[pycrypto] PyCrypto ElGamal code questions/comments

Yaron Sheffer yaronf.ietf at gmail.com
Mon Jul 9 02:38:11 EDT 2012


Hi,

I've been going over the code and I have a few questions. I realize that
only a few people are using this code, but hey, if it's good enough for a
recent CVE :-)

  * The documentation of "generate" says that randfunc returns X random
    bytes. I think this should be bits.
  * The "generate" function is way too conservative. We construct p as
    2*q+1, where both p and q are prime. This makes p a classic "safe
    prime". It also makes two of the checks redundant: g cannot divide
    p-1, because only 2 and q divide it. g cannot be 2, and most likely
    will not be q during the lifetime of the universe. I believe that
    similarly, g**-1 cannot divide p-1, but my algebra skills are too
    rusty to prove it.
  * For the same reasons, there is no need for the loop when
    constructing K (the secret parameter), e.g. on line #342. You just
    need to ensure that it is an odd number, otherwise its GCD with p-1
    would be 2. So choose a random t, 2 < t < q-1, and let K=2*t+1. No
    need for a loop or for the GCD calculation.
  * An important check is missing: the message M needs to be less than
    p, both when signing and certainly when encrypting it.

Thanks,

     Yaron
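
The following is an added example, not part of the original message and not PyCrypto code. On a constructed toy safe prime it lists every odd K that still shares a factor with p-1 (only K = q) and shows textbook ElGamal encryption silently reducing a message M >= p modulo p unless the range check is made. All names and parameter values (Q, P, the key 777, t = 123) are assumptions chosen for illustration.

```python
from math import gcd

# Constructed toy parameters, far too small for real use: Q and P = 2*Q + 1 are both prime.
Q = 1019
P = 2 * Q + 1

def is_prime(n):
    """Trial division, adequate for the toy sizes used here."""
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def non_invertible_odd_k(p):
    """Odd K in [1, p-2] that still share a factor with p-1."""
    return [k for k in range(1, p - 1, 2) if gcd(k, p - 1) != 1]

def find_generator(p, q):
    """Smallest g of order p-1: for a safe prime, g^2 != 1 and g^q != 1 suffice."""
    return next(g for g in range(2, p) if pow(g, 2, p) != 1 and pow(g, q, p) != 1)

def encrypt(m, y, g, p, k):
    """Textbook ElGamal encryption with no range check on m."""
    return pow(g, k, p), (m * pow(y, k, p)) % p

def encrypt_checked(m, y, g, p, k):
    """Same operation, but rejects messages outside [0, p)."""
    if not 0 <= m < p:
        raise ValueError("message must satisfy 0 <= M < p")
    return encrypt(m, y, g, p, k)

def decrypt(c1, c2, x, p):
    """Recover m = c2 * c1^(-x) mod p, using c1^(p-1-x) as the inverse."""
    return (c2 * pow(c1, p - 1 - x, p)) % p

def demo():
    g = find_generator(P, Q)
    x = 777                      # constructed private key
    y = pow(g, x, P)
    k = 2 * 123 + 1              # K = 2*t + 1 as proposed in the message
    oversized = P + 42           # violates M < p
    recovered = decrypt(*encrypt(oversized, y, g, P, k), x, P)
    return non_invertible_odd_k(P), gcd(k, P - 1), oversized, recovered

if __name__ == "__main__":
    print(demo())
```

The oversized message decrypts to a different value than was encrypted, which is the failure the missing M < p check would catch.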


