Closed XinwenXiang closed 1 year ago
What class are you trying to use as G? mcl::G1 is a group of an elliptic curve, so it does not have 1.
I may have misrepresented. In ElGamal enc(ek, mes; rand), it supposes that mes belongs to G as an element to do (ek^rand, g^rand.mes). To meet nizk, I need to set mes as the “identity element” of G, so that g^rand.mes = g^rand.
A standard ElGamal encryption assumes that G is a multiplicative group, not an elliptic curve. The identity element of mcl::G1 is zero.
Excuse me, maybe I do not understand your answer totally. I'm implementing the scheme in the group defined by an elliptic curve. I just ran:

```js
let rhok = new mcl.Fr()
rhok.setByCSPRNG()
// freshly constructed G1 element, used as the message
let cOne = new mcl.G1()
let cipherWithOne = pke.PKEEncRand(relationPP.g, relationPP.ek, cOne, rhok)
// g * rhok, to compare against the second ciphertext component
let check = mcl.mul(relationPP.g, rhok)
if (cipherWithOne.v.isEqual(check)) console.log("11111111111111")
```

and it worked; it seems that a new element in G1 defaults to being the “identity element”.
If you want to use an elliptic curve for ElGamal encryption, a message m must be in G, NOT a scalar. The formulation is the following (additive formula):

```
keyGen
  dk <- Fr.setByCSPRNG()
  g <- hashAndMapToG1('1') # this is a generator of G1
  pk <- mul(g, dk)

Enc(pk, m)
  m in G1
  r <- Fr.setByCSPRNG()
  c <- (mul(pk, r), add(mul(g, r), m)) # (pk * r, g * r + m)

Dec(dk, c = (u, v))
  m <- sub(v, mul(u, inv(dk))) # v - u * (1/dk) = (g * r + m) - (pk * r) * (1/dk) = m
```
Does the original paper assume an elliptic curve?
The original paper does not assume an elliptic curve, and my theoretical base knowledge may be lacking.
When I try to implement an encryption scheme, I follow the rule that "a group can be defined by an elliptic curve" and I just need to verify that the properties of the group defined by the elliptic curve satisfy the scheme description. Is that right?
I do not know how to define a group in another way. And thanks a lot for your patient answer.
> When I try to implement an encryption scheme, I follow the rule that "a group can be defined by an elliptic curve" and I just need to verify that the properties of the group defined by the elliptic curve satisfy the scheme description. Is that right?
Yes.
What is the size of the message m? If you can assume |m| <= 2^24 or so, then you can use lifted ElGamal Encryption with an elliptic curve.
cf.
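Added example, not part of the thread and not mcl's code: the additive ElGamal formulation from the pseudocode above, plus the lifted variant, on a toy 19-element textbook curve in plain JavaScript so it runs without mcl-wasm. It shows that encrypting the identity (zero) yields v = g*r and that lifted decryption is a bounded search; the curve parameters, helper names and the explicit `r` argument are assumptions for illustration.

```javascript
// Toy curve y^2 = x^3 + 2x + 2 over F_17 (textbook example, group order 19).
// Illustration only: far too small to be secure, and not mcl's API.
const P = 17n, A = 2n, N = 19n;
const G = { x: 5n, y: 1n };           // generator
const ZERO = null;                    // identity element (point at infinity)

const mod = (a, m) => ((a % m) + m) % m;
function inv(a, m) {                  // modular inverse via Fermat (m prime)
  let r = 1n, b = mod(a, m), e = m - 2n;
  for (; e > 0n; e >>= 1n, b = (b * b) % m) if (e & 1n) r = (r * b) % m;
  return r;
}
const eq = (p, q) => p === q || (p !== null && q !== null && p.x === q.x && p.y === q.y);
const neg = (p) => (p === null ? null : { x: p.x, y: mod(-p.y, P) });
function add(p, q) {
  if (p === null) return q;
  if (q === null) return p;
  if (p.x === q.x && mod(p.y + q.y, P) === 0n) return ZERO;
  const s = p.x === q.x
    ? mod((3n * p.x * p.x + A) * inv(2n * p.y, P), P)
    : mod((q.y - p.y) * inv(q.x - p.x, P), P);
  const x = mod(s * s - p.x - q.x, P);
  return { x, y: mod(s * (p.x - x) - p.y, P) };
}
const sub = (p, q) => add(p, neg(q));
function mul(p, k) {                  // double-and-add, scalar reduced mod N
  let r = ZERO;
  for (k = mod(k, N); k > 0n; k >>= 1n, p = add(p, p)) if (k & 1n) r = add(r, p);
  return r;
}

// The thread's formulation: pk = g*dk, c = (pk*r, g*r + m), m = v - u*(1/dk).
// r is passed in so results are reproducible; real code draws it from a CSPRNG.
const keyGen = (dk) => ({ dk, pk: mul(G, dk) });
const enc = (pk, m, r) => ({ u: mul(pk, r), v: add(mul(G, r), m) });
const dec = (dk, c) => sub(c.v, mul(c.u, inv(dk, N)));

// Lifted ElGamal: encode a small integer n as the point g*n, then search for it.
const encLifted = (pk, n, r) => enc(pk, mul(G, n), r);
function decLifted(dk, c, bound) {
  const m = dec(dk, c);
  for (let n = 0n, t = ZERO; n <= bound; n++, t = add(t, G)) if (eq(m, t)) return n;
  return null;                        // message outside the searched range
}
```

The search in `decLifted` is linear in the bound, which is why the lifted variant only suits small message spaces.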
thanks a lot!!
it really helps me :)
Hi, I'm trying to use mcl-wasm to implement a nizk. In this picture, Enc is ElGamal Encryption, and I want to encrypt "1" of G.
However, this way does not work, meaning that I can't get "1" of G. How can I solve it?
thanks a lot