EC ElGamal versus static+ephemeral ECDH

Question

A client application needs to encrypt a UDP datagram for a server with known EC public key $P$. Performing a full ECDH key exchange would defeat the benefit of using UDP as a connectionless protocol. I am therefore looking at ways to share a temporary symmetrical key decided by the client only.

Two solutions to that constraint seem to be :

• Generating an ephemeral key pair $(k,K)$, and encrypt the payload with $kP$ − ECDH.
• Generating a random key $r$ and encrypt it with EC ElGamal.

The ECDH approach requires 1 EC multiplication from the client ($kP$), 1 EC point to include in the datagram ($K$), and 1 EC multiplication from the server ($pK$).

According to the link above, the EC ElGamal approach seems to require 2 EC multiplications from the client, 2 EC points to include in the datagram, and 1 EC multiplication from the server.

Diffie-Hellman is apparently lighter in computation and header data. What is the advantage of using ElGamal ?

Answer 1

ElGamal appears to be used instead of Diffie-Hellman (or IES) in OpenPGP mostly because when that format was put together, there were some unresolved intellectual property issues surrounding both RSA and Diffie-Hellman, while ElGamal was unproblematic. This trend for ElGamal seems to stick around, mostly by force of habit, e.g. when switching to elliptic-curve variants.

If you look at ElGamal closely, you will see that it is, in fact, a Diffie-Hellman key exchange, where the resulting key is used to encrypt a message in a kind of one-time-pad system (the $y^r$ value is the DH output, and is combined, using the group operation, with the message to encrypt). Using the group operation allows for homomorphism, but when that property is not needed, it is a useless complication and overhead.