FYI...

---------- Forwarded message ----------
From: Weikeng Chen <w...@berkeley.edu>
Date: Tue, May 22, 2018 at 3:55 AM
Subject: Report a (not severe) security bug of CryptoPP in ElGamal
To: noloa...@gmail.com
Hi Jeffrey,

Sorry. This is the only way we can find a maintainer of CryptoPP in private, which constitutes a responsible disclosure.

CryptoPP uses padding to secure ElGamal. But the padding is not sufficient. In more detail, CryptoPP uses a prime-order group with a QR generator for ElGamal. That is great! (QR means quadratic residue, QNR means quadratic non-residue.)

But when CryptoPP encodes a message, the message may be encoded into a QR or into a QNR, depending on the message and the random pad added to the message. It is possible that, given a message m, it has a 48% probability of becoming a QR and 52% of becoming a QNR. Or, it is also possible that another message m' has a 52% probability of becoming a QR and 48% of becoming a QNR. There is a *difference* between different messages, which may lead to an attack that guesses the message, because it is easy to determine whether a ciphertext is a QR or a QNR, and that implies whether the padded message is a QR or a QNR.

We know such an explanation is usually not intuitive -- we had a very terrible experience communicating with PyCryptodome and libgcrypt; so far they refuse to fix it completely. So below is a PoC for CryptoPP, with a preliminary patch:

https://github.com/weikengchen/attack-on-cryptopp-elgamal

in which the attack abuses the above probability distribution difference to guess the message from the ciphertext.

This security bug is not severe, because, in the real world, people use ElGamal mostly to encrypt a symmetric key (i.e., hybrid encryption). It is secure if ElGamal encrypts a symmetric key. Therefore, we do make this repo of the PoC public, as it does not lead to a security risk to existing systems.

So my report concludes. It is not easy to fix -- because you need to change the implementation of ElGamal encryption in CryptoPP to proceed, which hurts compatibility. The fix in the patch of that repo is to encode the message into a QR, not using padding.

Let me know your idea of what we should do next.
Weikeng
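A small Python illustration of the leak described in the report above, added here as an example and not Crypto++ code: with a QR generator, the second ciphertext component always has the same quadratic residuosity as whatever value was encrypted, so a padded encoding whose residuosity depends on the message leaks one bit about it, while an encoding that always lands in the QR subgroup removes the signal. The toy parameters are constructed, and the QR encoding used (map m to whichever of m and p - m is a QR) is an assumption for illustration, not the patch in the linked repo.

```python
import secrets

# Constructed toy parameters: safe prime p = 2q + 1 with q prime, so the
# quadratic residues form a subgroup of prime order q. Real use: 2048+ bits.
P = 2039
Q = (P - 1) // 2          # 1019, also prime
G = pow(2, 2, P)          # a square, hence a generator of the order-q QR subgroup

def is_qr(x):
    """Euler's criterion: x is a quadratic residue mod p iff x^q == 1 (mod p)."""
    return pow(x % P, Q, P) == 1

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def encrypt(y, m):
    k = secrets.randbelow(Q - 1) + 1
    return pow(G, k, P), (m * pow(y, k, P)) % P

def decrypt(x, c):
    c1, c2 = c
    return (c2 * pow(c1, -x, P)) % P

def residuosity_leaks(y, m):
    """y^k lies in the QR subgroup, so QR(c2) == QR(m) for every k: anyone who
    sees only the ciphertext learns the Legendre symbol of the encrypted value."""
    return is_qr(encrypt(y, m)[1]) == is_qr(m)

def encode_as_qr(m):
    """Assumed encoding: map 1 <= m <= q into the QR subgroup. Since p = 3 (mod 4),
    -1 is a QNR, so exactly one of m and p - m is a QR; pick that one."""
    assert 1 <= m <= Q
    return m if is_qr(m) else P - m

def decode_from_qr(e):
    return e if e <= Q else P - e

def roundtrip_is_qr_only(m):
    """Encrypt the QR-encoded message; return (c2 is a QR, decryption recovers m).
    The first value is True for every m, so residuosity no longer depends on m."""
    x, y = keygen()
    c = encrypt(y, encode_as_qr(m))
    return is_qr(c[1]), decode_from_qr(decrypt(x, c)) == m
```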