Re-encrypting a message and proving that the message has not changed











up vote
9
down vote

favorite
1












Is there a method that allows for re-encryption of a message in a way that allows observers who only have access to the two cipher texts to prove that the plain text message is the same in each?



More specifically: if I have a message $m$, and I encrypt it with an asymmetric key scheme $E_1: c_1 = E_1(m)$ and then re-encrypt it with a new key pair $E_2: c_2 = E_2(m),$



is there a way for an observer (possibly using a ZKP or homomorphic encryption) who only has access to $c_1, c_2$ and the public keys of $E_1$ and $E_2$ to prove that $m$ is the same plain text used to generate $C_1$ and $C_2$?










share|improve this question




















  • 1




    Do you specifically need a new key-pair? I think this is doable using El Gamal with a ZKP, but I'm pretty sure you'd need to use the same key pair. Before attempting to come up with an answer, I'd just like to make sure I know what I'm dealing with. Also, what do you need to use this for. Is this homework, or....?
    – ymbirtt
    Nov 19 at 13:57






  • 1




    Is the encryptor cooperating? That is, is he required to cooperate in generating ciphertexts that can be proven to share the same plaintext (which would get around Viou's objection; a random third party wouldn't be able to)
    – poncho
    Nov 19 at 14:33










  • Are the key pairs required to be fully independent? If it were acceptable to have a set of key pairs that would allow anyone given both halves of one pair to find the private halves of all keys in the set when given the public key, I think RSA could work. If one uses one pair of primes to produce multiple key pairs with different public keys, then the result of encrypting a message using one public key and then another would be independent of the order in which the keys were used, but I'm not sure how useful that would be.
    – supercat
    Nov 19 at 17:50















up vote
9
down vote

favorite
1












Is there a method that allows for re-encryption of a message in a way that allows observers who only have access to the two cipher texts to prove that the plain text message is the same in each?



More specifically: if I have a message $m$, and I encrypt it with an asymmetric key scheme $E_1: c_1 = E_1(m)$ and then re-encrypt it with a new key pair $E_2: c_2 = E_2(m),$



is there a way for an observer (possibly using a ZKP or homomorphic encryption) who only has access to $c_1, c_2$ and the public keys of $E_1$ and $E_2$ to prove that $m$ is the same plain text used to generate $C_1$ and $C_2$?










share|improve this question




















  • 1




    Do you specifically need a new key-pair? I think this is doable using El Gamal with a ZKP, but I'm pretty sure you'd need to use the same key pair. Before attempting to come up with an answer, I'd just like to make sure I know what I'm dealing with. Also, what do you need to use this for. Is this homework, or....?
    – ymbirtt
    Nov 19 at 13:57






  • 1




    Is the encryptor cooperating? That is, is he required to cooperate in generating ciphertexts that can be proven to share the same plaintext (which would get around Viou's objection; a random third party wouldn't be able to)
    – poncho
    Nov 19 at 14:33










  • Are the key pairs required to be fully independent? If it were acceptable to have a set of key pairs that would allow anyone given both halves of one pair to find the private halves of all keys in the set when given the public key, I think RSA could work. If one uses one pair of primes to produce multiple key pairs with different public keys, then the result of encrypting a message using one public key and then another would be independent of the order in which the keys were used, but I'm not sure how useful that would be.
    – supercat
    Nov 19 at 17:50













up vote
9
down vote

favorite
1









up vote
9
down vote

favorite
1






1





Is there a method that allows for re-encryption of a message in a way that allows observers who only have access to the two cipher texts to prove that the plain text message is the same in each?



More specifically: if I have a message $m$, and I encrypt it with an asymmetric key scheme $E_1: c_1 = E_1(m)$ and then re-encrypt it with a new key pair $E_2: c_2 = E_2(m),$



is there a way for an observer (possibly using a ZKP or homomorphic encryption) who only has access to $c_1, c_2$ and the public keys of $E_1$ and $E_2$ to prove that $m$ is the same plain text used to generate $C_1$ and $C_2$?










share|improve this question















Is there a method that allows for re-encryption of a message in a way that allows observers who only have access to the two cipher texts to prove that the plain text message is the same in each?



