Add a basic ElGamal encryption gadget (#44)

* Basic elgamal encryption gadget

* fmt

Co-authored-by: Weikeng Chen <[email protected]>

Author: sam-steffen

src/encryption/constraints.rs

@@ -0,0 +1,26 @@
+use crate::encryption::AsymmetricEncryptionScheme;
+
+use ark_r1cs_std::prelude::*;
+use ark_relations::r1cs::SynthesisError;
+use core::fmt::Debug;
+
+use ark_ff::fields::Field;
+
+pub trait AsymmetricEncryptionGadget<C: AsymmetricEncryptionScheme, ConstraintF: Field> {
+    type OutputVar: AllocVar<C::Ciphertext, ConstraintF>
+        + EqGadget<ConstraintF>
+        + Clone
+        + Sized
+        + Debug;
+    type ParametersVar: AllocVar<C::Parameters, ConstraintF> + Clone;
+    type PlaintextVar: AllocVar<C::Plaintext, ConstraintF> + Clone;
+    type PublicKeyVar: AllocVar<C::PublicKey, ConstraintF> + Clone;
+    type RandomnessVar: AllocVar<C::Randomness, ConstraintF> + Clone;
+
+    fn encrypt(
+        parameters: &Self::ParametersVar,
+        message: &Self::PlaintextVar,
+        randomness: &Self::RandomnessVar,
+        public_key: &Self::PublicKeyVar,
+    ) -> Result<Self::OutputVar, SynthesisError>;
+}

