The ElGamal algorithm is an asymmetric key encryption algorithm for public key cryptography which is based on Diffie-Hellman key agreement. It was described by Taher Elgamal in 1984. The ElGamal algorithm is used in the free GNU Privacy Guard software, recent versions of PGP, and other cryptosystems. The Digital Signature Algorithm is a variant of the ElGamal signature scheme, which should not be confused with the ElGamal algorithm. In cryptography, an asymmetric key algorithm uses a pair of different, though related, cryptographic keys to encrypt and decrypt. ... Public key cryptography is a form of cryptography which generally allows users to communicate securely without having prior access to a shared secret key, by using a pair of cryptographic keys, designated as public key and private key, which are related mathematically. ... Diffie-Hellman key exchange is a cryptographic protocol which allows two parties to agree on a secret key over an insecure communication channel. ... Dr. Taher Elgamal (Arabic: طاهر الجمل) (born 18 August 1955) is an Egyptian-American cryptographer. ... 1984 (MCMLXXXIV) was a leap year starting on Sunday of the Gregorian calendar. ... The GNU Privacy Guard (GnuPG or GPG) is a free software replacement for the PGP suite of cryptographic software, released under the GNU General Public License. ... This article is about the encryption program. ... A cryptosystem (or cryptographic system) is the package of all procedures, protocols, cryptographic algorithms and instructions used for encoding and decoding messages using cryptography. ... The Digital Signature Algorithm (DSA) is a United States Federal Government standard for digital signatures. ... The ElGamal Signature scheme is a digital signature scheme which is based on the difficulty of computing discrete logarithms. ...

ElGamal can be defined over any cyclic group G. Its security depends upon the difficulty of a certain problem in G related to computing discrete logarithms (see below). In group theory, a cyclic group is a group that can be generated by a single element, in the sense that the group has an element a (called a generator of the group) such that, when written multiplicatively, every element of the group is a power of a (or na... In abstract algebra and its applications, the discrete logarithms are defined in group theory in analogy to ordinary logarithms. ...

The algorithm

ElGamal consists of three components: the key generator, the encryption algorithm, and the decryption algorithm.

The key generator works as follows:

• Alice generates an efficient description of a cyclic group G of order q with generator g. See below for specific examples of how this can be done.
• Alice chooses a random x from .
• Alice computes h = g^x.
• Alice publishes h, along with the description of G,q,g, as her public key. Alice retains x as her secret key.

The encryption algorithm works as follows: to encrypt a message m to Alice under her public key (G,q,g,h), In abstract algebra, a generating set of a group is a subset S such that every element of G can be expressed as the product of finitely many elements of S and their inverses. ... PKC, see PKC (disambiguation) Public-key cryptography is a form of modern cryptography which allows users to communicate securely without previously agreeing on a shared secret key. ... A key is a piece of information that controls the operation of a cryptography algorithm. ...

• Bob converts m into an element of G.
• Bob chooses a random y from , then calculates c₁ = g^y and .
• Bob sends the ciphertext (c₁,c₂) to Alice.

The decryption algorithm works as follows: to decrypt a ciphertext (c₁,c₂) with her secret key x,

• Alice computes as the plaintext message.

The decryption algorithm produces the intended message, since

If the space of possible messages is larger than the size of G, then the message can be split into several pieces and each piece can be encrypted independently. Typically, however, a short key to a symmetric-key cipher is first encrypted under ElGamal, and the (much longer) intended message is encrypted more efficiently using the symmetric-key cipher — this is termed hybrid encryption. A symmetric-key algorithm is an algorithm for cryptography that uses the same cryptographic key to encrypt and decrypt the message. ...

Security

ElGamal is a simple example of a semantically secure asymmetric key encryption algorithm (under reasonable assumptions). It is probabilistic, meaning that a single plaintext can be encrypted to many possible ciphertexts, with the consequence that a general ElGamal encryption produces a 2:1 expansion in size from plaintext to ciphertext. Semantic security is a widely-used definition for security in an asymmetric key encryption algorithm. ... Probabilistic encryption is the use of randomness in an encryption algorithm, so that when encrypting the same message several times it will, in general, yield different ciphertexts. ... The plain text term has a different meaning. ...

