DSA: How to generate the subprime?

Submitted by 社会主义新天地 on 2020-01-13 07:19:48

Question


Lately I did a bit of research about the Digital Signature Algorithm and how it works. My question according to this is of no practical matter for me but of pure interest.

However, I'm curious how to generate the subprime in DSA: Somewhere during the generation of the parameters for the algorithm one chooses a 1024-bit prime p. The next step is to find a 160-bit prime q which is a divisor of p-1. That's where I get stuck. I have no idea how to find that subprime q in time, without having to wait forever. I also couldn't find any documentation about that particular part of DSA on the internet and all the example implementations I've found use library functions to create the parameters.

Does anyone know more about that subprime generation or can lead me to a place where I can read about it?

Thanks in advance.


Answer 1:


As suggested by Zoredache: The algorithm to create the pair of primes p and q for DSA, found in the Digital Signature Standard.

Let L-1 = 160*n + b, where b,n ∈ ℕ and 0 ≤ b < 160

  1. Choose a random number seed > 2¹⁶⁰. Let g be the length of seed in bits.
  2. U = sha(seed) XOR sha(seed+1 mod 2^g) (where sha is the Secure Hash Algorithm)
  3. q = U OR 2¹⁵⁹ OR 1
  4. Test if q is prime, if not go to step 1.
  5. counter = 0, offset = 2
  6. For k = 0,...,n: V_k = sha((seed + offset + k) mod 2^g)
  7. W = V_0 + V_1 * 2^160 + ... + V_(n-1) * 2^((n-1)*160) + (V_n mod 2^b) * 2^(n*160)
  8. X = W + 2^(L-1)
  9. c = X mod 2*q
  10. p = X - (c-1)
  11. If p < 2^(L-1) go to step 13.
  12. Test if p is prime, if so go to step 15.
  13. counter = counter + 1, offset = offset + n + 1
  14. If counter >= 4096 go to step 1, if not go to step 7.
  15. We have now p and q so that q is a divisor of p-1.

I hope I did not get anything wrong. I didn't understand everything completely yet but the major trick is to calculate p out of q instead of trying the opposite thing.
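The procedure listed in this answer, written out in Python as an added example (it is not the answerer's code or the standard's reference implementation). The function names are hypothetical, the 256-bit seed length g and the 40-round Miller-Rabin test are assumptions, and V_k is recomputed with the new offset on every retry.

```python
import hashlib
import secrets

def sha1_int(x, g):
    """SHA-1 of (x mod 2^g), encoded as g bits big-endian, as an integer."""
    data = (x % (1 << g)).to_bytes((g + 7) // 8, "big")
    return int.from_bytes(hashlib.sha1(data).digest(), "big")

def is_probable_prime(n, rounds=40):  # Miller-Rabin with random bases
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False          # no n-1 seen: a witnesses compositeness
    return True

def generate_pq(L=1024, g=256):
    """Added example; g is an assumed seed length. Returns (p, q, seed, counter)."""
    n, b = divmod(L - 1, 160)
    while True:
        seed = secrets.randbits(g) | (1 << (g - 1))   # g-bit random seed
        u = sha1_int(seed, g) ^ sha1_int(seed + 1, g)
        q = u | (1 << 159) | 1                        # force 160 bits and odd
        if not is_probable_prime(q):
            continue
        offset = 2
        for counter in range(4096):
            v = [sha1_int(seed + offset + k, g) for k in range(n + 1)]
            w = sum(v[k] << (160 * k) for k in range(n))
            w += (v[n] % (1 << b)) << (160 * n)
            x = w + (1 << (L - 1))                    # X has exactly L bits
            p = x - (x % (2 * q) - 1)                 # p ≡ 1 (mod 2q)
            if p >= 1 << (L - 1) and is_probable_prime(p):
                return p, q, seed, counter
            offset += n + 1                           # next block of hashes
```

Keeping `seed` and `counter` alongside p and q lets anyone rerun the derivation and confirm the parameters came from the hash chain.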




Answer 2:


I don't know much about it personally, but I did a quick grep through the OpenSSL source code and it mentioned the Federal Information Processing Standards Publication 186 as the document that the implementation was based on.




Answer 3:


Saying that q divides p-1 is the same as saying that p ≡ 1 mod q.

The FIPS method essentially shifts and adds successive hash outputs to build a pseudorandom chunk of the correct size, and then subtracts a remainder such that p ≡ 1 mod 2q, and finally tests for primality. The only 'real' entropy in the process is the random seed.

Note also that the old FIPS-186 above is 'hardcoded' for 160-bit q.

If you have plenty of entropy you can just as easily get a chunk of random from a good source, set the top and bottom bits to 1, subtract ((p mod q)-1) then test that for primality.




Answer 4:


I don't think that's right. If you can factor p-1, then you can easily factor the public key, which is really bad.

The usual key generation takes two large primes p and q, of equal bit length; their product n=pq becomes the modulus of the cryptosystem. The totient of n is computed as phi(pq)=(p-1)(q-1). Then two keys are chosen, the encryption key e and the decryption key d, such that de ≡ 1 (mod phi(pq)) and gcd(e, phi(pq)) = 1. e must be odd, is frequently chosen to be prime to force the condition that it is co-prime to the totient, and is generally fairly small; e=2^16+1=65537 is common.

I wrote code for RSA, including key generation, at my blog.



Source: https://stackoverflow.com/questions/8350568/dsa-how-to-generate-the-subprime
