ElGamal encryption

ElGamal encryption

In cryptography, the ElGamal encryption system is an asymmetric key encryption algorithm for public-key cryptography which is based on the Diffie-Hellman key agreement. It was described by Taher Elgamal in 1984 [Taher ElGamal, "A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms", IEEE Transactions on Information Theory, v. IT-31, n. 4, 1985, pp469–472 "or" CRYPTO 84, pp10–18, Springer-Verlag.] . ElGamal encryption is used in the free GNU Privacy Guard software, recent versions of PGP, and other cryptosystems. The Digital Signature Algorithm is a variant of the ElGamal signature scheme, which should not be confused with ElGamal encryption.

ElGamal encryption can be defined over any cyclic group G. Its security depends upon the difficulty of a certain problem in G related to computing discrete logarithms (see below).

The algorithm

ElGamal encryption consists of three components: the key generator, the encryption algorithm, and the decryption algorithm.

The key generator works as follows:

* Alice generates an efficient description of a multiplicative cyclic group G, of order q, with generator g,. See below for a discussion on the required properties of this group.
* Alice chooses a random x, from {0, ldots, q-1}.
* Alice computes h = g^x,.
* Alice publishes h,, along with the description of G, q, g,, as her public key. Alice retains x, as her private key which must be kept secret.

The encryption algorithm works as follows: to encrypt a message m, to Alice under her public key (G,q,g,h),,

* Bob converts m, into an element of G,.
* Bob chooses a random y, from {0, ldots, q-1},, then calculates c_1=g^y, and c_2=mcdot h^y.
* Bob sends the ciphertext (c_1,c_2), to Alice.

The decryption algorithm works as follows: to decrypt a ciphertext (c_1,c_2), with her private key x,,

* Alice computes frac{c_2}{c_1^x} as the plaintext message.

The decryption algorithm produces the intended message, since

: frac{c_2}{c_1^x} = frac{mcdot h^y}{g^{xy = frac{mcdot g^{xy{g^{xy = m.

If the space of possible messages is larger than the size of G,, then the message can be split into several pieces and each piece can be encrypted independently. Alternately, ElGamal may be used in a hybrid cryptosystem to improve efficiency on long messages.

Security

The security of the ElGamal scheme depends on the properties of the underlying group G as well as any padding scheme used on the messages.

If the computational Diffie-Hellman assumption holds the underlying cyclic group G, then the encryption function is one-way"CRYPTUTOR", " [http://crypto.cs.uiuc.edu/wiki/index.php/Elgamal_encryption_scheme Elgamal encryption scheme] "] .

If the decisional Diffie-Hellman assumption (DDH) holds in G, thenElGamal achieves semantic security. Semantic security is not implied by the computational Diffie-Hellman assumption aloneM. Abdalla, M. Bellare, P. Rogaway, "DHAES, An encryption scheme based on the Diffie-Hellman Problem" (Appendix A)] . See decisional Diffie-Hellman assumption for a discussion of groups where the assumption is believed to hold.

ElGamal encryption is unconditionally malleable, and therefore is not secure under chosen ciphertext attack. For example, given an encryption (c_1, c_2) of some (possibly unknown) message m, one can easily construct a valid encryption (c_1, 2 c_2) of the message 2m.

To achieve chosen-ciphertext security, the scheme must be further modified, or an appropriate padding scheme must be used. Depending on the modification, the DDH assumption may or may not be necessary.

Other schemes related to ElGamal which achieve security against chosen ciphertext attacks have also been proposed.The Cramer-Shoup system is secure under chosen ciphertext attack assuming DDH holds for G. Its proof does not use the random oracle model. Another proposed scheme is DHAES, whose proof requires an assumption that is weaker than the DDH assumption.

Efficiency

ElGamal encryption is probabilistic, meaning that a single plaintext can be encrypted to many possible ciphertexts, with the consequence that a general ElGamal encryption produces a 2:1 expansion in size from plaintext to ciphertext.