ElGamal's security rests, in part, on the difficulty of solving the discrete logarithm problem in G. Specifically, if the discrete logarithm problem could be solved efficiently, then ElGamal would be broken. However, the security of ElGamal actually relies on the so-called Decisional Diffie-Hellman (DDH) assumption. This assumption is often stronger than the discrete log assumption, but is still believed to be true for many classes of groups. In abstract algebra and its applications, the discrete logarithms are defined in group theory in analogy to ordinary logarithms. ... The decisional Diffie-Hellman (DDH) assumption is the assumption that a certain computational problem within a cyclic group is hard. ...

Generating the group G

As described above, ElGamal can be defined over any cyclic group G, and is secure if a certain computational assumption (the "DDH Assumption") about that group is true. Unfortunately, the straightforward use of G = Z_p for a prime p is insecure, because the DDH Assumption is false in this group. In contrast, computing discrete logs is believed to be hard in Z_p, but this is not enough for the security of ElGamal.

The two most popular types of groups used in ElGamal are subgroups of Z_p and groups defined over certain elliptic curves. Here is one popular way of choosing an appropriate subgroup of Z_p which is believed to be secure: In group theory, given a group G under a binary operation *, we say that some subset H of G is a subgroup of G if H also forms a group under the operation *. More precisely, H is a subgroup of G if the restriction of * to H is a group... In mathematics, an elliptic curve is a plane curve defined by an equation of the form y2 = x3 + a x + b, which is non-singular; that is, its graph has no cusps or self-intersections. ...

• Choose a random large prime p such that p − 1 = kq for some small integer k and large prime q. This can be done, for example with k = 2, by first choosing a random large prime q and checking if p = 2q + 1 is prime.
• Choose a random element such that and g^q = 1mod p, i.e. such that g is of order q.
• The group G is the subgroup of Z_p generated by g, i.e. the set of kth residues mod p.

When encrypting, care must be taken to properly encode the message m as an element of G, and not, say, as just an arbitrary element of Z_p. In mathematics, a prime number (or a prime) is a natural number that has exactly two (distinct) natural number divisors, which are 1 and the prime number itself. ...

Efficiency

Encryption under ElGamal requires two exponentiations; however, these exponentiations are independent of the message and can be computed ahead of time if need be. The ciphertext is twice as long as the plaintext, which is a disadvantage as compared to some other algorithms. Decryption only requires one exponentiation (instead of division, exponentiate c₁ to q − x). Unlike in the RSA and Rabin systems, ElGamal decryption cannot be sped up via the Chinese remainder theorem. In mathematics, exponentiation (frequently known colloquially as raising a number to a power) is a process generalized from repeated (or iterated) multiplication, in much the same way that multiplication is a process generalized from repeated addition. ... In cryptography, RSA is an algorithm for public-key encryption. ... The Miller-Rabin primality test or Rabin-Miller primality test is a primality test: an algorithm which determines whether a given number is prime, similar to the Fermat primality test and the Solovay-Strassen primality test. ... link titleThe Chinese remainder theorem (CRT) is the name for several related results in abstract algebra and number theory. ...

Miscellaneous

ElGamal is malleable in an extreme way: for example, given an encryption (c₁,c₂) of some (possibly unknown) message m, one can easily construct an encryption of the message 2m. Therefore ElGamal is not secure under chosen ciphertext attack. On the other hand, the Cramer-Shoup system (which is based on ElGamal) is secure under chosen ciphertext attack. Malleable is a term used in the analyses of cryptographic algorithms: A malleable encryption algorithm allows transformations on the ciphertext to produce meaningful changes in the plaintext. ... A chosen ciphertext attack is an attack on a cryptosystem in which the cryptanalyst chooses ciphertext and causes it to be decrypted with an unknown key. ... The Cramer-Shoup system is an asymmetric key encryption algorithm for public key cryptography, and was the first efficient scheme proven to be secure against adaptive chosen ciphertext attack using standard cryptographic assumptions. ...

See also

• ElGamal Signature scheme

The ElGamal Signature scheme is a digital signature scheme which is based on the difficulty of computing discrete logarithms. ...

References

• Taher ElGamal, "A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms", IEEE Transactions on Information Theory, v. IT-31, n. 4, 1985, pp469–472 or CRYPTO 84, pp10–18, Springer-Verlag.
• Handbook of Applied Cryptography, contains a detailed description of ElGamal Algorithm in Chapter 8 (PDF file).

To meet Wikipedias quality standards, this article or section may require cleanup. ...