ElGamal encryption
|
The ElGamal algorithm is an asymmetric key encryption algorithm for public key cryptography which is based on Diffie-Hellman key agreement. It was described by Taher Elgamal in 1984. The ElGamal algorithm is used in the free GNU Privacy Guard software, recent versions of PGP, and other cryptosystems. The Digital Signature Algorithm, even though it is a signature scheme and performs no encryption, is similar to ElGamal in many respects.
ElGamal can be defined over any cyclic group <math>G<math>. Its security depends upon the difficulty of a certain problem in <math>G<math> related to computing discrete logs (see below).
Contents |
The algorithm
ElGamal consists of three components: the key generator, the encryption algorithm, and the decryption algorithm.
The key generator works as follows:
- Alice generates an efficient description of a cyclic group <math>G<math> of order <math>q<math> with generator <math>g<math>. See below for specific examples of how this can be done.
- Alice chooses a random <math>x<math> from <math>\{0, \ldots, q-1\}<math>.
- Alice computes <math>h = g^x<math>.
- Alice publishes <math>h<math>, along with the description of <math>G, q, g<math>, as her public key. Alice retains <math>x<math> as her secret key.
The encryption algorithm works as follows: to encrypt a message <math>m<math> to Alice under her public key <math>(G,q,g,h)<math>,
- Bob converts <math>m<math> into an element of <math>G<math>.
- Bob chooses a random <math>k<math> from <math>\{0, \ldots, q-1\}<math>, then calculates <math>c_1=g^k<math> and <math>c_2=m\cdot h^k<math>.
- Bob sends the ciphertext <math>(c_1,c_2)<math> to Alice.
The decryption algorithm works as follows: to decrypt a ciphertext <math>(c_1,c_2)<math> with her secret key <math>x<math>,
- Alice computes <math>c_2(c_1^x)^{-1}<math> as the plaintext message.
Note that the decryption algorithm does indeed produce the intended message since:
<math> c_2(c_1^x)^{-1} \equiv \frac{m\cdot h^k}{g^{xk}} \equiv \frac{m\cdot g^{xk}}{g^{xk}} \equiv m \pmod q<math>
If the space of possible messages is larger than the size of <math>G<math>, then the message can be split into several pieces and each piece can be encrypted independently. Typically, however, a short key to a symmetric-key cipher is first encrypted under ElGamal, and the (much longer) intended message is encrypted more efficiently using the symmetric-key cipher — this is termed hybrid encryption.
Security
ElGamal is a simple example of a semantically secure asymmetric key encryption algorithm (under reasonable assumptions). It is probabilistic, meaning that a single plaintext can be encrypted to many possible ciphertexts, with the consequence that a general ElGamal encryption produces a 2:1 expansion in size from plaintext to ciphertext.
ElGamal's security rests, in part, on the difficulty of solving the discrete logarithm problem in <math>G<math>. Specifically, if the discrete logarithm problem could be solved efficiently, then ElGamal would be broken. However, the security of ElGamal actually relies on the so-called Decisional Diffie-Hellman (DDH) assumption. This assumption is often stronger than the discrete log assumption, but is still believed to be true for many classes of groups.
Use as a signature scheme
Alice may have sent Bob a message m (using RSA for example) and may want to sign the message (for example to preserve integrity or to prove its authenticity to Bob - see digital signature).
To do this, Alice may take a collision-resistant hash function H; choose a random k as Bob would to send a message to Alice, except that k must satisfy hcf(k,p-1) = 1; and then find numbers r,s satisfying
- <math> r \, \equiv \, h^k \pmod p<math>
- <math> H(m) \, \equiv \, xr + ks \pmod {p-1}.<math>
Such a pair (r,s) is guaranteed to exist and to be uniquely defined since we imposed the conditition hcf(k,p-1) = 1. Bob may then accept the message as (almost certainly) authentic and unmodified if
- <math> g^H(m) \, \equiv \, h^r r^s \pmod p<math>
This will normally be the case since:
- <math>
\begin{matrix} g^H(m) & \equiv & g^{xr} g^{ks} \\ & \equiv & (g^{x})^r (g^{k})^s \\ & \equiv & (h)^r (r)^s \\ \end{matrix} <math>
In order to forge a signature, a third party must either know Alice's private key x (perhaps by solving the discrete logarithm problem) or find collisions in the hash function H. However in the latter case the said third party would only be able to sign messages M such that H(m) = H(M). It may be that these messages are in fact meaningless or at least not very useful.
Alice must be careful to choose a different k for each signature, because otherwise a third party will be able to deduce the secret key x with significantly less difficulty.
Generating the group G
As described above, ElGamal can be defined over any cyclic group <math>G<math>, and is secure if a certain computational assumption (the "DDH Assumption") about that group is true. Unfortunately, the straightforward use of <math>G=Z_p<math> for a prime <math>p<math> is insecure, because the DDH Assumption is false in this group. (In contrast, note that computing discrete logs is believed to be hard in <math>Z_p<math>, but this is not enough for the security of ElGamal.)
The two most popular types of groups used in ElGamal are subgroups of <math>Z_p<math> and groups defined over certain elliptic curves. Here is one popular way of choosing an appropriate subgroup of <math>Z_p<math> which is believed to be secure:
- Choose a random large prime <math>p<math> such that <math>p-1=kq<math> for some small integer <math>k<math> and large prime <math>q<math>. This can be done, for example with <math>k=2<math>, by first choosing a random large prime <math>q<math> and checking if <math>p=2q+1<math> is prime.
- Choose a random element <math>g \in Z_p<math> such that <math>g \neq 1<math> and <math>g^q=1 \bmod p<math>, i.e. such that <math>g<math> is of order <math>q<math>.
- The group <math>G<math> is the subgroup of <math>Z_p<math> generated by <math>g<math>, i.e. the set of <math>k<math>th residues mod <math>p<math>.
Note also that when encrypting, care must be taken to properly encode the message <math>m<math> as an element of <math>G<math>, and not, say, as just an arbitrary element of <math>Z_p<math>.
Efficiency
Encryption under ElGamal requires two exponentiations; however, these exponentiations are independent of the message and can be computed ahead of time if need be. Decryption only requires one exponentiation (plus one division, which is typically much faster). Unlike in the RSA and Rabin systems, ElGamal decryption cannot be sped up via the Chinese remainder theorem.
Miscellaneous
Note that ElGamal is malleable in an extreme way: for example, given an encryption <math>(c_1, c_2)<math> of some (possibly unknown) message <math>m<math>, one can easily construct an encryption <math>(c_1, 2 \cdot c_2)<math> of the message <math>2m<math>. Therefore ElGamal is not secure under chosen ciphertext attack. On the other hand, the Cramer-Shoup system (which is based on ElGamal) is secure under chosen ciphertext attack.
See also
References
- Taher Elgamal, "A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms", IEEE Transactions on Information Theory, v. IT-31, n. 4, 1985, pp469–472 or CRYPTO 84, pp10–18, Springer-Verlag.
- Handbook of Applied Cryptography (http://www.cacr.math.uwaterloo.ca/hac/), contains a detailed description of ElGamal Algorithm in Chapter 8 (http://www.cacr.math.uwaterloo.ca/hac/about/chap8.pdf) (PDF file).de:Elgamal-Kryptosystem