FW: Zero-Knowledge proofs for valid decryption !!

Emmanouil Magkos emagos at unipi.gr
Wed Jul 11 05:27:03 EDT 2001


The background of my question was an auction application where encrypted
bids are published on a bulletin board. All bids are authenticated, i.e.
signed by the bidders. Since there is no anonymity, (there are reasons for
this), the link between the encrypted bids and the decrypted results, which
will be published for verifiability, must be hidden. Note that in electronic
voting, which is a similar application to auctions, the homomorphism of the
encryption scheme may allow an observer to "gather" the encrypted results,
and then only verify the "sum" of encrypted votes. However, in an auction
application, this is not the case. So there is a need for the Auctioneers
(they are distributed, for bid-secrecy) to publish a shuffle of the
decrypted bids, and then prove correctness of the decryption in
zero-knowledge.

Although I have read a few papers about mix-nets (in the e-voting context),
I had not realized that the mix idea answered my question (although I should
have :). Thanx to all the folks who answered my question !!
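
The decryption step described in the message above, as an added example that is not part of the original post: ElGamal-encrypted bids are re-encrypted and shuffled, then each mixed ciphertext is opened with a Chaum-Pedersen proof (made non-interactive with Fiat-Shamir) that the published plaintext is its correct decryption. Assumptions: a single key holder instead of distributed auctioneers, a toy group, bids encoded as g^bid, all function names hypothetical, and the separate proof that the shuffle itself is correct is not shown.

```python
import hashlib, secrets

# Toy group, constructed for illustration only (far too small for real use):
# P = 2Q + 1 with Q prime; G = 4 generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)                      # (secret x, public h = g^x)

def encrypt(h, bid):
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), pow(G, bid, P) * pow(h, r, P) % P

def reencrypt_shuffle(h, cts):
    """Mix step: re-randomize every ciphertext, then permute the list."""
    out = []
    for a, b in cts:
        s = secrets.randbelow(Q - 1) + 1
        out.append((a * pow(G, s, P) % P, b * pow(h, s, P) % P))
    secrets.SystemRandom().shuffle(out)
    return out

def challenge(*vals):
    # Fiat-Shamir: the challenge is a hash of the statement and commitments.
    data = ",".join(map(str, vals)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def decrypt_with_proof(x, h, ct):
    """Return (g^bid, proof) showing log_g(h) == log_a(d) for d = a^x."""
    a, b = ct
    d = pow(a, x, P)                            # decryption factor
    m = b * pow(d, -1, P) % P
    w = secrets.randbelow(Q)
    t1, t2 = pow(G, w, P), pow(a, w, P)         # commitments
    c = challenge(h, a, b, d, t1, t2)
    return m, (d, t1, t2, (w + c * x) % Q)

def verify_decryption(h, ct, m, proof):
    a, b = ct
    d, t1, t2, z = proof
    c = challenge(h, a, b, d, t1, t2)
    return (pow(G, z, P) == t1 * pow(h, c, P) % P      # same x as in h
            and pow(a, z, P) == t2 * pow(d, c, P) % P  # ... used for d
            and m * d % P == b)                        # m really is b / d

def bid_of(m, max_bid=500):
    # Recover the bid from g^bid by search; works because bids are small.
    return next(v for v in range(max_bid + 1) if pow(G, v, P) == m)
```

An observer checks each proof against the mixed ciphertexts only, so the signed ciphertexts on the bulletin board are never tied to an individual decrypted bid.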


---------------------------------------------------------------------
The Cryptography Mailing List