# ElGamal encryption

In cryptography, the ElGamal encryption system is an asymmetric key encryption algorithm for public-key cryptography which is based on the Diffie–Hellman key exchange. The system provides an additional layer of security by asymmetrically encrypting keys previously used for symmetric message encryption. It was described by Taher Elgamal in 1985.[1] ElGamal encryption is used in the free GNU Privacy Guard software, recent versions of PGP, and other cryptosystems. The Digital Signature Algorithm (DSA) is a variant of the ElGamal signature scheme, which should not be confused with ElGamal encryption.

ElGamal encryption can be defined over any cyclic group ${\displaystyle G}$. Its security depends upon the difficulty of a certain problem in ${\displaystyle G}$ related to computing discrete logarithms (see below).

## The algorithm

ElGamal encryption consists of three components: the key generator, the encryption algorithm, and the decryption algorithm.

### Key generation

The key generator works as follows:

• Alice generates an efficient description of a cyclic group ${\displaystyle G\,}$ of order ${\displaystyle q\,}$ with generator ${\displaystyle g}$. See below for a discussion on the required properties of this group.
• Alice chooses an ${\displaystyle x}$ randomly from ${\displaystyle \{1,\ldots ,q-1\}}$.
• Alice computes ${\displaystyle h:=g^{x}}$.
• Alice publishes ${\displaystyle h\,}$, along with the description of ${\displaystyle G,q,g\,}$, as her public key. Alice retains ${\displaystyle x}$ as her private key, which must be kept secret.

### Encryption

The encryption algorithm works as follows: to encrypt a message ${\displaystyle m}$ to Alice under her public key ${\displaystyle (G,q,g,h)}$,

• Bob chooses a random ${\displaystyle y}$ from ${\displaystyle \{1,\ldots ,q-1\}}$, then calculates ${\displaystyle c_{1}:=g^{y}}$.
• Bob calculates the shared secret ${\displaystyle s:=h^{y}:=g^{xy}}$ .
• Bob maps his message ${\displaystyle m}$ onto an element ${\displaystyle m'}$ of ${\displaystyle G}$.
• Bob calculates ${\displaystyle c_{2}:=m'\cdot s}$.
• Bob sends the ciphertext ${\textstyle (c_{1},c_{2})=(g^{y},m'\cdot h^{y})=(g^{y},m'\cdot g^{xy})}$ to Alice.

Note that one can easily find ${\displaystyle h^{y}}$ if one knows ${\displaystyle m'}$. Therefore, a new ${\displaystyle y}$ is generated for every message to improve security. For this reason, ${\displaystyle y}$ is also called an ephemeral key.

### Decryption

The decryption algorithm works as follows: to decrypt a ciphertext ${\displaystyle (c_{1},c_{2})}$ with her private key ${\displaystyle x}$,

• Alice calculates the shared secret ${\displaystyle s:=c_{1}{}^{x}}$
• and then computes ${\displaystyle m':=c_{2}\cdot s^{-1}}$ which she then converts back into the plaintext message ${\displaystyle m}$, where ${\displaystyle s^{-1}}$ is the inverse of ${\displaystyle s}$ in the group ${\displaystyle G}$. (E.g. modular multiplicative inverse if ${\displaystyle G}$ is a subgroup of a multiplicative group of integers modulo n).
The decryption algorithm produces the intended message, since
${\displaystyle c_{2}\cdot s^{-1}=m'\cdot h^{y}\cdot (g^{xy})^{-1}=m'\cdot g^{xy}\cdot g^{-xy}=m'.}$

### Practical use

The ElGamal cryptosystem is usually used in a hybrid cryptosystem. I.e., the message itself is encrypted using a symmetric cryptosystem and ElGamal is then used to encrypt the key used for the symmetric cryptosystem. This is because asymmetric cryptosystems like Elgamal are usually slower than symmetric ones for the same level of security, so it is faster to encrypt the symmetric key (which most of the time is quite small if compared to the size of the message) with Elgamal and the message (which can be arbitrarily large) with a symmetric cipher.

Other Languages
العربية: تشفير الجمل
azərbaycanca: El-Qamal sxemi
čeština: ElGamal