World Library  
Flag as Inappropriate
Email this Article

ElGamal encryption

Article Id: WHEBN0000059458
Reproduction Date:

Title: ElGamal encryption  
Author: World Heritage Encyclopedia
Language: English
Subject: Public-key cryptography, CEILIDH, Diffie–Hellman key exchange, Cryptography, Elgamal
Collection: Public-Key Encryption Schemes
Publisher: World Heritage Encyclopedia

ElGamal encryption

In cryptography, the ElGamal encryption system is an asymmetric key encryption algorithm for public-key cryptography which is based on the Diffie–Hellman key exchange. It was described by Taher Elgamal in 1985.[1] ElGamal encryption is used in the free GNU Privacy Guard software, recent versions of PGP, and other cryptosystems. The Digital Signature Algorithm is a variant of the ElGamal signature scheme, which should not be confused with ElGamal encryption.

ElGamal encryption can be defined over any cyclic group G. Its security depends upon the difficulty of a certain problem in G related to computing discrete logarithms (see below).


  • The algorithm 1
    • Key generation 1.1
    • Encryption 1.2
    • Decryption 1.3
    • Practical use 1.4
  • Security 2
  • Efficiency 3
    • Decryption 3.1
  • See also 4
  • References 5

The algorithm

ElGamal encryption consists of three components: the key generator, the encryption algorithm, and the decryption algorithm.

Key generation

The key generator works as follows:

  • Alice generates an efficient description of a cyclic group G\, of order q\, with generator g\,. See below for a discussion on the required properties of this group.
  • Alice chooses a random x\, from \{1, \ldots, q-1\}.
  • Alice computes h = g^x\,.
  • Alice publishes h\,, along with the description of G, q, g\,, as her public key. Alice retains x\, as her private key which must be kept secret.


The encryption algorithm works as follows: to encrypt a message m\, to Alice under her public key (G,q,g,h)\,,

  • Bob chooses a random y\, from \{1, \ldots, q-1\}, then calculates c_1=g^y\,.
  • Bob calculates the shared secret s=h^y\,.
  • Bob converts his secret message m\, into an element m'\, of G\,.
  • Bob calculates c_2=m'\cdot s.
  • Bob sends the ciphertext (c_1,c_2)=(g^y, m'\cdot h^y)=(g^y, m'\cdot(g^x)^y)\, to Alice.

Note that one can easily find h^y\, if one knows m'\,. Therefore, a new y\, is generated for every message to improve security. For this reason, y\, is also called an ephemeral key.


The decryption algorithm works as follows: to decrypt a ciphertext (c_1,c_2)\, with her private key x\,,

The decryption algorithm produces the intended message, since
c_2 \cdot s^{-1} = m'\cdot h^y \cdot (g^{xy})^{-1} = m'\cdot g^{xy} \cdot g^{-xy} = m'.

Practical use

The ElGamal cryptosystem is usually used in a hybrid cryptosystem. I.e., the message itself is encrypted using a symmetric cryptosystem and ElGamal is then used to encrypt the key used for the symmetric cryptosystem. This is because asymmetric cryptosystems like Elgamal are usually slower than symmetric ones for the same level of security, so it is faster to encrypt the symmetric key (which most of the time is quite small if compared to the size of the message) with Elgamal and the message (which can be arbitrarily large) with a symmetric cypher.


The security of the ElGamal scheme depends on the properties of the underlying group G as well as any padding scheme used on the messages.

If the computational Diffie–Hellman assumption (CDH) holds in the underlying cyclic group G, then the encryption function is one-way.[2]

If the decisional Diffie–Hellman assumption (DDH) holds in G, then ElGamal achieves semantic security.[2] Semantic security is not implied by the computational Diffie–Hellman assumption alone.[3] See decisional Diffie–Hellman assumption for a discussion of groups where the assumption is believed to hold.

ElGamal encryption is unconditionally malleable, and therefore is not secure under chosen ciphertext attack. For example, given an encryption (c_1, c_2) of some (possibly unknown) message m, one can easily construct a valid encryption (c_1, 2 c_2) of the message 2m.

To achieve chosen-ciphertext security, the scheme must be further modified, or an appropriate padding scheme must be used. Depending on the modification, the DDH assumption may or may not be necessary.

Other schemes related to ElGamal which achieve security against chosen ciphertext attacks have also been proposed. The Cramer–Shoup cryptosystem is secure under chosen ciphertext attack assuming DDH holds for G. Its proof does not use the random oracle model. Another proposed scheme is DHAES,[3] whose proof requires an assumption that is weaker than the DDH assumption.


ElGamal encryption is probabilistic, meaning that a single plaintext can be encrypted to many possible ciphertexts, with the consequence that a general ElGamal encryption produces a 2:1 expansion in size from plaintext to ciphertext.

Encryption under ElGamal requires two exponentiations; however, these exponentiations are independent of the message and can be computed ahead of time if need be. Decryption only requires one exponentiation:


The division by s\, can be avoided by using an alternative method for decryption. To decrypt a ciphertext (c_1,c_2)\, with Alice's private key x\,,

  • Alice calculates s'=c_1^=g^{(q-x)y}.

s'\, is the inverse of s\,. This is a consequence of Lagrange's theorem, because

s\cdot s' = g^{xy}\cdot g^{(q-x)y} = (g^q)^y = e^y =e,
where e\, is the identity element of G\,.
  • Alice then computes m'= c_2 \cdot s', which she then converts back into the plaintext message m\,.
The decryption algorithm produces the intended message, since
c_2 \cdot s' = m' \cdot s \cdot s' = m' \cdot e = m'.

See also


  1. ^ Taher ElGamal (1985). "A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms". IEEE Transactions on Information Theory 31 (4): 469–472.   (conference version appeared in CRYPTO'84, pp. 10–18)
  2. ^ a b CRYPTUTOR, "Elgamal encryption scheme"
  3. ^ a b M. Abdalla, M. Bellare, P. Rogaway, "DHAES, An encryption scheme based on the Diffie–Hellman Problem" (Appendix A)
  • ElGamal, Taher (1985). "Advances in cryptology: Proceedings of CRYPTO 84". Lecture Notes in Computer Science 196. Santa Barbara, California, United States: Springer-Verlag. pp. 10–18.  
  • A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone. "Chapter 8.4 ElGamal public-key encryption". Handbook of Applied Cryptography. CRC Press. 
This article was sourced from Creative Commons Attribution-ShareAlike License; additional terms may apply. World Heritage Encyclopedia content is assembled from numerous content providers, Open Access Publishing, and in compliance with The Fair Access to Science and Technology Research Act (FASTR), Wikimedia Foundation, Inc., Public Library of Science, The Encyclopedia of Life, Open Book Publishers (OBP), PubMed, U.S. National Library of Medicine, National Center for Biotechnology Information, U.S. National Library of Medicine, National Institutes of Health (NIH), U.S. Department of Health & Human Services, and, which sources content from all federal, state, local, tribal, and territorial government publication portals (.gov, .mil, .edu). Funding for and content contributors is made possible from the U.S. Congress, E-Government Act of 2002.
Crowd sourced content that is contributed to World Heritage Encyclopedia is peer reviewed and edited by our editorial staff to ensure quality scholarly research articles.
By using this site, you agree to the Terms of Use and Privacy Policy. World Heritage Encyclopedia™ is a registered trademark of the World Public Library Association, a non-profit organization.

Copyright © World Library Foundation. All rights reserved. eBooks from Project Gutenberg are sponsored by the World Library Foundation,
a 501c(4) Member's Support Non-Profit Organization, and is NOT affiliated with any governmental agency or department.