[Operators] IM Observatory and Diffie-Hellman parameters

Thijs Alkemade thijs at xnyhps.nl
Wed Nov 13 22:41:37 UTC 2013


On 13 nov. 2013, at 19:21, Dave Cridland <dave at cridland.net> wrote:

> To decrypt all communications using 1024-bit DH over a year is likely to be vastly bigger than for one conversation; the same isn't true for RSA, for example, where you could solve the private key once.

This got me pondering, and I'm not quite convinced this is true. It's a bit
late, so sorry if what I'm saying has some cryptographic errors.

A naive brute-force attack on a DH key exchange would try g^1, g^2, g^3, ...
to try to find either the exponent used by the server or the one used by the
client. Assuming the DH group is the same, doing this for one key or for two
or more keys at the same time should not take that much more time (I'd expect
the multiplication by g to dominate the comparisons).

Of course, there probably are better attacks than brute force. I'm just
looking over some, and the precomputation of values in baby-step giant-step
can be shared for multiple keys. This seems to also be the case for Pollard's
lambda algorithm.

The point of forward-secrecy is that is resistant against people cheating the
math: stealing the private key doesn't help breaking the encryption. It
doesn't imply that breaking 2 conversations is twice as hard as breaking one.

People could counter this by changing the dhparam every x amount of time...
but who does that?

Regards,
Thijs
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.jabber.org/pipermail/operators/attachments/20131113/1f9bdc9e/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mail.jabber.org/pipermail/operators/attachments/20131113/1f9bdc9e/attachment.pgp>


More information about the Operators mailing list