0

I have read here that Elgamal is resistant to brute-force attack, because the group to where the key is selected is very large. But since the key generation is random, (i assume)there is a chance that the key generated is lower than the recommended.

example, the recommended keylength is 1024 bits, but the key generated ($x$) was really small, way under 512 bits. The adversary can see that the $g^x$ is indeed small (smaller than $g^{2^{1024}}$ and $g^{2^{512}}$), limiting his/her search.

My question is, would a public key encryption be vulnerable to brute-force attack the moment it generated a low value key ? If it is, what are the countermeasures ?

Kelen Nihomori
  • 27
  • 3

1 Answers1

2

The chance that such a key is generated randomly is negligibly low. These 512 bits of security are for both the higher order and lower order bits. The chance of generating such a value is one in $2^{512}$ (each time you try, assuming that each value in the 1024 bit number is about equally valid). That means you can try forever before getting such a low value.

Just try and run your random bit generator and wait for it to generate 512 bits of zeros in succession. That's similar as guessing a 512 bit key. It is simply not going to happen. No such key exists or will exist if it was generated randomly.

As it is impossible to create such a key at random, there is very little reason searching for such a key either, or to limit the value to a minimum. That kind of effort is better put into making sure that the random bit generator is working correctly and to make sure that the key pair generation process isn't erroneous in itself.

Maarten Bodewes
  • 92,551
  • 13
  • 161
  • 313