[openssl-users] Fast DH parameters generation

Jeffrey Walton noloader at gmail.com
Mon Jun 22 21:44:28 UTC 2015

> Of course, the second approach is a lot faster - however, can anyone explain
> the warning not from the documentation "Be careful to avoid small subgroup
> attacks when using this." ? AFAIK, for such attacks to be effective, they
> require that the parameters are re-used multiple times. However, in our
> specific case, the generated parameters will be used only once (2048 bits)
> and then discarded...

No, small subgroups or confinement attacks are due to Schnorr. They
are based on the size of q, not the size of p. See

You can have a large group (2048-bits), but a small subgroup (say
48-bits or 64-bits) that makes the problem much easier. A security
level of 48-bits is well within reach of many attackers. 64-bits is
within reach of some attackers, given how cheaply compute time can be
purchased on Nova or EC2.

And also see "On Small Subgroup Non-confinement Attack",

More information about the openssl-users mailing list