ElGamal key generation is broken
Bug #985164 reported by Legrandin
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Python-Crypto | Fix Released | High | Unassigned |
Bug Description
In the ElGamal schemes (for both encryption and signatures), g is supposed to be the generator of the entire Z^*_p group.
However, in the current implementation, g is more simply the generator of a random sub-group of Z^*_p.
The order of such a sub-group may be smaller than p-1, and since there are no constraints or checks on the factorization of p-1, the order may be *much* smaller than what it should be.
For instance, if I limit the bit size to 8 bits, I get p=211 and g=107. The order of g is 42, much less than the expected (and "secure") 210!
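The check the report calls for, as an added example that is not part of the original bug report or of the PyCrypto patch: it computes the multiplicative order of g modulo p from the factorization of p-1 and tests whether g generates all of Z^*_p, taking the report's p=211 and g=107 as input. The function names are hypothetical, and trial-division factoring is an assumption that only holds for toy-sized p.

```python
def prime_factors(n):
    """Distinct prime factors of n by trial division (toy sizes only)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def element_order(g, p):
    """Multiplicative order of g in Z^*_p, for prime p and g not divisible by p."""
    if g % p == 0:
        raise ValueError("g must be a unit modulo p")
    order = p - 1
    for q in prime_factors(p - 1):
        # Strip each factor q while g still maps to 1 at the smaller exponent.
        while order % q == 0 and pow(g, order // q, p) == 1:
            order //= q
    return order


def is_generator(g, p):
    """True iff g^((p-1)/q) != 1 for every prime q dividing p-1."""
    if g % p == 0:
        return False
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


def find_generator(p):
    """Smallest g that passes is_generator (hypothetical helper, toy sizes only)."""
    return next(g for g in range(2, p) if is_generator(g, p))


if __name__ == "__main__":
    p, g = 211, 107  # values quoted in the bug report
    print("order of g:", element_order(g, p), "group order:", p - 1)
    print("g generates Z^*_p:", is_generator(g, p))
    good = find_generator(p)
    print("a full-order generator:", good, "order:", element_order(good, p))
```

For real key sizes p-1 cannot be factored by trial division, so the factorization has to be known by construction when p is generated.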
visibility: private → public
description: updated
Changed in pycrypto:
importance: Undecided → High
status: New → In Progress
Patch available here:
https://github.com/Legrandin/pycrypto/commit/9f912f13df99ad3421eff360d6a62d7dbec755c2