[openpgp] De Feo, Poettering, Sorniotti: On the (in)security of ElGamal in OpenPGP

Marcus Brinkmann <marcus.brinkmann@rub.de> Mon, 12 July 2021 12:07 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/8QNiMVCBb7k_vo82fv6rZXPmVbk>


there is a new preprint on cross-configuration attacks due to different
choices of Elgamal Key and Encryption parameters in OpenPGP and its

Luca De Feo and Bertram Poettering and Alessandro Sorniotti, On the
(in)security of ElGamal in OpenPGP (2021)



Roughly four decades ago, Taher ElGamal put forward what is today one of
the most widely known and best understood public key encryption schemes.
ElGamal encryption has been used in many different contexts, chiefly
among them by the OpenPGP standard. Despite its simplicity, or perhaps
because of it, in reality there is a large degree of ambiguity on
several key aspects of the cipher. Each library in the OpenPGP ecosystem
seems to have implemented a slightly different “flavour” of ElGamal
encryption. While –taken in isolation– each implementation may be
secure, we reveal that in the interoperable world of OpenPGP, unforeseen
cross-configuration attacks become possible. Concretely, we propose
different such attacks and show their practical efficacy by recovering
plaintexts and even secret keys.

The authors say in the introduction: "Our research is timely since a new
version of the OpenPGP standard is currently being discussed [18]; we
hope that our findings will influence that discussion."

Dipl.-Math. Marcus Brinkmann

Lehrstuhl für Netz- und Datensicherheit
Ruhr Universität Bochum
Universitätsstr. 150, Geb. ID 2/461
D-44780 Bochum

Telefon: +49 (0) 234 / 32-25030