chie-crypto 0.2.0

Cryptographic primitives for CHIE Protocol
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472

//! ElGamal encryption for additively homomorphic public key encryption.
//!
//! ElGamal encryption provides:
//! - Additively homomorphic encryption: E(m₁) + E(m₂) = E(m₁ + m₂)
//! - Re-randomization support for ciphertext unlinkability
//! - Public key encryption with semantic security
//! - Useful for privacy-preserving aggregations in CHIE protocol
//!
//! # Example
//! ```
//! use chie_crypto::elgamal::{ElGamalKeypair, ElGamalCiphertext};
//!
//! // Generate a keypair
//! let keypair = ElGamalKeypair::generate();
//!
//! // Encrypt messages
//! let msg1 = 100u64;
//! let msg2 = 200u64;
//! let ct1 = keypair.encrypt(msg1);
//! let ct2 = keypair.encrypt(msg2);
//!
//! // Homomorphic addition
//! let ct_sum = ct1.add(&ct2);
//!
//! // Decrypt the sum
//! let sum = keypair.decrypt(&ct_sum).unwrap();
//! assert_eq!(sum, msg1 + msg2);
//! ```

use curve25519_dalek::{
    constants::RISTRETTO_BASEPOINT_TABLE,
    ristretto::{CompressedRistretto, RistrettoPoint},
    scalar::Scalar,
};
use rand::RngExt;
use serde::{Deserialize, Serialize};
use thiserror::Error;
use zeroize::Zeroize;

/// ElGamal encryption error types
#[derive(Error, Debug)]
pub enum ElGamalError {
    #[error("Invalid ciphertext")]
    InvalidCiphertext,
    #[error("Invalid public key")]
    InvalidPublicKey,
    #[error("Decryption failed")]
    DecryptionFailed,
    #[error("Value out of range (max 2^32)")]
    ValueOutOfRange,
    #[error("Serialization error: {0}")]
    SerializationError(String),
}

pub type ElGamalResult<T> = Result<T, ElGamalError>;

/// ElGamal secret key (scalar in the Ristretto group)
#[derive(Clone, Zeroize)]
#[zeroize(drop)]
pub struct ElGamalSecretKey {
    scalar: Scalar,
}

impl ElGamalSecretKey {
    /// Generate a random ElGamal secret key
    pub fn generate() -> Self {
        let mut rng = rand::rng();
        let mut bytes = [0u8; 32];
        rng.fill(&mut bytes);
        let scalar = Scalar::from_bytes_mod_order(bytes);
        Self { scalar }
    }

    /// Create an ElGamal secret key from bytes
    pub fn from_bytes(bytes: &[u8; 32]) -> ElGamalResult<Self> {
        let scalar = Scalar::from_bytes_mod_order(*bytes);
        Ok(Self { scalar })
    }

    /// Export secret key to bytes
    pub fn to_bytes(&self) -> [u8; 32] {
        self.scalar.to_bytes()
    }

    /// Derive public key from secret key
    pub fn public_key(&self) -> ElGamalPublicKey {
        let point = RISTRETTO_BASEPOINT_TABLE * &self.scalar;
        ElGamalPublicKey { point }
    }
}

/// ElGamal public key (point in the Ristretto group)
#[derive(Clone, Copy, Debug, Serialize, Deserialize, PartialEq, Eq)]
pub struct ElGamalPublicKey {
    point: RistrettoPoint,
}

impl ElGamalPublicKey {
    /// Create an ElGamal public key from compressed bytes
    pub fn from_bytes(bytes: &[u8; 32]) -> ElGamalResult<Self> {
        let compressed =
            CompressedRistretto::from_slice(bytes).map_err(|_| ElGamalError::InvalidPublicKey)?;
        let point = compressed
            .decompress()
            .ok_or(ElGamalError::InvalidPublicKey)?;
        Ok(Self { point })
    }

    /// Export public key to compressed bytes
    pub fn to_bytes(&self) -> [u8; 32] {
        self.point.compress().to_bytes()
    }
}

