At 08.12.18 / 16:16 Roger Ellenberger wrote:
> According to the literature, one needs to map $m$ into $G_q$ to guarantee that
> ElGamal is IND-CPA secure. According to the RFC this check is not
> performed, but an encoding/padding is applied to the plaintext.
I stumbled upon the same problem [1] when creating DKGPG some months ago.
In my opinion it cannot be solved without revising ElGamal in the RFC.
Maybe the work of Sakurai and Shizuya [2] can help to understand some
implications of the RFC authors' choice at that time.
[1] slide #17 of https://www.nongnu.org/libtmcg/dg81_slides.pdf
[2] https://link.springer.com/content/pdf/10.1007/3-540-49264-X_28.pdf
Best regards,
Heiko.
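To make the point of both messages concrete, here is an added toy example in Python; it is not code from the RFC, DKGPG or libtmcg, and it assumes a safe-prime group p = 2q + 1 with constructed, far-too-small parameters. It shows that when m is used as-is (no G_q membership check) a passive observer reads the quadratic residuosity of m straight off c2, which is exactly the IND-CPA failure, and that mapping m into G_q removes the leak.

```python
import random

# Constructed toy parameters, far too small for real use: a safe prime P = 2Q + 1.
# For a safe prime, G_q (the subgroup of prime order Q) is exactly the set of
# quadratic residues mod P, and G = 4 = 2**2 generates it.
Q, G = 1019, 4
P = 2 * Q + 1          # 2039; P % 4 == 3, so -1 is a non-residue mod P

def legendre(a):
    """Euler's criterion: 1 if a lies in G_q (a quadratic residue), P - 1 otherwise."""
    return pow(a, Q, P)

def keygen(rng):
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)

def encrypt(y, m, rng):
    """ElGamal as in the RFC: m in [1, P-1] is used directly, with no G_q membership check."""
    k = rng.randrange(1, Q)
    return pow(G, k, P), (m * pow(y, k, P)) % P

def decrypt(x, ct):
    return (ct[1] * pow(ct[0], -x, P)) % P

def distinguish(m0, m1, ct):
    # Passive observer: y**k is in G_q, so legendre(c2) == legendre(m). When m0 and m1
    # differ in residuosity this reveals which one was encrypted, breaking IND-CPA.
    return 0 if legendre(ct[1]) == legendre(m0) else 1

def encode(m):
    """Map m in [1, Q] into G_q: exactly one of m and P - m is a residue, since -1 is not."""
    if not 1 <= m <= Q:
        raise ValueError("message out of range")
    return m if legendre(m) == 1 else P - m

def decode(e):
    return e if e <= Q else P - e

def demo(seed=1):
    """Returns (distinguisher hits out of 100, set of legendre(c2) values once m is encoded)."""
    rng = random.Random(seed)
    x, y = keygen(rng)
    msgs = (G, P - 1)          # a residue and a non-residue, both accepted by encrypt()
    hits = 0
    for b in (0, 1) * 50:
        ct = encrypt(y, msgs[b], rng)
        assert decrypt(x, ct) == msgs[b]
        hits += distinguish(msgs[0], msgs[1], ct) == b
    seen = {legendre(encrypt(y, encode(m), rng)[1]) for m in range(1, 200)}
    assert all(decode(decrypt(x, encrypt(y, encode(m), rng))) == m for m in range(1, 200))
    return hits, seen
```

Calling `demo()` returns `(100, {1})`: the unencoded scheme is distinguished every time, while every ciphertext of an encoded message carries the same residuosity.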
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp