[SUGGESTION NEEDED] A request for suggestion on furthering the discussion over ElGamal

Weikeng Chen w.k at berkeley.edu
Wed Oct 18 07:06:11 CEST 2017


Thanks, Niibe.

I will try to adjust my language -- I think that is totally normal. Don't worry!

I think I got your points:
(1) ElGamal is included in GnuPG and OpenPGP; one reason is the patent
on RSA. (Sorry! I didn't know this part of the history.)
(2) At that time, OpenPGP selected the original version of
ElGamal. RFC 4880 and the obsoleted RFC 2440 both mention
ElGamal, and both follow this practice.

This means that the ElGamal in libgcrypt, which has a responsibility
to meet the standard, cannot have unstable changes (however, my
proposal is not compatible with, and not aligned with, the standard).

I want to note again: if used in the way you mention, it is
secure :) but it also may not be good for some applications.

What would be the next step you suggest? Implementing an independent
elgamal-schnorr.c? Because in my proposed variant, $g$ is no longer a
generator of $Z_p^*$, this is not consistent with the OpenPGP
document's ElGamal configuration.

Weikeng




On Tue, Oct 17, 2017 at 9:35 PM, NIIBE Yutaka <gniibe at fsij.org> wrote:
> Hello,
>
> This message is to gcrypt-devel, Cc-ed to Weikeng Chen and Werner Koch.
>
> Weikeng Chen <w.k at berkeley.edu> wrote:
>> Actually, my teacher Alessandro (an assistant professor of
>> cryptography and theory) and I (a Ph.D. student on applied
>> cryptography) have a brief discussion after the class.
>
> I think that... possibly, you and your teacher are so young; well, it
> means that I am too old.  If you find it difficult to communicate with
> one of the maintainers of a crypto implementation with a long history, I think
> that's normal.  Don't worry.
>
>
> Well, I tried to answer your questions, but it seemed it didn't work, and
> it won't work, perhaps.  From this world, what I see is: you keep using
> your language and keep insisting on your points.  That's good of youth.
>
>
> As a Zen Buddhist, I would say:
>
>     When you ask, ask yourself how and where your questions come
>     (recursively).
>
> ElGamal is here in GnuPG, due to the patent of RSA, in the last century.
> GnuPG Project started in Europe.  I remember Debian had non-US part [0].
>
>
> Admitting some sort of dis-communication, or different terms and
> languages, I should write my own explanation.  Here we go.
>
> I wrote:
>> Actually, I think that "ElGamal crypto system" can refer different
>> crypto systems.
>
> In the original paper of Taher Elgamal, "THE PUBLIC KEY SYSTEM" is
> explained as a crypto system in the Multiplicative Group of Integers modulo p,
> $Z_p^*$, where p is a large prime.
>
> In the OpenPGP standard [1], we have ElGamal encryption.  In this
> context, "ElGamal Crypto system" specifically refers to the ElGamal
> Crypto system in the Multiplicative Group of Integers modulo p, $Z_p^*$.
> (For your reference, the input message to the ElGamal encryption is a
> session key for a symmetric cipher, and it is encoded with PKCS#1 v1.5.)
>
> In the OpenPGP standard, it refers to the Handbook of Applied Cryptography
> by Alfred Menezes, Paul van Oorschot, and Scott Vanstone [2].  In that
> book, which is probably too old for you, we can find subsubsection 8.4.1,
> "Basic ElGamal encryption", and it describes encryption and decryption
> (in the Multiplicative Group of Integers modulo p, $Z_p^*$).
>
> The routines for ElGamal in libgcrypt specifically implement the one
> in the Multiplicative Group of Integers modulo p, $Z_p^*$.
>
> GnuPG implements OpenPGP using libgcrypt.  There you can find a concrete
> example of how the routines of libgcrypt are used to implement the crypto
> protocol of OpenPGP.
>
>
>                         *       *       *
>
> Having written that...
>
> I don't know if it's worth it or not, but it makes sense to modify/enhance
> libgcrypt so that it can support the ElGamal crypto system on a Schnorr group.
> When that is done, it can be used for other crypto protocol(s).
>
>
> If someone misunderstands the current version of libgcrypt's ElGamal
> as being on a Schnorr group, I'm afraid it would be due to some historical
> revisionism or something.
>
>
> [0] https://wiki.debian.org/non-US
> [1] https://tools.ietf.org/html/rfc4880
> [2] http://cacr.uwaterloo.ca/hac/
> --



-- 

Weikeng Chen @ 795 Soda Hall
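The two schemes the thread contrasts, side by side, as an added example that is not part of the original e-mails and not libgcrypt's code: textbook ElGamal over $Z_p^*$ with $g$ a generator of the whole group (HAC 8.4.1, the variant OpenPGP and libgcrypt implement), and ElGamal over the order-$q$ Schnorr subgroup of $Z_p^*$ with $p = 2q + 1$. The safe prime, the generator search and the message encoding into the subgroup are all assumptions chosen for a toy parameter size. The example also shows the standard reason one wants the subgroup variant: with $g$ generating $Z_p^*$, the Legendre symbol of the plaintext can be read off the ciphertext and public key, while in the subgroup every ciphertext component is a quadratic residue.

```python
import random

# Added example (not libgcrypt's code): ElGamal over Z_p^* (HAC 8.4.1)
# beside ElGamal over the order-q Schnorr subgroup of Z_p^*, p = 2q + 1.
# Parameters are tiny and constructed purely for illustration.


def is_prime(n):
    """Trial division; adequate for the toy parameters used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def find_safe_prime(start):
    """Smallest safe prime p = 2q + 1 with prime q >= start (assumed toy size)."""
    q = start
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 1
    return 2 * q + 1, q


def legendre(a, p):
    """Legendre symbol (a/p) for p not dividing a: +1 if a is a quadratic residue, else -1."""
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def generator_of_zp_star(p, q):
    """Element orders divide 2q, so anything of order neither 2 nor q generates Z_p^*."""
    for g in range(2, p):
        if pow(g, 2, p) != 1 and pow(g, q, p) != 1:
            return g
    raise ValueError("no generator found")


# Same three formulas serve both groups; only g and the exponent range differ.
def keygen(p, g, order, rng):
    x = rng.randrange(1, order)
    return x, pow(g, x, p)


def encrypt(p, g, h, m, order, rng):
    y = rng.randrange(1, order)
    return pow(g, y, p), (m * pow(h, y, p)) % p


def decrypt(p, x, c1, c2):
    s = pow(c1, x, p)
    return (c2 * pow(s, p - 2, p)) % p  # s^(p-2) = s^-1 mod p since p is prime


def legendre_of_plaintext_from_ciphertext(p, h, c1, c2):
    """Z_p^* variant only: (g/p) = -1, so (h^y/p) = (-1)^(xy); the parity of x is
    visible in (h/p) and the parity of y in (c1/p), hence (m/p) = (c2/p)/(h^y/p)."""
    shared_is_nonresidue = legendre(h, p) == -1 and legendre(c1, p) == -1
    return legendre(c2, p) * (-1 if shared_is_nonresidue else 1)


def encode_to_subgroup(m, p, q):
    """Map m in [1, q] bijectively into the quadratic residues; valid because p = 2q+1
    with q odd gives p = 3 mod 4, so exactly one of m and p-m is a residue."""
    assert 1 <= m <= q
    return m if legendre(m, p) == 1 else p - m


def decode_from_subgroup(e, p, q):
    return e if e <= q else p - e


def demo(seed=1):
    """Run both schemes over a sample of messages and collect the checks."""
    rng = random.Random(seed)
    p, q = find_safe_prime(1000)
    g = generator_of_zp_star(p, q)
    g_q = pow(g, 2, p)  # generates the order-q subgroup (the quadratic residues)
    x, h = keygen(p, g, p - 1, rng)      # HAC 8.4.1: x in [1, p-2]
    xq, hq = keygen(p, g_q, q, rng)      # Schnorr group: x in [1, q-1]
    roundtrips, zp_leaks, schnorr_residues = True, [], []
    for m in range(1, q + 1, q // 50):
        c1, c2 = encrypt(p, g, h, m, p - 1, rng)
        roundtrips = roundtrips and decrypt(p, x, c1, c2) == m
        zp_leaks.append(legendre_of_plaintext_from_ciphertext(p, h, c1, c2) == legendre(m, p))
        e = encode_to_subgroup(m, p, q)
        d1, d2 = encrypt(p, g_q, hq, e, q, rng)
        roundtrips = roundtrips and decode_from_subgroup(decrypt(p, xq, d1, d2), p, q) == m
        schnorr_residues.append(legendre(d2, p))
    return {"p": p, "q": q, "roundtrips": roundtrips,
            "zp_leaks": zp_leaks, "schnorr_residues": schnorr_residues}


if __name__ == "__main__":
    r = demo()
    print("p =", r["p"], "q =", r["q"], "roundtrips ok:", r["roundtrips"])
    print("Z_p^* ciphertexts leaking (m/p):", sum(r["zp_leaks"]), "of", len(r["zp_leaks"]))
    print("Schnorr-group c2 values that are residues:", r["schnorr_residues"].count(1))
```

The point of the encoding step is the one Weikeng raises above: in the subgroup variant the plaintext must itself be a subgroup element, which is why that variant is not a drop-in for OpenPGP's PKCS#1 v1.5-encoded session keys and why the thread treats it as a separate routine rather than a change to libgcrypt's existing `elgamal.c`.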


