[openpgp] De Feo, Poettering, Sorniotti: On the (in)security of ElGamal in OpenPGP
Marcus Brinkmann <marcus.brinkmann@rub.de> Mon, 12 July 2021 12:07 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/8QNiMVCBb7k_vo82fv6rZXPmVbk>

Hi,

there is a new preprint on cross-configuration attacks due to different choices of Elgamal Key and Encryption parameters in OpenPGP and its implementations:

Luca De Feo and Bertram Poettering and Alessandro Sorniotti, On the (in)security of ElGamal in OpenPGP (2021)
https://eprint.iacr.org/2021/923.pdf

Abstract:

Roughly four decades ago, Taher ElGamal put forward what is today one of the most widely known and best understood public key encryption schemes. ElGamal encryption has been used in many different contexts, chiefly among them by the OpenPGP standard. Despite its simplicity, or perhaps because of it, in reality there is a large degree of ambiguity on several key aspects of the cipher. Each library in the OpenPGP ecosystem seems to have implemented a slightly different “flavour” of ElGamal encryption. While –taken in isolation– each implementation may be secure, we reveal that in the interoperable world of OpenPGP, unforeseen cross-configuration attacks become possible. Concretely, we propose different such attacks and show their practical efficacy by recovering plaintexts and even secret keys.

The authors say in the introduction:

"Our research is timely since a new version of the OpenPGP standard is currently being discussed [18]; we hope that our findings will influence that discussion."

--
Dipl.-Math. Marcus Brinkmann
Lehrstuhl für Netz- und Datensicherheit
Ruhr Universität Bochum
Universitätsstr. 150, Geb. ID 2/461
D-44780 Bochum
Telefon: +49 (0) 234 / 32-25030
http://www.nds.rub.de/chair/people/mbrinkmann