Cryptography Stack Exchange
Cryptography Stack Exchange

Questions tagged [elgamal-encryption]

ElGamal is a public key encryption scheme with security based on the discrete logarithm problem.

ElGamal is a public key encryption scheme. Its security relies the hardness of a problem (called decisional Diffie-Hellman) that is related to the discrete logarithm problem.

The encryption scheme is notable for being randomized (allowing CPA-security) and multiplicatively homomorphic.

354 questions
7
votes
2 answers

How is a re-encryption done with elGamal?

For example, the "Mental poker" protocol asks for Bob to encrypt each card with his key, shuffle them, and then pass them to Alice. Alice then encrypts each card with HER key, shuffles them, and then hands them back. Bob removes his original key…
Rich
  • 71
  • 2
3
votes
3 answers

How does an oblivious test of plaintext equality work?

Assume an ElGamal Cryptosystem. Assume a set of three players, $P_1$, $P_2$ and $P_3$. The private key $x$ is shared among the players. The player $P_1$ has a piece of the private key $x_1$, $P_2$ has the piece $x_2$ and $P_3$ has $x_3$. Assume the…
Bernardo Pacheco
  • 131
  • 4
3
votes
1 answer

How do I encrypt a long message using ElGamal encryption correctly?

According to ElGamal encryption, in order to encrypt a message I need to generate a shared secret s and after that I am to calculate c1 and c2 that are the final encrypted data. But what if my message is much longer than the bitness of the…
Fomalhaut
  • 131
  • 3
3
votes
0 answers

How to know if an ElGamal ciphertext is well-formed?

Is there a way to prove/verify that an exponential ElGamal ciphertext of a message representative $\widetilde{m}=mG$ is well-formed, meaning that $r_1 = r_2$ in: $$C = (R, S) = (r_1G, \widetilde m + r_2Y)$$ with $Y = xG$.
Fiono
  • 567
  • 2
  • 12
3
votes
1 answer

ElGamal ciphertext lenght

I'm studying for an exam and answering practice questions and I would love clarification on something. Apologies if it seems really simple. My lecture notes indicate that for ElGamal: the ciphertext is twice the length of the plaintext. Here is…
user58341
3
votes
2 answers

Can I use modulo $n^2$ arithmetic where $n=p \cdot q$ for ElGamal encryption?

In the paper which I was reading, the authors were using ElGamal encryption with modulo $p$, where $p$ was a prime. Do the commitment properties still hold if we use modulo $n^2$ where $n=p \cdot q$ and $p$ and $q$ are large primes? I was asking…
sankarshan damle
  • 51
  • 5
3
votes
1 answer

ElGamal - What if the Decisional Diffie-Hellmann problem could be solved?

I have read that if the DDH problem could be efficiently solved, the IND-CPA would not hold for ElGamal. I don't see why it makes ElGamal less secure if you have $g^a$, $g^b$ and $g^c$
Netik
  • 31
  • 1
3
votes
1 answer

How to use ElGamal to encrypt zero?

ElGamal encryption algorithm is as follows: To encrypt a value $m$, it chooses a random value $r$, and calculates $c_1=g^r$ $mod$ $q$ $c_2=m*h^r$ $mod$ $q$ where $g$ is the group generator, $x$ is the private key and $h=g^x$ is the public key. But…
Jan Leo
  • 915
  • 6
  • 13
2
votes
1 answer

Decrypting a ciphertext in ElGamal's cryptosystem

I am a student in computer science currently working on a problem set in cryptography (practical problem but stuck on the math part). Basically, suppose we receive a message that has been encrypted using ElGamal's crypto system and our goal is to…
seboll13
  • 21
  • 2
2
votes
0 answers

El-Gamal like encryption, how can i guess the key?

There is $p$ (large prime number), $g$ (generator of $p$), and $x_a$, $x_b$, $r$ (which are between $1$ and $p-1$). I know $g^{x_a}$, $g^{x_b}$, $g^r$, $g^{x_a\cdot x_b\cdot r} \bmod p$. How can I get $g^{x_a\cdot r}$?
Bomin Kim
  • 21
  • 1
2
votes
1 answer

Why $\alpha$ in ElGamal cryptosystem has to be a primitive root?

When choosing the public key for ElGamal, $\alpha$ must be chosen as a primitive mod p. What if $\alpha$ is not a primitive root ? How will it influence the encryption and decryption ?
Gan Sama
  • 49
  • 3
2
votes
0 answers

elgamal based decryption mixnet

Can anybody help me to understand elgamal based decryption mixnet? Pure elgamal can be used in mixnet (re-encryption mixnet) and its very easy, and I have implemented decryption mixnet using RSA also. See for example,…
Nazmul
  • 153
  • 1
  • 9
2
votes
2 answers

Information leak in ElGamal encryption with message in base group

Assume a finite commutative base group $\mathbb B$, some $g$ in $\mathbb B$, and $\mathbb{G} = \langle g\rangle$ the subgroup that $g$ generates, with choice of $\mathbb B$ and $g$ such that ElGamal encryption would be secure for a random message in…
fgrieu
  • 140,762
  • 12
  • 307
  • 587
2
votes
1 answer

Proof that in El Gamal DDH implies CPA

I am refering to the theorem: If the Discrete Diffie-Hellman problem is hard (i.e. if the DDH assumption holds), El Gamal is IND-CPA secure." which is stated here along with the proof. So we have adversary A that has a non-negligible advantage…
Antonis Paragas
  • 165
  • 1
  • 6
2
votes
1 answer

Which values are used for an elgamal cryptosystem public key?

I know that – within the elgamal cryptosystem – the values of $a$ and $b$ are public. But which values are used to create public keys?
K.S.Sri Krithika
  • 39
  • 2
1
2 3 4