Re: Weak keys for ElGamal
- From: "Anton Berg" <antonberg1@xxxxxx>
- Date: 28 Oct 2006 04:19:38 -0700
Hi,
Note that hardness of DLP is not sufficient to prove the security ofYes, for the semantic security of ElGamal I need the DDH assumption.
ElGamal: You need DDH for that.
I am thinking of the following scenario: Let's consider a signature
scheme. A party now uses her secret key to sign a message m. Later on
then she claims, that she didn't sign the message m and she can
convince the other parties from that fact because she chooses "by
chance" (or intentionally exactly to be able to refuse the signature
later on) a "weak key".
Anton
.
- Follow-Ups:
- Re: Weak keys for ElGamal
- From: David Wagner
- Re: Weak keys for ElGamal
- References:
- Weak keys for ElGamal
- From: Anton Berg
- Re: Weak keys for ElGamal
- From: Kristian Gjøsteen
- Re: Weak keys for ElGamal
- From: Kristian Gjøsteen
- Weak keys for ElGamal
- Prev by Date: Re: Weak keys for ElGamal
- Next by Date: Re: Ideas please
- Previous by thread: Re: Weak keys for ElGamal
- Next by thread: Re: Weak keys for ElGamal
- Index(es):
