[pycrypto] PyCrypto ElGamal code questions/comments
Legrandin
gooksankoo at hoiptorrow.mailexpire.com
Sun Aug 5 09:55:25 EDT 2012
Hi Yaron,
Some comments inline:
> * The documentation of "generate" says that randfunc returns X random
> bytes. I think this should be bits.
>
I am not 100% sure, but a common idiom in pycrypto is:
"
if randfunc is None:
    randfunc = Random.new().read
"
so randfunc(N) returns N bytes of full entropy.
> * The "generate" function is way too conservative. We construct p as
> 2*q+1, where both p and q are prime. This makes p a classic "safe
> prime". It also makes two of the checks redundant: g cannot divide
> p-1, because only 2 and q divide it. g cannot be 2, and most likely
> will not be q during the lifetime of the universe. I believe that
> similarly, g**-1 cannot divide p-1, but my algebra skills are too
> rusty to prove it.
>
I contributed to that part with a patch. My intention was actually to list
in the loop
as many criteria as possible that a generator safe for both Elgamal
encryption and Elgamal signatures (because .generate() does not know how
the key will be used) must fulfill.
It's true they are redundant in practice, but I think it's good to leave a
track behind with the general conditions that one must check, regardless of
how the domain parameters are computed.
> * For the same reasons, there is no need for the loop when
> constructing K (the secret parameter), e.g. on line #342. You just
> need to ensure that it is an odd number, otherwise its GCD with p-1
> would be 2. So choose a random t, 2 < t < q-1, and let K=2*t+1. No
> need for a loop or for the GCD calculation.
>
In the _sign() method I see only a loop to ensure that residues remain in
the range 0..p-1. The loop does not contribute to GCD computation.
> * An important check is missing: the message M needs to be less than
> p, both when signing and certainly when encrypting it.
>
True. Note that M must not be the message when signing with PyCrypto's
Elgamal. It must really be the cryptographic hash of the message.
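The points raised in this exchange (a safe prime p = 2q+1, explicit generator checks, a signing nonce K coprime to p-1, and signing a hash that is strictly less than p) fit together in the small, self-contained ElGamal signature example below. It is added here for illustration and is not PyCrypto's code nor code from either poster; the 9-bit safe prime 467 = 2*233+1 is a constructed toy parameter, and mapping the hash to a value below p by keeping its leftmost bits is this example's own assumption (DSA-style truncation), not PyCrypto's behaviour.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy domain parameters: q = 233 is prime, so p = 2q + 1 = 467
# is a "safe prime". Real deployments use primes of 2048 bits or more.
Q = 233
P = 2 * Q + 1


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin probable-prime test, enough for this toy example."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def find_generator(p: int, q: int) -> int:
    """Return a generator of the full group Z_p^* for a safe prime p = 2q+1.
    The group order is 2q, so g generates it iff g^2 != 1 and g^q != 1 (mod p).
    These are the general conditions spelled out rather than assumed."""
    assert p == 2 * q + 1 and is_probable_prime(p) and is_probable_prime(q)
    for g in range(2, p - 1):
        if pow(g, 2, p) != 1 and pow(g, q, p) != 1:
            return g
    raise ValueError("no generator found")


def check_message_range(m: int, p: int) -> bool:
    """The check the thread says is missing: M must satisfy 0 <= M < p."""
    return 0 <= m < p


def hash_to_int(message: bytes, p: int) -> int:
    """Sign the hash of the message, never the message itself. The SHA-256
    digest is truncated to its leftmost bit_length(p)-1 bits so that the
    result is below p (an assumption of this example, not PyCrypto's API)."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return digest >> max(0, 256 - (p.bit_length() - 1))


def keygen(p: int, g: int):
    """Private key x in [1, p-2], public key y = g^x mod p."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)


def sign(m: int, x: int, p: int, g: int):
    """ElGamal signature (r, s) on an integer M that is already a hash < p."""
    if not check_message_range(m, p):
        raise ValueError("M must satisfy 0 <= M < p")
    while True:
        # k must be invertible mod p-1. For p = 2q+1 that means k odd and
        # k != q; the gcd check enforces it without relying on the structure.
        k = secrets.randbelow(p - 2) + 1
        if gcd(k, p - 1) == 1:
            break
    r = pow(g, k, p)
    s = ((m - x * r) * pow(k, -1, p - 1)) % (p - 1)
    if s == 0:                                    # degenerate nonce, retry
        return sign(m, x, p, g)
    return r, s


def verify(m: int, sig, y: int, p: int, g: int) -> bool:
    """Accept iff y^r * r^s == g^M (mod p) with r, s, M in range."""
    r, s = sig
    if not (0 < r < p and 0 < s < p - 1 and check_message_range(m, p)):
        return False
    return (pow(y, r, p) * pow(r, s, p)) % p == pow(g, m, p)


def demo(message: bytes = b"constructed sample message"):
    """Sign and verify, then show a different M fails under the same signature."""
    g = find_generator(P, Q)
    x, y = keygen(P, g)
    m = hash_to_int(message, P)
    sig = sign(m, x, P, g)
    return verify(m, sig, y, P, g), verify((m + 1) % P, sig, y, P, g)


if __name__ == "__main__":
    print(demo())
```

The gcd loop in sign() is kept deliberately: with p-1 = 2q it would be enough to require K odd and K != q, but checking gcd(K, p-1) == 1 directly is the condition that stays correct whatever way the domain parameters were produced.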