ElGamal encryption - Citizendia

In cryptography, the ElGamal encryption system is an asymmetric key encryption algorithm for public-key cryptography which is based on the Diffie-Hellman key agreement. Cryptography (or cryptology; from Greek grc κρυπτός kryptos, "hidden secret" and grc γράφω gráphō, "I write" Public-key cryptography, also known as asymmetric cryptography, is a form of Cryptography in which the key used to encrypt a message differs from the key Public-key cryptography, also known as asymmetric cryptography, is a form of Cryptography in which the key used to encrypt a message differs from the key Diffie-Hellman key exchange ( D-H) is a Cryptographic protocol that allows two parties that have no prior knowledge of each other to jointly establish a shared secret It was described by Taher Elgamal in 1984^[1]. Dr Taher Elgamal ( Arabic: طاهر الجمل (born 18 August 1955) is an Egyptian Cryptographer. Year 1984 ( MCMLXXXIV) was a Leap year starting on Sunday (link displays the 1984 Gregorian calendar) ElGamal encryption is used in the free GNU Privacy Guard software, recent versions of PGP, and other cryptosystems. GNU Privacy Guard ( GnuPG or GPG) is a replacement for the PGP suite of cryptographic software Pretty Good Privacy (PGP is a Computer program that provides Cryptographic Privacy and Authentication. There are two different meanings of the word cryptosystem. One is used by the cryptographic community while the other is the meaning understood by the public The Digital Signature Algorithm is a variant of the ElGamal signature scheme, which should not be confused with ElGamal encryption. The Digital Signature Algorithm (DSA is a United States Federal Government standard or FIPS for Digital signatures It was proposed by the The ElGamal signature scheme is a Digital signature scheme which is based on the difficulty of computing Discrete logarithms It was described by Taher ElGamal

ElGamal encryption can be defined over any cyclic group $G$ . In Group theory, a cyclic group or monogenous group is a group that can be generated by a single element in the sense that the group has an Its security depends upon the difficulty of a certain problem in $G$ related to computing discrete logarithms (see below). In Mathematics, specifically in Abstract algebra and its applications discrete logarithms are group-theoretic analogues of ordinary Logarithms

1 The algorithm
2 Security
3 Efficiency
4 See also
5 References

The algorithm

Elgamal encryption consists of three components: the key generator, the encryption algorithm, and the decryption algorithm.

The key generator works as follows:

Alice generates an efficient description of a multiplicative cyclic group $G\,$ of order $q\,$ with generator $g\,$ . In Abstract algebra, a generating set of a group G is a Subset S such that every element of G can be expressed as the See below for a discussion on the required properties of this group.
Alice chooses a random $x\,$ from $\{0, \ldots, q-1\}$ .
Alice computes $h = g^x\,$ .
Alice publishes $h\,$ , along with the description of $G, q, g\,$ , as her public key. Public-key cryptography, also known as asymmetric cryptography, is a form of Cryptography in which the key used to encrypt a message differs from the key Alice retains $x\,$ as her private key which must be kept secret.

The encryption algorithm works as follows: to encrypt a message $m\,$ to Alice under her public key $(G,q,g,h)\,$ ,

Bob converts $m\,$ into an element of $G\,$ .
Bob chooses a random $y\,$ from $\{0, \ldots, q-1\}\,$ , then calculates $c_1=g^y\,$ and $c_2=m\cdot h^y$ .
Bob sends the ciphertext $(c_1,c_2)\,$ to Alice.

The decryption algorithm works as follows: to decrypt a ciphertext $(c_1,c_2)\,$ with her private key $x\,$ ,

Alice computes $\frac{c_2}{c_1^x}$ as the plaintext message.

The decryption algorithm produces the intended message, since

$\frac{c_2}{c_1^x} = \frac{m\cdot h^y}{g^{xy}} = \frac{m\cdot g^{xy}}{g^{xy}} = m.$

If the space of possible messages is larger than the size of $G\,$ , then the message can be split into several pieces and each piece can be encrypted independently. Alternately, Elgamal may be used in a hybrid cryptosystem to improve efficiency on long messages. In Cryptography, public-key cryptosystems are convenient in that they do not require the sender and receiver to share a common secret in order to communicate securely (among

Security

The security of the ElGamal scheme depends on the properties of the underlying group $G$ as well as any padding scheme used on the messages.

