cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data . The Decisional Diffie-Hellman assumption does not hold for Libgcrypt"s ElGamal implementation.