Supporting Information for Privacy-preserving search for chemical compound databases

For self-containment, we briefly recall the lifted ElGamal encryption scheme with the non-interactive zero-knowledge proof (NIZK) system which proves that the plaintext is either 0 or 1, proposed in [1], and provide some intuition for it. Let G be a group of prime order p such that the Decisional DiffieHellman assumption holds (i.e., the resulting encryption scheme provides a standard security property called semantic security). The public key is (g, h, f) where g, f are random generators in G and h = g for z randomly picked from Zp = {0, 1, . . . , p−1}. The secret key is z. Let H be a hash function. Encrypting a plaintext b ∈ {0, 1} gives a ciphertext (C1 = g , C2 = h f ), for random u ∈ Zp. Decryption computes y = C2C −z 1 and outputs 1 if y = f or outputs 0 if y = 1. • Encrypting a plaintext 0 outputs the ciphertext (C1, C2) where C1 = g , C2 = h u where u is randomly picked from Zp. The proof that its plaintext is either 0 or 1 consists of (s0, t0, s1, t1) where s0 = r + t0u and t0 = H(C1, C2, g , h, g11 , h11f 1)− t1 where r, s1, t1 are randomly picked from Zp. • Encrypting a plaintext 1 outputs the ciphertext (C1, C2) where C1 = g , C2 = h f where u are randomly picked from Zp. The proof that its plaintext is either 0 or 1 consists of (s0, t0, s1, t1) where s1 = r + t1u and t1 = H(C1, C2, g s0−ut0 , h00f0 , g, h)− t0 where r, s0, t0 are randomly picked from Zp.