More specifically: if I have a message $m$, and I encrypt it with an asymmetric key scheme $E_1: c_1 = E_1(m)$ and then re-encrypt it with a new key pair $E_2: c_2 = E_2(m),$



is there a way for an observer (possibly using a ZKP or homomorphic encryption) who only has access to $c_1, c_2$ and the public keys of $E_1$ and $E_2$ to prove that $m$ is the same plain text used to generate $C_1$ and $C_2$?







encryption homomorphic-encryption zero-knowledge-proofs






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 19 at 19:37









kelalaka

3,59211332




3,59211332










asked Nov 19 at 10:21









zakum1

485




485








  • 1




    Do you specifically need a new key-pair? I think this is doable using El Gamal with a ZKP, but I'm pretty sure you'd need to use the same key pair. Before attempting to come up with an answer, I'd just like to make sure I know what I'm dealing with. Also, what do you need to use this for. Is this homework, or....?
    – ymbirtt
    Nov 19 at 13:57






  • 1




    Is the encryptor cooperating? That is, is he required to cooperate in generating ciphertexts that can be proven to share the same plaintext (which would get around Viou's objection; a random third party wouldn't be able to)
    – poncho
    Nov 19 at 14:33










  • Are the key pairs required to be fully independent? If it were acceptable to have a set of key pairs that would allow anyone given both halves of one pair to find the private halves of all keys in the set when given the public key, I think RSA could work. If one uses one pair of primes to produce multiple key pairs with different public keys, then the result of encrypting a message using one public key and then another would be independent of the order in which the keys were used, but I'm not sure how useful that would be.
    – supercat
    Nov 19 at 17:50














  • 1




    Do you specifically need a new key-pair? I think this is doable using El Gamal with a ZKP, but I'm pretty sure you'd need to use the same key pair. Before attempting to come up with an answer, I'd just like to make sure I know what I'm dealing with. Also, what do you need to use this for. Is this homework, or....?
    – ymbirtt
    Nov 19 at 13:57






  • 1




    Is the encryptor cooperating? That is, is he required to cooperate in generating ciphertexts that can be proven to share the same plaintext (which would get around Viou's objection; a random third party wouldn't be able to)
    – poncho
    Nov 19 at 14:33










  • Are the key pairs required to be fully independent? If it were acceptable to have a set of key pairs that would allow anyone given both halves of one pair to find the private halves of all keys in the set when given the public key, I think RSA could work. If one uses one pair of primes to produce multiple key pairs with different public keys, then the result of encrypting a message using one public key and then another would be independent of the order in which the keys were used, but I'm not sure how useful that would be.
    – supercat
    Nov 19 at 17:50








1




1




Do you specifically need a new key-pair? I think this is doable using El Gamal with a ZKP, but I'm pretty sure you'd need to use the same key pair. Before attempting to come up with an answer, I'd just like to make sure I know what I'm dealing with. Also, what do you need to use this for. Is this homework, or....?
– ymbirtt
Nov 19 at 13:57




Do you specifically need a new key-pair? I think this is doable using El Gamal with a ZKP, but I'm pretty sure you'd need to use the same key pair. Before attempting to come up with an answer, I'd just like to make sure I know what I'm dealing with. Also, what do you need to use this for. Is this homework, or....?
– ymbirtt
Nov 19 at 13:57




1




1




Is the encryptor cooperating? That is, is he required to cooperate in generating ciphertexts that can be proven to share the same plaintext (which would get around Viou's objection; a random third party wouldn't be able to)
– poncho
Nov 19 at 14:33




Is the encryptor cooperating? That is, is he required to cooperate in generating ciphertexts that can be proven to share the same plaintext (which would get around Viou's objection; a random third party wouldn't be able to)
– poncho
Nov 19 at 14:33












Are the key pairs required to be fully independent? If it were acceptable to have a set of key pairs that would allow anyone given both halves of one pair to find the private halves of all keys in the set when given the public key, I think RSA could work. If one uses one pair of primes to produce multiple key pairs with different public keys, then the result of encrypting a message using one public key and then another would be independent of the order in which the keys were used, but I'm not sure how useful that would be.
– supercat
Nov 19 at 17:50




Are the key pairs required to be fully independent? If it were acceptable to have a set of key pairs that would allow anyone given both halves of one pair to find the private halves of all keys in the set when given the public key, I think RSA could work. If one uses one pair of primes to produce multiple key pairs with different public keys, then the result of encrypting a message using one public key and then another would be independent of the order in which the keys were used, but I'm not sure how useful that would be.
– supercat
Nov 19 at 17:50










3 Answers
3






active

oldest

votes

















up vote
5
down vote



accepted










If we assume that the reencryptor is cooperating, that is, he consciously generates the re-encrypted ciphertext to make this proof easy, then it is possible.



