Security and Applications of ElGamals Encryption Algorithm

1st Author

Melissa Helgeson

3rd Author

1st author's affiliation

1st line of address
2nd line of address
Telephone number, incl. country code

University of Minnesota, Morris

600 E. 4th St.
Morris, MN 56267
001 (507) 581-3327

3rd author's affiliation

1st line of address
2nd line of address
Telephone number, incl. country code

1st author's email address

helge117@morris.umn.edu

3rd E-mail

ABSTRACT

2.1. Symmetric Encryption

We introduce some basic ideas in cryptography in order to explain

ElGamals public key encryption scheme. Upon examining its
mathematical basis, the Diffie-Hellman problem, we note security
problems which occur if a generator for ElGamals encryption
algorithm is chosen poorly along with ways to avoid this issue.
Then we describe current research into applications of ElGamals
encryption including recipient anonymity and confidence voting.

In symmetric encryption, the key is shared between the two

individuals who wish to communicate. It can be used to encrypt
and decrypt their messages. A very simple example of this would
be a random reordering of the alphabet. Then A would become
whichever letter is first in the new order, B the second random
letter, and so forth. While this encryption is not very secure, it
does demonstrate a common problem with symmetric
encryptions: communicating the key (in this case the reordering of
the alphabet which was used). Any two people who wish to
communicate secretly must agree on the key beforehand and
communicate it to each other. Transmitting the key electronically
as a plaintext is insecure, but because encryption is often used for
computerized messages, such as personal information and
passwords, it would be very impractical to demand every pair of
individuals and/or organizations to meet face to face in order to
decide on a key whenever they wish to communicate secretly.

1. INTRODUCTION
In 1985, Taher ElGamal wrote an article in IEEE Transactions on
Information Theory outlining a new asymmetric encryption
scheme he had devised. The mathematical basis of his encryption
lies within a problem presented for encryption purposes by
Whitfield Diffie and Martin Hellman in 1976 [1].
In order to determine the security of ElGamals encryption, we
explain the terminology used to describe encryption, the
encryptions basis in the Diffie-Hellman problem, and explain the
steps of the algorithm. We notice that the element called the
generator must be chosen to satisfy certain properties, rather than
chosen completely at random, but a generator which satisfies
these properties is often difficult and time consuming. By
examining the properties of good generators in greater detail it is
possible to find an efficiently computed version of ElGamals
encryption which is secure against a wider range of attacks.
ElGamals encryption is a key element in Pretty Good Privacy
(PGP) and its open source versions. PGP is popular bundled
encryption software which is used to encrypt numerous types of
Internet traffic. However, we have chosen to examine some more
recent research into the uses of ElGamals encryption: anonymous
recipients and online voting.

2. MESSAGE ENCRYPTION SCHEMES

ElGamals encryption is used to encrypt, or obscure, the contents
of a message so that it cannot be read by an unintended recipient.
The algorithm is also able to decrypt the message, or make it
readable again. The original, unencrypted message is readable to
anyone who happens to intercept the message, so it is called the
plaintext. The result of encrypting the plaintext is called a cipher
text. In order for an algorithm to be useful, it must be able to hide
a plaintext from everyone except the intended recipient. The
security of the algorithm refers to how difficult it would be for an
unintended recipient to read plaintexts encrypted by the algorithm.
All schemes rely on a secret piece of information called a key.
But there are two fundamentally different types of encryption
schemes which convert plaintext to cipher text called symmetric
and asymmetric encryption schemes.

2.2. Asymmetric Encryption

Asymmetric encryption is one way to address the problem of
exchanging keys. An asymmetric encryption scheme has two
corresponding keys, one private and the other public. The two
keys work as a pair so that cipher text encrypted with a public key
can only be decrypted with the corresponding private key.
Therefore, the public key can be made visible to everyone and
used to encrypt messages for the owner of the corresponding
private key. In this way, multiple people can send messages to a
person using the same public key, eliminating the need for
multiple keys per person. Upon receiving a message, the owner of
the public key can use their private key to decode the message.
Because so much information about the encryption is public, the
private key must have an integral part in hiding the message from
a third party. If the message is wholly or partially recoverable
without the use of the private key, then the encryption has failed.
Also, the private key itself must be extremely difficult to
extrapolate if the message is to remain hidden from a third party.
In order to give this level of complexity, asymmetric encryption
tends to be longer, in both time to encrypt and space needed to
store the message, than symmetric encryptions. Because of this
drawback, asymmetric encryption is often used to allow two
people to decide on a shared key which is then used for their
further communications using symmetric encryption [3].

