Range proofs and split encryption should be connected cryptographically

[PopcornPaws]

Description

The current implementation (used only for benchmarking) doesn't check whether the encrypted "split" ciphers and the range proofs on the respective "split" scalar values are connected. In other words we have the following:

• the original data point $p\in\mathbb{F}$ represented as a scalar
• the "split" data points $p_i\in\mathbb{F}$ that are in a brute-forceable range (e.g. $2^{32}$)
  • $p = \sum p_i\cdot 2^{32\cdot i}$
• the "split" ciphertexts using exponential Elgamal encryption
  • $ct_i = (g^y, g^{p_i}h^y)$, where $g\in\mathbb{G}$ is a generator, $h = g^r$ with $r\overset{\textdollar}{\leftarrow}\mathbb{F}$
    -range proofs are generated on each $p_i$ to ensure they are within the brute-forceable range $2^{32}$

However, $p_i$ in the ciphertext $ct_i$ is currently not enforced in the verification process to be equal to the number we generated the range proof on. Thus, a malicious prover can split the original data point in such way that the "split" scalars are not in the brute-forceable range and generate range proofs on different scalars in the brute-forceable range.

Solution

We could somehow check the commitments of the range proofs against the ciphertexts, since they might both contain the element $g^{p_i}$.

• ciphertext: $g^{p_i}h^y$
• KZG commitment of polynomial $f(x)$: $g^f(tau) = g^{p_i}$ if we choose $f(x) = p_i$ as a constant polynomial, which is sufficient, according to this blogpost

Problem --- the implementation taken from here doesn't seem to use the constant polynomial for the secret number, so more thought should be given to how this can be implemented.