From msuinfo!agate!howland.reston.ans.net!zaphod.mps.ohio-state.edu!ub!news.kei.com!ddsw1!chinet!schneier Thu May  6 22:59:50 1993
Newsgroups: sci.crypt
Path: msuinfo!agate!howland.reston.ans.net!zaphod.mps.ohio-state.edu!ub!news.kei.com!ddsw1!chinet!schneier
From: schneier@chinet.chinet.com (Bruce Schneier)
Subject: ElGamal Encryption using the Digital Signature Algorithm
Message-ID: <C6L9w6.6yC@chinet.chinet.com>
Organization: Chinet - Public Access UNIX
Date: Thu, 6 May 1993 05:00:05 GMT
Lines: 37


Here's how to do ElGamal encryption with DSA.  This procedure assumes the
existence of a DSA function call:

	DSAsign (p,q,g,k,x,h,r,s)

You supply the parameters p, q, g, j, x, and h, and the function returns
the signature parameters, r and s.

To do ElGamal encryption of a message m with public key y, choose a random
number k and call:

	DSAsign (p,p,g,k,0,0,r,s)

The value of r returned is a in the ElGamal scheme.  Throw s away.  Then call:

	DSAsign (p,p,y,k,0,0,r,s)

Rename the value of r to be u; throw s away.  Finally, call:

	DSAsign (p,p,m,1,u,0,r,s)

Throw r away.  The value of s returned is b in the ElGamel scheme.  Yoy now
have the ciphertext, a and b.

Decryption only takes two function calls.  First, call:

	DSAsign (p,p,a,x,0,0,r,s)

Rename r as e.  Throw s away.  Then call:

	DSAsign (p,p,1,e,b,0,r,s)

Throw r away.  The value of s returned is the plaintext, m.

This won't work if the function has size restrictions on some of the variables,
but it will work for a general implementation of the function.