6 Sep 2015, 8:27 a.m.
On Sun, Sep 06, 2015 at 07:56:07AM +0000, Peter Gutmann wrote:
> I haven't seen anything about this (so far) that doesn't class it as a purely certificational weakness. Consider the following equivalent of the flaw, but
OK, you might be right.

Summary of my verbiage on this list is here:
https://j.ludost.net/blog/archives/2015/09/05/rfc-2631_fips_186-3_and_openss...

besides DH:

2) openssl 1.0.1p accepts composite $q$ in DSA
3) fips 160? forces small subgroup as low as 160 bits and openssl 1.0.1p insists on this.

To repeat, the DL is subexponential in the whole group of order $p-1$ and I don't exclude the possibility that it is easier in the small forced subgroup.

Have fun,
--
georgi