Introduction
In the realm of modern cryptography, ElGamal encryption stands as one of the cornerstone public-key cryptosystems. Introduced in 1985 by Taher ElGamal, this algorithm marked a significant advancement in asymmetric cryptography by building upon the foundational Diffie-Hellman key exchange protocol. Unlike symmetric ciphers such as AES, ElGamal enables secure communication without prior shared secrets, making it ideal for open networks like the internet.
ElGamal is probabilistic—meaning the same plaintext encrypted multiple times with the same public key produces different ciphertexts. This property provides strong resistance against chosen-plaintext attacks and adds an extra layer of security through randomness.
While not as widely deployed in its original form as RSA, ElGamal remains highly influential. It powers digital signature schemes (e.g., DSA – Digital Signature Algorithm), hybrid encryption systems, and is a key component in secure voting protocols and blockchain technologies.
Mathematical Foundation: The Discrete Logarithm Problem
The security of ElGamal relies on the Discrete Logarithm Problem (DLP), which is believed to be computationally infeasible for large prime fields.
Definition: Given a prime p, a generator g of the multiplicative group ℤp*, and an element h = gx mod p, find the integer x such that gx ≡ h (mod p).
No efficient algorithm exists to solve DLP in properly chosen groups (e.g., large prime fields or elliptic curves), making it a solid foundation for cryptographic security.
Key Components of ElGamal
| Component | Description |
|---|---|
| Public Parameters | p (large prime), g (generator modulo p) |
| Public Key | h = gx mod p |
| Private Key | x (secret exponent, 1 < x < p-1) |
| Message Space | m ∈ {0, 1, …, p-1} |
Note: In practice, messages are encoded into integers less than p. For text, use UTF-8 → integer conversion per block.
Step-by-Step: Key Generation
- Choose a large safe prime p such that p = 2q + 1 and q is also prime (optional but recommended).
- Select a generator g of ℤp* (or a subgroup of high order).
- Pick a random private key x ∈ {2, 3, …, p-2}.
- Compute public key:
h = gx mod p
- Publish: (p, g, h) | Keep secret: x
Security Tip: Use cryptographically secure random number generators (CSPRNG) for x.
Encryption Process
To encrypt a message m (where 0 ≤ m < p):
- Select a random ephemeral key k such that 1 ≤ k ≤ p-2 and gcd(k, p-1) = 1 (or simply k ∈ [1, p-2] in practice).
- Compute:
c₁ = gᵏ mod pc₂ = m · hᵏ mod p
- Output ciphertext: (c₁, c₂)
This is a Diffie-Hellman-like masking: c₂ hides m using the shared secret hᵏ = (gˣ)ᵏ = gˣᵏ.
Decryption Process
Given ciphertext (c₁, c₂) and private key x:
- Reconstruct the shared secret:
s = c₁ˣ mod p = (gᵏ)ˣ = gᵏˣ = (gˣ)ᵏ = hᵏ mod p
- Compute the modular inverse of s:
s⁻¹ mod p (using Extended Euclidean Algorithm)
- Recover plaintext:
m = c₂ · s⁻¹ mod p
Correctness Proof:
c₂ · s⁻¹ = (m · hᵏ) · (hᵏ)⁻¹ = m · hᵏ · h⁻ᵏ = m (mod p)
Full Example (Educational – Small Numbers)
Let’s walk through a complete example using small (insecure) values:
- p = 23 (prime)
- g = 5 (generator)
- Private key: x = 6
- Public key: h = 5⁶ mod 23 = 15,625 mod 23 = 8
Public Key: (23, 5, 8)
Encrypt m = 10:
- Choose k = 7
- c₁ = 5⁷ mod 23 = 78,125 mod 23 = 10
- hᵏ = 8⁷ mod 23 = 2,097,152 mod 23 = 18
- c₂ = 10 · 18 mod 23 = 180 mod 23 = 19
Ciphertext: (10, 19)
Decrypt:
- s = 10⁶ mod 23 = 1,000,000 mod 23 = 18
- s⁻¹ mod 23: Find y such that 18y ≡ 1 (mod 23) → y = 9
- m = 19 · 9 mod 23 = 171 mod 23 = 10
Recovered! m = 10
Pseudocode Implementation
import random
from sympy import mod_inverse # Or implement Extended Euclidean
# Key Generation
def generate_keys(p, g):
x = random.randint(2, p-2)
h = pow(g, x, p)
return (p, g, h), x # public, private
# Encryption
def elgamal_encrypt(public_key, m):
p, g, h = public_key
k = random.randint(2, p-2)
c1 = pow(g, k, p)
c2 = (m * pow(h, k, p)) % p
return (c1, c2)
# Decryption
def elgamal_decrypt(private_key, ciphertext, p):
x = private_key
c1, c2 = ciphertext
s = pow(c1, x, p)
s_inv = mod_inverse(s, p)
m = (c2 * s_inv) % p
return mPractical Considerations
Message Size Limitation
- Plaintext m must satisfy 0 ≤ m < p
- For large messages:
- Split into blocks
- Or use hybrid encryption: Encrypt symmetric key with ElGamal, data with AES
Performance
| Operation | Cost |
|---|---|
| Encryption | 2 modular exponentiations |
| Decryption | 1 exponentiation + 1 inverse |
| Slower than RSA for encryption |
Optimization: Precompute tables or use windowed exponentiation.
