bnb-chain / tss-lib

Threshold Signature Scheme, for ECDSA and EDDSA
MIT License

KS-BTL-F-03: Not using safe primes (Paillier) #67

Status: closed (notatestuser closed this issue 4 years ago)

notatestuser commented 4 years ago

In addition to the below audit feedback, the Paillier modulus N should be computed from two safe primes. Moreover, the primes P, Q should be safe primes with “large” difference (at least 1020-bit P-Q) to prevent square-root attacks.

GetRandomGeneratorOfTheQuadraticResidue() assumes safe primes

It seems the function GetRandomGeneratorOfTheQuadraticResidue() used in GenerateNTildei() works only if its input is the product of two safe primes, that is, primes of the form p = 2q+1 for q another prime.

But the primes used in GenerateNTildei() come from its arguments, and in keygen/round_1.go it appears the primes generated using rsa.GenerateMultiPrimeKey() are not safe primes.
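
An added illustration of the property this finding rests on (example code written for this page, not tss-lib's own): when N = p*q with p, q safe primes, the quadratic residues mod N form a group of prime-product order p'q', so squaring a random unit yields a generator except with negligible probability, and that guarantee disappears for ordinary RSA primes. The helper names (isSafePrime, generateSafePrime, generatesQR) are assumed for the example and do not exist in tss-lib; the 64-bit size is a toy setting for speed.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
)

var one, two = big.NewInt(1), big.NewInt(2)

// isSafePrime reports whether p is prime and (p-1)/2 is prime as well.
func isSafePrime(p *big.Int) bool {
	return p.ProbablyPrime(20) && new(big.Int).Rsh(new(big.Int).Sub(p, one), 1).ProbablyPrime(20)
}

// generateSafePrime draws primes q until p = 2q+1 is prime too (slow at real key sizes).
func generateSafePrime(bits int) (*big.Int, error) {
	for {
		q, err := rand.Prime(rand.Reader, bits-1)
		if err != nil {
			return nil, err
		}
		if p := new(big.Int).Add(new(big.Int).Lsh(q, 1), one); p.ProbablyPrime(20) {
			return p, nil
		}
	}
}

// generatesQR: with p, q safe primes, |QR_N| = p'q' (p'=(p-1)/2, q'=(q-1)/2), so a
// square g generates QR_N iff g != 1, g^p' != 1 and g^q' != 1 (mod N).
func generatesQR(g, p, q *big.Int) bool {
	N := new(big.Int).Mul(p, q)
	pp := new(big.Int).Rsh(new(big.Int).Sub(p, one), 1)
	qq := new(big.Int).Rsh(new(big.Int).Sub(q, one), 1)
	return g.Cmp(one) != 0 && new(big.Int).Exp(g, pp, N).Cmp(one) != 0 &&
		new(big.Int).Exp(g, qq, N).Cmp(one) != 0
}

func main() {
	p, _ := generateSafePrime(64) // toy size; the audit asks for safe primes at Paillier key size
	q, _ := generateSafePrime(64)
	N := new(big.Int).Mul(p, q)
	h, _ := rand.Int(rand.Reader, N) // random element; its square is a QR, as in the audited helper
	g := new(big.Int).Exp(h, two, N)
	fmt.Println(isSafePrime(p), isSafePrime(q), generatesQR(g, p, q)) // true true true (barring a negligible-probability miss)
}
```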

bazzilic commented 2 years ago

@notatestuser would you happen to have a link to any sources that say that Paillier must have safe primes $p$ and $q$? Can't find this mentioned anywhere but here.