[Cryptography] How often should the DH group be changed?
Pierre Abbat
phma at bezitopo.org
Wed Mar 12 02:16:38 EDT 2025
On Tuesday, March 11, 2025 2:26:46 AM EDT Peter Gutmann wrote:
> What's your threat model? Without that, the answer is "anything from never
> to every time there's a new connection".
The data are valuable when produced and for about a day after. By a week
after, they are used up and no longer worth anything. If, however, the
adversary figures out how to compute discrete logs in the group, it can
eavesdrop on future messages, until the group is changed.
A government has hired Eve to tap the connections between nodes. Since the
keys agreed to by DH are used for link encryption, I'm ignoring the
possibility that Mallory could run a node and thus gain access to messages
that pass through her node but are intended for someone else.
On Tuesday, March 11, 2025 9:51:50 AM EDT Sebastian Stache via cryptography wrote:
> It might be tempting to change public constants in an effort to increase
> resistance to brute force attacks, pre-imaging and such, but I would
> recommend to increase the sizes (of primes, keys and hashes) instead.
> Also, how would you distribute the new group to all clients?
Clients don't need the group, only nodes do. Every client has (or should have)
a local connection to a node (or be on the same computer as a node).
Pierre
--
The Black Garden on the Mountain is not on the Black Mountain.