public-key cryptanalysis dsa
Updated Fri, 20 May 2022 02:27:49 GMT

Safety of DSA key parameters sharing

I'm looking for a solution to use in a context where I need to be able to generate new asymmetric key pairs quickly (using a widely recognized algorithm, and EC-DSA is not applicable). It sounds like DSA would be the adequate solution.

According to the documentation, just generating DSA parameters once allows then to generate a large number of separate keys pairs only requiring the step of selecting a random private key 'x' for each of them. FIPS 186-3 says :

the intended signatory shall first obtain appropriate domain parameters, either by generating the domain parameters itself, or by obtaining domain parameters that another entity has generated

Is there any security issue I'm missing before reusing the same domain parameters for a large number of keys ? How frequently ought the domain parameters be changed ? (There's some reference around to the possibility for a CA to use the same domain parameters for all the certificates it issues)


So I actually asked the theoretical version of this question a while ago: what happens if you choose multiple keys from the same group?

The answer, as best as I determined, is its still secure. First, this practice is used both in the Internet Key Agreement Protocole (IKE) in IPSEC, and for SSH.

Second, the best algorithms for breaking DSA effectively involve solving the discrete log problem. Although these are faster in a fixed group, they are not fast enough. There are still somewhere far slower than polynomial and slighter faster than exponential. You can see the results here, there is a summary towards the end.

Thus the only concern is two people pick the same private key. This really unlikely in any group that is large enough to be secure.

External Links

External links referenced by this document:

Linked Articles

Local articles referenced by this article: