ElGamal Encryption - Security

Security

The security of the ElGamal scheme depends on the properties of the underlying group as well as any padding scheme used on the messages.

If the computational Diffie–Hellman assumption holds in the underlying cyclic group, then the encryption function is one-way.

If the decisional Diffie–Hellman assumption (DDH) holds in, then ElGamal achieves semantic security. Semantic security is not implied by the computational Diffie–Hellman assumption alone. See decisional Diffie–Hellman assumption for a discussion of groups where the assumption is believed to hold.

ElGamal encryption is unconditionally malleable, and therefore is not secure under chosen ciphertext attack. For example, given an encryption of some (possibly unknown) message, one can easily construct a valid encryption of the message .

To achieve chosen-ciphertext security, the scheme must be further modified, or an appropriate padding scheme must be used. Depending on the modification, the DDH assumption may or may not be necessary.

Other schemes related to ElGamal which achieve security against chosen ciphertext attacks have also been proposed. The Cramer–Shoup cryptosystem is secure under chosen ciphertext attack assuming DDH holds for . Its proof does not use the random oracle model. Another proposed scheme is DHAES, whose proof requires an assumption that is weaker than the DDH assumption.