Security of Signed ElGamal Encryption

  • Claus Peter Schnorr
  • Markus Jakobsson
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1976)


Assuming a cryptographically strong cyclic group G of prime order q and a random hash function H, we show that ElGamal encryption with an added Schnorr signature is secure against the adaptive chosen ciphertext attack, in which an attacker can freely use a decryption oracle except for the target ciphertext. We also prove security against the novel one-more-decryption attack. Our security proofs are in a new model, corresponding to a combination of two previously introduced models, the Random Oracle model and the Generic model. The security extends to the distributed threshold version of the scheme. Moreover, we propose a very practical scheme for private information retrieval that is based on blind decryption of ElGamal ciphertexts.


Keywords: Group Element, Generic Step, Random Oracle, Secret Data, Security Proof



Copyright information

© Springer-Verlag Berlin Heidelberg 2000

Authors and Affiliations

  • Claus Peter Schnorr (1)
  • Markus Jakobsson (2)
  1. Fachbereich Mathematik/Informatik, Universität Frankfurt, Germany
  2. Information Sciences Laboratory, Bell Laboratories, Murray Hill, New Jersey
