Date: 27 Oct 2000

Why Textbook ElGamal and RSA Encryption Are Insecure


We present an attack on plain ElGamal and plain RSA encryption. The attack shows that without proper preprocessing of the plaintexts, both ElGamal and RSA encryption are fundamentally insecure. Namely, when one uses these systems to encrypt a (short) secret key of a symmetric cipher, it is often possible to recover the secret key from the ciphertext. Our results demonstrate that preprocessing messages prior to encryption is an essential part of both systems.

Implementations of ElGamal often use an element g ∈ ℤ_p* of prime order q where q is much smaller than p. When the set of plaintexts is equal to the subgroup generated by g, the Decision Diffie-Hellman assumption implies that ElGamal is semantically secure. Unfortunately, implementations of ElGamal often encrypt an m-bit message by viewing it as an m-bit integer and directly encrypting it. The resulting system is not semantically secure: the ciphertext leaks the Legendre symbol of the plaintext.
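
The Legendre-symbol leak described above can be checked directly. The following Python sketch is an added example, not code from the paper; the toy parameters (p = 2^61 - 1, q = 1321) and all function names are assumptions chosen for illustration and are far too small for real use.

```python
import secrets

# Constructed toy parameters (assumptions, far too small for real use).
P = 2**61 - 1   # a Mersenne prime
Q = 1321        # odd prime factor of P - 1, much smaller than P
assert (P - 1) % Q == 0

def find_generator():
    """h^((P-1)/Q) is either 1 or an element of order exactly Q."""
    for h in range(2, 1000):
        g = pow(h, (P - 1) // Q, P)
        if g != 1:
            return g

G = find_generator()

def legendre(a):
    """Legendre symbol (a/P) by Euler's criterion, for a not divisible by P."""
    return 1 if pow(a, (P - 1) // 2, P) == 1 else -1

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def encrypt_textbook(y, m):
    """Plain ElGamal: the message is used directly as an integer mod P."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), (m * pow(y, r, P)) % P

def decrypt(x, c):
    c1, c2 = c
    return (c2 * pow(c1, Q - x, P)) % P   # c1 has order Q, so c1^(Q-x) = c1^(-x)

def leaked_symbol(c):
    """What the ciphertext alone reveals, with no key material.
    G has odd order, so G, y and the mask y^r are all squares mod P;
    multiplying by a square cannot change the Legendre symbol of m."""
    return legendre(c[1])

def distinguish(c, m0, m1):
    """Semantic-security game: decide which of two known candidates was
    encrypted. Returns None when both candidates share the same symbol."""
    if legendre(m0) == legendre(m1):
        return None
    return m0 if leaked_symbol(c) == legendre(m0) else m1
```

The distinguisher succeeds whenever the two candidate plaintexts have different Legendre symbols, which is exactly the case the abstract rules out when plaintexts are restricted to the subgroup generated by g.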