The solution I have involves a variation of El Gamal over a pairing friendly curve.



Background:



In El Gamal, to generate the encryption of message $M$ to the public key $aG$, you select a random $r$, and output the pair $rG, r(aG) + M$; the decryptor knows $a$, and so compute $a(rG) = r(aG)$, allowing him to recover $M$.



A pairing friendly curve is an elliptic curve that has an efficiently computable function $e(A, B)$ that has the following properties:





  • $e(aG, bG) = e(G, G)^{ab}$ (for any integers $a, b$, the exponentiation is over some group, typically the muplticative group of some finite field


  • $e(G,G) ne 1$ (which implies that $e(G, aG) = 1$ iff $a equiv 0 pmod q$, where $q$ is the prime curve order)


[END OF BACKGROUND]



Now, one modification I make to standard ElGamal is to have a randomized invertable mapping between the actual message $m$ and the point $X$ we actually encrypt; that is, there is a function $H(m, r)$, which takes a message $m$, and a random value $r$, and outputs a point $X$; there is an inverse function that takes $X$ and recovers the original $m$. This is needed to prevent an attacker from using the function $e$ to test if a particular ciphertext corresponded to a particular plaintext.



Ok, the encryption of the message $m$ to the public key $A = aG$ is:



$$(rG, rA + H(m, r'))$$



where $r, r'$ are random values. The decryptor (who knows $a$) can recover $m$ in the obvious way.



Now, if the encryptor decides to send two ciphertexts to two different public keys that can be tested by a third party to be identical, he uses the same $r, r'$ values.



Then, when this third party receives the two ciphertexts:



$(X, Y)$ to public key $A$



$(W, Z)$ to public key $B$



He first checks if $X = W$ (which should be the case if the encryptor is cooperating; the first element of the ciphertext doesn't depend on the public key.



If that passes, he then checks if:



$$e( G, Y-Z ) = e( X, A-B) $$



Here's how that works:




  • $X = rG$, where $r$ is the random value the encryptor selected for both ciphertexts


  • $Y = rA + H(x, r')$ and $Z = rB + H(x', r")$, where $x, x'$ are the two plaintexts.



So, we have



$e(X, A-B) = e(rG, A-B) = e(G,A-B)^r$



$e(G, Y-Z) = e(G, rA + H(x, r') - rB - H(x', r")) = \
e(G,A-B)^{r} cdot e(G,H(x, r') - H(x', r"))$



These two will be the same iff $H(x, r') = H(x', r")$, that is, if $x = x'$.






share|improve this answer























  • El-Gamal has many tricks and one more.
    – kelalaka
    Nov 19 at 19:44


















up vote
8
down vote













I think this is not compatible with semantic security (IND-CPA). If such a proof exists, an adversary that chooses $(m_0,m_1)$ and receives $c_b=E_1(m_b)$ may compute $E_2(m_0)$ and try to prove that $m_b=m_0$. If the proof is correct, then he guesses that $b=0$, else $b=1$. But may be there exist weaker security models that allow to test the equality of two plaintexts.
Your problem seems similar to plaintext checkable encryptions.






share|improve this answer






























    up vote
    1
    down vote













    One weak solution can be based on Bongenaar' Multi-key FHE where;




    In the multi-key FHE setting, we have $N$ participants with their own keypair $(sk_i, pk_i)$ and message $ m_i$, who want to perform computations on all data without revealing any private information to each other. After the computation decryption should only be possible when all the secret keys that were used to encrypt the messages
    are involved.




    Now we can use this scheme as follows;




    • Encrypt the message $m$ with two different key, $pk_1,pk_2$ to get $c_1$, $c_2$

    • The observer encrypts the message $m_0 = 0$ the zero message, $c_0$.

    • Evaluate $c_1 - c_2 + c_0$ homomorphically using the scheme of Bongenaar's,

    • decrypt the result.


