ElGamal key generation is broken
Bug #985164 reported by Legrandin
This bug affects 2 people
Affects: PythonCrypto
Status: Fix Released
Importance: High
Assigned to: Unassigned
Bug Description
In the ElGamal schemes (for both encryption and signatures), g is supposed to be the generator of the entire Z^*_p group.
However, in the current implementation, g is more simply the generator of a random subgroup of Z^*_p.
The order of such a subgroup may be smaller than p-1, and since there are no constraints or checks on the factorization of p-1, the order may be *much* smaller than what it should be.
To say, if I limit the bit size to 8 bits, I get p=211 and g=107. The order of g is 42, much less than the expected (and "secure") 210!
CVE References
visibility:  private → public 
description:  updated 
Changed in pycrypto:  
importance:  Undecided → High 
status:  New → In Progress 
Patch available here:
https://github.com/Legrandin/pycrypto/commit/9f912f13df99ad3421eff360d6a62d7dbec755c2
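
The subgroup-order problem from the bug description, as an added example (not PyCrypto code and not the linked patch): it computes element orders in Z^*_p and compares the report's 8-bit p=211, where p-1 is smooth, with a constructed safe prime p=227. All function names are hypothetical, and the trial-division factoring only suits small moduli.

```python
# Added illustration, not PyCrypto code. Trial-division factoring limits it
# to small moduli such as the 8-bit p = 211 quoted in the report.

def prime_factors(n):
    """Return the set of prime factors of n (trial division, small n only)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors

def multiplicative_order(g, p):
    """Order of g in Z_p^* for prime p, found by stripping primes from p-1."""
    if not 0 < g < p:
        raise ValueError("g must be in [1, p-1]")
    order = p - 1
    for q in prime_factors(p - 1):
        while order % q == 0 and pow(g, order // q, p) == 1:
            order //= q
    return order

def is_generator(g, p):
    """True only if g generates all of Z_p^* (order exactly p-1)."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))

def order_histogram(p):
    """Map each possible element order to the number of elements having it."""
    hist = {}
    for g in range(1, p):
        d = multiplicative_order(g, p)
        hist[d] = hist.get(d, 0) + 1
    return dict(sorted(hist.items()))

if __name__ == "__main__":
    # p = 211 is from the report; p - 1 = 210 = 2 * 3 * 5 * 7 is smooth.
    # p = 227 is a constructed safe prime: 227 = 2 * 113 + 1.
    for p in (211, 227):
        hist = order_histogram(p)
        print(f"p={p}: {hist[p - 1]} of {p - 1} elements generate Z_p^*")
        print(f"  orders -> counts: {hist}")
```

With a safe prime the only possible orders are 1, 2, q and 2q, so a randomly chosen g other than 1 and p-1 can never fall into a tiny subgroup; with a smooth p-1 most elements do not generate the full group.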