
My textbook states that the DDH assumption is not satisfied when we use the group $\mathbb{Z}/p \mathbb{Z}$ and demonstrates an attack using Euler's criterion. After that, it states that one should use the group of quadratic residues ($\operatorname{QR}$) over $\mathbb{Z}/p \mathbb{Z}$, where $p=2q+1$ is a safe prime.

I had a look at the El Gamal encryption scheme (which uses the DDH assumption) and saw that the message we want to encrypt has to lie in the group that we choose. If this group is $\mathbb{Z}/p \mathbb{Z} = \{1,2,3,\ldots ,p-1\}$, we can encrypt every message that is not greater than $p-1$. However, if we use the group of $\operatorname{QR}$s over $\mathbb{Z}/p \mathbb{Z}$, I think that some messages (namely $(p-1)/2$ of them) cannot be encrypted.

If this is true, how would one solve this in practice?


1 Answer


If this is true, how would one solve this in practice?

Actually, in practice, what we generally do is not use El Gamal at all, but instead use the Integrated Encryption Scheme (IES), which solves the same problem based on the same hard problem, but where one doesn't need to worry about quadratic residues (or the homomorphic properties, or the need to compute inverses, which is doable but annoying).

Now, if we have to use El Gamal (e.g. because we need to take advantage of the homomorphic properties), well, one way to avoid the QR problem is to simply square the plaintext before encryption (and hence the plaintext that we encrypt is always a QR). Then, on decryption, we would compute the square root (and take the smaller of the two possible values). This implies that the plaintext is limited to the range $(0, (p-1)/2)$, but any value in that range can be encrypted.

  • Thanks, that makes sense. I also thought about squaring the messages, but I only considered squaring messages that are not QRs (which got confusing). – David Lehnherr Jan 18 '20 at 05:36
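The squaring trick from the answer above, worked through as an added example (not code from the question, the answer, or any library): ElGamal over the order-$q$ subgroup of quadratic residues of a safe prime $p = 2q+1$, encrypting $m^2$ and recovering $m$ as the smaller square root. The prime $p = 2039$ is a constructed toy value; `is_qr` also shows why only $(p-1)/2$ raw messages would be encryptable without the trick.

```python
# Added example: ElGamal over the QR subgroup of a safe prime, with plaintext squaring.
# P = 2039 = 2*1019 + 1 is a constructed toy safe prime (far too small for real use).
import secrets

P = 2 * 1019 + 1
Q = (P - 1) // 2          # order of the quadratic-residue subgroup (prime)

def is_qr(x: int) -> bool:
    """Euler's criterion: x is a quadratic residue mod P iff x^((P-1)/2) == 1."""
    return pow(x, Q, P) == 1

def qr_generator() -> int:
    """The QR subgroup has prime order q, so any QR other than 1 generates it; 4 = 2^2 will do."""
    return pow(2, 2, P)

def keygen():
    """Return ((g, h), x) with h = g^x; x is a private exponent in [1, q-1]."""
    g = qr_generator()
    x = secrets.randbelow(Q - 1) + 1
    return (g, pow(g, x, P)), x

def encrypt(pub, m: int):
    """Encrypt m in [1, (p-1)/2]: lift it to m^2 mod p, which is always a QR."""
    g, h = pub
    if not 1 <= m <= Q:
        raise ValueError("plaintext must lie in [1, (p-1)/2]")
    mm = pow(m, 2, P)
    k = secrets.randbelow(Q - 1) + 1          # fresh ephemeral exponent
    return pow(g, k, P), (mm * pow(h, k, P)) % P

def decrypt(priv: int, ct) -> int:
    """Recover m^2 as c2 / c1^x, then take the smaller of its two square roots."""
    c1, c2 = ct
    mm = (c2 * pow(c1, P - 1 - priv, P)) % P   # c1^(p-1) = 1, so c1^(p-1-x) = c1^(-x)
    # A safe prime with odd q satisfies p = 3 (mod 4), so mm^((p+1)/4) is a square root of mm.
    r = pow(mm, (P + 1) // 4, P)
    # The two roots are r and p - r; exactly one of them lies in [1, (p-1)/2], and that is m.
    return min(r, P - r)
```

Because $p - m > (p-1)/2 \ge m$ for every valid $m$, `min(r, P - r)` always returns the original plaintext, and the range restriction $(0, (p-1)/2)$ stated in the answer is exactly what makes the root choice unambiguous.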