[12765] in cryptography@c2.net mail archive


Re: Diffie-Hellman 128 bit

daemon@ATHENA.MIT.EDU (Bill Stewart)
Fri Mar 14 19:54:48 2003

X-Original-To: cryptography@wasabisystems.com
Date: Thu, 13 Mar 2003 22:12:36 -0800
To: NOP <nop@trapped-under-ice.com>
From: Bill Stewart <bill.stewart@pobox.com>
Cc: cryptography@wasabisystems.com
In-Reply-To: <006201c2e9aa$54768200$6f42420a@lanwan>

At 01:48 PM 03/13/2003 -0800, NOP wrote:
>I am looking at attacks on Diffie-Hellman.
>
>The protocol implementation I'm looking at designed their Diffie-Hellman
>using 128 bit primes (generated each time, yet P-1/2 will be a prime, so no
>go on Pohlig-Hellman attack), so what attacks are there that I can look at
>to come up with either the logarithm x from (a=g^x mod p) or the session key
>that is calculated. A brute force wouldn't work, unless I know the starting
>range. Are there any realistic attacks on DH parameters of this size, or is
>theoretically based on financial computation attacks?

Google for "Odlyzko Diffie Hellman" and look at the various papers.
Unless you're talking about elliptic curve versions of Diffie Hellman
(and even then 128 bits probably isn't enough), 128 is way too weak.
DH is similar in strength to RSA, so don't think about using less than 1024,
and realistically go for 2048 or more.



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
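
The sizing advice in the reply above, as an added example that is not part of the original message: a parameter check that reports a finite-field DH group whose modulus is under the 1024-bit floor or the 2048-bit recommendation, even when p is a safe prime as in the question. The function names and `first_safe_prime` (used only to construct sample input) are assumptions of this example.

```python
import secrets

MIN_BITS = 1024          # "don't think about using less than 1024"
RECOMMENDED_BITS = 2048  # "realistically go for 2048 or more"
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n, rounds=40):
    """Miller-Rabin test with random bases."""
    if n < 2: return False
    for q in SMALL_PRIMES:
        if n % q == 0:
            return n == q
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def first_safe_prime(bits):
    """Smallest safe prime p = 2q + 1 with exactly `bits` bits (sample input only)."""
    q = (1 << (bits - 2)) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1

def check_dh_group(p, g):
    """Return findings for a finite-field DH group; an empty list means it passes."""
    findings = []
    bits = p.bit_length()
    if bits < MIN_BITS:
        findings.append(f"modulus is {bits} bits, below the {MIN_BITS}-bit floor")
    elif bits < RECOMMENDED_BITS:
        findings.append(f"modulus is {bits} bits, below the recommended {RECOMMENDED_BITS}")
    if not is_probable_prime(p):
        findings.append("p is not prime")
    elif not is_probable_prime((p - 1) // 2):
        findings.append("(p-1)/2 is not prime, so p is not a safe prime")
    if not 2 <= g <= p - 2:
        findings.append("generator is outside [2, p-2]")
    return findings
```

Calling `check_dh_group(first_safe_prime(128), 2)` returns only the size finding: the safe-prime structure passes, and the modulus is still rejected.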
