Paper 2017/122

One-Shot Verifiable Encryption from Lattices

Vadim Lyubashevsky and Gregory Neven


Verifiable encryption allows one to prove properties about encrypted data and is an important building block in the design of cryptographic protocols, e.g., group signatures, key escrow, fair exchange protocols, etc. Existing lattice-based verifiable encryption schemes, and even just proofs of knowledge of the encrypted data, require parallel composition of proofs to reduce the soundness error, resulting in proof sizes that are only truly practical when amortized over a large number of ciphertexts. In this paper, we present a new construction of a verifiable encryption scheme, based on the hardness of the Ring-LWE problem in the random-oracle model, for short solutions to linear equations over polynomial rings. Our scheme is "one-shot", in the sense that a single instance of the proof already has negligible soundness error, yielding compact proofs even for individual ciphertexts. Whereas verifiable encryption usually guarantees that decryption can recover a witness for the original language, we relax this requirement to decrypt a witness of a related but extended language. This relaxation is sufficient for many applications and we illustrate this with example usages of our scheme in key escrow and verifiably encrypted signatures. One of the interesting aspects of our construction is that the decryption algorithm is probabilistic and uses the proof as input (rather than using only the ciphertext). The decryption time for honestly-generated ciphertexts only depends on the security parameter, while the expected running time for decrypting an adversarially-generated ciphertext is directly related to the number of random-oracle queries of the adversary who created it. This property suffices in most practical scenarios, especially in situations where the ciphertext proof is part of an interactive protocol, where the decryptor is substantially more powerful than the adversary, or where adversaries can be otherwise discouraged to submit malformed ciphertexts.

Note: Corrected an omission in the decryption algorithm of the CPA scheme. Also corrected a more serious mistake in the decryption algorithm of the CCA scheme. There is no effect on the efficiency of the CPA scheme, whereas the CCA decryption algorithm is now 2X slower than before. Other typos corrected as well.

Available format(s)
Publication info
A minor revision of an IACR publication in EUROCRYPT 2017
Verifiable encryptionproofs of plaintext knowledgelattice cryptographyRing-LWE
Contact author(s)
vadim1980 @ gmail com
nev @ zurich ibm com
2018-03-21: revised
2017-02-16: received
See all versions
Short URL
Creative Commons Attribution


      author = {Vadim Lyubashevsky and Gregory Neven},
      title = {One-Shot Verifiable Encryption from Lattices},
      howpublished = {Cryptology ePrint Archive, Paper 2017/122},
      year = {2017},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.