The private exponent length need only be sufficient to make a brute force search (using the public exponent as a target) computationally infeasible, since the discrete log problem is still in the "hard" category.
Cogent DH Private Exponent recommendations are always stated in terms of P, e.g., x : 1 < x < (p-1)/2. - M On Mon, Apr 18, 2011 at 7:25 PM, Mike Mohr <akih...@gmail.com> wrote: > You might take a look at RFC 3526: > > http://tools.ietf.org/html/rfc3526 > > It is my understanding that the DH exponent can be significantly > shorter than the modulus without compromising security. RFC 3526 is > from 2003, but I haven't found anything published since then that > would make me think its assertions are invalid or outdated. The > paranoid tinfoil hat crowd can probably take twice the maximum bit > count from section 8 (620x2=1240) and be happy. > > Mike > > On Mon, Apr 18, 2011 at 8:01 AM, ikuzar <razuk...@gmail.com> wrote: >> Hello, >> I 'd like to know the length of DH session key generated by >> DH_compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh) . Here : >> http://www.openssl.org/docs/crypto/DH_generate_key.html >> It is said that key must point to DH_size(dh) bytes of memory. is 128 bits >> the default length ? how can I adjust this length according the symetric-key >> algorithm I use ( AES128/ICM) >> Thanks for your help. >> >> > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager majord...@openssl.org > ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org