question on ElGamal implementation
gniibe at fsij.org
Fri Sep 22 03:36:59 CEST 2017
Weikeng Chen <w.k at berkeley.edu> wrote:
> I cannot find details in the source code that libGCrypt uses such a
> subgroup -- this seems not the best practice. I would like to raise
> this as an issue to discuss -- whether it is really using a secure
> subgroup for ElGamal.
> 1. [Correctness of my code reading] Is it due to my misunderstanding
> of the code and I made it wrong -- that libGCrypt is surely finding
> the good generator for that subgroup?
I think that your reading is correct. In particular:
Starting Ln 629, ... we are finding the primitive root of the group
modulus $p$, not the subgroup.
This is correct. (And... you can also test with running code, if
> 2. [Should we improve?] Why not prefer a better generator?
I think that it's good thing that the generator 'g' computed by
_gcry_generate_elg_prime will be the one of the subgroup (instead of the
one of multiplicative group of integers modulo p).
(Provided it is not patented.)
On the other hand, I don't think it is required, because "plaintext" to
be encrypted is usually random; It is used in a hybrid cryptosystem.
More information about the Gcrypt-devel