International Association for Cryptologic Research

IACR News item: 30 June 2015

David Bernhard, Marc Fischlin, Bogdan Warinschi
ePrint Report
The well-known Signed ElGamal scheme consists of ElGamal encryption with a non-interactive Schnorr proof of knowledge. While this scheme should be intuitively secure against chosen-ciphertext attacks in the random oracle model, its security has not yet been proven nor disproven so far, without relying on further non-standard assumptions like the generic group model. Currently, the best known positive result is that Signed ElGamal is non-malleable under chosen-plaintext attacks. In this paper we provide evidence that Signed ElGamal may not be CCA secure in the random oracle model. That is, building on previous work of Shoup and Gennaro (Eurocrypt '98), Seurin and Treger (CT-RSA 2013), and Bernhard et al. (PKC 2015), we exclude a large class of potential reductions that could be used to establish CCA security of the scheme.

Additional news items may be found on the IACR news page.