ietf-openpgp

Re: [openpgp] IND-CPA security of OpenPGP's ElGamal implementation

2018-12-08 18:44:43


On Dec 8, 2018, at 7:16 AM, Roger Ellenberger <rogerandrea(_dot_)ellenberger(_at_)students(_dot_)bfh(_dot_)ch> wrote:

> […]
>
> Long story short: We would like to know what the considerations have
> been to use ElGamal combined with a PKCS-EME encoding, since without the
> encoding/padding it actually lacks CPA security. Unfortunately we did
> not find any authoritative reference which gives a statement about
> ElGamal security when $m$ is not in G_q but padded.
>
> Thank you very much in advance for your help.

What a wonderful idea. I really like it.

The short answer to your question is that there aren’t any references. I concur 
with Watson that any issue is minimal, especially if you’re using Elgamal keys 
that are 3K to 4K.

A longer answer is that OpenPGP is pretty much the first substantial protocol 
to use Elgamal keys. Back in the late ’90s, when patents were an issue, the 
then “PGP 3” system which became “PGP 5” and then that became standardized as 
OpenPGP, wanted an alternative to RSA. The RSA patent expired in the year 2000, 
but the discrete log patents expired in ’97. Thus, there was a real reason for 
wanting a discrete log option. They picked Elgamal because you can use it more 
or less as if it were RSA. As time went on, Elgamal signatures fell by the 
wayside over DSA, leaving Elgamal for encryption.

Derek Atkins might remember more, because a lot of those original decisions 
were made by some combination of him, Colin Plumb, and Hal Finney.

        Jon
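
The property the question asks about, as an added example that is not part of the original thread or of any OpenPGP implementation: in textbook ElGamal over a safe prime p = 2q + 1, testing whether c2 lies in G_q reveals whether m did, which is enough to win the IND-CPA game when one message is outside G_q. The toy parameters, the function names and the safe-prime group are assumptions made for illustration; no PKCS encoding is modelled.

```python
import secrets

# Toy safe-prime group, constructed for illustration (far too small for real use):
# P = 2Q + 1, and G = 4 generates G_q, the order-Q subgroup of quadratic residues.
P, Q, G = 2039, 1019, 4

def in_subgroup(a):
    """Euler's criterion: a is in G_q exactly when a^Q = 1 (mod P)."""
    return pow(a, Q, P) == 1

def keygen():
    x = secrets.randbelow(Q - 1) + 1          # private exponent in [1, Q-1]
    return x, pow(G, x, P)                    # (private, public h = G^x)

def encrypt(h, m):
    """Textbook ElGamal: m is multiplied in as-is, with no encoding."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), (m * pow(h, r, P)) % P

def decrypt(x, c):
    c1, c2 = c
    return (c2 * pow(c1, P - 1 - x, P)) % P   # c1^(P-1-x) = c1^(-x) mod P

def guess(c):
    """Adversary without the key: h^r is always in G_q, so c2 is in G_q
    exactly when m is. Returns 0 for 'm was in G_q', 1 otherwise."""
    return 0 if in_subgroup(c[1]) else 1

def ind_cpa_wins(m0, m1, trials=200):
    """Play the IND-CPA game `trials` times; return how often the guess is right."""
    wins = 0
    for _ in range(trials):
        _, h = keygen()
        b = secrets.randbelow(2)
        wins += guess(encrypt(h, (m0, m1)[b])) == b
    return wins

M_IN, M_OUT = 9, P - 9    # 9 = 3^2 is in G_q; P - 9 is not, since P = 3 (mod 4)

if __name__ == "__main__":
    print("one message outside G_q:", ind_cpa_wins(M_IN, M_OUT), "/ 200")
    print("both messages in G_q:   ", ind_cpa_wins(M_IN, 16), "/ 200")
```

When both messages are in G_q the subgroup test returns the same answer for every ciphertext, so the guess carries no information and the win count sits near half the trials.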
