``ElGamal'' is leaky and vulnerable

I'll need some help with this, since I'm actually not too familiar with ElGamal, but I can draw a few parallels to RSA.

PyCrypto appears to have originally been designed to be an assortment of fast, low-level cryptographic primitives that can be composed to implement higher-level protocols. The target audience has really just been other crypto implementers. Unfortunately, due to being the top search result for 'python cryptography', a lot of ordinary application developers have been using it directly without really knowing what they are doing.

Crypto.PublicKey.RSA is an implementation of textbook RSA, and there's no good way to change it without breaking things for other developers who understand this and implemented the appropriate padding on top of it (e.g. the paramiko developers). We've recently added the Crypto.Cipher.PKCS1_OAEP and Crypto.Signature.PKCS1_PSS modules, so that we can at least tell people to use those instead of the raw RSA primitive.

Crypto.PublicKey.ElGamal is similar. It implements textbook ElGamal, by design. This is known, and while it's an unfortunate design decision, it's probably not going to change any time soon. We assume that application developers are implementing standard protocols with an appropriate level of understanding of what's going on, and with some interoperability testing (if they're not doing this already, they're screwed anyway). We should probably implement some sort of standard padding scheme on top of the ElGamal primitive, like we did with RSA. (Is there even a standard padding scheme for ElGamal?)

I'd like to focus the discussion on vulnerabilities, if any, under the assumption that textbook ElGamal is *not* being used. Can any of you comment on that?

Also, does anyone object if I make this bug report public? The fact that PyCrypto implements textbook ElGamal isn't new, and since I only released PyCrypto 2.6 a few days ago, I don't see any reason to keep this secret.

I understood that there are raw and low-level materials (RSA and ElGamal) in implementation and we will make high-level schemes (RSA_OAEP and someone).
If the textbook ElGamal is not being used, I have no comments on this issue.

Thanks.

You mentioned, "the problems arise from the patch #985164". What did you mean by that? Does any of that still apply?

Legrandin, do you understand this?

The patch repairs the unexpected small subgroup problem.
But attack 1 in #0 arises partly from the choice of the patch generating a primitive g, i.e., g's order is 2q.

Xagawa points out a very valid problem.

I wonder how sever it is in practice though.
Leakage of K's parity should not be a devastating problem since it is not sufficient to break the scheme (although it is known that leakage of just a few more bits is, see the other Nguyen's paper). Leakage of (M | p) depends on how M is encoded, which could be seen as something the padding scheme should take care of (that is, the fact that plaintext should always be a QR).
Leakage of x's parity is the most worrying to me, but I cannot come up with any practical attack right now.

Having said that, this to me looks like an intrinsic property (or limitation) of Elgamal.
In other words, a scheme where g has order smaller than phi(p) is not Elgamal anymore, but a variant of it.
Since such g cannot be a QR, this problem cannot really be solved...

Finally, it's worth noting that all problems apply to "raw" RSA too (e.g. I can tell the parity of the plaintext from the ciphertext and I always know the parity of the private key).

OK, I'm marking this bug as public and closing it for now. Feel free to reopen it, or open related bugs (e.g. documentation), if you think that's appropriate.

I've added ElGamal padding to the wishlist: https://bugs.launchpad.net/pycrypto/+bug/1005873

I should also mention: Thanks, xagawa, for the bug report. It's always helpful when people report these sorts of things.

Cheers,
- Dwayne