Given an Elgamel encryption scheme with public parameters kpub = (p, a, B) and an unknown private key kpr = d. Due to an erroneous implementation of the random number generator of the encrypting party, the following relation holds for two temporary keys:
kM,j+1 = k2M,j mod p.
Given n consecutive ciphertexts
(kE1, y1), (kE2, y2),…,(KEn, yn)
to the plaintexts
Furthermore, the first plaintext x1 is known (e.g., header information).
- Describe how an attacker can compute the plaintexts x1, x2, …,xn from the given quantities.
- Can an attacker compute the private key d from the given information? Give reasons for your answer.