Re: El Gamal and Message Blocking
Ertugrul Söylemez <es@xxxxxxxx> wrote:

> However, the usual and more realistic approach is to use ElGamal
> together with a symmetric cipher.

The usual approach is not to use ElGamal at all. It's unlikely to be
the droid you're looking for. See DLIES or ECIES.

Using ElGamal properly requires that (a) you work in a prime-order
group, and (b) you can encode your messages as elements of this group
(and decode them again). Otherwise the decisional DH assumption
required for security doesn't hold. DLIES and ECIES don't have these
subtleties; their security is based on what seems to be a weaker
assumption [1], and they provide stronger security properties (in
particular, they assure integrity of messages, which translates into
security against chosen-ciphertext attacks).

[1] If you're really worried that the `gap' or `strong' computational DH
assumption, which the DLIES and ECIES schemes are based on, is less
reliable than standard CDH then use Cash, Kiltz and Shoup's twin-DH
version (http://eprint.iacr.org/2008/067).

-- [mdw]
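To make points (a) and (b) above concrete, here is an added illustration (not code from the thread or any library) of ElGamal done the careful way: working in the prime-order subgroup of quadratic residues modulo a safe prime p = 2q + 1, encoding messages into that subgroup and decoding them again, and rejecting ciphertext elements that lie outside the subgroup. The modulus is a constructed toy value and is far too small for real use; DLIES/ECIES avoid all of this machinery.

```python
import secrets

def is_prime(n: int) -> bool:
    """Trial division; adequate only for the toy modulus used here."""
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

# Constructed toy parameters (far too small for real use): p = 2q + 1 is a safe
# prime, so the quadratic residues mod p form a subgroup of prime order q, and
# since p = 3 (mod 4), -1 is a non-residue, which the message encoding relies on.
P = 1019
Q = (P - 1) // 2
assert is_prime(P) and is_prime(Q) and P % 4 == 3
G = 4  # 2^2 is a residue; any non-identity element of a prime-order group generates it

def in_group(x: int) -> bool:
    """Membership test for the order-q subgroup: x^q == 1 (mod p)."""
    return 0 < x < P and pow(x, Q, P) == 1

def encode(m: int) -> int:
    """Map m in [1, q] to a quadratic residue: exactly one of m and p - m is one."""
    assert 1 <= m <= Q
    return m if in_group(m) else P - m

def decode(e: int) -> int:
    """Inverse of encode: residues <= q are m itself, larger ones are p - m."""
    return e if e <= Q else P - e

def keygen():
    x = secrets.randbelow(Q - 1) + 1          # private exponent in [1, q-1]
    return x, pow(G, x, P)

def encrypt(h: int, m: int):
    k = secrets.randbelow(Q - 1) + 1          # fresh ephemeral exponent per message
    return pow(G, k, P), encode(m) * pow(h, k, P) % P

def decrypt(x: int, ct) -> int:
    c1, c2 = ct
    if not (in_group(c1) and in_group(c2)):   # refuse anything outside the prime-order group
        raise ValueError("ciphertext element not in the prime-order subgroup")
    return decode(c2 * pow(pow(c1, x, P), -1, P) % P)

def roundtrip(m: int) -> int:
    """Generate a key pair, encrypt m under it and decrypt again."""
    x, h = keygen()
    return decrypt(x, encrypt(h, m))
```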