In addition to the below audit feedback, the Paillier modulus N should be computed from two safe primes. Moreover, the primes P, Q should be safe primes with “large” difference (at least 1020-bit P-Q) to prevent square-root attacks.
It seems the function GetRandomGeneratorOfTheQuadraticResidue() used in GenerateNTildei() works only if its input is the product of two safe primes, that is, primes of the form p = 2q+1 for q another prime. But the primes used in GenerateNTildei() come from its arguments, and in keygen/round_1.go it appears the primes generated using rsa.GenerateMultiPrimeKey() are not safe primes.
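As an added example (not code from the project or the audit; the function names are my own), here is a Go check for the two properties requested above, using only crypto/rand and math/big: both P and Q must be safe primes, and |P-Q| must be at least a given number of bits (1020 for the modulus size in the issue). GenerateSafePrime shows the extra primality test on 2q+1 that ordinary RSA prime generation does not perform.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
)

const primeRounds = 20 // extra Miller-Rabin rounds on top of Baillie-PSW
// IsSafePrime reports whether p is a safe prime: p and (p-1)/2 both prime.
func IsSafePrime(p *big.Int) bool {
	if p.Sign() <= 0 || !p.ProbablyPrime(primeRounds) {
		return false
	}
	q := new(big.Int).Sub(p, big.NewInt(1))
	return q.Rsh(q, 1).ProbablyPrime(primeRounds) // q = (p-1)/2
}

// DifferenceBits returns the bit length of |p-q|.
func DifferenceBits(p, q *big.Int) int {
	d := new(big.Int).Sub(p, q)
	return d.Abs(d).BitLen()
}

// CheckPaillierPrimes enforces both properties asked for above: P and Q are
// safe primes and |P-Q| has at least minDiffBits bits (1020 in the issue).
func CheckPaillierPrimes(p, q *big.Int, minDiffBits int) error {
	if !IsSafePrime(p) || !IsSafePrime(q) {
		return fmt.Errorf("P and Q must both be safe primes")
	}
	if n := DifferenceBits(p, q); n < minDiffBits {
		return fmt.Errorf("|P-Q| is only %d bits, need at least %d", n, minDiffBits)
	}
	return nil
}

// GenerateSafePrime draws random (bits-1)-bit primes q until p = 2q+1 is also
// prime; p then has exactly `bits` bits (plain RSA keygen skips this test).
func GenerateSafePrime(bits int) (*big.Int, error) {
	for {
		q, err := rand.Prime(rand.Reader, bits-1)
		if err != nil {
			return nil, err
		}
		p := new(big.Int).Lsh(q, 1)
		if p.Add(p, big.NewInt(1)).ProbablyPrime(primeRounds) {
			return p, nil
		}
	}
}
```

Generating 1024-bit safe primes with this loop takes far longer than the small sizes used in testing, which is the usual reason generic keygen routines avoid them.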
@notatestuser would you happen to have a link to any sources that say that Paillier must have safe primes $p$ and $q$? Can't find this mentioned anywhere but here.