We present an attack on plain ElGamal and plain RSA encryption.
The attack shows that without proper preprocessing of the plaintexts,
both ElGamal and RSA encryption are fundamentally insecure. Namely,
when one uses these systems to encrypt a (short) secret key of a symmetric
cipher it is often possible to recover the secret key from the
ciphertext. Our results demonstrate that preprocessing messages prior
to encryption is an essential part of both systems.