Using finite-field Diffie-Hellman with a generator of 2 is probably not the best choice. Unfortunately all of the published primes (RFCs 2409, 3526, and 7919) use 2 for the generator. Any other generator would likely be (not sure how much?) more secure.
The problem is that 2^X consists of a single bit of value 1 followed by a huge string of zeros. When you then reduce this modulo a large prime number, there will be a pattern in the bits which may help an attacker discern the value of X. This is further helped by the fact that all of the published primes have 64 bits of 1 in the topmost and bottom-most bits. In addition, the larger published primes are very similar to the shorter ones, the shorter ones closely matching truncated versions of the larger primes. If you were to manually perform the modulo-P operation yourself, you would add enough zeros to the end of P until the topmost bit is just to the right of the 1 bit from 2^X, and then you'd subtract. This bit pattern will always be the same, no matter the value of X. In particular, the top 64 bits disappear since they're all one. Continuing the mod-P operation, you adjust the number of zeros after the prime P and then subtract again, reducing the size of the operand. The pattern of bits again will be the same, regardless of the value of X, the only difference being the number of trailing zeros. I have not looked at the cyclic patterns which happen as you do this, but I wouldn't be surprised to find that the "new" primes based on e (RFC 7919) have easier-to-spot bit patterns than those based on pi. This is speculation of course. Should we define some new DH parameters which use a different generator? Maybe the primes are fine.... Mike _______________________________________________ TLS mailing list [email protected] https://www.ietf.org/mailman/listinfo/tls
