# 5.6: The ElGamal Cryptosystem

$$\newcommand{\vecs}[1]{\overset { \scriptstyle \rightharpoonup} {\mathbf{#1}} }$$

$$\newcommand{\vecd}[1]{\overset{-\!-\!\rightharpoonup}{\vphantom{a}\smash {#1}}}$$

$$\newcommand{\id}{\mathrm{id}}$$ $$\newcommand{\Span}{\mathrm{span}}$$

( \newcommand{\kernel}{\mathrm{null}\,}\) $$\newcommand{\range}{\mathrm{range}\,}$$

$$\newcommand{\RealPart}{\mathrm{Re}}$$ $$\newcommand{\ImaginaryPart}{\mathrm{Im}}$$

$$\newcommand{\Argument}{\mathrm{Arg}}$$ $$\newcommand{\norm}[1]{\| #1 \|}$$

$$\newcommand{\inner}[2]{\langle #1, #2 \rangle}$$

$$\newcommand{\Span}{\mathrm{span}}$$

$$\newcommand{\id}{\mathrm{id}}$$

$$\newcommand{\Span}{\mathrm{span}}$$

$$\newcommand{\kernel}{\mathrm{null}\,}$$

$$\newcommand{\range}{\mathrm{range}\,}$$

$$\newcommand{\RealPart}{\mathrm{Re}}$$

$$\newcommand{\ImaginaryPart}{\mathrm{Im}}$$

$$\newcommand{\Argument}{\mathrm{Arg}}$$

$$\newcommand{\norm}[1]{\| #1 \|}$$

$$\newcommand{\inner}[2]{\langle #1, #2 \rangle}$$

$$\newcommand{\Span}{\mathrm{span}}$$ $$\newcommand{\AA}{\unicode[.8,0]{x212B}}$$

$$\newcommand{\vectorA}[1]{\vec{#1}} % arrow$$

$$\newcommand{\vectorAt}[1]{\vec{\text{#1}}} % arrow$$

$$\newcommand{\vectorB}[1]{\overset { \scriptstyle \rightharpoonup} {\mathbf{#1}} }$$

$$\newcommand{\vectorC}[1]{\textbf{#1}}$$

$$\newcommand{\vectorD}[1]{\overrightarrow{#1}}$$

$$\newcommand{\vectorDt}[1]{\overrightarrow{\text{#1}}}$$

$$\newcommand{\vectE}[1]{\overset{-\!-\!\rightharpoonup}{\vphantom{a}\smash{\mathbf {#1}}}}$$

$$\newcommand{\vecs}[1]{\overset { \scriptstyle \rightharpoonup} {\mathbf{#1}} }$$

$$\newcommand{\vecd}[1]{\overset{-\!-\!\rightharpoonup}{\vphantom{a}\smash {#1}}}$$

