decryptability proof we need to prove that the owner of the private key corresponding to the encryption public key is able to decrypt an encrypted small chunk. This is done with a preimage proof (ElGamal encryption is additively homomorphic) and range proof (that the secret scalar chunk is sufficiently small). Proof of correct encryption is also a preimage proof (but for a combined scalar, not individual chunks).

Preimage proofs are easily doable with Schnorr sigma protocol generalized by Maurer. Range proofs are much more difficult. To do that we use Bulletproofs – a succinct proof system in DL setting. If we use a straightforward approach we wouldn't fulfill requirement 5. Fortunately, Bulletproofs range proof can be modified to support ElGamal commitments (instead of Pedersen commitments which is used initially), extended statement for chunking proofs, and efficient aggregation (due to use of multi-user ElGamal encryption).

PVPKE & PVSS

Let

\overset{―}{X} = \overset{―}{x} \cdot G

be receivers' public keys, then lifted ElGamal multi-user encryption is defined by the following two equations.

\overset{―}{C}, R = {Enc}_{\overset{―}{X}} (\overset{―}{s}, r) = \overset{―}{s} \cdot H + r \cdot \overset{―}{X}, r G

s_{j} = {Dec}_{x_{j}} (C_{j}, R) = {DL}_{H} (C_{j} - x_{j} R)

Enc

and

Dec

have all the nice additively homomorphic properties allowing to use them in Bulletproofs.

{DL}_{H} (s_{j} H)

only works for

s_{j} \in [0. {.2}^{b})

with small

b

. For any

s_{j} \in Z_{q}

s_{j} = \sum_{l = 0}^{m - 1} 2^{b l} s_{j, l}

we split it into

m

chunks

s_{j, l} \in [0. {.2}^{b})

{\overset{―}{C}}_{l}, R_{l} = {Enc}_{\overset{―}{X}} ({\overset{―}{s}}_{l}, r_{l}) = {\overset{―}{s}}_{l} \cdot H + r_{l} \cdot \overset{―}{X}, r_{l} G

s_{j, l} = {Dec}_{x_{j}} (C_{j, l}, R_{l}) = {DL}_{H} (C_{j, l} - x_{j} R_{l})

This effectively increases

m

times the cipher text size.

In order to turn it into PVPKE we need to add some nice proofs.

Decryptability is the proof that the receiver can decrypt

s H = C - x R

(ie. the owner of the private key

x

is the actual receiver):

Decryptability {(C, R; s, r) : C, R = {Enc}_{X} (s, r)}

It's possible to use

Preimage

proof with

{Enc}_{X} (s, r)

as one-way homomorphic map. Formally the proof means that the dealer knows

s, r

, but semantically it means the receiver's public key

X

was used to encrypt

s

. It's possible to aggregate the final proof to account for

n

receivers and

m

chunks.

Chunking is the proof that the receiver can bruteforce DLog

s = {DL}_{H} (s H)

Chunking {(C; s, r) : C = s H + r X \land s \in [0. {.2}^{b})}

We'll use a modified

RangeProof

proof with

C, R

as ElGamal commitment. Formally this proof does also prove knowledge of

s, r

. We need to make sure that it's safe to use public key

X

and

H

as CRS in ElGamal commitment.

We want to use our PVPKE scheme to construct a PVSS scheme. Let's recall Feldman's VSS:

The dealer generates random polynomial
$f (x) = \sum_{k = 0}^{t - 1} x^{k} f_{k}$ such that
$s = f_{0} = f (0)$ is the dealer's secret.
Next, the dealer publishes commitment
$F_{k} = f_{k} H$ to
$f (x)$ .
$F_{0}$ is the dealer's public key and
$F (x) = \sum_{k = 0}^{t - 1} x^{k} F_{k}$ is commitment polynomial.
Next, the dealer computes shares
$s_{j} = f (j)$ and securely delivers them to each receiver.
Receivers can use Feldman's verification equation
$s_{j} H \overset{?}{=} F (j)$ to verify their shares.
The shared secret can be recovered via interpolation polynomial
$\hat{f} (x) = \sum_{j \in J} l_{j}^{J} (x) s_{j}$ where
$l_{j}^{J} (x) = \prod_{i \in J, i \neq j} \frac{x - i}{j - i}$ is Lagrange polynomial. Then the recovered secret is
$\hat{s} = \hat{f} (0)$ .

