Weak keys for ElGamal



Hi,

Let's consider the typical ElGamal encryption with primes p=2q+1. Let g
be a generator of the q-order group G for which the DL assumption
holds. The secret key x is from {1, ..., q-1} and messages are taken
from G. If in general the discrete logarithm problem is hard in G, are
there any weak keys from {1,...,q-1}? So could a party by chance (or
intentionally) choose a weak secret key and thereby reduce the security
of the ElGamal scheme? Are there any efficient algorithms to compute
the DL but which can only be applied if the secret key x satisfies
somehow "special conditions"?

I am sure that this is not possible because the computation of the
discrete logarithm is random-self-reducible. Am I right with my
suggestion?

Thanks for your help,
Anton
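
Added example, not part of the original post: the random self-reduction the question refers to, on a constructed toy group (p = 2039, q = 1019, g = 4). `weak_solver` is a hypothetical algorithm that succeeds only when the exponent is below an assumed bound B; re-randomizing the instance lets it recover every x.

```python
import random

# Constructed toy parameters: safe prime p = 2q + 1, g generates the order-q subgroup.
P, Q, G = 2039, 1019, 4
B = 32  # hypothetical "special condition": the solver only works when x < B


def weak_solver(h):
    """Hypothetical weak-key algorithm: returns x with G^x = h only if x < B."""
    acc = 1
    for x in range(B):
        if acc == h:
            return x
        acc = acc * G % P
    return None  # exponent is outside the weak class


def solve_any(h, rng):
    """Random self-reduction: turn the weak-key solver into a solver for every x.

    h * G^r has exponent (x + r) mod q, which is uniform in Z_q for uniform r,
    so each attempt lands in the weak class with probability B/q.
    """
    tries = 0
    while True:
        tries += 1
        r = rng.randrange(Q)
        y = weak_solver(h * pow(G, r, P) % P)
        if y is not None:
            return (y - r) % Q, tries


if __name__ == "__main__":
    rng = random.Random(1)
    x = 777  # a key far outside the weak class
    h = pow(G, x, P)
    print("direct:", weak_solver(h))
    print("via self-reduction (x, tries):", solve_any(h, rng))
```

The expected number of re-randomizations is q/B, so the reduction is efficient only when the weak class is a noticeable fraction of the key space; it says nothing about a class that is a negligible fraction of {1,...,q-1}.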
