Open main menu

ElGamal encryption

In cryptography, the ElGamal encryption system is an asymmetric key encryption algorithm for public-key cryptography which is based on the Diffie–Hellman key exchange. It was described by Taher Elgamal in 1985.[1] ElGamal encryption is used in the free GNU Privacy Guard software, recent versions of PGP, and other cryptosystems. The Digital Signature Algorithm (DSA) is a variant of the ElGamal signature scheme, which should not be confused with ElGamal encryption.

ElGamal encryption can be defined over any cyclic group , such as multiplicative group of integers modulo n. Its security depends upon the difficulty of a certain problem in related to computing discrete logarithms.

The algorithmEdit

ElGamal encryption consists of three components: the key generator, the encryption algorithm, and the decryption algorithm. The ElGamal paper and the Handbook of Applied Cryptography state to select the private key   in the range  . Tsiounis and Yung showed the lower limit as   in On the Security of EIGamal Based Encryption.[2]

Key generationEdit

The first party, Alice, generates a key pair as follows:

  • Generate an efficient description of a cyclic group   of order   with generator  . Let   represent the unit element of  .
  • Choose an integer   randomly from  .
  • Compute  .
  • The public key consists of the values  . Alice publishes this public key and retains   as her private key, which must be kept secret.

EncryptionEdit

A second party, Bob, encrypts a message   to Alice under her public key   as follows:

  • Map the message   to an element   of   using a reversible mapping function.
  • Choose an integer   randomly from  .
  • Compute  . This is called the shared secret.
  • Compute  .
  • Compute  .
  • Bob sends the ciphertext   to Alice.

Note that if one knows both the ciphertext   and the plaintext   one can easily find the shared secret  , since  . Therefore, a new   and hence a new   is generated for every message to improve security. For this reason,   is also called an ephemeral key.

DecryptionEdit

Alice decrypts a ciphertext   with her private key   as follows:

  • Compute  . Since  ,   and thus it is the same shared secret that was used by Bob in encryption.
  • Compute  , the inverse of   in the group  . This can be computed in one of several ways. If   is a subgroup of a multiplicative group of integers modulo n, the modular multiplicative inverse can be computed using the Extended Euclidean Algorithm. An alternative is to compute   as  . This is the inverse of   because of Lagrange's theorem, since  .
  • Compute  . This calculation produces the original message  , because  ; hence  .
  • Map   back to the plaintext message  .

Practical useEdit

Like most public key systems, the ElGamal cryptosystem is usually used as part of a hybrid cryptosystem where the message itself is encrypted using a symmetric cryptosystem and ElGamal is then used to encrypt only the symmetric key. This is because asymmetric cryptosystems like ElGamal are usually slower than symmetric ones for the same level of security, so it is faster to encrypt the message, which can be arbitrarily large, with a symmetric cipher, and then use ElGamal only to encrypt the symmetric key, which usually is quite small compared to the size of the message.

SecurityEdit

The security of the ElGamal scheme depends on the properties of the underlying group   as well as any padding scheme used on the messages.

If the computational Diffie–Hellman assumption (CDH) holds in the underlying cyclic group  , then the encryption function is one-way.[3]

If the decisional Diffie–Hellman assumption (DDH) holds in  , then ElGamal achieves semantic security;[4][3]. Semantic security is not implied by the computational Diffie–Hellman assumption alone.[5] See decisional Diffie–Hellman assumption for a discussion of groups where the assumption is believed to hold.

ElGamal encryption is unconditionally malleable, and therefore is not secure under chosen ciphertext attack. For example, given an encryption   of some (possibly unknown) message  , one can easily construct a valid encryption   of the message  .

To achieve chosen-ciphertext security, the scheme must be further modified, or an appropriate padding scheme must be used. Depending on the modification, the DDH assumption may or may not be necessary.

Other schemes related to ElGamal which achieve security against chosen ciphertext attacks have also been proposed. The Cramer–Shoup cryptosystem is secure under chosen ciphertext attack assuming DDH holds for  . Its proof does not use the random oracle model. Another proposed scheme is DHAES,[5] whose proof requires an assumption that is weaker than the DDH assumption.

EfficiencyEdit

ElGamal encryption is probabilistic, meaning that a single plaintext can be encrypted to many possible ciphertexts, with the consequence that a general ElGamal encryption produces a 2:1 expansion in size from plaintext to ciphertext.

Encryption under ElGamal requires two exponentiations; however, these exponentiations are independent of the message and can be computed ahead of time if need be. Decryption requires one exponentiation and one computation of a group inverse which can however be easily combined into just one exponentiation.

See alsoEdit

Further readingEdit

  • A. J. Menezes; P. C. van Oorschot; S. A. Vanstone. "Chapter 8.4 ElGamal public-key encryption" (PDF). Handbook of Applied Cryptography. CRC Press.

ReferencesEdit

  1. ^ Taher ElGamal (1985). "A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms" (PDF). IEEE Transactions on Information Theory. 31 (4): 469–472. CiteSeerX 10.1.1.476.4791. doi:10.1109/TIT.1985.1057074. (conference version appeared in CRYPTO'84, pp. 10–18)
  2. ^ Tsiounis, Yiannis; Yung, Moti (2006). "On the security of ElGamal based encryption". Lecture Notes in Computer Science. Berlin, Heidelberg: Springer. 1431. doi:10.1007/BFb0054019. ISBN 978-3-540-64693-8.
  3. ^ a b Mike Rosulek (2008-12-13). "Elgamal encryption scheme". University of Illinois at Urbana-Champaign. Archived from the original on 2016-07-22.
  4. ^ Tsiounis, Yiannis; Yung, Moti (2006-05-24). "On the security of ElGamal based encryption". Public Key Cryptography 1998: 117–134. doi:10.1007/BFb0054019. ISBN 978-3-540-69105-1.
  5. ^ a b Abdalla, Michel; Bellare, Mihir; Rogaway, Phillip (1999-03-17). "DHAES: An Encryption Scheme Based on the Diffie-Hellman Problem". THEORY OF CRYPTOGRAPHY LIBRARY.