In a PVSS scheme scalars to be encrypted are secret shares satisfying certain verification equation

s_{j} H = F (j)

. Thus we have to add a corresponding proof.

Sharing is the proof that encrypted share is correct, ie.

s_{j} H = F (j)

Sharing {(F_{k}, C_{j, l}, R_{l}, X_{j}; r_{l}) : \sum_{l} 2^{b l} C_{j, l} - F (j) = \sum_{l} 2^{b l} r_{l} X_{j} \land R_{l} = r_{l} G}

Again, we use

Preimage

proof of knowledge with

g_{X_{j}} (r_{l}) = (\sum_{l} 2^{b l} r_{l} X_{j}, r_{l} G)

as one-way homomorphic map. Formally it means the knowledge of

r

and equality of discrete logs. Semantically it means image of encrypted value is

F (j)

Bulletproofs improved

Here we will specify in more detail Bulletproofs-based interactive protocol to support PVSS proofs. It can then be made non-interactive with Fiat-Shamir transform.

First, let's combine all the desired statements into one (secret share chunk here is

v_{j, l}

to be more consistent with the Bulletproofs paper and avoid clash of names):

PVSS {(F_{k}, C_{j, l}, R_{l}, X_{j}; v_{j, l}, r_{l}) : C_{j, l}, R_{l} = {Enc}_{X_{j}} (v_{j, l}, r_{l}) \land v_{j, l} \in [0. {.2}^{b}) \land \sum_{l} 2^{b l} C_{j, l} - F (j) = \sum_{l} 2^{b l} r_{l} X_{j}},

where

k = 0. . t - 1, j = 1. . n, l = 1. . m

Here the following notation will be used:

${\vec{c}}^{n} = (c^{i})_{i = 0}^{n - 1} \in Z_{q}^{n}$ ;
$x \cdot \vec{a} = (x a_{i})_{i = 0}^{n - 1}$ ;
$⟨ \vec{a}, \vec{b} ⟩ = \sum_{i = 0}^{n - 1} a_{i} b_{i}$ ;
$\vec{a} \circ \vec{b} = (a_{i} b_{i})_{i = 0}^{n - 1}$ ;
$\vec{x} \times \vec{b} = ‖_{i = 0}^{n - 1} (x_{i} \cdot \vec{b})$ ;
$v_{j} = \sum_{l = 0}^{m - 1} 2^{b l} v_{j, l}$ ,
$v = ‖_{j} (v_{j, l})_{l}$ ;
$VCommit (a, b, c) = ⟨ a, \vec{G} ⟩ + ⟨ b, \vec{H} ⟩ + c K$ .

Step 1.

The prover chooses nonces

a_{L}

a_{R}

such that

v_{j, l} \in [0. {.2}^{b})

can be rewritten as a system of

n m + 2 b n m

scalar equations:

⟨ a_{L, j, l}, {\vec{2}}^{b} ⟩ = v_{j, l}, \forall j, \forall l \land a_{L} = a_{R} + {\vec{1}}^{b n m} \land a_{L} \circ a_{R} = {\vec{0}}^{b n m},

where

a_{L} = ‖_{j = 0}^{n - 1} (‖_{l = 0}^{m - 1} a_{L, j, l})

The prover chooses a random

α

and publishes commitment

A = VCommit (a_{L}, a_{R}, α)

Step 2.

The prover receives from the verifier challenge

y

and aggregates the previous system into the following one with

n m + 2

scalar equations:

⟨ a_{L, j, l}, {\vec{2}}^{b} ⟩ = v_{j, l}, \forall j, \forall l \land ⟨ a_{L} - a_{R} - {\vec{1}}^{b n m}, {\vec{y}}^{b n m} ⟩ = 0 \land ⟨ a_{L}, {\vec{y}}^{b n m} \circ a_{R} ⟩ = 0.