/// ElGamal ciphertext (c₁, c₂) where:
/// - c₁ = r*G (ephemeral public key)
/// - c₂ = m*G + r*H (encrypted message)
///
/// where H is the recipient's public key
#[derive(Clone, Copy, Debug, Serialize, Deserialize, PartialEq, Eq)]
pub struct ElGamalCiphertext {
    c1: RistrettoPoint,
    c2: RistrettoPoint,
}

impl ElGamalCiphertext {
    /// Create an ElGamal ciphertext from compressed bytes (64 bytes: 32 for c1 + 32 for c2)
    pub fn from_bytes(bytes: &[u8; 64]) -> ElGamalResult<Self> {
        let mut c1_bytes = [0u8; 32];
        let mut c2_bytes = [0u8; 32];
        c1_bytes.copy_from_slice(&bytes[..32]);
        c2_bytes.copy_from_slice(&bytes[32..]);

        let compressed_c1 = CompressedRistretto::from_slice(&c1_bytes)
            .map_err(|_| ElGamalError::InvalidCiphertext)?;
        let compressed_c2 = CompressedRistretto::from_slice(&c2_bytes)
            .map_err(|_| ElGamalError::InvalidCiphertext)?;

        let c1 = compressed_c1
            .decompress()
            .ok_or(ElGamalError::InvalidCiphertext)?;
        let c2 = compressed_c2
            .decompress()
            .ok_or(ElGamalError::InvalidCiphertext)?;

        Ok(Self { c1, c2 })
    }

    /// Export ciphertext to bytes
    pub fn to_bytes(&self) -> [u8; 64] {
        let mut bytes = [0u8; 64];
        bytes[..32].copy_from_slice(&self.c1.compress().to_bytes());
        bytes[32..].copy_from_slice(&self.c2.compress().to_bytes());
        bytes
    }

    /// Homomorphic addition: E(m₁) + E(m₂) = E(m₁ + m₂)
    pub fn add(&self, other: &ElGamalCiphertext) -> ElGamalCiphertext {
        ElGamalCiphertext {
            c1: self.c1 + other.c1,
            c2: self.c2 + other.c2,
        }
    }

    /// Scalar multiplication: k * E(m) = E(k * m)
    pub fn mul_scalar(&self, scalar: u64) -> ElGamalCiphertext {
        let s = Scalar::from(scalar);
        ElGamalCiphertext {
            c1: self.c1 * s,
            c2: self.c2 * s,
        }
    }

    /// Re-randomize the ciphertext for unlinkability
    /// Returns a new ciphertext encrypting the same message but unlinkable to the original
    pub fn rerandomize(&self, public_key: &ElGamalPublicKey) -> ElGamalCiphertext {
        let mut rng = rand::rng();
        let mut r_bytes = [0u8; 32];
        rng.fill(&mut r_bytes);
        let r = Scalar::from_bytes_mod_order(r_bytes);

        // Add encryption of zero: (r*G, r*H)
        let delta_c1 = RISTRETTO_BASEPOINT_TABLE * &r;
        let delta_c2 = public_key.point * r;

        ElGamalCiphertext {
            c1: self.c1 + delta_c1,
            c2: self.c2 + delta_c2,
        }
    }
}

/// ElGamal keypair (secret key + public key)
pub struct ElGamalKeypair {
    secret_key: ElGamalSecretKey,
    public_key: ElGamalPublicKey,
}

impl ElGamalKeypair {
    /// Generate a random ElGamal keypair
    pub fn generate() -> Self {
        let secret_key = ElGamalSecretKey::generate();
        let public_key = secret_key.public_key();
        Self {
            secret_key,
            public_key,
        }
    }

    /// Create a keypair from a secret key
    pub fn from_secret_key(secret_key: ElGamalSecretKey) -> Self {
        let public_key = secret_key.public_key();
        Self {
            secret_key,
            public_key,
        }
    }

    /// Get the public key
    pub fn public_key(&self) -> ElGamalPublicKey {
        self.public_key
    }

    /// Get a reference to the secret key
    pub fn secret_key(&self) -> &ElGamalSecretKey {
        &self.secret_key
    }