$$\newcommand{\avec}{\mathbf a}$$ $$\newcommand{\bvec}{\mathbf b}$$ $$\newcommand{\cvec}{\mathbf c}$$ $$\newcommand{\dvec}{\mathbf d}$$ $$\newcommand{\dtil}{\widetilde{\mathbf d}}$$ $$\newcommand{\evec}{\mathbf e}$$ $$\newcommand{\fvec}{\mathbf f}$$ $$\newcommand{\nvec}{\mathbf n}$$ $$\newcommand{\pvec}{\mathbf p}$$ $$\newcommand{\qvec}{\mathbf q}$$ $$\newcommand{\svec}{\mathbf s}$$ $$\newcommand{\tvec}{\mathbf t}$$ $$\newcommand{\uvec}{\mathbf u}$$ $$\newcommand{\vvec}{\mathbf v}$$ $$\newcommand{\wvec}{\mathbf w}$$ $$\newcommand{\xvec}{\mathbf x}$$ $$\newcommand{\yvec}{\mathbf y}$$ $$\newcommand{\zvec}{\mathbf z}$$ $$\newcommand{\rvec}{\mathbf r}$$ $$\newcommand{\mvec}{\mathbf m}$$ $$\newcommand{\zerovec}{\mathbf 0}$$ $$\newcommand{\onevec}{\mathbf 1}$$ $$\newcommand{\real}{\mathbb R}$$ $$\newcommand{\twovec}[2]{\left[\begin{array}{r}#1 \\ #2 \end{array}\right]}$$ $$\newcommand{\ctwovec}[2]{\left[\begin{array}{c}#1 \\ #2 \end{array}\right]}$$ $$\newcommand{\threevec}[3]{\left[\begin{array}{r}#1 \\ #2 \\ #3 \end{array}\right]}$$ $$\newcommand{\cthreevec}[3]{\left[\begin{array}{c}#1 \\ #2 \\ #3 \end{array}\right]}$$ $$\newcommand{\fourvec}[4]{\left[\begin{array}{r}#1 \\ #2 \\ #3 \\ #4 \end{array}\right]}$$ $$\newcommand{\cfourvec}[4]{\left[\begin{array}{c}#1 \\ #2 \\ #3 \\ #4 \end{array}\right]}$$ $$\newcommand{\fivevec}[5]{\left[\begin{array}{r}#1 \\ #2 \\ #3 \\ #4 \\ #5 \\ \end{array}\right]}$$ $$\newcommand{\cfivevec}[5]{\left[\begin{array}{c}#1 \\ #2 \\ #3 \\ #4 \\ #5 \\ \end{array}\right]}$$ $$\newcommand{\mattwo}[4]{\left[\begin{array}{rr}#1 \amp #2 \\ #3 \amp #4 \\ \end{array}\right]}$$ $$\newcommand{\laspan}[1]{\text{Span}\{#1\}}$$ $$\newcommand{\bcal}{\cal B}$$ $$\newcommand{\ccal}{\cal C}$$ $$\newcommand{\scal}{\cal S}$$ $$\newcommand{\wcal}{\cal W}$$ $$\newcommand{\ecal}{\cal E}$$ $$\newcommand{\coords}[2]{\left\{#1\right\}_{#2}}$$ $$\newcommand{\gray}[1]{\color{gray}{#1}}$$ $$\newcommand{\lgray}[1]{\color{lightgray}{#1}}$$ $$\newcommand{\rank}{\operatorname{rank}}$$ $$\newcommand{\row}{\text{Row}}$$ $$\newcommand{\col}{\text{Col}}$$ $$\renewcommand{\row}{\text{Row}}$$ $$\newcommand{\nul}{\text{Nul}}$$ $$\newcommand{\var}{\text{Var}}$$ $$\newcommand{\corr}{\text{corr}}$$ $$\newcommand{\len}[1]{\left|#1\right|}$$ $$\newcommand{\bbar}{\overline{\bvec}}$$ $$\newcommand{\bhat}{\widehat{\bvec}}$$ $$\newcommand{\bperp}{\bvec^\perp}$$ $$\newcommand{\xhat}{\widehat{\xvec}}$$ $$\newcommand{\vhat}{\widehat{\vvec}}$$ $$\newcommand{\uhat}{\widehat{\uvec}}$$ $$\newcommand{\what}{\widehat{\wvec}}$$ $$\newcommand{\Sighat}{\widehat{\Sigma}}$$ $$\newcommand{\lt}{<}$$ $$\newcommand{\gt}{>}$$ $$\newcommand{\amp}{&}$$ $$\definecolor{fillinmathshade}{gray}{0.9}$$

$$\newcommand{\NN}{\mathbb N}$$
$$\newcommand{\RR}{\mathbb R}$$
$$\newcommand{\QQ}{\mathbb Q}$$
$$\newcommand{\ZZ}{\mathbb Z}$$
$$\newcommand{\Cc}{\mathcal C}$$
$$\newcommand{\Dd}{\mathcal D}$$
$$\newcommand{\Ee}{\mathcal E}$$
$$\newcommand{\Ff}{\mathcal F}$$
$$\newcommand{\Kk}{\mathcal K}$$
$$\newcommand{\Mm}{\mathcal M}$$
$$\newcommand{\Pp}{\mathcal P}$$
$$\newcommand{\ind}{\operatorname{ind}}$$
$$\newcommand{\ord}{\operatorname{ord}}$$

As mentioned in the previous section, exponentiation in mod $$p$$, where $$p$$ is a prime known to the public, is a good candidate one-way function: It is fast (feasible) in the forward direction; its inverse, being discrete log with respect to a primitive root $$r$$ mod $$p$$ is thought to be infeasible – even when that root is known to the public. This was behind the security of DHKE, and now we discuss how to use this one-way function to set up a more usual public-key cryptosystem: the ElGamal Cryptosystem.

