Can anyone tell me how an ElGamal encrypted message has to be
decrypted? The open-pgp documentation doesn't give the answer.
I'm especially interested in how padding and checksums are handled.
I'm asking this question, because ElGamal encryption has the
same multiplicative properties as RSA. In particular, given
the encryption of a message M (including padding), it is easy
to generate the encryption of M*S (mod p) for a given S, without
knowing M. Hence the same attack that was possible against SSL
potentially works against ElGamal, when used with PKCS #1 v1.5.

BTW, is there any reason why PKCS #1 v1.5 padding is used and
not PKCS #1 v2?
-- Daniel Bleichenbacher
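
The multiplicative property described in the message above, as an added example that is not part of the original post and is not OpenPGP code. It uses toy ElGamal over Z_p*; the prime, the base, the 16-byte block length and the sample payload are constructed assumptions.

```python
# Added illustration: toy ElGamal over Z_p* showing the multiplicative
# property. Parameters are constructed for the demo, not OpenPGP values.
import secrets

P = 2**127 - 1  # a Mersenne prime; toy-sized, real keys use a far larger p
G = 3           # assumed base; the property holds for any base
K = 16          # length of p in bytes

def keygen():
    x = secrets.randbelow(P - 2) + 1          # private exponent
    return x, pow(G, x, P)                    # (x, y = g^x mod p)

def encrypt(y, m):
    k = secrets.randbelow(P - 2) + 1          # fresh ephemeral exponent
    return pow(G, k, P), (m * pow(y, k, P)) % P

def decrypt(x, ct):
    a, b = ct
    return (b * pow(a, P - 1 - x, P)) % P     # a^(-x) via Fermat's little theorem

def pad_type2(msg: bytes) -> int:
    """PKCS #1 v1.5 block type 2: 00 02 PS 00 msg, PS = nonzero random bytes."""
    ps_len = K - 3 - len(msg)
    if ps_len < 8:
        raise ValueError("message too long for this modulus")
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(ps_len))
    return int.from_bytes(b"\x00\x02" + ps + b"\x00" + msg, "big")

def scale_ciphertext(ct, s):
    """Turn an encryption of M into an encryption of M*S mod p, without the key."""
    a, b = ct
    return a, (b * s) % P

def demo(s=2):
    x, y = keygen()
    m = pad_type2(b"key")                     # constructed sample payload
    ct = encrypt(y, m)
    return m, decrypt(x, ct), decrypt(x, scale_ciphertext(ct, s))

if __name__ == "__main__":
    m, plain, scaled = demo(s=2)
    print(plain == m, scaled == (m * 2) % P)
```

The scaled ciphertext is a well-formed ElGamal pair, so the only place a receiver can notice the change is the padding check after decryption; how an implementation reports that check's failure is what decides whether the SSL-style attack applies.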