Step 3.

The prover receives from the verifier challenge

z

and further aggregates the system into

1

scalar equation:

z^{2} \sum_{j = 1}^{n} \sum_{l = 0}^{m - 1} z^{(j - 1) m + l} ⟨ a_{L, j, l}, {\vec{2}}^{b} ⟩ + + z ⟨ a_{L} - a_{R} - {\vec{1}}^{b n m}, {\vec{y}}^{b n m} ⟩ + + ⟨ a_{L}, {\vec{y}}^{b n m} \circ a_{R} ⟩ = = z^{2} \sum_{j = 1}^{n} \sum_{l = 0}^{m - 1} z^{(j - 1) m + l} v_{j, l} .

The same equation can be rewritten in inner-product form:

z^{2} ⟨ a_{L}, {\vec{z}}^{n m} \times {\vec{2}}^{b} ⟩ + z ⟨ a_{L}, {\vec{y}}^{b n m} ⟩ + ⟨ a_{L}, {\vec{y}}^{b n m} \circ a_{R} ⟩ - - z ⟨ {\vec{y}}^{b n m}, a_{R} ⟩ = z^{2} ⟨ z^{n m}, v ⟩ + z ⟨ {\vec{y}}^{b n m}, {\vec{1}}^{b n m} ⟩,

or in a folded form with only 1 inner product (the goal is to get inner product of

a_{L}

and

a_{R}

⟨ a_{L} - z \cdot {\vec{1}}^{b n m}, z^{2} \cdot z^{n m} \times {\vec{2}}^{b} + {\vec{y}}^{b n m} \circ (a_{R} + z \cdot {\vec{1}}^{b n m}) ⟩ = = z^{2} ⟨ z^{n m}, v ⟩ + (z - z^{2}) ⟨ {\vec{y}}^{b n m}, {\vec{1}}^{b n m} ⟩ - z^{3} ⟨ {\vec{1}}^{b n m}, {\vec{z}}^{n m} \times {\vec{2}}^{b} ⟩ = = z^{2} ⟨ z^{n m}, v ⟩ + δ (y, z) .

Step 4.

In order to use inner-product argument (IPA) and make proof zero-knowledge prover needs to blind

a_{L}

and

a_{R}

The prover chooses random nonces

s_{L}, s_{R}

, a random

ρ

, publishes commitment

S = VCommit (s_{L}, s_{R}, ρ)

Step 5.

The prover receives from the verifier challenge

x

and constructs blindings:

l = a_{L} - z \cdot {\vec{1}}^{b n m} + x \cdot s_{L}

r = z^{2} \cdot z^{n m} \times {\vec{2}}^{b} + {\vec{y}}^{b n m} \circ (a_{R} + z \cdot {\vec{1}}^{b n m} + x \cdot s_{R})

Note:

l

and

r

are polynomials in

x

over

Z_{q}^{b n m}

t = ⟨ l, r ⟩ = t_{0} + x t_{1} + x^{2} t_{2}

Equation

t_{0} = z^{2} ⟨ z^{n m}, v ⟩ + δ (y, z)

(

t (x)

evaluated at

x = 0

) is equivalent (with high probability) to the initial system and the statement that

v_{j, l}

is small.

Now, the prover can prove that

t = z^{2} ⟨ z^{n m}, v ⟩ + δ (y, z) + x t_{1} + x^{2} t_{2}

with IPA instead.

Step 6.

t_{1}

t_{2}

serve as blindings for

t_{0}

. The prover commits to

t_{1}, t_{2}

with ElGamal commitment (

{Commit}_{X} (s, r) = s G + r X, r G

) using random

τ_{1}, τ_{2}

T_{i}, Q_{i} = {Commit}_{\overset{―}{X}} (t_{i}, τ_{i}), for i = 1, 2,

so that the following holds:

t G + τ_{x} \overset{―}{X} = z^{2} ⟨ z^{n m}, C ⟩ + δ (y, z) G + x T_{1} + x^{2} T_{2} .

