Lewis McCarthy (lmccarth@cs.umass.edu)
Sat, 13 Feb 1999 20:32:45 -0500
Wal Othman writes:
> To encrypt a message using ElGamal, a user needs to choose a random number for
> an exponent. Suppose the message is longer than the modulus; we would have to
> divide the message into blocks smaller than the modulus, but should the
> exponent be different for each block?
Reusing the ephemeral private exponent allows a known-plaintext attack.
If the attacker obtains one of the plaintext blocks then she can recover the
other(s) by dividing out the reused key. [cf. Note 8.23 (ii) in _HAC_]
Given (m1, c1), (m2, c2), and m1, the attacker computes m2 = m1 {c1}^-1 c2.
-Lewis http://www.cs.umass.edu/~lmccarth
-- "we have to yet really seriously debate the constitutional issues and whether or not we're willing to give up more freedom in order to have more security" -- U.S. Secretary of Defense William Cohen, 3 Feb 1999
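
The recovery described in the reply above, as an added example that is not part of the original post: textbook ElGamal over Z_p* with a reused versus a fresh ephemeral exponent per block, plus a check that spots reuse in stored ciphertexts. The modulus 2^127 - 1, the base 3 and all function names are assumptions chosen for illustration; c1 and c2 in the post are the second ciphertext components (delta) here.

```python
# Added illustration, not code from the original post. Toy parameters only.
import secrets

P = 2**127 - 1   # constructed toy modulus (a Mersenne prime), not a recommended group
G = 3            # assumed base; the algebra below does not depend on it being a generator

def keygen():
    a = secrets.randbelow(P - 2) + 1           # long-term private exponent
    return a, pow(G, a, P)                     # (private, public y = g^a)

def encrypt_block(m, y, k):
    """One block 0 < m < p: (gamma, delta) = (g^k, m * y^k) mod p."""
    return pow(G, k, P), (m * pow(y, k, P)) % P

def encrypt(blocks, y, reuse_k=False):
    k = secrets.randbelow(P - 2) + 1
    out = []
    for m in blocks:
        if not reuse_k:                        # correct behaviour: fresh k for every block
            k = secrets.randbelow(P - 2) + 1
        out.append(encrypt_block(m, y, k))
    return out

def recover_with_known_block(known_m1, ct1, ct2):
    """m2 = m1 * delta1^-1 * delta2 mod p; only correct when both blocks share k."""
    (_, d1), (_, d2) = ct1, ct2
    return (known_m1 * pow(d1, -1, P) * d2) % P

def shares_ephemeral_key(cts):
    """Audit check: a repeated gamma = g^k means an ephemeral exponent was reused."""
    gammas = [g for g, _ in cts]
    return len(set(gammas)) != len(gammas)

def demo():
    _, y = keygen()
    m1 = int.from_bytes(b"known header", "big")   # constructed sample blocks
    m2 = int.from_bytes(b"secret body", "big")
    bad = encrypt([m1, m2], y, reuse_k=True)
    good = encrypt([m1, m2], y, reuse_k=False)
    return (recover_with_known_block(m1, bad[0], bad[1]) == m2,
            recover_with_known_block(m1, good[0], good[1]) == m2,
            shares_ephemeral_key(bad), shares_ephemeral_key(good))

if __name__ == "__main__":
    print(demo())
```

With a fresh exponent per block the same division yields m2 * y^(k2 - k1) rather than m2, so the known block gives no help.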