The RSA public-key cryptosystem did its actual encryption by exponentiation in mod $$n=pq$$. The decryption then was by exponentiation with the multiplicative inverse in mod $$\phi(n)$$ of the encryption exponent. The owner of the private key – $$(p,\ q)$$ – knows also the decryption exponent, entirely because $$\phi(n)$$ can be computed.

Similarly, ElGamal uses an elementary arithmetic operation – multiplication of a numerical form of the message by a random number in some mod – to do the scrambling needed for encryption. Enough information is also passed along in the ciphertext so that the intended recipient, who knows the value of a certain discrete log, can cancel out this scrambling multiplication. Here are the details:

Definition: ElGamal Cryptosystem

To start, Alice picks a large prime $$p$$, a primitive root $$r$$ mod $$p$$, and a secret value $$\alpha\in\NN$$ satisfying $$2\le\alpha\le p-1$$. She computes the value $$a=r^\alpha$$ and then posts her ElGamal public [encryption] key $$(p,r,a)$$ on her website.

Alice’s ElGamal private [decryption] key is $$(p,r,\alpha)$$. The association of decryption to encryption keys is by $$\Ee:(p,r,\alpha)\mapsto(p,r,r^\alpha)$$.

The message space is $$\Mm=\{m\in\ZZ\mid 2\le m\le p-1\}$$, which we will assume can be interpreted as meaningful messages encoded numerically by some widely known scheme.

Say Bob wishes to send Alice the cleartext $$m\in\Mm$$. For each new such message $$m$$, he generates a random number $$\beta\in\NN$$ such that $$2\le\beta\le p-2$$ and builds the ciphertext for ElGamal encryption as the two pieces $c=e_{(p,r,a)}(m)=(r^\beta\pmod*{p},\ m\cdot a^\beta\pmod*{p})\ .$

When Alice gets the ciphertext $$c=(c_1,c_2)$$, she can recover the cleartext by ElGamal decryption $d_{(p,r,\alpha)}(c_1,c_2) = c_2\cdot c_1^{p-1-\alpha}\ .$

All of the above parts together form the ElGamal cryptosystem.

We first need to know this is correct, in the sense that

Proposition $$\PageIndex{1}$$

With the notation as above in the Definition of ElGamal Cryptosystem, we have $d_{(p,r,\alpha)}(e_{(p,r,a)}(m)) = m\quad\forall m\in\Mm\ .$

Proof

Just compute: \begin{aligned} d_{(p,r,\alpha)}(e_{(p,r,a)}(m)) &\equiv m\cdot a^\beta\pmod*{p}\cdot(r^\beta)^{p-1-\alpha}\pmod{p}\\ &\equiv m\cdot (r^\alpha)^\beta\cdot(r^\beta)^{p-1-\alpha}\pmod{p}\\ &\equiv m\cdot r^{\alpha\beta+\beta(p-1)-\alpha\beta}\pmod{p}\\ &\equiv m\cdot (r^{p-1})^\beta\pmod{p}\\ &\equiv m\cdot 1^\beta\pmod{p}\\ &\equiv m\pmod{p}\end{aligned} Note that the power $$p-1-\alpha$$ as the exponent of the $$c_1$$ term in decryption is to make $$(c_1^{-1})^\alpha$$ without using negative powers, by applying Theorem 5.1.2.

