Note about ElGamal Encryption

Since taking CS276 (Cryptography), I have been interested in reminding people that textbook ElGamal encryption is not secure unless it is used only for hybrid encryption. This has been known since as early as 1998, from Dan Boneh's paper on the DDH assumption.

In joint work with Erik-Oliver Blass, we provided a PoC and requested CVE entries to encourage the developers of some cryptographic libraries (with insecure implementations) to warn their users. The CVE entries are CVE-2018-6829 and CVE-2018-6594.

ElGamal is rarely used for anything other than hybrid encryption. However, ElGamal has its advantages: multiplicative homomorphism with semantic security, support for key splitting, and the ability to rerandomize ciphertexts. These properties, as Erik said, are useful for mixers, voting, and shuffling.
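To make both points concrete (the loss of semantic security in the full group Z_p^*, and the homomorphic and rerandomization properties that survive in the proper subgroup), here is an added toy example; it is not the PoC from the CVE reports nor any library's code, and it assumes a constructed safe prime p = 23 with generators 5 (full group) and 4 (quadratic-residue subgroup).

```python
# Added example with a constructed toy prime; not the author's or any library's code.
import random

P = 23             # constructed toy safe prime, p = 2q + 1; far too small for real use
Q = (P - 1) // 2   # 11, the order of the quadratic-residue (QR) subgroup
G_FULL = 5         # primitive root of Z_23^* (order 22): what textbook ElGamal uses
G_QR = 4           # 2^2, generates the QR subgroup of prime order 11

def legendre(x):
    """Euler's criterion: 1 if x is a square mod P, P-1 (i.e. -1) otherwise."""
    return pow(x, (P - 1) // 2, P)

def keygen(g, order, rng):
    x = rng.randrange(1, order)
    return x, pow(g, x, P)

def encrypt(g, order, pk, m, rng):
    r = rng.randrange(1, order)
    return pow(g, r, P), (m * pow(pk, r, P)) % P

def decrypt(sk, ct):
    c1, c2 = ct
    return (c2 * pow(c1, P - 1 - sk, P)) % P   # c1^(p-1-sk) == c1^(-sk)

def leaked_legendre(pk, ct):
    """Public data only: L(c2) = L(m) * L(pk)^r, and L(pk)^r is 1 when pk is a
    square, otherwise (-1)^r = L(c1). So the Legendre symbol of m is exposed."""
    c1, c2 = ct
    return (legendre(c2) * (1 if legendre(pk) == 1 else legendre(c1))) % P

def distinguisher_success_rate(trials=200, seed=1):
    """IND-CPA game in the full group, m0 = 2 (square), m1 = 5 (non-square)."""
    rng = random.Random(seed)
    _, pk = keygen(G_FULL, P - 1, rng)
    correct = 0
    for _ in range(trials):
        b = rng.randrange(2)
        ct = encrypt(G_FULL, P - 1, pk, (2, 5)[b], rng)
        correct += (0 if leaked_legendre(pk, ct) == 1 else 1) == b
    return correct / trials   # 1.0: the observer guesses b every time

def rerandomize(g, order, pk, ct, rng):
    """Multiply in a fresh encryption of 1: same plaintext, unlinkable ciphertext."""
    s = rng.randrange(1, order)
    return (ct[0] * pow(g, s, P)) % P, (ct[1] * pow(pk, s, P)) % P

def homomorphic_mul(ct_a, ct_b):
    """Enc(a) * Enc(b) = Enc(a * b), component-wise."""
    return (ct_a[0] * ct_b[0]) % P, (ct_a[1] * ct_b[1]) % P

def qr_subgroup_demo(seed=7):
    """The fix: generator, keys and messages in the prime-order QR subgroup."""
    rng = random.Random(seed)
    sk, pk = keygen(G_QR, Q, rng)
    ct_a = encrypt(G_QR, Q, pk, 3, rng)   # 3 = 7^2 mod 23 is a square
    ct_b = encrypt(G_QR, Q, pk, 4, rng)
    return (decrypt(sk, ct_a), decrypt(sk, rerandomize(G_QR, Q, pk, ct_a, rng)),
            decrypt(sk, homomorphic_mul(ct_a, ct_b)))   # (3, 3, 12)
```

In the subgroup version every valid message is a square, so the Legendre symbol carries no information, while rerandomization and homomorphic multiplication still decrypt correctly.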

I believe that it is necessary to do the correct things.