I can't find relevant literature discussing three attack models of the ECC-ElGamal algorithm (CPA, CCA1, CCA2)
ECC-ElGamal algorithm: ElGamal with elliptic curves
I only know that ElGamal belongs to CPA, but I can't determine which one (CPA, CCA1 or CCA2) belongs to in the case of ElGamal on ECC.
It would be better if there is a source of relevant literature!!! Thank you very much!!
In Tsiounis and Yung's proof of the IND-CPA semantic security of El Gamal, the only assumption made is that the decisional Diffie-Hellman problem is hard. The proof transfers easily to any group where the decisional Diffie-Hellman problem is hard, including we believe (non-pairing-friendly) elliptic curve groups.
Similarly all El Gamal instantiations are trivially CCA2 attackable (given a ciphertext $(rG,rA+M)$, request a decryption of (for example) $(2rG,2(rA+M))$ to recover $2M$ and hence $M$.
As far as I know the semantic security of any instance of IND-CPA secure El Gamal under CCA1 is an open problem.
On the pairing-friendly elliptic curve point, note that for such curves there is a means of checking whether a given El Gamal encryption is an encryption of a hypothetical message e.g. to check that $(P,Q)=(rG,rA+M)$ compute the pairing of $P$ and $A$ with the pairing of $G$ and $Q-M$. If the equality of the pairing holds, then so does the equality of the encryptions. This is because the decisional Diffie-Hellman problem is soluble in these groups.
