Shared decryption

This subprotocol implements the MPC of an ElGamal scheme.

We use the following simple version of ElGamal:

The cleartext $M$ is an element of the cryptographic group $E$ with $q$ points with DDH assumption, $X = xG$ is a public key of a recipient. Then, sender creates the cyphertext $(C = M + kP, K = kG)$, where $k \in_R \mathbb{Z}_q$.

In order to decrypt, the recipient calculates $M = C - xK$.

Now, consider the recipient which is an MPC with $n$ parties, and assume they have a $\mathbb{Z}_q$-shared private key $[x]$. Naturally, they can obtain the shared-over-group value $[M]_E = C - [x]K$.

As a last step, they use conversion described in sharing over groups to obtain coordinate-wise representation of the message $M$.