Paper 2019/1270

SAVER: SNARK-friendly, Additively-homomorphic, and Verifiable Encryption and decryption with Rerandomization

Jiwon Lee, Jaekyoung Choi, Jihye Kim, and Hyunok Oh


In the pairing-based zero-knowledge succinct non-interactive arguments of knowledge (zk-SNARK), there often exists a requirement for the proof system to be combined with encryption. As a typical example, a blockchain-based voting system requires the vote to be confidential (using encryption), while verifying voting validity (using zk-SNARKs). In these combined applications, a typical solution is to extend the zk-SNARK circuit to include the encryption code. However, complex cryptographic operations in the encryption algorithm increase the circuit size, which leads to impractically large proving time and CRS size. In this paper, we propose SNARK-friendly, Additively-homomorphic, and Verifiable Encryption and decryption with Rerandomization or SAVER, which is a novel approach to detach the encryption from the SNARK circuit. The encryption in SAVER holds many useful properties. It is SNARK-friendly: the encryption is conjoined with an existing pairing-based SNARK, in a way that the encryptor can prove pre-defined properties while encrypting the message apart from the SNARK. It is additively-homomorphic: the ciphertext holds a homomorphic property from the ElGamal-based encryption. It is a verifiable encryption: one can verify arbitrary properties of encrypted messages by connecting with the SNARK system. It provides a verifiable decryption: anyone without the secret can still verify that the decrypted message is indeed from the given ciphertext. It provides rerandomization: the proof and the ciphertext can be rerandomized as independent objects so that even the encryptor (or prover) herself cannot identify the origin. For the representative application, we also propose a Vote-SAVER based on SAVER, which is a novel voting system where voter's secret key lies only with the voter himself. The Vote-SAVER satisfies receipt-freeness (which implies ballot privacy), individual verifiability (which implies non-repudiation), vote verifiability, tally uniqueness, and voter anonymity. The experimental results show that our SAVER with respect to the Vote-SAVER relation yields 0.7s for zk-SNARK proving time and 10ms for encryption, with the CRS size of 16MB.

Available format(s)
Cryptographic protocols
Publication info
Preprint. MINOR revision.
pairing-based zk-SNARKverifiable encryptionverifiable decryptionpublic-key encryptionadditively-homomorphic encryptionrerandomization
Contact author(s)
jiwonlee @ hanyang ac kr
cjk2889 @ kookmin ac kr
jihyek @ kookmin ac kr
hoh @ hanyang ac kr
2020-12-29: last of 9 revisions
2019-11-05: received
See all versions
Short URL
Creative Commons Attribution


      author = {Jiwon Lee and Jaekyoung Choi and Jihye Kim and Hyunok Oh},
      title = {{SAVER}: {SNARK}-friendly, Additively-homomorphic, and Verifiable Encryption and decryption with Rerandomization},
      howpublished = {Cryptology ePrint Archive, Paper 2019/1270},
      year = {2019},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.