It is known that there exists a reduction from the CCA1-security of Damgård's Elgamal (DEG) cryptosystem to what we call the ddh^dsdh assumption. We show that ddh^dsdh is unnecessary for DEG-CCA1, while DDH is insufficient for DEG-CCA1. We also show that CCA1-security of the Elgamal cryptosystem is equivalent to another assumption ddh^dsdh, while we show that ddh^dsdh is insufficient for Elgamal's CCA1-security. Finally, we prove a generic-group model lower bound Ω(2√q) for the hardest considered assumption ddh^dsdh, where q is the largest prime factor of the group order. © 2011 Springer-Verlag.
CITATION STYLE
Lipmaa, H. (2011). On the CCA1-security of Elgamal and Damgård’s Elgamal. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 6584 LNCS, pp. 18–35). https://doi.org/10.1007/978-3-642-21518-6_2