Abstract. Verifiable encryption allows one to prove properties about encrypted data and is an important building block in the design of cryptographic protocols, e.g., group signatures, key escrow, fair
exchange protocols, etc. Existing lattice-based verifiable encryption schemes, and even just proofs of
knowledge of the encrypted data, require parallel composition of proofs to reduce the soundness error,
resulting in proof sizes that are only truly practical when amortized over a large number of ciphertexts.
In this paper, we present a new construction of a verifiable encryption scheme, based on the hardness
of the Ring-LWE problem in the random-oracle model, for short solutions to linear equations over
polynomial rings. Our scheme is “one-shot”, in the sense that a single instance of the proof already has
negligible soundness error, yielding compact proofs even for individual ciphertexts. Whereas verifiable
encryption usually guarantees that decryption can recover a witness for the original language, we relax
this requirement to decrypt a witness of a related but extended language. This relaxation is sufficient
for many applications and we illustrate this with example usages of our scheme in key escrow and
verifiably encrypted signatures.
One of the interesting aspects of our construction is that the decryption algorithm is probabilistic and
uses the proof as input (rather than using only the ciphertext). The decryption time for honestlygenerated ciphertexts only depends on the security parameter, while the expected running time for
decrypting an adversarially-generated ciphertext is directly related to the number of random-oracle
queries of the adversary who created it. This property suffices in most practical scenarios, especially
in situations where the ciphertext proof is part of an interactive protocol, where the decryptor is
substantially more powerful than the adversary, or where adversaries can be otherwise discouraged to
submit malformed ciphertexts.
