On 13 nov. 2013, at 19:21, Dave Cridland <[email protected]> wrote: > To decrypt all communications using 1024-bit DH over a year is likely to be > vastly bigger than for one conversation; the same isn't true for RSA, for > example, where you could solve the private key once.
This got me pondering, and I'm not quite convinced this is true. It's a bit late, so sorry if what I'm saying has some cryptographic errors. A naive brute-force attack on a DH key exchange would try g^1, g^2, g^3, ... to try to find either the exponent used by the server or the one used by the client. Assuming the DH group is the same, doing this for one key or for two or more keys at the same time should not take that much more time (I'd expect the multiplication by g to dominate the comparisons). Of course, there probably are better attacks than brute force. I'm just looking over some, and the precomputation of values in baby-step giant-step can be shared for multiple keys. This seems to also be the case for Pollard's lambda algorithm. The point of forward-secrecy is that is resistant against people cheating the math: stealing the private key doesn't help breaking the encryption. It doesn't imply that breaking 2 conversations is twice as hard as breaking one. People could counter this by changing the dhparam every x amount of time... but who does that? Regards, Thijs
signature.asc
Description: Message signed with OpenPGP using GPGMail
