Abstract. Verifiable encryption allows one to prove properties about encrypted data and is an important building block in the design of cryptographic protocols, e.g., group signatures, key escrow, fair exchange protocols, etc. Existing lattice-based verifiable encryption schemes, and even just proofs of knowledge of the encrypted data, require parallel composition of proofs to reduce the soundness error, resulting in proof sizes that are only truly practical when amortized over a large number of ciphertexts. In this paper, we present a new construction of a verifiable encryption scheme, based on the hardness of the Ring-LWE problem in the random-oracle model, for short solutions to linear equations over polynomial rings. Our scheme is “one-shot”, in the sense that a single instance of the proof already has negligible soundness error, yielding compact proofs even for individual ciphertexts. Whereas verifiable encryption usually guarantees that decryption can recover a witness for the original language, we relax this requirement to decrypting a witness of a related but extended language. This relaxation is sufficient for many applications, and we illustrate this with example usages of our scheme in key escrow and verifiably encrypted signatures.

One of the interesting aspects of our construction is that the decryption algorithm is probabilistic and uses the proof as input (rather than using only the ciphertext). The decryption time for honestly-generated ciphertexts depends only on the security parameter, while the expected running time for decrypting an adversarially-generated ciphertext is directly related to the number of random-oracle queries made by the adversary who created it. This property suffices in most practical scenarios, especially in situations where the ciphertext proof is part of an interactive protocol, where the decryptor is substantially more powerful than the adversary, or where adversaries can be otherwise discouraged from submitting malformed ciphertexts.