    The results;




    • If the result is not zero, then they are not the same.

    • Since we use semantic scheme, no one but the private key owner can decrypt $c_1$ and $c_2$ to reveal the $m_1$ and $m_2$


    • The observer must not be allowed to evaluate any other function, otherwise $c_1+c_2-c_0$ will reveal the $2m$. To mitigate, one can first evaluate $c_1-c_2$.






    share|improve this answer























      Your Answer





      StackExchange.ifUsing("editor", function () {
      return StackExchange.using("mathjaxEditing", function () {
      StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
      StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
      });
      });
      }, "mathjax-editing");

      StackExchange.ready(function() {
      var channelOptions = {
      tags: "".split(" "),
      id: "281"
      };
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function() {
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled) {
      StackExchange.using("snippets", function() {
      createEditor();
      });
      }
      else {
      createEditor();
      }
      });

      function createEditor() {
      StackExchange.prepareEditor({
      heartbeatType: 'answer',
      convertImagesToLinks: false,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: null,
      bindNavPrevention: true,
      postfix: "",
      imageUploader: {
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      },
      noCode: true, onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      });


      }
      });














      draft saved

      draft discarded


















      StackExchange.ready(
      function () {
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f64162%2fre-encrypting-a-message-and-proving-that-the-message-has-not-changed%23new-answer', 'question_page');
      }
      );

      Post as a guest















      Required, but never shown

























      3 Answers
      3






      active

      oldest

      votes








      3 Answers
      3






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes








      up vote
      5
      down vote



      accepted










      If we assume that the reencryptor is cooperating, that is, he consciously generates the re-encrypted ciphertext to make this proof easy, then it is possible.



      The solution I have involves a variation of El Gamal over a pairing friendly curve.



      Background:



      In El Gamal, to generate the encryption of message $M$ to the public key $aG$, you select a random $r$, and output the pair $rG, r(aG) + M$; the decryptor knows $a$, and so compute $a(rG) = r(aG)$, allowing him to recover $M$.



      A pairing friendly curve is an elliptic curve that has an efficiently computable function $e(A, B)$ that has the following properties:





      • $e(aG, bG) = e(G, G)^{ab}$ (for any integers $a, b$, the exponentiation is over some group, typically the muplticative group of some finite field


      • $e(G,G) ne 1$ (which implies that $e(G, aG) = 1$ iff $a equiv 0 pmod q$, where $q$ is the prime curve order)


      [END OF BACKGROUND]



      Now, one modification I make to standard ElGamal is to have a randomized invertable mapping between the actual message $m$ and the point $X$ we actually encrypt; that is, there is a function $H(m, r)$, which takes a message $m$, and a random value $r$, and outputs a point $X$; there is an inverse function that takes $X$ and recovers the original $m$. This is needed to prevent an attacker from using the function $e$ to test if a particular ciphertext corresponded to a particular plaintext.



      Ok, the encryption of the message $m$ to the public key $A = aG$ is:



      $$(rG, rA + H(m, r'))$$



      where $r, r'$ are random values. The decryptor (who knows $a$) can recover $m$ in the obvious way.



      Now, if the encryptor decides to send two ciphertexts to two different public keys that can be tested by a third party to be identical, he uses the same $r, r'$ values.



      Then, when this third party receives the two ciphertexts:



      $(X, Y)$ to public key $A$



      $(W, Z)$ to public key $B$



      He first checks if $X = W$ (which should be the case if the encryptor is cooperating; the first element of the ciphertext doesn't depend on the public key.



      If that passes, he then checks if:



      $$e( G, Y-Z ) = e( X, A-B) $$



      Here's how that works:




      • $X = rG$, where $r$ is the random value the encryptor selected for both ciphertexts


      • $Y = rA + H(x, r')$ and $Z = rB + H(x', r")$, where $x, x'$ are the two plaintexts.



      So, we have



      $e(X, A-B) = e(rG, A-B) = e(G,A-B)^r$



      $e(G, Y-Z) = e(G, rA + H(x, r') - rB - H(x', r")) = \
      e(G,A-B)^{r} cdot e(G,H(x, r') - H(x', r"))$



      These two will be the same iff $H(x, r') = H(x', r")$, that is, if $x = x'$.






      share|improve this answer























      • El-Gamal has many tricks and one more.
        – kelalaka
        Nov 19 at 19:44















      up vote
      5
      down vote



      accepted










      If we assume that the reencryptor is cooperating, that is, he consciously generates the re-encrypted ciphertext to make this proof easy, then it is possible.



