On 13 nov. 2013, at 23:46, Dave Cridland <d...@cridland.net> wrote:

> On Wed, Nov 13, 2013 at 10:41 PM, Thijs Alkemade <th...@xnyhps.nl> wrote:
>
> On 13 nov. 2013, at 19:21, Dave Cridland <d...@cridland.net> wrote:
>
>> To decrypt all communications using 1024-bit DH over a year is likely to be
>> vastly bigger than for one conversation; the same isn't true for RSA, for
>> example, where you could solve the private key once.
>
> This got me pondering, and I'm not quite convinced this is true. It's a bit
> late, so sorry if what I'm saying has some cryptographic errors.
>
> A naive brute-force attack on a DH key exchange would try g^1, g^2, g^3, ...
> to try to find either the exponent used by the server or the one used by the
> client. Assuming the DH group is the same, doing this for one key or for two
> or more keys at the same time should not take that much more time (I'd expect
> the multiplication by g to dominate the comparisons).
>
>
> Ah, so you're suggesting a brute-force attack against multiple parallel DH
> uses of the same key would be cost-effective?
>
> That's interesting, and if you're right - and you may well be - then I'm
> certainly quite wrong here.
>
> I've copied the security@ list on this one, where wiser minds than me hang
> out.

Not the same key - just multiple keys generated using the same DH group.
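
The cost argument in this thread, as an added example that is not part of the original messages: a single naive enumeration of g^1, g^2, ... in one shared group is checked against several public values at once, and the multiplication count is compared with solving each value separately. The 16-bit group (p = 65537, g = 3), the sample exponents and the function names are constructed for illustration; deployed DH groups are far larger.

```python
# Toy parameters, constructed for illustration: 3 is a primitive root mod 65537,
# so every exponent in [1, 65535] maps to a distinct public value.
P, G = 65537, 3


def enumerate_dlogs(p, g, targets):
    """Walk g^1, g^2, ... once; return ({public: exponent}, multiplications)."""
    remaining = set(targets)
    found, acc, mults = {}, 1, 0
    while remaining and mults < p - 1:
        acc = (acc * g) % p       # one modular multiplication per step
        mults += 1
        if acc in remaining:      # set lookup: cost does not grow with target count
            found[acc] = mults
            remaining.discard(acc)
    return found, mults


def compare_costs(secrets, p=P, g=G):
    """Return (recovered exponents, batch multiplications, separate multiplications)."""
    publics = [pow(g, x, p) for x in secrets]
    batch_found, batch_mults = enumerate_dlogs(p, g, publics)
    # Solving each public value on its own repeats the walk from g^1 every time.
    separate_mults = sum(enumerate_dlogs(p, g, [y])[1] for y in publics)
    return [batch_found[y] for y in publics], batch_mults, separate_mults


if __name__ == "__main__":
    secrets = [40961, 12345, 60001, 777]   # constructed sample exponents
    recovered, batch, separate = compare_costs(secrets)
    print("recovered exponents:", recovered)
    print("one shared walk:    ", batch, "multiplications")
    print("four separate walks:", separate, "multiplications")
```

The shared walk costs as many multiplications as the largest exponent, while the separate walks cost the sum of all exponents, so for this naive search the work is tied to the group rather than to each key.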