In cryptography, the ElGamal encryption system is an asymmetric key encryption algorithm for public-key cryptography which is based on the Diffie–Hellman key exchange.
[1] ElGamal encryption is used in the free GNU Privacy Guard software, recent versions of PGP, and other cryptosystems.
The Digital Signature Algorithm (DSA) is a variant of the ElGamal signature scheme, which should not be confused with ElGamal encryption.
ElGamal encryption can be defined over any cyclic group
, like multiplicative group of integers modulo n if and only if n is 1, 2, 4, pk or 2pk, where p is an odd prime and k > 0.
Its security depends upon the difficulty of the Decisional Diffie Hellman Problem in
The algorithm can be described as first performing a Diffie–Hellman key exchange to establish a shared secret
, then using this as a one-time pad for encrypting the message.
The first is purely key exchange, whereas the latter two mix key exchange computations with message computations.
, one can easily find the shared secret
is generated for every message to improve security.
as follows: Like most public key systems, the ElGamal cryptosystem is usually used as part of a hybrid cryptosystem, where the message itself is encrypted using a symmetric cryptosystem, and ElGamal is then used to encrypt only the symmetric key.
This is because asymmetric cryptosystems like ElGamal are usually slower than symmetric ones for the same level of security, so it is faster to encrypt the message, which can be arbitrarily large, with a symmetric cipher, and then use ElGamal only to encrypt the symmetric key, which usually is quite small compared to the size of the message.
The security of the ElGamal scheme depends on the properties of the underlying group
If the computational Diffie–Hellman assumption (CDH) holds in the underlying cyclic group
[2][3] Semantic security is not implied by the computational Diffie–Hellman assumption alone.
ElGamal encryption is unconditionally malleable, and therefore is not secure under chosen ciphertext attack.
, one can easily construct a valid encryption
Depending on the modification, the DDH assumption may or may not be necessary.
Other schemes related to ElGamal which achieve security against chosen ciphertext attacks have also been proposed.
The Cramer–Shoup cryptosystem is secure under chosen ciphertext attack assuming DDH holds for
ElGamal encryption is probabilistic, meaning that a single plaintext can be encrypted to many possible ciphertexts, with the consequence that a general ElGamal encryption produces a 1:2 expansion in size from plaintext to ciphertext.
Encryption under ElGamal requires two exponentiations; however, these exponentiations are independent of the message and can be computed ahead of time if needed.