Diffie-Hellman 128 bit
Bill Stewart
bill.stewart at pobox.com
Fri Mar 14 01:12:36 EST 2003
At 01:48 PM 03/13/2003 -0800, NOP wrote:
>I am looking at attacks on Diffie-Hellman.
>
>The protocol implementation I'm looking at designed their diffie-hellman
>using 128 bit primes (generated each time, yet P-1/2 will be a prime, so no
>go on pohlig-hellman attack), so what attacks are there that I can look at
>to come up with either the logarithm x from (a=g^x mod p) or the session key
>that is
>calculated. A brute force wouldn't work, unless I know the starting range.
>Are there any realistic
>attacks on DH parameters of this size, or is theoretically based on
>financial computation attacks?
Google for "Odlyzko Diffie Hellman" and look at the various papers.
Unless you're talking about elliptic curve versions of Diffie Hellman
(and even then 128 bits probably isn't enough), 128 is way too weak.
DH is similar in strength to RSA, so don't think about using less than 1024,
and realistically go for 2048 or more.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
More information about the cryptography
mailing list