ElGamal encryption consists of three components: the key generator, the encryption algorithm, and the decryption algorithm.
The key generator works as follows:
- Alice generates an efficient description of a cyclic group of order with generator . See below for a discussion on the required properties of this group.
- Alice chooses an randomly from .
- Alice computes .
- Alice publishes , along with the description of , as her public key. Alice retains as her private key, which must be kept secret.
The encryption algorithm works as follows: to encrypt a message to Alice under her public key ,
- Bob chooses a random from , then calculates .
- Bob calculates the shared secret .
- Bob maps his message onto an element of .
- Bob calculates .
- Bob sends the ciphertext to Alice.
Note that one can easily find if one knows . Therefore, a new is generated for every message to improve security. For this reason, is also called an ephemeral key.
The decryption algorithm works as follows: to decrypt a ciphertext with her private key ,
- Alice calculates the shared secret
- and then computes which she then converts back into the plaintext message , where is the inverse of in the group . (E.g. modular multiplicative inverse if is a subgroup of a multiplicative group of integers modulo n).
- The decryption algorithm produces the intended message, since
The ElGamal cryptosystem is usually used in a hybrid cryptosystem. I.e., the message itself is encrypted using a symmetric cryptosystem and ElGamal is then used to encrypt the key used for the symmetric cryptosystem. This is because asymmetric cryptosystems like Elgamal are usually slower than symmetric ones for the same level of security, so it is faster to encrypt the symmetric key (which most of the time is quite small if compared to the size of the message) with Elgamal and the message (which can be arbitrarily large) with a symmetric cipher.