    /// Encrypt a message (u64 value)
    ///
    /// The message is encoded as m*G (point on the curve)
    /// Ciphertext: (c₁, c₂) = (r*G, m*G + r*H)
    pub fn encrypt(&self, message: u64) -> ElGamalCiphertext {
        encrypt(&self.public_key, message)
    }

    /// Decrypt a ciphertext to recover the original message
    ///
    /// Decryption: m*G = c₂ - x*c₁
    /// Then solve discrete log to get m
    pub fn decrypt(&self, ciphertext: &ElGamalCiphertext) -> ElGamalResult<u64> {
        decrypt(&self.secret_key, ciphertext)
    }
}

/// Encrypt a message using ElGamal encryption
pub fn encrypt(public_key: &ElGamalPublicKey, message: u64) -> ElGamalCiphertext {
    // Generate random ephemeral key
    let mut rng = rand::rng();
    let mut r_bytes = [0u8; 32];
    rng.fill(&mut r_bytes);
    let r = Scalar::from_bytes_mod_order(r_bytes);

    // Encode message as point: m*G
    let m_scalar = Scalar::from(message);
    let m_point = RISTRETTO_BASEPOINT_TABLE * &m_scalar;

    // c₁ = r*G
    let c1 = RISTRETTO_BASEPOINT_TABLE * &r;

    // c₂ = m*G + r*H
    let c2 = m_point + (public_key.point * r);

    ElGamalCiphertext { c1, c2 }
}

/// Decrypt an ElGamal ciphertext
///
/// Uses baby-step giant-step algorithm for discrete log
/// Works for small messages (up to 2^32)
pub fn decrypt(
    secret_key: &ElGamalSecretKey,
    ciphertext: &ElGamalCiphertext,
) -> ElGamalResult<u64> {
    // Compute m*G = c₂ - x*c₁
    let m_point = ciphertext.c2 - (secret_key.scalar * ciphertext.c1);

    // Solve discrete log to get m
    // For small values, we can use brute force or baby-step giant-step
    solve_discrete_log(&m_point)
}

/// Solve discrete log for small values using baby-step giant-step algorithm
///
/// This finds m such that m*G = P for small m (up to 2^20 ~ 1 million)
fn solve_discrete_log(point: &RistrettoPoint) -> ElGamalResult<u64> {
    const MAX_SEARCH: u64 = 1 << 20; // Search up to 2^20 ~ 1 million
    const BATCH_SIZE: u64 = 1 << 10; // Baby step size

    // Baby-step giant-step algorithm
    // Precompute baby steps: i*G for i = 0..BATCH_SIZE
    let mut baby_steps = std::collections::HashMap::new();
    let mut current = RistrettoPoint::default(); // 0*G = identity
    let generator = RISTRETTO_BASEPOINT_TABLE * &Scalar::ONE;

    for i in 0..BATCH_SIZE {
        baby_steps.insert(current.compress().to_bytes(), i);
        current += generator;
    }

    // Giant steps: check if P - j*BATCH_SIZE*G is in baby steps
    let giant_step = generator * Scalar::from(BATCH_SIZE);
    let mut current = *point;

    for j in 0..(MAX_SEARCH / BATCH_SIZE) {
        if let Some(&i) = baby_steps.get(&current.compress().to_bytes()) {
            return Ok(j * BATCH_SIZE + i);
        }
        current -= giant_step;
    }

    Err(ElGamalError::DecryptionFailed)
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_keypair_generation() {
        let keypair = ElGamalKeypair::generate();
        let pk = keypair.public_key();

        // Verify public key can be serialized and deserialized
        let pk_bytes = pk.to_bytes();
        let pk2 = ElGamalPublicKey::from_bytes(&pk_bytes).unwrap();
        assert_eq!(pk, pk2);
    }

    #[test]
    fn test_encrypt_decrypt() {
        let keypair = ElGamalKeypair::generate();
        let message = 42u64;

        let ciphertext = keypair.encrypt(message);
        let decrypted = keypair.decrypt(&ciphertext).unwrap();

        assert_eq!(message, decrypted);
    }

    #[test]
    fn test_homomorphic_addition() {
        let keypair = ElGamalKeypair::generate();
        let msg1 = 100u64;
        let msg2 = 200u64;

        let ct1 = keypair.encrypt(msg1);
        let ct2 = keypair.encrypt(msg2);