3. ELGAMALS ENCRYPTION
ElGamals encryption is an asymmetric encryption with private
key  and public key (, , ). In the public key,  is a prime to
use as the message space and modulus in our calculations;  is a
high order (generator) element for 
 as described in Section 4.1;
and  utilizes the Diffie-Hellman problem to incorporate and hide

the recipients private key by  = 

(  ). Section 3.4
discusses how these numbers are chosen in greater detail, but for
the purposes of this paper we will assume the plaintext has
already been transformed into an integer through some method
which has been agreed upon by the sender and recipient.
To understand how the algorithm works and its weaknesses we
must examine the mathematics behind it. ElGamals encryption is
based on the discrete logarithm and Diffie-Hellman problems.
Then we will determine how to encrypt plaintexts, decrypt cipher
texts, and generate public and private key pairs.

3.1. Mathematical Foundations

In order to convert the plaintext to cipher text, encryption
algorithms use a trapdoor function with the key acting as the
trapdoor. A trapdoor function is a function which is not only
computationally easy and fast in encrypting and decrypting
messages with the key, but also difficult and prohibitively slow to
compute without the key. In the case of ElGamals encryption, we
rely on the complexity of the Diffie-Hellman problem [3].
The Diffie-Hellman problem is a variation on the discrete
logarithm problem which has been widely studied in mathematics.
A well-studied problem is important because it gives us greater
confidence in the difficulty of solving it. Mathematicians have
been unable to find a reasonably fast general solution for the
discrete logarithm problem, but if they ever do, ElGamals
encryption would be broken.

3.1.1 Modular Arithmetic

ElGamals encryption uses finite fields to create cipher texts. A
finite field is a limited set of elements with properties similar to
those found with addition and multiplication of integers [3].
Because  is prime, it is possible to construct a field  which
includes every integer from 0 to  1. We can also form the
multiplicative portion of the field, 
 by excluding 0, because
division by zero is undefined. This is proven in [2].
Definition 1. The order of a field is the number of elements in the
field. It is denoted as a subscript of the field:  [2].
In order to avoid numbers which are outside this range  , and
similarly 
 , uses modular arithmetic to implement its
operations. Modular arithmetic is written as    . It reduces
any non-negative  to its remainder when divided by . For
example: 10   5 = 0 and 28   5 = 3. For negative values
of , the remainder must be subtracted from  in order to be
converted to its positive inverse. For example: 9   5 =
4   5 = 1.

Definition 2. The multiplicative order of an element  is the

number of different elements which can be obtained by raising 
to all possible powers   . It is denoted: ().
Definition 3. A multiplicative generator of 
 is an element 

such
that
()
=


1.


In order to use the field, ElGamals encryption requires that a

random element of high order  for  is chosen. Often this is
accomplished through the use of a multiplicative generator.
Then raising  to each power between 1 and  1 will give every
element of  once. For example, in  : 2 = 2, 2 = 4, 2! = 3,
and 2" = 1, so 2 is a generator in  . Because the generators
order determines what portion of the elements will be used to

encrypt the message, a poorly chosen generator can also lead to

security problems [3].
To better understand this let us look at the order of 4 in  , as
shown in Table 1. Table 1 begins with  = 1 and repeats
after  = 5, so (4) = 5. Because of these repetitions, the
multiplicative order of  is exactly the number of elements in the
field which are being used to encrypt the plaintext. This means
using  = 4 in  would give only 5 possible values of  =

(  11) regardless of what you choose for .


4
  11

10

Table 1. A table showing that (4) = 5 in  .

3.1.2 The Discrete Logarithm Problem

The discrete logarithm problem is a study of the difficulty of
computing exponents in finite fields. In other words, computing 
for 
=  (  ) such that ,  # . Also,  is chosen from
the integers    1 or $% . This is done to avoid a choice
of % =  (  ) which will result in  = 1 for any  [2].
Because of the use of modular arithmetic, it is more difficult to
compute  than it would be in the real number system. In the real
numbers, it would be simple to use the log function to get an
approximation for . However, working in  we need to find an
exact integer solution. At this time there is no fast way of
computing  for large  . If  is small, the answer can be found
relatively quickly by trying all possibilities. No efficient algorithm
to compute  exists, and even methods such as Pollard's Kangaroo
method [4], do not increase the efficiency greatly for large .

3.1.3 The Diffie-Hellman Problem

The Diffie-Hellman problem proposes the problem of computing
, & # $% given 
' , 
, and ' in  is just as difficult as the
discrete logarithm problem. This involves two variables , &
instead of just , but the problem is otherwise the same.
After looking at ElGamals encryption, it may seem obvious that
if the Diffie-Hellman problem is secure then our encryption
algorithm is also secure. However, it is actually difficult to prove
that the security of the Diffie-Hellman problem directly implies
the security of ElGamals encryption. Such a proof was completed
relatively recently by Tsiounis and Yung in 1998 [5].

