Re: Weak keys for ElGamal


The very notion of "weak keys" makes no sense, given modern understanding
of confidentiality. Security in crypto is inherently a probabilistic
notion: what are the chances that an adversary guesses the message?
(You can never make that probability exactly zero.)

> So could a party by chance (or
> intentionally) choose a weak secret key and thereby reduce the security
> of the ElGamal scheme?

Those are two different questions.

If one of the parties is malicious, they can just reveal the message
or key, so it doesn't make sense to ask for ElGamal to be secure if
one of the parties is malicious.

As for choosing a weak key by chance, the best way to answer the question
is to unask the question and ask a different one, because weak keys are
not a very relevant concept.
> So from a security point of view it doesn't make a difference if I
> choose the key randomly or always in a special interval (but nobody
> besides me knows this interval).
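To make the probabilistic framing concrete, here is textbook ElGamal in a prime-order subgroup of Z_p^*, added as an example and not code from anyone in this thread. The secret key is drawn uniformly from [1, q-1] with a CSPRNG, so an adversary guessing a key succeeds with probability 1/(q-1) per guess whatever value happened to be drawn; the example also includes the subgroup-membership check a practitioner applies to a received public key or message. The Miller-Rabin test, the safe-prime group generation, the parameter size (toy-sized for speed) and the sample message are all constructed for this demo.

```python
import secrets

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test; a composite passes with probability <= 4**-rounds."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:          # cheap trial division first
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:                # write n-1 = 2^r * d with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)   # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False             # a is a witness of compositeness
    return True


def generate_group(bits: int):
    """Safe prime p = 2q + 1 and a generator g of the order-q subgroup.

    `bits` is the size of p. Demo sizes only: real deployments use a
    standardized group with p of at least 2048 bits.
    """
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1   # odd, exactly bits-1 bits
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            p = 2 * q + 1
            break
    while True:
        h = 2 + secrets.randbelow(p - 3)     # h in [2, p-2]
        g = pow(h, 2, p)                     # squaring lands in the order-q subgroup
        if g != 1:
            return p, q, g


def in_subgroup(p: int, q: int, y: int) -> bool:
    """True iff y is a non-identity element of the order-q subgroup."""
    return 1 < y < p and pow(y, q, p) == 1


def keygen(p: int, q: int, g: int):
    """Secret key uniform on [1, q-1]: every key is equally likely, so an
    adversary's per-guess success probability is 1/(q-1) for any key."""
    x = 1 + secrets.randbelow(q - 1)
    return x, pow(g, x, p)


def encrypt(p: int, q: int, g: int, y: int, m: int):
    """ElGamal encryption of a subgroup element m under public key y."""
    if not in_subgroup(p, q, y):
        raise ValueError("public key is not in the prime-order subgroup")
    if not in_subgroup(p, q, m):
        raise ValueError("message must be a subgroup element")
    k = 1 + secrets.randbelow(q - 1)         # fresh uniform nonce per message
    return pow(g, k, p), (m * pow(y, k, p)) % p


def decrypt(p: int, x: int, ciphertext):
    c1, c2 = ciphertext
    shared = pow(c1, x, p)
    return (c2 * pow(shared, -1, p)) % p


def roundtrip_ok(bits: int = 64) -> bool:
    """Generate a group and key pair, encrypt a constructed random subgroup
    element, and confirm decryption recovers it."""
    p, q, g = generate_group(bits)
    x, y = keygen(p, q, g)
    m = pow(g, 1 + secrets.randbelow(q - 1), p)   # constructed sample message
    return decrypt(p, x, encrypt(p, q, g, y, m)) == m


if __name__ == "__main__":
    print("roundtrip ok:", roundtrip_ok(64))
```

Messages are restricted to the order-q subgroup because an element outside it (for example p-1, of order 2) leaks information about the nonce through the Legendre symbol of c2; `in_subgroup` rejects such values for both the public key and the plaintext, which is the same check used to reject small-subgroup public keys.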