Crate elastic_elgamal
source · [−]Expand description
ElGamal encryption and related cryptographic protocols with pluggable crypto backend.
⚠ Warnings
While the logic in this crate relies on standard cryptographic assumptions (complexity of discrete log and computational / decisional Diffie–Hellman problems in certain groups), it has not been independently verified for correctness or absence of side-channel attack vectors. Use at your own risk.
ElGamal encryption is not a good choice for general-purpose public-key encryption since it is vulnerable to chosen-ciphertext attacks. For security, decryption operations should be limited on the application level.
Overview
Ciphertext
provides ElGamal encryption. This and other protocols usePublicKey
,SecretKey
andKeypair
to represent participants’ keys.- Besides basic encryption,
PublicKey
also provides zero-knowledge proofs of zero encryption and of Boolean value encryption. These are useful in higher-level protocols, e.g., re-encryption. - Zero-knowledge range proofs for ElGamal ciphertexts are provided via
RangeProof
s and a high-levelPublicKey
method. sharing
module exposes a threshold encryption scheme based on Feldman’s verifiable secret sharing, including verifiable distributed decryption.app
module provides higher-level protocols utilizing zero-knowledge proofs and ElGamal encryption, such as provable encryption of m-of-n choice and a simple version of quadratic voting.
Backends
group
module exposes a generic framework for plugging a Group
implementation into crypto primitives. It also provides several implementations:
Ristretto
andCurve25519Subgroup
implementations based on Curve25519 usingcurve25519-dalek
.Generic
implementation allowing to plug in any elliptic curve group conforming to the traits specified by theelliptic-curve
crate. For example, the secp256k1 curve can be used via thek256
crate.
Crate features
std
(on by default)
Enables support of types from std
, such as the Error
trait and the HashMap
collection.
hashbrown
(off by default)
Imports hash maps and sets from the eponymous crate
instead of using ones from the Rust std library. This feature is necessary
if the std
feature is disabled.
serde
(off by default)
Enables Serialize
/ Deserialize
implementations for most types in the crate.
Group scalars, elements and wrapper key types are serialized to human-readable formats
(JSON, YAML, TOML, etc.) as strings that represent corresponding byte buffers using
base64-url encoding without padding. For binary formats, byte buffers are serialized directly.
For complex types (e.g., participant states from the sharing
module), self-consistency
checks are not performed on deserialization. That is, deserialization of such types
should only be performed from a trusted source or in the presence of additional integrity
checks.
Crate naming
“Elastic” refers to pluggable backends, configurable params for threshold encryption,
and the construction of zero-knowledge RingProof
s (a proof consists of
a variable number of rings, each of which consists of a variable number of admissible values).
elastic_elgamal
is also one of autogenerated Docker container names.
Modules
High-level applications for proofs defined in this crate.
Traits and implementations for prime-order groups in which the decisional Diffie–Hellman (DDH), computational Diffie–Hellman (CDH) and discrete log (DL) problems are believed to be hard.
Feldman’s verifiable secret sharing (VSS) for ElGamal encryption.
Structs
Candidate for a VerifiableDecryption
that is not yet verified. This presentation should be
used for decryption data retrieved from an untrusted source.
Ciphertext for ElGamal encryption.
ElGamal Ciphertext
together with fully retained information about the encrypted value and
randomness used to create the ciphertext.
Lookup table for discrete logarithms.
Zero-knowledge proof of equality of two discrete logarithms in different bases, aka Chaum–Pedersen protocol.
RangeDecomposition
together with values precached for creating and/or verifying
RangeProof
s in a certain Group
.
Zero-knowledge proof of possession of one or more secret scalars.
Public key for ElGamal encryption and related protocols.
Decomposition of an integer range 0..n
into one or more sub-ranges. Decomposing the range
allows constructing RangeProof
s with size / computational complexity O(log n)
.
Zero-knowledge proof that an ElGamal ciphertext encrypts a value into a certain range 0..n
.
Zero-knowledge proof that the one or more encrypted values is each in the a priori known set of admissible values. (Admissible values may differ among encrypted values.)
Secret key for ElGamal encryption and related protocols. This is a thin wrapper around
the Group
scalar.
Zero-knowledge proof that an ElGamal-encrypted value is equal to a sum of squares of one or more other ElGamal-encrypted values.
Verifiable decryption for a certain Ciphertext
in the ElGamal encryption scheme.
Usable both for standalone proofs and in threshold encryption.
Enums
Errors that can occur when converting other types to PublicKey
.
Error verifying base proofs, such as RingProof
, LogEqualityProof
or ProofOfPossession
.