Comment 0 for bug 985164

Legrandin (gooksankoo) wrote :

In the ElGamal schemes (for both encryption and decryption), g is supposed to be the generator of the entire Z^*_p group.
However, in the current implementation, g is more simply the generator of a random sub-group of Z^*_p.
The order of such sub-group may be smaller than p-1, and since there are not constraints or checks on the factorization of p-1, the order may be *much* smaller than what it should be.

To say, if I limit the bit size to 8 bits, I get p=211 and g=107. The order of g is 42, much less than the expected (and "secure") 210!