3.2. Encrypting Plaintext

First, the message sender needs to obtain the public key of the
intended recipient: (, , ). Then the sender must verify that the
integer message, let us call it , is less than . If  > , when we
apply the modulus function to the message it will not be
represented uniquely and the resulting decryption will not be
readable. In this case,  should be broken into a series of partial
messages and encrypted individually. Both the sender and
recipient must agree on how a message should be broken up.
The cipher text is represented as a pair (, )). In order to calculate
this pair, the sender must choose an integer & from $% using a
uniformly random method. This means that the possibility of
randomly choosing any number should be 1/( 2).
After choosing &, the sender calculates  = ' (  ) and ) =
 '  (  ). If  = 1, it is necessary to choose a different & and

recalculate  and ). A choice of  = 1 results in a visible plaintext

as described in Theorem 1.
Theorem 1. The contents of the message can be derived from
only the cipher text pair (, )) if  or  is 1.
Proof. Let (, )) represent a cipher text pair encrypting
message .
Case 1: Let  = 1. Then:

) =  '  (  )

= 1'  (  )

Case 2: Let  = 1. Recall that  = 

(  ) and  =
' (  ). Then:
) = (
)'  (  )
= (' )
 (  )

= 
 (  )
= 1
 (  )
=

Therefore, allowing  or  to be 1 allows the plaintext to be

revealed using only the given cipher text.
We can compute an example of an encryption using a small
prime. Let the recipients public key be (, , ) = (31, 3, 4) and
the senders message be  = 19. The sender must randomly
choose an element & $!, , for example & = 12. Then they
calculate the cipher text as (3 (  31), 19(4) (  31))
or (8, 25).

3.3. Decrypting Cipher Text

The recipient may retrieve the message by calculating  =

)/
(  ) where  is the recipients private key. Note that
the complexity of division and negative exponents can be avoided
by moving 
into the numerator and replacing  with  1
. This is because . , = 1 = . % (  ) for all .#
.
ElGamals encryption returns the original plaintext message from
any cipher text which was correctly calculated using the receivers
public key. This is proven in Theorem 2.
Theorem 2. ElGamals encryption returns the original plaintext
message when given a cipher text which was correctly calculated
using the receivers public key.
Proof. Let there be some cipher text (, )) which was properly
computed with the public key (, , ). Then  = ' (  )
and ) =  ' (  ) for some & # $/%0 and  < . Also  =

for some  # $/%0 . Note that  is known to the message
receiver, but & is not. We have:
2

(  ) =
=
=

56 7
(87 )4

(  )

5(84 )7
(84 )7
59
9

Using this formula and the private key , we can decrypt our
example cipher text (, )) = (8, 25). Because the recipient is the
owner of the public and private key pair, the value of  for  =

(  ) is known to them. In the case of public
key (31, 3, 4),  was calculated by 4 = 3: (  31), so  = 18.
Then we can decrypt the message by  = ) %%
(  ) =
25(8)!%%: . This reduces to the original message of 19.

3.4. Generating a Key

34

This is equal to  because  < . Therefore we are

guaranteed to get the original plaintext message from a correctly
calculated cipher text when using ElGamals encryption.

(  )

(  )

=  (  )

To generate the public key (, , ), we first need to create a finite
field of order . We do this by choosing a large (approximately
1024-bit) prime  at random [3]. Because  sets up the message
space 
 , it must be large enough to hide the message, so our
example of  = 31 would be a very bad choice in practice. We
also choose a random element of 
 , to be our generator .
Verifying whether  is a generator for a large 
 is difficult as it
requires that we check the condition  times. We will look at
solutions and approximations for this problem in Section 4.
The private key  must be chosen in a uniformly random method
from $% , similar to the choice of & for encryption. Then the
final piece of the public key utilizes the discrete logarithm
problem to incorporate and hide the recipients private key . It
is  = 
(  ). If  = 1, it is necessary to choose a
different , refer to Theorem 1. The Diffie-Hellman problem is
also used to hide  because all message senders
compute ' (  ) and  ' = 
' (  ).

4. CHOOSING A GENERATOR ELEMENT

First we need to understand that the difficulty of breaking
ElGamals encryption depends only indirectly on , but directly
corresponds to the multiplicative order of the chosen generator.
In order to demonstrate this concept, let us look at  = 19 and
choose  = 7. By taking 7
(  11) for 1  <  the
following values are found:
{7, 11,1,7,11,1,7,11,1,7,11,1,7,11,1,7,11, 1}

(1)

so (7) = 3. This means every message can only be encoded to

one of three different cipher texts. Recall, also, that 1 cannot be
used as the third portion of the public key because it will encrypt
so that the cipher text is the same as the plaintext. Because 1 is
always obtained by raising any element of the group to  1,
there is one less option for a valid encryption of any message.
This means in order to decode the message, an attacker only needs
try (), in this case 2, good guesses for the recipients
private key to reveal all possible plaintexts. Furthermore, it is not
difficult to find good guesses. This is because the different keys
cycle in a predictable order. Recall that the third portion of the
public key is 
(  ) which gives (1). It is easy to see the
pattern, which in fact holds true for all 
 [2].
Note that changing  will only change which three cipher texts
are used, not increase the number of them. Also, because

(  ) is part of the public key, the use of different  in no
way hides which three cipher texts can be used (anyone can
encrypt messages with the public key to get cipher texts).

