
a future issue to also restrict the message space to G

Open weikengchen opened this issue 7 years ago • 0 comments

From http://crypto.stanford.edu/~dabo/pubs/papers/DDH.pdf and https://en.wikipedia.org/wiki/ElGamal_encryption

We need to map a message to the space of G.

One idea in Boneh's paper [STOC'97]: use a hash function to hash g^{ab} and use the result as a one-time pad. This will lose the homomorphism, and in this project, it would lose compatibility.

One idea that is guaranteed to work is to pad the message with a suffix, randomly changing the suffix until we obtain an element in G. This takes slightly longer. But there are sufficiently many elements in G, so one can be found quickly. This will make the cryptosystem only probabilistically correct.

There are other cryptography papers that work on solving this. But these schemes rely on special assumptions.

I will need to do some literature review to see what is the best solution and update this issue.

weikengchen, Sep 21 '17 17:09
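The suffix-padding idea from the issue, worked through as an added example (this is not code from the elgamal project). It assumes a safe prime p = 2q + 1 with G the order-q subgroup of quadratic residues in Z_p^*, uses constructed toy parameters (p = 10007, generator 4, 8 payload bits plus a 5-bit suffix), and shows the membership test for G, the rejection-sampling encoder whose failure case makes the scheme only probabilistically correct, and ElGamal running entirely inside G:

```python
"""Encode small messages into the quadratic-residue subgroup G of Z_p^* by
suffix padding (rejection sampling), then run ElGamal inside G.

Assumptions (not from the original issue): p is a safe prime p = 2q + 1,
G = {x^2 mod p} is the order-q subgroup, and the parameters below are
toy-sized constructed values for demonstration only.
"""
import secrets
from typing import Optional, Tuple

# Constructed toy parameters: p = 2q + 1 with both p and q prime.
P = 10007
Q = (P - 1) // 2
G = 4  # 2^2 mod p: a square, hence a generator of the order-q subgroup

MSG_BITS = 8   # payload bits carried by one group element
PAD_BITS = 5   # suffix bits we are free to vary; 2^PAD_BITS attempts at most


def is_prime(n: int) -> bool:
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


assert is_prime(P) and is_prime(Q)          # p must be a safe prime
assert (1 << (MSG_BITS + PAD_BITS)) <= P    # encoded values must stay below p


def in_group(x: int) -> bool:
    """Membership test for G: x != 0 and x^q == 1 (mod p), i.e. x is a QR."""
    return x % P != 0 and pow(x, Q, P) == 1


def encode(m: int) -> Optional[int]:
    """Map m (MSG_BITS bits) to an element of G by appending a PAD_BITS-bit
    suffix and trying suffix values in random order until the result is a
    quadratic residue. Returns None if every suffix fails, which is why the
    scheme is only probabilistically correct: each suffix is a non-residue
    with probability about 1/2, so the failure rate is about 2^-(2^PAD_BITS).
    """
    if not 0 <= m < (1 << MSG_BITS):
        raise ValueError("message too large for the encoding")
    suffixes = list(range(1 << PAD_BITS))
    secrets.SystemRandom().shuffle(suffixes)
    for r in suffixes:
        x = (m << PAD_BITS) | r
        if in_group(x):
            return x
    return None


def decode(x: int) -> int:
    """Inverse of encode: strip the suffix."""
    return x >> PAD_BITS


def keygen() -> Tuple[int, int]:
    """Return (private x, public y = g^x mod p)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def encrypt(y: int, elem: int) -> Tuple[int, int]:
    """Textbook ElGamal on an element of G; both ciphertext parts lie in G."""
    if not in_group(elem):
        raise ValueError("plaintext must be an element of G")
    k = secrets.randbelow(Q - 1) + 1
    return pow(G, k, P), (elem * pow(y, k, P)) % P


def decrypt(x: int, ct: Tuple[int, int]) -> int:
    c1, c2 = ct
    # c1 has order q, so c1^(q - x) == c1^(-x) in G; no separate inverse needed.
    return (c2 * pow(c1, Q - x, P)) % P


def roundtrip(m: int) -> Optional[int]:
    """Encode, encrypt, decrypt, decode; None if encoding failed."""
    elem = encode(m)
    if elem is None:
        return None
    x, y = keygen()
    return decode(decrypt(x, encrypt(y, elem)))


def encoding_failures() -> int:
    """Count messages in the whole space that cannot be encoded (expected 0)."""
    return sum(1 for m in range(1 << MSG_BITS) if encode(m) is None)


if __name__ == "__main__":
    print("failures over the message space:", encoding_failures())
    print("roundtrip(200) =", roundtrip(200))
```

Two points the code makes concrete: the membership test `pow(x, Q, P) == 1` is what "restricting the message space to G" means operationally, and the suffix search is where the residual failure probability lives (with 5 suffix bits, roughly one message in 2^32 has no residue among its 32 candidates). Note that the padding is not homomorphic at the message level: a product of two encoded elements is still in G, but decoding it does not give the product of the two messages.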