What are the security weaknesses of the ElGamal Encryption Protocol (EEP)?
ElGamal provides no integrity, is vulnerable to insertion attacks, has a homomorphic property, is not safe against MitM, and has a known-plaintext attack.
* Every weakness follows from ElGamal protecting confidentiality only. *
The thread tying these together is that ElGamal was built for confidentiality only: it hides a message but makes no promise that the message arrived unmodified, came from who it claims, or was sent only once. Every weakness below is a consequence of that single gap.
The five weaknesses:
| Fact | Issue |
|---|---|
| No integrity | Attacker can modify ciphertext without detection |
| Insertion vulnerable | Attacker can send fabricated ciphertexts to Bob |
| Homomorphic | Multiplying ciphertexts multiplies plaintexts — attacker can scale messages without knowing them |
| MitM vulnerable | Same as DH — no authentication built in |
| Known-plaintext attack | If attacker knows one plaintext-ciphertext pair with the same ephemeral key, they can decrypt other messages |
Critical rule: Alice must use a fresh random $i$ for every message! Reusing $i$ allows trivial key recovery.
Advantage over RSA: ElGamal is inherently probabilistic — the same plaintext produces different ciphertexts each time (because $i$ is random). RSA needs OAEP padding to achieve this.
Go deeper:
Malleability (cryptography) — Wikipedia — shows an ElGamal ciphertext bending to a scaled plaintext.
ElGamal encryption — Wikipedia — notes it is unconditionally malleable and CCA-insecure.