ietf-openpgp

[openpgp] IND-CPA security of OpenPGP's ElGamal implementation

2018-12-08 09:22:00
Hi,

We are currently working on a Firefox extension which allows us to
encrypt and decrypt OpenPGP messages using partially-trusted remote
keystores. We perform the asymmetric decryption operations on these
remote keystores using a threshold ElGamal scheme. We are developing this
extension as our thesis project at Bern University for Applied Sciences.

ElGamal is our preferred asymmetric algorithm since we make use of
threshold cryptography, and the threshold scheme for ElGamal is much
simpler than threshold RSA.

While working on the decryption of OpenPGP messages, we saw in section 5.1
of RFC 4880 that the symmetric key $s$, together with the algorithm
identifier and checksum, is encoded and padded using PKCS#1 v1.5 EME
encoding. The result of the EME encoding, $eme_encode(s) = m$, is then
encrypted using ElGamal.

A short recap of ElGamal: we use the groups $Z*_p$ and $G_q$ for ElGamal,
where p is a safe prime, $q = (p-1)/2$, and $G_q$ is a subgroup of
$Z*_p$. Encryption is defined as follows:

$
enc(y, r, m):   G_q x Z_q x G_q -> G_q x G_q
             :=  (c_1, c_2) = (g**k mod p, m * y**k mod p)
$

According to the literature, one needs to map $m$ into $G_q$ to guarantee
that ElGamal is IND-CPA secure. According to the RFC, this check is not
performed, but an encoding/padding is applied to the plaintext.

Long story short: we would like to know what the considerations were for
using ElGamal combined with a PKCS EME encoding, since without the
encoding/padding it actually lacks CPA security. Unfortunately, we did not
find any authoritative reference that makes a statement about ElGamal's
security when $m$ is not in $G_q$ but is padded.

Thank you very much in advance for your help.
Best regards,
Tobias and Roger

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
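The following is an added worked example, not code from the original post or from any OpenPGP implementation, that makes the question above concrete. It builds the post's ElGamal over Z*_p with p a safe prime and g generating G_q, then shows three things: the textbook IND-CPA distinguisher against a plaintext that is not in G_q (the Legendre symbol of c_2 equals that of m, so an adversary who submits one quadratic residue and one non-residue reads the challenge bit straight off the ciphertext); that an EME-PKCS1-v1_5 encoded value lands outside G_q about half the time, i.e. the padding does not perform the mapping the IND-CPA proof needs; and the standard fix of mapping m into G_q (m -> p - m for non-residues, valid because -1 is a non-residue when p = 3 mod 4) with its inverse applied after decryption. Assumptions, all constructed for the demo: a 256-bit safe prime found deterministically at import time rather than a real OpenPGP key, g = 4, a dummy 16-byte AES-128 session key with its RFC 4880 checksum, our own EME-PKCS1-v1_5 encoder, and the helper names (plaintext_legendre, into_gq, padded_leak_rate, ...), none of which come from the post or from RFC 4880.

```python
"""Toy ElGamal over Z*_p with p = 2q + 1 a safe prime, showing why the plaintext must lie in
the order-q subgroup G_q for IND-CPA.  Added example, not code from the original post or from
any OpenPGP implementation.  Constructed for the demo: the 256-bit modulus is found deterministically,
g = 4 generates G_q, the session key is 16 dummy bytes, the EME-PKCS1-v1_5 encoder is our own."""
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases: fine for a deterministic demo, not for key generation."""
    if n < 41:
        return n in SMALL_PRIMES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_at_least(lo: int) -> int:
    """First safe prime p = 2q + 1 >= lo; safe primes above 7 are 11 mod 12, so step by 12."""
    p = lo + (11 - lo % 12) % 12
    while not (is_probable_prime((p - 1) // 2) and is_probable_prime(p)):
        p += 12
    return p

P = safe_prime_at_least(1 << 255)     # constructed demo modulus; p = 3 mod 4 like every safe prime > 7
Q = (P - 1) // 2
G = 4                                 # 4 = 2^2 is a QR and not 1, so its order is q: it generates G_q
K_BYTES = (P.bit_length() + 7) // 8   # EME block length, 32 bytes
PAYLOAD = b"\x07" + bytes(range(16)) + b"\x00\x78"   # RFC 4880 5.1 layout: algo id || dummy key || 16-bit checksum

def legendre(a: int) -> int:
    """Legendre symbol (a|p) by Euler's criterion: 1 = QR (a in G_q), -1 = non-residue, 0 = zero."""
    s = pow(a % P, Q, P)
    return -1 if s == P - 1 else s

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def encrypt(y: int, m: int):
    """Textbook ElGamal, exactly the post's enc(): (g^k mod p, m * y^k mod p)."""
    k = secrets.randbelow(Q - 1) + 1
    return pow(G, k, P), m * pow(y, k, P) % P

def decrypt(x: int, c1: int, c2: int) -> int:
    return c2 * pow(c1, -x, P) % P    # negative exponent = modular inverse (Python 3.8+)

def plaintext_legendre(y: int, c1: int, c2: int) -> int:
    """(m|p) from public data only, for any g: (c2|p) = (m|p) * (y|p)^k.  If y is a QR that factor
    is 1; otherwise g is a non-residue too (y = g^x), so (c1|p) = (g|p)^k = (-1)^k = (y|p)^k."""
    return legendre(c2) * (1 if legendre(y) == 1 else legendre(c1))

def eme_pkcs1_v1_5_encode(msg: bytes, k: int = K_BYTES) -> int:
    """RFC 8017 7.2.1 layout 0x00 || 0x02 || PS (>= 8 random non-zero bytes) || 0x00 || M, as an
    integer below 2^(8(k-1)).  A byte layout only: nothing about it puts the integer inside G_q."""
    if len(msg) > k - 11:
        raise ValueError("message too long for modulus")
    ps = b""
    while len(ps) < k - len(msg) - 3:
        ps += bytes(b for b in secrets.token_bytes(k) if b)
    return int.from_bytes(b"\x00\x02" + ps[: k - len(msg) - 3] + b"\x00" + msg, "big")

def into_gq(m: int) -> int:
    """Textbook fix for p = 3 mod 4: -1 is a non-residue, so m -> p - m moves a non-residue into G_q.
    Injective on 1 <= m <= q, which every EME value (leading 0x00 byte) satisfies; undo: m if m <= q else p - m."""
    assert 1 <= m <= Q
    return m if legendre(m) == 1 else P - m

def textbook_distinguisher(y: int, trials: int = 50) -> float:
    """IND-CPA game against raw ElGamal: the adversary submits m0 in G_q and m1 = -m0 outside it,
    then reads the challenge bit from c2.  Returns its success rate (1.0 = total break)."""
    m0, wins = pow(G, 12345, P), 0
    for _ in range(trials):
        b = secrets.randbelow(2)
        c1, c2 = encrypt(y, (m0, P - m0)[b])
        wins += (plaintext_legendre(y, c1, c2) == -1) == bool(b)
    return wins / trials

def padded_leak_rate(y: int, payload: bytes = PAYLOAD, trials: int = 50, fix: bool = False) -> float:
    """Fraction of encryptions of the EME-padded payload whose c2 exposes a non-residue plaintext,
    i.e. whose padded m lies outside G_q (about 0.5).  fix=True applies into_gq() first (0.0)."""
    leaks = 0
    for _ in range(trials):
        m = eme_pkcs1_v1_5_encode(payload)
        c1, c2 = encrypt(y, into_gq(m) if fix else m)
        leaks += plaintext_legendre(y, c1, c2) == -1
    return leaks / trials

def roundtrip(x: int, y: int, payload: bytes = PAYLOAD) -> bool:
    """Encrypt the mapped value, decrypt, undo the mapping: the EME-encoded integer comes back intact."""
    m = eme_pkcs1_v1_5_encode(payload)
    c1, c2 = encrypt(y, into_gq(m))
    d = decrypt(x, c1, c2)
    return (d if d <= Q else P - d) == m
```

With `x, y = keygen()`, `textbook_distinguisher(y)` returns 1.0, `padded_leak_rate(y)` about 0.5 and `padded_leak_rate(y, fix=True)` 0.0, while `roundtrip(x, y)` confirms the mapping is reversible. Note what this does and does not show: the bit that leaks is the quadratic residuosity of the padded value m, which says nothing directly about the session-key bytes underneath the random padding; whether that bit is exploitable against OpenPGP is exactly the open question in the post, and the example only demonstrates that padding alone does not satisfy the precondition (m in G_q) of the IND-CPA proof.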