--- lib/Crypto/PublicKey/ElGamal.py

+++ lib/Crypto/PublicKey/ElGamal.py

@@ -153,33 +153,33 @@ def generate(bits, randfunc, progress_fu

         if number.isPrime(obj.p, randfunc=randfunc):

             break

     # Generate generator g

-    # See Algorithm 4.80 in Handbook of Applied Cryptography

-    # Note that the order of the group is n=p-1=2q, where q is prime

     if progress_func:

         progress_func('g\n')

     while 1:

+        # Choose a square residue; it will generate a cyclic group of order q.

+        obj.g = pow(number.getRandomRange(2, obj.p, randfunc), 2, obj.p)

+

         # We must avoid g=2 because of Bleichenbacher's attack described

         # in "Generating ElGamal signatures without knowning the secret key",

         # 1996

-        #

-        obj.g = number.getRandomRange(3, obj.p, randfunc)

-        safe = 1

-        if pow(obj.g, 2, obj.p)==1:

-            safe=0

-        if safe and pow(obj.g, q, obj.p)==1:

-            safe=0

+        if obj.g in (1, 2):

+            continue

+

         # Discard g if it divides p-1 because of the attack described

         # in Note 11.67 (iii) in HAC

-        if safe and divmod(obj.p-1, obj.g)[1]==0:

-            safe=0

+        if (obj.p - 1) % obj.g == 0:

+            continue

+

         # g^{-1} must not divide p-1 because of Khadir's attack

         # described in "Conditions of the generator for forging ElGamal

         # signature", 2011

         ginv = number.inverse(obj.g, obj.p)

-        if safe and divmod(obj.p-1, ginv)[1]==0:

-            safe=0

-        if safe:

-            break

+        if (obj.p - 1) % ginv == 0:

+            continue

+

+        # Found

+        break

+

     # Generate private key x

     if progress_func:

         progress_func('x\n')