ElGamal decryption vulnerable to side channel attacks
Bug #1077835 reported by Legrandin
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Python-Crypto | Fix Committed | Undecided | Unassigned | |
Bug Description
The ElGamal decryption is vulnerable to side channel attacks such as the one recently described here (for libgcrypt):
http://
The problem is that ElGamal.decrypt() does:
`ax=pow(M[0], self.x, self.p)`
where M[0] is controlled by the attacker and self.x is the private key.
A tentative patch is available here:
https:/
It adds randomized message blinding to all decryptions, similarly to RSA.
I am not sure it is the best way, but it's a start.
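Added example, not code from the bug report or from pycrypto: a pure-Python sketch of the two decryption paths the report contrasts. The unblinded path raises the attacker-chosen base directly to the private exponent; the blinded path first multiplies the base by g^r for a fresh random r, so the exponentiation never sees the attacker's value, and then removes the blinding factor y^r from the result. The prime and base are constructed for the demonstration only, and the function names are assumptions.

```python
import secrets

# Toy group, constructed for this demonstration only: a known prime
# (the secp256k1 field prime) with a fixed base. A real deployment uses a
# vetted safe-prime group with an appropriate generator.
P = 2**256 - 2**32 - 977
G = 3


def rand_exponent():
    """Uniform random exponent in [2, P-2]."""
    return 2 + secrets.randbelow(P - 3)


def keygen():
    x = rand_exponent()          # private key
    y = pow(G, x, P)             # public key y = g^x mod p
    return x, y


def encrypt(y, m):
    k = rand_exponent()
    c1 = pow(G, k, P)
    c2 = (m * pow(y, k, P)) % P
    return c1, c2


def decrypt_unblinded(x, c):
    # The pattern the report describes: secret exponent x applied directly
    # to c1, which the attacker chooses.
    c1, c2 = c
    ax = pow(c1, x, P)
    return (c2 * pow(ax, -1, P)) % P


def decrypt_blinded(x, y, c):
    # Randomized message blinding: exponentiate (c1 * g^r) instead of c1.
    c1, c2 = c
    r = rand_exponent()
    c1_blind = (c1 * pow(G, r, P)) % P
    ax = pow(c1_blind, x, P)               # = c1^x * y^r  (since g^(rx) = y^r)
    m_blind = (c2 * pow(ax, -1, P)) % P    # = m * y^(-r)
    return (m_blind * pow(y, r, P)) % P    # strip the blinding factor


def roundtrip_matches(m):
    """Both paths must recover m; only the blinded one hides the base."""
    x, y = keygen()
    c = encrypt(y, m)
    return decrypt_unblinded(x, c) == m == decrypt_blinded(x, y, c)
```

The blinding costs one extra exponentiation with the public key per decryption, the same trade-off RSA blinding makes.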
Committed to master branch: https://github.com/dlitz/pycrypto/commit/ce92486a1d8a4abbff2d40b2be737ca09dd98c6a