On 12/06/2013 02:00 PM, Niels Möller wrote:
> Simplest would be to just drop these requirements from dsa_generate_keypair, and let it do whatever the caller asks for. Do you think that makes sense?
This seems reasonable to me, even for people who want to make DSA keys. If they want to follow the strict requirements about the sizes of p and q, they have all the tools at their disposal to follow them, and i'm not sure nettle should be enforcing that behavior.
> Do you need exactly the same thing for DH? I.e., a group of relatively small size q, which is a subgroup of Z_p^* for some much larger p?
> I imagine one might want to rather use primes like p = 2q + 1 or so, so the size q subgroup is almost as large as Z_p. I'm not sure the current code works with q_size = p_size-1.
Why would a DH key exchange need the larger group but a DSA signature be secure with the smaller group? This is a serious question and not a rhetorical one -- if you have a pointer to any sort of writeup that explains the difference of these two uses of the discrete log, i'd like to try to understand it. Sorry if this is a dumb question!
--dkg
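
The two parameter shapes discussed in this thread (a small prime-order subgroup q inside a much larger p, and p = 2q + 1 where q_size = p_size - 1), as an added Python example that is not part of the original message and is not nettle code. The function names and the toy-sized parameters are constructed for illustration; a caller that is free to pick any sizes would run checks like these itself.

```python
# Added example: validate and classify (p, q, g) discrete-log parameters.
# Toy-sized constructed values; real parameters are thousands of bits.

def is_prime(n):
    """Deterministic trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True

def find_generator(p, q):
    """Return g = h^((p-1)/q) mod p for the smallest h giving g != 1."""
    for h in range(2, p):
        g = pow(h, (p - 1) // q, p)
        if g != 1:
            return g  # q is prime and g != 1, so g has order exactly q
    raise ValueError("no generator found")

def check_group(p, q, g):
    """Describe the order-q subgroup of Z_p^* generated by g.

    Raises ValueError if (p, q, g) is not a valid prime-order subgroup.
    """
    if not (is_prime(p) and is_prime(q)):
        raise ValueError("p and q must both be prime")
    if (p - 1) % q != 0:
        raise ValueError("q must divide p - 1")
    if not 1 < g < p or pow(g, q, p) != 1:
        raise ValueError("g must have order exactly q")
    return {
        "p_bits": p.bit_length(),
        "q_bits": q.bit_length(),
        "cofactor": (p - 1) // q,        # index of the subgroup in Z_p^*
        "safe_prime": p == 2 * q + 1,    # the p = 2q + 1 shape
    }

# Constructed toy parameters (p, q).
SMALL_SUBGROUP = (607, 101)  # 607 = 6*101 + 1: small q inside a larger p
SAFE_PRIME = (227, 113)      # 227 = 2*113 + 1: q_size = p_size - 1

if __name__ == "__main__":
    for p, q in (SMALL_SUBGROUP, SAFE_PRIME):
        print(p, q, check_group(p, q, find_generator(p, q)))
```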