Movatterモバイル変換

[0]ホーム

Jump to content

ElGamal encryption

Edit links

From Wikipedia, the free encyclopedia

Public-key cryptosystem

"ElGamal" redirects here. For signature algorithm, seeElGamal signature scheme.

Incryptography, theElGamal encryption system is apublic-key encryption algorithm based on theDiffie–Hellman key exchange. It was described byTaher Elgamal in 1985.^[1] ElGamal encryption is used in the freeGNU Privacy Guard software, recent versions ofPGP, and othercryptosystems. TheDigital Signature Algorithm (DSA) is a variant of theElGamal signature scheme, which should not be confused with ElGamal encryption.

ElGamal encryption can be defined over anycyclic group $G {\displaystyle G}$ , likemultiplicative group of integers modulo n if and only ifn is 1, 2, 4,p^k or 2p^k, wherep is an odd prime andk > 0. Its security depends upon the difficulty of theDecisional Diffie Hellman Problem in $G {\displaystyle G}$ .

Algorithm

[edit]

The algorithm first performs Diffie–Hellman key agreement to establish a shared secret $s {\displaystyle s}$ , then uses this as aone-time pad for encrypting the message. ElGamal encryption is performed in three phases: the key generation, the encryption, and the decryption. The first is purely key exchange, whereas the latter two mix key exchange computations with message computations.

Key generation

[edit]

The first party, Alice, generates a key pair as follows:

Generate an efficient description of acyclic group $G\,$ oforder $q\,$ withgenerator $g {\displaystyle g}$ . Let $e {\displaystyle e}$ represent the identity element of $G {\displaystyle G}$ .
It is not necessary to come up with a group and generator for each new key. Indeed, one may expect a specific implementation of ElGamal to be hardcoded to use a specific group, or a group from a specific suite. The choice of group is mostly about how large keys you want to use.
Choose an integer $x {\displaystyle x}$ randomly from $\{1,\ldots ,q-1\}$ .
Compute $h:=g^{x}$ .
Thepublic key consists of the values $(G,q,g,h)$ . Alice publishes this public key and retains $x {\displaystyle x}$ as her private key, which must be kept secret.

Encryption

[edit]

A second party, Bob, encrypts a message $M {\displaystyle M}$ to Alice under her public key $(G,q,g,h)$ as follows:

Map the message $M {\displaystyle M}$ to an element $m {\displaystyle m}$ of $G {\displaystyle G}$ using a reversible mapping function.
Choose an integer $y {\displaystyle y}$ randomly from $\{1,\ldots ,q-1\}$ .
Compute $s:=h^{y}$ . This is called theshared secret.
Compute $c_{1}:=g^{y}$ .
Compute $c_{2}:=m\cdot s$ .
Bob sends the ciphertext $(c_{1},c_{2})$ to Alice.

Note that if one knows both the ciphertext $(c_{1},c_{2})$ and the plaintext $m {\displaystyle m}$ , one can easily find the shared secret $s {\displaystyle s}$ , since $c_{2}\cdot m^{-1}=s$ . Therefore, a new $y {\displaystyle y}$ and hence a new $s {\displaystyle s}$ is generated for every message to improve security. For this reason, $y {\displaystyle y}$ is also called anephemeral key.

Decryption

[edit]

Alice decrypts a ciphertext $(c_{1},c_{2})$ with her private key $x {\displaystyle x}$ as follows:

Compute $s:=c_{1}^{x}$ . Since $c_{1}=g^{y}$ , $c_{1}^{x}=g^{xy}=h^{y}$ , and thus it is the same shared secret that was used by Bob in encryption.
Compute $s^{-1}$ , the inverse of $s {\displaystyle s}$ in the group $G {\displaystyle G}$ . This can be computed in one of several ways. If $G {\displaystyle G}$ is a subgroup of a multiplicative group of integers modulo $n {\displaystyle n}$ , where $n {\displaystyle n}$ is prime, themodular multiplicative inverse can be computed using theextended Euclidean algorithm. An alternative is to compute $s^{-1}$ as $c_{1}^{q-x}$ . This is the inverse of $s {\displaystyle s}$ because ofLagrange's theorem, since $s\cdot c_{1}^{q-x}=g^{xy}\cdot g^{(q-x)y}=(g^{q})^{y}=e^{y}=e$ .
Compute $m:=c_{2}\cdot s^{-1}$ . This calculation produces the original message $m {\displaystyle m}$ , because $c_{2}=m\cdot s$ ; hence $c_{2}\cdot s^{-1}=(m\cdot s)\cdot s^{-1}=m\cdot e=m$ .
Map $m {\displaystyle m}$ back to the plaintext message $M {\displaystyle M}$ .

Practical use

[edit]

Like most public key systems, the ElGamal cryptosystem is usually used as part of ahybrid cryptosystem, where the message itself is encrypted using a symmetric cryptosystem, and ElGamal is then used to encrypt only the symmetric key. This is because asymmetric cryptosystems like ElGamal are usually slower than symmetric ones for the samelevel of security, so it is faster to encrypt the message, which can be arbitrarily large, with a symmetric cipher, and then use ElGamal only to encrypt the symmetric key, which usually is quite small compared to the size of the message.

