On 12/9/18 1:44 AM, Jon Callas wrote:
>> On Dec 8, 2018, at 7:16 AM, Roger Ellenberger
>> <rogerandrea(_dot_)ellenberger(_at_)students(_dot_)bfh(_dot_)ch> wrote:
>> […]
>> Long story short: We would like to know what the considerations have
>> been to use ElGamal combined with a PKCS-EME encoding, since without the
>> encoding/padding it actually lacks CPA security. Unfortunately we did
>> not find any authoritative reference which gives a statement about
>> ElGamal security when $m$ is not in G_q but padded.
>> Thank you very much in advance for your help.
>
> What a wonderful idea. I really like it.

Much appreciated. We're thrilled you like it.

> The short answer to your question is that there aren’t any references. I
> concur with Watson that any issue is minimal, especially if you’re using
> Elgamal keys that are 3K to 4K.
> A longer answer is that OpenPGP is pretty much the first substantial protocol
> to use Elgamal keys. Back in the late ’90s, when patents were an issue, the
> then “PGP 3” system which became “PGP 5” and then that became standardized as
> OpenPGP, wanted an alternative to RSA. The RSA patent expired in the year
> 2000, but the discrete log patents expired in ’97. Thus, there was a real
> reason for wanting a discrete log option. They picked Elgamal because you
> can use it more or less as if it were RSA. As time went on, Elgamal
> signatures fell by the wayside over DSA, leaving Elgamal for encryption.

We already supposed that there might be historical reasons for that. So
that's exactly the sort of reply we hoped to get. That's awesome. Thanks
a lot Jon.

> Derek Atkins might remember more, because a lot of those original decisions
> were made by some combination of him, Colin Plumb, and Hal Finney.
> Jon

We are pleased to get as much information as possible if anyone
remembers more. However, Jon's answer is already a big leap forward.

Cheers
Tobias and Roger
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
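
An added illustration of the question raised in this thread, not code from any poster or from an OpenPGP implementation: it pads a constructed payload with EME-PKCS1-v1_5, encrypts it with ElGamal, and checks whether the padded $m$ lies in G_q and whether the ciphertext component c2 shows the same membership. Assumptions: the 768-bit Oakley Group 1 safe prime from RFC 2409 with g = 2 as a generator of G_q, and hypothetical helper names throughout.

```python
import secrets

# Assumption: Oakley Group 1 safe prime p = 2q + 1 from RFC 2409 (768 bits, far
# smaller than the 3K to 4K keys discussed); g = 2 generates the subgroup G_q.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
        "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
        "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
        "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
Q, G = (P - 1) // 2, 2

def in_G_q(x):
    """Subgroup membership test: x is in G_q iff x^q = 1 (mod p)."""
    return pow(x, Q, P) == 1

def eme_pkcs1_v1_5(msg, k):
    """Encode as 00 || 02 || PS (random nonzero bytes) || 00 || M, k bytes long."""
    if len(msg) > k - 11:
        raise ValueError("message too long")
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(k - 3 - len(msg)))
    return int.from_bytes(b"\x00\x02" + ps + b"\x00" + msg, "big")

def elgamal_encrypt(m, h):
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), m * pow(h, r, P) % P

def elgamal_decrypt(c1, c2, x):
    return c2 * pow(c1, P - 1 - x, P) % P  # c1^(p-1-x) = c1^(-x) mod p

def subgroup_leak(trials=64):
    """Return (#padded m outside G_q, #trials where c2 in G_q iff m in G_q)."""
    x = secrets.randbelow(Q - 1) + 1          # private key
    h = pow(G, x, P)                          # public key, an element of G_q
    k = (P.bit_length() + 7) // 8
    outside = agree = 0
    for _ in range(trials):
        m = eme_pkcs1_v1_5(b"constructed session key", k)
        c1, c2 = elgamal_encrypt(m, h)
        assert elgamal_decrypt(c1, c2, x) == m
        outside += not in_G_q(m)
        # h^r is in G_q, so multiplying by it never changes membership of m
        agree += in_G_q(c2) == in_G_q(m)
    return outside, agree

if __name__ == "__main__":
    print(subgroup_leak())
```

Because the padding string is random, the membership bit visible in c2 describes the padded integer as a whole, not the payload bytes alone.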