This project provides a fully on-chain implementation of the ElGamal cryptosystem in Solidity, supporting both additive and multiplicative homomorphic encryption. It includes:
- ✅ Big number arithmetic using a custom
BigNumlibrary - ✅ ElGamal encryption (additive & multiplicative variants)
- ✅ Homomorphic operations: addition, subtraction, multiplication, division
- ✅ Unit tests with Foundry
- ✅ Decryption for small prime moduli
| Variant | Ciphertext Form | Decryption Method |
|---|---|---|
| Multiplicative | (c1, c2) = (g^r, m * h^r) |
m = c2 * (c1^x)^(-1) mod p |
| Additive | (c1, c2) = (g^r, g^m * h^r) |
g^m = c2 * (c1^x)^(-1) mod p + brute log |
Both variants support secure homomorphic operations.
This repo includes a standalone BigNum.sol library for:
- Modular exponentiation, multiplication, inversion
- Comparison, equality, shifting
- Encoding/decoding between bytes and integers
Used to support 256+ bit arithmetic for cryptographic ops on-chain.
We use Foundry to test all core functionality, including:
- Encryption and decryption for small and large primes
- Homomorphic addition, subtraction, multiplication, division
- Byte-level BigNumber correctness
- Edge cases in modular math
forge test[PASS] testEncryptDecryptSmallPrime()
[PASS] testDecryptMultiplicativeSmallPrime()
[PASS] testDecryptAdditiveSmallPrime()
[PASS] testHomomorphicAdditionLargePrime()
[PASS] testHomomorphicMultiplicationSmallPrime()
...
├── src/
│ ├── BigNum.sol # Core bignum arithmetic library
│ ├── ElGamalAdditive.sol # Additive ElGamal encryption
│ ├── ElGamalMultiplicative.sol # Multiplicative ElGamal encryption
│
├── test/
│ ├── ElGamalAdditive.t.sol # Unit tests for additive variant
│ ├── ElGamalMultiplicative.t.sol # Unit tests for multiplicative variant
│
├── foundry.toml
├── README.md
forge buildforge test -vvvforge fmtTo ensure correctness, we include decryption logic for small primes directly in Solidity, both for additive and multiplicative ElGamal.
Multiplicative decryption:
m = c2 * (c1^x)^(-1) mod pAdditive decryption (small primes only):
g^m = c2 * (c1^x)^(-1) mod p
m = bruteForceDiscreteLog(g^m, g, p)Note: Discrete log computation is infeasible for large primes. Decryption for large primes is not implemented, by design.
- Decryption only implemented for small primes
- No private key generation on-chain
- Not optimized for gas (this is a reference implementation)
- No zero-knowledge or proof systems (yet 😉)
This project is educational, research-oriented, and intended for those studying:
- Cryptography on-chain
- Secure multiparty computation (SMPC)
- Homomorphic encryption
- Solidity for systems programming
MIT — free to use, study, remix, or build on. Commercial use at your discretion.