On Wed, Jun 07, 2000 at 03:38:54PM +0200, Arne Ansper wrote:

[...]
>> On the other hand, if you assume that the client can be sure about
>> certain properties about the DH parameters, then you could speed
>> up the handshake even more by using short exponents (either with
>> one-time client DH keys, or as in your patch with predefined
>> keys).  All this depends very much on the application, so the

> This is interesting. Does it mean that I must set the length field in
> DHparams structure to some smaller value than default?

Yes.

>                                                        How short is still
> secure?

Presuming that  g  generates a prime-order subgroup (or that  p  is a
safe prime, i.e.  (p-1)/2  is prime too), then if exponents are
uniformly chosen from an interval  [0, M],  the complexity of
(known) attacks that exploit shortness of exponents is on the order of
the square root of  M.  That is, if you think that  2^80  operations
are infeasible, then using  160-bit exponents should be enough.  (It
never makes sense to choose exponents larger than the group size;
there are no known general attacks against choosing them smaller
if the group is "larger than needed".)

If you use full-size exponents (i.e.  M  is around  p-1),  then you
are wasting time (considering just the strength against *known*
attacks) because index-calculus attacks are faster than those attacks
that are based on your choice of exponents.  There's a table somewhere
in some issue of Cryptobytes or so that states which exponents sizes
correspond in strength to which prime lengths, based on currently
known algorithms.


>         Where can I read more about it?

The EUROCRYPT '96 paper "On Diffie-Hellman key agreement with short
exponents" by P.C. van Oorschot and M.J. Wiener showed that you cannot
use short exponents in general (because then there are small subgroups
that can be exploited); but there are no known problems when using
safe primes, or when  g  is the generator of a large prime-order
subgroup (where "large" means "at least about as large as the
exponents that you intend to use"; note that in general, exponent
reuse is not a good idea in this case).  Probably the Handbook of
Applied Cryptography has something on this.  It does not, however,
offer the table that I talked about above.


-- 
Bodo Möller <[EMAIL PROTECTED]>
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
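As an added example (my own Python, not OpenSSL code): a Diffie-Hellman exchange over a safe prime with 160-bit exponents, the check that g and the peer's public value lie in the prime-order subgroup (the precondition the reply above rests on), and a 256-bit modulus scaled down from a realistic 1024+ bits only so the safe-prime search finishes quickly.

```python
import random
# Added illustration, not OpenSSL code; p is 256 bits (real use: 1024+) to keep the search quick.
SMALL = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
def is_probable_prime(n, rng=None, rounds=16):
    rng = rng or random  # trial division by SMALL, then Miller-Rabin with random bases
    if n < 2 or any(n % sp == 0 for sp in SMALL):
        return n in SMALL
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_safe_prime(bits, rng):  # search for p = 2q + 1 with both q and p prime
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q, rng) and is_probable_prime(2 * q + 1, rng):
            return 2 * q + 1

def in_prime_order_subgroup(p, y):
    """Safe prime p: y lies in the order-q subgroup and is neither 1 nor p-1."""
    return 1 < y < p - 1 and pow(y, (p - 1) // 2, p) == 1

def keypair(p, g, exp_bits, rng):
    # Exponent uniform in [1, 2^exp_bits): the bound the DHparams 'length' field sets.
    x = rng.randrange(1, 1 << exp_bits)
    return x, pow(g, x, p)

def shared_secret(p, x, peer_pub):
    # Validate the peer's value first; one extra modexp rules out small-subgroup values.
    if not in_prime_order_subgroup(p, peer_pub):
        raise ValueError("peer public value not in the prime-order subgroup")
    return pow(peer_pub, x, p)

def demo(p_bits=256, exp_bits=160, seed=1):
    rng = random.Random(seed)
    p = gen_safe_prime(p_bits, rng)
    g = pow(rng.randrange(2, p - 1), 2, p)  # a square generates the order-q subgroup
    xa, ya = keypair(p, g, exp_bits, rng)
    xb, yb = keypair(p, g, exp_bits, rng)
    return p, g, xa, xb, shared_secret(p, xa, yb) == shared_secret(p, xb, ya)
```

With 160-bit exponents both sides still derive the same secret, and the subgroup test rejects 1 and p-1 before any exponentiation with the short private key.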
