Only Additive Homomorphic Enc/Dec using she namespace

herumi / mcl

a portable and fast pairing-based cryptography library

BSD 3-Clause "New" or "Revised" License

450 stars 152 forks source link

Only Additive Homomorphic Enc/Dec using she namespace #117

Closed eNipu closed 3 years ago

eNipu commented 3 years ago

I would like to use mcl for calculating additive holomorphic encryption(lifted ElGamal) over the G_1 group only. Is it possible?

I found that there is a flag named isG1only_ and initG1only method. I thought that the library can be used without using pairing groups G2 and GT. Is my thought correct?

Is the test code of the CYBOZU_TEST_AUTO(liftedElGamal) function can be used as an example for this purpose?
If I add the public parameters of Curve25519 in mcl::ecparam, will it work?

Thank you.

herumi commented 3 years ago

thought that the library can be used without using pairing groups G2 and GT. Is my thought correct?

Yes.

Is the test code of the CYBOZU_TEST_AUTO(liftedElGamal) function can be used as an example for this purpose?

Yes.

If I add the public parameters of Curve25519 in mcl::ecparam, will it work?

No. The Curve25519 type is different from the Weierstrass function, so the current mcl does not support the curve.

eNipu commented 3 years ago

@herumi Thank you for your reply.

I've two more questions.

If I understood correctly, then there are two ways to achieve additive-homomorphism in mcl. One is using the API's in elgmal.hpp and another is using namespace mcl::she for G1 group only. ElgamalT uses curve on the prime field. mcl::she can take both pairing-friendly curves and prime field curves.

For encryption and decryption speed, is it better to use ElgamalT over mcl::she for the G_1 group only?
If the plaintext integer is > 2^32 then what is your suggestion to speed up the ElGamal decryption?

herumi commented 3 years ago

she.hpp is newer than elgamal.hpp, so she.hpp is faster decryption.
she::init(curve, hashSize, tryNum) where hashSize and tryNum affect decryption time.

It requires hashSize * 4-byte table for decryption and increases initializing time. see https://github.com/herumi/mcl/blob/master/misc/she/she-api.md#global-functions

eNipu commented 3 years ago

@herumi Thank you! I tried both mcl::ElgamalT and mcl::she for the enc and decryption. It seems that the mcl::she is faster for decryption but mcl::ElgamalT is about 5 times faster for encryption. This probably because I was using secp160k1 has a smaller prime modulus than the BN curve.

Is it possible to use the prime order curve defined in EcParam with she.hpp when G_1 only group is used?
she.hpp has a python binding file. I'm thinking to write a similar binding for elgamal.hpp. If you have any suggestions for any particular binding library please let me know.

herumi commented 3 years ago

but mcl::ElgamalT is about 5 times faster for encryption.

PrecomputedPublicKey is a little faster than ElgamalT.

https://github.com/herumi/mcl/blob/master/sample/she_g1only.cpp

make bin/she_g1only.exe && bin/she_g1only.exe
pub.enc 188.295Kclk
ppub.enc  48.435Kclk
Dec(Enc(123) + Enc(654)) = 777(ok)
elgamal
dec=777
enc  57.724Kclk

eNipu commented 3 years ago

@herumi Thank you. I am closing this issue.