I was bit hasty making the random exponent 'k' a prime. Further researh
shows that Elgamal encryption has no specific needs in respect to k,
any random number is fine.
It is bit different for signing, there it needs to be 'relatively prime'
to p - 1, that means GCD(k, p-1) == 1, which is also a lot lighter than
full primality. As we don't do signing, this can be ignored.
This brings major speedup to Elgamal encryption.
Index: pgsql/contrib/pgcrypto/pgp-mpi-openssl.c
===================================================================
*** pgsql.orig/contrib/pgcrypto/pgp-mpi-openssl.c
--- pgsql/contrib/pgcrypto/pgp-mpi-openssl.c
*************** pgp_elgamal_encrypt(PGP_PubKey *pk, PGP_
*** 120,126 ****
* generate k
*/
k_bits = decide_k_bits(BN_num_bits(p));
! if (!BN_generate_prime(k, k_bits, 0, NULL, NULL, NULL, NULL))
goto err;
/*
--- 120,126 ----
* generate k
*/
k_bits = decide_k_bits(BN_num_bits(p));
! if (!BN_rand(k, k_bits, 0, 0))
goto err;
/*
--