Elgamal Cryptosystem

§ Motivation

We've already discussed how to securely exchange keys, but not a cryptosystem; i.e. a system that can be used to encrypt and decrypt messages. The Elgamal cryptosystem is very similar to Diffie-Hellman, but it can be used to encrypt messages.

§ Cryptosystem Discussion

Let $\mathcal{K}$ denote the key space (all possible keys), $\mathcal{M}$ the message space, and $\mathcal{C}$ ciphertext space (encrypted message).

For a resonably secure public key cryptosystem, we would want the following properties

1. For any key $k \in \mathcal{K}$ and message in $m \in \mathcal{M}$, it must be easy to compute the ciphertext $e_k(m) = e(k, m)$ (encryption is fast).
2. For any key $k \in \mathcal{K}$ and ciphertext in $c \in \mathcal{C}$, it must be easy to compute $d_k(c) = d(k, c)$ (decryption is fast).
3. Given one or more $c_1, \dots, c_n \in \mathcal{C}$, all encrypted using the same $k \in \mathcal{K}$, it must be very difficult to compute any of $d_k(c_1), \dots, d_k(c_n)$ without knowledge of $k$.
4. Given one or many pairs of plaintexts and corresponding ciphertexts $(m_1, c_1), \dots, (m_n, c_n)$ it must be very difficult to compute any ciphertext besides $c_1, \dots, c_n$ without knowing $k$ (khown plaintext attack resilience).
5. For any message $m_1, \dots, m_n \in \mathcal{M}$ chosen by an adversarial eavesdropper, even with knowledge of ciphertexts $e_k(m_1), \dots, e_k(m_n)$, it is very difficult to decrypt any ciphertext $c$ that is not in the given list without knowing key $k$ (chosen plaintext attack resilience).

§ Elgamal Public Key Cryptosystem