[SUGGESTION NEEDED] A request for suggestion on furthering the discussion over ElGamal

NIIBE Yutaka gniibe at fsij.org
Thu Oct 19 03:35:12 CEST 2017

Weikeng Chen <w.k at berkeley.edu> wrote:
> I want to note again that: If used in the way you mention, then it is
> secure :) but also may not be good for some applications.

In my opinion, if "ElGamal" can be understood as "the ElGamal crypto
system in the Multiplicative Group of Integers modulo p $Z_p^*$", as we do,
an application writer should know its limitations.

Well, from your posts, I learned of a sort of "revisionism" in the
entry for "ElGamal encryption" in the English version of Wikipedia (BTW,
the Japanese version is worse.  It simply denies the use of $Z_p^*$).
There, it is stretched to... a more general version, i.e., the one on a
cyclic group.  While this sort of generalization and revision by
generalization are useful for academia, I am concerned about some
misunderstanding between school and some fields of industry.

> What would be the next step you suggest? Implementing an independent
> elgamal-schnorr.c? Because in my proposed variant, $g$ is no longer a
> generator for $Z_p^*$, this is not consistent with the OpenPGP
> document for ElGamal configuration.

From the OpenPGP perspective, there is no need for change.

As a programming exercise, I think that you can write
elgamal-schnorr.c based on libgcrypt/cipher/elgamal.c, only changing key
generation.  Well, another change is needed for elg_names, too.

It would be good to have elgamal-schnorr.c in libgcrypt, but I don't
know if it's worth it or not.  Which application would use that?

Is that ElGamal so important, now, for what?  I wonder.

What's your purpose?  Do you intend to implement some crypto protocol
on top of that? Some tool with homomorphic encryption?

If we design a new tool for homomorphic encryption, it seems to me that
there are other cryptosystems which are better than ElGamal.

If we design a new crypto protocol on ElGamal, for some reason, it seems
to me that we have a better choice of cyclic group than the Schnorr
group.  Say, an elliptic curve?

More information about the Gcrypt-devel mailing list