
I'm trying to understand a specific part of the paper "Lattice-Based Proof of Shuffle and Applications to Electronic Voting" by Aranha et al. In the section discussing verifiable shuffles, the authors write:

> Verifiable shuffles. One application is to build a verifiable shuffle of ciphertexts of a homomorphic encryption scheme. The idea is to provide a method for proving that one collection of ciphertexts is a re-randomization of a second collection of ciphertexts, without revealing the correspondence of the ciphertexts. The ciphertexts of such schemes can be re-randomized by adding an encryption of 0. The idea is then to commit to each homomorphic encryption separately and use a proof of linearity to show that the committed value is the ciphertext, plus an encryption of 0. Depending on the commitment and homomorphic encryption scheme, this proof can be very efficient - in particular if proofs of correct encryption are “cheap” using the commitment scheme. Then, one can perform a proof of shuffle of known openings on these auxiliary commitments, which succeeds if a permutation of the re-randomized ciphertexts is revealed.

Here's where I'm confused:

If we re-randomize a ciphertext by adding an encryption of 0 (e.g., c' = c + Enc(0)), the randomness in Enc(0) means the linear relation won’t hold straightforwardly, unless we also commit to the specific encryption of 0 used. If the proof only operates on the commitments, then a dishonest prover could use any encryption (not necessarily of 0) and still pass the proof, unless we can somehow prove that the added ciphertext is truly an encryption of 0.

So my question is:

How can the verifier be convinced that the value added is truly an encryption of 0, especially if the proof works only over commitments and not directly over the ciphertexts? Is there a standard way to ensure correctness here without requiring the decryption of the ciphertexts?

Any insights or clarifications on how the authors intended this mechanism to be sound would be greatly appreciated.

Link to the paper: <https://eprint.iacr.org/2021/338.pdf>
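An added example, not part of the post or the paper: the re-randomization c' = c + Enc(0) from the question, with a proof that the added ciphertext encrypts 0 without any decryption. It swaps in exponential ElGamal and a Fiat-Shamir Chaum-Pedersen proof over a toy group instead of the paper's lattice encryption and commitments; all names and parameters are assumptions.

```python
import hashlib, secrets

# Toy group (constructed for the example, far too small for real use):
# p = 2q + 1 with p, q prime; g = 4 generates the subgroup of order q.
P, Q, G = 2039, 1019, 4

def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def enc(h, m, r):
    """Exponential ElGamal: Enc(m; r) = (g^r, g^m * h^r)."""
    return pow(G, r, P), pow(G, m, P) * pow(h, r, P) % P

def add(c, d):
    """Homomorphic addition of plaintexts = component-wise product."""
    return c[0] * d[0] % P, c[1] * d[1] % P

def diff(c_new, c_old):
    """c_new - c_old in the homomorphic sense (component-wise quotient)."""
    return (c_new[0] * pow(c_old[0], -1, P) % P,
            c_new[1] * pow(c_old[1], -1, P) % P)

def challenge(*vals):
    data = ",".join(map(str, vals)).encode()
    # Mapped into [1, q-1] so the toy-sized challenge is never 0.
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1)

def prove_zero(h, c_old, c_new, r):
    """Prove knowledge of r with c_new - c_old = Enc(0; r) = (g^r, h^r)."""
    w = secrets.randbelow(Q)
    a1, a2 = pow(G, w, P), pow(h, w, P)
    e = challenge(h, c_old, c_new, a1, a2)
    return a1, a2, (w + e * r) % Q

def verify_zero(h, c_old, c_new, proof):
    a1, a2, z = proof
    d1, d2 = diff(c_new, c_old)
    e = challenge(h, c_old, c_new, a1, a2)
    return (pow(G, z, P) == a1 * pow(d1, e, P) % P and
            pow(h, z, P) == a2 * pow(d2, e, P) % P)

def demo():
    sk, h = keygen()
    c = enc(h, 5, secrets.randbelow(Q))
    r = secrets.randbelow(Q)
    honest = add(c, enc(h, 0, r))     # re-randomization
    cheat = add(c, enc(h, 1, r))      # adds Enc(1): plaintext changes
    return (verify_zero(h, c, honest, prove_zero(h, c, honest, r)),
            verify_zero(h, c, cheat, prove_zero(h, c, cheat, r)))
```

The verifier only ever sees the two ciphertexts and the proof; the witness is the randomness r of the added ciphertext, not the plaintext or the secret key.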
