Expand description

ElGamal encryption and related cryptographic protocols with pluggable crypto backend.

⚠ Warnings

While the logic in this crate relies on standard cryptographic assumptions (complexity of discrete log and computational / decisional Diffie–Hellman problems in certain groups), it has not been independently verified for correctness or absence of side-channel attack vectors. Use at your own risk.

ElGamal encryption is not a good choice for general-purpose public-key encryption since it is vulnerable to chosen-ciphertext attacks. For security, decryption operations should be limited on the application level.



group module exposes a generic framework for plugging a Group implementation into crypto primitives. It also provides several implementations:

Crate features


(on by default)

Enables support of types from std, such as the Error trait and the HashMap collection.


(off by default)

Imports hash maps and sets from the eponymous crate instead of using ones from the Rust std library. This feature is necessary if the std feature is disabled.


(off by default)

Enables Serialize / Deserialize implementations for most types in the crate. Group scalars, elements and wrapper key types are serialized to human-readable formats (JSON, YAML, TOML, etc.) as strings that represent corresponding byte buffers using base64-url encoding without padding. For binary formats, byte buffers are serialized directly.

For complex types (e.g., participant states from the sharing module), self-consistency checks are not performed on deserialization. That is, deserialization of such types should only be performed from a trusted source or in the presence of additional integrity checks.

Crate naming

“Elastic” refers to pluggable backends, configurable params for threshold encryption, and the construction of zero-knowledge RingProofs (a proof consists of a variable number of rings, each of which consists of a variable number of admissible values). elastic_elgamal is also one of autogenerated Docker container names.


High-level applications for proofs defined in this crate.

Traits and implementations for prime-order groups in which the decisional Diffie–Hellman (DDH), computational Diffie–Hellman (CDH) and discrete log (DL) problems are believed to be hard.

Feldman’s verifiable secret sharing (VSS) for ElGamal encryption.


Candidate for a VerifiableDecryption that is not yet verified. This presentation should be used for decryption data retrieved from an untrusted source.

Ciphertext for ElGamal encryption.

ElGamal Ciphertext together with fully retained information about the encrypted value and randomness used to create the ciphertext.

Lookup table for discrete logarithms.

Keypair for ElGamal encryption and related protocols, consisting of a SecretKey and the matching PublicKey.

Zero-knowledge proof of equality of two discrete logarithms in different bases, aka Chaum–Pedersen protocol.

RangeDecomposition together with values precached for creating and/or verifying RangeProofs in a certain Group.

Zero-knowledge proof of possession of one or more secret scalars.

Public key for ElGamal encryption and related protocols.

Decomposition of an integer range 0..n into one or more sub-ranges. Decomposing the range allows constructing RangeProofs with size / computational complexity O(log n).

Zero-knowledge proof that an ElGamal ciphertext encrypts a value into a certain range 0..n.

Zero-knowledge proof that the one or more encrypted values is each in the a priori known set of admissible values. (Admissible values may differ among encrypted values.)

Secret key for ElGamal encryption and related protocols. This is a thin wrapper around the Group scalar.

Zero-knowledge proof that an ElGamal-encrypted value is equal to a sum of squares of one or more other ElGamal-encrypted values.

Verifiable decryption for a certain Ciphertext in the ElGamal encryption scheme. Usable both for standalone proofs and in threshold encryption.


Errors that can occur when converting other types to PublicKey.

Error verifying base proofs, such as RingProof, LogEqualityProof or ProofOfPossession.