On 18 March 2013 21:44, Matt Caswell <fr...@baggins.org> wrote:
> However, you are correct that the DH computation does not use q, although
> I do not know whether JCE requires it to be specified (not having used JCE).

One other point on this - X9.42 describes an optional validation procedure which does use q. From RFC2631 (based on X9.42):

    The following algorithm MAY be used to validate a received public key y.

    1. Verify that y lies within the interval [2,p-1]. If it does not, the key is invalid.
    2. Compute y^q mod p. If the result == 1, the key is valid. Otherwise the key is invalid.

    The primary purpose of public key validation is to prevent a small subgroup attack [LAW98] on the sender's key pair. If Ephemeral-Static mode is used, this check may not be necessary. See also [P1363] for more information on Public Key validation.

Matt
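The RFC 2631 check quoted above, as an added worked example that is not part of the original message or of any OpenSSL/JCE code: the domain parameters p = 67, q = 11 (so p - 1 = 6q) are constructed toy values chosen to be small enough to enumerate, and the helper names are assumptions of this example.

```python
# X9.42 / RFC 2631 public key validation, worked on constructed toy parameters.
# p = 67 is prime and p - 1 = 6 * 11, so the group has a subgroup of order q = 11
# alongside small subgroups of order 2, 3 and 6 (the ones the check rejects).
P = 67
Q = 11
assert (P - 1) % Q == 0, "q must divide p - 1"


def validate_dh_public_key(y: int, p: int, q: int) -> bool:
    """RFC 2631 section 2.1.5: True iff y is a valid public key for (p, q).

    Step 1: y must lie within the interval [2, p-1].
    Step 2: y^q mod p must equal 1, i.e. y lies in the order-q subgroup.
    """
    if not (2 <= y <= p - 1):
        return False
    return pow(y, q, p) == 1


def subgroup_generator(p: int, q: int, h: int) -> int:
    """Derive a generator of the order-q subgroup from a seed h: g = h^((p-1)/q) mod p.

    Raises if h happens to map onto the trivial element 1 (then pick another seed).
    """
    g = pow(h, (p - 1) // q, p)
    if g == 1:
        raise ValueError("seed has no component in the order-q subgroup")
    return g


def distinct_shared_secrets(y: int, p: int) -> set:
    """Every value y^x mod p can take over all private exponents x.

    Illustrates the small subgroup problem: a peer key of order 3 yields only
    3 possible shared secrets, whatever private key the receiver uses.
    Only feasible for toy-sized p; it is here to make the risk visible.
    """
    return {pow(y, x, p) for x in range(1, p - 1)}


if __name__ == "__main__":
    g = subgroup_generator(P, Q, 2)          # 2^6 mod 67 == 64, order 11
    honest = pow(g, 5, P)                     # a genuine public key, 64^5 mod 67 == 25
    low_order = pow(2, (P - 1) // 3, P)       # element of order 3: 2^22 mod 67 == 37
    for label, y in [("honest", honest), ("order-3", low_order), ("p-1", P - 1)]:
        ok = validate_dh_public_key(y, P, Q)
        n = len(distinct_shared_secrets(y, P))
        print(f"{label:8} y={y:3} valid={ok!s:5} possible shared secrets={n}")
```

With the order-3 key the receiver's shared secret can only take 3 values, which is exactly what step 2 rejects; the genuine key passes and yields q = 11 distinct values.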