If the computational Diffie-Hellman assumption holds the underlying cyclic group $G$ , then the encryption function is one-way^[2]. The computational Diffie-Hellman (CDH assumption is the assumption that a certain computational problem within a Cyclic group is hard A one-way function is a function that is easy to compute but "hard to invert" (in the sense defined below

If the decisional Diffie-Hellman assumption (DDH) holds in $G$ , then ElGamal achieves semantic security. The decisional Diffie-Hellman (DDH assumption is a Computational hardness assumption about a certain problem involving discrete logarithms in cyclic groups Semantic security is a widely-used definition for security in an Asymmetric key encryption algorithm. ^[2] Semantic security is not implied by the computational Diffie-Hellman assumption alone^[3]. See decisional Diffie-Hellman assumption for a discussion of groups where the assumption is believed to hold. The decisional Diffie-Hellman (DDH assumption is a Computational hardness assumption about a certain problem involving discrete logarithms in cyclic groups

ElGamal encryption is unconditionally malleable, and therefore is not secure under chosen ciphertext attack. Malleability is a property of some cryptographic Algorithms An encryption algorithm is malleable if it is possible for an adversary to transform a Ciphertext A chosen-ciphertext attack (CCA is an Attack model for Cryptanalysis in which the cryptanalyst gathers information at least in part by choosing a Ciphertext For example, given an encryption $(c 1, c 2)$ of some (possibly unknown) message $m$ , one can easily construct a valid encryption $(c 1,2 c 2)$ of the message $2 m$ .

To achieve chosen-ciphertext security, the scheme must be further modified, or an appropriate padding scheme must be used. Depending on the modification, the DDH assumption may or may not be necessary. For instance, one such padding scheme is OAEP+ ^[4], which requires only one-wayness of the underlying encryption scheme to achieve security against chosen-ciphertext attacks. This article is about the padding scheme used in public-key cryptography The security proof of OAEP+ is in the random oracle model. In Cryptography, a random oracle is an oracle (a theoretical black box) that responds to every query with a (truly Random response chosen

Other schemes related to ElGamal which achieve security against chosen ciphertext attacks have also been proposed. The Cramer-Shoup system is secure under chosen ciphertext attack assuming DDH holds for $G$ . The Cramer-Shoup system is an Asymmetric key encryption algorithm, and was the first efficient scheme proven to be secure against Adaptive chosen ciphertext attack Its proof does not use the random oracle model. In Cryptography, a random oracle is an oracle (a theoretical black box) that responds to every query with a (truly Random response chosen Another proposed scheme is DHAES^[3], whose proof requires an assumption that is weaker than the DDH assumption.

Efficiency

ElGamal encryption is probabilistic, meaning that a single plaintext can be encrypted to many possible ciphertexts, with the consequence that a general ElGamal encryption produces a 2:1 expansion in size from plaintext to ciphertext. Probabilistic encryption is the use of Randomness in an Encryption algorithm so that when encrypting the same message several times it will in general yield different In Cryptography, plaintext is the information which the sender wishes to transmit to the receiver(s

Encryption under ElGamal requires two exponentiations; however, these exponentiations are independent of the message and can be computed ahead of time if need be. Decryption only requires one exponentiation (instead of division, exponentiate $c 1$ to $q - x$ ). Unlike in the RSA and Rabin systems, ElGamal decryption cannot be sped up via the Chinese remainder theorem. In Cryptography, RSA is an Algorithm for Public-key cryptography. The Rabin cryptosystem is an asymmetric Cryptographic technique whose security like that of RSA, is related to the difficulty of Factorization. The Chinese remainder theorem is a result about congruences in Number theory and its generalizations in Abstract algebra.

References

^ Taher ElGamal, "A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms", IEEE Transactions on Information Theory, v. The ElGamal signature scheme is a Digital signature scheme which is based on the difficulty of computing Discrete logarithms It was described by Taher ElGamal IT-31, n. 4, 1985, pp469–472 or CRYPTO 84, pp10–18, Springer-Verlag.
^ ^a ^b CRYPTUTOR, "Elgamal encryption scheme"
^ ^a ^b M. Abdalla, M. Bellare, P. Rogaway, "DHAES, An encryption scheme based on the Diffie-Hellman Problem" (Appendix A)
^ Victor Shoup. OAEP Reconsidered. IBM Zurich Research Lab, Saumerstr. 4, 8803 Ruschlikon, Switzerland. September 18, 2001. full version (pdf)

Handbook of Applied Cryptography, contains a detailed description of the ElGamal algorithm in Chapter 8 (PDF file).
Dan Boneh, The Decision Diffie-Hellman Problem, ANTS 1998, pp. Dan Boneh (דן בונה ˈdæn boʊˈneɪ is a Professor of Computer Science and Electrical Engineering at Stanford University. 48–63 [1].

© 2009 citizendia.org; parts available under the terms of GNU Free Documentation License, from http://en.wikipedia.org
network: | |

Contents

The algorithm

Security

Efficiency

See also

References