      The solution I have involves a variation of El Gamal over a pairing friendly curve.



      Background:



      In El Gamal, to generate the encryption of message $M$ to the public key $aG$, you select a random $r$, and output the pair $rG, r(aG) + M$; the decryptor knows $a$, and so compute $a(rG) = r(aG)$, allowing him to recover $M$.



      A pairing friendly curve is an elliptic curve that has an efficiently computable function $e(A, B)$ that has the following properties:





      • $e(aG, bG) = e(G, G)^{ab}$ (for any integers $a, b$, the exponentiation is over some group, typically the muplticative group of some finite field


      • $e(G,G) ne 1$ (which implies that $e(G, aG) = 1$ iff $a equiv 0 pmod q$, where $q$ is the prime curve order)


      [END OF BACKGROUND]



      Now, one modification I make to standard ElGamal is to have a randomized invertable mapping between the actual message $m$ and the point $X$ we actually encrypt; that is, there is a function $H(m, r)$, which takes a message $m$, and a random value $r$, and outputs a point $X$; there is an inverse function that takes $X$ and recovers the original $m$. This is needed to prevent an attacker from using the function $e$ to test if a particular ciphertext corresponded to a particular plaintext.



      Ok, the encryption of the message $m$ to the public key $A = aG$ is:



      $$(rG, rA + H(m, r'))$$



      where $r, r'$ are random values. The decryptor (who knows $a$) can recover $m$ in the obvious way.



      Now, if the encryptor decides to send two ciphertexts to two different public keys that can be tested by a third party to be identical, he uses the same $r, r'$ values.



      Then, when this third party receives the two ciphertexts:



      $(X, Y)$ to public key $A$



      $(W, Z)$ to public key $B$



      He first checks if $X = W$ (which should be the case if the encryptor is cooperating; the first element of the ciphertext doesn't depend on the public key.



      If that passes, he then checks if:



      $$e( G, Y-Z ) = e( X, A-B) $$



      Here's how that works:




      • $X = rG$, where $r$ is the random value the encryptor selected for both ciphertexts


      • $Y = rA + H(x, r')$ and $Z = rB + H(x', r")$, where $x, x'$ are the two plaintexts.



      So, we have



      $e(X, A-B) = e(rG, A-B) = e(G,A-B)^r$



      $e(G, Y-Z) = e(G, rA + H(x, r') - rB - H(x', r")) = \
      e(G,A-B)^{r} cdot e(G,H(x, r') - H(x', r"))$



      These two will be the same iff $H(x, r') = H(x', r")$, that is, if $x = x'$.






      share|improve this answer























      • El-Gamal has many tricks and one more.
        – kelalaka
        Nov 19 at 19:44













      up vote
      5
      down vote



      accepted







      up vote
      5
      down vote



      accepted






      If we assume that the reencryptor is cooperating, that is, he consciously generates the re-encrypted ciphertext to make this proof easy, then it is possible.



      The solution I have involves a variation of El Gamal over a pairing friendly curve.



      Background:



      In El Gamal, to generate the encryption of message $M$ to the public key $aG$, you select a random $r$, and output the pair $rG, r(aG) + M$; the decryptor knows $a$, and so compute $a(rG) = r(aG)$, allowing him to recover $M$.



      A pairing friendly curve is an elliptic curve that has an efficiently computable function $e(A, B)$ that has the following properties:





      • $e(aG, bG) = e(G, G)^{ab}$ (for any integers $a, b$, the exponentiation is over some group, typically the muplticative group of some finite field


      • $e(G,G) ne 1$ (which implies that $e(G, aG) = 1$ iff $a equiv 0 pmod q$, where $q$ is the prime curve order)


      [END OF BACKGROUND]



      Now, one modification I make to standard ElGamal is to have a randomized invertable mapping between the actual message $m$ and the point $X$ we actually encrypt; that is, there is a function $H(m, r)$, which takes a message $m$, and a random value $r$, and outputs a point $X$; there is an inverse function that takes $X$ and recovers the original $m$. This is needed to prevent an attacker from using the function $e$ to test if a particular ciphertext corresponded to a particular plaintext.



