Lately I did a bit of research about the Digital Signature Algorithm and how it works. My question according to this is of no practical matter for me but of pure interest.
However, I’m curious how to generate the subprime in DSA: Somewhere during the generation of the parameters for the algorithm one chooses a 1024-bit prime p. The next step is to find a 160-bit prime q which is a divisor of p-1. That’s where I get stuck. I have no idea how to find that subprime q in time, without having to wait forever. I also couldn’t find any documentation about that particular part of DSA on the internet and all the example implementations I’ve found use library functions to create the parameters.
Does anyone know more about that subprime generation or can lead me to a place where I can read about it?
Thanks in advance.
As suggested by Zoredache: The algorithm to create the pair of primes
pandqfor DSA, found in the Digital Signature Standard.Let
L-1 = 160*n + b, whereb,n ∈ ℕand0 ≤ b < 160seed > 2¹⁶⁰. Letgbe the length ofseedin bits.U = sha(seed) XOR sha(seed+1 mod 2^g)(where sha is the Secure Hash Algorithm)q = U OR 2¹⁵⁹ OR 1qis prime, if not go to step 1.counter = 0, offset = 2For k = 0,...,n: V_k = sha((seed + offset + k) mod 2^g)W = V_0 + V_1 * 2^160 + ... + V_(n-1) * 2^((n-1)*160) + (V_n mod 2^b) * 2^(n*160)X = W + 2^(L-1)c = X mod 2*qp = X - (c-1)If p < 2^(L-1)go to step 13.pis prime, if so go to step 15.counter = counter + 1, offset = offset + n + 1counter >= 4096go to step 1, if not go to step 7.pandqso thatqis a divisor ofp-1.I hope I did not get anything wrong. I didn’t understand everything completely yet but the major trick is to calculate
pout ofqinstead of trying the opposite thing.