Bill Stewart
Fri, 14 Mar 2003 16:53:24 -0800
I am looking at attacks on Diffie-Hellman.
The protocol implementation I'm looking at designed their diffie-hellman using 128 bit primes (generated each time, yet P-1/2 will be a prime, so no go on pohlig-hellman attack), so what attacks are there that I can look at to come up with either the logarithm x from (a=g^x mod p) or the session key that is calculated. A brute force wouldn't work, unless I know the starting range. Are there any realistic attacks on DH parameters of this size, or is theoretically based on financial computation attacks?
Google for "Odlyzko Diffie Hellman" and look at the various papers. Unless you're talking about elliptic curve versions of Diffie Hellman (and even then 128 bits probably isn't enough), 128 is way too weak. DH is similar in strength to RSA, so don't think about using less than 1024, and realistically go for 2048 or more.
--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]