**One-Shot Verifiable Encryption from Lattices**

*Vadim Lyubashevsky and Gregory Neven*

**Abstract: **Verifiable encryption allows one to prove properties about encrypted data and is an important building block in the design of cryptographic protocols, e.g., group signatures, key escrow, fair exchange protocols, etc. Existing lattice-based verifiable encryption schemes, and even just proofs of knowledge of the encrypted data, require parallel composition of proofs to reduce the soundness error, resulting in proof sizes that are only truly practical when amortized over a large number of ciphertexts.

In this paper, we present a new construction of a verifiable encryption scheme, based on the hardness of the Ring-LWE problem in the random-oracle model, for short solutions to linear equations over polynomial rings. Our scheme is "one-shot", in the sense that a single instance of the proof already has negligible soundness error, yielding compact proofs even for individual ciphertexts. Whereas verifiable encryption usually guarantees that decryption can recover a witness for the original language, we relax this requirement to decrypt a witness of a related but extended language. This relaxation is sufficient for many applications and we illustrate this with example usages of our scheme in key escrow and verifiably encrypted signatures.

One of the interesting aspects of our construction is that the decryption algorithm is probabilistic and uses the proof as input (rather than using only the ciphertext). The decryption time for honestly-generated ciphertexts only depends on the security parameter, while the expected running time for decrypting an adversarially-generated ciphertext is directly related to the number of random-oracle queries of the adversary who created it. This property suffices in most practical scenarios, especially in situations where the ciphertext proof is part of an interactive protocol, where the decryptor is substantially more powerful than the adversary, or where adversaries can be otherwise discouraged to submit malformed ciphertexts.

**Category / Keywords: **Verifiable encryption, proofs of plaintext knowledge, lattice cryptography, Ring-LWE

**Original Publication**** (with minor differences): **IACR-EUROCRYPT-2017

**Date: **received 13 Feb 2017, last revised 21 Mar 2018

**Contact author: **vadim1980 at gmail com, nev at zurich ibm com

**Available format(s): **PDF | BibTeX Citation

**Note: **Corrected an omission in the decryption algorithm of the CPA scheme. Also corrected a more serious mistake in the decryption algorithm of the CCA scheme. There is no effect on the efficiency of the CPA scheme, whereas the CCA decryption algorithm is now 2X slower than before. Other typos corrected as well.

**Version: **20180321:124526 (All versions of this report)

**Short URL: **ia.cr/2017/122

[ Cryptology ePrint archive ]