{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,29]],"date-time":"2025-10-29T19:46:48Z","timestamp":1761767208744,"version":"3.41.0"},"reference-count":21,"publisher":"Association for Computing Machinery (ACM)","issue":"6","license":[{"start":{"date-parts":[[2023,5,24]],"date-time":"2023-05-24T00:00:00Z","timestamp":1684886400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Commun. ACM"],"published-print":{"date-parts":[[2023,6]]},"abstract":"<jats:p>\n            Roughly four decades ago, Taher ElGamal put forward what is today one of the most widely known and best understood public key encryption schemes. ElGamal encryption has been used in many different contexts, chiefly among them by the OpenPGP email encryption standard. Despite its simplicity, or perhaps because of it, in reality there is a large degree of ambiguity on several key aspects of the cipher. Each library in the OpenPGP ecosystem seems to have implemented a slightly different \"flavor\" of ElGamal encryption. While-taken in isolation-each implementation may be secure, we reveal that in the interoperable world of OpenPGP, unforeseen\n            <jats:italic>cross-configuration attacks<\/jats:italic>\n            become possible. Concretely, we propose different such attacks and show their practical efficacy by recovering plaintexts and even secret keys.\n          <\/jats:p>","DOI":"10.1145\/3592835","type":"journal-article","created":{"date-parts":[[2023,5,24]],"date-time":"2023-05-24T13:25:31Z","timestamp":1684934731000},"page":"107-115","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":1,"title":["On the (In)Security of ElGamal in OpenPGP"],"prefix":"10.1145","volume":"66","author":[{"given":"Luca","family":"De Feo","sequence":"first","affiliation":[{"name":"IBM Research Europe, Zurich, Switzerland"}]},{"given":"Bertram","family":"Poettering","sequence":"additional","affiliation":[{"name":"IBM Research Europe, Zurich, Switzerland"}]},{"given":"Alessandro","family":"Sorniotti","sequence":"additional","affiliation":[{"name":"IBM Research Europe, Zurich, Switzerland"}]}],"member":"320","published-online":{"date-parts":[[2023,5,24]]},"reference":[{"key":"e_1_2_1_1_1","volume-title":"https:\/\/pgp.key-server.io\/dump\/","author":"Open","year":"2021","unstructured":"OpenPGP server key dump from 15\/01\/2021. https:\/\/pgp.key-server.io\/dump\/, 2021. [Accessed 15\/01\/2021]."},{"key":"e_1_2_1_2_1","volume-title":"CT-RSA","author":"Acii\u00e7mez O.","year":"2007","unstructured":"Acii\u00e7mez, O., Ko\u00e7, \u00c7., Seifert, J.-P. Predicting secret keys via branch prediction. In CT-RSA 2007. M. Abe, ed. Volume 4377 of LNCS (2007). Springer, Heidelberg, 225--242."},{"key":"e_1_2_1_4_1","volume-title":"Cache-timing attacks on AES. Technical report","author":"Bernstein D.J.","year":"2005","unstructured":"Bernstein, D.J. Cache-timing attacks on AES. Technical report, 2005."},{"key":"e_1_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-44448-3_3"},{"key":"e_1_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.17487\/rfc4880"},{"key":"e_1_2_1_7_1","volume-title":"ElGamal in OpenPGP. In ACM CCS 2021","author":"De Feo L.","year":"2021","unstructured":"De Feo, L., Poettering, B., Sorniotti, A. On the (in)security of ElGamal in OpenPGP. In ACM CCS 2021, G. Vigna and E. Shi, eds. ACM, NY, 2021, 2066--2080."},{"key":"e_1_2_1_9_1","volume-title":"CRYPTO'84","volume":"196","author":"ElGamal T.","year":"1984","unstructured":"ElGamal, T. A public key cryptosystem and a signature scheme based on discrete logarithms. In CRYPTO'84. G.R. Blakley and D. Chaum, eds. Volume 196 of LNCS (1984). Springer, Heidelberg, 10--18."},{"key":"e_1_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-662-48324-4_11"},{"key":"e_1_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-44499-8_23"},{"key":"e_1_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.2307\/1971363"},{"key":"e_1_2_1_13_1","series-title":"LNCS (1997)","volume-title":"CRYPTO'97. B.S. Kaliski Jr.","author":"Lim C.H.","unstructured":"Lim, C.H. Lee, P.J. A key recovery attack on discrete log-based schemes using a prime order subgroup. In CRYPTO'97. B.S. Kaliski Jr., ed. Volume 1294 of LNCS (1997). Springer, Heidelberg, 249--263."},{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.43"},{"key":"e_1_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-48059-5_14"},{"key":"e_1_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIT.1978.1055817"},{"key":"e_1_2_1_17_1","first-page":"918","article-title":"Monte Carlo methods for index computation mod p","volume":"32","author":"Pollard J.M","year":"1978","unstructured":"Pollard, J.M. Monte Carlo methods for index computation mod p. Math. Comput. 32 (1978), 918--924.","journal-title":"Math. Comput."},{"key":"e_1_2_1_18_1","volume-title":"CRYPTO'89","volume":"435","author":"Schnorr C.-P.","year":"1990","unstructured":"Schnorr, C.-P. Efficient identification and signatures for smart cards. In, CRYPTO'89. G. Brassard, ed. Volume 435 of LNCS (1990). Springer, Heidelberg, 239--252."},{"key":"e_1_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1090\/pspum\/020\/0316385"},{"key":"e_1_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1007\/s00145-009-9049-y"},{"key":"e_1_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-68339-9_29"},{"key":"e_1_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1007\/PL00003816"},{"key":"e_1_2_1_23_1","volume-title":"Proceedings of the 23rd USENIX Security Symposium","author":"Yarom Y.","year":"2014","unstructured":"Yarom, Y., Falkner, K. FLUSH+RELOAD: A high resolution, low noise, L3 cache side-channel attack. In Proceedings of the 23rd USENIX Security Symposium (San Diego, CA, USA, August 20--22, 2014). K. Fu and J. Jung, eds. (2014). USENIX Association, Berkeley, CA, 719--732."}],"container-title":["Communications of the ACM"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3592835","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3592835","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T17:49:17Z","timestamp":1750182557000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3592835"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,5,24]]},"references-count":21,"journal-issue":{"issue":"6","published-print":{"date-parts":[[2023,6]]}},"alternative-id":["10.1145\/3592835"],"URL":"https:\/\/doi.org\/10.1145\/3592835","relation":{},"ISSN":["0001-0782","1557-7317"],"issn-type":[{"type":"print","value":"0001-0782"},{"type":"electronic","value":"1557-7317"}],"subject":[],"published":{"date-parts":[[2023,5,24]]},"assertion":[{"value":"2023-05-24","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}