Security Parameters (2025 Recommendations)
| Security Level | Prime Size | Notes |
|---|---|---|
| 112-bit | 2048-bit | Legacy |
| 128-bit | 3072-bit | Recommended |
| 256-bit | 15360-bit | Paranoid |
Use elliptic curve variant (EC-ElGamal) for better efficiency at equivalent security.
Variants and Extensions
1. ElGamal Digital Signature Scheme
Used in DSA and GOST R 34.10
Sign: (r, s) where r = gᵏ mod p, s = k⁻¹(H(m) + x r) mod (p-1)
2. Elliptic Curve ElGamal (EC-ElGamal)
- Operates over elliptic curve groups
- Much smaller keys (256-bit curve ≈ 3072-bit RSA)
- Basis for ECIES (Elliptic Curve Integrated Encryption Scheme)
3. Threshold ElGamal
Private key split among n parties; t needed to decrypt. Used in secure multiparty computation.
Security Analysis
| Attack Type | Resistance |
|---|---|
| Brute Force | Infeasible with large p |
| Discrete Log (GNFS, Index Calculus) | Hard with safe primes |
| Chosen-Plaintext (CPA) | Secure (due to randomness) |
| Chosen-Ciphertext (CCA) | Not secure without modifications |
| Malleability | Vulnerable – (c₁, 2c₂) decrypts to 2m |
Fix for CCA: Use Fujisaki-Okamoto padding or switch to ECIES
Applications
| Domain | Use Case |
|---|---|
| Secure Email | PGP/GPG (via hybrid mode) |
| Blockchain | Transaction signing (similar to ECDSA) |
| Secure Voting | Homomorphic tallying |
| Key Encapsulation | KEM in post-quantum hybrids |
Advantages vs Disadvantages
| Pros | Cons |
|---|---|
| Probabilistic → no patterns | Ciphertext expansion (2×) |
| Based on well-studied DLP | Slower than RSA encryption |
| Supports signatures | Malleable (fixable) |
| Easy to implement | Large key sizes (mitigated with ECC) |
Conclusion
ElGamal encryption remains a fundamental algorithm in cryptographic education and research. Its elegant combination of number theory, randomness, and public-key principles makes it both powerful and instructive.
While pure ElGamal is rarely used directly in modern systems due to performance and malleability concerns, its ideas live on in DSA, ECIES, and post-quantum KEMs.
For developers and security engineers:
- Use EC-ElGamal or ECIES for real-world asymmetric encryption
- Prefer hybrid schemes (ElGamal + AES-GCM)
- Always validate inputs and use constant-time operations
References & Further Reading
- Taher ElGamal, "A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms", IEEE Transactions on Information Theory, 1985.
- NIST Special Publication 800-56A: Recommendation for Pair-Wise Key Establishment Schemes
- Handbook of Applied Cryptography – Menezes, van Oorschot, Vanstone (Chapter 8)
Explore ElGamal now on KFCipher – generate keys, encrypt messages, and verify decryption in real-time!
Secure your knowledge. One cipher at a time.