      Ok, the encryption of the message $m$ to the public key $A = aG$ is:



      $$(rG, rA + H(m, r'))$$



      where $r, r'$ are random values. The decryptor (who knows $a$) can recover $m$ in the obvious way.



      Now, if the encryptor decides to send two ciphertexts to two different public keys that can be tested by a third party to be identical, he uses the same $r, r'$ values.



      Then, when this third party receives the two ciphertexts:



      $(X, Y)$ to public key $A$



      $(W, Z)$ to public key $B$



      He first checks if $X = W$ (which should be the case if the encryptor is cooperating; the first element of the ciphertext doesn't depend on the public key.



      If that passes, he then checks if:



      $$e( G, Y-Z ) = e( X, A-B) $$



      Here's how that works:




      • $X = rG$, where $r$ is the random value the encryptor selected for both ciphertexts


      • $Y = rA + H(x, r')$ and $Z = rB + H(x', r")$, where $x, x'$ are the two plaintexts.



      So, we have



      $e(X, A-B) = e(rG, A-B) = e(G,A-B)^r$



      $e(G, Y-Z) = e(G, rA + H(x, r') - rB - H(x', r")) = \
      e(G,A-B)^{r} cdot e(G,H(x, r') - H(x', r"))$



      These two will be the same iff $H(x, r') = H(x', r")$, that is, if $x = x'$.






      share|improve this answer














      If we assume that the reencryptor is cooperating, that is, he consciously generates the re-encrypted ciphertext to make this proof easy, then it is possible.



      The solution I have involves a variation of El Gamal over a pairing friendly curve.



      Background:



      In El Gamal, to generate the encryption of message $M$ to the public key $aG$, you select a random $r$, and output the pair $rG, r(aG) + M$; the decryptor knows $a$, and so compute $a(rG) = r(aG)$, allowing him to recover $M$.



      A pairing friendly curve is an elliptic curve that has an efficiently computable function $e(A, B)$ that has the following properties:





      • $e(aG, bG) = e(G, G)^{ab}$ (for any integers $a, b$, the exponentiation is over some group, typically the muplticative group of some finite field


      • $e(G,G) ne 1$ (which implies that $e(G, aG) = 1$ iff $a equiv 0 pmod q$, where $q$ is the prime curve order)


      [END OF BACKGROUND]



      Now, one modification I make to standard ElGamal is to have a randomized invertable mapping between the actual message $m$ and the point $X$ we actually encrypt; that is, there is a function $H(m, r)$, which takes a message $m$, and a random value $r$, and outputs a point $X$; there is an inverse function that takes $X$ and recovers the original $m$. This is needed to prevent an attacker from using the function $e$ to test if a particular ciphertext corresponded to a particular plaintext.



      Ok, the encryption of the message $m$ to the public key $A = aG$ is:



      $$(rG, rA + H(m, r'))$$



      where $r, r'$ are random values. The decryptor (who knows $a$) can recover $m$ in the obvious way.



      Now, if the encryptor decides to send two ciphertexts to two different public keys that can be tested by a third party to be identical, he uses the same $r, r'$ values.



      Then, when this third party receives the two ciphertexts:



      $(X, Y)$ to public key $A$



      $(W, Z)$ to public key $B$



      He first checks if $X = W$ (which should be the case if the encryptor is cooperating; the first element of the ciphertext doesn't depend on the public key.



      If that passes, he then checks if:



      $$e( G, Y-Z ) = e( X, A-B) $$



      Here's how that works:




      • $X = rG$, where $r$ is the random value the encryptor selected for both ciphertexts


      • $Y = rA + H(x, r')$ and $Z = rB + H(x', r")$, where $x, x'$ are the two plaintexts.



