CVE-2021-40528

An attacker observes a single ElGamal ciphertext (Y, Z) produced by a sender using Libgcrypt (or a library with similar short-exponent, full-group-generator behavior) that was encrypted under a recipient's public key whose prime p–1 has small factors (e.g., a DSA-like or quasi-safe prime). Because the sender's ephemeral exponent y is short (≈344 bits for a 2048-bit p) and g generates the full group of order p–1, the attacker can apply Pohlig–Hellman to compute y modulo each small factor of p–1, then combine results via CRT and recover y with Baby-step giant-step. With y known, the attacker computes the shared secret X^y = Y^x and decrypts M = Z / X^y mod p. The attack requires no chosen ciphertexts, no side channel, and only one intercepted ciphertext [ref_id=1].

The vulnerability is in Libgcrypt's ElGamal implementation, which generates Lim–Lee primes, uses a full-group generator g (smallest integer ≥ 2 that generates the full group), and draws the ephemeral exponent y from a short interval (≈344 bits for a 2048-bit p). The specific functions are not named in the advisory, but the parameter choices are described in detail [ref_id=1].

The advisory does not include a patch diff, but the CVE description states the fix is in Libgcrypt before 1.9.4. The recommended remediation is to ensure that the ephemeral exponent y is sampled uniformly from the full range [1, p–1] (as the Go standard library does) or at least from an interval large enough to resist Pohlig–Hellman combined with Baby-step giant-step. Additionally, implementations should validate that the received public key's group order has no small factors or, alternatively, restrict the generator to a prime-order subgroup to eliminate the small-subgroup attack surface [ref_id=1].