Extend plain Elgamal encryption to rerandomizable Hybrid encryption scheme

[jschneider-bensch]

With plain Elgamal, DB contents are limited to the plaintext domain of plain Elgamal, i.e. group elements.

One idea to improve this would be a hybrid encryption approach, where rerandomization is performed by

1. rerandomizing the wrapped symmetric key
2. encrypting the already encrypted message under a fresh symmetric key
3. encapsulating that fresh key in an additional Elgamal ciphertext

This way a rerandomized ciphertext grows by one elgamal ciphertext per rerandomization, but since we only ever perform one rerandomization before decryption in ScrambleDB that should be okay.

[jschneider-bensch]

Double HPKE #25 addresses this.