bitwiseshiftleft / sjcl

Stanford Javascript Crypto Library
http://bitwiseshiftleft.github.com/sjcl/

Question about ElGamal kem() function #370

Closed pgorsira closed 5 years ago

pgorsira commented 6 years ago

Quick question about the kem() function given for ElGamal encryption:

```javascript
kem: function(paranoia) {
  var sec = sjcl.bn.random(this._curve.r, paranoia),   // ephemeral scalar in [0, r)
      tag = this._curve.G.mult(sec).toBits(),          // sec*G, sent alongside the ciphertext
      key = sjcl.hash.sha256.hash(this._point.mult(sec).toBits()); // SHA-256(sec*pub) as the AES key
  return { key: key, tag: tag };
}
```

For key = sjcl.hash.sha256.hash(this._point.mult(sec).toBits()), is it necessary to compute SHA256 hash and use that as AES secret? Or can we get by with something like this: key = this._point.mult(sec).toBits() (no hash)? Would this be less secure?

I ask as I am trying to take advantage of multiplicative homomorphism of ElGamal. So, multiply encrypted secret by a scalar, decrypt new ciphertext (unkem()), and multiply decryption result by scalar inverse to get original secret. I am able to do this when I remove the SHA256 hashing code above, however with hashing code still enabled I am getting a "not on the curve" error when trying to multiply decryption result by scalar inverse (because we are using hash for key which I believe pushes it off the curve).

So, wondering if removing hash logic degrades security of the method / is not advised or if hashing is performed for different reasons (and wondering what those reasons are if so). Thanks!

owlstead commented 5 years ago

Hashing is probably performed just to perform random extraction: compressing the randomness in the resulting point into 256 bits. This is somewhat better than resizing the point to bits. However, you should be able to always perform the hashing afterwards rather than before the multiplication.

You will lose some randomness (not that much, but still) if you just rip bits from the result. Saying that you're using AES-256 while the key doesn't contain (256) random bits is of course lying to yourself and possibly others.