# Crate elastic_elgamal

source ·## Expand description

ElGamal encryption and related cryptographic protocols with pluggable crypto backend.

## ⚠ Warnings

While the logic in this crate relies on standard cryptographic assumptions
(complexity of discrete log and computational / decisional Diffie–Hellman problems
in certain groups), it has not been independently verified for correctness or absence
of side-channel attack vectors. **Use at your own risk.**

ElGamal encryption is not a good choice for general-purpose public-key encryption since it is vulnerable to chosen-ciphertext attacks. For security, decryption operations should be limited on the application level.

## Overview

`Ciphertext`

provides ElGamal encryption. This and other protocols use`PublicKey`

,`SecretKey`

and`Keypair`

to represent participants’ keys.- Besides basic encryption,
`PublicKey`

also provides zero-knowledge proofs of zero encryption and of Boolean value encryption. These are useful in higher-level protocols, e.g., re-encryption. - Zero-knowledge range proofs for ElGamal ciphertexts are provided via
`RangeProof`

s and a high-level`PublicKey`

method. - Proof of equivalence between an ElGamal ciphertext and a Pedersen commitment
is available as
`CommitmentEquivalenceProof`

. `sharing`

module exposes a threshold encryption scheme based on Feldman’s verifiable secret sharing, including verifiable distributed decryption.`dkg`

module implements distributed key generation using Pedersen’s scheme with hash commitments.`app`

module provides higher-level protocols utilizing zero-knowledge proofs and ElGamal encryption, such as provable encryption of m-of-n choice and a simple version of quadratic voting.

## Backends

`group`

module exposes a generic framework for plugging a `Group`

implementation into crypto primitives. It also provides several implementations:

`Ristretto`

and`Curve25519Subgroup`

implementations based on Curve25519.`Generic`

implementation allowing to plug in any elliptic curve group conforming to the traits specified by the`elliptic-curve`

crate. For example, the secp256k1 curve can be used via the`k256`

crate.

## Crate features

`std`

*(on by default)*

Enables support of types from `std`

, such as the `Error`

trait and the `HashMap`

collection.

`hashbrown`

*(off by default)*

Imports hash maps and sets from the eponymous crate
instead of using ones from the Rust std library. This feature is necessary
if the `std`

feature is disabled.

`curve25519-dalek`

*(on by default)*

Implements `Group`

for two prime groups based on Curve25519 using the `curve25519-dalek`

crate: its prime subgroup, and the Ristretto transform of Curve25519 (aka ristretto255).

`curve25519-dalek-ng`

*(off by default)*

Same in terms of functionality as `curve25519-dalek`

, but uses the `curve25519-dalek-ng`

crate instead of `curve25519-dalek`

. This may be beneficial for applications that use
`bulletproofs`

or other libraries depending on `curve25519-dalek-ng`

.

The `curve25519-dalek-ng`

crate does not compile unless some crypto backend is selected.
You may select the backend by specifying `curve25519-dalek-ng`

as a direct dependency as follows:

```
[dependencies.elastic-elgamal]
version = "..."
default-features = false
features = ["std", "curve25519-dalek-ng"]
[dependencies.curve25519-dalek-ng]
version = "4"
features = ["u64_backend"] # or other backend
```

This feature is mutually exclusive with `curve25519-dalek`

.

`serde`

*(off by default)*

Enables `Serialize`

/ `Deserialize`

implementations for most types in the crate.
Group scalars, elements and wrapper key types are serialized to human-readable formats
(JSON, YAML, TOML, etc.) as strings that represent corresponding byte buffers using
base64-url encoding without padding. For binary formats, byte buffers are serialized directly.

For complex types (e.g., participant states from the `sharing`

module), self-consistency
checks are **not** performed on deserialization. That is, deserialization of such types
should only be performed from a trusted source or in the presence of additional integrity
checks.

## Crate naming

“Elastic” refers to pluggable backends, configurable params for threshold encryption,
and the construction of zero-knowledge `RingProof`

s (a proof consists of
a variable number of rings, each of which consists of a variable number of admissible values).
`elastic_elgamal`

is also one of autogenerated Docker container names.

## Re-exports

`pub use crate::proofs::RingProofBuilder;`

## Modules

- High-level applications for proofs defined in this crate.
- Committed Pedersen’s distributed key generation (DKG).
- Traits and implementations for prime-order groups in which the decisional Diffie–Hellman (DDH), computational Diffie–Hellman (CDH) and discrete log (DL) problems are believed to be hard.
- Feldman’s verifiable secret sharing (VSS) for ElGamal encryption.

## Structs

- Candidate for a
`VerifiableDecryption`

that is not yet verified. This presentation should be used for decryption data retrieved from an untrusted source. - Ciphertext for ElGamal encryption.
- ElGamal
`Ciphertext`

together with fully retained information about the encrypted value and randomness used to create the ciphertext. - Zero-knowledge proof that an ElGamal ciphertext encrypts the same value as a Pedersen commitment.
- Lookup table for discrete logarithms.
- Zero-knowledge proof of equality of two discrete logarithms in different bases, aka Chaum–Pedersen protocol.
`RangeDecomposition`

together with values precached for creating and/or verifying`RangeProof`

s in a certain`Group`

.- Zero-knowledge proof of possession of one or more secret scalars.
- Public key for ElGamal encryption and related protocols.
- Decomposition of an integer range
`0..n`

into one or more sub-ranges. Decomposing the range allows constructing`RangeProof`

s with size / computational complexity`O(log n)`

. - Zero-knowledge proof that an ElGamal ciphertext encrypts a value into a certain range
`0..n`

. - Zero-knowledge proof that the one or more encrypted values is each in the a priori known set of admissible values. (Admissible values may differ among encrypted values.)
- Secret key for ElGamal encryption and related protocols. This is a thin wrapper around the
`Group`

scalar. - Zero-knowledge proof that an ElGamal-encrypted value is equal to a sum of squares of one or more other ElGamal-encrypted values.
- Verifiable decryption for a certain
`Ciphertext`

in the ElGamal encryption scheme. Usable both for standalone proofs and in threshold encryption.

## Enums

- Errors that can occur when converting other types to
`PublicKey`

.