4.1. Verifying an Element Has High Order

Because of the algorithms reliance on the multiplicative order
of , we must be reasonably sure we have chosen  with high
order. A high order elements order must contain at least one large
prime factor. We will call high order elements quasi-generators.
The best choices for , in terms of having a large collection of
cipher texts, are full generators. However, verifying that a
random  is a generator of  1 elements relies on a complete
check of each power between 1 and  1 to determine the
multiplicative order is in fact . We can shortcut this process if we
know the prime factorization of  1 as described in Theorem 3.
Theorem 3. Given the prime factorization of  1 for some
prime , we can determine whether a given  is a multiplicative
generator of  .

Proof. For some prime , let  1 have ? different prime

factors, @ @B . Let  ,  , , B correspond to the repetitions of
each factor.
In order to determine if some element  of  is a generator
for the entire group, we must prove that  is not a generator for
any smaller subgroup. Because of Lemma 1, we may do this by
checking (%)/CD 1 (  ) for all @F . Note that if this
equation does equal 1 for any @F , then the order of  is a divisor
of ( 1)/@F and therefore not a full generator.
Lemma 1. For all elements  of  , () divides  1.
This is derived from Lagranges Theorem [2].

But for large  1, it is often difficult to compute the prime

factorization, particularly for numbers which have two or more
large primes, as is often the case with large  1. We can,
however, compute a partial factorization of  1 and use it to
determine if the chosen  is a quasi-generator.

To determine whether a given  is a quasi-generator, we begin by

computing a partial factorization of  1. This can be done in a
reasonable amount of time by first identifying all small prime
factors of  1 and their powers. Because only very large primes
are difficult to identify, we will be able to accomplish this in a
reasonable amount of time by choosing to stop the search for
additional prime factors when the time it takes to find a new
factor becomes too long. This time may be defined by the user to
work with their application of the algorithm.

Because we have identified all powers of @F ,  and  are

relatively prime. Therefore if KH 1 (  ) then it follows
from Lemma 1 that some prime factor of  must divide ().
This means that () is at least as large as one of the prime
factors we were unable to find in a reasonable amount of time and
can be called a quasi-generator.

4.2. Frequencies of High Order Generators

Note that every generator is also a quasi-generator because full
generators will not be eliminated by our process. Therefore, we
cans use Eulers Phi function to explain the scarcity of bad
choices for generators. This gives us confidence that there are a
sufficiently large number of quasi-generators and we will be able
to randomly choose and verify one in a reasonable amount of
time.
Definition 4. The Euler Phi function, denoted L(), calculates
the number of elements  with 1  <  such that greatest
common divisor of  and  is 1 [2].

In order to best understand how L() can help determine the

availability of a safe generator, let us look at an example of
 = 19 and all of its possible generators graphed out on a circle,
as shown in Figure 1. We can create such circles for any  if we
can identify a generator for the entire field.
To begin we create a circle with  1 = 18 slices to represent
each possible multiplicative generator of  . Note that it is
unnecessary to create  = 19 slices because we know 0 6 =
0 (  ) for all  and therefore 0 is never a generator for the
field.
Then, the numbers 1 to 18 are placed in the slices, each number
will be called the M-value for its slice. We can find the possible
multiplicative orders and how often each order occurs by a series
of simple calculations.
For each slice we reduce the fraction: M/( 1) into lowest
terms; the new denominator is the multiplicative order for that
value of M and is placed along the inside of the circle, as shown in
Figure 1. For example, in slice 10, the multiplicative order is
computed by: 10/18 = 5/9 to get a multiplicative order of 9.

After searching for factors in this manner the remainder of  1

is unlikely to be a prime. However, because it is only difficult to
factor large primes, the remaining prime factors of  1 will not
be small primes. By identifying and eliminating all small factors,
we can prove that an element is a generator for a larger portion of
the group. Theorem 4 outlines the process for determining if an
element is a quasi-generator.
Theorem 4. Given a partial prime factorization of  1 for
some prime , we can determine whether a given  is a quasigenerator.
Proof. We begin by identifying all small prime factors
of  1 and their powers. We continue looking for small factors
until it becomes difficult or  1 has factored completely. Let the
6 6
6
factors we are able to identify be:  = @ H @ I @BJ where @F
refers to each factor and F is its power. Also let  =
( 1)/ .

