20120418 21:03:37 
Legrandin 
description 
In the ElGamal schemes (for both encryption and decryption), g is supposed to be the generator of the entire Z^*_p group.
However, in the current implementation, g is more simply the generator of a random subgroup of Z^*_p.
The order of such a subgroup may be smaller than p-1, and since there are no constraints or checks on the factorization of p-1, the order may be *much* smaller than what it should be.
To say, if I limit the bit size to 8 bits, I get p=211 and g=107. The order of g is 42, much less than the expected (and "secure") 210! 
In the ElGamal schemes (for both encryption and signatures), g is supposed to be the generator of the entire Z^*_p group.
However, in the current implementation, g is more simply the generator of a random subgroup of Z^*_p.
The order of such a subgroup may be smaller than p-1, and since there are no constraints or checks on the factorization of p-1, the order may be *much* smaller than what it should be.
To say, if I limit the bit size to 8 bits, I get p=211 and g=107. The order of g is 42, much less than the expected (and "secure") 210! 
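
The check the report says is missing can be written as follows. This is an added example, not code from the report or from the library it describes: it computes the order of g in Z^*_p from the factorization of p-1 and compares the worst case for an unchecked g under an arbitrary prime and under a safe prime. The function names are hypothetical, and 227 = 2*113 + 1 is a constructed safe prime.

```python
def prime_factors(n):
    """Distinct prime factors by trial division (adequate for demo-sized n only)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def element_order(g, p):
    """Multiplicative order of g in Z^*_p for prime p.

    The order divides p-1, so start there and strip every prime factor q
    for which g^(order/q) is still 1.
    """
    order = p - 1
    for q in prime_factors(p - 1):
        while order % q == 0 and pow(g, order // q, p) == 1:
            order //= q
    return order


def is_generator(g, p):
    """True iff g generates all of Z^*_p, i.e. its order is exactly p-1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


def min_order(p):
    """Smallest order among candidates 2..p-2: the worst case for a g picked blindly."""
    return min(element_order(g, p) for g in range(2, p - 1))


if __name__ == "__main__":
    # p and g as quoted in the report; 227 is the constructed safe prime.
    print("order of 107 mod 211:", element_order(107, 211))
    print("107 generates Z^*_211:", is_generator(107, 211))
    print("worst-case order, p=211:", min_order(211))
    print("worst-case order, p=227:", min_order(227))
```

Run on the pair quoted in the report, `element_order(107, 211)` returns 5, since 107^5 ≡ 1 (mod 211), while 2 has the full order 210. With the safe prime 227, every candidate in 2..p-2 has order 113 or 226, so no small subgroup is reachable.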
