0

If I generate a private and public key for DSA using Crypto++:

CryptoPP::AutoSeededRandomPool rng;

CryptoPP::DSA::PrivateKey privateKey;

privateKey.GenerateRandomWithKeySize(rng, 2048);

CryptoPP::DSA::PublicKey publicKey;

privateKey.MakePublicKey(publicKey);

When I encode the private key like so:

CryptoPP::ByteQueue privateKeyQueue;
key.DEREncodePrivateKey(privateKeyQueue);

Then the information pushed to the queue for the private key is smaller than the encoded data for the public key:

CryptoPP::ByteQueue publicKeyQueue;
key.DEREncodePublicKey(publicKeyQueue);

Is this expected and is this the right way to generate my public key that will be shared with others?

I've only every worked with RSA before and the public key is much smaller than the private key.

jww
  • 97,681
  • 90
  • 411
  • 885
keith
  • 5,122
  • 3
  • 21
  • 50

1 Answers1

1

So... treading lightly because modulo arithmetic is not my strong point...

Source of my information is here:

https://en.wikipedia.org/wiki/Digital_Signature_Algorithm

Choose an approved cryptographic hash function H. In the original DSS, H was always SHA-1, but the stronger SHA-2 hash functions are approved for use in the current DSS.[5][9] The hash output may be truncated to the size of a key pair.

Decide on a key length L and N. This is the primary measure of the cryptographic strength of the key. The original DSS constrained L to be a multiple of 64 between 512 and 1024 (inclusive). NIST 800-57 recommends lengths of 2048 (or 3072) for keys with security lifetimes extending beyond 2010 (or 2030), using correspondingly longer N.[10] FIPS 186-3 specifies L and N length pairs of (1024,160), (2048,224), (2048,256), and (3072,256).

Choose an N-bit prime q. N must be less than or equal to the hash output length.

(so q is N bits long - say 256 for a 3072-bit key)

Choose an L-bit prime modulus p such that pā€“1 is a multiple of q. Choose g, a number whose multiplicative order modulo p is q. This may be done by setting g = h(pā€“1)/q mod p for some arbitrary h (1 < h < pāˆ’1), and trying again with a different h if the result comes out as 1. Most choices of h will lead to a usable g; commonly h=2 is used.

(so p would be 3072 bits long)

The algorithm parameters (p, q, g) may be shared between different users of the system.

Per-user keys

Given a set of parameters, the second phase computes private and public keys for a single user:

Choose x by some random method, where 0 < x < q. Calculate y = gx mod p.

Public key is (p, q, g, y).

public key has a p in it - so it must be at least 3072 bits long

Private key is x.

since x depends on q, it will have (in our case) 256 bits - this is the private key length.

Does that seem reasonable?

Community
  • 1
  • 1
Richard Hodges
  • 68,278
  • 7
  • 90
  • 142
  • Yes that seems reasonable. Given your observation about the bit lengths of p and q, I'd go further and claim that length(y) > length(x) is the answer given it's computed modulo p and given that p, q, g are probably needed for both signing and verifying. ā€“ keith Oct 28 '15 at 19:09