Figure 1. A table of multiplicative orders for  = 19 with  = 2

used to fill-in the corresponding g-values.

We now only need to identify a full generator  , and place it

along the outside of the circle in slice 1. In the case of  = 19, we
find 2 is a full generator. Then we can fill in the rest of the outside
circle by taking N (  ). To use slice 10 as an example
again: 2,   18 = 17.

 1 = @F D , where @F D are the prime power factors of p-1.

Then we begin with the probability of choosing a generator at
random and rewrite the formula.
(P%)
%

Because  is a generator of the entire field, each number from 1

to p-1 is placed around the outside of the circle exactly once when
we are finished. Therefore, by taking the values on the outside of
the circle as  and those on the inside as (), we can easily
choose a  with high order to use.

(CD D )

R
CD D
R

R SH

CD D % CD D
R
CD D

= C|% (1 )

(2)

Let us refer back to our example of  = 19 to convince ourselves

of the truth of this formula. Then  1 = 18 = 2 3 and @ =
2, 3. Therefore:

In order to find an initial value to use as a full generator, we may

use the high frequency of small primes being generators and a
relatively short trial and error session. Although  is a part of the
public key, simply choosing one of these common generators as 
would eliminate the randomness of this choice. This randomness
is important because the reuse of the one value of  by everyone
who uses the algorithm will create a large pool of information for
an attacker to utilize. This increases the chances that attackers will
see a repeated cipher text when looking at messages from
numerous different senders and recipients who utilize some 
with a common . In this case, the attacker may have already
extrapolated the contents of the message from the actions of the
person who received it the first time [3]. For example, if two
people are deciding where to meet for an appointment they will
later meet at the chosen place. Then the next time the two people
choose a meeting place the attacker can intercept their message
and replace it with the old cipher text to send one person to the
wrong place. This would prevent or delay the meeting.

V(%)
%

= W1 X W1 X = W X W X =
!


!

is a
by (2). This means that one out of every three elements in Y
generator. This is equivalent to the result of 6/18 = 1/3 we count
in either Figure 1 or Table 2.

This example and (2) in general show that larger prime factors
will have less impact on the resulting probability than small ones.
This can be seen more clearly by using the formula to find the
probability for  = 149. Then  1 = 148 = 2 37, and W1

:

X W1 !ZX = !Z. Figure 2 illustrates the lessening impact of

larger factors on the frequency of quasi-generators. Note that the
dots form almost solid lines near fractions with fairly small
denominators such as: 1/2, 2/5, 1/3, and 2/7. This is because of the
large impact of small divisors such as 2, 3, 5, and 7.

From Figure 1 we can see that for each divisor  of  1, there

are L() elements of multiplicative order . This actually holds
true for the multiplicative order of any element (see Table 2 for
more examples). Therefore there are L( 1) generators for each
field generated by a prime, or there is a L( 1)/( 1)
probability of choosing a generator when choosing at random.
Multiplicative O rde r for Ele me nt

p
2

3 4

4 2

8 9 10 11 12 13 14 15 16 17 18

6 3

11 10

5 5

5 10 10 10 5

13 12

3 6

4 12 12

6 12

17

8 16 4 16 16 16

19 18 18 9

4 3

8 8 16 16 16
6 9 18

6 18 18 18

4 16

Table 2. A table of multiplicative orders for the elements of prime

order fields (p 19). Note: the element 1 is excluded as its order
is always 1.

Figure 2. A plot showing the chance that a random element of 


is a generator. Computed using (2) for 10 000 primes beginning
with 104 729.

Also note that a substantial number of the remaining elements are

of high order. Recall L() is the number of elements with order
exactly . Because of this we can set a limit on the results of L()
for any value of  which divides  1 as L() . This
indicates that there should be a significant amount of high order
elements regardless of . Furthermore, it suggests there is an
inverse relationship between the number of factors of  1 and
the number of generators of  . It is possible to determine the
impact of a given factor on the probability of a generator. To do
this we use the general formula for the factorization of  1:

5. APPLICATIONS
The most common application of ElGamals encryption is PGP. It
is used to help users exchange keys so they can use symmetric
encryption. We will focus on lesser known applications.
ElGamals encryption is often used for research because it can be
modified to fit in a special class called semantically secure
algorithms. This means it will hide the message so well that even
if an attackers specifically prepare two messages to encrypt, they

will not be able to do better than flipping a fair coin to determine

which one is actually encrypted if they see one of the cipher texts.
ElGamals encryption has been used to create implementations of
numerous ideas which are being researched. Among these are
anonymous public key encryption, which hides the identity of the
recipient of the message, and internet voting protocols. We will
look at one example of an anonymous public key system as well
as a confidence/non-confidence voting protocol.

