
From various sources (e.g. this paper, page 3), the key generation algorithm of Elgamal samples the secret key $x$ from $\mathbb{Z}_q$, which is identifiable to $\{0, 1, 2, \dots, q-1\}$.

My question is: what happens when the sampled $x$ is, say, zero? Indeed, in this case, the public key $h$ is equal to 1, and encrypting plaintext $m$ with randomness $r$ yields $(g^r, m)$. This seems to me like a serious issue. The same happens with $x = 1$. In this case $h = g$, it is easy to notice that $h$ is equal to $g$ and deduce that the secret key is $1$.

Of course, this "methodology" does not extend to any value of $x$ (testing whether $g^x$ is equal to the public key), since this is pretty much a brute force attack, by assumption computationally infeasible. I also understand why the scheme can be proven secure, though: because $q$ is so large that the case $x = 0$ or $x = 1$ happens with a negligible probability. Yet, in practice, it can happen... Do implementations take that into account?

aguellie

1 Answer


It's worse than that: if $x = 1283767$, then the ciphertext will be $(g^r, m \cdot g^{r \cdot 1283767})$, which an adversary can immediately detect by checking whether $h = g^{1283767}$ and subsequently exploit to decrypt messages! The same trick works for $x = -1$, $x = 42$, and $x = 123456789$.

We pick $q$ and $g$ so that the space of values for $x$ is so large that if we choose $x$ uniformly at random, the adversary's probability of success at guessing it is negligible, below $2^{-128}$—so small that you should be more worried about cosmic rays flipping bits in your RAM than you are about this event.

There are much better attacks recovering $x$ from $h = g^x$, requiring you to choose $q$ to have thousands of bits. You should be much more worried about how you're using Elgamal encryption and how you shoehorn arbitrary messages in your application into integers mod $q$, and even more worried about articulating higher-level application security goals.

Squeamish Ossifrage
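The point made in the answer above, that $x = 0$ and $x = 1$ are no more special than any other guessed value, as an added example (not code from the question or the answer). It assumes a constructed toy group ($p = 2579$, $q = 1289$, $g = 4$), far too small for real use, and the function names are hypothetical.

```python
import secrets

# Constructed toy parameters (insecure size, for illustration only):
# P = 2*Q + 1 with Q prime; G = 4 generates the subgroup of order Q.
P, Q, G = 2579, 1289, 4

def keygen(x=None):
    """Return (x, h = g^x). x is uniform in Z_q unless forced for the demo."""
    if x is None:
        x = secrets.randbelow(Q)
    x %= Q
    return x, pow(G, x, P)

def encrypt(h, m, r=None):
    """Elgamal ciphertext (g^r, m * h^r) for a message m in Z_p^*."""
    if r is None:
        r = secrets.randbelow(Q)
    return pow(G, r, P), (m * pow(h, r, P)) % P

def decrypt(x, c):
    """Recover m = c2 / c1^x."""
    c1, c2 = c
    return (c2 * pow(pow(c1, x, P), -1, P)) % P

def matching_guesses(h, guesses):
    """The check from the answer: which guessed x satisfy h == g^x?"""
    return [x for x in guesses if pow(G, x % Q, P) == h]

def keys_caught_by(guess):
    """All secret keys in Z_q whose public key a single guess would expose."""
    target = pow(G, guess % Q, P)
    return [x for x in range(Q) if pow(G, x, P) == target]

if __name__ == "__main__":
    m = 1000  # constructed sample message
    for x in (0, 1, 1283767):
        sk, h = keygen(x)
        c = encrypt(h, m)
        print(f"x={sk}: h={h}, c2==m: {c[1] == m}, "
              f"guess check: {matching_guesses(h, [0, 1, 1283767])}")
    # Every guess exposes exactly one of the Q possible keys, 0 and 1 included.
    print({g: len(keys_caught_by(g)) for g in (0, 1, 42, 1283767)})
```

Each guess matches exactly one of the $q$ possible keys, so a uniformly sampled $x$ is hit by any single guess with probability $1/q$, whether the guess is 0, 1, or 1283767.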