# 15.3: ElGamal Encryption

$$\newcommand{\vecs}[1]{\overset { \scriptstyle \rightharpoonup} {\mathbf{#1}} }$$ $$\newcommand{\vecd}[1]{\overset{-\!-\!\rightharpoonup}{\vphantom{a}\smash {#1}}}$$$$\newcommand{\id}{\mathrm{id}}$$ $$\newcommand{\Span}{\mathrm{span}}$$ $$\newcommand{\kernel}{\mathrm{null}\,}$$ $$\newcommand{\range}{\mathrm{range}\,}$$ $$\newcommand{\RealPart}{\mathrm{Re}}$$ $$\newcommand{\ImaginaryPart}{\mathrm{Im}}$$ $$\newcommand{\Argument}{\mathrm{Arg}}$$ $$\newcommand{\norm}[1]{\| #1 \|}$$ $$\newcommand{\inner}[2]{\langle #1, #2 \rangle}$$ $$\newcommand{\Span}{\mathrm{span}}$$ $$\newcommand{\id}{\mathrm{id}}$$ $$\newcommand{\Span}{\mathrm{span}}$$ $$\newcommand{\kernel}{\mathrm{null}\,}$$ $$\newcommand{\range}{\mathrm{range}\,}$$ $$\newcommand{\RealPart}{\mathrm{Re}}$$ $$\newcommand{\ImaginaryPart}{\mathrm{Im}}$$ $$\newcommand{\Argument}{\mathrm{Arg}}$$ $$\newcommand{\norm}[1]{\| #1 \|}$$ $$\newcommand{\inner}[2]{\langle #1, #2 \rangle}$$ $$\newcommand{\Span}{\mathrm{span}}$$

ElGamal encryption is a public-key encryption scheme that is based on DHKA

construction 15.6: ElGamal

The public parameters are a choice of cyclic group ? with n elements and generator g.

The scheme satisfies correctness, since for all M:

Security

Imagine an adversary who is interested in attacking an ElGamal scheme. This adversary sees the public key A = ga and a ciphertext (gb,M gab) go by. Intuitively, the Decisional Diffie-Hellman assumption says that the value gab looks random, even to someone who has seen gaand gb. Thus, the message M is masked with a pseudorandom group element — as we’ve seen before, this is a lot like masking the message with a random pad as in one-time pad. The only change here is that instead of the XOR operation, we are using the group operation in ?.

More formally, we can prove the security of ElGamal under the DDH assumption:

Claim 15.7

If the DDH assumption in group ? is true, then ElGamal in group ? is CPA$-secure. Proof It suffices to show that ElGamal has pseudorandom ciphertexts when the calling program sees only a single ciphertext. In other words, we will show that ℒpk-ots$-real ≋ ℒpk-ots$-rand, where these libraries are the ℒpk-cpa$-* libraries from Definition 15.2 but with the singleciphertext restriction used in Definition 15.4. It is left as an exercise to show that ℒpk-ots$-real ≋ ℒpk-ots$-rand implies CPA$security (which in turn implies CPA security); the proof is very similar to that of Claim 15.5. The sequence of hybrid libraries is given below: The starting point is the ℒpk-ots$-real library, shown here with the details of ElGamal filled in.

The main body of QUERY computes some intermediate values B and Ab . But since those lines are only reachable one time, it does not change anything to pre-compute them at initialization time.

We can factor out the generation of A,B,C in terms of the ℒdh-real library from the Decisional Diffie-Hellman security definition (Definition 14.5).

Applying the security of DDH, we can replace ℒdh-real with ℒdh-rand.

The call to DHQUERY has been inlined.

As before, since the main body of QUERY is only reachable once, we can move the choice of B and C into that subroutine instead of at initialization time.

When b is sampled uniformly from ℤn, the expression B = gb is a uniformly distributed element of ?. Also recall that when C is a uniformly distributed element of ?, then M · C is uniformly distributed — this is analogous to the one-time pad property (see Exercise 2.1). Applying this change gives the library to the left.

In the final hybrid, the response to QUERY is a pair of uniformly distributed group elements (B,X). Hence that library is exactly ℒpk-ots\$-rand, as desired.

15.3: ElGamal Encryption is shared under a CC BY-NC-SA 4.0 license and was authored, remixed, and/or curated by Mike Rosulek.