In
cryptography
Cryptography, or cryptology (from grc, , translit=kryptós "hidden, secret"; and ''graphein'', "to write", or ''-logia'', "study", respectively), is the practice and study of techniques for secure communication in the presence of adver ...
, the ElGamal encryption system is an
asymmetric key encryption algorithm
Public-key cryptography, or asymmetric cryptography, is the field of cryptographic systems that use pairs of related keys. Each key pair consists of a public key and a corresponding private key. Key pairs are generated with cryptographic al ...
for
public-key cryptography
Public-key cryptography, or asymmetric cryptography, is the field of cryptographic systems that use pairs of related keys. Each key pair consists of a public key and a corresponding private key. Key pairs are generated with cryptographic alg ...
which is based on the
Diffie–Hellman key exchange. It was described by
Taher Elgamal
Taher Elgamal (Arabic: طاهر الجمل) (born 18 August 1955) is an Egyptian cryptographer and entrepreneur. He has served as the Chief Technology Officer (CTO) of Security at Salesforce since 2013. Prior to that, he was the founder and CEO ...
in 1985. ElGamal encryption is used in the free
GNU Privacy Guard
GNU Privacy Guard (GnuPG or GPG) is a free-software replacement for Symantec's PGP cryptographic software suite. The software is compliant with RFC 4880, the IETF standards-track specification of OpenPGP. Modern versions of PGP are interoperable ...
software, recent versions of
PGP, and other
cryptosystems. The
Digital Signature Algorithm
The Digital Signature Algorithm (DSA) is a public-key cryptosystem and Federal Information Processing Standard for digital signatures, based on the mathematical concept of modular exponentiation and the discrete logarithm problem. DSA is a variant ...
(DSA) is a variant of the
ElGamal signature scheme
The ElGamal signature scheme is a digital signature scheme which is based on the difficulty of computing discrete logarithms. It was described by Taher Elgamal in 1985. (conference version appeared in CRYPTO'84, pp. 10–18)
The ElGamal signature ...
, which should not be confused with ElGamal encryption.
ElGamal encryption can be defined over any
cyclic group
In group theory, a branch of abstract algebra in pure mathematics, a cyclic group or monogenous group is a group, denoted C''n'', that is generated by a single element. That is, it is a set of invertible elements with a single associative bina ...
, like
multiplicative group of integers modulo ''n''. Its security depends upon the difficulty of a certain problem in
related to computing
discrete logarithms.
The algorithm
ElGamal encryption consists of three components: the key generator, the encryption algorithm, and the decryption algorithm.
Key generation
The first party, Alice, generates a key pair as follows:
* Generate an efficient description of a
cyclic group
In group theory, a branch of abstract algebra in pure mathematics, a cyclic group or monogenous group is a group, denoted C''n'', that is generated by a single element. That is, it is a set of invertible elements with a single associative bina ...
of
order with
generator . Let
represent the identity element of
.
* Choose an integer
randomly from
.
* Compute
.
* The
public key
Public-key cryptography, or asymmetric cryptography, is the field of cryptographic systems that use pairs of related keys. Each key pair consists of a public key and a corresponding private key. Key pairs are generated with cryptographic al ...
consists of the values
. Alice publishes this public key and retains
as her private key, which must be kept secret.
Encryption
A second party, Bob, encrypts a message
to Alice under her public key
as follows:
* Map the message
to an element
of
using a reversible mapping function.
* Choose an integer
randomly from
.
* Compute
. This is called the ''shared secret''.
* Compute
.
* Compute
.
* Bob sends the ciphertext
to Alice.
Note that if one knows both the ciphertext
and the plaintext
, one can easily find the shared secret
, since
. Therefore, a new
and hence a new
is generated for every message to improve security. For this reason,
is also called an
ephemeral key.
Decryption
Alice decrypts a ciphertext
with her private key
as follows:
* Compute
. Since
,
, and thus it is the same shared secret that was used by Bob in encryption.
* Compute
, the inverse of
in the group
. This can be computed in one of several ways. If
is a subgroup of a multiplicative group of integers modulo
, where
is prime, the
modular multiplicative inverse In mathematics, particularly in the area of arithmetic, a modular multiplicative inverse of an integer is an integer such that the product is congruent to 1 with respect to the modulus .. In the standard notation of modular arithmetic this congr ...
can be computed using the
extended Euclidean algorithm. An alternative is to compute
as
. This is the inverse of
because of
Lagrange's theorem, since
.