Graphically:

ElGamal Cryptosystem:

 Alice on public network Bob pick a prime $$p$$ find a primitive root $$r$$ choose $$\alpha\ \mid\ 2\le\alpha\le p-1$$ compute $$a=r^\alpha\pmod{p}$$ publish public key $$\rightarrowtail(p,r,a)$$ download public key given message $$m\in\Mm$$ (so $$2\le m\le p-1$$) choose $$\beta\ \mid\ 2\le\beta\le p-2$$ compute $$c_1=r^\beta\pmod*{p}$$ and $$c_2=m\cdot a^\beta\pmod*{p}$$ receive ciphertext $$(c_1,c_2)\leftarrowtail$$ transmit ciphertext compute cleartext $$m = c_2\cdot c_1^{p-1-\alpha}$$

There is a nice digital signature algorithm associated with ElGamal:

Definition: ElGamal Signature

Suppose Alice has ElGamal private key $$(p,r,\alpha)$$ and wishes to digitally sign the message $$m\in\Mm$$. She first chooses a random $$\gamma\in\NN$$ satisfying $$1<\gamma<p-1$$ and $$\gcd(\gamma,p-1)=1$$.

The digital signature on $$m$$ is $$(r^\gamma\pmod*{p},\gamma^{-1}\cdot(m-\alpha r^\gamma)\pmod*{p-1})$$, where the inverse is taken in mod $$p-1$$.

To verify the signature $$(x,y)$$ on message $$m$$ using Alice’s public key $$(p,r,a)$$, Bob checks to see if $$a^x x^y\equiv r^m\pmod{p}$$: if so, he accepts; if not, he rejects.

Again, we would like to know this does the right thing:

Proposition $$\PageIndex{2}$$

Using the notation as above, Bob will accept all signed messages produced by Alice.

Proof

Assuming the signed message $$(m,x,y)$$ was produced by Alice as above, we compute: \begin{aligned} a^x x^y &\equiv a^{r^\gamma} (r^\gamma)^{\gamma^{-1}(m-\alpha r^\gamma)}\pmod{p}\\ &\equiv (r^\alpha)^{r^\gamma} (r^\gamma)^{\gamma^{-1}(m-\alpha r^\gamma)}\pmod{p}\\ &\equiv r^{\alpha r^\gamma+\gamma\gamma^{-1}(m-\alpha r^\gamma)}\pmod{p}\\ &\equiv r^{\alpha r^\gamma+m-\alpha r^\gamma}\pmod{p}\\ &\equiv r^m\pmod{p}\end{aligned} So Bob will accept.

Graphically:

ElGamal Digital Signatures:

 Alice on public network Bob find prime $$p$$ and primitive root $$r$$ choose $$\alpha\ \mid\ 2\le\alpha\le p-1$$ compute $$a=r^\alpha\pmod{p}$$ publish public key $$\rightarrowtail(p,r,a)$$ download public key given message $$m\in\Mm$$ (so $$2\le m\le p-1$$) pick random $$\gamma$$ s.t. $$1<\gamma Exercise \(\PageIndex{1}$$

1. You instructor still likes the prime $$p=11717$$ with primitive root $$r=103$$ from an earlier exercise (Exercise 5.5.1(2)) on DHKE. In addition, your instructor has calculated the value $$a=1020$$ to complete an ElGamal public key $$(p,r,a)=(11717,103,1020)$$.

Using this public key, you want to send a message to your instructor, which should consist of the number $$42$$ (it is, after all, the answer to “life, the universe, and everything”). What ciphertext will you send? Show your work!

2. Now your instructor wants to send you your grade on a recent test by e-mail, and to prove that this e-mail does in fact originate with your instructor, the email contains both the score value of $$97$$ and the addendum “This score value signed with an ElGamal Digital signature using my public key [the same instructor’s public key as above in Exercise 5.6.1(1) being $$(p,r,a)=(11717,103,1020)$$]; the signature has the value $$(6220, 10407)$$.”

Do you accept this as truly coming from your instructor? Show your work!

3. Create an ElGamal public key and e-mail it to your instructor. Wait for a reply message which is ElGamal encrypted, then mail the cleartext back to your instructor.

Also, use your public key to sign the number (=message) $$17$$. Send the signed number to your instructor and wait to hear if the signature is accepted or not.

This page titled 5.6: The ElGamal Cryptosystem is shared under a CC BY-SA license and was authored, remixed, and/or curated by Jonathan A. Poritz.