1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
|
--- a/lib/Crypto/PublicKey/ElGamal.py
+++ b/lib/Crypto/PublicKey/ElGamal.py
@@ -153,33 +153,33 @@ def generate(bits, randfunc, progress_fu
if number.isPrime(obj.p, randfunc=randfunc):
break
# Generate generator g
- # See Algorithm 4.80 in Handbook of Applied Cryptography
- # Note that the order of the group is n=p-1=2q, where q is prime
if progress_func:
progress_func('g\n')
while 1:
+ # Choose a square residue; it will generate a cyclic group of order q.
+ obj.g = pow(number.getRandomRange(2, obj.p, randfunc), 2, obj.p)
+
# We must avoid g=2 because of Bleichenbacher's attack described
# in "Generating ElGamal signatures without knowning the secret key",
# 1996
- #
- obj.g = number.getRandomRange(3, obj.p, randfunc)
- safe = 1
- if pow(obj.g, 2, obj.p)==1:
- safe=0
- if safe and pow(obj.g, q, obj.p)==1:
- safe=0
+ if obj.g in (1, 2):
+ continue
+
# Discard g if it divides p-1 because of the attack described
# in Note 11.67 (iii) in HAC
- if safe and divmod(obj.p-1, obj.g)[1]==0:
- safe=0
+ if (obj.p - 1) % obj.g == 0:
+ continue
+
# g^{-1} must not divide p-1 because of Khadir's attack
# described in "Conditions of the generator for forging ElGamal
# signature", 2011
ginv = number.inverse(obj.g, obj.p)
- if safe and divmod(obj.p-1, ginv)[1]==0:
- safe=0
- if safe:
- break
+ if (obj.p - 1) % ginv == 0:
+ continue
+
+ # Found
+ break
+
# Generate private key x
if progress_func:
progress_func('x\n')
|
