EN FR
Homepage Inria website


Section: New Results

Security analysis of ElGamal implementations

Throughout the last century, especially with the beginning of public key cryptography due to Diffie-Hellman, many cryptographic schemes have been proposed. Their security depends on mathematically complex problems such as integer factorization and discrete logarithm. In fact, it is thought that a cryptographic scheme is secure if it resists cryptographic attacks over a long period of time. On one hand, since certain schemes may take several years before being widely studied in depth, they become vulnerable as time passes. On the other hand, a cryptographic scheme is a provable one, if it resists cryptographic attacks relying on mathematical hypothesis.

Being easily adaptable to many kinds of cryptographic groups, the ElGamal encryption scheme enjoys homomorphic properties while remaining semantically secure , provided that the Decisional Diffie-Hellman (DDH) assumption holds on the chosen group. While the homomorphic property forbids resistance against chosen ciphertext attacks, it is very convenient for voting systems. The ElGamal encryption scheme is the most extensively used alternative to RSA, and it is the homomorphic encryption scheme almost exclusively used for voting systems. Moreover, ElGamal is the only homomorphic encryption scheme implemented by default in many hardware security modules.

In order to be provable secure, ElGamal encryption needs to be implemented on top of a group verifying the Decisional Diffie-Hellman (DDH) assumption. Since this assumption does not hold for all groups, one may have to wrap an encoding and a decoding phase to ElGamal to be able to have a generic encryption scheme.

We have submitted a paper that studies ElGamal encryption scheme libraries in order to identify which implementations respect the DDH assumption. The paper presents an analysis of 25 libraries that implement ElGamal encryption scheme in the wild. We focus our analysis on understanding whether the DDH assumption is respected in these implementations, ensuring a secure scheme in which no information about the original message could be leaked. The DDH assumption is crucial for the security of ElGamal because it ensures indistinguishability under chosen-plaintext attacks (IND-CPA). Without the DDH assumption, encryption mechanisms may leak one bit of information about the plaintext and endager the security of the electoral system as one bit has the ability to completely invalidate privacy in an election. One way to comply with the DDH assumption is by using groups of prime order. In particular, when adopting safe primes, one can ensure the existence of a large prime order subgroup and restrict messages to belong to this subgroup. Mapping plaintexts into subgroups is called message encoding. Such encoding necessitates to be efficient and precisely invertible to allow decoding after the decryption.

Our results show that out of 25 analyzed libraries, 20 are wrongly implemented because they do not respect the conditions to achieve IND-CPA security under the DDH assumption. This means that encryptions using ElGamal from any of these 20 libraries leak one bit of information.

From the 5 libraries which respect the DDH assumption, we also study and compare various encoding and decoding techniques. We identify four different message encoding and decoding techniques and discuss the different designs and conclude which implementation is more efficient for voting systems.