        // Homomorphic addition
        let ct_sum = ct1.add(&ct2);

        // Decrypt the sum
        let sum = keypair.decrypt(&ct_sum).unwrap();
        assert_eq!(sum, msg1 + msg2);
    }

    #[test]
    fn test_scalar_multiplication() {
        let keypair = ElGamalKeypair::generate();
        let msg = 50u64;
        let k = 3u64;

        let ct = keypair.encrypt(msg);
        let ct_mult = ct.mul_scalar(k);

        let result = keypair.decrypt(&ct_mult).unwrap();
        assert_eq!(result, msg * k);
    }

    #[test]
    fn test_rerandomization() {
        let keypair = ElGamalKeypair::generate();
        let message = 123u64;

        let ct1 = keypair.encrypt(message);
        let ct2 = ct1.rerandomize(&keypair.public_key());

        // Different ciphertexts
        assert_ne!(ct1, ct2);

        // Same plaintext
        assert_eq!(keypair.decrypt(&ct1).unwrap(), message);
        assert_eq!(keypair.decrypt(&ct2).unwrap(), message);
    }

    #[test]
    fn test_ciphertext_serialization() {
        let keypair = ElGamalKeypair::generate();
        let message = 777u64;

        let ct = keypair.encrypt(message);
        let ct_bytes = ct.to_bytes();
        let ct2 = ElGamalCiphertext::from_bytes(&ct_bytes).unwrap();

        assert_eq!(ct, ct2);
        assert_eq!(keypair.decrypt(&ct2).unwrap(), message);
    }

    #[test]
    fn test_zero_message() {
        let keypair = ElGamalKeypair::generate();
        let message = 0u64;

        let ct = keypair.encrypt(message);
        let decrypted = keypair.decrypt(&ct).unwrap();

        assert_eq!(message, decrypted);
    }

    #[test]
    fn test_large_message() {
        let keypair = ElGamalKeypair::generate();
        let message = 10000u64;

        let ct = keypair.encrypt(message);
        let decrypted = keypair.decrypt(&ct).unwrap();

        assert_eq!(message, decrypted);
    }

    #[test]
    fn test_multiple_additions() {
        let keypair = ElGamalKeypair::generate();
        let values = vec![10u64, 20, 30, 40, 50];
        let expected_sum: u64 = values.iter().sum();

        let mut ct_sum = keypair.encrypt(0);
        for &value in &values {
            let ct = keypair.encrypt(value);
            ct_sum = ct_sum.add(&ct);
        }

        let result = keypair.decrypt(&ct_sum).unwrap();
        assert_eq!(result, expected_sum);
    }

    #[test]
    fn test_secret_key_serialization() {
        let sk = ElGamalSecretKey::generate();
        let sk_bytes = sk.to_bytes();
        let sk2 = ElGamalSecretKey::from_bytes(&sk_bytes).unwrap();

        assert_eq!(sk.to_bytes(), sk2.to_bytes());
        assert_eq!(sk.public_key().to_bytes(), sk2.public_key().to_bytes());
    }

    #[test]
    fn test_deterministic_public_key() {
        let sk_bytes = [42u8; 32];
        let sk1 = ElGamalSecretKey::from_bytes(&sk_bytes).unwrap();
        let sk2 = ElGamalSecretKey::from_bytes(&sk_bytes).unwrap();

        assert_eq!(sk1.public_key(), sk2.public_key());
    }

    #[test]
    fn test_encryption_randomness() {
        let keypair = ElGamalKeypair::generate();
        let message = 100u64;

        let ct1 = keypair.encrypt(message);
        let ct2 = keypair.encrypt(message);

        // Different ciphertexts due to random ephemeral key
        assert_ne!(ct1, ct2);

        // Same plaintext
        assert_eq!(keypair.decrypt(&ct1).unwrap(), message);
        assert_eq!(keypair.decrypt(&ct2).unwrap(), message);
    }
}