5.1. Anonymous Public Key Encryption

One recent area of research is in the ability to keep the identity of
the cipher texts recipient hidden. Being able to hide the
recipients identity would be extremely useful when there is
concern about the sender knowing the recipients identity or if the
recipient has security concerns about communicating with a
device which may have (now or later) security flaws. Waters,
Felten, and Sahai propose a number of conditions which must be
met for an anonymous public key encryption to be secure as well
as an implementation of such a system using ElGamals
encryption. [7]

5.1.1 Conditions for Good Anonymous Public Keys

In order to create a feasible system of anonymous public keys, the
authors outline a number of conditions to satisfy. First, the
messages must be sent to a group of addresses to maintain
anonymity on hardware level. This means that numerous peoples
messages will be sent to the same place. In order for this to be
feasible, we must have one of two properties. It needs to be either
easy for a recipient to determine if the message belongs to them
before decrypting or fast to decrypt all of the messages in order to
determine which ones belong to them. If the recipients are wasting
a great deal of time decrypting and attempting to read messages
which do not belong to them, it becomes increasingly likely for
them to miss one or more.
Some suggest marking the messages so the recipients only decrypt
the messages which are intended for them. However this may give
the senders information about which messages are going to the
same person. When senders to the same recipient can identify
each other, it is possible for them to work together to determine
the recipients identity. An anonymous public key encryption
should hide the recipients identity as well as possible regardless
of whether the senders are correlating their data with each other.
The general principles for a good encryption must also be upheld.
The encryption must be difficult to decrypt without the key as
well as fast to encrypt and decrypt with the key. In the case of
anonymous recipients, it is often difficult to maintain the security
of the encryption without creating a complicated decryption
process. Waters, Felten, and Sahai suggest the use of various
generators with a semantically secure version of ElGamals
encryption so that decryption can be done normally.

5.1.2 Semantically Secure ElGamal Implementation

In ElGamals encryption, the recipients private key is given to
senders as a power of the generator. Because the recipients
private key is obscured by the generator, it is possible for the
recipient to use the same key with multiple different generators
without giving away the private key. Then a group of people can
conceal their identities by having all their messages sent to the
same address by using multiple public keys. These keys will be
disposable, so that no information can be gained by their reuse.

To conceal their identities, a group of recipients must all agree on

one value of . Then each person chooses various  and then
calculates the values of  which correspond to their private key.
So the public keys (23, 6, 7) and (23, 2, 8) would both belong to
the person with private key  = 3.
There is still one problem; as we have described ElGamals
encryption, some patterns can be seen across multiple generators
with the same key. For example, a private key of ( 1)/2 will
always give  =  1 for a full generator. This can be proven
using Fermats Theorem [2]. The authors utilize a semantically
secure version of the algorithm to resolve this problem. This
algorithm differs from the original encryption in how  and  are
chosen and how the message space is described.
First,  must be chosen so that ( 1)/2 is also a prime. To
%
!%
demonstrate this we will use  = 23. This means
=
=
11 is prime. Because the prime factorization of  1 contains
only one large factor, ( 1)/2, we can calculate all the full
generators . We will actually use =  (  ), which are
quasi-generators because they have order ( 1)/2, the largest
possible factor of  1. The message space is described as the
set of integers which are generated by . Note that this means
some messages  which would be within  are not in the new
message space. However it can be proven that if  is not in the
message space then   will be [3]. Furthermore, a simple
calculation (%)/ (  ) will tell us whether to use 
or   because the equation equals 1 only when  is in the
message space [3].
Each individual then chooses a private key and publishes multiple
public keys using it. Table 3 gives an example of the public
keys (23, , ) for three people with private keys 6, 9, and 16.
Note that some spaces were left blank deliberately to show that it
is not necessary that every person use every generator, or even the
same number of generators. Because has high order, it is
extremely unlikely that two private keys which give the
same -values will be chosen in larger  , so using the same
does not cause any problem with the users reading others
messages. In fact, reuse of various is necessary so that the
recipient cannot be identified based on that value.
h = g2 (mod 23)
a
6

18

16

12

13

13

16

9
16

13

Table 3. Some public keys in 

8
!

12

13

16

18

18
8

for three private keys.

Because the messages are encrypted using the same private key
for each user, regardless of , decryption is a simple process.
When a cipher text is sent to the group, each person tries to
decrypt it using their key. Note that nothing has changed within
the algorithm itself, therefore the message decrypts just as quickly
as any other message encrypted with ElGamals encryption.
In Table 4, we encrypt  = 19 with three different public keys
belonging to two different people. To show they are
indistinguishable, we use the same random number & to encode all
of them. Note that it is unclear from the cipher text which

message belongs to which person, but upon decryption, the person

with private key 6 will get the original plaintext only for messages
encrypted with one of their public keys. The cipher texts can be
marked with the public key used to send them to help the
recipients determine if they have decoded a correct plaintext.
Public Key

(31, 3, 16)

