Paper 2021/923

On the (in)security of ElGamal in OpenPGP

Luca De Feo, Bertram Poettering, and Alessandro Sorniotti

Abstract

Roughly four decades ago, Taher ElGamal put forward what is today one of the most widely known and best understood public key encryption schemes. ElGamal encryption has been used in many different contexts, chiefly among them by the OpenPGP standard. Despite its simplicity, or perhaps because of it, in reality there is a large degree of ambiguity on several key aspects of the cipher. Each library in the OpenPGP ecosystem seems to have implemented a slightly different "flavour" of ElGamal encryption. While --taken in isolation-- each implementation may be secure, we reveal that in the interoperable world of OpenPGP, unforeseen cross-configuration attacks become possible. Concretely, we propose different such attacks and show their practical efficacy by recovering plaintexts and even secret keys.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Published elsewhere. Minor revision. CCS 2021
Keywords
OpenPGP, ElGamal encryption, cryptanalysis, DLP, side-channel attack
Contact author(s)
poe @ zurich ibm com
History
2021-07-09: received
Short URL
https://ia.cr/2021/923
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2021/923,
      author = {Luca De Feo and Bertram Poettering and Alessandro Sorniotti},
      title = {On the (in)security of {ElGamal} in {OpenPGP}},
      howpublished = {Cryptology {ePrint} Archive, Paper 2021/923},
      year = {2021},
      url = {https://eprint.iacr.org/2021/923}
}