question on ElGamal implementation

NIIBE Yutaka gniibe at
Fri Sep 22 03:36:59 CEST 2017

Weikeng Chen <w.k at> wrote:
> I cannot find details in the source code that libGCrypt uses such a
> subgroup -- this seems not the best practice. I would like to raise
> this as an issue to discuss -- whether it is really using a secure
> subgroup for ElGamal.
> 1. [Correctness of my code reading] Is it due to my misunderstanding
> of the code and I made it wrong -- that libGCrypt is surely finding
> the good generator for that subgroup?

I think that your reading is correct.  In particular:

    Starting Ln 629, ... we are finding the primitive root of the group
    modulus $p$, not the subgroup.

This is correct.  (And... you can also test with running code, if

> 2. [Should we improve?] Why not prefer a better generator?

I think that it's good thing that the generator 'g' computed by
_gcry_generate_elg_prime will be the one of the subgroup (instead of the
one of multiplicative group of integers modulo p).
(Provided it is not patented.)

On the other hand, I don't think it is required, because "plaintext" to
be encrypted is usually random; It is used in a hybrid cryptosystem.

More information about the Gcrypt-devel mailing list