(31, 12, 9)

(31, 16, 8)

Encryption (b = 4)

(12, 10)

(13, 22)

(9, 15)

Decryption (a = 6)

19

19

Table 4. A table of  = 19 encoded using two of the public keys

for  = 6 and one for  = 9.
5.1.3 Real World Application
Anonymous public keys can be added to PGP software with only
a few modifications. The software contains a semantically secure
version of ElGamal already, so the authors were able to copy this
code and make a few modifications of the procedure for exporting
a public key and choosing a prime in order to fully implement
anonymous public keys. First, PGP does not necessarily use the
same prime to encrypt all of the messages. This was changed so
that a reasonably large prime was used for all the messages.
Second, software originally stored one public key and sent it
whenever a request was made, but in this case the software must
keep track of which generators it has used and create a new public
key with an unused one and the original private key. Finally, PGP
sends out some identifying user data with the public key by
default. Allowing this data to be sent would defeat the purpose of
anonymous keys, but the system required it. Therefore that data is
not removed, but instead modified so that it is not user specific.

5.2. Internet Voting

There has also been a great deal of interest in the use of
encryption schemes to create a secure method for submitting
online votes. Wang and Leung propose to use ElGamals
encryption scheme to implement elections by confidence voting.
In order to do this, they establish criteria for assuring the privacy
of the voters, security of the votes, and safety of the voting
system. First, there should be no method by which people can
determine whom anyone did or did not vote for. Also, eligible
voters should be able to vote exactly once and non-eligible voters
to not be able to sneak in a vote. Individuals should not be able to
crash the voting system and cause the election to restart. Finally
the results should be verifiable. The authors utilize ElGamals
encryption to collect and tally the votes in a manner consistent
with these criteria. [6]

encrypting  = 2 or no by encrypting  = 2, with the public

key: (, , ]). It is unlikely that two votes will look the same
because of the random exponent &. They repeat the encryption for
each candidate and publish the results in order. The order that
they are placed in is important so that their vote is not counted for
the wrong candidate. Again, we need to perform a check. This
time we need to make sure that no one is trying to cheat by voting
with extra confidence. For example, 2 would be counted as
two votes when they are totaled. The way to check for this is
described in [6]. A person voting all no will be able to
essentially not vote without others knowing because their ballot
will not affect the tally.
To get the results, we must explore one more mathematical aspect
of the encryption: homomorphism. Homomorphism refers to an
encryptions ability to combine the cipher texts so that they will
decrypt as if we had added the plaintexts. Because ElGamals
encryption is homomorphic, we can tally the election results this
way. First we multiply all the votes for one candidate together.
Because they votes were constructed as2, and2 , the exponents
will be added together so that the resulting exponent is the number
of people who voted yes.
The totals can be decrypted and compared as plaintext at this
point. Recall that an encrypted total is a combination of cipher
texts (, )), for all candidates. To decrypt them, every person must
publish a decryption key for every candidates total, the results
of 
(  ) for each voter and candidate. Just like when the 
were chosen, we can check the validity of these values. Anyone
refusing to publish these values will cause the others to have to
recalculate this number after that persons vote has been omitted.
Then, because ] is a combination of , we need to multiply each
persons 
(  ) to incorporate all the private keys in our
decryption. We will call that result ^. To decrypt we take )/^
or ^ % ). By comparing the values we can determine who won.
Table 5 contains the general formulas for these calculations.
Private Keys
Public Key

random _ $%
(, , ] =

a
B_b
_ )

for all 1 ` ?_
_ = 
a

_c {2, , 2 }

for all 1 ) ?2

Votes

d_c = e'ac , ]'ac _ f

for random
&_c $%

Ballots

{d_H , d_I , , d_Jc }

for all `

Messages

a
B_b
d_c
'ac

g2 =
( 'ac , ]

=
_c )

for all )

5.2.1 Implementation Using ElGamals Encryption

ElGamals encryption can be used to meet all of these criteria.
The first step in confidence voting with ElGamals encryption is
to create and distribute the public and private keys. This is similar
to the step of distributing ballots and verifying voter identity. To
do this, the group responsible for the election will choose  and 
for the public key. Then they will ask each individual to
calculate  = 
to create their private keys. Anyone can verify
that these were computed correctly by asking for a zeroknowledge proof. See [3] for details. When all the  have been
published and verified, they are multiplied together to form the
last portion of the public key. Let us call this value ].

Table 5. This table shows the general formulas for encrypting

votes and decrypting totaled results for ?_ voters and ?2
candidates.

Next, the individuals need to encrypt their actual votes or fill out
their ballot. To do this, each person votes yes by

Because all the encrypted totals as well as the decryption keys are
all public, the results may be verified by any of the participants.