* Compute
. This calculation produces the original message
, because
; hence
.
* Map
back to the plaintext message
.
Practical use
Like most public key systems, the ElGamal cryptosystem is usually used as part of a
hybrid cryptosystem, where the message itself is encrypted using a symmetric cryptosystem, and ElGamal is then used to encrypt only the symmetric key. This is because asymmetric cryptosystems like ElGamal are usually slower than symmetric ones for the same
level of security, so it is faster to encrypt the message, which can be arbitrarily large, with a symmetric cipher, and then use ElGamal only to encrypt the symmetric key, which usually is quite small compared to the size of the message.
Security
The security of the ElGamal scheme depends on the properties of the underlying group
as well as any padding scheme used on the messages. If the
computational Diffie–Hellman assumption (CDH) holds in the underlying cyclic group
, then the encryption function is
one-way.
If the
decisional Diffie–Hellman assumption (DDH) holds in
, then
ElGamal achieves
semantic security.
[
] Semantic security is not implied by the computational Diffie–Hellman assumption alone. See decisional Diffie–Hellman assumption for a discussion of groups where the assumption is believed to hold.
ElGamal encryption is unconditionally malleable
Ductility is a mechanical property commonly described as a material's amenability to drawing (e.g. into wire). In materials science, ductility is defined by the degree to which a material can sustain plastic deformation under tensile stres ...
, and therefore is not secure under chosen ciphertext attack
A chosen-ciphertext attack (CCA) is an attack model for cryptanalysis where the cryptanalyst can gather information by obtaining the decryptions of chosen ciphertexts. From these pieces of information the adversary can attempt to recover the hidd ...
. For example, given an encryption of some (possibly unknown) message , one can easily construct a valid encryption of the message .
To achieve chosen-ciphertext security, the scheme must be further modified, or an appropriate padding scheme must be used. Depending on the modification, the DDH assumption may or may not be necessary.
Other schemes related to ElGamal which achieve security against chosen ciphertext attacks have also been proposed. The Cramer–Shoup cryptosystem is secure under chosen ciphertext attack assuming DDH holds for . Its proof does not use the random oracle model. Another proposed scheme is DHAES, whose proof requires an assumption that is weaker than the DDH assumption.
Efficiency
ElGamal encryption is probabilistic, meaning that a single plaintext
In cryptography, plaintext usually means unencrypted information pending input into cryptographic algorithms, usually encryption algorithms. This usually refers to data that is transmitted or stored unencrypted.
Overview
With the advent of com ...
can be encrypted to many possible ciphertexts, with the consequence that a general ElGamal encryption produces a 1:2 expansion in size from plaintext to ciphertext.
Encryption under ElGamal requires two exponentiation
Exponentiation is a mathematical operation, written as , involving two numbers, the '' base'' and the ''exponent'' or ''power'' , and pronounced as " (raised) to the (power of) ". When is a positive integer, exponentiation corresponds to r ...
s; however, these exponentiations are independent of the message and can be computed ahead of time if needed. Decryption requires one exponentiation and one computation of a group inverse, which can, however, be easily combined into just one exponentiation.
See also
* Taher Elgamal
Taher Elgamal (Arabic: طاهر الجمل) (born 18 August 1955) is an Egyptian cryptographer and entrepreneur. He has served as the Chief Technology Officer (CTO) of Security at Salesforce since 2013. Prior to that, he was the founder and CEO ...
, designer of this and other cryptosystems
* ElGamal signature scheme
The ElGamal signature scheme is a digital signature scheme which is based on the difficulty of computing discrete logarithms. It was described by Taher Elgamal in 1985. (conference version appeared in CRYPTO'84, pp. 10–18)
The ElGamal signature ...
* Homomorphic encryption
Homomorphic encryption is a form of encryption that permits users to perform computations on its encrypted data without first decrypting it. These resulting computations are left in an encrypted form which, when decrypted, result in an identical ...
Further reading
*
*
References
{{DEFAULTSORT:Elgamal Encryption
Public-key encryption schemes