ElGamal Encryption and Related Zero-Knowledge Proofs
Implementation of ElGamal encryption and related zero-knowledge proofs with pluggable crypto backend.
The following protocols and high-level applications are included:
- Additively homomorphic ElGamal encryption
- Zero-knowledge proofs of zero encryption and Boolean value encryption
- Zero-knowledge range proofs for ElGamal ciphertexts
- Additively homomorphic m-of-n choice encryption with a zero-knowledge proof of correctness
- Additively homomorphic quadratic voting with a zero-knowledge proof of correctness
- Threshold ElGamal encryption via Feldman's verifiable secret sharing, including verifiable distributed decryption.
⚠ Warnings
While the logic in this crate relies on standard cryptographic assumptions (complexity of decisional Diffie–Hellman, computational Diffie–Hellman and discrete log problems in certain groups), it has not been independently verified for correctness or absence of side-channel attack vectors. Use at your own risk.
ElGamal encryption is not a good choice for general-purpose public-key encryption since it is vulnerable to chosen-ciphertext attacks. For security, decryption operations should be limited on the application level.
Usage
Add this to your Crate.toml
:
[]
= "0.2.1"
Single-choice polling
use ;
use ;
use thread_rng;
let mut rng = thread_rng;
// Generate a keypair for encrypting ballots. In more realistic setup,
// this keypair would be distributed among multiple talliers.
let = generate.into_tuple;
let choice_params = single;
// ^ single-choice polling with 5 options encrypted for `pk`
let choice = 2; // voter's choice
let enc = single;
let choices = enc.verify.unwrap;
// ^ 5 Boolean value ciphertexts that can be homomorphically added
// across ballots
// Decrypt a separate ballot for demo purposes.
let lookup_table = new;
for in choices.iter.enumerate
Quadratic voting
use ;
use ;
use thread_rng;
let mut rng = thread_rng;
let = generate.into_tuple;
let params = new;
// ^ 5 options, 20 credits (= 4 max votes per option)
assert_eq!;
let votes = ; // voter's votes
let ballot = new;
let encrypted = ballot.verify.unwrap;
// ^ 5 vote ciphertexts that can be homomorphically added across ballots
// Decrypt a separate ballot for demo purposes.
let lookup = new;
let decrypted: = encrypted
.map
.collect;
assert_eq!;
See the crate docs for more examples of usage.
Naming
"Elastic" refers to pluggable backends, encryption with a key shared
among a variable number of participants, and the construction of zero-knowledge ring proofs
(a proof consists of a variable number of rings, each of which consists of a variable number
of admissible values).
elastic_elgamal
is also one of autogenerated Docker container names.
Alternatives and similar tools
There are several Rust crates implementing ElGamal encryption
on elliptic curves, such as elgamal_ristretto
(this one features zero-knowledge proofs
of correct decryption and knowledge of the secret key).
As mentioned in the Warnings section, ElGamal is not a good choice for general-purpose
public-key encryption. RSA or ECIES schemes (such as the box
primitive from NaCl / libsodium)
can be used instead.
License
Licensed under either of Apache License, Version 2.0 or MIT license at your option.
Unless you explicitly state otherwise, any contribution intentionally submitted
for inclusion in elastic-elgamal
by you, as defined in the Apache-2.0 license,
shall be dual licensed as above, without any additional terms or conditions.