Why must Alice use a fresh random ephemeral exponent $i$ for every ElGamal encryption, and what happens if she reuses it?
If Alice reuses $i$, an attacker who knows one plaintext-ciphertext pair can decrypt all subsequent messages encrypted with the same $i$ — a devastating known-plaintext attack.
* One leaked plaintext exposes the shared mask, unlocking every message sent with the same i. *
The danger comes from the mask being a pure function of $i$: the same $i$ always yields the same masking key $K_M = \beta^i$. So a single leaked plaintext lets the attacker solve for that key once, and from then on every other message wearing the same mask falls for free — no discrete log required. This is why "ephemeral" must mean fresh each time, not merely temporary.
The attack when $i$ is reused:
- Alice encrypts $x_1$ with ephemeral exponent $i$: sends $(k_E, y_1) = (g^i, x_1 \cdot K_M)$
- Attacker somehow learns $x_1$ (known plaintext)
- Attacker computes $K_M = y_1 \cdot x_1^{-1} \mod p$ — now they know the masking key!
- Alice encrypts $x_2$ with the same $i$: sends $(k_E, y_2) = (g^i, x_2 \cdot K_M)$
- Attacker decrypts: $x_2 = y_2 \cdot K_M^{-1} \mod p$ — broken!
Why this works: The same $i$ produces the same $k_E = g^i$ and the same $K_M = \beta^i$. The masking key is identical for all messages encrypted with the same $i$.
Other active attacks on ElGamal:
- No integrity: Eve can modify ciphertext without detection
- Insertion attack: Eve can encrypt and send her own messages to Bob using Bob's public key
- Homomorphic property: Multiplying ciphertexts multiplies plaintexts — even easier to exploit than RSA's version because Eve just multiplies $y$ by a factor $s$: $(k_E, s \cdot y)$ decrypts to $s \cdot x$
Tip: ElGamal's probabilistic nature (different ciphertext each time) is ONLY guaranteed when $i$ is truly random and never reused.
Go deeper:
ElGamal encryption — Wikipedia — why the ephemeral exponent must be fresh every time.