# 10.5 The ElGamal Public Key Cryptosystem

In Chapter 9, we studied a public key cryptosystem whose security is based on the difficulty of factoring. It is also possible to design a system whose security relies on the difficulty of computing discrete logarithms. This was done by ElGamal in 1985. This system does not quite fit the definition of a public key cryptosystem given at the end of Chapter 9, since the set of possible plaintexts (integers mod $p$) is not the same as the set of possible ciphertexts (pairs of integers $(r\text{,}\text{}t)$ mod $p$). However, this technical point will not concern us.

Alice wants to send a message $m$ to Bob. Bob chooses a large prime $p$ and a primitive root $\alpha $. Assume $m$ is an integer with $0\le m<p$. If $m$ is larger, break it into smaller blocks. Bob also chooses a secret integer $b$ and computes $\beta \equiv {\alpha}^{b}\text{}(\text{mod}\text{}p)$. The information $(p\text{,}\text{}\alpha \text{,}\text{}\beta )$ is made public and is Bob’s public key. Alice does the following:

Downloads $(p\text{,}\text{}\alpha \text{,}\text{}\beta )$

Chooses a secret random integer $k$ and computes $r\equiv {\alpha}^{k}\text{}(\text{mod}\text{}p)$

Computes $t\equiv {\beta}^{k}m\text{}(\text{mod}\text{}p)$

Sends the pair $(r\text{,}\text{}t)$ to Bob

Bob decrypts by computing

This works because

If Eve determines $b$, then she can also decrypt by the same procedure that Bob uses. Therefore, it is important for Bob to keep $b$ secret. The numbers $\alpha $ and $\beta $ are public, and $\beta \equiv {\alpha}^{b}\text{}(\text{mod}\text{}p)$. The difficulty of computing discrete logs is what keeps $b$ secure.

Since $k$ is a random integer, ${\beta}^{k}$ is a random nonzero integer mod $p$. Therefore, $t\equiv {\beta}^{k}m\text{}(\text{mod}\text{}p)$ is $m$ multiplied by a random integer, and $t$ is random mod $p$ (unless $m=0$, which should be avoided, of course). Therefore, $t$ gives Eve no information about $m$. Knowing $r$ does not seem to give Eve enough additional information.

The integer $k$ is difficult to determine from $r$, since this is again a discrete logarithm problem. However, if Eve finds $k$, she can then calculate $t{\beta}^{-k}$, which is $m$.

It is important that a different random $k$ be used for each message. Suppose Alice encrypts messages ${m}_{1}$ and ${m}_{2}$ for Bob and uses the same value $k$ for each message. Then $r$ will be the same for both messages, so the ciphertexts will be $(r\text{,}\text{}{t}_{1})$ and $(r\text{,}\text{}{t}_{2})$. If Eve finds out the plaintext ${m}_{1}$, she can also determine ${m}_{2}$, as follows. Note that

Since Eve knows ${t}_{1}$ and ${t}_{2}$, she computes ${m}_{2}\equiv {t}_{2}{m}_{1}/{t}_{1}\text{}(\text{mod}\text{}p)$.

In Chapter 21, we’ll meet an analog of the ElGamal method that uses elliptic curves.

# 10.5.1 Security of ElGamal Ciphertexts

Suppose Eve claims to have obtained the plaintext $m$ corresponding to an RSA ciphertext $c$. It is easy to verify her claim: Compute ${m}^{e}\text{}(\text{mod}\text{}n)$ and check whether this equal $c$. Now suppose instead that Eve claims to possess the message $m$ corresponding to an ElGamal encryption $(r\text{,}\text{}t)$. Can you verify her claim? It turns out that this is as hard as the decision Diffie-Hellman problem from Section 10.4. In this aspect, the ElGamal algorithm is therefore much different than the RSA algorithm (of course, if some randomness is added to an RSA plaintext through OAEP, for example, then RSA encryption has a similar property).

