HOME

TheInfoList



OR:

In
cryptography Cryptography, or cryptology (from grc, , translit=kryptós "hidden, secret"; and ''graphein'', "to write", or ''-logia'', "study", respectively), is the practice and study of techniques for secure communication in the presence of adve ...
, the ElGamal encryption system is an
asymmetric key encryption algorithm Public-key cryptography, or asymmetric cryptography, is the field of cryptographic systems that use pairs of related keys. Each key pair consists of a public key and a corresponding private key. Key pairs are generated with cryptographic alg ...
for public-key cryptography which is based on the Diffie–Hellman key exchange. It was described by
Taher Elgamal Taher Elgamal (Arabic: طاهر الجمل) (born 18 August 1955) is an Egyptian cryptographer and entrepreneur. He has served as the Chief Technology Officer (CTO) of Security at Salesforce since 2013. Prior to that, he was the founder and CEO ...
in 1985. ElGamal encryption is used in the free GNU Privacy Guard software, recent versions of PGP, and other
cryptosystem In cryptography, a cryptosystem is a suite of cryptographic algorithms needed to implement a particular security service, such as confidentiality (encryption). Typically, a cryptosystem consists of three algorithms: one for key generation, one fo ...
s. The Digital Signature Algorithm (DSA) is a variant of the ElGamal signature scheme, which should not be confused with ElGamal encryption. ElGamal encryption can be defined over any cyclic group G, like multiplicative group of integers modulo ''n''. Its security depends upon the difficulty of a certain problem in G related to computing
discrete logarithm In mathematics, for given real numbers ''a'' and ''b'', the logarithm log''b'' ''a'' is a number ''x'' such that . Analogously, in any group ''G'', powers ''b'k'' can be defined for all integers ''k'', and the discrete logarithm log'' ...
s.


The algorithm

ElGamal encryption consists of three components: the key generator, the encryption algorithm, and the decryption algorithm.


Key generation

The first party, Alice, generates a key pair as follows: * Generate an efficient description of a cyclic group G\, of
order Order, ORDER or Orders may refer to: * Categorization, the process in which ideas and objects are recognized, differentiated, and understood * Heterarchy, a system of organization wherein the elements have the potential to be ranked a number of ...
q\, with generator g. Let e represent the identity element of G. * Choose an integer x randomly from \. * Compute h := g^x. * The public key consists of the values (G,q,g,h). Alice publishes this public key and retains x as her private key, which must be kept secret.


Encryption

A second party, Bob, encrypts a message M to Alice under her public key (G,q,g,h) as follows: * Map the message M to an element m of G using a reversible mapping function. * Choose an integer y randomly from \. * Compute s := h^y. This is called the ''shared secret''. * Compute c_1 := g^y. * Compute c_2 := m \cdot s. * Bob sends the ciphertext (c_1,c_2) to Alice. Note that if one knows both the ciphertext (c_1,c_2) and the plaintext m, one can easily find the shared secret s, since c_2 \cdot m^ = s. Therefore, a new y and hence a new s is generated for every message to improve security. For this reason, y is also called an
ephemeral key A cryptographic key is called ephemeral if it is generated for each execution of a key establishment process. In some cases ephemeral keys are used more than once, within a single session (e.g., in broadcast applications) where the sender generat ...
.


Decryption

Alice decrypts a ciphertext (c_1, c_2) with her private key x as follows: * Compute s := c_1^x. Since c_1 = g^y, c_1^x = g^ = h^y, and thus it is the same shared secret that was used by Bob in encryption. * Compute s^, the inverse of s in the group G. This can be computed in one of several ways. If G is a subgroup of a multiplicative group of integers modulo n, where n is prime, the modular multiplicative inverse can be computed using the extended Euclidean algorithm. An alternative is to compute s^ as c_1^. This is the inverse of s because of Lagrange's theorem, since s \cdot c_1^ = g^ \cdot g^ = (g^)^y = e^y = e. * Compute m := c_2 \cdot s^. This calculation produces the original message m, because c_2 = m \cdot s; hence c_2 \cdot s^ = (m \cdot s) \cdot s^ = m \cdot e = m. * Map m back to the plaintext message M.


