Elgamal Encryption
Elgamal Encryption
ElGamal Encryption
ElGamal is a public-key cryptosystem based on the hardness of the Discrete Logarithm Problem in a cyclic group.
Setup
Choose a large prime , a generator of the multiplicative group , and a private key . The public key is .
Encryption
To encrypt message :
- Pick a random ephemeral key
- Compute
- Compute
- Ciphertext is
Decryption
Given private key :
- Compute shared secret
- Recover
Example Walkthrough
Let , , and choose private key .
Setup — Key Generation
- Private key: — known only to the recipient.
- Public key: — shared openly.
Encryption — Encrypt message with random :
Ciphertext:
Decryption — Recover using private key :
Key Properties
- Randomized: The random means encrypting the same message twice produces different ciphertexts.
- Homomorphic: Multiplying two ciphertexts gives a valid encryption of the product of the plaintexts — this is why it shows up a lot in voting schemes and privacy protocols.
- Ciphertext expansion: Output is 2x the size of the plaintext.
- Semantic security holds under the Decisional Diffie-Hellman (DDH) assumption.
Exponential ElGamal and Additive Homomorphism
Standard ElGamal encrypts a group element directly — decryption recovers it as-is. Exponential ElGamal instead encodes an integer as the group element (or in multiplicative notation), which changes the homomorphic property from multiplicative to additive:
This is the key property that makes exponential ElGamal useful for on-chain voting and privacy protocols. The chain can sum thousands of encrypted shares without decrypting any of them — the tally accumulates homomorphically.
The tradeoff is that decryption now yields , not directly. Recovering the integer from is a discrete logarithm problem. In practice this is fine when is bounded (as it always is in a tally), because Baby-Step Giant-Step (BSGS) solves it cheaply in time.
If we used standard ElGamal (direct group element recovery, no BSGS needed), we'd lose the additive homomorphism and couldn't accumulate encrypted votes on-chain.