Fernando has a question about the DH key distribution.
He thinks the sets A and B should have primes less than p. Is that true?
In Diffie-Hellman we have the exponents a and b that are picked.
They don't have to be related to p other than if p is very small there is no point picking
really large values for a and b.
If p is really big, it's silly to pick small values of a.
The exponents are usually recommended to be at least 256 bits.
That's because there is an attack where the work is related to the square root
of the size of the exponent rather than to the actual exponent.
If you want 128 bits of security, you need a 256-bit value.
You need to select a as a random value up to 256 bits.
That means if p is too small, your attacker will go after p instead of focusing the attack on a.
There is no particular relationship between the size of a and the size of p.
He also asks another question about Diffie-Hellman.
He wonders why in practice it is less accepted than RSA.
This is a good question.
They're both actually widely used in practice.
RSA is more widely used and more talked about.
They do different things. It's not a question of one being thought of as being more secure than the other.
The security of both depends on quite similar problems--
Diffie-Hellman depending on the discrete log problem,
RSA depending on factoring.
There is no reason to believe one of those is easier or harder than the other.
The property that Diffie-Hellman gives you is just this key agreement property.
RSA can do more things like digital signatures and encrypting messages.
That's a more versatile cipher. You can do more things with RSA.
All you can do with Diffie-Hellman is agree on a key,
but there are ciphers built on top of the same ideas as Diffie-Hellman
that can provide the same properties as RSA.
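
The exponent-size point above, as an added example that is not part of the lecture: baby-step giant-step, one well-known square-root method (the lecture does not name a specific one), finds a deliberately short exponent in about 2 * 2^(bits/2) multiplications no matter how large p is. `P`, `G`, and the sample exponents are constructed demo values.

```python
import secrets

# Constructed demo parameters (assumptions, not from the lecture):
P = 2**127 - 1   # a known Mersenne prime, used as the modulus p
G = 3            # base g; its exact order mod P is not verified here

def bsgs_short_exponent(A, bits, p=P, g=G):
    """Find x < 2**bits with pow(g, x, p) == A by baby-step giant-step.

    Returns (x, multiplications). The work is about 2 * 2**(bits/2):
    it is set by the exponent range, not by the size of p.
    """
    m = 1 << ((bits + 1) // 2)        # m*m >= 2**bits
    table, cur, ops = {}, 1, 0
    for j in range(m):                # baby steps: remember g^j -> j
        table.setdefault(cur, j)
        cur = cur * g % p
        ops += 1
    step = pow(g, -m, p)              # g^(-m) mod p (Python 3.8+)
    gamma = A % p
    for i in range(m):                # giant steps: A * g^(-i*m)
        if gamma in table:
            return i * m + table[gamma], ops
        gamma = gamma * step % p
        ops += 1
    return None, ops

def demo(bits_list=(16, 24, 32)):
    """Recover random short exponents and report the work for each size."""
    rows = []
    for bits in bits_list:
        a = secrets.randbits(bits)            # short secret exponent
        x, ops = bsgs_short_exponent(pow(G, a, P), bits)
        rows.append((bits, ops, pow(G, x, P) == pow(G, a, P)))
    return rows

if __name__ == "__main__":
    for bits, ops, ok in demo():
        print(f"{bits}-bit exponent: {ops} multiplications, recovered={ok}")
    # Extrapolating: a 256-bit exponent puts this search at roughly 2**128
    # steps, which is the 128-bit security level the lecture mentions.
```
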
