Note

Elgamal Encryption

Elgamal Encryption

By Roman Akhtariev

ElGamal Encryption

ElGamal is a public-key cryptosystem based on the hardness of the Discrete Logarithm Problem in a cyclic group.

Setup

Choose a large prime pp, a generator gg of the multiplicative group Zp\mathbb{Z}_p^*, and a private key xx. The public key is h=gxmodph = g^x \mod p.

Encryption

To encrypt message mm:

  1. Pick a random ephemeral key kk
  2. Compute c1=gkmodpc_1 = g^k \mod p
  3. Compute c2=mhkmodpc_2 = m \cdot h^k \mod p
  4. Ciphertext is (c1,c2)(c_1, c_2)

Decryption

Given private key xx:

  1. Compute shared secret s=c1xmodps = c_1^x \mod p
  2. Recover m=c2s1modpm = c_2 \cdot s^{-1} \mod p

Example Walkthrough

Let p=23p = 23, g=11g = 11, and choose private key x=6x = 6.

Setup — Key Generation

h=gxmodp=116mod23=9h = g^x \mod p = 11^6 \mod 23 = 9

  • Private key: x=6x = 6 — known only to the recipient.
  • Public key: (p,g,h)=(23,11,9)(p, g, h) = (23, 11, 9) — shared openly.

Encryption — Encrypt message m=7m = 7 with random k=3k = 3:

c1=gkmodp=113mod23=20c_1 = g^k \mod p = 11^3 \mod 23 = 20

c2=mhkmodp=793mod23=716mod23=112mod23=20c_2 = m \cdot h^k \mod p = 7 \cdot 9^3 \mod 23 = 7 \cdot 16 \mod 23 = 112 \mod 23 = 20

Ciphertext: (c1,c2)=(20,20)(c_1, c_2) = (20, 20)

Decryption — Recover mm using private key x=6x = 6:

s=c1xmodp=206mod23=16s = c_1^x \mod p = 20^6 \mod 23 = 16

s1mod23=13(since 1613=2081(mod23))s^{-1} \mod 23 = 13 \quad \text{(since } 16 \cdot 13 = 208 \equiv 1 \pmod{23}\text{)}

m=c2s1modp=2013mod23=260mod23=7m = c_2 \cdot s^{-1} \mod p = 20 \cdot 13 \mod 23 = 260 \mod 23 = 7 \quad \checkmark

Key Properties

  • Randomized: The random kk means encrypting the same message twice produces different ciphertexts.
  • Homomorphic: Multiplying two ciphertexts gives a valid encryption of the product of the plaintexts — this is why it shows up a lot in voting schemes and privacy protocols.
  • Ciphertext expansion: Output is 2x the size of the plaintext.
  • Semantic security holds under the Decisional Diffie-Hellman (DDH) assumption.

Exponential ElGamal and Additive Homomorphism

Standard ElGamal encrypts a group element directly — decryption recovers it as-is. Exponential ElGamal instead encodes an integer vv as the group element vGv \cdot G (or gvg^v in multiplicative notation), which changes the homomorphic property from multiplicative to additive:

Enc(a)+Enc(b)=Enc(a+b)\text{Enc}(a) + \text{Enc}(b) = \text{Enc}(a + b)

This is the key property that makes exponential ElGamal useful for on-chain voting and privacy protocols. The chain can sum thousands of encrypted shares without decrypting any of them — the tally accumulates homomorphically.

The tradeoff is that decryption now yields vGv \cdot G, not vv directly. Recovering the integer vv from vGv \cdot G is a discrete logarithm problem. In practice this is fine when vv is bounded (as it always is in a tally), because Baby-Step Giant-Step (BSGS) solves it cheaply in O(v)O(\sqrt{v}) time.

If we used standard ElGamal (direct group element recovery, no BSGS needed), we'd lose the additive homomorphism and couldn't accumulate encrypted votes on-chain.