# ElGamal Cryptosystem

## Key Generation

Steps:

* A trusted party chooses a prime number $p$ and an element of the field $g$ (of large order, ideally a generator).
* The party that generates the keys draws a private key $a$<$p$ and computes $A=g^a (\text{mod }p)$. Publishes $A$ as the public key

The public key is $A$ and the private key $a$.

In [None]:
from crypto import GeneratePrimeGeneratorPair

size_bits = 16

p, g = GeneratePrimeGeneratorPair(size_bits)

print(f"p = {p}")
print(f"g = {g}")

In [None]:
from random import randrange



print(f"PublicKey: {A}")
print(f"PrivateKey: {a}")

## Encryption function

The party that wants to send a message $m$ and knows the public parameters knows $p$, $g$ and $A$ (the latter one is the public key). To encrypt we need a random ephemeral key $k$ to compute the two parts of the ciphertext

$$c_1=g^k (\text{mod }p)$$
$$c_2=mA^k (\text{mod }p)$$

The ciphertext is the tuple ($c_1$, $c_2$).

In [None]:


print(f"m: {m}")
print(f"k: {k}")
print(f"c: {c}")

## Decryption function

The decryption function computes the ciphertext $c$=($c_1$, $c_2$) to the original message $m$. 

$$m = (c_1^a)^{-1}*c_2 (\text{mod }p)$$


In [None]:
from crypto import InverseFermat



print(f"message decrypted: {m2}")

Let's check analitically that the previous equation holds. On the one hand we have $(c_1^a)^{-1}$:

$$(c_1^a)^{-1}(\text{mod }p)=(g^{ka})^{-1}(\text{mod }p)=(A^{k})^{-1}(\text{mod }p)$$

Also

$$c_2(\text{mod }p)=m*A^k(\text{mod }p)$$

if we multiply both we get

$$(c_1^a)^{-1}*c_2 (\text{mod }p)=(A^{k})^{-1}*m*A^k(\text{mod }p)=m(\text{mod }p)$$

proving that the previous decryption is correct.

In [None]:
from typing import Tuple

def ElGamalKeyGenerator(size: int = 64):
    '''
    Implementation of El Gamal Cryptosystem
    This function generates plublic and private keys
    Input:
        size: size in bits of the field
    Output:
        PublicKey: (A, g, p)
        PrivateKey: (sk, p)
    '''
    p, g = GeneratePrimeGeneratorPair(size)
    sk = randrange(2, p-1)
    A = pow(g, sk, p)

    # Return public key and private key
    return (A, g, p), (sk, p)

def ElGamalEncrypt(m: int, PublicKey: Tuple[int]):
    '''
    Encrypts a message m using the ElGamal public key
    Input:
        m: message (An integer message) (mod p)
        PublicKey: A tuple (A, g, p)
    Output:
        c: tuple (c1, c2) encrypted message 
    '''
    A, g, p = PublicKey[0], PublicKey[1], PublicKey[2]
    k = randrange(2, p-1)

    return (pow(g, k, p), pow(A, k, p)*m%p)


def ElGamalDecrypt(c: Tuple[int, int], PrivateKey: Tuple[int]):
    '''
    Decrypts a ciphertext m using the El Gamnal private key
    Input:
        c: tuple (c1, c2) the ciphertext of the message
        PublicKey: A tuple (sk, p)
    Output:
        m: Decrypted message
    '''
    c1, c2 = c[0], c[1]
    sk, p = PrivateKey[0], PrivateKey[1]
    x = InverseFermat(pow(c1, sk, p), p)
    return (x * c2)%p

## What is the difficulty of breaking this code?

In order to decrypt the messages one has to find the secret key $a$. Let's take the decryption algorithm:

$$m = (c_1^a)^{-1}*c_2 (\text{mod }p)$$

and multiply by $c_2^{-1}$ to both sides

$$m*c_2^{-1} = (c_1^a)^{-1} (\text{mod }p)$$

and apply the inverse to both sides

$$m^{-1}*c_2 = c_1^a (\text{mod }p)$$

this is equivalent to the discrete lograithm problem: Try to find $y$ given $x$, $g$ and $p$.

$$x=g^y \textit{(mod p)}$$

In our case

$$x=m^{-1}*c_2$$
$$g=c_1$$
and

$$y=a$$


In [None]:
x = InverseFermat(m, p)*c2%p
g = c1
y = randrange(p)

while x!=pow(g, y, p):
    y = randrange(p)
    
print(f"y: {y}")
print(f"a: {a}")