[17] in cryptography@c2.net mail archive


Re: A question on ElGamal encryption and signatures

daemon@ATHENA.MIT.EDU (Hal Finney)
Fri Jan 3 16:45:19 1997

Date: Fri, 3 Jan 1997 11:47:30 -0800
From: Hal Finney <hal@rain.org>
To: cryptography@c2.net, pbarreto@uninet.com.br

From: Paulo Barreto <pbarreto@uninet.com.br>
> All ElGamal encryptions and signatures depend on a one-time secret
> parameter k (cf. Applied Cryptography 2nd ed, 476-478).
>
> If the same k is used to *sign* two documents, the signer's secret key
> can be recovered (this holds for DSA as well, and probably also for
> Schnorr).
>
> Now how about *encrypting* two documents with the same k?  Which problem
> (if any) does this imply?

If you use the same k, and encrypt to the same person, then the K = g**(kx)
value will be the same each time.  This is what is multiplied by the
session key and sent in the clear.  So the attacker will see K*M1 and K*M2,
where K is the value above and M1, M2 are the session keys for two different
messages.  K is not known, and I can't come up with a specific attack to
reveal M1, M2, ... from this, but it still would worry me to expose this
much information.  It seems similar to reusing a one-time pad.

Maybe someone else can show an attack on K*M1, K*M2, ..., where the Mi
are randomly padded, unknown session keys, and K is an unknown constant,
to help find some M value.  Using PKCS padding, the top two bytes of M
are known to be 0, 2, which may provide an opening.

Hal
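The following is an added worked example (not part of the original message or of any library it mentions) that reproduces the structure Hal describes in textbook ElGamal: with a repeated k the mask K = y**k is identical across ciphertexts, the first ciphertext component g**k repeats (so the reuse is visible to any observer, which is what a defender can check for), and the ratio of the second components is M1/M2 with K cancelled out, so knowledge of any one session key yields the others. The parameters, keys and messages are constructed toy values, far too small for real use.

```python
"""Textbook ElGamal with a reused one-time parameter k (constructed toy example)."""

# Constructed toy group parameters for illustration only.
P = 1019  # safe prime: (P - 1) // 2 = 509 is prime
G = 2     # generator of Z_P^*: 2 is a non-residue since P ≡ 3 (mod 8)


def keygen(x):
    """Private key x, public key y = g^x mod p."""
    return x, pow(G, x, P)


def encrypt(y, m, k):
    """(c1, c2) = (g^k, m * y^k) mod p.  k is the one-time parameter and must be fresh per message."""
    c1 = pow(G, k, P)
    K = pow(y, k, P)          # shared mask K = y^k = g^(kx), Hal's "K"
    return c1, (m * K) % P


def decrypt(x, ct):
    """Recover m = c2 / c1^x mod p."""
    c1, c2 = ct
    K = pow(c1, x, P)
    return (c2 * pow(K, -1, P)) % P


def same_nonce(ct_a, ct_b):
    """Detection check: reuse of k is visible to anyone, because c1 = g^k repeats."""
    return ct_a[0] == ct_b[0]


def plaintext_ratio(ct_a, ct_b):
    """With a shared K, c2_a / c2_b = (K*m_a) / (K*m_b) = m_a / m_b.  K cancels, so this
    leaks the ratio of the two session keys to an observer who knows neither K nor x."""
    assert same_nonce(ct_a, ct_b), "only meaningful when k was reused"
    return (ct_a[1] * pow(ct_b[1], -1, P)) % P


def recover_other(ct_a, m_a, ct_b):
    """If k was reused and one session key m_a becomes known, the other follows from the
    ratio above without the private key: m_b = m_a * c2_b * c2_a^-1 mod p."""
    return (m_a * ct_b[1] * pow(ct_a[1], -1, P)) % P


def demo():
    x, y = keygen(123)            # constructed recipient key
    m1, m2 = 500, 901             # constructed "session keys"
    k = 77                        # the same k used twice: the mistake being illustrated
    ct1, ct2 = encrypt(y, m1, k), encrypt(y, m2, k)
    print("c1 repeats:", same_nonce(ct1, ct2))
    print("m1/m2 leaked:", plaintext_ratio(ct1, ct2) == (m1 * pow(m2, -1, P)) % P)
    print("m2 recovered from m1:", recover_other(ct1, m1, ct2) == m2)
    ct3 = encrypt(y, m2, 78)      # fresh k: c1 differs and the ratio no longer cancels
    print("fresh k detected as distinct:", not same_nonce(ct1, ct3))


if __name__ == "__main__":
    demo()
```

The same cancellation is why the one-time-pad comparison in the message is apt: K plays the role of the pad, and any structure in the Mi (such as fixed padding bytes) is exactly what an attacker would lean on, so the defensive requirement is simply that k never repeats for a given recipient.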
