Hi folks,

I'm having difficulty interpreting RFC3526, "More Modular
Exponential (MODP) Diffie-Hellman groups" section 1, "Introduction".
Quoting from the RFC

---------cut------------
The exponent size used in the Diffie-Hellman must be selected so that
   it matches other parts of the system.  It should not be the weakest
   link in the security system.  It should have double the entropy of
   the strength of the entire system, i.e., if you use a group whose
   strength is 128 bits, you must use more than 256 bits of randomness
   in the exponent used in the Diffie-Hellman calculation.
----------paste---------

Alright here... I'm trying to interpret what is meant, in very pragmatic
terms, by "exponent size".  I take the exponent to be the 'a' or 'b' in
the Diffie-Hellman calculations... That is the random number chosen by
each peer in an implementation-specific way.

What confuses me is the juxtaposition of the statement that it must be
double the size of the group but with examples given which are *far*
below sizes of even the weakest groups. In fact, the examples seem to
indicate a correlation with key sizes of symmetric key ciphers/hmacs.

So should an exponent size be double the size of the Diffie-Hellman "p",
or double the size of the symmetric key? Or is there a formula for
"strength of group in bits" that I am missing?


In RFC 3766, "Determining Strengths for Public Keys", I found this:
---------cut--------------
 Because of
   Pollard's rho method, the search space in a DH key exchange for the
   key (the exponent in a g^a term), must be twice as large as the
   symmetric key.  Therefore, to securely derive a key of K bits, an
   implementation must use an exponent with at least 2*K bits.  See
   [ODL99] for more detail.
--------paste----------------

So I think I'm very close to answering my own question... The exponent
must be twice the size of the symmetric key in use. I hesitate because
that is not quite what RFC3526 says ( "twice the size of the group" ).


Any illumination would be appreciated.


--
Ricky Charlet 
rchar...@nortel.com
USA 408-495-5726
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
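
The RFC 3766 passage quoted in the message above ties exponent length to square-root discrete-log searches. The following added example (not part of the original post or of either RFC) shows that cost on a toy group: an n-bit exponent is recovered in about 2^(n/2) group multiplications. It uses baby-step giant-step rather than Pollard's rho (same square-root cost, deterministic); the modulus `P`, base `G` and all function names are assumptions constructed for the illustration.

```python
import secrets

# Toy parameters, constructed for this example (far too small for real use).
P = 2**61 - 1   # small Mersenne prime standing in for a MODP group modulus
G = 37          # toy base

def bsgs_short_exponent(y, n_bits):
    """Find x in [0, 2**n_bits) with G**x == y (mod P) using
    baby-step giant-step. Returns (x, group_multiplications)."""
    m = 1 << ((n_bits + 1) // 2)      # about the square root of the search space
    table = {}
    cur, ops = 1, 0
    for j in range(m):                # baby steps: remember G**j -> j
        table.setdefault(cur, j)
        cur = cur * G % P
        ops += 1
    step = pow(cur, -1, P)            # cur is G**m, so step is G**(-m)
    gamma = y
    for i in range(m):                # giant steps: y * G**(-i*m)
        if gamma in table:
            return i * m + table[gamma], ops
        gamma = gamma * step % P
        ops += 1
    return None, ops

def min_exponent_bits(k_bits):
    """RFC 3766 rule quoted above: at least 2*K exponent bits for a K-bit key."""
    return 2 * k_bits

def demo(n_bits=24):
    """Pick a random n-bit exponent and recover a matching one from G**x only."""
    x = secrets.randbits(n_bits)
    y = pow(G, x, P)
    found, ops = bsgs_short_exponent(y, n_bits)
    return x, found, ops, y

if __name__ == "__main__":
    x, found, ops, y = demo(24)
    print(f"secret exponent bits: 24, exhaustive search: {2**24} trials")
    print(f"square-root search used {ops} multiplications")
    print(f"recovered exponent reproduces y: {pow(G, found, P) == y}")
    print(f"exponent bits needed for a 128-bit key: {min_exponent_bits(128)}")
```

Because the search cost scales with the square root of the exponent range, an exponent sized at 2*K bits is what leaves roughly K bits of work for this class of search.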
