> Of course, the second approach is a lot faster - however, can anyone explain
> the warning note from the documentation "Be careful to avoid small subgroup
> attacks when using this." ? AFAIK, for such attacks to be effective, they
> require that the parameters are re-used multiple times. However, in our
> specific case, the generated parameters will be used only once (2048 bits)
> and then discarded...

No, small subgroups or confinement attacks are due to Schnorr. They are based on the size of q, not the size of p. See https://en.wikipedia.org/wiki/Small_subgroup_confinement_attack.

You can have a large group (2048-bits), but a small subgroup (say 48-bits or 64-bits) that makes the problem much easier. A security level of 48-bits is well within reach of many attackers. 64-bits is within reach of some attackers, given how cheaply compute time can be purchased on Nova or EC2.

And also see "On Small Subgroup Non-confinement Attack", https://eprint.iacr.org/2010/149.pdf.
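
The receiving-side check that closes off the small-subgroup problem described in the reply above, as an added example that is not part of the original thread: a peer's public value is accepted only if it lies in the intended order-q subgroup. The toy parameters (p = 607, q = 101) and all function names are constructed for illustration and are far too small for real use.

```python
# Constructed toy parameters (illustration only): p - 1 = 2 * 3 * 101.
P = 607                        # prime modulus
Q = 101                        # prime order of the subgroup the protocol intends to use
G = pow(2, (P - 1) // Q, P)    # generator of the order-Q subgroup


def element_order(y, p=P):
    """Multiplicative order of y mod p by brute force (toy sizes only)."""
    k, acc = 1, y % p
    while acc != 1:
        acc = acc * y % p
        k += 1
    return k


def range_check_only(y, p=P):
    """Weak validation: rejects 0, 1 and p-1 but not other small-order values."""
    return 2 <= y <= p - 2


def validate_public(y, p=P, q=Q):
    """Range check plus membership in the order-q subgroup (y^q mod p == 1)."""
    return 2 <= y <= p - 2 and pow(y, q, p) == 1


def shared_secret(peer_public, private, p=P, q=Q):
    """Refuse to exponentiate a peer value that fails validation."""
    if not validate_public(peer_public, p, q):
        raise ValueError("peer public value is not in the order-q subgroup")
    return pow(peer_public, private, p)


def sample_small_order_value(p=P, r=3):
    """Constructed test input: an element of order r, where r divides (p-1)/q."""
    for h in range(2, p):
        y = pow(h, (p - 1) // r, p)
        if y != 1:
            return y


if __name__ == "__main__":
    honest = pow(G, 57, P)     # public value from a constructed private exponent
    odd = sample_small_order_value()
    for name, y in (("honest", honest), ("order-3", odd)):
        print(name, y, "order", element_order(y),
              "range-only:", range_check_only(y), "full:", validate_public(y))
```

The order-3 value passes the range check but fails the subgroup check, which is why the size of p alone says nothing about whether a received value is safe to use.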