# ElGamal encryption scheme (on the multiplicative group)

Fix a group $G$ with a generator $g$.

**Key generation**

The first party, Alice, generates a key pair as follows:

* Generate an efficient description of a cyclic group $G\,$ of order $q\,$ with generator $g$.  Let $e$ represent the unit element of $G$.
* Choose an integer $x$ randomly from $\{1, \ldots, q-1\}$.
* Compute $h := g^x$.
* The public key consists of the values $(G,q,g,h)$. Alice publishes this public key and retains $x$ as her private key, which must be kept secret.
* Private key: $x$

In [4]:
#implementation of the key
def FindGen(p):
    fact=(p-1).factor()
    gammali=[]
    for i in range(0,len(fact)):
        b=1
        while b==1:
            a=randint(1,p-1)
            b=power_mod(a,(p-1)//fact[i][0],p)
        gammali+=[power_mod(a,(p-1)//(fact[i][0]**fact[i][1]),p)]
    gamma=prod(gammali)%p
    return gamma

def PublicPrivateKey(p): #assume here that p is a prime number
    g=FindGen(p)
    q=p-1
    x=randint(1,q-1)
    h=power_mod(g,x,p)
    return x,(p,q,g,h)

In [8]:
AlicePrivateKey,AlicePublicKey=PublicPrivateKey(11)
#keep AlicePrivateKey safely
#AlicePublicKey this is know to everyone interested

Encoding:
We assume that that there exists a bijection of the message space $\mathcal{M}$ onto a subset of $G$. Hence we can identify each message $M$ with an element $m\in G$.

In [2]:
#bijection from Mspace to a subset of G
#we want to encode simply ASCII symbols (UTF symbols) in some particular range

**Encryption:** (Bob sends a message to Alice)

* Choose an integer $y$ randomly from $\{1, \ldots, q-1\}$.
* Compute $s := h^y$. This is called the ''shared secret''.
* Compute $c_1 := g^y$.
* Compute $c_2 := m \cdot s$.
* Bob sends the ciphertext $(c_1,c_2)$ to Alice.

In [3]:
#encryption

**Decryption**

Alice decrypts a ciphertext $(c_1,c_2)$ with her private key $x$ as follows:
* Compute $s := c_1^x$. Since $c_1 = g^y$, $c_1^x = g^{xy} = h^y$ and thus it is the same shared secret that was used by Bob in encryption.
* Compute $s^{-1}$, the inverse of $s$ in the group $G$. 

This can be computed in one of several ways. If $G$ is a subgroup of a multiplicative group of integers modulo $n$, the modular multiplicative inverse can be computed using the Extended Euclidean Algorithm. An alternative is to compute $s^{-1}$ as $c_1^{q-x}$.

This is the inverse of $s$ because of Lagrange's theorem, since $s \cdot c_1^{q-x} = g^{xy} \cdot g^{(q-x)y} = (g^{q})^y = e^y = e$.
* Compute $m := c_2 \cdot s^{-1}$. This calculation produces the original message $m$, because $ c_2 = m \cdot s$; hence $ c_2 \cdot s^{-1} = (m \cdot s) \cdot s^{-1} = m \cdot e = m$.
* Map $m$ back to the plaintext message $M$.

[Inspired by Wikipedia]


**Exercise**
Implement this protocol for $G=\Phi(p)$.

In [9]:
#decryption

In [10]:
#Safety discussion in the context of potential DLP attack on the multiplicative group.