Verifiable Decryption for Fully Homomorphic Encryption

Abstract

Verifiable decryption allows one to prove the correct decryption of encrypted data. When the encrypted data is derived from homomorphic evaluations in the context of fully homomorphic encryption (FHE), verifiable decryption will be very useful in cloud computing or cryptographic protocols, e.g., secure medical computation, cryptographically verifiable election, etc. In this paper, we consider the problem of proving the correct decryption of an FHE ciphertext. Namely, we are interested in zero-knowledge proofs of knowledge of triples (m, s, c) such that the message m is the correct decryption of a ciphertext c for a secret key s. While analogous statements admit efficient zero-knowledge proof protocols in the discrete logarithm setting, they have never been addressed in FHE so far. We provide such verifiable decryption for Brakerski-Gentry-Vaikuntanathan (BGV) scheme, since this scheme was recognized as one of the most efficient leveled FHE schemes. Our solution is nearly “one shot”, in the sense that a single instance of the proof already has negligible soundness error, yielding compact proofs even for individual ciphertexts. Furthermore, to illustrate the applicability of verifiable decryption, we also give two example instantiations.