On Wed, May 27, 2015 at 05:08:25PM -0400, Daniel Kahn Gillmor wrote: > On Tue 2015-05-26 15:39:49 -0400, Mark D. Baushke wrote: > > Hi Folks, > > > > The generator value of 5 does not lead to a q-ordered subgroup which > > is needed to pass tests in > > > > http://csrc.nist.gov/publications/nistpubs/800-56A/SP800-56A_Revision1_Mar08-2007.pdf > > I pulled revision 2 of this document from here: > > https://dx.doi.org/10.6028/nist.sp.800-56ar2 > > The "FFC Domain Parameter Generation" section does say: > > g is a generator of the cyclic subgroup of GF(p)* of order q, > > But i don't see a recommendation of why this matters. Surely we don't > want the subgroup of order 2, but what is wrong with using a subgroup > of order 2q = p-1? > > There's clearly no strong security advantage to the 2q subgroup -- > it's just one bit larger -- but is there an attack that works against > the 2q subgroup that doesn't work against the q subgroup? If this is > a known concern, i'd be happy with just a pointer to a paper or web > page explaining the risks of the larger group. > > otoh, if the goal is just to ensure we have word-for-word compliance > with SP800-56A, then it's clear that choosing a different generator is > the way to go (and without much of a security cost). but i'd like to > know if there's a reason other than blind-spec-compliance. Pointers? > > Regards, > > --dkg One reason the generator of the full (Z/pZ)* is avoided is because knowledge of g^a and g^b (both known to Mallory) leaks information about the shared secret g^(ab) via their legendre symbols. This is particularly troublesome in the context of El Gamal. I don't have a reference to recommend off-hand but you might want to google for "decisional diffie hellman assumption". --mancha
Attachment:
pgpLE5hn0X0zk.pgp
Description: PGP signature
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev