Daniel Kahn Gillmor <dkg@xxxxxxxxxxxxxxxxx> writes:

> > From: "Roginsky, Allen" <allen.roginsky@xxxxxxxx>
> > Subject: RE: Question on SP 800-56A rev2
> >
> > The reason the y^q=1 (mod p) test exists is to verify that y is in the
> > required subgroup.
>
> I think this answer "begs the question" -- yes, the mathematical test
> verifies that y generates a subgroup of size q. But the question we
> were discussing is why does the subgroup need to be of size q instead of
> size p-1?

I forwarded your post to Allen Roginsky with this note:

> > From: Mark Baushke [mailto:mdb@xxxxxxxxxxx]
> > Sent: Friday, June 12, 2015 10:23 PM
> > To: Roginsky, Allen
> > Subject: Fwd: [Bug 2302] with DH-GEX, ssh (and sshd) should not fall back to unconfigured DH groups or at least document this behaviour and use a stronger group
> >
> > Hi Allen,
> >
> > It seems that there is a followup question to your statements…
> >
> > It really is sort of the root question, why does anyone actually
> > care if we have a q-ordered subgroup or not? Is there an attack
> > which is not published on this kind of issue?
> >
> > -- Mark

I have received this reply from Allen...

-- Mark

------- forwarded message -------
From: "Roginsky, Allen" <allen.roginsky@xxxxxxxx>
To: Mark Baushke <mdb@xxxxxxxxxxx>
Subject: RE: [Bug 2302] with DH-GEX, ssh (and sshd) should not fall back to unconfigured DH groups or at least document this behaviour and use a stronger group
Date: Mon, 15 Jun 2015 06:17:55 +0000

Hi Mark,

The private key x may be placed in the smaller subgroup – of size q – precisely because there are no known attacks against the DH method that could exploit the structure of this subgroup. The public key must be in a larger group because there are attacks exploiting the structure of the DH public key (the attacks against the discrete logarithm problem in the multiplicative group of a finite field).

Regards,
Allen
------- end of forwarded message -------

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
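As an added illustration of the y^q = 1 (mod p) test the thread is discussing (this is example code written for this page, not code from NIST, OpenSSH, or any of the correspondents), the Python below runs the two checks that make up SP 800-56A full public-key validation for finite-field DH on two constructed toy groups: a safe prime, where p-1 = 2q, and a prime whose p-1 has small factors, where the range check alone lets a small-order element through. The primes, generators, and function names are my own choices; a real deployment uses 2048-bit or larger parameters, and the validation function is size-independent.

```python
# Added example, not from the openssh-unix-dev thread: the two checks that
# SP 800-56A full FFC public-key validation performs, run on constructed
# toy groups so the effect of each check is visible. Function names and
# the toy parameters are assumptions made for this illustration.


def validate_ffc_public_key(y: int, p: int, q: int) -> bool:
    """Return True if y is an acceptable DH public value for parameters (p, q).

    Check 1: 2 <= y <= p-2. Rejects 0, 1 and p-1; the last two have
             order 1 and 2, so any shared secret derived from them is trivial.
    Check 2: y^q mod p == 1. This is the test discussed in the thread: it
             holds exactly when y lies in the subgroup of prime order q.
    """
    if not (2 <= y <= p - 2):
        return False
    return pow(y, q, p) == 1


def element_order(y: int, p: int) -> int:
    """Multiplicative order of y mod p by brute force (toy sizes only)."""
    acc, k = y % p, 1
    while acc != 1:
        acc = (acc * y) % p
        k += 1
    return k


def dh_public_value(g: int, x: int, p: int) -> int:
    """y = g^x mod p. With g of order q and private x in [1, q-1], the public
    value lies in the order-q subgroup and always passes validation."""
    return pow(g, x, p)


# Constructed toy group 1: safe prime p = 2q + 1, the shape of the fixed
# IKE/SSH groups. 2 generates the order-11 subgroup; 5 generates all of
# Z_23^* (order 22) and therefore is NOT in the q-subgroup.
P1, Q1, G1 = 23, 11, 2

# Constructed toy group 2: p - 1 = 30 = 2 * 3 * 5, a non-safe prime with
# small factors. q = 5; 2 generates the order-5 subgroup, while 5 has order 3.
P2, Q2, G2 = 31, 5, 2


def demo() -> dict:
    """Collect validation outcomes for a few representative public values."""
    return {
        "in_subgroup_p23": validate_ffc_public_key(G1, P1, Q1),        # True
        "whole_group_gen_p23": validate_ffc_public_key(5, P1, Q1),     # False: order 22, not 11
        "p_minus_1": validate_ffc_public_key(P1 - 1, P1, Q1),          # False: range check
        "one": validate_ffc_public_key(1, P1, Q1),                     # False: range check
        "order3_elem_p31": validate_ffc_public_key(5, P2, Q2),         # False: in range, fails y^q
        "honest_keys_p31": all(
            validate_ffc_public_key(dh_public_value(G2, x, P2), P2, Q2)
            for x in range(1, Q2)
        ),                                                             # True
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22s} {'accept' if ok else 'reject'}")
    # 5 mod 31 is a small-subgroup element of order 3: the range check alone
    # would accept it, only the y^q test rejects it.
    print("order of 5 mod 31:", element_order(5, 31))  # 3
```

The second toy group is the point of the exercise: an element of order 3 sits comfortably inside [2, p-2], so without the y^q test a peer's DH computation would be confined to three possible shared secrets. The y^q test is what ties the accepted public values to the subgroup whose order the private exponent was chosen against.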