|
|
- --- a/lib/Crypto/PublicKey/ElGamal.py
- +++ b/lib/Crypto/PublicKey/ElGamal.py
- @@ -153,33 +153,33 @@ def generate(bits, randfunc, progress_fu
- if number.isPrime(obj.p, randfunc=randfunc):
- break
- # Generate generator g
- - # See Algorithm 4.80 in Handbook of Applied Cryptography
- - # Note that the order of the group is n=p-1=2q, where q is prime
- if progress_func:
- progress_func('g\n')
- while 1:
- + # Choose a square residue; it will generate a cyclic group of order q.
- + obj.g = pow(number.getRandomRange(2, obj.p, randfunc), 2, obj.p)
- +
- # We must avoid g=2 because of Bleichenbacher's attack described
- # in "Generating ElGamal signatures without knowning the secret key",
- # 1996
- - #
- - obj.g = number.getRandomRange(3, obj.p, randfunc)
- - safe = 1
- - if pow(obj.g, 2, obj.p)==1:
- - safe=0
- - if safe and pow(obj.g, q, obj.p)==1:
- - safe=0
- + if obj.g in (1, 2):
- + continue
- +
- # Discard g if it divides p-1 because of the attack described
- # in Note 11.67 (iii) in HAC
- - if safe and divmod(obj.p-1, obj.g)[1]==0:
- - safe=0
- + if (obj.p - 1) % obj.g == 0:
- + continue
- +
- # g^{-1} must not divide p-1 because of Khadir's attack
- # described in "Conditions of the generator for forging ElGamal
- # signature", 2011
- ginv = number.inverse(obj.g, obj.p)
- - if safe and divmod(obj.p-1, ginv)[1]==0:
- - safe=0
- - if safe:
- - break
- + if (obj.p - 1) % ginv == 0:
- + continue
- +
- + # Found
- + break
- +
- # Generate private key x
- if progress_func:
- progress_func('x\n')
|
