Re: [TLS] Short Ephemeral Diffie-Hellman keys



Eric Rescorla <ekr at networkresonance.com> writes:

>So, I'm no DH expert, but my understanding is that there are three common
>cases:
>
>1. Randomly generated p with no special structure
>2. Sophie-Germain primes where q is about p/2.
>3. DSA-style groups where q<<p.
>
>Only in the last case does carrying around q offer much benefit.
>
>Is this common enough that it's worth changing the spec? It was my
>understanding that we mostly encouraged people to use S-G primes in any case.

Use of S-G primes is mostly historical.  I use the Lim-Lee algorithm, which
both produces known-good (verifiable) DSA-style primes, and is extremely
efficient (far more so than anything that produces S-G primes).  Having an
ability to (optionally) specify DSA-style parameters would be a considerable
help.

(Actually I'd make them mandatory, but I suspect that'd get too many
complaints from existing users.  Mind you given the current low use of DH
compared to the near-universal RSA, it'd be nice to get implementors into good
habits early and require verifiable DSA-style parameters).

Peter.
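
An added example, not part of the original message or of any implementation it mentions: the structural checks a receiver can run on a DSA-style group only when q travels with p and g, plus the matching check on a peer's public value. The function names and the toy group are constructed for illustration, and the checks do not cover verification of how the primes were generated.

```python
import secrets

def is_probable_prime(n, rounds=40):
    """Miller-Rabin with random bases (fixed bases can be fooled by crafted input)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)      # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                      # a is a witness: n is composite
    return True

def validate_group(p, q, g):
    """Checks that are possible only because q was supplied with p and g."""
    return (is_probable_prime(p) and is_probable_prime(q)
            and (p - 1) % q == 0              # q divides the group order p-1
            and 1 < g < p - 1
            and pow(g, q, p) == 1)            # g generates the order-q subgroup

def validate_public(p, q, y):
    """Reject peer values that lie outside the order-q subgroup."""
    return 1 < y < p - 1 and pow(y, q, p) == 1

# Constructed toy group, far too small for real use: p - 1 = 6 * q, g = 2^6 mod p
P, Q, G = 607, 101, 64

if __name__ == "__main__":
    print("group ok:", validate_group(P, Q, G))
    print("honest y ok:", validate_public(P, Q, pow(G, 5, P)))
    print("order-2 element p-1 accepted:", validate_public(P, Q, P - 1))
```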
