Crate elastic_elgamal

ElGamal encryption and related cryptographic protocols with pluggable crypto backend.

⚠ Warnings

While the logic in this crate relies on standard cryptographic assumptions (complexity of discrete log and computational / decisional Diffie–Hellman problems in certain groups), it has not been independently verified for correctness or absence of side-channel attack vectors. Use at your own risk.

ElGamal encryption is not a good choice for general-purpose public-key encryption since it is vulnerable to chosen-ciphertext attacks. For security, decryption operations should be limited on the application level.

Overview

• Ciphertext provides ElGamal encryption. This and other protocols use PublicKey, SecretKey and Keypair to represent participants’ keys.
• Besides basic encryption, PublicKey also provides zero-knowledge proofs of zero encryption and of Boolean value encryption. These are useful in higher-level protocols, e.g., re-encryption.
• Zero-knowledge range proofs for ElGamal ciphertexts are provided via RangeProofs and a high-level PublicKey method.
• Proof of equivalence between an ElGamal ciphertext and a Pedersen commitment is available as CommitmentEquivalenceProof.
• sharing module exposes a threshold encryption scheme based on Feldman’s verifiable secret sharing, including verifiable distributed decryption.
• dkg module implements distributed key generation using Pedersen’s scheme with hash commitments.
• app module provides higher-level protocols utilizing zero-knowledge proofs and ElGamal encryption, such as provable encryption of m-of-n choice and a simple version of quadratic voting.

Backends

group module exposes a generic framework for plugging a Group implementation into crypto primitives. It also provides several implementations:

• Ristretto and Curve25519Subgroup implementations based on Curve25519.
• Generic implementation allowing to plug in any elliptic curve group conforming to the traits specified by the elliptic-curve crate. For example, the secp256k1 curve can be used via the k256 crate.

Crate features

std

(on by default)

Enables support of types from std, such as the Error trait and the HashMap collection.

hashbrown

(off by default)

Imports hash maps and sets from the eponymous crate instead of using ones from the Rust std library. This feature is necessary if the std feature is disabled.

curve25519-dalek

(on by default)

Implements Group for two prime groups based on Curve25519 using the curve25519-dalek crate: its prime subgroup, and the Ristretto transform of Curve25519 (aka ristretto255).

curve25519-dalek-ng

(off by default)

Same in terms of functionality as curve25519-dalek, but uses the curve25519-dalek-ng crate instead of curve25519-dalek. This may be beneficial for applications that use bulletproofs or other libraries depending on curve25519-dalek-ng.

The curve25519-dalek-ng crate does not compile unless some crypto backend is selected. You may select the backend by specifying curve25519-dalek-ng as a direct dependency as follows:

[dependencies.elastic-elgamal]
version = "..."
default-features = false
features = ["std", "curve25519-dalek-ng"]

[dependencies.curve25519-dalek-ng]
version = "4"
features = ["u64_backend"] # or other backend

This feature is mutually exclusive with curve25519-dalek.

serde

(off by default)

Enables Serialize / Deserialize implementations for most types in the crate. Group scalars, elements and wrapper key types are serialized to human-readable formats (JSON, YAML, TOML, etc.) as strings that represent corresponding byte buffers using base64-url encoding without padding. For binary formats, byte buffers are serialized directly.

For complex types (e.g., participant states from the sharing module), self-consistency checks are not performed on deserialization. That is, deserialization of such types should only be performed from a trusted source or in the presence of additional integrity checks.

Crate naming

“Elastic” refers to pluggable backends, configurable params for threshold encryption, and the construction of zero-knowledge RingProofs (a proof consists of a variable number of rings, each of which consists of a variable number of admissible values). elastic_elgamal is also one of autogenerated Docker container names.

Re-exports

• pub use crate::proofs::RingProofBuilder;

Modules

• app
  High-level applications for proofs defined in this crate.
• dkg
  Committed Pedersen’s distributed key generation (DKG).
• group
  Traits and implementations for prime-order groups in which the decisional Diffie–Hellman (DDH), computational Diffie–Hellman (CDH) and discrete log (DL) problems are believed to be hard.
• sharing
  Feldman’s verifiable secret sharing (VSS) for ElGamal encryption.

Structs

• CandidateDecryption
  Candidate for a VerifiableDecryption that is not yet verified. This presentation should be used for decryption data retrieved from an untrusted source.
• Ciphertext
  Ciphertext for ElGamal encryption.
• CiphertextWithValue
  ElGamal Ciphertext together with fully retained information about the encrypted value and randomness used to create the ciphertext.
• CommitmentEquivalenceProof
  Zero-knowledge proof that an ElGamal ciphertext encrypts the same value as a Pedersen commitment.
• DiscreteLogTable
  Lookup table for discrete logarithms.
• Keypair
  Keypair for ElGamal encryption and related protocols, consisting of a SecretKey and the matching PublicKey.
• LogEqualityProof
  Zero-knowledge proof of equality of two discrete logarithms in different bases, aka Chaum–Pedersen protocol.
• PreparedRange
  RangeDecomposition together with values precached for creating and/or verifying RangeProofs in a certain Group.
• ProofOfPossession
  Zero-knowledge proof of possession of one or more secret scalars.
• PublicKey
  Public key for ElGamal encryption and related protocols.
• RangeDecomposition
  Decomposition of an integer range 0..n into one or more sub-ranges. Decomposing the range allows constructing RangeProofs with size / computational complexity O(log n).
• RangeProof
  Zero-knowledge proof that an ElGamal ciphertext encrypts a value into a certain range 0..n.
• RingProof
  Zero-knowledge proof that the one or more encrypted values is each in the a priori known set of admissible values. (Admissible values may differ among encrypted values.)
• SecretKey
  Secret key for ElGamal encryption and related protocols. This is a thin wrapper around the Group scalar.
• SumOfSquaresProof
  Zero-knowledge proof that an ElGamal-encrypted value is equal to a sum of squares of one or more other ElGamal-encrypted values.
• VerifiableDecryption
  Verifiable decryption for a certain Ciphertext in the ElGamal encryption scheme. Usable both for standalone proofs and in threshold encryption.

Enums

• PublicKeyConversionError
  Errors that can occur when converting other types to PublicKey.
• VerificationError
  Error verifying base proofs, such as RingProof, LogEqualityProof or ProofOfPossession.