We can use the equation above and the equations from the PVSS statement to deduce the form of the piece of proof

τ_{x}

, the form of point

\overset{―}{X}

and necessary verification equations.

More concretely, we use the following equations:

C_{j, l} = v_{j, l} G + r_{l} X_{j}

R_{l} = r_{l} G

⟨ z^{n m}, C ⟩ = \sum_{j = 1}^{n} z^{(j - 1) m} \sum_{l = 0}^{m - 1} z^{l} (v_{j, l} G + r_{l} X_{j})

\sum_{j = 1}^{n} z^{(j - 1) m} \sum_{l = 0}^{m - 1} z^{l} r_{l} X_{j} = (\sum_{l = 0}^{m - 1} z^{l} r_{l}) (\sum_{j = 1}^{n} z^{(j - 1) m} X_{j})

Thus we get:

\overset{―}{X} = \sum_{j = 1}^{n} z^{(j - 1) m} X_{j}

τ_{x} = z^{2} \sum_{l = 0}^{m - 1} z^{l} r_{l} + x τ_{1} + x^{2} τ_{2}

The prover publishes commitments

T_{i}, Q_{i}

for

i = 1, 2

and

τ_{x}

as part of proof.

Step 7.

The verifier verifies:

t G + τ_{x} \overset{―}{X} \overset{?}{=} z^{2} ⟨ z^{n m}, C ⟩ + δ (y, z) G + x T_{1} + x^{2} T_{2}

τ_{x} G \overset{?}{=} z^{2} ⟨ z^{m}, R ⟩ + x Q_{1} + x^{2} Q_{2}

Step 8.

The prover chooses random

η

, published commitment

N = η G

Step 9.

The prover receives challenge

u

from the verifier and publishes commitment

M = η \sum_{j = 1}^{n} u^{j} X_{j}

Step 10.

The prover receives challenge

w

from the verifier. The prover publishes proof:

s = η + w \sum_{l} 2^{b l} r_{l}

Step 11.

The verifier verifies:

s (G + \sum_{j = 1}^{n} u^{j} X_{j}) \overset{?}{=} N + M + + w (\sum_{l} 2^{b l} R_{l} + \sum_{j = 1}^{n} u^{j} (\sum_{l} 2^{b l} C_{j, l} - F (j))

Step 12.

In order to be able to use IPA, the prover computes the following commitment:

P = IPACommit (l, r) = = (⟨ a_{L}, \vec{G} ⟩ + ⟨ {\vec{y}}^{b n m} \circ a_{R}, \vec{H^{'}} ⟩ + α K) + + x (⟨ s_{L}, \vec{G} ⟩ + ⟨ {\vec{y}}^{b n m} \circ s_{R}, \vec{H^{'}} ⟩ + ρ K) - - (α + x ρ) K - ⟨ z \cdot {\vec{1}}^{b n m}, \vec{G} ⟩ + ⟨ z^{2} \cdot z^{n m} \times {\vec{2}}^{b} + z \cdot {\vec{y}}^{b n m}, \vec{H^{'}} ⟩

Let's denote

\vec{H^{'}} = {\vec{y}}^{- b n m} \circ \vec{H}

, we can rewrite expression for

P

as follows:

P = A + x S - μ K - z \cdot \vec{G} + ⟨ γ (y, z), \vec{H^{'}} ⟩

The prover publishes

μ = α + x ρ

as part of proof (so that

P

can be reconstructed by the verifier). The prover constructs and publishes IPA.

Step 13.

The verifier reconstructs commitment

P

and verifies IPA.

Publicly verifiable multi-user public key encryption

Introduction

TSS case study

Overview

PVPKE & PVSS

Bulletproofs improved

Read more

Untitled

VRF

VRF & ASM

PVSS succinct proofs