Quiz Entry - updated: 2026.05.31
What is ElGamal encryption, and how does it use Diffie-Hellman?
ElGamal turns the DH key exchange into a full asymmetric encryption scheme. The receiver's static DH public key acts as their long-term public key; each ciphertext encrypts a one-shot DH exchange.
Setup (receiver Alice):
p = large prime; g = generator
a = Alice's private key (random in [1, p−1])
A = g^a mod p ← Alice's public key
Encryption (sender Bob, message m):
b = random in [1, p−1] ← fresh per message
B = g^b mod p ← ephemeral public value
shared_key = A^b mod p ← Bob's view of DH shared secret
c = m · shared_key mod p ← simple group operation
send (B, c) to Alice
Decryption (Alice):
shared_key = B^a mod p ← Alice's view of DH shared secret = g^(ab)
m = c · shared_key⁻¹ mod p ← multiply by the inverse
Alice and Bob computed the same g^(ab) mod p, so encryption and decryption cancel.
Properties:
- Probabilistic — the random
bmakes the same plaintext encrypt to different ciphertexts every time (unlike textbook RSA). - Ciphertext is twice the size of the plaintext (you send both
Bandc). - The signature variant ElGamal Signature is the basis of DSA.
Where it's used:
- PGP / GnuPG historically used ElGamal for encryption (alongside DSA for signatures) before EC support became standard.
- The pattern (sender does a fresh DH with receiver's static key) inspired modern integrated encryption schemes (IES, ECIES) — those replace the raw
A^b · mwith proper symmetric encryption keyed by a KDF ong^(ab).
Tip: ElGamal as-such is rarely used today (the size overhead and proper hybrid integration matter), but understanding it helps see why "DH → ElGamal → ECIES" is one continuous design line.