On Tue 2015-05-26 15:39:49 -0400, Mark D. Baushke wrote:
> Hi Folks,
>
> The generator value of 5 does not lead to a q-ordered subgroup which is
> needed to pass tests in
>
> http://csrc.nist.gov/publications/nistpubs/800-56A/SP800-56A_Revision1_Mar08-2007.pdf

I pulled revision 2 of this document from here:

  https://dx.doi.org/10.6028/nist.sp.800-56ar2

The "FFC Domain Parameter Generation" section does say:

  g is a generator of the cyclic subgroup of GF(p)* of order q,

But i don't see a recommendation of why this matters. Surely we don't
want the subgroup of order 2, but what is wrong with using a subgroup of
order 2q = p-1?

There's clearly no strong security advantage to the 2q subgroup -- it's
just one bit larger -- but is there an attack that works against the 2q
subgroup that doesn't work against the q subgroup?

If this is a known concern, i'd be happy with just a pointer to a paper
or web page explaining the risks of the larger group.

otoh, if the goal is just to ensure we have word-for-word compliance
with SP800-56A, then it's clear that choosing a different generator is
the way to go (and without much of a security cost). but i'd like to
know if there's a reason other than blind-spec-compliance.

Pointers?

Regards,

        --dkg
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
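The question above (order-q subgroup versus the full order-2q group of a safe prime) can be made concrete with a few lines of arithmetic. The following is an added example, not code from the thread or from OpenSSH, and it uses toy safe primes constructed for illustration (23 = 2*11 + 1, 47 = 2*23 + 1, 59 = 2*29 + 1) rather than any real moduli. For a safe prime p = 2q + 1 the order of g is 1, 2, q or 2q, and g has order q exactly when g is a quadratic residue, i.e. when g^q mod p == 1 (Euler's criterion). The same criterion applied to a public value y = g^x shows the practical difference: when g has order 2q, y^q mod p tells an observer whether x is even or odd, so one bit of the private exponent is readable from the wire; when g has order q the test is always 1 and reveals nothing, and a receiver can use it to reject peer values that lie outside the intended subgroup (the subgroup-membership check SP 800-56A asks for in public-key validation).

```python
from fractions import Fraction


def is_prime(n):
    """Trial division; adequate for the toy-sized parameters used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    i = 3
    while i * i <= n:
        if n % i == 0:
            return False
        i += 2
    return True


def is_safe_prime(p):
    """p is a safe prime when both p and q = (p - 1) / 2 are prime."""
    return is_prime(p) and p % 2 == 1 and is_prime((p - 1) // 2)


def subgroup_order(g, p):
    """Multiplicative order of g in GF(p)* for a safe prime p = 2q + 1.

    By Lagrange the order divides p - 1 = 2q, so it is 1, 2, q or 2q.
    Only 1 has order 1 and only p - 1 (i.e. -1) has order 2; for any
    other g, Euler's criterion g^q == 1 (g is a quadratic residue)
    means order q, and g^q == -1 means order 2q.
    """
    assert is_safe_prime(p), "shortcut only valid for safe primes"
    q = (p - 1) // 2
    g %= p
    assert g != 0, "0 is not in GF(p)*"
    if g == 1:
        return 1
    if g == p - 1:
        return 2
    return q if pow(g, q, p) == 1 else 2 * q


def generates_order_q_subgroup(g, p):
    """The SP 800-56A condition quoted in the thread: g has order q."""
    return subgroup_order(g, p) == (p - 1) // 2


def parity_visible_to_observer(y, p):
    """Euler's criterion on a public value y = g^x mod p.

    If g has order 2q, y^q == 1 exactly when x is even, so this returns
    the low bit of the private exponent. If g has order q, y^q is always
    1 and the function returns 0 regardless of x.
    """
    q = (p - 1) // 2
    return 0 if pow(y, q, p) == 1 else 1


def parity_leak_rate(g, p):
    """Fraction of exponents x in [1, p-2] whose parity an observer
    recovers from g^x mod p alone (1 for an order-2q generator, about
    1/2 for an order-q generator, where the guess is no better than chance)."""
    hits = sum(
        1 for x in range(1, p - 1)
        if parity_visible_to_observer(pow(g, x, p), p) == x % 2
    )
    return Fraction(hits, p - 2)


def peer_value_in_subgroup(y, p):
    """Receiver-side check usable once g has order q: reject y outside
    the open interval (1, p-1) or outside the order-q subgroup."""
    q = (p - 1) // 2
    return 1 < y < p - 1 and pow(y, q, p) == 1


if __name__ == "__main__":
    # Constructed toy parameters; a real group uses p of 2048+ bits.
    for p in (23, 47, 59):
        for g in (2, 4, 5):
            print(p, g, subgroup_order(g, p),
                  generates_order_q_subgroup(g, p), parity_leak_rate(g, p))
```

Whether 5 (or 2) happens to be a quadratic residue depends on p, which is why the thread's observation holds for one modulus and not another: by quadratic reciprocity 5 is a residue exactly when p is congruent to 1 or 4 mod 5, so 5 has order 2q for p = 23 and p = 47 but order q for p = 59, while 4, being a square, has order q for every safe prime.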