Not using private key at all

framp / paillier-in-set-zkp

Generates a Zero Knowledge Proof that an encrypted value is in a set of known values

10 stars 6 forks source link

Not using private key at all #3

Closed jochenonline closed 4 years ago

jochenonline commented 4 years ago

@framp Is it correct that in your example the private key is never used? Without diving to deep into it I would have expected that the proof is done with the private key...

framp commented 4 years ago

Hi Jochen!

The private key is not needed in order to verify that the encrypted content is part of a set, by design; once you have the private key you can just decrypt the content and compare the plaintext value with your set.

This enables some interesting properties: Assuming one party is generating a paillier keypair and sharing its public key.

A second party can encrypt something with the public key
A third party can use the same public key to validate the content is valid but not know which value is set
The original party can decrypt the value

The private key can be used to decrypt the content encrypted with the public key, as I'm doing in the tests: https://github.com/framp/paillier-in-set-zkp/blob/master/index.js#L130

jochenonline commented 4 years ago

@framp Thank your very much for your explanation. Understood!

I wonder what the use case for this functionality is. If everybody knows both the public key and the set, it is no problem to select one set member encrypt it and create the proof. What can I "proof" by this?

It would be a different story if the set would be kept secret and only the proof would be made public, but that seems not to be the case...

Did I get something wrong?

framp commented 4 years ago

For example having a third party validate a message.

Imagine someone sending a payment with a secret amount and encrypting the amount. A third party could validate that the payment is a positive number in a certain set (let's say all numbers up to a thousand) without leaking any information of the amount.

(A bit contrived as an example, maybe more apt for homomorphic encryption :) )

jochenonline commented 4 years ago

@framp Understood again :-)

A better example might be an evoting application. Every voter should send an encrypted 0 or 1 to add them all up in the end. It would be very bad, if someone sent a 13 for example because that would compromise the whole election.

So...before accepting a ballot one would have to proof that only a 0 or 1 is in it without revealing which of both.

framp commented 4 years ago

One of the reasons I was looking into paillier in set was to do exactly that :D https://github.com/framp/chepaillier-voting