Re: [openpgp] IND-CPA security of OpenPGP's ElGamal implementation

2018-12-08 12:43:28
On Sat, Dec 8, 2018 at 7:21 AM Roger Ellenberger
<rogerandrea(_dot_)ellenberger(_at_)students(_dot_)bfh(_dot_)ch> wrote:
> <snip>
> Long story short: We would like to know what the considerations have
> been to use ElGamal combined with a PKCS-EME encoding, since without the
> encoding/padding it actually lacks CPA security. Unfortunately we did
> not find any authoritative reference which gives a statement about
> ElGamal security when $m$ is not in G_q but padded.

I suspect the only leak is one bit, namely whether or not m is a
quadratic residue mod p. The impact on the security is minimal.
But why not use threshold IECS as https://tools.ietf.org/html/rfc6637
does and avoid this quirk?

> Thank you very much in advance for your help.
>
> Best regards,
> Tobias and Roger

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp

-- 
"Man is born free, but everywhere he is in chains".
--Rousseau.
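The one-bit leak discussed above, as an added worked example that is not part of the thread: for a safe prime p = 2q + 1 the order-q subgroup G_q is exactly the set of quadratic residues, so c2 = m * y^k carries the Legendre symbol of any unencoded (e.g. padded) m, and mapping m into G_q before encryption removes that distinguisher. The prime, generator and the "negate into a residue" encoding are constructed toy choices for illustration, far too small for real use.

```python
import secrets

P = 1019          # constructed toy safe prime: P = 2*Q + 1 and P ≡ 3 (mod 4)
Q = (P - 1) // 2  # 509, prime
G = 4             # 2^2 is a quadratic residue, so it generates the order-Q subgroup G_q

def legendre(a, p=P):
    """Euler's criterion: 1 if a is a quadratic residue mod p, p-1 otherwise."""
    return pow(a, (p - 1) // 2, p)

def keygen():
    """Private exponent x and public key y = G^x; y lies in G_q."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def encrypt(y, m):
    """Textbook ElGamal: c2 = m * y^k mod P, where y^k is always a residue."""
    k = secrets.randbelow(Q - 1) + 1
    return pow(G, k, P), (m * pow(y, k, P)) % P

def decrypt(x, c1, c2):
    """c2 / c1^x mod P, inverse taken via Fermat's little theorem."""
    return (c2 * pow(pow(c1, x, P), P - 2, P)) % P

def leaked_bit(c2):
    """What a passive observer learns from c2 alone: because the Legendre symbol
    is multiplicative and y^k is a residue, legendre(c2) == legendre(m)."""
    return legendre(c2) == 1

def encode(m):
    """Map 1 <= m <= Q into G_q. Since P ≡ 3 (mod 4), -1 is a non-residue, so
    exactly one of m and P-m is a residue; decode() picks the smaller preimage."""
    return m if legendre(m) == 1 else P - m

def decode(m_enc):
    return min(m_enc, P - m_enc)

def demo():
    x, y = keygen()
    # Unencoded m: the residuosity of c2 equals the residuosity of m every time.
    unencoded_leak = all(leaked_bit(encrypt(y, m)[1]) == (legendre(m) == 1)
                         for m in range(1, P))
    # Encoded m: every c2 is a residue, so the bit is constant, and m round-trips.
    encoded_hidden = all(leaked_bit(encrypt(y, encode(m))[1]) for m in range(1, Q + 1))
    roundtrip = all(decode(decrypt(x, *encrypt(y, encode(m)))) == m
                    for m in range(1, Q + 1))
    return unencoded_leak, encoded_hidden, roundtrip
```

With an EME-padded m the padded integer is simply one of the values in `range(1, P)` above, which is why the padding alone does not restore the subgroup membership the IND-CPA proof assumes.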