Totals
Set-up

Decryptions


a = ( 'ac )
a
_c = ]

'ac

i _c /^

^=i
^ = ] 'ac
= (i

Ba

Ba


a

_b


a ) 'ac

_b

Furthermore, in order to find out what one persons vote was, the
entire group would have to work together to find it because the
votes are combined before they were decrypted.
5.2.2 Extensions of this idea
The authors discuss two extensions of this basic idea: hiding the
number of votes a person received and voting with wider
confidence values. We will look briefly at each of these as they
demonstrate the fluidity of the voting protocol and the use of
ElGamals encryption.
If we want to keep the candidates totals a secret the process is a
bit more complex. We do this by comparing the encrypted totals
and only publishing the resulting rankings. This means we do not
ask for decryption keys for the totals.
To compare two candidates, we divide one candidates encrypted
total g by the others encrypted total g . The result will be an
encryption of 2jH%jI . To find out if the first candidate won, lost, or
tied the second, we need to know if g g is positive, negative or
zero. We dont want to expose the difference in votes, so we have
to compare them without decrypting.
We can make this comparison by calculating all non-negative
solutions for encrypting 2jH%jI with a single random key. There
are ? + 1 solutions for this for ? voters because results range from
a tie to everyone voting for the same person. Then we divide the
encrypted comparison by each of these possible results in turn.
The combined comparisons and possible results are then shuffled
and encrypted with another random key so that no one can tell
which result corresponds to which difference in votes. Finally, we
calculate ^ % ) as in Section 5.2.2 for each of these different
encryptions. If one of the decryptions is 1 = 2, , then g g must
be non-negative. This is because either g g = 0 to begin with
or to have divided by 2jH%jI to get 1.
The algorithm also allows other confidence levels. The powers are
only restricted to 0 and 1 to keep the size of the computation low
when the votes for each individual are being hidden. The
functions and protocols which are used to verify votes are valid
could be extended to see votes of 0 to 2 as valid, for example.
Then the people would be allowed to double vote for candidates
they were very confident in, while still voting for candidates they
were generally unopposed to.

6. CONCLUSIONS

prime factors. The issue lies with the time it takes to verify a
potential quasi-generator. Recall that a partial factorization is
necessary to do this and the process may take up to a few seconds
depending on the users decision on how to find prime factors and
how to determine if the factorization is sufficient.
Because the generator is typically only chosen once for the public
key and then reused, this time concern is negligible in a standard
use of ElGamals encryption or a system with many private keys
like confidence voting. This is a much more significant drawback
in the case of anonymous public keys, however, because many
generators must be chosen by the recipient in order to remain
anonymous.

7. ACKNOWLEDGMENTS
My thanks to my advisors for this project: David Roberts and
Elena Machkasova, as well as Barry McQuarrie, Kristin
Lamberty, and Marianne Helgeson for their assistance in
preparing this paper.

8. REFERENCES
1 ElGamal T. A Public Key Cryptosystem and a Signature
Scheme Based on Descrete Logarithms. Information Theory,
IEEE Transactions. 1985;31(4):496-492.
2 Herstein IN. Abstract Algebra. Hoboken, NJ: John Wiley &
Sons, Inc.; 1999.
3 Mao W. Modern Cryptography: Theory and Practice. Upper
Saddle River, NJ: Prentice Hall PTR; 2004.
4 Montenegro RaTP. How long does it take to catch a wild
kangaroo? STOC '09: Proceedings of the 41st annual ACM
symposium on Theory of computing. 2009 553-560.
5 Tsiounis Y, Yung M. On the Security of ElGamal Based
Encryption. Lecture Notes in Computer Science 1431. 1998
117-134.
6 Wang C, Leung Hf. A secure voter-resolved approval voting
protocol over internet. In: ICEC '05: Proceedings of the 7th
international conference on Electronic commerce; 2005; New
York. p. 646-652.
7 Waters BR, Felten EW, Sahai A. Receiver anonymity via
incomparable public keys. In: CCS '03: Proceedings of the 10th
ACM conference on Computer and communications security;
2003; Washington D.C. p. 112-121.

ElGamals encryption has a number of useful properties including

a semantically secure version. This makes it a popular choice
when developing implementations of procedures in which
individuals wish to hide their identities in some way, such as
confidence voting ballots and recipient identity. The flexibility of
ElGamals encryption allows the implementation of these ideas to
have different levels of complexity depending on which properties
need to be verified, such as the ideas described in Section 5.2.2.
Furthermore, the calculations involved in encrypting a message
with ElGamal are not prohibitively complex. The algorithm
involves only the use of simple modular arithmetic which uses
only positive integers and no division. Even considering the use of
1024-bit numbers, these calculations can be preformed quickly by
a computer. There is only one thing which may slow down the
process: choosing a quasi-generator. The problem is not that
quasi-generators are difficult to find, as we have shown that the
chance of choosing one at random depends heavily on small