[cryptography] Diffie-Hellman after the Logjam paper versus IETF RFCs ...
pgut001 at cs.auckland.ac.nz
Thu Nov 19 20:46:02 EST 2015
Thierry Moreau <thierry.moreau at connotech.com> writes:
>Q.1 Is the generator value selection per RFC6124 a better alternative than
>the fixed generator value 2?
It's a fashion statement. Specifically, the reasoning in RFC 6142 is:
    Many of the commonly used Diffie-Hellman groups are inappropriate for
    use in EKE. Most of these groups use a generator that is not a
    primitive element of the group. As a result, an attacker running a
    dictionary attack would be able to learn at least 1 bit of
    information for each decrypted password guess.
For generators you've got the choice of either choosing a value where the
generated DH secret is limited to half the possible values or one where you
leak a bit of the secret exponent. For example for the widely-used g = 2, if
p is congruent to 11 mod 24 then g is a quadratic nonresidue and the DH secret
covers all possible values but you leak the LSB of the secret exponent, but if
p is congruent to 11 mod 23 then g is a quadratic residue and the DH secret
only covers half the possible values, but you don't leak any bits of the
Which of the two do you use? Flip a coin? Google-survey poll? Mentioned it
to Shamir over drinks at the Crypto rump session? They're wearing quadratic
nonresidues in Milan this year? It's really just a personal preference.
>Finally, RFC5114 seems to scoop NIST on its own ground, introducing DH
>parameter sets with a defined and reduced size "prime order subgroup" with a
>generator value as large as the DH prime.
... which is phenomenally inefficient to work with. Unless you're desperate
to worship at the NIST numerology altar, avoid this one.
>The default answers are yes to Q.1 and no to Q.2.
I'd say it's undecided for Q.1 and hell no to Q.2.
>RFC6124 has it almost right (it should have omitted the 1024 prime size) but
>seems outside of mainstream IETF work.
At least it includes a 1536 bit group rather than jumping straight to 2048,
offering a not-too-difficult upgrade from 1024. It's also good that it does
still offer 1024, for situations where it's good enough for the job.
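As an added worked example (not part of the post or of the RFC it quotes), the following Python makes the two generator cases concrete for a safe prime p = 2q + 1: a quadratic-residue g generates only the order-q subgroup, so the shared secret can take at most half the possible values, while a non-residue g generates the whole group but the Legendre symbol of g^x reveals the parity of x. Whether 2 is a residue is decided by p mod 8 (p = 1 or 7 mod 8), which for safe primes lines up with the p = 23 mod 24 versus p = 11 mod 24 split. The primes 107 and 167 are small constructed values chosen so that exhaustive checks run instantly; they are not real DH parameters.

```python
# Added example, not code from the mailing-list post. Demonstrates, for a
# safe prime p = 2q + 1, the trade-off the post describes for the choice of g:
#   - g a quadratic residue (QR): g^x ranges over only q values (half the group)
#   - g a quadratic non-residue (QNR): g^x covers the whole group, but
#     legendre(g^x, p) == (-1)^x, so the LSB of x is visible to anyone who
#     sees g^x (the "1 bit per guess" the quoted RFC text refers to).
# The moduli used below are toy constructed values, not real DH parameters.

def is_prime(n: int) -> bool:
    """Trial division; adequate for the toy moduli used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True

def is_safe_prime(p: int) -> bool:
    """p is a safe prime when both p and (p - 1) / 2 are prime."""
    return is_prime(p) and is_prime((p - 1) // 2)

def legendre(a: int, p: int) -> int:
    """Euler's criterion: 1 if a is a QR mod p, -1 if a QNR, 0 if p divides a."""
    r = pow(a, (p - 1) // 2, p)
    return -1 if r == p - 1 else r

def two_is_qr(p: int) -> bool:
    """Second supplementary law: 2 is a QR mod an odd prime p iff p = +/-1 mod 8."""
    return p % 8 in (1, 7)

def subgroup_size(g: int, p: int) -> int:
    """Number of distinct values g^x mod p takes, i.e. the order of g."""
    return len({pow(g, x, p) for x in range(1, p)})

def lsb_leak_rate(g: int, p: int) -> float:
    """Fraction of exponents x whose LSB is correctly read off from legendre(g^x).

    A QNR generator yields 1.0 (the bit is fully exposed); a QR generator
    yields about 0.5 (no better than guessing, since every g^x is a QR).
    """
    hits = 0
    total = p - 2
    for x in range(1, p - 1):
        y = pow(g, x, p)
        guessed_lsb = 0 if legendre(y, p) == 1 else 1
        hits += int(guessed_lsb == (x & 1))
    return hits / total

def analyse(g: int, p: int) -> dict:
    """Summarise the generator choice g for a safe prime p."""
    if not is_safe_prime(p):
        raise ValueError("p must be a safe prime for this analysis")
    return {
        "p_mod_24": p % 24,
        "g_is_qr": legendre(g, p) == 1,
        "distinct_shared_values": subgroup_size(g, p),
        "order_q": (p - 1) // 2,
        "lsb_leak_rate": lsb_leak_rate(g, p),
    }

if __name__ == "__main__":
    # 107 = 11 mod 24 (3 mod 8): 2 is a QNR -> full group, LSB leaked.
    # 167 = 23 mod 24 (7 mod 8): 2 is a QR  -> half the group, no LSB leak.
    for p in (107, 167):
        print(p, analyse(2, p))
```

Running the block prints, for p = 107, a full-size group (106 distinct values) with a leak rate of 1.0, and for p = 167 an 83-element subgroup with a leak rate near 0.5; which of the two a protocol should prefer is exactly the judgement call the post leaves open.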