def test_generate_safe_prime(self):
p = generate_probable_safe_prime(exact_bits=161)
self.assertEqual(p.size_in_bits(), 161)
def generate(bits, randfunc):
"""Randomly generate a fresh, new ElGamal key.
The key will be safe for use for both encryption and signature
(although it should be used for **only one** purpose).
Args:
bits (int):
Key length, or size (in bits) of the modulus *p*.
The recommended value is 2048.
randfunc (callable):
Random number generation function; it should accept
a single integer *N* and return a string of random
*N* random bytes.
Return:
an :class:`ElGamalKey` object
"""
obj = ElGamalKey()
# Generate a safe prime p
# See Algorithm 4.86 in Handbook of Applied Cryptography
obj.p = generate_probable_safe_prime(exact_bits=bits, randfunc=randfunc)
q = (obj.p - 1) >> 1
# Generate generator g
# See Algorithm 4.80 in Handbook of Applied Cryptography
# Note that the order of the group is n=p-1=2q, where q is prime
while 1:
# We must avoid g=2 because of Bleichenbacher's attack described
# in "Generating ElGamal signatures without knowning the secret key",
# 1996
#
obj.g = Integer.random_range(min_inclusive=3,
max_exclusive=obj.p,
randfunc=randfunc)
safe = 1
if pow(obj.g, 2, obj.p) == 1:
safe = 0
if safe and pow(obj.g, q, obj.p) == 1:
safe = 0
# Discard g if it divides p-1 because of the attack described
# in Note 11.67 (iii) in HAC
if safe and (obj.p - 1) % obj.g == 0:
safe = 0
# g^{-1} must not divide p-1 because of Khadir's attack
# described in "Conditions of the generator for forging ElGamal
# signature", 2011
ginv = obj.g.inverse(obj.p)
if safe and (obj.p - 1) % ginv == 0:
safe = 0
if safe:
break
# Generate private key x
obj.x = Integer.random_range(min_inclusive=2,
max_exclusive=obj.p - 1,
randfunc=randfunc)
# Generate public key y
obj.y = pow(obj.g, obj.x, obj.p)
return obj
def generate(bits, randfunc):
"""Randomly generate a fresh, new ElGamal key.
The key will be safe for use for both encryption and signature
(although it should be used for **only one** purpose).
Args:
bits (int):
Key length, or size (in bits) of the modulus *p*.
The recommended value is 2048.
randfunc (callable):
Random number generation function; it should accept
a single integer *N* and return a string of random
*N* random bytes.
Return:
an :class:`ElGamalKey` object
"""
obj=ElGamalKey()
# Generate a safe prime p
# See Algorithm 4.86 in Handbook of Applied Cryptography
obj.p = generate_probable_safe_prime(exact_bits=bits, randfunc=randfunc)
q = (obj.p - 1) >> 1
# Generate generator g
while 1:
# Choose a square residue; it will generate a cyclic group of order q.
obj.g = pow(Integer.random_range(min_inclusive=2,
max_exclusive=obj.p,
randfunc=randfunc), 2, obj.p)
# We must avoid g=2 because of Bleichenbacher's attack described
# in "Generating ElGamal signatures without knowning the secret key",
# 1996
if obj.g in (1, 2):
continue
# Discard g if it divides p-1 because of the attack described
# in Note 11.67 (iii) in HAC
if (obj.p - 1) % obj.g == 0:
continue
# g^{-1} must not divide p-1 because of Khadir's attack
# described in "Conditions of the generator for forging ElGamal
# signature", 2011
ginv = obj.g.inverse(obj.p)
if (obj.p - 1) % ginv == 0:
continue
# Found
break
# Generate private key x
obj.x = Integer.random_range(min_inclusive=2,
max_exclusive=obj.p-1,
randfunc=randfunc)
# Generate public key y
obj.y = pow(obj.g, obj.x, obj.p)
return obj
def test_generate_safe_prime(self):
p = generate_probable_safe_prime(exact_bits=161)
self.assertEqual(p.size_in_bits(), 161)
def generate(bits, randfunc):
"""Randomly generate a fresh, new ElGamal key.
The key will be safe for use for both encryption and signature
(although it should be used for **only one** purpose).
:Parameters:
bits : int
Key length, or size (in bits) of the modulus *p*.
Recommended value is 2048.
randfunc : callable
Random number generation function; it should accept
a single integer N and return a string of random data
N bytes long.
:attention: You should always use a cryptographically secure random number generator,
such as the one defined in the ``Cryptodome.Random`` module; **don't** just use the
current time and the ``random`` module.
:Return: An ElGamal key object (`ElGamalKey`).
"""
obj=ElGamalKey()
# Generate a safe prime p
# See Algorithm 4.86 in Handbook of Applied Cryptography
obj.p = generate_probable_safe_prime(exact_bits=bits, randfunc=randfunc)
q = (obj.p - 1) >> 1
# Generate generator g
# See Algorithm 4.80 in Handbook of Applied Cryptography
# Note that the order of the group is n=p-1=2q, where q is prime
while 1:
# We must avoid g=2 because of Bleichenbacher's attack described
# in "Generating ElGamal signatures without knowning the secret key",
# 1996
#
obj.g = Integer.random_range(min_inclusive=3,
max_exclusive=obj.p,
randfunc=randfunc)
safe = 1
if pow(obj.g, 2, obj.p)==1:
safe=0
if safe and pow(obj.g, q, obj.p)==1:
safe=0
# Discard g if it divides p-1 because of the attack described
# in Note 11.67 (iii) in HAC
if safe and (obj.p-1) % obj.g == 0:
safe=0
# g^{-1} must not divide p-1 because of Khadir's attack
# described in "Conditions of the generator for forging ElGamal
# signature", 2011
ginv = obj.g.inverse(obj.p)
if safe and (obj.p-1) % ginv == 0:
safe=0
if safe:
break
# Generate private key x
obj.x = Integer.random_range(min_inclusive=2,
max_exclusive=obj.p-1,
randfunc=randfunc)
# Generate public key y
obj.y = pow(obj.g, obj.x, obj.p)
return obj