Re: Diffie Hellman group parameters and private exponent size.

On Jul 30, 11:17 pm, kg <kristiag+n...@xxxxxxxxxxxx> wrote:
Fabrice Gautier <fabrice.gaut...@xxxxxxxxx> wrote:

On Sat, 30 Jul 2011 00:54:22 -0700, kg wrote
(in article <j10dbe$ae...@xxxxxxxxxxxxxxxxxx>):

Fabrice <fabrice.gaut...@xxxxxxxxx> wrote:
So can I just claim that openssl and gnutls and libtomcrypt are
unnecessarily slow, or did I miss something?

I think you missed one or two things. As far as I can tell, the TLS
protocol sends the prime and the generator, but not the size of the
subgroup generated. Since it is customary to use DH exponents about
the same sizes as the subgroup, a TLS implementation cannot easily
use smaller exponents.

Well, that's exactly my point.
Since TLS does not send you the size of the subgroup, I think the
implementation should extrapolate the size of the subgroup based on the size
of the prime or based on the size of the symmetric key specified by the TLS
ciphersuite you are using?

How does it extrapolate? How should the implementation guess what the
other implementation has done?

Based on published estimates of the security of DH.

For examples, see:
RFC 3526, section 8
RFC 5114, section 4
FIPS 186-3, section 4.2
RFC 4419, section 6.2

Here is what RFC 4419 section 6.2 says:

6.2. Private Exponents

To increase the speed of the key exchange, both client and server
reduce the size of their private exponents. It should be at least
twice as long as the key material that is generated from the shared
secret. For more details, see the paper by van Oorschot and Wiener

Other documents I mentioned have tables that specify the length of
the exponent for a given prime size.

-- Fabrice
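
An added example (not part of the original post, and not code from OpenSSL, GnuTLS or libtomcrypt) of the RFC 4419 section 6.2 sizing rule quoted above: it runs both sides of a DH exchange with 256-bit exponents for 128 bits of key material and counts modular multiplications against full-size exponents. The modulus, generator and function names are assumptions chosen for illustration; short exponents are only appropriate in a group with a large prime-order subgroup, such as a safe-prime group, which this stand-in modulus is not.

```python
import secrets

# Stand-in modulus of realistic size (the Mersenne prime 2**2203 - 1), used
# only so the arithmetic has a realistic cost. It is NOT a safe prime; a real
# deployment uses a safe-prime group such as the RFC 3526 MODP groups.
P = 2**2203 - 1
G = 5  # assumed generator for the illustration


def exponent_bits(key_material_bits):
    """RFC 4419 section 6.2: at least twice as long as the key material."""
    return 2 * key_material_bits


def random_exponent(bits):
    """Random private exponent of exactly `bits` bits (top bit forced to 1)."""
    return secrets.randbits(bits - 1) | (1 << (bits - 1))


def modexp_counted(base, exp, mod):
    """Left-to-right square-and-multiply; returns (result, modular mults)."""
    result, mults = 1, 0
    for bit in bin(exp)[2:]:
        result = result * result % mod      # one squaring per exponent bit
        mults += 1
        if bit == "1":
            result = result * base % mod    # one multiply per set bit
            mults += 1
    return result, mults


def key_exchange(bits):
    """Both sides of DH with `bits`-bit private exponents.

    Returns (alice_secret, bob_secret, total modular multiplications).
    """
    x, y = random_exponent(bits), random_exponent(bits)
    gx, c1 = modexp_counted(G, x, P)        # Alice's public value
    gy, c2 = modexp_counted(G, y, P)        # Bob's public value
    k_a, c3 = modexp_counted(gy, x, P)      # Alice's shared secret
    k_b, c4 = modexp_counted(gx, y, P)      # Bob's shared secret
    return k_a, k_b, c1 + c2 + c3 + c4


if __name__ == "__main__":
    short = key_exchange(exponent_bits(128))       # 256-bit exponents
    full = key_exchange(P.bit_length() - 1)        # exponents as long as P
    print("short exponents:", short[2], "modular multiplications")
    print("full exponents: ", full[2], "modular multiplications")
```

The multiplication count grows linearly with the exponent length, so the saving is independent of which prime of this size is used.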
