cipher: Fix ElGamal encryption for other implementations.
* cipher/elgamal.c (gen_k): Remove support of smaller K. (do_encrypt): Never use smaller K. (sign): Folllow the change of gen_k.
Cherry-pick master commit of:
This change basically reverts encryption changes in two commits:
Use of smaller K for ephemeral key in ElGamal encryption is only good,
when we can guarantee that recipient's key is generated by our
implementation (or compatible).
For detail, please see:
Luca De Feo, Bertram Poettering, Alessandro Sorniotti, "On the (in)security of ElGamal in OpenPGP"; in the proceedings of CCS'2021.
- GnuPG-bug-id: T5328
- Suggested-by: Luca De Feo, Bertram Poettering, Alessandro Sorniotti
- Signed-off-by: NIIBE Yutaka <email@example.com>