Cryptology ePrint Archive: Report 2002/161

Practical Verifiable Encryption and Decryption of Discrete Logarithms

Jan Camenisch and Victor Shoup

Abstract: This paper presents a variant of the new public key encryption of Cramer and Shoup based on Paillier's decision composite residuosity assumption, along with an efficient protocol for verifiable encryption of discrete logarithms. This is the first verifiable encryption system that provides chosen ciphertext security and avoids inefficient cut-and-choose proofs. This has numerous applications, including fair exchange and key escrow. We also present efficient protocols for verifiable decryption, which has applications to, e.g., confirmer signatures. The latter protocols build on a new protocol for proving whether or not two discrete logarithms are equal that is of independent interest. Prior such protocols were either inefficient or not zero-knowledge.

Category / Keywords: cryptographic protocols /

Publication Info: extented abstract in Crypto 2003

Date: received 1 Nov 2002, last revised 25 Aug 2003

Contact author: jca at zurich ibm com

Available format(s): Postscript (PS) | Compressed Postscript (PS.GZ) | PDF | BibTeX Citation

Version: 20030825:120805 (All versions of this report)

Short URL: ia.cr/2002/161

Discussion forum: Show discussion | Start new discussion