### El Gamal public parameters
A large prime   p , and a generator   g . These parameters can shared across all users of the system.
In practice, often   $ p≈2^{2048}$ . For security reasons,   p  is often chosen so that   p−1=2q  for some prime   q ,
and   g  is chosen to have order   q , i.e.,   $g^{q}=1 mod p$ .

### El Gamal Key Generation
Generate a random integer   $a$  in the range   1,…,q , where   $q$  is the order of   g .
If   q  is unknown, it suffices to generate   $a$  uniformly in the range  $ 1,…,p $.
The secret key is   $a$ .
The public key is   $h=g^{a} mod p $.

### El Gamal Encryption
To encrypt a message   m , assume that   m  is an integer   $1 ≤ m ≤ p$ .
(In practice, it is important to encode   m  so that is in the subgroup generated by powers of   $g$ , but for this assignment, we will just assume   m  is already an appropriate integer, so no encoding is necessary).

To encrypt   $m$ , generate a random   r  in the range   $1 ≤ r ≤ q$ , and set
$(c1,c2)=(g^{r} mod p,h^{r}⋅m mod p)$ .

### El Gamal Decryption
Given a ciphertext,   $(c1,c2)$ , and a secret key,   $a$ , set
$m=c2/c1^{a} mod p $
You can read more about the El Gamal cryptosystem in the Handbook of Applied Cryptography

### Implementing El Gamal in python
Implement El Gamal key generation, encryption and decryption.
Assume that   p  and   g  are provided as global variables.
The function “keygen” should take no arguments and return a secret key (an integer in the range   1,…,p ) and a public key   $g^{a}mod p$ .
The function “encrypt” should take a public key,  $ h$ , and an integer  $ m$  and return an El Gamal ciphertext.
The function “decrypt” should take a private key,   a , and a ciphertext [  c1,c2 ] and return an integer   m .
In Python3.8 you can use the “pow” function to compute modular inverses.
For example

In [1]:
import random 

from params import p
from params import g

# g is chosen to have order q , g^q = 1 mod p

def keygen():
    # if q is the order of g
#     if( pow(g,q,p)==1):
#         a = random.SystemRandom().randint(1,q)
#     # if q is unknown, (1,p)
#     else: 
    a = random.SystemRandom().randint(1,p)
    h = pow(g,a,p)
    sk = a
    pk = h
    
    return pk,sk

def encrypt(pk,m):
    # set  (𝑐1,𝑐2)=(𝑔^𝑟𝑚𝑜𝑑𝑝,ℎ^𝑟⋅𝑚 𝑚𝑜𝑑 𝑝) 
    
    r = random.SystemRandom().randint(1,p)
    c1 = pow(g,r,p)      
    pre_c2= pow(pk,r,p)* pow(m,1,p)
    c2 = pow(pre_c2,1, p)
    return c1,c2

def decrypt(sk,c):
    # 𝑚=𝑐2/𝑐1^𝑎 𝑚𝑜𝑑 𝑝
    
    mes = pow(c[1],1,p)* pow(c[0],-sk,p) 
    m=mes%p
    return m



In [2]:
pk,sk = keygen()

In [3]:
#m = random.SystemRandom().randint(1,p//2)

m = 31
c = encrypt(pk,m)
c

(4921054694827866974163506445250955186380237984600125746447527126236107146734316622882474051243989452336856642529348167482971526972862473744639004027137291,
 4553428060945196763177004389774852200058400551198223523323750973493441275153044788093546558088382023290208589072821031768713764219160441585535581138382486)

In [4]:

m2 = decrypt(sk,c)
m2
    
    

31