Encryption under ElGamal requires two exponentiations; however, these exponentiations are independent of the message and can be computed ahead of time if need be. Decryption only requires one exponentiation (instead of division, exponentiate c_1 to q-x). Unlike in the RSA and Rabin systems, ElGamal decryption "cannot" be sped up via the Chinese remainder theorem.

ee also

* ElGamal signature scheme
* Homomorphic encryption

References

* cite conference
first = Taher
last = Elgamal
title = A public key cryptosystem and a signature scheme based on discrete logarithms
booktitle = Proceedings of CRYPTO 84 on Advances in cryptology
pages = 10-18
publisher = Springer-Verlag New York, Inc.
date = 1985
location = Santa Barbara, California, United States
url = http://groups.csail.mit.edu/cis/crypto/classes/6.857/papers/elgamal.pdf
accessdate = 2008-09-30

* [http://www.cacr.math.uwaterloo.ca/hac/ Handbook of Applied Cryptography] , contains a detailed description of the ElGamal algorithm in [http://www.cacr.math.uwaterloo.ca/hac/about/chap8.pdf Chapter 8] (PDF file).
* Dan Boneh, The Decision Diffie-Hellman Problem, ANTS 1998, pp. 48–63 [http://crypto.stanford.edu/~dabo/abstracts/DDH.html] .


Wikimedia Foundation. 2010.

Игры ⚽ Нужно решить контрольную?

Look at other dictionaries:

  • ElGamal signature scheme — The ElGamal signature scheme is a digital signature scheme which is based on the difficulty of computing discrete logarithms. It was described by Taher ElGamal in 1984 (see T. ElGamal, A public key cryptosystem and a signature scheme based on… …   Wikipedia

  • Integrated Encryption Scheme — (IES) is a hybrid encryption scheme which provides semantic security against an adversary who is allowed to use chosen plaintext and chosen ciphertext attacks. The security of the scheme is based on the Diffie–Hellman problem. Two incarnations of …   Wikipedia

  • Optimal asymmetric encryption padding — This article is about the padding scheme used in public key cryptography. For the division of the Thailand Ministry of Science Technology and Environment entitled Office of Atomic Energy for Peace, see [1]. In cryptography, Optimal Asymmetric… …   Wikipedia

  • Homomorphic encryption — is a form of encryption where one can perform a specific algebraic operation on the plaintext by performing a (possibly different) algebraic operation on the ciphertext. Depending on one s viewpoint, this can be seen as a positive or negative… …   Wikipedia

  • Probabilistic encryption — is the use of randomness in an encryption algorithm, so that when encrypting the same message several times it will, in general, yield different ciphertexts. The term probabilistic encryption is typically used in reference to public key… …   Wikipedia

  • Elliptic Curve Integrated Encryption Scheme — Das Elliptic Curve Integrated Encryption Scheme (ECIES) ist ein hybrides Verschlüsselungsverfahren, dem elliptische Kurven zugrunde liegen. Als Hybridverfahren kombiniert es ein asymmetrisches Verfahren, das zum Versenden eines symmetrischen… …   Deutsch Wikipedia

  • Public-key cryptography — In an asymmetric key encryption scheme, anyone can encrypt messages using the public key, but only the holder of the paired private key can decrypt. Security depends on the secrecy of that private key …   Wikipedia

  • Cramer–Shoup cryptosystem — The Cramer–Shoup system is an asymmetric key encryption algorithm, and was the first efficient scheme proven to be secure against adaptive chosen ciphertext attack using standard cryptographic assumptions. Its security is based on the… …   Wikipedia

  • CEILIDH — is a public key cryptosystem based on the discrete logarithm problem in algebraic torus. This idea was first introduced by Alice Silverberg and Karl Rubin in 2003. The main advantage of those schemes is the reduced size of the keys for the same… …   Wikipedia

  • Diffie–Hellman key exchange — (D–H)[nb 1] is a specific method of exchanging keys. It is one of the earliest practical examples of key exchange implemented within the field of cryptography. The Diffie–Hellman key exchange method allows two parties that have no prior knowledge …   Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”