With the ElGamal variant defined below, which we have covered in lecture, I still do not understand how a CCA could work against it. Is the homomorphic nature of the encryption something you could use?

$c=\langle g^r, \mathcal{H}(y^r)\oplus m \rangle$

What could be a CCA against this type?

Patriot
  • Xor some string to the second component. Does it invalidate the ciphertext? Constructing a CCA2 adversary from that should be easy. – DrLecter Dec 04 '16 at 17:37
  • This basically falls against the same attacks as unauthenticated stream ciphers do. – SEJPM Dec 04 '16 at 20:01

1 Answer

I refer you to a nice explanation of the basic attack on the "native" ElGamal scheme: How does chosen ciphertext attack on Elgamal work?

The difference between the native scheme and the hashed scheme you outlined above is that the hashed ElGamal version allows encrypting an m-bit string message for any m, since you use XOR, as long as the hashing function you use can output m bits. In the native ElGamal scheme, you have to map m into a group element, which may or may not be OK depending on which group you use. See Boneh's paper: section 4.1. For example, it is not straightforward when using Ed25519 with the special encoding, but solutions exist, such as the Elligator mappings.

Nikkolasg
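The XOR-mauling idea from the comments, run as an IND-CCA2 game over the scheme in the question, as an added example that is not part of the original posts. The toy group parameters, the message strings and the `tagged` variant (a DHIES-style MAC over the ciphertext, not discussed on the page) are assumptions made for illustration.

```python
import hashlib, hmac, secrets

P, G = 2**127 - 1, 3   # toy group (assumption): 2^127 - 1 is prime; not a vetted choice

def H(elem, n, label=b"enc"):
    # Hash a group element to n bytes (n <= 32); the label separates the two uses.
    return hashlib.sha256(label + elem.to_bytes(16, "big")).digest()[:n]

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def mac(s, u, v):
    # Assumed hardening: HMAC over both ciphertext components, keyed from y^r.
    return hmac.new(H(s, 32, b"mac"), u.to_bytes(16, "big") + v, "sha256").digest()

def keygen():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def encrypt(y, m, tagged=False):
    r = secrets.randbelow(P - 2) + 1
    s = pow(y, r, P)
    u, v = pow(G, r, P), xor(H(s, len(m)), m)      # c = <g^r, H(y^r) xor m>
    return u, v, (mac(s, u, v) if tagged else b"")

def decrypt(x, c, tagged=False):
    u, v, tag = c
    s = pow(u, x, P)
    if tagged and not hmac.compare_digest(tag, mac(s, u, v)):
        return None                                # reject a modified ciphertext
    return xor(H(s, len(v)), v)

def cca2_game(tagged):
    # One IND-CCA2 run against the XOR-mauling adversary; True if it guesses b.
    x, y = keygen()
    m0, m1 = b"attack at dawn!!", b"retreat at noon!"   # constructed messages
    b = secrets.randbelow(2)
    u, v, tag = challenge = encrypt(y, (m0, m1)[b], tagged)
    delta = b"\x01" * len(v)
    mauled = (u, xor(v, delta), tag)      # not the challenge, so the oracle answers
    answer = decrypt(x, mauled, tagged)   # the single decryption-oracle query
    if answer is None:                    # oracle refused: only a blind guess is left
        return secrets.randbelow(2) == b
    return (0 if xor(answer, delta) == m0 else 1) == b
```

Against the untagged scheme the adversary wins every run, because the oracle returns m XOR delta; with the tag, the mauled ciphertext is rejected and the guess is no better than a coin flip.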