On Wed 2015-05-27 18:02:40 -0400, mancha wrote:

> One reason the generator of the full (Z/pZ)* is avoided is because
> knowledge of g^a and g^b (both known to Mallory) leaks information about
> the shared secret g^(ab) via their Legendre symbols.

The Legendre symbol of g^(ab) is 1 bit; but the full |2q| group is 1 bit larger than the |q| subgroup. Either way, we're not talking about a radical change in cryptographic strength, right? Or is there some way to parlay knowledge of the Legendre symbol of g^(ab) into a larger attack?

--dkg

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
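The two observations in this exchange (mancha's: a passive observer learns the Legendre symbol of g^(ab) from the public values; dkg's: that one bit is exactly the extra bit the full order-2q group has over the order-q subgroup) can both be checked numerically. The following is an added worked example, not code from the thread or from OpenSSH. It assumes a constructed toy safe prime p = 23 (q = 11), the full-group generator 5 and the subgroup generator 5^2 = 2; the arithmetic is the same at real sizes, only the numbers are small so the results can be verified by hand.

```python
import math
import random

# Constructed toy safe prime p = 2q + 1 with q prime (assumption for the example;
# real DH groups are thousands of bits, the algebra below does not change).
P = 23
Q = (P - 1) // 2
G_FULL = 5                  # quadratic non-residue mod 23: generates all of (Z/pZ)*, order 2q
G_SUB = pow(G_FULL, 2, P)   # = 2, a quadratic residue: generates the order-q subgroup


def legendre(x, p):
    """Legendre symbol (x/p) for an odd prime p, by Euler's criterion x^((p-1)/2) mod p."""
    r = pow(x % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r   # 0, 1 or -1


def predict_secret_symbol(g_a, g_b, p):
    """The bit a passive observer computes from the public values alone.

    (g^(ab)/p) = (g/p)^(ab), and the observer sees (g^a/p) = (g/p)^a and
    (g^b/p) = (g/p)^b.  When g is a non-residue, ab is odd exactly when both a
    and b are odd, i.e. when both public values are non-residues.  When g is a
    residue every symbol is 1 and the prediction carries no information.
    """
    return -1 if legendre(g_a, p) == -1 and legendre(g_b, p) == -1 else 1


def dh_exchange(g, p, a, b):
    """One unauthenticated Diffie-Hellman exchange; returns (g^a, g^b, g^(ab)) mod p."""
    g_a, g_b = pow(g, a, p), pow(g, b, p)
    shared = pow(g_b, a, p)
    assert shared == pow(g_a, b, p)
    return g_a, g_b, shared


def leakage_experiment(g, p, trials, seed=0):
    """Run `trials` exchanges with random private exponents.

    Returns (prediction_always_correct, fraction_of_exchanges_whose_leaked_bit_was_-1).
    In the full group the fraction is noticeably non-zero (the bit varies, so it is
    information); in the subgroup it is 0.0 (the bit is constant, so nothing leaks).
    """
    rng = random.Random(seed)
    hits = minus_ones = 0
    for _ in range(trials):
        a, b = rng.randrange(1, p - 1), rng.randrange(1, p - 1)
        g_a, g_b, shared = dh_exchange(g, p, a, b)
        predicted = predict_secret_symbol(g_a, g_b, p)
        hits += predicted == legendre(shared, p)
        minus_ones += predicted == -1
    return hits == trials, minus_ones / trials


def secret_bits(g, p):
    """(bits of shared-secret space, bits learned from Legendre symbols, bits remaining).

    This is dkg's bookkeeping: the full group has log2(2q) = log2(q) + 1 bits and
    leaks 1; the subgroup has log2(q) bits and leaks 0.  The remainder is equal.
    """
    q = (p - 1) // 2
    if legendre(g, p) == -1:
        return math.log2(2 * q), 1, math.log2(2 * q) - 1
    return math.log2(q), 0, math.log2(q)


if __name__ == "__main__":
    for name, g in (("full group", G_FULL), ("order-q subgroup", G_SUB)):
        ok, frac = leakage_experiment(g, P, 2000)
        total, leaked, left = secret_bits(g, P)
        print(f"{name:17s} prediction correct={ok} P[leaked bit = -1]={frac:.3f} "
              f"bits={total:.3f} leaked={leaked} remaining={left:.3f}")
```

Running it prints a non-zero fraction for the full group and 0.0 for the subgroup, with the prediction correct in every trial, and the "remaining" column is identical for both generators, which is the one-bit accounting in the reply above. Whether that bit can be parlayed into anything larger is the open question the message ends on; the example only reproduces what both posters state.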