RE: DSAKeyValue text from Brian LaMacchia on 2001-06-13 (w3c-ietf-xmldsig@w3.org from April to June 2001)

From: Brian LaMacchia <bal@microsoft.com>
Date: Wed, 13 Jun 2001 10:17:03 -0700
To: "Donald Eastlake 3rd" <dee3@torque.pothole.com>, <w3c-ietf-xmldsig@w3.org>
Cc: <Donald.Eastlake@motorola.com>
Message-ID: <BCDB2C3F59F5744EBE37C715D66E779C012AF537@red-msg-04.redmond.corp.microsoft.com>

Don,

Your wording on J is fine with me.  If you want to be more pedantic look
at the description of J in section 2.3.3 of
http://www.ietf.org/internet-drafts/draft-ietf-pkix-ipki-pkalgs-02.txt
(PKIX draft on algs for son-of-2459).  (2.3.3 is the D-H section but
basically it's the same idea.)

					--bal

-----Original Message-----
From: Donald Eastlake 3rd [mailto:dee3@torque.pothole.com] 
Sent: Tuesday, June 12, 2001 12:17 PM
To: Brian LaMacchia; w3c-ietf-xmldsig@w3.org
Cc: Donald.Eastlake@motorola.com
Subject: Re: DSAKeyValue text


In-reply-to: Your message of "Fri, 08 Jun 2001 10:54:18 PDT."
 
<BCDB2C3F59F5744EBE37C715D66E779CEAB702@red-msg-04.redmond.corp.microsof
t.com>

I don't have any big problem adding "J" back in but it needs
explanation.  I went to the FIPS for DSA and, as far as I can recall,
the only J that I saw was in the primality test.

See the attached.

Thanks,
Donald

From:  "Brian LaMacchia" <bal@microsoft.com>
Date:  Fri, 8 Jun 2001 10:54:18 -0700
Message-ID:
<BCDB2C3F59F5744EBE37C715D66E779CEAB702@red-msg-04.redmond.corp.microsof
t.com>
To:  "Donald E Eastlake 3rd" <dee3@torque.pothole.com>
Cc:  <w3c-ietf-xmldsig@w3.org>

>Hi Don,
>
>I think there's some confusion about the meaning of the optional 
>parameter J.  In my implementation (which is based off what the MS 
>CryptoAPI library produces), J is (P-1)/Q, not the internal counter 
>from the DSA FIPS key-generation algorithm.  I believe this was the 
>original intent of including a J in the structure.
>
>I asked Jim Schaad if he knew why J was optionally explicitly called 
>out since it could always be computed from the other parameters and he 
>said it was for performance reasons -- bignum multiplication being 
>faster than bignum division -- for validating that the group parameters

>are properly constructed.  (For DH J is typically small and probably 
>more important, but with DSA its going to be large because Q is limited

>to 160 bits.  CryptoAPI also includes J for DH public key blobs, 
>presumably for this exact reason.)
>
>Obviously I would prefer that J, defined as P-1/Q, remain as an 
>optional component of the structure, since I currently emit it when 
>creating DSAKeyValue elements :-)
>
>                                       --bal

Received on Wednesday, 13 June 2001 13:51:59 UTC