src/encryption/elgamal/constraints.rs

@@ -0,0 +1,230 @@
+use ark_r1cs_std::prelude::*;
+use ark_relations::r1cs::{Namespace, SynthesisError};
+
+use crate::encryption::elgamal::{
+    Ciphertext, ElGamal, Parameters, Plaintext, PublicKey, Randomness,
+};
+use crate::encryption::AsymmetricEncryptionGadget;
+use ark_ec::ProjectiveCurve;
+use ark_ff::{
+    fields::{Field, PrimeField},
+    to_bytes, Zero,
+};
+use core::{borrow::Borrow, marker::PhantomData};
+
+pub type ConstraintF<C> = <<C as ProjectiveCurve>::BaseField as Field>::BasePrimeField;
+
+#[derive(Clone, Debug)]
+pub struct RandomnessVar<F: Field>(Vec<UInt8<F>>);
+
+impl<C, F> AllocVar<Randomness<C>, F> for RandomnessVar<F>
+where
+    C: ProjectiveCurve,
+    F: PrimeField,
+{
+    fn new_variable<T: Borrow<Randomness<C>>>(
+        cs: impl Into<Namespace<F>>,
+        f: impl FnOnce() -> Result<T, SynthesisError>,
+        mode: AllocationMode,
+    ) -> Result<Self, SynthesisError> {
+        let r = to_bytes![&f().map(|b| b.borrow().0).unwrap_or(C::ScalarField::zero())].unwrap();
+        match mode {
+            AllocationMode::Constant => Ok(Self(UInt8::constant_vec(&r))),
+            AllocationMode::Input => UInt8::new_input_vec(cs, &r).map(Self),
+            AllocationMode::Witness => UInt8::new_witness_vec(cs, &r).map(Self),
+        }
+    }
+}
+
+#[derive(Derivative)]
+#[derivative(Clone(bound = "C: ProjectiveCurve, GG: CurveVar<C, ConstraintF<C>>"))]
+pub struct ParametersVar<C: ProjectiveCurve, GG: CurveVar<C, ConstraintF<C>>>
+where
+    for<'a> &'a GG: GroupOpsBounds<'a, C, GG>,
+{
+    generator: GG,
+    #[doc(hidden)]
+    _curve: PhantomData<C>,
+}
+
+impl<C, GG> AllocVar<Parameters<C>, ConstraintF<C>> for ParametersVar<C, GG>
+where
+    C: ProjectiveCurve,
+    GG: CurveVar<C, ConstraintF<C>>,
+    for<'a> &'a GG: GroupOpsBounds<'a, C, GG>,
+{
+    fn new_variable<T: Borrow<Parameters<C>>>(
+        cs: impl Into<Namespace<ConstraintF<C>>>,
+        f: impl FnOnce() -> Result<T, SynthesisError>,
+        mode: AllocationMode,
+    ) -> Result<Self, SynthesisError> {
+        let generator = GG::new_variable(cs, || f().map(|g| g.borrow().generator), mode)?;
+        Ok(Self {
+            generator,
+            _curve: PhantomData,
+        })
+    }
+}
+
+#[derive(Derivative)]
+#[derivative(Clone(bound = "C: ProjectiveCurve, GG: CurveVar<C, ConstraintF<C>>"))]
+pub struct PlaintextVar<C: ProjectiveCurve, GG: CurveVar<C, ConstraintF<C>>>
+where
+    for<'a> &'a GG: GroupOpsBounds<'a, C, GG>,
+{
+    pub plaintext: GG,
+    #[doc(hidden)]
+    _curve: PhantomData<C>,
+}
+
+impl<C, GG> AllocVar<Plaintext<C>, ConstraintF<C>> for PlaintextVar<C, GG>
+where
+    C: ProjectiveCurve,
+    GG: CurveVar<C, ConstraintF<C>>,
+    for<'a> &'a GG: GroupOpsBounds<'a, C, GG>,
+{
+    fn new_variable<T: Borrow<Plaintext<C>>>(
+        cs: impl Into<Namespace<ConstraintF<C>>>,
+        f: impl FnOnce() -> Result<T, SynthesisError>,
+        mode: AllocationMode,
+    ) -> Result<Self, SynthesisError> {
+        let plaintext = GG::new_variable(cs, f, mode)?;
+        Ok(Self {
+            plaintext,
+            _curve: PhantomData,
+        })
+    }
+}
+
+#[derive(Derivative)]
+#[derivative(Clone(bound = "C: ProjectiveCurve, GG: CurveVar<C, ConstraintF<C>>"))]
+pub struct PublicKeyVar<C: ProjectiveCurve, GG: CurveVar<C, ConstraintF<C>>>
+where
+    for<'a> &'a GG: GroupOpsBounds<'a, C, GG>,
+{
+    pub pk: GG,
+    #[doc(hidden)]
+    _curve: PhantomData<C>,
+}
+
+impl<C, GG> AllocVar<PublicKey<C>, ConstraintF<C>> for PublicKeyVar<C, GG>
+where
+    C: ProjectiveCurve,
+    GG: CurveVar<C, ConstraintF<C>>,
+    for<'a> &'a GG: GroupOpsBounds<'a, C, GG>,
+{
+    fn new_variable<T: Borrow<PublicKey<C>>>(
+        cs: impl Into<Namespace<ConstraintF<C>>>,
+        f: impl FnOnce() -> Result<T, SynthesisError>,
+        mode: AllocationMode,
+    ) -> Result<Self, SynthesisError> {
+        let pk = GG::new_variable(cs, f, mode)?;
+        Ok(Self {
+            pk,
+            _curve: PhantomData,
+        })
+    }
+}
+
+#[derive(Derivative, Debug)]
+#[derivative(Clone(bound = "C: ProjectiveCurve, GG: CurveVar<C, ConstraintF<C>>"))]
+pub struct OutputVar<C: ProjectiveCurve, GG: CurveVar<C, ConstraintF<C>>>
+where
+    for<'a> &'a GG: GroupOpsBounds<'a, C, GG>,
+{
+    pub c1: GG,
+    pub c2: GG,
+    #[doc(hidden)]
+    _curve: PhantomData<C>,
+}
+
+impl<C, GG> AllocVar<Ciphertext<C>, ConstraintF<C>> for OutputVar<C, GG>
+where
+    C: ProjectiveCurve,
+    GG: CurveVar<C, ConstraintF<C>>,
+    for<'a> &'a GG: GroupOpsBounds<'a, C, GG>,
+{
+    fn new_variable<T: Borrow<Ciphertext<C>>>(
+        cs: impl Into<Namespace<ConstraintF<C>>>,
+        f: impl FnOnce() -> Result<T, SynthesisError>,
+        mode: AllocationMode,
+    ) -> Result<Self, SynthesisError> {
+        let ns = cs.into();
+        let cs = ns.cs();
+        let prep = f().map(|g| *g.borrow());
+        let c1 = GG::new_variable(cs.clone(), || prep.map(|g| g.borrow().0), mode)?;
+        let c2 = GG::new_variable(cs.clone(), || prep.map(|g| g.borrow().1), mode)?;
+        Ok(Self {
+            c1,
+            c2,
+            _curve: PhantomData,
+        })
+    }
+}
+
+impl<C, GC> EqGadget<ConstraintF<C>> for OutputVar<C, GC>
+where
+    C: ProjectiveCurve,
+    GC: CurveVar<C, ConstraintF<C>>,
+    for<'a> &'a GC: GroupOpsBounds<'a, C, GC>,
+{
+    #[inline]
+    fn is_eq(&self, other: &Self) -> Result<Boolean<ConstraintF<C>>, SynthesisError> {
+        self.c1.is_eq(&other.c1)?.and(&self.c2.is_eq(&other.c2)?)
+    }
+}
+
+pub struct ElGamalEncGadget<C: ProjectiveCurve, GG: CurveVar<C, ConstraintF<C>>>
+where
+    for<'a> &'a GG: GroupOpsBounds<'a, C, GG>,
+{
+    #[doc(hidden)]
+    _curve: PhantomData<*const C>,
+    _group_var: PhantomData<*const GG>,
+}
+
+impl<C, GG> AsymmetricEncryptionGadget<ElGamal<C>, ConstraintF<C>> for ElGamalEncGadget<C, GG>
+where
+    C: ProjectiveCurve,
+    GG: CurveVar<C, ConstraintF<C>>,
+    for<'a> &'a GG: GroupOpsBounds<'a, C, GG>,
+    ConstraintF<C>: PrimeField,
+{
+    type OutputVar = OutputVar<C, GG>;
+    type ParametersVar = ParametersVar<C, GG>;
+    type PlaintextVar = PlaintextVar<C, GG>;
+    type PublicKeyVar = PublicKeyVar<C, GG>;
+    type RandomnessVar = RandomnessVar<ConstraintF<C>>;
+
+    fn encrypt(
+        parameters: &Self::ParametersVar,
+        message: &Self::PlaintextVar,
+        randomness: &Self::RandomnessVar,
+        public_key: &Self::PublicKeyVar,
+    ) -> Result<Self::OutputVar, SynthesisError> {
+        // flatten randomness to little-endian bit vector
+        let randomness = randomness
+            .0
+            .iter()
+            .flat_map(|b| b.to_bits_le().unwrap())
+            .collect::<Vec<_>>();
+
+        // compute s = randomness*pk
+        let s = public_key.pk.clone().scalar_mul_le(randomness.iter())?;
+
+        // compute c1 = randomness*generator
+        let c1 = parameters
+            .generator
+            .clone()
+            .scalar_mul_le(randomness.iter())?;
+
+        // compute c2 = m + s
+        let c2 = message.plaintext.clone() + s;
+
+        Ok(Self::OutputVar {
+            c1,
+            c2,
+            _curve: PhantomData,
+        })
+    }
+}

src/encryption/elgamal/mod.rs

@@ -0,0 +1,105 @@
+#[cfg(feature = "r1cs")]
+pub mod constraints;
+
+use crate::encryption::AsymmetricEncryptionScheme;
+use crate::Error;
+use ark_ec::{AffineCurve, ProjectiveCurve};
+use ark_ff::{fields::PrimeField, UniformRand};
+use ark_std::marker::PhantomData;
+use ark_std::rand::Rng;
+
+pub struct ElGamal<C: ProjectiveCurve> {
+    _group: PhantomData<C>,
+}
+
+pub struct Parameters<C: ProjectiveCurve> {
+    pub generator: C::Affine,
+}
+
+pub type PublicKey<C> = <C as ProjectiveCurve>::Affine;
+
+pub struct SecretKey<C: ProjectiveCurve>(pub C::ScalarField);
+
+pub struct Randomness<C: ProjectiveCurve>(pub C::ScalarField);
+
+impl<C: ProjectiveCurve> UniformRand for Randomness<C> {
+    #[inline]
+    fn rand<R: Rng + ?Sized>(rng: &mut R) -> Self {
+        Randomness(<C as ProjectiveCurve>::ScalarField::rand(rng))
+    }
+}
+
+pub type Plaintext<C> = <C as ProjectiveCurve>::Affine;
+
+pub type Ciphertext<C> = (
+    <C as ProjectiveCurve>::Affine,
+    <C as ProjectiveCurve>::Affine,
+);
+
+impl<C: ProjectiveCurve> AsymmetricEncryptionScheme for ElGamal<C>
+where
+    C::ScalarField: PrimeField,
+{
+    type Parameters = Parameters<C>;
+    type PublicKey = PublicKey<C>;
+    type SecretKey = SecretKey<C>;
+    type Randomness = Randomness<C>;
+    type Plaintext = Plaintext<C>;
+    type Ciphertext = Ciphertext<C>;
+
+    fn setup<R: Rng>(rng: &mut R) -> Result<Self::Parameters, Error> {
+        // get a random generator
+        let generator = C::rand(rng).into();
+
+        Ok(Parameters { generator })
+    }
+
+    fn keygen<R: Rng>(
+        pp: &Self::Parameters,
+        rng: &mut R,
+    ) -> Result<(Self::PublicKey, Self::SecretKey), Error> {
+        // get a random element from the scalar field
+        let secret_key: <C as ProjectiveCurve>::ScalarField = C::ScalarField::rand(rng);
+
+        // compute secret_key*generator to derive the public key
+        let public_key = pp.generator.mul(secret_key.clone()).into();
+
+        Ok((public_key, SecretKey(secret_key)))
+    }
+
+    fn encrypt(
+        pp: &Self::Parameters,
+        pk: &Self::PublicKey,
+        message: &Self::Plaintext,
+        r: &Self::Randomness,
+    ) -> Result<Self::Ciphertext, Error> {
+        // compute s = r*pk
+        let s = pk.mul(r.0.clone()).into();
+
+        // compute c1 = r*generator
+        let c1 = pp.generator.mul(r.0.clone()).into();
+
+        // compute c2 = m + s
+        let c2 = *message + s;
+
+        Ok((c1, c2))
+    }
+
+    fn decrypt(
+        _pp: &Self::Parameters,
+        sk: &Self::SecretKey,
+        ciphertext: &Self::Ciphertext,
+    ) -> Result<Self::Plaintext, Error> {
+        let c1: <C as ProjectiveCurve>::Affine = ciphertext.0;
+        let c2: <C as ProjectiveCurve>::Affine = ciphertext.1;
+
+        // compute s = secret_key * c1
+        let s = c1.mul(sk.0.clone());
+        let s_inv = -s;
+
+        // compute message = c2 - s
+        let m = c2 + s_inv.into_affine();
+
+        Ok(m)
+    }
+}