Practical use

Like most public key systems, the ElGamal cryptosystem is usually used as part of a hybrid cryptosystem, where the message itself is encrypted using a symmetric cryptosystem, and ElGamal is then used to encrypt only the symmetric key. This is because asymmetric cryptosystems like ElGamal are usually slower than symmetric ones for the same level of security, so it is faster to encrypt the message, which can be arbitrarily large, with a symmetric cipher, and then use ElGamal only to encrypt the symmetric key, which usually is quite small compared to the size of the message.


Security

The security of the ElGamal scheme depends on the properties of the underlying group G as well as any padding scheme used on the messages. If the
computational Diffie–Hellman assumption The computational Diffie–Hellman (CDH) assumption is a computational hardness assumption about the Diffie–Hellman problem. The CDH assumption involves the problem of computing the discrete logarithm in cyclic groups. The CDH problem illustrates ...
(CDH) holds in the underlying cyclic group G, then the encryption function is one-way. If the
decisional Diffie–Hellman assumption The decisional Diffie–Hellman (DDH) assumption is a computational hardness assumption about a certain problem involving discrete logarithms in cyclic groups. It is used as the basis to prove the security of many cryptographic protocols, most notab ...
(DDH) holds in G, then ElGamal achieves
semantic security In cryptography, a semantically secure cryptosystem is one where only negligible information about the plaintext can be feasibly extracted from the ciphertext. Specifically, any probabilistic, polynomial-time algorithm (PPTA) that is given the ciph ...
. Semantic security is not implied by the computational Diffie–Hellman assumption alone. See
decisional Diffie–Hellman assumption The decisional Diffie–Hellman (DDH) assumption is a computational hardness assumption about a certain problem involving discrete logarithms in cyclic groups. It is used as the basis to prove the security of many cryptographic protocols, most notab ...
for a discussion of groups where the assumption is believed to hold. ElGamal encryption is unconditionally malleable, and therefore is not secure under
chosen ciphertext attack A chosen-ciphertext attack (CCA) is an attack model for cryptanalysis where the cryptanalyst can gather information by obtaining the decryptions of chosen ciphertexts. From these pieces of information the adversary can attempt to recover the hidden ...
. For example, given an encryption (c_1, c_2) of some (possibly unknown) message m, one can easily construct a valid encryption (c_1, 2 c_2) of the message 2m. To achieve chosen-ciphertext security, the scheme must be further modified, or an appropriate padding scheme must be used. Depending on the modification, the DDH assumption may or may not be necessary. Other schemes related to ElGamal which achieve security against chosen ciphertext attacks have also been proposed. The Cramer–Shoup cryptosystem is secure under chosen ciphertext attack assuming DDH holds for G. Its proof does not use the random oracle model. Another proposed scheme is DHAES, whose proof requires an assumption that is weaker than the DDH assumption.


Efficiency

ElGamal encryption is probabilistic, meaning that a single
plaintext In cryptography, plaintext usually means unencrypted information pending input into cryptographic algorithms, usually encryption algorithms. This usually refers to data that is transmitted or stored unencrypted. Overview With the advent of comp ...
can be encrypted to many possible ciphertexts, with the consequence that a general ElGamal encryption produces a 1:2 expansion in size from plaintext to ciphertext. Encryption under ElGamal requires two exponentiations; however, these exponentiations are independent of the message and can be computed ahead of time if needed. Decryption requires one exponentiation and one computation of a group inverse, which can, however, be easily combined into just one exponentiation.


See also

*
Taher Elgamal Taher Elgamal (Arabic: طاهر الجمل) (born 18 August 1955) is an Egyptian cryptographer and entrepreneur. He has served as the Chief Technology Officer (CTO) of Security at Salesforce since 2013. Prior to that, he was the founder and CEO ...
, designer of this and other cryptosystems * ElGamal signature scheme * Homomorphic encryption


Further reading

* *


References

{{DEFAULTSORT:Elgamal Encryption Public-key encryption schemes