diff options
author | Legrandin <gooksankoo@hoiptorrow.mailexpire.com> | 2012-04-26 00:10:05 +0200 |
---|---|---|
committer | Legrandin <gooksankoo@hoiptorrow.mailexpire.com> | 2012-04-26 00:10:05 +0200 |
commit | ed2911838732eb40bd729b32e134b8947ebb005d (patch) | |
tree | 0d2cc64c39e3d6295bc749693be3064319733cf7 | |
parent | 6f312637208cc70b231892109564e2aebc92728a (diff) | |
download | pycrypto-ed2911838732eb40bd729b32e134b8947ebb005d.tar.gz |
Domain parameters for ElGamal and DSA can be freely shared. The message M to sign must really be hash.
-rw-r--r-- | lib/Crypto/PublicKey/DSA.py | 22 | ||||
-rw-r--r-- | lib/Crypto/PublicKey/ElGamal.py | 18 |
2 files changed, 26 insertions, 14 deletions
diff --git a/lib/Crypto/PublicKey/DSA.py b/lib/Crypto/PublicKey/DSA.py index 185ed01..d6bffd6 100644 --- a/lib/Crypto/PublicKey/DSA.py +++ b/lib/Crypto/PublicKey/DSA.py @@ -31,21 +31,26 @@ to find an integer *x* such that *g^x = h*. The problem is believed to be difficult, and it has been proved such (and therefore secure) for more than 30 years. -DSA is reasonably secure for new designs. - -The algorithm can only be used for authentication (digital signature). -DSA cannot be used for confidentiality (encryption). - The group is actually a sub-group over the integers modulo *p*, with *p* prime. The sub-group order is *q*, which is prime too; it always holds that *(p-1)* is a multiple of *q*. The cryptographic strength is linked to the magnitude of *p* and *q*. +The signer holds a value *x* (*0<x<q-1*) as private key, and its public +key (*y* where *y=g^x mod p*) is distributed. + In 2012, a sufficient size is deemed to be 2048 bits for *p* and 256 bits for *q*. For more information, see the most recent ECRYPT_ report. +DSA is reasonably secure for new designs. + +The algorithm can only be used for authentication (digital signature). +DSA cannot be used for confidentiality (encryption). + The values *(p,q,g)* are called *domain parameters*; they are not sensitive but must be shared by both parties (the signer and the verifier). +Different signers can share the same domain parameters with no security +concerns. -The DSA signature is twice as big the size of *q* (64 bytes if *q* is 256 bit +The DSA signature is twice as big as the size of *q* (64 bytes if *q* is 256 bit long). This module provides facilities for generating new DSA keys and for constructing @@ -141,9 +146,8 @@ class _DSAobj(pubkey.pubkey): :attention: The number *K* shall not be reused for any other operation and shall be discarded immediately. - :attention: It is strongly recommended to have M be a digest created - via a cryptographic hash, otherwise an attacker may mount an - existential forgery attack. + :attention: M must be a digest cryptographic hash, otherwise + an attacker may mount an existential forgery attack. :Return: A tuple with 2 longs. diff --git a/lib/Crypto/PublicKey/ElGamal.py b/lib/Crypto/PublicKey/ElGamal.py index a9efe75..1a157ce 100644 --- a/lib/Crypto/PublicKey/ElGamal.py +++ b/lib/Crypto/PublicKey/ElGamal.py @@ -34,7 +34,7 @@ and an element *h*, it is hard to find an integer *x* such that *g^x = h*. The group is the largest multiplicative sub-group of the integers modulo *p*, with *p* prime. The signer holds a value *x* (*0<x<p-1*) as private key, and its public -key (*g*, *p*, *y* where *y=g^x mod p*) is distributed. +key (*y* where *y=g^x mod p*) is distributed. The ElGamal signature is twice as big as *p*. @@ -48,10 +48,19 @@ the element *g^{ab}* when only *g^a* and *g^b* are known, and not *a* and *b*. As before, the group is the largest multiplicative sub-group of the integers modulo *p*, with *p* prime. The receiver holds a value *a* (*0<a<p-1*) as private key, and its public key -(*g*, *p*, *b* where *b*=g^a*) is given to the sender. +(*b* where *b*=g^a*) is given to the sender. The ElGamal ciphertext is twice as big as *p*. +Domain parameters +----------------- +For both signature and encryption schemes, the values *(p,g)* are called +*domain parameters*. +They are not sensitive but must be distributed to all parties (senders and +receivers). +Different signers can share the same domain parameters, as can +different recipients of encrypted messages. + Security -------- Both DLP and CDH problem are believed to be difficult, and they have been proved @@ -294,9 +303,8 @@ class ElGamalobj(pubkey): :attention: The number *K* shall not be reused for any other operation and shall be discarded immediately. - :attention: It is strongly recommended to have M be a digest created - via a cryptographic hash, otherwise an attacker may mount an - existential forgery attack. + :attention: M must be be a cryptographic hash, otherwise an + attacker may mount an existential forgery attack. :Return: A tuple with 2 longs. """ |