Scott Fluhrer (sfluhrer) writes:
> Now, there are q-1 different primitive elements; that's more than we
> could reasonably list. We could specify a test to reject primitive
> elements; however, that test isn't cheap (it can be done cheaper
> than the full r**q==1 test, nevertheless, not cheaply). In addition,
> an attacker injecting a primitive element could use it to deduce the
> lsbit of the private exponent; however that cannot deduce any more
> than that. I don't believe that the expense of the full test is
> worth protecting one bit of the exponent.
Hmm... there is text in the RFC2412 about this I think:
----------------------------------------------------------------------
Because these two primes are congruent to 7 (mod 8), 2 is a quadratic
residue of each prime. All powers of 2 will also be quadratic residues.
This prevents an opponent from learning the low order bit of the
Diffie-Hellman exponent (AKA the subgroup confinement problem). Using 2
as a generator is efficient for some modular exponentiation algorithms.
[Note that 2 is technically not a generator in the number theory sense,
because it omits half of the possible residues mod P. From a
cryptographic viewpoint, this is a virtue.]
----------------------------------------------------------------------

I assume this is the same thing you are talking about, i.e. the opponent learning the low order bit of the DH exponent, and RFC2412 claims that, due to the nature of the primes, that attack is not possible. Right?
--
[email protected]

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
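As an added worked example for the point discussed in this thread (this is not code from the thread, from RFC 2412, or from any IPsec implementation): the script below takes a small constructed safe prime p = 2q+1 with p = 7 (mod 8) and checks that 2 is a quadratic residue, so the Legendre symbol of 2^x reveals nothing about x, whereas a primitive element g is a non-residue, so the Legendre symbol of g^x is (-1)^x and the low-order bit of the exponent leaks. It also shows that the full subgroup test r**q == 1 agrees with the cheaper Jacobi-symbol computation (no modular exponentiation) for every r. The prime 10007 and the generator 5 are my own choices so the script runs instantly; they are not group parameters from any standard.

```python
"""Quadratic-residue generators vs. primitive elements in DH mod a safe prime.

Added example, not from the thread or RFC 2412. p = 10007 is a constructed
toy safe prime (q = 5003) with p = 7 (mod 8); nothing here is a
cryptographic parameter.
"""

P = 10007                  # constructed toy safe prime, P % 8 == 7
Q = (P - 1) // 2           # 5003, also prime


def is_prime(n):
    """Trial division; adequate for the toy sizes used in this example."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True


def is_safe_prime_7_mod_8(p):
    """True if p and (p-1)/2 are prime and p = 7 (mod 8), as in RFC 2412's groups."""
    return p % 8 == 7 and is_prime(p) and is_prime((p - 1) // 2)


def legendre(a, p):
    """Euler's criterion: a^((p-1)/2) mod p is +1 for a residue, -1 otherwise."""
    r = pow(a % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def jacobi(a, n):
    """Jacobi symbol (a/n) by quadratic reciprocity: no exponentiation needed."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def is_primitive_root(g, p):
    """For a safe prime p = 2q+1, g generates Z_p^* iff g^2 != 1 and g^q != 1."""
    return pow(g, 2, p) != 1 and pow(g, (p - 1) // 2, p) != 1


def subgroup_check_full(r, p):
    """The expensive test from the thread: r**q == 1 (mod p)."""
    return pow(r, (p - 1) // 2, p) == 1


def subgroup_check_cheap(r, p):
    """Same decision via the Jacobi symbol: for a safe prime, order-q subgroup == residues."""
    return jacobi(r, p) == 1


def guess_low_bit(public_value, p):
    """Attacker's inference: residue -> even exponent, non-residue -> odd exponent."""
    return 0 if legendre(public_value, p) == 1 else 1


def low_bit_leak_rate(g, p, exponents):
    """Fraction of exponents whose low bit the Legendre-symbol guess recovers."""
    exponents = list(exponents)
    hits = sum(guess_low_bit(pow(g, x, p), p) == (x & 1) for x in exponents)
    return hits / len(exponents)


if __name__ == "__main__":
    assert is_safe_prime_7_mod_8(P)
    print("legendre(2, P) =", legendre(2, P), "-> 2 is a quadratic residue")
    print("5 is a primitive root:", is_primitive_root(5, P))
    xs = range(1, 2001)
    print("low-bit recovery with g=5 (primitive):", low_bit_leak_rate(5, P, xs))
    print("low-bit recovery with g=2 (residue):  ", low_bit_leak_rate(2, P, xs))
    agree = all(subgroup_check_full(r, P) == subgroup_check_cheap(r, P)
                for r in range(1, P))
    print("full r**q==1 test agrees with Jacobi test for all r:", agree)
```

With a primitive element the guess is right for every exponent (rate 1.0); with g = 2 the guess is always "even" and is right only by chance (rate 0.5), which is exactly the "one bit" Scott refers to and the property RFC 2412 relies on.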
