Why are the ciphertexts multiplied instead of added in elgamal.py?

[aidamanzano]

In the Ciphertext class of elgamal.py in helios-server/helios/crypto, why is the function mul() homomorphically multiplying the ciphertexts? I understood Helios was using exponential elgamal to homomorphically add the ciphertexts. I also see that in the encrypt_with_r() fucntion of the PublicKey class, it is m that is encrypted and not g^m. Is Helios using additive homomorphic encryption or multiplicative?

[joaomorenorf]

When you multiply two exponential numbers you actually sum their exponents: a^m1*a^m2 = a^(m1+m2)

[aidamanzano]

yes, but in the encrypt_with_r() function of the Ciphertext class, it is m that is being encrypted, not g^m (where g is the generator). ciphertext.beta = (m * pow(self.y, r, self.p)) % self.p is how m is being encrypted.

[benadida]

Helios uses exponential El Gamal, so additive homomorphism, but to do that you multiply the cipher texts. There may we'll be some APIs that could be better explained!

[aidamanzano]

Thank you @benadida. Where in elgamal.py is the exponential elgamal encryption happening? I have only found where m is encrypted, not g^m, in the encrypt_with_r() function. Is plaintext.m being set to g^m then? If that is the case, where is the discrete log being computed to find log_g(m)?

[felixdoerre]

Just in case you are still wondering now, one year later, where the exponential elgamal logic happens (and just to document it, if someone else searches and finds this issue):

• The encryptions of votes happen in js, and the exponential plaintexts for that are generated here: https://github.com/benadida/helios-server/blob/017a53c6acd15f49a02afca1be1307847592fff0/helios/media/helios/jscrypto/helios.js#L193
• The decryption with the dlog happens with a full table here: https://github.com/benadida/helios-server/blob/9308a72e2932987051edcf5344315b17b9c6501b/helios/workflows/homomorphic.py#L232