On Wed, Nov 13, 2013 at 10:41 PM, Thijs Alkemade <th...@xnyhps.nl> wrote:
> On 13 nov. 2013, at 19:21, Dave Cridland <d...@cridland.net> wrote:
>
>> To decrypt all communications using 1024-bit DH over a year is likely to
>> be vastly bigger than for one conversation; the same isn't true for RSA,
>> for example, where you could solve the private key once.
>
> This got me pondering, and I'm not quite convinced this is true. It's a bit
> late, so sorry if what I'm saying has some cryptographic errors.
>
> A naive brute-force attack on a DH key exchange would try g^1, g^2, g^3, ...
> to try to find either the exponent used by the server or the one used by the
> client. Assuming the DH group is the same, doing this for one key or for two
> or more keys at the same time should not take that much more time (I'd expect
> the multiplication by g to dominate the comparisons).
>

Ah, so you're suggesting a brute-force attack against multiple parallel DH uses of the same key would be cost-effective? That's interesting, and if you're right - and you may well be - then I'm certainly quite wrong here. I've copied the security@ list on this one, where wiser minds than me hang out.

> Of course, there probably are better attacks than brute force. I'm just
> looking over some, and the precomputation of values in baby-step giant-step
> can be shared for multiple keys. This seems to also be the case for Pollard's
> lambda algorithm.
>
> The point of forward-secrecy is that it is resistant against people cheating
> the math: stealing the private key doesn't help breaking the encryption. It
> doesn't imply that breaking 2 conversations is twice as hard as breaking one.
>
> People could counter this by changing the dhparam every x amount of time...
> but who does that?
>
> Regards,
> Thijs
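The amortisation Thijs describes, as an added example that is not part of the thread: baby-step giant-step where the baby-step table depends only on the group (g, p), so it is built once and reused for every public value exchanged in that group, which is why a shared, long-lived dhparam lets one precomputation serve many sessions. The group parameters P and G and the secret exponents below are constructed toy values, not anything from the discussion.

```python
# Added example (not code from the thread): baby-step giant-step in a toy
# DH group, showing that the baby-step table is a per-group precomputation
# that is amortised over every public value in that group.
from math import isqrt
from typing import Dict, List, Optional

# Constructed toy parameters: 1019 is a safe prime (2*509 + 1) and 2 is a
# generator of the full multiplicative group mod 1019.
P = 1019
G = 2


def build_baby_steps(g: int, p: int, m: int) -> Dict[int, int]:
    """Precompute g^j mod p for 0 <= j < m.  Depends only on (g, p, m)."""
    table: Dict[int, int] = {}
    e = 1
    for j in range(m):
        table.setdefault(e, j)
        e = e * g % p
    return table


def bsgs(h: int, g: int, p: int, m: int, table: Dict[int, int]) -> Optional[int]:
    """Find x with g^x == h (mod p), 0 <= x < m*m, reusing a prebuilt table."""
    giant = pow(g, -m, p)          # g^(-m) mod p: one giant step backwards
    gamma = h
    for i in range(m):
        j = table.get(gamma)       # gamma == g^j  =>  h == g^(i*m + j)
        if j is not None:
            return i * m + j
        gamma = gamma * giant % p
    return None


def recover_exponents(public_values: List[int], g: int = G, p: int = P) -> List[Optional[int]]:
    """Solve several discrete logs in the same group with ONE baby-step table."""
    m = isqrt(p - 1) + 1           # m*m covers every exponent in [0, p-1)
    table = build_baby_steps(g, p, m)   # built once, shared by all keys below
    return [bsgs(h, g, p, m, table) for h in public_values]


if __name__ == "__main__":
    # Constructed secrets standing in for the ephemeral exponents of several
    # sessions that all used the same DH group.
    secrets = [777, 123, 1000]
    publics = [pow(G, x, P) for x in secrets]
    print(recover_exponents(publics))  # [777, 123, 1000]
```

Rotating dhparam, as Thijs suggests, changes (g, p) and so invalidates the table; a larger group makes m, and hence the table, impractically big in the first place.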