On Sun, Sep 06, 2015 at 07:56:07AM +0000, Peter Gutmann wrote:
>
> I haven't seen anything about this (so far) that doesn't class it as a purely
> certificational weakness. Consider the following equivalent of the flaw, but
OK, you might be right.

Summary of my verbiage on this list is here:
https://j.ludost.net/blog/archives/2015/09/05/rfc-2631_fips_186-3_and_openssls_implementation_of_dsa_appear_broken_and_possibly_backdoored/index.html

Besides DH:

2) openssl 1.0.1p accepts composite $q$ in DSA
3) fips 160? forces small subgroup as low as 160 bits and openssl 1.0.1p insists on this.

To repeat, the DL is subexponential in the whole group of order $p-1$ and I don't exclude the possibility that it is easier in the small forced subgroup.

Have fun,
--
georgi
