Advances in Cryptology — ASIACRYPT 2000

Volume 1976 of the series Lecture Notes in Computer Science pp 30-43


Why Textbook ElGamal and RSA Encryption Are Insecure

Extended Abstract
  • Dan Boneh, Computer Science Department, Stanford University
  • Antoine Joux, DCSSI
  • Phong Q. Nguyen, Département d’Informatique, École Normale Supérieure


We present an attack on plain ElGamal and plain RSA encryption. The attack shows that without proper preprocessing of the plaintexts, both ElGamal and RSA encryption are fundamentally insecure. Namely, when one uses these systems to encrypt a (short) secret key of a symmetric cipher, it is often possible to recover the secret key from the ciphertext. Our results demonstrate that preprocessing messages prior to encryption is an essential part of both systems.