Struct elastic_elgamal::VerifiableDecryption
source · pub struct VerifiableDecryption<G: Group> { /* private fields */ }
Expand description
Verifiable decryption for a certain Ciphertext
in the ElGamal encryption scheme.
Usable both for standalone proofs and in threshold encryption.
§Construction
Decryption is represented by a single group element – the result of combining
a SecretKey
scalar x
with the random element of the ciphertext R
(i.e., D = [x]R
, the Diffie – Hellman construction).
This element can retrieved using Self::as_element()
and applied to a ciphertext using
Self::decrypt()
or Self::decrypt_to_element()
.
The decryption can be proven with the help of a standard LogEqualityProof
. Indeed,
to prove the validity of decryption, it is sufficient to prove dlog_R(D) = dlog_G(K)
,
where G
is the conventional group generator and K = [x]G
is the public key for encryption.
§Examples
VerifiableDecryption
can be used either within the threshold encryption scheme provided by
the sharing
module, or independently (for example, if another approach
to secret sharing is used, or if the encryption key is not shared at all).
An example of standalone usage is outlined below:
let mut rng = thread_rng();
let keys = Keypair::<Ristretto>::generate(&mut rng);
// Suppose the `keys` holder wants to prove decryption
// of the following ciphertext:
let ciphertext = keys.public().encrypt(42_u64, &mut rng);
let (decryption, proof) = VerifiableDecryption::new(
ciphertext,
&keys,
&mut Transcript::new(b"decryption"),
&mut rng,
);
// This proof can then be universally verified:
let candidate_decryption = CandidateDecryption::from(decryption);
let decryption = candidate_decryption.verify(
ciphertext,
keys.public(),
&proof,
&mut Transcript::new(b"decryption"),
)?;
assert_eq!(
decryption.decrypt(ciphertext, &DiscreteLogTable::new(0..50)),
Some(42)
);
Implementations§
source§impl<G: Group> VerifiableDecryption<G>
impl<G: Group> VerifiableDecryption<G>
sourcepub fn new<R: CryptoRng + RngCore>(
ciphertext: Ciphertext<G>,
keys: &Keypair<G>,
transcript: &mut Transcript,
rng: &mut R
) -> (Self, LogEqualityProof<G>)
pub fn new<R: CryptoRng + RngCore>( ciphertext: Ciphertext<G>, keys: &Keypair<G>, transcript: &mut Transcript, rng: &mut R ) -> (Self, LogEqualityProof<G>)
Creates a decryption for the specified ciphertext
under keys
together with
a zero-knowledge proof of validity.
See CandidateDecryption::verify()
for the verification counterpart.
sourcepub fn as_element(&self) -> &G::Element
pub fn as_element(&self) -> &G::Element
Returns the group element encapsulated in this decryption.
sourcepub fn decrypt_to_element(&self, encrypted: Ciphertext<G>) -> G::Element
pub fn decrypt_to_element(&self, encrypted: Ciphertext<G>) -> G::Element
Decrypts the provided ciphertext and returns the produced group element.
As the ciphertext does not include a MAC or another way to assert integrity, this operation cannot fail. If the ciphertext is not produced properly (e.g., it targets another receiver), the returned group element will be garbage.
sourcepub fn decrypt(
&self,
encrypted: Ciphertext<G>,
lookup_table: &DiscreteLogTable<G>
) -> Option<u64>
pub fn decrypt( &self, encrypted: Ciphertext<G>, lookup_table: &DiscreteLogTable<G> ) -> Option<u64>
Decrypts the provided ciphertext and returns the original encrypted value.
lookup_table
is used to find encrypted values based on the original decrypted
group element. That is, it must contain all valid plaintext values. If the value
is not in the table, this method will return None
.
Trait Implementations§
source§impl<G: Clone + Group> Clone for VerifiableDecryption<G>
impl<G: Clone + Group> Clone for VerifiableDecryption<G>
source§fn clone(&self) -> VerifiableDecryption<G>
fn clone(&self) -> VerifiableDecryption<G>
1.0.0 · source§fn clone_from(&mut self, source: &Self)
fn clone_from(&mut self, source: &Self)
source
. Read more