As an example of why this is useful, consider using Paillier homomorphic addition as part of a voting system where votes are kept anonymous.
Consider an example where we have three candidates. Each voter would encode their vote in the form: 000100000000 to vote for candidate-1, 000000010000 for candidate-2, and 000000000001 for candidate 3. Using Paillier, we could sum all the encrypted votes together and obtain a result, while keeping each individual vote secret. However, without a "proof of membership", a malicious voter might cast a malicious vote 011100000000. A "proof of membership" would allow us to verify a vote is within the set [000100000000, 000000010000, 000000000001] and thwart malicious votes.
I was wondering if it would be possible to add support for "proof of membership" in addition to the current existing range proof.
Details on implementing a proof of membership are here: https://paillier.daylightingsociety.org/Paillier_Zero_Knowledge_Proof.pdf
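The check requested above, as an added example that is not part of the original post or of the library's code: a standard 1-out-of-k OR-proof (made non-interactive with a Fiat-Shamir hash) that a Paillier ciphertext encrypts one of the three votes from the post, without revealing which. The toy key, the challenge size `T` and all function names are assumptions for illustration, and the construction has not been checked against the linked PDF.

```python
import hashlib, secrets
from math import gcd

# Constructed toy key (two Mersenne primes): far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
N2, G = N * N, N + 1
VALID = [0b000100000000, 0b000000010000, 0b000000000001]  # the set from the post
T = 16  # challenge bits; must be below the bit length of the smaller prime

def rand_unit():
    while True:
        r = secrets.randbelow(N - 1) + 1
        if gcd(r, N) == 1:
            return r

def encrypt(m, r):
    return pow(G, m, N2) * pow(r, N, N2) % N2

def residues(c):
    # u_k = c / g^m_k is an n-th residue exactly when c encrypts m_k.
    # Negative exponents with a modulus need Python 3.8+.
    return [c * pow(G, -mk, N2) % N2 for mk in VALID]

def challenge(c, commits):
    digest = hashlib.sha256(repr((N, VALID, c, commits)).encode()).digest()
    return int.from_bytes(digest, "big") % (1 << T)

def prove(m, r, c):
    i = VALID.index(m)  # ValueError: an out-of-set vote has no branch to open
    us, w = residues(c), rand_unit()
    es = [secrets.randbelow(1 << T) for _ in VALID]
    zs = [rand_unit() for _ in VALID]
    # Simulate every branch, then overwrite branch i with a real commitment.
    commits = [pow(z, N, N2) * pow(u, -e, N2) % N2 for z, u, e in zip(zs, us, es)]
    commits[i] = pow(w, N, N2)
    es[i] = (challenge(c, commits) - sum(es) + es[i]) % (1 << T)
    zs[i] = w * pow(r, es[i], N) % N
    return commits, es, zs

def verify(c, proof):
    commits, es, zs = proof
    if not len(commits) == len(es) == len(zs) == len(VALID):
        return False
    if not all(0 <= e < (1 << T) for e in es):
        return False
    if sum(es) % (1 << T) != challenge(c, commits):
        return False
    return all(pow(z, N, N2) == a * pow(u, e, N2) % N2
               for z, a, u, e in zip(zs, commits, residues(c), es))
```

A tallying server would call `verify` on each submitted ciphertext and proof before multiplying the ciphertext into the encrypted sum, so a ballot such as 011100000000 is rejected without any vote being decrypted.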