[cryptography] Diffie-Hellman after the Logjam paper versus IETF RFCs ...

Peter Gutmann pgut001 at cs.auckland.ac.nz
Thu Nov 19 20:46:02 EST 2015

Thierry Moreau <thierry.moreau at connotech.com> writes:

>Q.1 Is the generator value selection per RFC6124 a better alternative than
>the fixed generator value 2?

It's a fashion statement.  Specifically, the reasoning in RFC 6142 is:

   Many of the commonly used Diffie-Hellman groups are inappropriate for
   use in EKE.  Most of these groups use a generator that is not a
   primitive element of the group.  As a result, an attacker running a
   dictionary attack would be able to learn at least 1 bit of
   information for each decrypted password guess.

For generators you've got the choice of either choosing a value where the
generated DH secret is limited to half the possible values or one where you
leak a bit of the secret exponent.  For example for the widely-used g = 2, if
p is congruent to 11 mod 24 then g is a quadratic nonresidue and the DH secret
covers all possible values but you leak the LSB of the secret exponent, but if
p is congruent to 11 mod 23 then g is a quadratic residue and the DH secret
only covers half the possible values, but you don't leak any bits of the

Which of the two do you use?  Flip a coin?  Google-survey poll?  Mentioned it
to Shamir over drinks at the Crypto rump session?  They're wearing quadratic
nonresidues in Milan this year?  It's really just a personal preference.

>Finally, RFC5114 seems to scoop NIST on its own ground, introducing DH
>parameter sets with a defined and reduced size "prime order subgroup" with a
>generator value as large as the DH prime.

... which is phenomenally inefficient to work with.  Unless you're desperate
to worship at the NIST numerology altar, avoid this one.

>The default answers are yes to Q.1 and no to Q.2.

I'd say it's undecided for Q.1 and hell no to Q.2.

>RFC6124 has it almost right (it should have omitted the 1024 prime size) but
>seems outside of mainstream IETF work.

At least it includes a 1536 bit group rather than jumping straight to 2048,
offering a not-too-difficult upgrade from 1024.  It's also good that it does
still offer 1024, for situations where it's good enough for the job.


More information about the cryptography mailing list