Elliptic ElGamal Cryptosystems

Updated 25 November 2025

ElGamal over Elliptic Curves is a cryptographic system that generalizes classical ElGamal by leveraging elliptic curve groups and integrating group-ring techniques.
The system employs a detailed encryption process using elliptic curve point operations and masked group-ring elements to secure message blocks.
Security relies on both the hardness of the ECDLP and the group-ring discrete logarithm, prompting larger parameter sizes in response to new subexponential attacks.

The ElGamal cryptosystem over elliptic curves generalizes classical ElGamal encryption to the group structure of elliptic curves defined over finite fields. The security of elliptic curve ElGamal (EC-ElGamal) is traditionally based on the presumed intractability of the elliptic curve discrete logarithm problem (ECDLP). Recent advancements have proposed a class of cryptosystems that integrate group rings with elliptic curve techniques, yielding the so-called elliptic ElGamal–type group-ring cryptosystems. These constructions aim to achieve a higher security margin by requiring adversaries to solve both ECDLP and discrete logarithm problems in group rings, exploiting the algebraic complexity of both underlying algebraic structures (Mittal et al., 2019). At the same time, new algorithms for the ECDLP over binary fields impact contemporary parameter selection and security expectations for EC-ElGamal (Semaev, 2015).

1. Mathematical Foundations

Group Rings

Given a commutative ring $R$ with unity and a group $G$ , the group ring $R G$ is the set of all formal finite sums: $R G = \left\{ \sum_{i=1}^t r_i g_i : r_i \in R, g_i \in G, t < \infty \right\}$ Addition in $R G$ is defined coefficientwise, and multiplication by distributivity and the group operation in $G$ : $\left(\sum_i r_i g_i\right)\star\left(\sum_j s_j h_j\right) = \sum_{i,j}(r_i s_j)(g_i h_j)$ A unit in $R G$ is an element with a multiplicative inverse.

Elliptic Curves and ECDLP

Consider a prime $p$ and an elliptic curve $E$ given by

$E: y^2 = x^3 + A x + B,\quad 4A^3 + 27B^2 \not\equiv 0 \pmod{p}$

over $\F_p$. The point set $E(\F_p)$ forms an abelian group with explicitly defined group law. The ECDLP is to find $n$ given $P, Q \in E(\F_p)$ with $Q = nP$ . Classical attacks (e.g., Pollard's rho) have complexity $O(\sqrt{p})$ ; no subexponential classical algorithm was previously known for generic curves (Mittal et al., 2019).

2. Structure of the Elliptic ElGamal–Type Group-Ring Cryptosystem

System Parameters and Key Generation

A prime $p$ , elliptic curve $E/\F_p$, and base point $P \in E(\F_p)$
A group $G$ of sufficient order and its group ring $R G$ with $R = \F_p$
Plaintext blocks $(m_1,\dots,m_t) \in R^t$ are embedded into $R G$ as $r = \sum_{i=1}^t m_i g_i$
Private keys: unit $u \in U(R G)$ of large order, integers $n_1, n_2$
Public key: $(P, Q = n_1 P, A = u^{n_2})$

Encryption

For a message block $r = \sum_{i=1}^t m_i g_i$ , encryption proceeds as follows:

Choose random ephemeral $k \in [1, \mathrm{ord}(P)-1]$
Compute $C_1 = kP \in E(\F_p)$
Compute the curve-point sequence $kQ, 2kQ, ..., tkQ = (x_{i+2}, y_{i+2})$
Define the masked group-ring element:

$r \oplus kQ = \sum_{i=1}^t \big(m_i + x_{i+2} + y_{i+2}\big) g_i$

Compute $C_2 = (r \oplus kQ) \star A$
Send ciphertext $(C_1, C_2)$

Decryption

Upon receiving $(C_1, C_2)$ :

Unmask the group-ring element: $r \oplus kQ = C_2 \star u^{-n_2}$
Recover $kQ$ by computing $n_1 C_1 = kQ$
Extract $m_i$ via:

$m_i = [\text{coefficient of } g_i] - (x_{i+2} + y_{i+2}) \pmod{p}$

A detailed worked example using $p = 29, E: y^2 = x^3 + 4x + 20 \pmod{29}$ , is included in (Mittal et al., 2019).

3. Security Analysis

The cryptosystem's security is predicated on the compounded hardness of:

Solving the ECDLP in $E(\F_p)$
Solving discrete logarithm or stretch-and-invert problems in $R G$ , with no known subexponential or quantum algorithm if the group ring is noncommutative

The required hardness for an adversary is therefore at least the maximum of the best attacks against each component. If the group-ring unit problem introduces an additional security margin of $k$ bits, combining a 224-bit elliptic curve with a group ring that provides $k$ -bit complexity achieves the effective security of a $(224 + k)$ -bit standard elliptic curve (Mittal et al., 2019).

4. Impact of New ECDLP Algorithms

A new index-calculus-type algorithm by Semaev demonstrates a subexponential attack on ECDLP for binary fields $\F_{2^n}$ with complexity

$2^{c\sqrt{n\ln n}}, \quad c \approx 1.69$

using summation polynomials and Boolean Gröbner basis techniques (Semaev, 2015). For FIPS-recommended binary curves of size up to $n=571$ , this algorithm significantly reduces effective security. For instance, 571-bit binary curves provide substantially less than 128-bit security under this new attack. Classical 128-bit security requires curves with $n \gtrsim 900$ , highlighting the need for larger parameter sets (Semaev, 2015).

5. Comparative Features: Standard EC-ElGamal vs. Group-Ring Variant

Feature	Standard EC-ElGamal	EC-ElGamal–Type Group-Ring
Security basis	ECDLP in $E(\F_p)$	ECDLP + unit DLP in $R G$
Ciphertext structure	Pairs of curve points	Curve point + group-ring element
Best generic attack	Pollard rho: $O(\sqrt{q})$	Must succeed on both components
Quantum attack impact	Shor’s algorithm applicable (curve DLP only)	No direct Shor’s for noncommutative $R G$

The group-ring variant retains the efficient group operations of classical EC-ElGamal but introduces an additional layer of algebraic complexity, potentially increasing resistance to both classical and quantum attacks, depending on group ring structure (Mittal et al., 2019).

6. Recommendations and Future Directions

The new group-ring-based constructions aim to provide higher cumulative security by leveraging the intractability of both ECDLP and group-ring DLP. However, recent algorithmic advances for binary curves mandate substantial increases in elliptic curve parameter sizes to regain former security margins, especially for long-term cryptographic applications. Avoiding binary curves with $n \leq 571$ and migrating to either larger binary fields or prime field curves with modulus above 1800 bits is strongly recommended for classical 128-bit security (Semaev, 2015).

A plausible implication is that the use of group rings may also motivate further algebraic cryptanalysis techniques targeting the combined system, though current attacks do not offer a tractable approach to the group-ring discrete log component.

Hybrid and post-quantum cryptographic strategies are suggested, as the combined pressure of new classical and quantum cryptanalytic techniques may undermine established EC security parameters in the near future (Semaev, 2015).

PDF Markdown Chat (Pro)

References (2)

Group ring based public key cryptosystems (2019)

New algorithm for the discrete logarithm problem on elliptic curves (2015)

Whiteboard

Generate a whiteboard explanation of this topic.

Follow Topic

Get notified by email when new papers are published related to ElGamal Over Elliptic Curves.