6

We all know that textbook ElGamal falls to chosen-ciphertext attacks because of its multiplicative homomorphic property ($E(A)*E(B)=E(AB)$).

However, these attacks require the ciphertext ($E(A)$ or $E(B)$) to be given, meaning, as per this answer, that ElGamal isn't IND-CCA2 but IND-CCA1, as access to a decryption oracle before the ciphertext is known doesn't help anything.

Hence my question:
Is the ElGamal encryption scheme IND-CCA1 or "only" IND-CPA?

"Bonus" question:
If the ElGamal encryption scheme isn't IND-CCA1, what would the CCA1 attack look like?

SEJPM
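The distinction the question draws, as an added example that is not part of the original post: toy textbook ElGamal in which the homomorphism $E(A)*E(B)=E(AB)$ lets a post-challenge oracle query reveal the challenge plaintext (the CCA2 game), while the same query is refused once the oracle closes at challenge time (the CCA1 game). The group parameters, the `Oracle` class and all function names are assumptions constructed for illustration.

```python
import secrets

# Constructed toy parameters (far too small for real use): P = 2Q + 1, G has order Q.
P, Q, G = 2039, 1019, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def encrypt(y, m):
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), (pow(y, r, P) * m) % P

def decrypt(x, ct):
    c1, c2 = ct
    return (c2 * pow(c1, P - 1 - x, P)) % P  # c2 / c1^x

def multiply(ct_a, ct_b):
    """Component-wise product of two ciphertexts: E(A) * E(B) = E(AB)."""
    return (ct_a[0] * ct_b[0]) % P, (ct_a[1] * ct_b[1]) % P

class Oracle:
    """Hypothetical decryption oracle; after_challenge=True models CCA2, False models CCA1."""
    def __init__(self, x, after_challenge):
        self.x, self.after_challenge, self.challenge = x, after_challenge, None

    def set_challenge(self, ct):
        self.challenge = ct

    def query(self, ct):
        if self.challenge is not None:
            if not self.after_challenge:
                raise PermissionError("CCA1: oracle is closed once the challenge is issued")
            if ct == self.challenge:
                raise PermissionError("CCA2: the challenge itself may not be queried")
        return decrypt(self.x, ct)

def cca2_game(m0, m1):
    """Play one IND-CCA2 round; returns (hidden bit, distinguisher's guess)."""
    x, y = keygen()
    b = secrets.randbelow(2)
    challenge = encrypt(y, (m0, m1)[b])
    oracle = Oracle(x, after_challenge=True)
    oracle.set_challenge(challenge)
    blinded = multiply(challenge, encrypt(y, 4))  # E(m_b) * E(4) = E(4 * m_b)
    recovered = oracle.query(blinded) * pow(4, -1, P) % P
    return b, (0 if recovered == m0 else 1)
```

The guess always equals the hidden bit in `cca2_game`; with `after_challenge=False` the blinded query raises, which is why this particular malleability argument says nothing about CCA1.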

1 Answer

9

The CCA1 security of ElGamal is a big open question. There are no attacks known, but standard reductions don't seem to work.

In 1991, Damgård proposed an ElGamal variant and proved it to be CCA1-secure (albeit under a very problematic non-falsifiable assumption, called the "knowledge of exponent assumption"); see the paper here: http://link.springer.com/chapter/10.1007%2F3-540-46766-1_36.

More recently, Lipmaa here showed that ElGamal can be proven to be CCA1-secure under a non-standard (but falsifiable) assumption. The assumption is that DDH is hard even given access to a static CDH oracle (that computes the Diffie-Hellman function for a fixed "secret" exponent). [Caveat: I haven't read the paper so I can't vouch for correctness...]

Yehuda Lindell
  • In the paper http://link.springer.com/chapter/10.1007%2F3-540-46766-1_36, it says $E(m) = (g^{r}, y^{r} \oplus m)$. But I remember that the encryption algorithm is $E(m) = (g^{r}, y^{r} \cdot m)$? Which one is correct? – Blanco Jan 22 '19 at 13:31