hal at finney.org wrote:
> Oskar writes:
> > - I believe that Scott is already doing encryption in the node connection
> > process, and that he would use ElGamal using the same primitives as we
> > have for DSA.
>
> This is not always such a great idea. DSA keys are not particularly well
> suited for ElGamal and DH operations, although sometimes you can get away
> with it.
>
> The problem is that DSA keys use a relatively small subgroup of 160
> bits, and more specifically, that they don't care if (p-1)/2q has many
> small factors. This is not an issue for DSA signatures, but it turns
> out that some protocols can leak key information if this happens.
>
> The classic paper on this is Lim and Lee, "A Key Recovery Attack on
> Discrete Log-based Schemes Using a Prime Order Subgroup," from Crypto 97.
> Unfortunately I can't find it online. Actually I have a PDF of it from
> the Crypto proceedings CD-ROM. Darn, I can't find it. Well, I'll put
> it up if I do.
CiteSeer comes to the rescue: http://citeseer.nj.nec.com/lim97key.html

theo

_______________________________________________
Devl mailing list
Devl at freenetproject.org
http://www.uprizer.com/mailman/listinfo/devl
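As an added example, not code from the Freenet project or from anyone in this thread, the two checks Hal's point implies: profile how smooth the cofactor (p-1)/q of a DSA-style parameter set is, and apply the per-exchange subgroup membership test that removes the Lim-Lee issue even if the DSA primes are kept. The parameter values are constructed toy numbers so the cofactor can be factored inline; a real p is 1024 bits or more.

```python
# Added example, not Freenet code: parameter and public-value checks a defender
# would run before reusing DSA-style (p, q, g) parameters for DH or ElGamal.
# The numbers at the bottom are CONSTRUCTED toy values (real p is 1024+ bits).
from math import log2

def small_factors(n, bound=1000):
    """Trial-divide n by candidates below `bound`.
    Returns ({prime: exponent}, unfactored remainder)."""
    factors, d = {}, 2
    while d < bound and d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1 if d == 2 else 2
    if 1 < n < bound:                  # leftover is itself a small prime
        factors[n] = factors.get(n, 0) + 1
        n = 1
    return factors, n

def cofactor_profile(p, q, bound=1000):
    """Factor the cofactor h = (p-1)/q. Each small prime power r^e dividing h is a
    subgroup outside the intended order-q group; log2 of their product bounds how
    much of a secret exponent a peer skipping the membership check could learn."""
    if (p - 1) % q:
        raise ValueError("q must divide p-1")
    factors, rest = small_factors((p - 1) // q, bound)
    smooth = 1
    for r, e in factors.items():
        smooth *= r ** e
    return {"factors": factors, "smooth_part": smooth,
            "exposed_bits": log2(smooth), "unfactored": rest}

def in_prime_order_subgroup(y, p, q):
    """Public-value check that closes the hole whatever the cofactor looks like:
    1 < y < p-1 and y^q == 1 (mod p), i.e. y really lies in the order-q group."""
    return 1 < y < p - 1 and pow(y, q, p) == 1

def subgroup_generator(p, q, start=2):
    """Usual DSA construction: g = a^((p-1)/q) mod p for the first a giving g != 1."""
    h = (p - 1) // q
    for a in range(start, p):
        g = pow(a, h, p)
        if g != 1:
            return g
    raise ValueError("no generator of order q")

# Constructed DSA-style parameters: p = 4831 = 2*3*5*7*23 + 1, q = 23, so the
# cofactor is 210 and (p-1)/2q = 105 = 3*5*7, the shape Hal warns about.
P_DSA, Q = 4831, 23
P_SAFE = 47   # constructed safe prime with the same q: p = 2q + 1, cofactor 2
```

Running `cofactor_profile` on both primes shows the DSA-style set exposing about 7.7 bits per unchecked exchange against 1 bit for the safe prime, and `in_prime_order_subgroup` rejects values such as p-g (order 2q) that a bare range check would accept.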
