With Public Key $(G, q, g, h)$ where $G$ is a group, $q$ prime, $g$ a generator of $G$, Am I right in thinking that: $$\mathrm{Enc}(m;r) := (g^r, h^r \cdot g^m)$$
I guess you mean $ENC(m;r):=(g^r,g^m\cdot h^r)$. What you refer to is exponential ElGamal and, yes, this notation is often used to indicate which randomness is used by the encryption algorithm if the encryption is probabilistic. – DrLecter Jan 30 '14 at 06:47
Please do not open multiple nearly identical questions! This one is quite identical to this one asked just a few minutes earlier. – DrLecter Jan 30 '14 at 06:50
This question is not a duplicate of Homomorphic Encryption Notation Question. The later has no mention of ElGamal ! If we must keep a single question, it must be the present one (which is interesting, and would be more if it was also asked how and in what applications exponential ElGamal works; its decryption is nontrivial). – fgrieu Jan 16 '20 at 21:03
1 Answer
TL;DR: as pointed out by DrLecter in comment¹, the question's formula is for exponential ElGamal encryption, with per-encryption random $r$ explicit.
I'll first describe (straight) ElGamal encryption. It works in an arbitrary finite cyclic group of generator $g$ and order $q$ (with the internal law noted multiplicatively). That is, $q$ is the smallest strictly positive integer with $g^q=1$, where $1$ is the neutral in the group (the integer $1$ when working in a subgroup of $\Bbb Z_p^*$, or the point at infinity for an Elliptic Curve group). Private key is an integer $x$ in $[0,q)$. Public key can² be $h=g^{q-x}$.
Encryption of a message supposes that it was mapped to an element $\widetilde m$ in the group by some encoding technique. Encryption draws a random integer $r$ in $[0,q)$, and outputs the ciphertext consisting of two group elements per the formula (different from that in the question): $$\mathrm{Enc}(\widetilde m,r)\gets(g^r,h^r\cdot\widetilde m)$$
(Straight) ElGamal decryption of ciphertext $(c_1,c_2)$ produced as above obtains $\widetilde m$ as follows: $$\begin{align} \mathrm{Dec}(c_1,c_2)&\gets {c_1}^x\cdot c_2\\ &\;={\left(g^r\right)}^x\cdot h^r\cdot\widetilde m\\ &\;=(g^r)^x\cdot (g^{q-x})^r \cdot\widetilde m\\ &\;=g^{rx+(q-x)r}\cdot\widetilde m\\ &\;=g^{qr}\cdot\widetilde m\\ &\;=(g^q)^r\cdot\widetilde m\\ &\;=1^r\cdot\widetilde m\\ &\;=\widetilde m\\ \end{align}$$ (Straight) ElGamal encryption is multiplicatively homomorphic (for multiplication of plaintext as mapped in the group), per the easily established relation $$\mathrm{Enc}(\widetilde m,r)=(c_1,c_2)\quad\mathrm{Enc}(\widetilde m',r')=(c'_1,c'_2)\implies\mathrm{Dec}(c_1\cdot c'_1,c_2\cdot c'_2)=\widetilde m\cdot\widetilde m'$$ There are functional issues with (straight) ElGamal encryption:
- It is non-trivial to map and unmap an applicative message $m$ to and from an element $\widetilde m$ of the group. In $\Bbb Z_p^*$ with $q$ prime or in an ECC group, practical methods are iterative. When working in $\Bbb Z_p^*$ with $p$ prime and $q=p-1$ (implying $q$ is not prime for sizable $p$), we can take $\widetilde m=m$ but then ElGamal encryption leaks one bit³ of information about $m$.
- Multiplicative homomorphism is less useful than additive homomorphism, and not directly useful since the multiplication is on mapped messages $\widetilde m$, rather than on arbitrary messages.
Here exponential ElGamal encryption comes to the rescue, solving both problems, at the expense of making decryption hard. Its encryption takes plaintext $m$ in $\Bbb Z_q$, maps it to $\widetilde m=g^m$, then encrypts per straight ElGamal. The encryption formula becomes as in the question: $$\mathrm{Enc}(m,r)\gets(g^r,h^r\cdot g^m)$$ Exponential ElGamal decryption decrypts per straight ElGamal yielding $\widetilde m$, then either verifies an externally supplied guess $w$ of the plaintext by checking if it holds $g^w=\widetilde m$, or solves that discrete logarithm problem yielding $w=m$.
Exponential ElGamal encryption is additively homomorphic (for addition of plaintexts modulo $q$) by composing ciphertexts as in straight ElGamal encryption.
Note: while getting $m$ in exponential ElGamal decryption requires solving a discrete logarithm problem, that's still possible for moderately large $m$, including deterministically by using baby step/giant step, which has cost $\mathcal O(\sqrt m)$ group operations. Also, when in a subgroup of $\Bbb Z_p^*$, sizable speedups are possible because the discrete logarithm for base $2$ is easier: we use $g=2$, or modify encryption to $\mathrm{Enc}(m,r)\gets(g^r\bmod p,h^r\cdot2^m\bmod p)$ with $2$ of the same (prime) order $q$ as $g$.
¹ That was minutes after the question was posed and years before this answer.
² Sometimes the public key is given as $h=g^{-x}$, which is equivalent, or as $h=g^x$, in which case $x$ should be changed to $q-x$ or equivalently $-x$ for decryption.
³ The Legendre symbol $\bigl(\frac mp\bigr)$ can be found from the ciphertext. This issue was not highlighted in the original description: Taher ElGamal's A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms (July 1985 in IEEE Transactions on Information Theory, formerly in proceedings of Crypto 1984).
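A worked instance of the scheme the answer describes, as an added example that is not part of the original answer: it uses a constructed toy prime-order subgroup of $\Bbb Z_p^*$ (the parameters $p=1019$, $q=509$, $g=4$ are constructed, not from the answer), the answer's convention $h=g^{q-x}$, the additive homomorphism, and baby step/giant step for the final discrete logarithm.

```python
import math
import secrets

# Constructed toy parameters: P = 2*Q + 1 with Q prime; 4 = 2^2 is a
# quadratic residue mod P, so it generates the subgroup of prime order Q.
P, Q, G = 1019, 509, 4

def keygen(x=None):
    """Private key x in [0, Q); public key h = g^(q-x), the answer's convention."""
    x = secrets.randbelow(Q) if x is None else x
    return x, pow(G, Q - x, P)

def encrypt(h, m, r=None):
    """Exponential ElGamal: Enc(m; r) = (g^r, h^r * g^m) with m in Z_q."""
    r = secrets.randbelow(Q) if r is None else r
    return pow(G, r, P), (pow(h, r, P) * pow(G, m % Q, P)) % P

def decrypt_to_group(x, c):
    """Straight ElGamal step: c1^x * c2 = g^m, the plaintext as a group element."""
    return (pow(c[0], x, P) * c[1]) % P

def add_ciphertexts(c, d):
    """Component-wise product: decrypts to the sum of the plaintexts mod Q."""
    return (c[0] * d[0]) % P, (c[1] * d[1]) % P

def bsgs_log(target, bound=Q):
    """Baby-step/giant-step: m in [0, bound) with g^m = target, O(sqrt(bound))."""
    s = math.isqrt(bound) + 1
    baby, cur = {}, 1
    for j in range(s):                 # baby steps: table of g^j for j < s
        baby.setdefault(cur, j)
        cur = (cur * G) % P
    giant = pow(G, (Q - s) % Q, P)     # g^(-s), inverse via the group order Q
    cur = target
    for i in range(s):                 # giant steps: target * g^(-i*s)
        if cur in baby:
            return (i * s + baby[cur]) % Q
        cur = (cur * giant) % P
    return None                        # not a power of G in the searched range

def decrypt(x, c):
    """Exponential ElGamal decryption: straight decryption, then a discrete log."""
    return bsgs_log(decrypt_to_group(x, c))
```

The `bound` argument of `bsgs_log` lets a caller restrict the search to the plaintext range actually in use, which is what makes the $\mathcal O(\sqrt m)$ cost in the answer's note practical.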

@Fiono: depends on how much time one is willing to spend, with what hardware, on the group, and optimizations. The order of magnitude is governed by $\mathcal O(\sqrt m)$ time and RAM, thus doubling for two extra bits in $m$. With a single thread of a modern PC, definitely $m$ of >48 bits in bearable time. – fgrieu Jan 17 '20 at 18:03
Can "baby step/giant step" or "Pollard's rho" algorithms be used to solve $mG$ in a curve like 25519, for an $m$ of 32 bits? Or do you need to brute-force it? – Fiono Jan 21 '20 at 12:54
@Fiono: yes, baby step/giant step is fine and requires in the order of $2^{17}$ point additions, which is very feasible (sub-second I guess) – fgrieu Jan 21 '20 at 13:17