LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

How does ElGamal encryption work on elliptic curves (the Volker Müller / Koblitz method)?

EC ElGamal maps the message to a curve point M, then masks it: ciphertext is $(k \cdot G, M + k \cdot Q)$ where Q is the public key. Decryption subtracts $d \cdot (k \cdot G)$ to recover M.

Key Generation (Bob):

  • Choose curve $E$, base point $G$ of order $n$
  • Choose secret $d \in \{2, ..., n-2\}$
  • Compute public key: $Q = d \cdot G$
  • Publish: $(E, G, n, Q)$

Encryption (Alice sends point $M$ to Bob):

  1. Choose random ephemeral $k \in \{2, ..., n-2\}$
  2. Compute ephemeral key: $k_E = k \cdot G$
  3. Compute masking key: $k_M = k \cdot Q$ (= $k \cdot d \cdot G$)
  4. Compute ciphertext point: $C = M + k_M$
  5. Send $(k_E, C)$ to Bob

Decryption (Bob):

  1. Compute masking key: $k_M = d \cdot k_E$ (= $d \cdot k \cdot G$)
  2. Recover: $M = C - k_M$

Why it works: $C - k_M = (M + k \cdot Q) - d \cdot (k \cdot G) = M + k \cdot d \cdot G - d \cdot k \cdot G = M$

Key differences from RSA:

  • Additive masking ($M + k_M$) instead of multiplicative ($m \cdot K$) — because the group operation on curves is addition
  • Inherently probabilistic — random $k$ means different ciphertext each time (no OAEP needed!)
  • Ciphertext is two points — doubles the message size (ciphertext expansion factor = 2)

Challenge: The message $m$ (a number) must be mapped to a curve point $M$. This is non-trivial — not every $x$ value has a corresponding point on the curve. The Koblitz method uses trial: try $x = m \cdot c + j$ for $j = 0, 1, 2, ...$ until a valid point is found.

Go deeper:

From Quiz: KRYPTOG / Elliptic Curve Cryptography | Updated: Jul 14, 2026