Fast DH parameters generation

Fast DH parameters generation

Dr. Pala
Hi all,

I am working on an application that would use DH to allow exchanging
symmetric keys (not a TLS app), and we noticed that we could use two
different approaches to generate the parameters.

The first option is to use DH_generate_parameters_ex() +
DH_generate_key() - but that takes quite a long time when using 2048-bit
DH.

The second option, instead, is to generate DSA parameters and then copy
them as DH params - i.e., using DSA_generate_parameters_ex() +
DSA_dup_DH() + DH_generate_key().

Of course, the second approach is a lot faster - however, can anyone
explain the warning note from the documentation "Be careful to avoid
small subgroup attacks when using this."? AFAIK, for such attacks to be
effective, they require that the parameters are re-used multiple times.
However, in our specific case, the generated parameters will be used
only once (2048 bits) and then discarded...

Cheers,
Max


_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: Fast DH parameters generation

Jeffrey Walton-3
> Of course, the second approach is a lot faster - however, can anyone explain
> the warning note from the documentation "Be careful to avoid small subgroup
> attacks when using this."? AFAIK, for such attacks to be effective, they
> require that the parameters are re-used multiple times. However, in our
> specific case, the generated parameters will be used only once (2048 bits)
> and then discarded...

No, small subgroups or confinement attacks are due to Schnorr. They
are based on the size of q, not the size of p. See
https://en.wikipedia.org/wiki/Small_subgroup_confinement_attack.

You can have a large group (2048-bits), but a small subgroup (say
48-bits or 64-bits) that makes the problem much easier. A security
level of 48-bits is well within reach of many attackers. 64-bits is
within reach of some attackers, given how cheaply compute time can be
purchased on Nova or EC2.

And also see "On Small Subgroup Non-confinement Attack",
https://eprint.iacr.org/2010/149.pdf.
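The following is an added worked example, not code from either poster or from OpenSSL. It mirrors in pure Python the parameter shape that DSA_generate_parameters_ex() + DSA_dup_DH() produce (a prime p with a prime q dividing p-1 and a generator g of order exactly q) and then shows the two defensive checks the reply points at: that q itself is large enough, and that a peer's public value actually lies in the order-q subgroup (the validation that prevents confinement to a small subgroup regardless of how often the parameters are reused). The sizes (256-bit p, 64-bit q) are deliberately tiny so the example runs in seconds; they are a constructed illustration, not a recommendation, and the `subgroup_is_large_enough` check flags them as inadequate.

```python
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test; sufficient for a demonstration."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_dsa_style_params(p_bits: int, q_bits: int) -> tuple[int, int, int]:
    """Return (p, q, g): prime p, prime q with q | p-1, and g of order exactly q.
    This is the shape of DSA parameters, which DSA_dup_DH() copies into a DH
    object. (Toy stand-in for the OpenSSL calls; not their implementation.)"""
    while True:
        q = secrets.randbits(q_bits) | (1 << (q_bits - 1)) | 1
        if not is_probable_prime(q):
            continue
        for _ in range(4096):
            # even k keeps p = k*q + 1 odd; top bit set keeps p near p_bits
            k = (secrets.randbits(p_bits - q_bits) | (1 << (p_bits - q_bits - 1))) & ~1
            p = k * q + 1
            if p.bit_length() != p_bits or not is_probable_prime(p):
                continue
            h = secrets.randbelow(p - 3) + 2
            g = pow(h, (p - 1) // q, p)      # order divides q; q prime => order q unless g == 1
            if g != 1:
                return p, q, g


def subgroup_is_large_enough(q: int, security_bits: int = 112) -> bool:
    """Generic discrete-log attacks on the subgroup cost about sqrt(q) work,
    so q needs at least 2 * security_bits bits (224 bits for 112-bit security)."""
    return q.bit_length() >= 2 * security_bits


def validate_peer_public_value(y: int, p: int, q: int) -> bool:
    """Full public-key validation (as in NIST SP 800-56A): reject y outside the
    open interval (1, p-1) and reject any y not in the order-q subgroup.
    The y^q mod p == 1 check is what stops a peer from confining the shared
    secret to a small subgroup of Z_p^*."""
    if not 1 < y < p - 1:
        return False
    return pow(y, q, p) == 1


def demo_exchange(p: int, q: int, g: int) -> tuple[int, int, bool]:
    """One DH exchange over the subgroup, with each side validating the other's
    public value before deriving the secret. Returns (secret_a, secret_b, both_valid)."""
    x_a = secrets.randbelow(q - 1) + 1          # private exponents in [1, q-1]
    x_b = secrets.randbelow(q - 1) + 1
    y_a, y_b = pow(g, x_a, p), pow(g, x_b, p)
    ok = validate_peer_public_value(y_b, p, q) and validate_peer_public_value(y_a, p, q)
    return pow(y_b, x_a, p), pow(y_a, x_b, p), ok


if __name__ == "__main__":
    p, q, g = generate_dsa_style_params(256, 64)   # constructed toy sizes
    print("q bits:", q.bit_length(), "adequate:", subgroup_is_large_enough(q))
    s_a, s_b, ok = demo_exchange(p, q, g)
    print("shared secrets agree:", s_a == s_b, "peers validated:", ok)
    # p-1 has order 2 in Z_p^*; it is the simplest small-subgroup element
    print("order-2 element accepted:", validate_peer_public_value(p - 1, p, q))
```

With DSA-style parameters the order-q check is cheap because q is explicit; with parameters from DH_generate_parameters_ex() using a safe prime, q = (p-1)/2 plays the same role. Either way the defensive property is the same: validate what the peer sends and make sure q, not just p, meets the target security level.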