Why Textbook ElGamal and RSA Encryption Are Insecure

Extended Abstract
  • Dan Boneh
  • Antoine Joux
  • Phong Q. Nguyen
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1976)


We present an attack on plain ElGamal and plain RSA encryption. The attack shows that without proper preprocessing of the plaintexts, both ElGamal and RSA encryption are fundamentally insecure. Namely, when one uses these systems to encrypt a (short) secret key of a symmetric cipher it is often possible to recover the secret key from the ciphertext. Our results demonstrate that preprocessing messages prior to encryption is an essential part of both systems.
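The kind of attack the abstract refers to, worked for the RSA case as an added editorial example (this is not code from the paper): textbook RSA is multiplicative, so if a short key m factors as m1·m2 with both factors at most some bound B, the ciphertext c = m^e mod N can be reversed with about 2B modular exponentiations, using only the public key, by tabulating m1^e and looking up c·(m2^e)^-1. The second ElGamal ciphertext component m·y^r is multiplicative in the same way, so the same table idea carries over; the block below implements only the RSA case. The modulus (built from two Mersenne primes), the exponent, the 24-bit key length, the bound 2^13 and the sample keys are constructed toy values chosen so the example runs in well under a second.

```python
"""Meet-in-the-middle ("splitting") attack on textbook RSA encryption of a short key.

Editorial example added to this page, not code from the paper.  The modulus,
exponent, key length, search bound and sample keys are constructed toy values.
Requires Python 3.8+ for pow(x, -1, n).
"""
import math
import random

# Constructed toy public key: P and Q are the Mersenne primes 2^31-1 and 2^61-1,
# so N is about 2^92.  Far too small for real use; chosen for speed only.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
E = 65537                         # coprime to (P-1)(Q-1), so a valid RSA exponent

KEY_BITS = 24                     # length k of the symmetric key being wrapped
BOUND = 2 ** (KEY_BITS // 2 + 1)  # attack needs m = m1*m2 with m1, m2 <= BOUND


def textbook_rsa_encrypt(m: int, e: int = E, n: int = N) -> int:
    """Plain RSA without padding: c = m^e mod n.  This is the insecure construction."""
    if not 0 < m < n:
        raise ValueError("message out of range")
    return pow(m, e, n)


def split_attack(c: int, e: int = E, n: int = N, bound: int = BOUND):
    """Recover m from c = m^e mod n using only the public key, provided that
    m = m1*m2 with m1, m2 <= bound.

    Textbook RSA is multiplicative: m^e == m1^e * m2^e (mod n).  Tabulate m1^e for
    every candidate m1, then for each m2 look up c * (m2^e)^-1 in the table.  That is
    about 2*bound modular exponentiations instead of 2^k trial encryptions.  Any hit
    gives m1*m2 == m exactly, because x -> x^e is a permutation mod n and here
    bound^2 < n.  Returns None when m has no such split (e.g. m prime and > bound).
    """
    table = {pow(m1, e, n): m1 for m1 in range(1, bound + 1)}
    for m2 in range(1, bound + 1):
        candidate = (c * pow(pow(m2, e, n), -1, n)) % n
        m1 = table.get(candidate)
        if m1 is not None:
            return m1 * m2
    return None


def splits(m: int, bound: int = BOUND) -> bool:
    """True if m = m1*m2 for some 1 <= m1 <= m2 <= bound (the attack's precondition)."""
    # With m1 <= m2: m1 <= sqrt(m), and m2 = m/m1 <= bound forces m1 >= m/bound.
    lo = max(1, -(-m // bound))            # ceil(m / bound)
    hi = min(math.isqrt(m), bound)
    return any(m % d == 0 for d in range(lo, hi + 1))


def split_fraction(key_bits: int = KEY_BITS, bound: int = BOUND,
                   samples: int = 500, seed: int = 1) -> float:
    """Empirical fraction of random key_bits-bit keys (top bit set) the attack recovers."""
    rng = random.Random(seed)
    top = 1 << (key_bits - 1)
    hits = sum(splits(rng.getrandbits(key_bits) | top, bound) for _ in range(samples))
    return hits / samples


if __name__ == "__main__":
    key = 3000 * 5000                    # 15000000: a 24-bit key that splits under BOUND
    print("recovered:", split_attack(textbook_rsa_encrypt(key)))        # 15000000
    prime_key = 2**17 - 1                # 131071: prime and > BOUND, so no usable split
    print("prime key:", split_attack(textbook_rsa_encrypt(prime_key)))  # None
    print("fraction of random 24-bit keys that split:", split_fraction())
```

The attacker never needs the private key: the table costs 2^13 public-key operations, not the 2^24 of brute-forcing the key, and the gap widens with the key length. The prime key shows the caveat: the attack only recovers keys that split under the bound, which is why the abstract says "often" rather than "always". Randomised padding such as RSA-OAEP, or a hybrid scheme that derives the symmetric key from a full-size random group element, removes the multiplicative structure the attack relies on.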

Copyright information

© Springer-Verlag Berlin Heidelberg 2000

Authors and Affiliations

  • Dan Boneh, Computer Science Department, Stanford University, Stanford, USA
  • Antoine Joux, DCSSI, Issy-les-Moulineaux Cedex, France
  • Phong Q. Nguyen, Département d'Informatique, École Normale Supérieure, Paris, France