[Operators] IM Observatory and Diffie-Hellman parameters

Dave Cridland dave at cridland.net
Wed Nov 13 22:46:09 UTC 2013

On Wed, Nov 13, 2013 at 10:41 PM, Thijs Alkemade <thijs at xnyhps.nl> wrote:

> On 13 nov. 2013, at 19:21, Dave Cridland <dave at cridland.net> wrote:
> To decrypt all communications using 1024-bit DH over a year is likely to
> be vastly bigger than for one conversation; the same isn't true for RSA,
> for example, where you could solve the private key once.
> This got me pondering, and I'm not quite convinced this is true. It's a bit
> late, so sorry if what I'm saying has some cryptographic errors.
> A naive brute-force attack on a DH key exchange would try g^1, g^2, g^3,
> ...
> to try to find either the exponent used by the server or the one used by
> the
> client. Assuming the DH group is the same, doing this for one key or for
> two
> or more keys at the same time should not take that much more time (I'd
> expect
> the multiplication by g to dominate the comparisons).
Ah, so you're suggesting a brute-force attack against multiple parallel DH
uses of the same key would be cost-effective?

That's interesting, and if you're right - and you may well be - then I'm
certainly quite wrong here.

I've copied the security@ list on this one, where wiser minds than me hang

> Of course, there probably are better attacks than brute force. I'm just
> looking over some, and the precomputation of values in baby-step giant-step
> can be shared for multiple keys. This seems to also be the case for
> Pollard's
> lambda algorithm.
> The point of forward-secrecy is that is resistant against people cheating
> the
> math: stealing the private key doesn't help breaking the encryption. It
> doesn't imply that breaking 2 conversations is twice as hard as breaking
> one.
> People could counter this by changing the dhparam every x amount of time...
> but who does that?
> Regards,
> Thijs
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.jabber.org/pipermail/operators/attachments/20131113/64094b5f/attachment-0001.html>

More information about the Operators mailing list