El Gamal Encryption

Saravanan Vijayakumaran

Department of Electrical Engineering, IIT Bombay

October 21, 2025

Public-Key Encryption Schemes

A public-key encryption scheme is a triple of PPT algorithms (\textsf{Gen}, \textsf{Enc}, \textsf{Dec}) such that:
1. (pk,sk) \leftarrow \textsf{Gen}(1^n)
  - pk is the public key and sk is the private key
  - The public key defines a message space \mathcal{M}_{pk}
2. For m \in \mathcal{M}_{pk}, c \leftarrow \textsf{Enc}_{pk}(m).
3. m \coloneqq \textsf{Dec}_{sk}(c), where m \in \mathcal{M}_{pk} \cup \{\perp\}.
It is required that \textsf{Dec}_{sk}\left( \textsf{Enc}_{pk}\left( m \right) \right) = m for any message m \in \mathcal{M}_{pk}, except with negligible probability over the randomness of \textsf{Enc} and \textsf{Dec}

A public-key encryption scheme \Pi = (\textsf{Gen}, \textsf{Enc}, \textsf{Dec}) has indistinguishable encryptions in the presence of an eavesdropper, or is EAV-secure, if for all PPT adversaries \mathcal{A} there is a negligible function \textsf{negl} such that, for all n, \Pr\left[ \textsf{PubK}^{\textsf{eav}}_{\mathcal{A},\Pi}(n) = 1\right] \le \frac{1}{2} + \textsf{negl}(n).

In public-key encryption, the adversary always has access to an encryption oracle
Proposition: If a public-key encryption scheme has indistinguishable encryptions in the presence of an eavesdropper, it is CPA-secure

In 1985, Taher El Gamal constructed a public-key encryption scheme based on the Diffie-Hellman protocol
\textsf{Gen}:
- Run \mathcal{G}(1^n) to get (G, q, g).
- Choose a uniform x \in \mathbb{Z}_q and compute h \coloneqq g^x.
- The public key is \langle G, q, g, h \rangle and the private key is \langle G, q, g, x\rangle.
- The message space is G

\textsf{Enc}:
- For public key pk =\langle G, q, g, h \rangle and message m \in G, choose a uniform y \in \mathbb{Z}_q
- Output the ciphertext as \langle g^y, h^y \cdot m \rangle
\textsf{Dec}:
- For public key pk =\langle G, q, g, h \rangle and ciphertext \langle c_1, c_2 \rangle, output \hat{m} = c_2 \cdot c_1^{-x}.

Theorem: If the DDH problem is hard relative to \mathcal{G}, then the El Gamal encryption scheme is CPA-secure.
Proof
- Consider a modified “encryption scheme” \widetilde{\Pi} where the encryption of message m wrt public key \langle G, q, g, h \rangle is as follows
- Choose uniform y,z \in \mathbb{Z}_q and output ciphertext \langle g^y, g^z \cdot m \rangle.

Case 1: h_3 = g^z for uniform z \in \mathbb{Z}_q
- \langle c_1, c_2 \rangle = \langle g^y, g^z \cdot m_b \rangle
- \mathcal{A} experiences the experiment \textsf{PubK}^{\textsf{eav}}_{\mathcal{A},\widetilde{\Pi}}(n)
- Since D outputs 1 exactly when b' = b, we have \begin{align*} & \Pr\left[ D(G, q, g, g^x, g^y, g^z) =1 \right] \\ &= \Pr \left[ \textsf{PubK}^{\textsf{eav}}_{\mathcal{A}, \widetilde{\Pi}}(n)=1\right]= \frac{1}{2} \end{align*}

Case 2: h_3 = g^{xy}
- \langle c_1, c_2 \rangle = \langle g^y, g^{xy} \cdot m_b \rangle
- \mathcal{A} experiences the experiment \textsf{PubK}^{\textsf{eav}}_{\mathcal{A},\Pi}(n)
- Since D outputs 1 exactly when b' = b, we have \begin{align*}& \Pr\left[ D(G, q, g, g^x, g^y, g^{xy}) =1 \right] \\ &= \Pr \left[ \textsf{PubK}^{\textsf{eav}}_{\mathcal{A}, \Pi}(n)=1\right] \end{align*}

For any PPT distinguisher D, we have \begin{align*} &|\Pr\left[ D(G, q, g, g^x, g^y, g^{xy}) =1 \right]\\ &- \Pr\left[ D(G, q, g, g^x, g^y, g^{z}) =1 \right]| \le \textsf{negl}(n) \end{align*}
This implies that \begin{align*} &\left|\Pr \left[ \textsf{PubK}^{\textsf{eav}}_{\mathcal{A}, \Pi}(n)=1\right] - \frac{1}{2}\right| \le \textsf{negl}(n)\\ \implies & \Pr \left[ \textsf{PubK}^{\textsf{eav}}_{\mathcal{A}, \Pi}(n)=1\right] \le \frac{1}{2} + \textsf{negl}(n) \end{align*}