- The algorithm Key generation Encryption Decryption Practical use
- Security
- Efficiency Decryption
- See also
- References
In cryptography, the ElGamal encryption system is an asymmetric key encryption algorithm for public-key cryptography which is based on the Diffie–Hellman key exchange. The system provides an additional layer of security by asymmetrically encrypting keys previously used for symmetric message encryption. It was described by Taher Elgamal in 1985.[1] ElGamal encryption is used in the free GNU Privacy Guard software, recent versions of PGP, and other cryptosystems. The Digital Signature Algorithm (DSA) is a variant of the ElGamal signature scheme, which should not be confused with ElGamal encryption.
ElGamal encryption can be defined over any cyclic group 
. Its security depends upon the difficulty of a certain problem in related to computing discrete logarithms (see below).
The algorithm
ElGamal encryption consists of three components: the key generator, the encryption algorithm, and the decryption algorithm.
Key generation
The key generator works as follows:
- Alice generates an efficient description of a cyclic group
of order 
with generator 
. See below for a discussion on the required properties of this group. - Alice chooses an
randomly from 
. - Alice computes
. - Alice publishes
, along with the description of 
, as her public key. Alice retains as her private key, which must be kept secret.
Encryption
The encryption algorithm works as follows: to encrypt a message 
to Alice under her public key 
,
- Bob chooses a random
from , then calculates 
. - Bob calculates the shared secret
. - Bob maps his message onto an element
of . - Bob calculates
. - Bob sends the ciphertext
to Alice.
Note that one can easily find 
if one knows . Therefore, a new is generated for every message to improve security. For this reason, is also called an ephemeral key.
Decryption
The decryption algorithm works as follows: to decrypt a ciphertext 
with her private key ,
- Alice calculates the shared secret
- and then computes
which she then converts back into the plaintext message , where 
is the inverse of 
in the group . (E.g. modular multiplicative inverse if is a subgroup of a multiplicative group of integers modulo n).
The decryption algorithm produces the intended message, since
Practical use
The ElGamal cryptosystem is usually used in a hybrid cryptosystem. I.e., the message itself is encrypted using a symmetric cryptosystem and ElGamal is then used to encrypt the key used for the symmetric cryptosystem. This is because asymmetric cryptosystems like Elgamal are usually slower than symmetric ones for the same level of security, so it is faster to encrypt the symmetric key (which most of the time is quite small if compared to the size of the message) with Elgamal and the message (which can be arbitrarily large) with a symmetric cipher.
Security
The security of the ElGamal scheme depends on the properties of the underlying group as well as any padding scheme used on the messages.
If the computational Diffie–Hellman assumption (CDH) holds in the underlying cyclic group , then the encryption function is one-way.[2]
If the decisional Diffie–Hellman assumption (DDH) holds in , then
ElGamal achieves semantic security;[3] (see also [2]). Semantic security is not implied by the computational Diffie–Hellman assumption alone.[4] See decisional Diffie–Hellman assumption for a discussion of groups where the assumption is believed to hold.
ElGamal encryption is unconditionally malleable, and therefore is not secure under chosen ciphertext attack. For example, given an encryption 
of some (possibly unknown) message , one can easily construct a valid encryption 
of the message 
.
To achieve chosen-ciphertext security, the scheme must be further modified, or an appropriate padding scheme must be used. Depending on the modification, the DDH assumption may or may not be necessary.
Other schemes related to ElGamal which achieve security against chosen ciphertext attacks have also been proposed.
The Cramer–Shoup cryptosystem is secure under chosen ciphertext attack assuming DDH holds for . Its proof does not use the random oracle model. Another proposed scheme is DHAES,[4] whose proof requires an assumption that is weaker than the DDH assumption.
Efficiency
ElGamal encryption is probabilistic, meaning that a single plaintext can be encrypted to many possible ciphertexts, with the consequence that a general ElGamal encryption produces a 2:1 expansion in size from plaintext to ciphertext.
Encryption under ElGamal requires two exponentiations; however, these exponentiations are independent of the message and can be computed ahead of time if need be. Decryption only requires one exponentiation:
Decryption
The division by 
can be avoided by using an alternative method for decryption.
To decrypt a ciphertext 
with Alice's private key 
,
- Alice calculates
.
is the inverse of . This is a consequence of Lagrange's theorem, because
whereis the identity element of
- Alice then computes
, which she then converts back into the plaintext message 
.
The decryption algorithm produces the intended message, since
See also
- Taher ElGamal, designer of this and other cryptosystems
- ElGamal signature scheme
- Homomorphic encryption
References
2. ^1 CRYPTUTOR, "Elgamal encryption scheme {{webarchive|url=https://web.archive.org/web/20090421130001/http://crypto.cs.uiuc.edu/wiki/index.php/Elgamal_encryption_scheme |date=2009-04-21 }}"
3. ^Yiannis Tsiounis, Moti Yung: On the Security of ElGamal Based Encryption. Public Key Cryptography 1998: 117-134 [https://link.springer.com/chapter/10.1007%2FBFb0054019]
4. ^1 M. Abdalla, M. Bellare, P. Rogaway, "DHAES, An encryption scheme based on the Diffie–Hellman Problem" (Appendix A)
- {{cite conference
| first = Taher
| last = ElGamal
| title = A public key cryptosystem and a signature scheme based on discrete logarithms
| booktitle = Advances in cryptology: Proceedings of CRYPTO 84
| pages = 10–18
| volume = 196
| series = Lecture Notes in Computer Science
| publisher = Springer-Verlag
| year = 1985
| location = Santa Barbara, California, United States
| url = http://groups.csail.mit.edu/cis/crypto/classes/6.857/papers/elgamal.pdf
| doi = 10.1007/3-540-39568-7_2}}
- {{cite book |author1=A. J. Menezes |author2=P. C. van Oorschot |author3=S. A. Vanstone |publisher=CRC Press |chapter-url=http://www.cacr.math.uwaterloo.ca/hac/about/chap8.pdf |title=Handbook of Applied Cryptography |chapter=Chapter 8.4 ElGamal public-key encryption}}
- {{cite book |author=Dan Boneh |title=The Decision Diffie–Hellman Problem |journal=Lecture Notes in Computer Science |year=1998 |volume=1423 |pages=48–63 |doi=10.1007/BFb0054851 |url=http://crypto.stanford.edu/~dabo/abstracts/DDH.html|isbn=978-3-540-64657-0 |citeseerx=10.1.1.461.9971 }}
- 75th Field Artillery Brigade (United States)
- 75th Fighter-Interceptor Squadron
- 75th Fighter Squadron
- 75th Fighter Squadron (United States)
- 75th Fighter Squadron (USAF)
- 75th Guards Rifle Division
- 75th Illinois Infantry Regiment
- 75th Indiana Infantry Regiment
- 75th Indian Infantry Brigade
- 75th Infantry Division
- 75th Infantry Division (Wehrmacht)
- 75th meridian
- 75th meridian east
- 75th meridian west
- 75th Military Airlift Squadron
- 75th NFL Draft
- 75th Ohio Volunteer Infantry
- 75th Oregon Legislative Assembly
- 75th Oregon legislature
- 75th parallel
- 75th parallel north
- 75th parallel south
- 75th Police Precinct Station House
- 75th Reconnaissance Group
- 75th Regiment Infantry U.S. Colored Troops