      So, we have



      $e(X, A-B) = e(rG, A-B) = e(G,A-B)^r$



      $e(G, Y-Z) = e(G, rA + H(x, r') - rB - H(x', r")) = \
      e(G,A-B)^{r} cdot e(G,H(x, r') - H(x', r"))$



      These two will be the same iff $H(x, r') = H(x', r")$, that is, if $x = x'$.







      share|improve this answer














      share|improve this answer



      share|improve this answer








      edited Nov 19 at 19:16

























      answered Nov 19 at 18:18









      poncho

      88.6k2133227




      88.6k2133227












      • El-Gamal has many tricks and one more.
        – kelalaka
        Nov 19 at 19:44


















      • El-Gamal has many tricks and one more.
        – kelalaka
        Nov 19 at 19:44
















      El-Gamal has many tricks and one more.
      – kelalaka
      Nov 19 at 19:44




      El-Gamal has many tricks and one more.
      – kelalaka
      Nov 19 at 19:44










      up vote
      8
      down vote













      I think this is not compatible with semantic security (IND-CPA). If such a proof exists, an adversary that chooses $(m_0,m_1)$ and receives $c_b=E_1(m_b)$ may compute $E_2(m_0)$ and try to prove that $m_b=m_0$. If the proof is correct, then he guesses that $b=0$, else $b=1$. But may be there exist weaker security models that allow to test the equality of two plaintexts.
      Your problem seems similar to plaintext checkable encryptions.






      share|improve this answer



























        up vote
        8
        down vote













        I think this is not compatible with semantic security (IND-CPA). If such a proof exists, an adversary that chooses $(m_0,m_1)$ and receives $c_b=E_1(m_b)$ may compute $E_2(m_0)$ and try to prove that $m_b=m_0$. If the proof is correct, then he guesses that $b=0$, else $b=1$. But may be there exist weaker security models that allow to test the equality of two plaintexts.
        Your problem seems similar to plaintext checkable encryptions.






        share|improve this answer

























          up vote
          8
          down vote










          up vote
          8
          down vote









          I think this is not compatible with semantic security (IND-CPA). If such a proof exists, an adversary that chooses $(m_0,m_1)$ and receives $c_b=E_1(m_b)$ may compute $E_2(m_0)$ and try to prove that $m_b=m_0$. If the proof is correct, then he guesses that $b=0$, else $b=1$. But may be there exist weaker security models that allow to test the equality of two plaintexts.
          Your problem seems similar to plaintext checkable encryptions.






          share|improve this answer














          I think this is not compatible with semantic security (IND-CPA). If such a proof exists, an adversary that chooses $(m_0,m_1)$ and receives $c_b=E_1(m_b)$ may compute $E_2(m_0)$ and try to prove that $m_b=m_0$. If the proof is correct, then he guesses that $b=0$, else $b=1$. But may be there exist weaker security models that allow to test the equality of two plaintexts.
          Your problem seems similar to plaintext checkable encryptions.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited Nov 19 at 10:59

























          answered Nov 19 at 10:52









          Viou

          1364




          1364






















              up vote
              1
              down vote













              One weak solution can be based on Bongenaar' Multi-key FHE where;




              In the multi-key FHE setting, we have $N$ participants with their own keypair $(sk_i, pk_i)$ and message $ m_i$, who want to perform computations on all data without revealing any private information to each other. After the computation decryption should only be possible when all the secret keys that were used to encrypt the messages
              are involved.




              Now we can use this scheme as follows;




              • Encrypt the message $m$ with two different key, $pk_1,pk_2$ to get $c_1$, $c_2$

              • The observer encrypts the message $m_0 = 0$ the zero message, $c_0$.

              • Evaluate $c_1 - c_2 + c_0$ homomorphically using the scheme of Bongenaar's,

              • decrypt the result.


              The results;




              • If the result is not zero, then they are not the same.

              • Since we use semantic scheme, no one but the private key owner can decrypt $c_1$ and $c_2$ to reveal the $m_1$ and $m_2$


              • The observer must not be allowed to evaluate any other function, otherwise $c_1+c_2-c_0$ will reveal the $2m$. To mitigate, one can first evaluate $c_1-c_2$.






              share|improve this answer



























                up vote
                1
                down vote













                One weak solution can be based on Bongenaar' Multi-key FHE where;




                In the multi-key FHE setting, we have $N$ participants with their own keypair $(sk_i, pk_i)$ and message $ m_i$, who want to perform computations on all data without revealing any private information to each other. After the computation decryption should only be possible when all the secret keys that were used to encrypt the messages
                are involved.




                Now we can use this scheme as follows;




                • Encrypt the message $m$ with two different key, $pk_1,pk_2$ to get $c_1$, $c_2$

                • The observer encrypts the message $m_0 = 0$ the zero message, $c_0$.

