Thierry Moreau <thierry.mor...@connotech.com> writes:

>Q.1 Is the generator value selection per RFC6124 a better alternative than
>the fixed generator value 2?

It's a fashion statement. Specifically, the reasoning in RFC 6142 is:

  Many of the commonly used Diffie-Hellman groups are inappropriate for use
  in EKE. Most of these groups use a generator that is not a primitive
  element of the group. As a result, an attacker running a dictionary attack
  would be able to learn at least 1 bit of information for each decrypted
  password guess.

For generators you've got the choice of either choosing a value where the generated DH secret is limited to half the possible values or one where you leak a bit of the secret exponent. For example for the widely-used g = 2, if p is congruent to 11 mod 24 then g is a quadratic nonresidue and the DH secret covers all possible values but you leak the LSB of the secret exponent, but if p is congruent to 11 mod 23 then g is a quadratic residue and the DH secret only covers half the possible values, but you don't leak any bits of the exponent.

Which of the two do you use? Flip a coin? Google-survey poll? Mentioned it to Shamir over drinks at the Crypto rump session? They're wearing quadratic nonresidues in Milan this year? It's really just a personal preference.

>Finally, RFC5114 seems to scoop NIST on its own ground, introducing DH
>parameter sets with a defined and reduced size "prime order subgroup" with a
>generator value as large as the DH prime.

... which is phenomenally inefficient to work with. Unless you're desperate to worship at the NIST numerology altar, avoid this one.

>The default answers are yes to Q.1 and no to Q.2.

I'd say it's undecided for Q.1 and hell no to Q.2.

>RFC6124 has it almost right (it should have omitted the 1024 prime size) but
>seems outside of mainstream IETF work.

At least it includes a 1536 bit group rather than jumping straight to 2048, offering a not-too-difficult upgrade from 1024. It's also good that it does still offer 1024, for situations where it's good enough for the job.

Peter.
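The trade-off Peter describes for g = 2 can be checked directly on a toy group. The following is an added example, not code from the thread or from any of the RFCs mentioned: it enumerates the subgroup generated by 2 modulo a small safe prime and shows that when 2 is a quadratic nonresidue the Legendre symbol of the public value reveals the low bit of the exponent, whereas when 2 is a residue the public value is confined to the half-size subgroup of residues. It generalises the p-mod-24 condition in the post to the textbook criterion that 2 is a nonresidue exactly when p is 3 or 5 mod 8.

```python
# Added example, not from the thread: a small-scale check of the g = 2 trade-off
# (half-size image vs. leaked exponent LSB) in a prime-modulus DH group.
# Primes here are tiny so the group can be enumerated; real groups use 1536+ bits.

def legendre(a: int, p: int) -> int:
    """Euler's criterion: +1 if a is a quadratic residue mod p, -1 if not, 0 if p | a."""
    if a % p == 0:
        return 0
    return -1 if pow(a, (p - 1) // 2, p) == p - 1 else 1

def two_is_nonresidue(p: int) -> bool:
    """Second supplementary law: 2 is a nonresidue mod an odd prime p iff p = 3 or 5 (mod 8)."""
    return p % 8 in (3, 5)

def image_of_generator(g: int, p: int) -> set:
    """All values g^x mod p can take, i.e. the subgroup generated by g."""
    seen, v = set(), 1
    while v not in seen:
        seen.add(v)
        v = v * g % p
    return seen

def exponent_lsb_leak(p: int, public: int) -> int:
    """Bit an observer reads off a public value g^x when g is a nonresidue:
    g^x is a residue iff x is even, so the Legendre symbol gives x's parity."""
    return 0 if legendre(public, p) == 1 else 1

def analyse(g: int, p: int) -> dict:
    """Summarise: does g cover the whole group, or does it leak the LSB of x?"""
    image = image_of_generator(g, p)
    nonresidue = legendre(g, p) == -1
    # With a residue g every g^x is a residue, so the parity test says nothing.
    leaks = nonresidue and all(
        exponent_lsb_leak(p, pow(g, x, p)) == (x & 1) for x in range(1, p)
    )
    return {"p_mod_8": p % 8, "g_is_nonresidue": nonresidue,
            "image_size": len(image), "group_size": p - 1, "lsb_leaks": leaks}

if __name__ == "__main__":
    for p in (11, 23):  # safe primes: 11 = 3 (mod 8), 23 = 7 (mod 8)
        print(p, analyse(2, p))
```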
_______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography