1/* 2 * Copyright 2019 Google LLC. 3 * Licensed under the Apache License, Version 2.0 (the "License"); 4 * you may not use this file except in compliance with the License. 5 * You may obtain a copy of the License at 6 * 7 * https://www.apache.org/licenses/LICENSE-2.0 8 * 9 * Unless required by applicable law or agreed to in writing, software 10 * distributed under the License is distributed on an "AS IS" BASIS, 11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 * See the License for the specific language governing permissions and 13 * limitations under the License. 14 */ 15 16// This file specifies formats of the public key, secret key, and ciphertext of 17// the ElGamal encryption scheme, over an Elliptic Curve or over a 18// multiplicative integer group. 19 20syntax = "proto2"; 21 22package private_join_and_compute; 23 24// Public key for ElGamal encryption scheme. For ElGamal over integers, all the 25// fields are serialized BigNums; for ElGamal over an Elliptic Curve, g and y 26// are serialized ECPoints, p is not set. 27// 28// g is the generator of a cyclic group. 29// y = g^x for a random x, where x is the secret key. 30// 31// To encrypt a message m: 32// u = g^r for a random r; 33// e = m * y^r; 34// Ciphertext = (u, e). 35// 36// To encrypt a small message m in exponential ElGamal encryption scheme: 37// u = g^r for a random r; 38// e = g^m * y^r; 39// Ciphertext = (u, e). 40// 41// Note: The exponential ElGamal encryption scheme is an additively homomorphic 42// encryption scheme, and it only works for small messages. 43message ElGamalPublicKey { 44 optional bytes p = 1; // modulus of the integer group 45 optional bytes g = 2; 46 optional bytes y = 3; 47} 48 49// Secret key (or secret key share) for ElGamal encryption scheme. x is a 50// serialized BigNum. 51// 52// To decrypt a ciphertext (u, e): 53// m = e * (u^x)^{-1}. 54// 55// To decrypt a ciphertext (u, e) in exponential ElGamal encryption scheme: 56// m = log_g (e * (u^x)^{-1}). 57// 58// In a 2-out-of-2 threshold ElGamal encryption scheme, for secret key shares 59// x_1 and x_2, the ElGamal secret key is x = x_1 + x_2, satisfying y = g^x for 60// public key (g, y). 61// 62// To jointly decrypt a ciphertext (u, e): 63// Each party computes (u^{x_i})^{-1}; 64// m = e * (u^{x_1})^{-1} * (u^{x_2})^{-1}, or 65// m = log_g (e * (u^{x_1})^{-1} * (u^{x_2})^{-1}) in exponential ElGamal. 66message ElGamalSecretKey { 67 optional bytes x = 1; 68} 69 70// Ciphertext of ElGamal encryption scheme. For ElGamal over integers, all the 71// fields are serialized BigNums; for ElGamal over an Elliptic Curve, all the 72// fields are serialized ECPoints. 73// 74// For public key (g, y), message m, and randomness r: 75// u = g^r; 76// e = m * y^r. 77// 78// In exponential ElGamal encryption scheme, for public key (g, y), small 79// message m, and randomness r: 80// u = g^r; 81// e = g^m * y^r. 82message ElGamalCiphertext { 83 optional bytes u = 1; 84 optional bytes e = 2; 85} 86