                • Evaluate $c_1 - c_2 + c_0$ homomorphically using the scheme of Bongenaar's,

                • decrypt the result.


                The results;




                • If the result is not zero, then they are not the same.

                • Since we use semantic scheme, no one but the private key owner can decrypt $c_1$ and $c_2$ to reveal the $m_1$ and $m_2$


                • The observer must not be allowed to evaluate any other function, otherwise $c_1+c_2-c_0$ will reveal the $2m$. To mitigate, one can first evaluate $c_1-c_2$.






                share|improve this answer

























                  up vote
                  1
                  down vote










                  up vote
                  1
                  down vote









                  One weak solution can be based on Bongenaar' Multi-key FHE where;




                  In the multi-key FHE setting, we have $N$ participants with their own keypair $(sk_i, pk_i)$ and message $ m_i$, who want to perform computations on all data without revealing any private information to each other. After the computation decryption should only be possible when all the secret keys that were used to encrypt the messages
                  are involved.




                  Now we can use this scheme as follows;




                  • Encrypt the message $m$ with two different key, $pk_1,pk_2$ to get $c_1$, $c_2$

                  • The observer encrypts the message $m_0 = 0$ the zero message, $c_0$.

                  • Evaluate $c_1 - c_2 + c_0$ homomorphically using the scheme of Bongenaar's,

                  • decrypt the result.


                  The results;




                  • If the result is not zero, then they are not the same.

                  • Since we use semantic scheme, no one but the private key owner can decrypt $c_1$ and $c_2$ to reveal the $m_1$ and $m_2$


                  • The observer must not be allowed to evaluate any other function, otherwise $c_1+c_2-c_0$ will reveal the $2m$. To mitigate, one can first evaluate $c_1-c_2$.






                  share|improve this answer














                  One weak solution can be based on Bongenaar' Multi-key FHE where;




                  In the multi-key FHE setting, we have $N$ participants with their own keypair $(sk_i, pk_i)$ and message $ m_i$, who want to perform computations on all data without revealing any private information to each other. After the computation decryption should only be possible when all the secret keys that were used to encrypt the messages
                  are involved.




                  Now we can use this scheme as follows;




                  • Encrypt the message $m$ with two different key, $pk_1,pk_2$ to get $c_1$, $c_2$

                  • The observer encrypts the message $m_0 = 0$ the zero message, $c_0$.

                  • Evaluate $c_1 - c_2 + c_0$ homomorphically using the scheme of Bongenaar's,

                  • decrypt the result.


                  The results;




                  • If the result is not zero, then they are not the same.

                  • Since we use semantic scheme, no one but the private key owner can decrypt $c_1$ and $c_2$ to reveal the $m_1$ and $m_2$


                  • The observer must not be allowed to evaluate any other function, otherwise $c_1+c_2-c_0$ will reveal the $2m$. To mitigate, one can first evaluate $c_1-c_2$.







                  share|improve this answer














                  share|improve this answer



                  share|improve this answer








                  edited Nov 19 at 19:36

























                  answered Nov 19 at 10:56









                  kelalaka

                  3,59211332




                  3,59211332






























                      draft saved

                      draft discarded




















































                      Thanks for contributing an answer to Cryptography Stack Exchange!


                      • Please be sure to answer the question. Provide details and share your research!

                      But avoid



                      • Asking for help, clarification, or responding to other answers.

                      • Making statements based on opinion; back them up with references or personal experience.


                      Use MathJax to format equations. MathJax reference.


                      To learn more, see our tips on writing great answers.





                      Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


                      Please pay close attention to the following guidance:


                      • Please be sure to answer the question. Provide details and share your research!

                      But avoid



                      • Asking for help, clarification, or responding to other answers.

                      • Making statements based on opinion; back them up with references or personal experience.


                      To learn more, see our tips on writing great answers.




                      draft saved


                      draft discarded














                      StackExchange.ready(
                      function () {
                      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f64162%2fre-encrypting-a-message-and-proving-that-the-message-has-not-changed%23new-answer', 'question_page');
                      }
                      );

                      Post as a guest















                      Required, but never shown





















































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown

































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown







                      Popular posts from this blog

                      Costa Masnaga

                      Fotorealismo

                      Sidney Franklin