| 2012-04-18 21:03:37 |
Legrandin |
description |
In the ElGamal schemes (for both encryption and decryption), g is supposed to be the generator of the entire Z^*_p group.
However, in the current implementation, g is more simply the generator of a random sub-group of Z^*_p.
The order of such sub-group may be smaller than p-1, and since there are not constraints or checks on the factorization of p-1, the order may be *much* smaller than what it should be.
To say, if I limit the bit size to 8 bits, I get p=211 and g=107. The order of g is 42, much less than the expected (and "secure") 210! |
In the ElGamal schemes (for both encryption and signatures), g is supposed to be the generator of the entire Z^*_p group.
However, in the current implementation, g is more simply the generator of a random sub-group of Z^*_p.
The order of such sub-group may be smaller than p-1, and since there are not constraints or checks on the factorization of p-1, the order may be *much* smaller than what it should be.
To say, if I limit the bit size to 8 bits, I get p=211 and g=107. The order of g is 42, much less than the expected (and "secure") 210! |
|
