Why Textbook ElGamal and RSA Encryption Are Insecure

Extended Abstract
  • Dan Boneh
  • Antoine Joux
  • Phong Q. Nguyen
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1976)


We present an attack on plain ElGamal and plain RSA encryption. The attack shows that without proper preprocessing of the plaintexts, both ElGamal and RSA encryption are fundamentally insecure. Namely, when one uses these systems to encrypt a (short) secret key of a symmetric cipher, it is often possible to recover the secret key from the ciphertext. Our results demonstrate that preprocessing messages prior to encryption is an essential part of both systems.
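As an added illustration of why the abstract insists on message preprocessing (this is not code from the paper or its authors), the following Python compares textbook RSA with a simplified OAEP-style encoding of a short symmetric key. The primes, public exponent, label, field sizes and key bytes are constructed toy values and are far too small to be secure; the encoding is a one-round simplification of OAEP, not the PKCS#1 v2.0 scheme itself. The property exposed for textbook RSA, that ciphertexts multiply exactly as plaintexts do, also holds for textbook ElGamal, which the example omits for brevity.

```python
# Added illustration (not from the paper): textbook RSA versus RSA with
# randomized, redundancy-carrying preprocessing of a short key.
# Every parameter below is a constructed toy value; none is secure.
import hashlib
import secrets

# Constructed toy key: two Mersenne primes, so N is about 92 bits.
P = 2147483647              # 2^31 - 1
Q = 2305843009213693951     # 2^61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

KEY_LEN = 2      # the "short symmetric key" being wrapped, in bytes
SEED_LEN = 4     # fresh random seed mixed into every encryption
CHECK_LEN = 4    # fixed redundancy that decryption verifies
CHECK = hashlib.sha256(b"toy-label").digest()[:CHECK_LEN]  # constructed label hash


def textbook_encrypt(m: int) -> int:
    """Plain RSA: c = m^e mod N, with no preprocessing of m at all."""
    return pow(m, E, N)


def textbook_decrypt(c: int) -> int:
    return pow(c, D, N)


def mgf(data: bytes, n: int) -> bytes:
    """Mask generation: first n bytes of SHA-256(data); enough for n <= 32."""
    return hashlib.sha256(data).digest()[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pad(key: bytes, seed: bytes = b"") -> int:
    """Simplified OAEP-style encoding: randomize, mask, add redundancy.
    Layout: maskedSeed || maskedDB, where DB = CHECK || key."""
    if len(key) != KEY_LEN:
        raise ValueError("unexpected key length")
    seed = seed or secrets.token_bytes(SEED_LEN)
    db = CHECK + key
    masked_db = xor(db, mgf(seed, len(db)))
    masked_seed = xor(seed, mgf(masked_db, SEED_LEN))
    # 10 bytes < 2^80 < N, so the encoded value is a valid RSA input.
    return int.from_bytes(masked_seed + masked_db, "big")


def unpad(em: int) -> bytes:
    """Undo pad(); raise ValueError if the redundancy check fails."""
    total = SEED_LEN + CHECK_LEN + KEY_LEN
    if em >= 1 << (8 * total):
        raise ValueError("encoded message out of range")
    raw = em.to_bytes(total, "big")
    masked_seed, masked_db = raw[:SEED_LEN], raw[SEED_LEN:]
    seed = xor(masked_seed, mgf(masked_db, SEED_LEN))
    db = xor(masked_db, mgf(seed, len(masked_db)))
    if db[:CHECK_LEN] != CHECK:
        raise ValueError("padding check failed")
    return db[CHECK_LEN:]


def padded_encrypt(key: bytes) -> int:
    return textbook_encrypt(pad(key))


def padded_decrypt(c: int) -> bytes:
    return unpad(textbook_decrypt(c))


# --- Properties a defender should recognise ---------------------------------

def textbook_is_multiplicative(m1: int, m2: int) -> bool:
    """Enc(m1) * Enc(m2) == Enc(m1 * m2) mod N: without preprocessing,
    ciphertexts inherit the multiplicative structure of the plaintexts."""
    lhs = (textbook_encrypt(m1) * textbook_encrypt(m2)) % N
    return lhs == textbook_encrypt((m1 * m2) % N)


def padded_product_is_rejected(k1: bytes, k2: bytes) -> bool:
    """The product of two padded ciphertexts decrypts to something that
    fails the redundancy check (except with negligible probability)."""
    c = (padded_encrypt(k1) * padded_encrypt(k2)) % N
    try:
        padded_decrypt(c)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    key = b"\x12\x34"  # constructed 16-bit "symmetric key"
    print("textbook deterministic:", textbook_encrypt(0x1234) == textbook_encrypt(0x1234))
    print("textbook multiplicative:", textbook_is_multiplicative(0x1234, 0x2a))
    print("padded randomized:", padded_encrypt(key) != padded_encrypt(key))
    print("padded round-trips:", padded_decrypt(padded_encrypt(key)) == key)
    print("padded product rejected:", padded_product_is_rejected(key, b"\xab\xcd"))
```

Run stand-alone, the script reports that textbook encryption of the same short key is deterministic and that ciphertexts multiply like plaintexts, while the padded variant gives a different ciphertext every time and refuses a ciphertext assembled from two others. The redundancy check in unpad() is what turns an algebraically malleable primitive into one where a manipulated ciphertext is detected rather than silently decrypted.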





Copyright information

© Springer-Verlag Berlin Heidelberg 2000

Authors and Affiliations

  1. Dan Boneh, Computer Science Department, Stanford University, Stanford, USA
  2. Antoine Joux, DCSSI, Issy-les-Moulineaux Cedex, France
  3. Phong Q. Nguyen, Département d’Informatique, École Normale Supérieure, Paris, France