# Proposition

*A machine that solves Decision Diffie-Hellman problems mod $p$ can be used to decide the validity of mod $p$ ElGamal ciphertexts, and a machine that decides the validity of mod $p$ ElGamal ciphertexts can be used to solve Decision Diffie-Hellman problems mod $p$.*

Proof. Suppose first that you have a machine ${M}_{1}$ that can decide whether an ElGamal decryption is correct. In other words, when given the inputs $p\text{,}\text{}\alpha \text{,}\text{}\beta \text{,}\text{}(r\text{,}\text{}t)\text{,}\text{}m$, the machine outputs “yes” if $m$ is the decryption of $(r\text{,}\text{}t)$ and outputs “no” otherwise. Let’s use this machine to solve the decision Diffie-Hellman problem. Suppose you are given ${\alpha}^{x}$ and ${\alpha}^{y}$, and you want to decide whether or not $c\equiv {\alpha}^{xy}$. Let $\beta ={\alpha}^{x}$ and $r={\alpha}^{y}\text{}(\text{mod}\text{}p)$. Moreover, let $t=c$ and $m=1$. Input

into ${M}_{1}$. Note that in the present setup, $x$ is the secret integer $b$ and ${\alpha}^{y}$ takes the place of the $r\equiv {\alpha}^{k}$. The correct decryption of $(r\text{,}\text{}t)=({\alpha}^{y}\text{,}\text{}{\alpha}^{xy})$ is $t{r}^{-b}\equiv c{r}^{-x}\equiv c{\alpha}^{-xy}$. Therefore, ${M}_{1}$ outputs “yes” exactly when $m=1$ is the same as $c{\alpha}^{-xy}\text{}(\text{mod}\text{}p)$, namely when $c\equiv {\alpha}^{xy}\text{}(\text{mod}\text{}p)$. This solves the decision Diffie-Hellman problem.

Conversely, suppose you have a machine ${M}_{2}$ that can solve the decision Diffie-Hellman problem. This means that if you give ${M}_{2}$ inputs $p\text{,}\text{}\alpha \text{,}\text{}{\alpha}^{x}\text{,}\text{}{\alpha}^{y}\text{,}\text{}c$, then ${M}_{2}$ outputs “yes” if $c\equiv {\alpha}^{xy}$ and outputs “no” if not. Let $m$ be the claimed decryption of the ElGamal ciphertext $(r\text{,}\text{}t)$. Input $\beta \equiv {\alpha}^{b}$ as ${\alpha}^{x}$, so $x=b$, and input $r\equiv {\alpha}^{k}$ as ${\alpha}^{y}$ so $y=k$. Input $t{m}^{-1}\text{}(\text{mod}\text{}p)$ as $c$. Note that $m$ is the correct plaintext for the ciphertext $(r\text{,}\text{}t)$ if and only if $m\equiv t{r}^{-a}\equiv t{\alpha}^{-xy}$, which happens if and only if $t{m}^{-1}\equiv {\alpha}^{xy}$. Therefore, $m$ is the correct plaintext if and only if $c\equiv t{m}^{-1}$ is the solution to the Diffie-Hellman problem. Therefore, with these inputs, ${M}_{2}$ outputs “yes” exactly when $m$ is the correct plaintext.

The reasoning just used can also be used to show that solving the computational Diffie-Hellman problem is equivalent to breaking the ElGamal system:

# Proposition

*A machine that solves computational Diffie-Hellman problems mod $p$ can be used to decrypt mod $p$ ElGamal ciphertexts, and a machine that decrypts mod $p$ ElGamal ciphertexts can be used to solve computational Diffie-Hellman problems mod $p$.*

Proof. If we have a machine ${M}_{3}$ that can decrypt all ElGamal ciphertexts, then input $\beta \equiv {\alpha}^{x}$ (so $a=x$) and $r\equiv {\alpha}^{y}$. Take any nonzero value for $t$. Then ${M}_{3}$ outputs $m\equiv t{r}^{-a}\equiv t{\alpha}^{-xy}$. Therefore, $t{m}^{-1}\text{}(\text{mod}\text{}p)$ yields the solution ${\alpha}^{xy}$ to the computational Diffie-Hellman problem.

Conversely, suppose we have a machine ${M}_{4}$ that can solve computational Diffie-Hellman problems. If we have an ElGamal ciphertext $(r\text{,}\text{}t)$, then we input ${\alpha}^{x}={\alpha}^{a}\equiv \beta $ and ${\alpha}^{y}\equiv {\alpha}^{k}\equiv r$. Then ${M}_{4}$ outputs ${\alpha}^{xy}\equiv {\alpha}^{ak}$. Since $m\equiv t{r}^{-a}\equiv t{\alpha}^{-ak}$, we obtain the plaintext $m$.