Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes:
> Why would a DH key exchange need the larger group but a DSA signature be secure with the smaller group?
I think the main point of the smaller group in DSA is to get small signatures.
And discrete logs in the large group and discrete logs in the small subgroup are of comparable difficulty, because there's more structure in the larger group ("index calculus" is the name of the trick, iirc).
For DH, I don't think there's any particular reason to prefer to work in a small subgroup. But I may be missing something, of course.
Regards, /Niels
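The point about signature size, as an added example that is not part of the original message: a toy DSA in Python in which the exponentiation runs modulo the large prime p but both signature components are reduced modulo the subgroup order q. The sizes (1024-bit p, 160-bit q), every function name and the seeded `random` generator are assumptions of this example, chosen for a repeatable demo and not suitable for real keys.

```python
import hashlib, random
rng = random.Random(1)  # fixed seed: repeatable demo only, never for real keys

def is_prime(n, rounds=20):  # Miller-Rabin, probabilistic
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    s = ((n - 1) & -(n - 1)).bit_length() - 1  # n - 1 = d * 2**s with d odd
    d = (n - 1) >> s
    def composite(a):  # True when base a proves n composite
        x = pow(a, d, n)
        return x not in (1, n - 1) and all(pow(x, 2**i, n) != n - 1 for i in range(1, s))
    return not any(composite(rng.randrange(2, n - 1)) for _ in range(rounds))

def gen_params(pbits, qbits):
    """Primes p, q with q | p-1, and g of order q mod p (the small subgroup)."""
    p = q = 0
    while not is_prime(q):
        q = rng.getrandbits(qbits) | (1 << (qbits - 1)) | 1
    while p.bit_length() != pbits or not is_prime(p):
        x = rng.getrandbits(pbits) | (1 << (pbits - 1))
        p = x - x % (2 * q) + 1  # forces p = 1 (mod 2q), so q divides p - 1
    g = next(v for v in (pow(h, (p - 1) // q, p) for h in range(2, p)) if v != 1)
    return p, q, g

def digest(msg, q):  # leftmost bits of SHA-256, cut to the size of q
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> max(0, 256 - q.bit_length())

def sign(msg, p, q, g, x):
    while True:
        k = rng.randrange(1, q)   # per-signature secret
        r = pow(g, k, p) % q      # exponentiation mod p, result reduced mod q
        s = pow(k, -1, q) * (digest(msg, q) + x * r) % q
        if r and s:
            return r, s           # both values are below q, whatever the size of p

def verify(msg, r, s, p, q, g, y):
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    return pow(g, digest(msg, q) * w % q, p) * pow(y, r * w % q, p) % p % q == r

def demo(pbits=1024, qbits=160, msg=b"constructed sample message"):
    p, q, g = gen_params(pbits, qbits)
    x = rng.randrange(1, q)  # private key; the public key is y = g^x mod p
    sig = sign(msg, p, q, g, x)
    return p.bit_length(), max(v.bit_length() for v in sig), verify(msg, *sig, p, q, g, pow(g, x, p))

if __name__ == "__main__":
    print(demo())  # (bits in p, bits in the larger of r and s, signature verifies)
```

With these sizes the pair (r, s) fits in 320 bits, whereas a value in the full group modulo p, such as a DH public value, needs 1024 bits.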