Security

[edit]

The security of the ElGamal scheme depends on the properties of the underlying group $G {\displaystyle G}$ as well as any padding scheme used on the messages. If thecomputational Diffie–Hellman assumption (CDH) holds in the underlying cyclic group $G {\displaystyle G}$ , then the encryption function isone-way.^[2]

If thedecisional Diffie–Hellman assumption (DDH) holds in $G {\displaystyle G}$ , thenElGamal achievessemantic security.^[2]^[3] Semantic security is not implied by the computational Diffie–Hellman assumption alone. SeeDecisional Diffie–Hellman assumption for a discussion of groups where the assumption is believed to hold.

ElGamal encryption is unconditionallymalleable, and therefore is not secure underchosen ciphertext attack. For example, given an encryption $(c_{1},c_{2})$ of some (possibly unknown) message $m {\displaystyle m}$ , one can easily construct a valid encryption $(c_{1},2c_{2})$ of the message $2m$ .

To achieve chosen-ciphertext security, the scheme must be further modified, or an appropriate padding scheme must be used. Depending on the modification, the DDH assumption may or may not be necessary.

Other schemes related to ElGamal which achieve security against chosen ciphertext attacks have also been proposed. TheCramer–Shoup cryptosystem is secure under chosen ciphertext attack assuming DDH holds for $G {\displaystyle G}$ . Its proof does not use therandom oracle model. Another proposed scheme isDHIES,^[4] whose proof requires an assumption that is stronger than the DDH assumption.

Efficiency

[edit]

ElGamal encryption isprobabilistic, meaning that a singleplaintext can be encrypted to many possible ciphertexts, with the consequence that a general ElGamal encryption produces a 1:2 expansion in size from plaintext to ciphertext.

Encryption under ElGamal requires twoexponentiations; however, these exponentiations are independent of the message and can be computed ahead of time if needed. Decryption requires one exponentiation and one computation of a group inverse, which can, however, be easily combined into just one exponentiation.

References

[edit]

^Taher ElGamal (1985)."A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms"(PDF).IEEE Transactions on Information Theory.31 (4):469–472.CiteSeerX 10.1.1.476.4791.doi:10.1109/TIT.1985.1057074.S2CID 2973271. (conference version appeared inCRYPTO'84, pp. 10–18)
^^a ^bMike Rosulek (2008-12-13)."Elgamal encryption scheme".University of Illinois at Urbana-Champaign. Archived fromthe original on 2016-07-22.
^Tsiounis, Yiannis; Yung, Moti (2006-05-24). "On the security of ElGamal based encryption".Public Key Cryptography. Lecture Notes in Computer Science. Vol. 1431. pp. 117–134.doi:10.1007/BFb0054019.ISBN 978-3-540-69105-1.
^Abdalla, Michel; Bellare, Mihir; Rogaway, Phillip (2001-01-01)."The Oracle Diffie-Hellman Assumptions and an Analysis of DHIES".Topics in Cryptology — CT-RSA 2001. Lecture Notes in Computer Science. Vol. 2020. pp. 143–158.doi:10.1007/3-540-45353-9_12.ISBN 978-3-540-41898-6.

Public-key cryptography

Algorithms

Integer factorization	Benaloh Blum–Goldwasser Cayley–Purser Damgård–Jurik GMR Goldwasser–Micali Naccache–Stern Paillier Rabin RSA Okamoto–Uchiyama Schmidt–Samoa
Discrete logarithm	BLS Cramer–Shoup DH DSA ECDH X25519 X448 ECDSA EdDSA Ed25519 Ed448 ECMQV EKE ElGamal signature scheme MQV Schnorr SPEKE SRP STS
Lattice/SVP/CVP/LWE/SIS	BLISS Kyber NewHope NTRUEncrypt NTRUSign RLWE-KEX RLWE-SIG
Others	AE CEILIDH EPOC HFE IES Lamport McEliece Merkle–Hellman Naccache–Stern knapsack cryptosystem Three-pass protocol XTR SQIsign SPHINCS⁺

Theory

Standardization

Topics

v t e Cryptography
General	History of cryptography Outline of cryptography Classical cipher Cryptographic protocol Authentication protocol Cryptographic primitive Cryptanalysis Cryptocurrency Cryptosystem Cryptographic nonce Cryptovirology Hash function Cryptographic hash function Key derivation function Secure Hash Algorithms Digital signature Kleptography Key (cryptography) Key exchange Key generator Key schedule Key stretching Keygen Machines Ransomware Random number generation Cryptographically secure pseudorandom number generator (CSPRNG) Pseudorandom noise (PRN) Secure channel Insecure channel Subliminal channel Encryption Decryption End-to-end encryption Harvest now, decrypt later Information-theoretic security Plaintext Codetext Ciphertext Shared secret Trapdoor function Trusted timestamping Key-based routing Onion routing Garlic routing Kademlia Mix network
Mathematics	Cryptographic hash function Block cipher Stream cipher Symmetric-key algorithm Authenticated encryption Public-key cryptography Quantum key distribution Quantum cryptography Post-quantum cryptography Message authentication code Random numbers Steganography
Category