I'll use Taher ElGamal's A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms (July 1985 in IEEE Transactions on Information Theory, previously in the proceedings of Crypto 1984) as the reference scheme.
- Public parameters are a large prime $p$ with $p-1$ having at least one large prime factor, and a generator $\alpha$.
- Long-term (public, private) key pair for receiver Bob is $(y_B,x_B)$ with random secret $x_B$ and $y_B=\alpha^{x_B}\bmod p$.
- Message $m$ is in $[0,p)$. Sender draws random $k$, computes $K={y_B}^k\bmod p$, $c_1=\alpha^k\bmod p$, $c_2=Km\bmod p$. The ciphertext is $(c_1,c_2)$.
- Receiver Bob accepts ciphertext $(c_1,c_2)$ in $[0,p)^2$, computes $K={c_1}^{x_B}\bmod p$, and $m=K^{-1}c_2\bmod p$.
As is, the scheme is not IND-CPA secure. For a start, $m=0\iff c_2=0$, which is easily fixed by using $\Bbb Z_p^*$ as the message space; assume that.
Another issue breaking IND-CPA is that the Legendre symbol $\displaystyle\biggl(\frac m p\biggr)$ can be found from $(p,\alpha,y_B,c_1,c_2)$, leaking one bit of information about $m$.
What has been devised to fix that, and how are the modified encryption schemes named? What security property and argument do we have for these?
I'm in particular interested in variants where
1. $m$ is restricted to $\displaystyle\biggl(\frac m p\biggr)=+1$ by altering some bits of $m$ by trial and error.
2. some field of $m$ is randomized (e.g. highest-order bit set to 0, next high-order $b$ bits per-encryption randomness, where $b$ is a security parameter).
3. $m$ is a bitstring shorter than $p$ by $b$ bits; $K$ is truncated to $\tilde K$ of that size, keeping low-order bits; and $c_2=m\oplus\tilde K$ for encryption, $m=c_2\oplus\tilde K$ for decryption.
4. as 3 above with $\tilde K$ further split into $K_i\mathbin\| K_e$, $K_i$ used as key for a Carter-Wegman hash preventing decryption of falsified ciphertexts, and $K_e$ the key for XOR-encryption of a message $m$ restricted to the corresponding size.
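A worked instance of the reference scheme, of the Legendre-symbol leak described above, and of variant 1 (trial-and-error padding to a quadratic residue), added here as an example that is not part of the question. The toy parameters $p=1019$ (a safe prime) and $\alpha=2$, and the padding width $b$, are constructed for illustration.

```python
import secrets

def legendre(a, p):
    """Legendre symbol (a/p) via Euler's criterion: 1 (QR), -1 (QNR) or 0."""
    r = pow(a % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r

def is_generator(p, alpha):
    """Generator test for a safe prime p = 2q + 1: order is neither 1, 2 nor q."""
    q = (p - 1) // 2
    return 1 < alpha < p - 1 and pow(alpha, q, p) != 1

def keygen(p, alpha):
    x = secrets.randbelow(p - 2) + 1       # secret x_B in [1, p-2]
    return pow(alpha, x, p), x             # (y_B, x_B)

def encrypt(p, alpha, y, m):
    if not 1 <= m < p:                     # message space Z_p^*, m = 0 excluded
        raise ValueError("m outside Z_p^*")
    k = secrets.randbelow(p - 2) + 1       # fresh per-message k
    K = pow(y, k, p)
    return pow(alpha, k, p), (K * m) % p   # (c1, c2)

def decrypt(p, x, c):
    c1, c2 = c
    K = pow(c1, x, p)
    return (pow(K, -1, p) * c2) % p

def legendre_from_public(p, y, c):
    """(m/p) computed from (p, y_B, c1, c2) only, without x_B or k:
    (K/p) = (y_B/p)^k, and k mod 2 is exposed by (c1/p) because a
    generator alpha is a non-residue; then (m/p) = (c2/p) * (K/p)."""
    c1, c2 = c
    k_parity = 0 if legendre(c1, p) == 1 else 1
    return legendre(c2, p) * legendre(y, p) ** k_parity

def encode_qr(p, m, b):
    """Variant 1: append b trial bits to m until the padded value is a
    quadratic residue, so every encrypted plaintext has (m/p) = +1 and
    the bit recovered by legendre_from_public carries no information."""
    for t in range(1 << b):
        m2 = (m << b) | t
        if m2 < p and legendre(m2, p) == 1:
            return m2
    raise ValueError("no residue found; increase b")

def decode_qr(m2, b):
    return m2 >> b                         # drop the trial bits
```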