LOGBOOK

HELP

Quiz Entry - updated: 2026.07.10

Why must Alice use a fresh random ephemeral exponent $i$ for every ElGamal encryption, and what happens if she reuses it?

If Alice reuses $i$, an attacker who knows one plaintext-ciphertext pair can decrypt all subsequent messages encrypted with the same $i$ — a devastating known-plaintext attack.

Reusing the ephemeral exponent i enables a known-plaintext attack

* One leaked plaintext exposes the shared mask, unlocking every message sent with the same i. *

The danger comes from the mask being a pure function of $i$: the same $i$ always yields the same masking key $K_M = \beta^i$. So a single leaked plaintext lets the attacker solve for that key once, and from then on every other message wearing the same mask falls for free — no discrete log required. This is why "ephemeral" must mean fresh each time, not merely temporary.

The attack when $i$ is reused:

  1. Alice encrypts $x_1$ with ephemeral exponent $i$: sends $(k_E, y_1) = (g^i, x_1 \cdot K_M)$
  2. Attacker somehow learns $x_1$ (known plaintext)
  3. Attacker computes $K_M = y_1 \cdot x_1^{-1} \mod p$ — now they know the masking key!
  4. Alice encrypts $x_2$ with the same $i$: sends $(k_E, y_2) = (g^i, x_2 \cdot K_M)$
  5. Attacker decrypts: $x_2 = y_2 \cdot K_M^{-1} \mod p$ — broken!

Why this works: The same $i$ produces the same $k_E = g^i$ and the same $K_M = \beta^i$. The masking key is identical for all messages encrypted with the same $i$.

Other active attacks on ElGamal:

  • No integrity: Eve can modify ciphertext without detection
  • Insertion attack: Eve can encrypt and send her own messages to Bob using Bob's public key
  • Homomorphic property: Multiplying ciphertexts multiplies plaintexts — even easier to exploit than RSA's version because Eve just multiplies $y$ by a factor $s$: $(k_E, s \cdot y)$ decrypts to $s \cdot x$

Tip: ElGamal's probabilistic nature (different ciphertext each time) is ONLY guaranteed when $i$ is truly random and never reused.

Go deeper:

From Quiz: KRYPTOG / Diffie-Hellman and ElGamal | Updated: Jul 10, 2026