1

I have the following data where all the inputs are Big Integers,

  1. group size $p$,
  2. group generator $g$
  3. public key of the receiver $y$
  4. $c_1$ and $c_2$
  5. Random Number as well

I am trying to execute an EL Gamal Attack (On a Weak Number Generator) without knowing the secret key $x$.

$$y = g^x \bmod p\quad \text{where } x \text{ is the secret key.}$$

As we know $y,g$ and $p$. I am trying to compute $x$.I tried as follows $m$ as,

$$m = c_2 \times (c_1^x )^{-1}$$

By converting $m$ as ByteArray, I am not getting the desired output!

  • What I am missing out? What's the advantage of having this random number as input?

Actually,I tried finding x by taking log on both sides,

log y = x log g mod p

Each y, g, and P are of 1024 bits. Java is not supporting this BigInteger computation. How can I solve this equation involving such a big number?

Or is there any other shortcut available to compute the secret key, if the public key and g are given? Also, how can I take advantage of the given random number?

codeX
  • 111
  • 3

1 Answers1

1

$g$, $p$, and $y$ are of length 308 (decimal digits). How can I compute $x$ accurately from the equation?

Computations with integers this size (for example, verifying a guess of an integer $x$) are possible with Python's pow in its three-arguments form, Java's BigInteger modPow, GP/Pari, Sage, Mathematica…

I tried finding $x$ by taking log on both sides

That method can give you a real $x$, but here we want an integer. Given 1024-bit prime $p$, generator $g$, and $y=g^x\bmod p$, there is no general and easy way to find an integer $x$. That may be possible if the order of $g$ is appropriately smooth, but nothing in the context suggests that. That also may be possible if $x$ was generated by a weak RNG, but since the nature of the weakness is untold, it is hard to tell how to proceed.

  1. Random Number as well

Perhaps that mysterious given helps to determine the nature of the RNG weakness. Or/and perhaps this given is somewhat related to the random number generated during the encryption, which knowledge would trivially allow to decipher without the private key $x$.

fgrieu
  • 149,326
  • 13
  • 324
  • 622