> > This is not always such a great idea. DSA keys are not particularly well
> > suited for ElGamal and DH operations, although sometimes you can get away
> > with it.

We are using a global group for DH operations, independent of the node public key. We are sharing the primitives for DSA and ElGamal though, generated for DSA (since it has some stronger requirements for q and g).
> The problem is that DSA keys use a relatively small subgroup of 160
> bits, and more specifically, that they don't care if (p-1)/2q has many
> small factors. This is not an issue for DSA signatures, but it turns
> out that some protocols can leak key information if this happens.
>
> The classic paper on this is Lim and Lee, "A Key Recovery Attack on
> Discrete Log-based Schemes Using a Prime Order Subgroup," from Crypto 97.
> Unfortunately I can't find it online. Actually I have a PDF of it from
> the Crypto proceedings CD-ROM. Darn, I can't find it. Well, I'll put
> it up if I do.
>
> If Freenet uses random keys for the DH-exchange, and the DSA keys just
> to sign using DSA signatures, then it should be okay. Doing ElGamal
> with these keys can be risky, especially in an automated environment like
> Freenet. An attacker could hammer your node with connection attempts and
> see which ones decrypt properly for you, and in some cases this could leak
> a lot of information about a DSA key when used for ElGamal decryption,
> using the Lim and Lee technique. I can provide more information on the
> math if you want.
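The "hammer the node and see which attempts decrypt" attack described in the quoted message is the Lim-Lee small-subgroup key recovery. The toy below is an added illustration, not Freenet code and not anything the poster wrote: it builds a DSA-style group whose cofactor (p-1)/2q is deliberately stuffed with small primes (the assumption is a 20-bit q and the planted factors 3..23, so it runs instantly), gives the victim node a DSA private key x that it also uses for ElGamal decryption, and models the leak as an oracle answering whether a ciphertext decrypted to the expected constant. For each small prime w the attacker sends c1 = h (an element of order w) and c2 = h^t; decryption yields h^(t-x), which is the expected value exactly when t = x mod w, so at most w queries reveal x mod w, and the Chinese remainder theorem over all planted factors reconstructs x. The same code also shows the fix: refusing any c1 with c1^q != 1 mod p (i.e. outside the prime-order subgroup), which is the check a DSA-only signer never needs and an ElGamal decryptor must have.

```python
"""Toy Lim-Lee small-subgroup key recovery against an ElGamal decryption oracle.
Added illustration with tiny constructed parameters; not Freenet's code."""
import random
from math import prod

# Primes we plant in (p - 1) / 2q. A DSA generator does not forbid them; their
# product (9699690) exceeds our 20-bit q, so the leaked residues pin x down.
SMALL_FACTORS = [3, 5, 7, 11, 13, 17, 19, 23]


def is_prime(n):
    """Deterministic Miller-Rabin, exact for every n below 3.3e24."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if a % n == 0:
            continue
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def make_weak_params(rng, q_bits=20):
    """Return (p, q, g): p = 2*q*prod(SMALL_FACTORS) + 1 prime, g of order q."""
    cofactor = 2 * prod(SMALL_FACTORS)
    while True:
        q = rng.getrandbits(q_bits) | (1 << (q_bits - 1)) | 1
        if is_prime(q) and is_prime(cofactor * q + 1):
            break
    p = cofactor * q + 1
    for r in range(2, p):                      # DSA-style generator search
        g = pow(r, (p - 1) // q, p)
        if g != 1:
            return p, q, g


class Node:
    """Victim holding a DSA private key x that it also uses for ElGamal."""

    def __init__(self, p, q, g, rng, check_subgroup=False):
        self.p, self.q, self.g = p, q, g
        self.x = rng.randrange(1, q)           # private key in the order-q group
        self.check_subgroup = check_subgroup   # False reproduces the flaw
        self.queries = 0

    def decrypt_ok(self, c1, c2):
        """Oracle: did ElGamal decryption of (c1, c2) give the expected plaintext?
        The expected plaintext is the constant 1 (stand-in for a well-formed
        handshake). Accepting a c1 outside the order-q subgroup is the bug."""
        self.queries += 1
        if self.check_subgroup and pow(c1, self.q, self.p) != 1:
            return False                       # hardened: c1 must have order q
        s = pow(c1, self.x, self.p)
        return c2 * pow(s, -1, self.p) % self.p == 1


def element_of_order(p, w, rng):
    """Random element of prime order w (requires w | p - 1)."""
    while True:
        h = pow(rng.randrange(2, p - 1), (p - 1) // w, p)
        if h != 1:
            return h


def recover_residue(node, w, rng):
    """Learn x mod w with at most w queries: decryption of (h, h^t) is
    h^(t - x), which equals 1 iff t == x (mod w)."""
    h = element_of_order(node.p, w, rng)
    for t in range(w):
        if node.decrypt_ok(h, pow(h, t, node.p)):
            return t
    raise RuntimeError("oracle never accepted; subgroup check present?")


def crt(residues, moduli):
    """Combine x mod m_i (pairwise coprime) into (x mod M, M), M = prod(m_i)."""
    x, m_all = 0, 1
    for r, m in zip(residues, moduli):
        x += m_all * ((r - x) * pow(m_all, -1, m) % m)
        m_all *= m
    return x % m_all, m_all


def recover_key(node, rng, factors=SMALL_FACTORS):
    return crt([recover_residue(node, w, rng) for w in factors], factors)


def demo(seed=7):
    rng = random.Random(seed)
    p, q, g = make_weak_params(rng)
    victim = Node(p, q, g, rng)
    x_rec, m_all = recover_key(victim, rng)
    return {"p": p, "q": q, "x": victim.x, "recovered": x_rec,
            "modulus": m_all, "queries": victim.queries}


def hardened_rejects_probe(seed=7, w=3):
    """Same probes against a node that enforces c1^q == 1: nothing leaks."""
    rng = random.Random(seed)
    p, q, g = make_weak_params(rng)
    node = Node(p, q, g, rng, check_subgroup=True)
    h = element_of_order(p, w, rng)
    return not any(node.decrypt_ok(h, pow(h, t, p)) for t in range(w))


if __name__ == "__main__":
    r = demo()
    print(f"q={r['q']} x={r['x']} recovered={r['recovered']} (mod {r['modulus']}) "
          f"after {r['queries']} oracle queries")
    print("hardened node leaks nothing:", hardened_rejects_probe())
```

Running it recovers the whole 20-bit key with at most 98 oracle queries (the sum of the planted factors) instead of a 2^20 search. With a real 160-bit q the planted product will usually be smaller than q, in which case the attacker gets x mod M and finishes the remaining q/M-sized interval with a square-root-time search, which is why even a moderately smooth cofactor hurts. Generating fresh DH keys for the exchange, as the quoted message suggests, removes the long-term key from the oracle entirely; if the DSA key must also decrypt, the `check_subgroup` branch is the minimum check.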
