[openssl-users] Fast DH parameters generation

Jeffrey Walton noloader at gmail.com
Mon Jun 22 21:44:28 UTC 2015


> Of course, the second approach is a lot faster - however, can anyone explain
> the warning note from the documentation "Be careful to avoid small subgroup
> attacks when using this." ? AFAIK, for such attacks to be effective, they
> require that the parameters are re-used multiple times. However, in our
> specific case, the generated parameters will be used only once (2048 bits)
> and then discarded...

No, small subgroups or confinement attacks are due to Schnorr. They
are based on the size of q, not the size of p. See
https://en.wikipedia.org/wiki/Small_subgroup_confinement_attack.

You can have a large group (2048-bits), but a small subgroup (say
48-bits or 64-bits) that makes the problem much easier. A security
level of 48-bits is well within reach of many attackers. 64-bits is
within reach of some attackers, given how cheaply compute time can be
purchased on Nova or EC2.

And also see "On Small Subgroup Non-confinement Attack",
https://eprint.iacr.org/2010/149.pdf.
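
An added illustration, not part of the original post and not OpenSSL code, of the point made in the reply: the values a Diffie-Hellman result can take are bounded by the order of the subgroup the received public value lies in, not by the size of p, so a receiver checks that the value is in the order-q subgroup. The toy parameters p = 607, q = 101 and all function names are constructed for this example.

```python
# Constructed toy parameters, far too small for real use.
# P - 1 = 2 * 3 * 101, so Z_P^* has subgroups of order 2, 3, 6 besides Q = 101.
P, Q = 607, 101
FACTORS = [2, 3, 101]  # prime factors of P - 1


def element_order(y, p=P, factors=FACTORS):
    """Multiplicative order of y mod p, given the prime factors of p - 1."""
    order = p - 1
    for f in factors:
        # Strip each prime factor for as long as y still maps to 1 without it.
        while order % f == 0 and pow(y, order // f, p) == 1:
            order //= f
    return order


def element_of_order(r, p=P):
    """Return an element whose order is exactly the prime r (r divides p - 1)."""
    for h in range(2, p - 1):
        y = pow(h, (p - 1) // r, p)
        if y != 1:
            return y
    raise ValueError("no element of that order found")


def reachable_secrets(y, p=P):
    """Every value y^x mod p can take, whatever the private exponent x is."""
    return {pow(y, x, p) for x in range(p - 1)}


def validate_public_key(y, p=P, q=Q):
    """Accept y only if it is in range and lies in the order-q subgroup."""
    return 2 <= y <= p - 2 and pow(y, q, p) == 1


if __name__ == "__main__":
    g = element_of_order(Q)     # generator of the order-q subgroup
    weak = element_of_order(3)  # value confined to a 3-element subgroup
    for name, y in (("g", g), ("weak", weak), ("p-1", P - 1)):
        print(name, "order", element_order(y),
              "reachable", len(reachable_secrets(y)),
              "accepted", validate_public_key(y))
```

With a safe prime p = 2q + 1 the only small subgroup has order 2, so the range check alone rejects its elements (1 and p - 1).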

